S. 413 (112th): Cybersecurity and Internet Freedom Act of 2011

112th Congress, 2011–2013. Text as of Feb 17, 2011 (Introduced).

Status & Summary | PDF | Source: GPO

II

112th CONGRESS

1st Session

S. 413

IN THE SENATE OF THE UNITED STATES

February 17, 2011

(for himself, Ms. Collins, and Mr. Carper) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs

A BILL

To amend the Homeland Security Act of 2002 and other laws to enhance the security and resiliency of the cyber and communications infrastructure of the United States.

1.

Short title

This Act may be cited as the Cybersecurity and Internet Freedom Act of 2011.

2.

Internet Freedom Act

(a)

Short title

This section may be cited as the Internet Freedom Act.

(b)

Findings

Congress finds that—

(1)

the Internet is vital to almost every facet of the daily lives of the people of the United States, from the water we drink to the power we use to the ways we communicate;

(2)

in the modern world, the Internet is essential to the free flow of ideas and information;

(3)

it is vital that the Internet, and the access of the people of the United States to the Internet, be protected to ensure the reliability of the critical services that rely upon this network and the availability of the information and communications that travel over this network;

(4)

the Internet has developed into a robust network within the United States, with thousands of providers, making it technically impossible to shut down the Internet;

(5)

although the United States must ensure the security of the Nation and its critical infrastructure, the actions of the Government must not encroach on rights guaranteed by the First Amendment to the Constitution of the United States;

(6)

cyber attacks are a real and evolving threat to the information infrastructure and economy of the Nation;

(7)

the Sergeant at Arms of the Senate reported in March 2010 that the computer systems of executive branch agencies of the Federal Government and Congress are probed or attacked an average of 1,800,000,000 times per month;

(8)

experts estimate that cyber attacks can produce $8,000,000,000 in annual losses to the national economy;

(9)

in the event of a cyber attack, it is essential that the law clearly and unambiguously delineate limits on what the Federal Government can and cannot do to protect the information infrastructure that is essential to the reliable operation of the Internet and the critical infrastructure of the Nation; and

(10)

neither the President, the Director of the National Center for Cybersecurity and Communications, nor any other officer or employee of the Federal Government should have the authority to shut down the Internet.

(c)

Limitation

Notwithstanding any provision of this Act, an amendment made by this Act, or section 706 of the Communications Act of 1934 (47 U.S.C. 606), neither the President, the Director of the National Center for Cybersecurity and Communications, or any officer or employee of the United States Government shall have the authority to shut down the Internet.

3.

Table of contents

The table of contents for this Act is as follows:

Sec. 1. Short title.

Sec. 2. Internet Freedom Act.

Sec. 3. Table of contents.

Sec. 4. Definitions.

TITLE I—Office of Cyberspace Policy

Sec. 101. Establishment of the Office of Cyberspace Policy.

Sec. 102. Appointment and responsibilities of the Director.

Sec. 103. Prohibition on political campaigning.

Sec. 104. Review of Federal agency budget requests relating to the National Strategy.

Sec. 105. Access to intelligence.

Sec. 106. Consultation.

Sec. 107. Reports to Congress.

TITLE II—National Center for Cybersecurity and Communications

Sec. 201. Cybersecurity.

TITLE III—Federal information security management

Sec. 301. Coordination of Federal information policy.

TITLE IV—Recruitment and professional development

Sec. 401. Definitions.

Sec. 402. Assessment of cybersecurity workforce.

Sec. 403. Strategic cybersecurity workforce planning.

Sec. 404. Cybersecurity occupation classifications.

Sec. 405. Measures of cybersecurity hiring effectiveness.

Sec. 406. Training and education.

Sec. 407. Cybersecurity incentives.

Sec. 408. Recruitment and retention program for the National Center for Cybersecurity and Communications.

TITLE V—Other provisions

Sec. 501. Cybersecurity research and development.

Sec. 502. Prioritized critical information infrastructure.

Sec. 503. National Center for Cybersecurity and Communications acquisition authorities.

Sec. 504. Evaluation of the effective implementation of Office of Management and Budget information security related policies and directives.

Sec. 505. Technical and conforming amendments.

4.

Definitions

In this Act:

(1)

Appropriate congressional committees

The term appropriate congressional committees means—

(A)

the Committee on Homeland Security and Governmental Affairs of the Senate;

(B)

the Committee on Homeland Security of the House of Representatives;

(C)

the Committee on Oversight and Government Reform of the House of Representatives; and

(D)

any other congressional committee with jurisdiction over the particular matter.

(2)

Critical infrastructure

The term critical infrastructure has the meaning given that term in section 1016(e) of the USA PATRIOT Act (42 U.S.C. 5195c(e)).

(3)

Cyberspace

The term cyberspace means the interdependent network of information infrastructure, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.

(4)

Director

The term Director means the Director of Cyberspace Policy established under section 101.

(5)

Federal agency

The term Federal agency

(A)

means any executive department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency; and

(B)

does not include the governments of the District of Columbia and of the territories and possessions of the United States and their various subdivisions.

(6)

Federal information infrastructure

The term Federal information infrastructure

(A)

means information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, any Federal agency, including information systems used or operated by another entity on behalf of a Federal agency; and

(B)

does not include—

(i)

a national security system; or

(ii)

information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community.

(7)

Incident

The term incident has the meaning given that term in section 3551 of title 44, United States Code, as added by this Act.

(8)

Information infrastructure

The term information infrastructure means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including programmable electronic devices and communications networks and any associated hardware, software, or data.

(9)

Information security

The term information security means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide—

(A)

integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;

(B)

confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

(C)

availability, by ensuring timely and reliable access to and use of information.

(10)

Information technology

The term information technology has the meaning given that term in section 11101 of title 40, United States Code.

(11)

Intelligence community

The term intelligence community has the meaning given that term under section 3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4)).

(12)

Key resources

The term key resources has the meaning given that term in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).

(13)

National Center for Cybersecurity and Communications

The term National Center for Cybersecurity and Communications means the National Center for Cybersecurity and Communications established under section 242(a) of the Homeland Security Act of 2002, as added by this Act.

(14)

National information infrastructure

The term national information infrastructure means information infrastructure—

(A)

that is owned, operated, or controlled within or from the United States; and

(B)

that is not owned, operated, controlled, or licensed for use by a Federal agency.

(15)

National security system

The term national security system has the meaning given that term in section 3551 of title 44, United States Code, as added by this Act.

(16)

National strategy

The term National Strategy means the national strategy to increase the security and resiliency of cyberspace developed under section 101(a)(1).

(17)

Office

The term Office means the Office of Cyberspace Policy established under section 101.

(18)

Resiliency

The term resiliency means the ability to eliminate or reduce the magnitude or duration of a disruptive event, including the ability to prevent, prepare for, respond to, and recover from the event.

(19)

Risk

The term risk means the potential for an unwanted outcome resulting from an incident, as determined by the likelihood of the occurrence of the incident and the associated consequences, including potential for an adverse outcome assessed as a function of threats, vulnerabilities, and consequences associated with an incident.

(20)

Risk-based security

The term risk-based security has the meaning given that term in section 3551 of title 44, United States Code, as added by this Act.

I

Office of Cyberspace Policy

101.

Establishment of the Office of Cyberspace Policy

(a)

Establishment of office

There is established in the Executive Office of the President an Office of Cyberspace Policy which shall—

(1)

develop, not later than 1 year after the date of enactment of this Act, and update as needed, but not less frequently than once every 2 years, a national strategy to increase the security and resiliency of cyberspace, that includes goals and objectives relating to—

(A)

computer network operations, including offensive activities, defensive activities, and other activities;

(B)

information assurance;

(C)

protection of critical infrastructure and key resources;

(D)

research and development priorities;

(E)

law enforcement;

(F)

diplomacy;

(G)

homeland security;

(H)

protection of privacy and civil liberties;

(I)

military and intelligence activities; and

(J)

identity management and authentication;

(2)

oversee, coordinate, and integrate all policies and activities of the Federal Government across all instruments of national power relating to ensuring the security and resiliency of cyberspace, including—

(A)

diplomatic, economic, military, intelligence, homeland security, and law enforcement policies and activities within and among Federal agencies; and

(B)

offensive activities, defensive activities, and other policies and activities necessary to ensure effective capabilities to operate in cyberspace;

(3)

ensure that all Federal agencies comply with appropriate guidelines, policies, and directives from the Department of Homeland Security, other Federal agencies with responsibilities relating to cyberspace security or resiliency, and the National Center for Cybersecurity and Communications; and

(4)

ensure that Federal agencies have access to, receive, and appropriately disseminate law enforcement information, intelligence information, terrorism information, and any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246 of the Homeland Security Act of 2002, as added by this Act) relevant to—

(A)

the security of the Federal information infrastructure or the national information infrastructure; and

(B)

the security of—

(i)

information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community; or

(ii)

a national security system.

(b)

Director of Cyberspace Policy

(1)

In general

There shall be a Director of Cyberspace Policy, who shall be the head of the Office.

(2)

Executive schedule position

Section 5312 of title 5, United States Code, is amended by adding at the end the following:

  • Director of Cyberspace Policy.

.

102.

Appointment and responsibilities of the Director

(a)

Appointment

(1)

In general

The Director shall be appointed by the President, by and with the advice and consent of the Senate.

(2)

Qualifications

The President shall appoint the Director from among individuals who have demonstrated ability and knowledge in information technology, cybersecurity, and the operations, security, and resiliency of communications networks.

(3)

Prohibition

No person shall serve as Director while serving in any other position in the Federal Government.

(b)

Responsibilities

The Director shall—

(1)

advise the President regarding the establishment of policies, goals, objectives, and priorities for securing the information infrastructure of the Nation;

(2)

advise the President and other entities within the Executive Office of the President regarding mechanisms to build, and improve the resiliency and efficiency of, the information and communication industry of the Nation, in collaboration with the private sector, while promoting national economic interests;

(3)

work with Federal agencies to—

(A)

oversee, coordinate, and integrate the implementation of the National Strategy, including coordination with—

(i)

the Department of Homeland Security;

(ii)

the Department of Defense;

(iii)

the Department of Commerce;

(iv)

the Department of State;

(v)

the Department of Justice;

(vi)

the Department of Energy;

(vii)

through the Director of National Intelligence, the intelligence community; and

(viii)

and any other Federal agency with responsibilities relating to the National Strategy; and

(B)

resolve any disputes that arise between Federal agencies relating to the National Strategy or other matters within the responsibility of the Office;

(4)

if the policies or activities of a Federal agency are not in compliance with the responsibilities of the Federal agency under the National Strategy—

(A)

notify the Federal agency;

(B)

transmit a copy of each notification under subparagraph (A) to the President and the appropriate congressional committees; and

(C)

coordinate the efforts to bring the Federal agency into compliance;

(5)

ensure the adequacy of protections for privacy and civil liberties in carrying out the responsibilities of the Director under this title, including through consultation with the Privacy and Civil Liberties Oversight Board established under section 1061 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee);

(6)

upon reasonable request, appear before any duly constituted committees of the Senate or of the House of Representatives;

(7)

recommend to the Office of Management and Budget or the head of a Federal agency actions (including requests to Congress relating to the reprogramming of funds) that the Director determines are necessary to ensure risk-based security of—

(A)

the Federal information infrastructure;

(B)

information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community; or

(C)

a national security system;

(8)

advise the Administrator of the Office of E-Government and Information Technology and the Administrator of the Office of Information and Regulatory Affairs on the development, and oversee the implementation, of policies, principles, standards, guidelines, and budget priorities for information technology functions and activities of the Federal Government;

(9)

coordinate and ensure, to the maximum extent practicable, that the standards and guidelines developed for national security systems and the standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) are complementary and unified;

(10)

in consultation with the Administrator of the Office of Information and Regulatory Affairs, coordinate efforts of Federal agencies relating to the development of regulations, rules, requirements, or other actions applicable to the national information infrastructure to ensure, to the maximum extent practicable, that the efforts are complementary;

(11)

coordinate the activities of the Office of Science and Technology Policy, the National Economic Council, the Office of Management and Budget, the National Security Council, the Homeland Security Council, and the United States Trade Representative related to the National Strategy and other matters within the purview of the Office;

(12)

carry out the responsibilities for national security and emergency preparedness communications described in section 706 of the Communications Act of 1934 (47 U.S.C. 606) to ensure integration and coordination; and

(13)

as assigned by the President, other duties relating to the security and resiliency of cyberspace.

(c)

Conforming regulations and orders

The President shall amend the regulations and orders issued under section 706 of the Communications Act of 1934 (47 U.S.C. 606) in accordance with subsection (b)(12).

103.

Prohibition on political campaigning

Section 7323(b)(2)(B) of title 5, United States Code, is amended—

(1)

in clause (i), by striking or at the end;

(2)

in clause (ii), by striking the period at the end and inserting ; or; and

(3)

by adding at the end the following:

(iii)

notwithstanding the exception under subparagraph (A) (relating to an appointment made by the President, by and with the advice and consent of the Senate), the Director of Cyberspace Policy.

.

104.

Review of Federal agency budget requests relating to the National Strategy

(a)

In general

For each fiscal year, the head of each Federal agency shall transmit to the Director a copy of any portion of the budget of the Federal agency intended to implement the National Strategy at the same time as that budget request is submitted to the Office of Management and Budget in the preparation of the budget of the President submitted to Congress under section 1105(a) of title 31, United States Code.

(b)

Timely submissions

The head of each Federal agency shall ensure the timely development and submission to the Director of each proposed budget under this section, in such format as may be designated by the Director with the concurrence of the Director of the Office of Management and Budget.

(c)

Adequacy of the proposed budget requests

With the assistance of, and in coordination with, the Office of E-Government and Information Technology and the National Center for Cybersecurity and Communications, the Director shall review each budget submission to assess the adequacy of the proposed request with regard to implementation of the National Strategy, including the overall sufficiency of the requests to implement effectively the National Strategy across all Federal agencies.

(d)

Inadequate budget requests

If the Director concludes that a budget request submitted under subsection (a) is inadequate, in whole or in part, to implement the objectives of the National Strategy, the Director shall submit to the Director of the Office of Management and Budget and the head of the Federal agency submitting the budget request a written description of funding levels and specific initiatives that would, in the determination of the Director, make the request adequate.

105.

Access to intelligence

The Director shall have access to law enforcement information, intelligence information, terrorism information, and any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246 of the Homeland Security Act of 2002, as added by this Act) that is obtained by, or in the possession of, any Federal agency that the Director determines relevant to the security of—

(1)

the Federal information infrastructure;

(2)

information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community;

(3)

a national security system; or

(4)

national information infrastructure.

106.

Consultation

(a)

In general

The Director may consult and obtain recommendations from, as needed, such Presidential and other advisory entities as the Director determines will assist in carrying out the mission of the Office, including—

(1)

the National Security Telecommunications Advisory Committee;

(2)

the National Infrastructure Advisory Council;

(3)

the Privacy and Civil Liberties Oversight Board;

(4)

the President’s Intelligence Advisory Board;

(5)

the Critical Infrastructure Partnership Advisory Council;

(6)

the Committee on Foreign Investment in the United States;

(7)

the Information Security and Privacy Advisory Board;

(8)

the National Cybersecurity Advisory Council established under section 239 of the Homeland Security Act of 2002, as added by this Act; and

(9)

any other entity that may provide assistance to the Director.

(b)

National Strategy

In developing and updating the National Strategy the Director shall consult with the National Cybersecurity Advisory Council and, as appropriate, State and local governments and private entities.

107.

Reports to Congress

(a)

In general

The Director shall submit an annual report to the appropriate congressional committees describing the activities, ongoing projects, and plans of the Federal Government designed to meet the goals and objectives of the National Strategy.

(b)

Classified annex

A report submitted under this section shall be submitted in an unclassified form, but may include a classified annex, if necessary.

(c)

Public report

An unclassified version of each report submitted under this section shall be made available to the public.

II

National Center for Cybersecurity and Communications

201.

Cybersecurity

Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended by adding at the end the following:

E

Cybersecurity

241.

Definitions

In this subtitle—

(1)

the term agency information infrastructure means the Federal information infrastructure of a particular Federal agency;

(2)

the term appropriate committees of Congress means the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives;

(3)

the term Center means the National Center for Cybersecurity and Communications established under section 242(a);

(4)

the term covered critical infrastructure means a system or asset identified by the Secretary as covered critical infrastructure under section 254;

(5)

the term cyber risk means any risk to information infrastructure, including physical or personnel risks and security vulnerabilities, that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure;

(6)

the term Director means the Director of the Center appointed under section 242(b)(1);

(7)

the term Federal agency

(A)

means any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency; and

(B)

does not include the governments of the District of Columbia and of the territories and possessions of the United States and their various subdivisions;

(8)

the term Federal information infrastructure

(A)

means information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, any Federal agency, including information systems used or operated by another entity on behalf of a Federal agency; and

(B)

does not include—

(i)

a national security system; or

(ii)

information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community;

(9)

the term incident has the meaning given that term in section 3551 of title 44, United States Code;

(10)

the term information infrastructure means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including—

(A)

programmable electronic devices and communications networks; and

(B)

any associated hardware, software, or data;

(11)

the term information security means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide—

(A)

integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;

(B)

confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

(C)

availability, by ensuring timely and reliable access to and use of information;

(12)

the term information sharing and analysis center means a self-governed forum whose members work together within a specific sector of critical infrastructure to identify, analyze, and share with other members and the Federal Government critical information relating to threats, vulnerabilities, or incidents to the security and resiliency of the critical infrastructure that comprises the specific sector;

(13)

the term information system has the meaning given that term in section 3502 of title 44, United States Code;

(14)

the term intelligence community has the meaning given that term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4));

(15)

the term management controls means safeguards or countermeasures for an information system that focus on the management of risk and the management of information system security;

(16)

the term National Cybersecurity Advisory Council means the National Cybersecurity Advisory Council established under section 239;

(17)

the term national cyber emergency means an actual or imminent action by any individual or entity to exploit a cyber risk in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure;

(18)

the term national information infrastructure means information infrastructure—

(A)

that is owned, operated, or controlled within or from the United States; and

(B)

that is not owned, operated, controlled, or licensed for use by a Federal agency;

(19)

the term national security system has the meaning given that term in section 3551 of title 44, United States Code;

(20)

the term operational controls means the safeguards and countermeasures for an information system that are primarily implemented and executed by individuals not systems;

(21)

the term sector-specific agency means the relevant Federal agency responsible for infrastructure protection activities in a designated critical infrastructure sector or key resources category under the National Infrastructure Protection Plan, or any other appropriate Federal agency identified by the President after the date of enactment of this subtitle;

(22)

the term sector coordinating councils means self-governed councils that are composed of representatives of key stakeholders within a specific sector of critical infrastructure that serve as the principal private sector policy coordination and planning entities with the Federal Government relating to the security and resiliency of the critical infrastructure that comprise that sector;

(23)

the term security controls means the management, operational, and technical controls prescribed for an information system to protect the information security of the system;

(24)

the term small business concern has the meaning given that term under section 3 of the Small Business Act (15 U.S.C. 632);

(25)

the term technical controls means the safeguards or countermeasures for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system;

(26)

the term terrorism information has the meaning given that term in section 1016 of the Intelligence Reform and Terrorism Prevention Act of 2004 (6 U.S.C. 485);

(27)

the term United States person has the meaning given that term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801); and

(28)

the term US–CERT means the United States Computer Emergency Readiness Team established under section 244.

242.

National Center for Cybersecurity and Communications

(a)

Establishment

(1)

In general

There is established within the Department a National Center for Cybersecurity and Communications.

(2)

Operational entity

The Center may—

(A)

enter into contracts for the procurement of property and services for the Center; and

(B)

appoint employees of the Center in accordance with the civil service laws of the United States.

(b)

Director

(1)

In general

The Center shall be headed by a Director, who shall be appointed by the President, by and with the advice and consent of the Senate.

(2)

Reporting to Secretary

The Director shall report directly to the Secretary and serve as the principal advisor to the Secretary on cybersecurity and the operations, security, and resiliency of the information infrastructure and communications infrastructure of the United States.

(3)

Presidential advice

The Director shall regularly advise the President on the exercise of the authorities provided under this subtitle or any other provision of law relating to the security of the Federal information infrastructure or an agency information infrastructure.

(4)

Qualifications

The Director shall be appointed from among individuals who have—

(A)

a demonstrated ability in and knowledge of information technology, cybersecurity, and the operations, security and resiliency of communications networks; and

(B)

significant executive leadership and management experience in the public or private sector.

(5)

Limitation on service

(A)

In general

Subject to subparagraph (B), the individual serving as the Director may not, while so serving, serve in any other capacity in the Federal Government, except to the extent that the individual serving as Director is doing so in an acting capacity.

(B)

Exception

The Director may serve on any commission, board, council, or similar entity with responsibilities or duties relating to cybersecurity or the operations, security, and resiliency of the information infrastructure and communications infrastructure of the United States at the direction of the President or as otherwise provided by law.

(c)

Deputy Directors

(1)

In general

There shall be not less than 2 Deputy Directors for the Center, who shall report to the Director.

(2)

Infrastructure protection

(A)

Appointment

There shall be a Deputy Director appointed by the Secretary, who shall have expertise in infrastructure protection.

(B)

Responsibilities

The Deputy Director appointed under subparagraph (A) shall—

(i)

assist the Director and the Assistant Secretary for Infrastructure Protection in coordinating, managing, and directing the information, communications, and physical infrastructure protection responsibilities and activities of the Department, including activities under Homeland Security Presidential Directive–7, or any successor thereto, and the National Infrastructure Protection Plan, or any successor thereto;

(ii)

review the budget for the Center and the Office of Infrastructure Protection before submission of the budget to the Secretary to ensure that activities are appropriately coordinated;

(iii)

develop, update periodically, and submit to the appropriate committees of Congress a strategic plan detailing how critical infrastructure protection activities will be coordinated between the Center, the Office of Infrastructure Protection, and the private sector;

(iv)

subject to the direction of the Director resolve conflicts between the Center and the Office of Infrastructure Protection relating to the information, communications, and physical infrastructure protection responsibilities of the Center and the Office of Infrastructure Protection; and

(v)

perform such other duties as the Director may assign.

(C)

Annual evaluation

The Assistant Secretary for Infrastructure Protection shall submit annually to the Director an evaluation of the performance of the Deputy Director appointed under subparagraph (A).

(3)

Intelligence community

The Director of National Intelligence shall identify an employee of an element of the intelligence community to serve as a Deputy Director of the Center. The employee shall be detailed to the Center on a reimbursable basis for such period as is agreed to by the Director and the Director of National Intelligence, and, while serving as Deputy Director, shall report directly to the Director of the Center.

(d)

Liaison officers

(1)

In general

The Secretary of Defense, the Attorney General, the Secretary of Commerce, and the Director of National Intelligence shall detail personnel to the Center to act as full-time liaisons with the Department of Defense, the Department of Justice, the National Institute of Standards and Technology, and elements of the intelligence community to assist in coordination between and among the Center, the Department of Defense, the Department of Justice, the National Institute of Standards and Technology, and elements of the intelligence community.

(2)

Private sector

(A)

In general

Consistent with applicable law and ethics requirements, and except as provided in subparagraph (B), the Director may authorize representatives from private sector entities to participate in the activities of the Center to improve the information sharing, analysis, and coordination of activities of the US–CERT.

(B)

Limitation

A representative from a private sector entity authorized to participate in the activities of the Center under subparagraph (A) may not participate in any activities of the Center under section 248, 249, or 250.

(e)

Privacy officer

(1)

In general

The Director, in consultation with the Secretary, shall designate a full-time privacy officer, who shall report to the Director.

(2)

Duties

The privacy officer designated under paragraph (1) shall have primary responsibility for implementation by the Center of the privacy policy for the Department established by the Privacy Officer appointed under section 222.

(f)

Duties of Director

(1)

In general

The Director shall—

(A)

working cooperatively with the private sector, lead the Federal effort to secure, protect, and ensure the resiliency of the Federal information infrastructure, national information infrastructure, and communications infrastructure of the United States, including communications networks;

(B)

assist in the identification, remediation, and mitigation of vulnerabilities to the Federal information infrastructure and the national information infrastructure;

(C)

provide dynamic, comprehensive, and continuous situational awareness of the security status of the Federal information infrastructure, national information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, and information infrastructure located outside the United States the disruption of which could result in national or regional catastrophic damage in the United States by sharing and integrating classified and unclassified information, including information relating to threats, vulnerabilities, traffic, trends, incidents, and other anomalous activities affecting the infrastructure or systems, on a routine and continuous basis with—

(i)

the National Threat Operations Center of the National Security Agency;

(ii)

the United States Cyber Command, including the Joint Task Force-Global Network Operations;

(iii)

the Cyber Crime Center of the Department of Defense;

(iv)

the National Cyber Investigative Joint Task Force;

(v)

the Intelligence Community Incident Response Center;

(vi)

any other Federal agency, or component thereof, identified by the Director; and

(vii)

any non-Federal entity, including, where appropriate, information sharing and analysis centers, identified by the Director, with the concurrence of the owner or operator of that entity and consistent with applicable law;

(D)

work with the entities described in subparagraph (C) to establish policies and procedures that enable information sharing between and among the entities;

(E)
(i)

develop, in coordination with the Assistant Secretary for Infrastructure Protection, other Federal agencies, the private sector, and State and local governments, a national incident response plan that details the roles of Federal agencies, State and local governments, and the private sector, including plans to be executed in response to a declaration of a national cyber emergency by the President under section 249; and

(ii)

establish mechanisms for assisting owners or operators of critical infrastructure, including covered critical infrastructure, in the deployment of emergency measures or other actions, including measures to restore the critical infrastructure in the event of the destruction or a serious disruption of the critical infrastructure;

(F)

conduct risk-based assessments of the Federal information infrastructure with respect to acts of terrorism, natural disasters, and other large-scale disruptions and provide the results of the assessments to the Director of Cyberspace Policy and to affected Federal agencies;

(G)

develop, oversee the implementation of, and enforce policies, principles, and guidelines on information security for the Federal information infrastructure, including timely adoption of and compliance with standards developed by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3);

(H)

provide assistance to the National Institute of Standards and Technology in developing standards under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3);

(I)

provide to Federal agencies mandatory security controls to mitigate and remediate vulnerabilities of and incidents affecting the Federal information infrastructure;

(J)

subject to paragraph (2), and as needed, assist the Director of the Office of Management and Budget and the Director of Cyberspace Policy in conducting analysis and prioritization of budgets, resources, and policies relating to the security of the Federal information infrastructure;

(K)

in accordance with section 253, develop, periodically update, and implement a supply chain risk management strategy to enhance, in a risk-based and cost-effective manner, the security of the communications and information technology products and services purchased by the Federal Government;

(L)

notify the Director of Cyberspace Policy of any incident involving the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or the national information infrastructure that could compromise or significantly affect economic or national security;

(M)

consult, in coordination with the Director of Cyberspace Policy, with appropriate international partners to enhance the security of the Federal information infrastructure, national information infrastructure, and information infrastructure located outside the United States the disruption of which could result in national or regional catastrophic damage in the United States;

(N)
(i)

coordinate and integrate information to analyze the composite security state of the Federal information infrastructure and information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community;

(ii)

ensure the information required under clause (i) and section 3553(c)(1)(A) of title 44, United States Code, including the views of the Director on the adequacy and effectiveness of information security throughout the Federal information infrastructure and information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, is available on an automated and continuous basis through the system maintained under section 3552(a)(3)(D) of title 44, United States Code;

(iii)

in conjunction with the quadrennial homeland security review required under section 707, and at such other times determined appropriate by the Director, analyze the composite security state of the national information infrastructure and submit to the President, Congress, and the Secretary a report regarding actions necessary to enhance the composite security state of the national information infrastructure based on the analysis; and

(iv)

foster collaboration and serve as the primary contact between the Federal Government, State and local governments, and private entities on matters relating to the security of the Federal information infrastructure and the national information infrastructure;

(O)

oversee the development, implementation, and management of security requirements for Federal agencies relating to the external access points to or from the Federal information infrastructure;

(P)

establish, develop, and oversee the capabilities and operations within the US–CERT as required by section 244;

(Q)

oversee the operations of the National Communications System, as described in Executive Order 12472 (49 Fed. Reg. 13471; relating to the assignment of national security and emergency preparedness telecommunications functions), as amended by Executive Order 13286 (68 Fed. Reg. 10619) and Executive Order 13407 (71 Fed. Reg. 36975), or any successor thereto, including planning for and providing communications for the Federal Government under all circumstances, including crises, emergencies, attacks, recoveries, and reconstitutions;

(R)

ensure, in coordination with the privacy officer designated under subsection (e), the Privacy Officer appointed under section 222, and the Director of the Office of Civil Rights and Civil Liberties appointed under section 705, that the activities of the Center comply with all policies, regulations, and laws protecting the privacy and civil liberties of United States persons;

(S)

subject to the availability of resources, in accordance with applicable law relating to the protection of trade secrets, and at the discretion of the Director, provide voluntary technical assistance—

(i)

at the request of an owner or operator of covered critical infrastructure, to assist the owner or operator in complying with sections 248 and 249, including implementing required security or emergency measures and developing response plans for national cyber emergencies declared under section 249; and

(ii)

at the request of the owner or operator of national information infrastructure that is not covered critical infrastructure, and based on risk, to assist the owner or operator in implementing best practices, and related standards and guidelines, recommended under section 247 and other measures necessary to mitigate or remediate vulnerabilities of the information infrastructure and the consequences of efforts to exploit the vulnerabilities;

(T)
(i)

conduct, in consultation with the National Cybersecurity Advisory Council, the head of appropriate sector-specific agencies, and any private sector entity determined appropriate by the Director, risk-based assessments of national information infrastructure and information infrastructure located outside the United States the disruption of which could result in national or regional catastrophic damage in the United States, on a sector-by-sector basis, with respect to acts of terrorism, natural disasters, and other large-scale disruptions or financial harm, which shall identify and prioritize risks to the national information infrastructure and information infrastructure located outside the United States the disruption of which could result in national or regional catastrophic damage in the United States, including vulnerabilities and associated consequences; and

(ii)

coordinate and evaluate the mitigation or remediation of vulnerabilities and consequences identified under clause (i);

(U)

regularly evaluate and assess technologies designed to enhance the protection of the Federal information infrastructure and national information infrastructure, including an assessment of the cost-effectiveness of the technologies;

(V)

promote the use of the best practices recommended under section 247 to State and local governments and the private sector;

(W)

develop and implement outreach and awareness programs on cybersecurity, including—

(i)

a public education campaign to increase the awareness of cybersecurity, cyber safety, and cyber ethics, which shall include use of the Internet, social media, entertainment, and other media to reach the public;

(ii)

an education campaign to increase the understanding of State and local governments and private sector entities of the costs of failing to ensure effective security of information infrastructure and cost-effective methods to mitigate and remediate vulnerabilities; and

(iii)

outcome-based performance measures to determine the success of the programs;

(X)

develop and implement a national cybersecurity exercise program that includes—

(i)

the participation of State and local governments, international partners of the United States, and the private sector;

(ii)

an after action report analyzing lessons learned from exercises and identifying vulnerabilities to be remediated or mitigated; and

(iii)

oversight, in coordination with the Director of the Office of Cyberspace Policy, of the efforts by Federal agencies to address deficiencies identified in the after action reports required under clause (ii);

(Y)

coordinate with the Assistant Secretary for Infrastructure Protection to ensure that—

(i)

cybersecurity is appropriately addressed in carrying out the infrastructure protection responsibilities described in section 201(d); and

(ii)

the operations of the Center and the Office of Infrastructure Protection avoid duplication and use, to the maximum extent practicable, joint mechanisms for information sharing and coordination with the private sector;

(Z)

oversee the activities of the Office of Emergency Communications established under section 1801;

(AA)

in coordination with the Director of the Office of Cyberspace Policy and the heads of relevant Federal agencies, develop and implement an identity management strategy for cyberspace, which shall include, at a minimum, research and development goals, an analysis of appropriate protections for privacy and civil liberties, and mechanisms to develop and disseminate best practices and standards relating to identity management, including usability and transparency; and

(BB)

perform such other duties as the Secretary may direct relating to the security and resiliency of the information and communications infrastructure of the United States.

(2)

Budget analysis

In conducting analysis and prioritization of budgets under paragraph (1)(J), the Director—

(A)

in coordination with the Director of the Office of Management and Budget, may access information from any Federal agency regarding the finances, budget, and programs of the Federal agency relevant to the security of the Federal information infrastructure;

(B)

may make recommendations to the Director of the Office of Management and Budget and the Director of Cyberspace Policy regarding the budget for each Federal agency to ensure that adequate funding is devoted to securing the Federal information infrastructure, in accordance with policies, principles, and guidelines established by the Director under this subtitle; and

(C)

shall provide copies of any recommendations made under subparagraph (B) to—

(i)

the Committee on Appropriations of the Senate;

(ii)

the Committee on Appropriations of the House of Representatives; and

(iii)

the appropriate committees of Congress.

(g)

Use of mechanisms for collaboration

In carrying out the responsibilities and authorities of the Director under this subtitle, to the maximum extent practicable, the Director shall use mechanisms for collaboration and information sharing (including mechanisms relating to the identification and communication of threats, vulnerabilities, and associated consequences) established by other components of the Department or other Federal agencies to avoid unnecessary duplication or waste.

(h)

Sufficiency of resources plan

(1)

Report

Not later than 120 days after the date of enactment of this subtitle, the Director of the Office of Management and Budget shall submit to the appropriate committees of Congress and the Comptroller General of the United States a report on the resources and staff necessary to carry out fully the responsibilities under this subtitle.

(2)

Comptroller General review

(A)

In general

The Comptroller General of the United States shall evaluate the reasonableness and adequacy of the report submitted by the Director under paragraph (1).

(B)

Report

Not later than 60 days after the date on which the report is submitted under paragraph (1), the Comptroller General shall submit to the appropriate committees of Congress a report containing the findings of the review under subparagraph (A).

(i)

Functions transferred

There are transferred to the Center the National Cyber Security Division, the Office of Emergency Communications, and the National Communications System, including all the functions, personnel, assets, authorities, and liabilities of the National Cyber Security Division, the Office of Emergency Communications, and the National Communications System.

(j)

Assistant to the director for state, local, and private sector outreach

The Director shall identify a senior official in the Center who—

(1)

shall report directly to the Director; and

(2)

in coordination with the Special Assistant to the Secretary appointed under section 102(f), shall—

(A)

advise the Director on policies and regulations, rules, requirements or other actions affecting the private sector, including the economic impact;

(B)

work with individual businesses and other nongovernmental organizations to foster dialogue with the Center;

(C)

foster partnerships and facilitate communication between the Center and State and local governments and private sector entities;

(D)

coordinate and maintain communication and interaction with State and local governments and private sector entities on matters relating to the security of the Federal information infrastructure and the national information infrastructure;

(E)

assist the Director in sharing best practices, guidelines, and other important information relating to the policies, goals, and activities of the Center;

(F)

assist the Director in developing and implementing the national cybersecurity exercise program under subsection (f)(1)(X) as it relates to State and local governments and private sector entities;

(G)

assist the Director in developing the national incident response plan under subsection (f)(1)(E) as it relates to State and local governments and private sector entities;

(H)

assist the Director in information sharing activities of the Center as it relates to State and local governments and private sector entities; and

(I)

perform any other duties, as directed by the Director.

243.

Physical and cyber infrastructure collaboration

(a)

In general

The Director and the Assistant Secretary for Infrastructure Protection shall coordinate the information, communications, and physical infrastructure protection responsibilities and activities of the Center and the Office of Infrastructure Protection.

(b)

Oversight

The Secretary shall ensure that the coordination described in subsection (a) occurs.

244.

United States Computer Emergency Readiness Team

(a)

Establishment of office

There is established within the Center, the United States Computer Emergency Readiness Team, which shall be headed by a Director, who shall be selected from the Senior Executive Service by the Secretary.

(b)

Responsibilities

The US–CERT shall—

(1)

collect, coordinate, and disseminate information on—

(A)

risks to the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or the national information infrastructure; and

(B)

security controls to enhance the security of the Federal information infrastructure or the national information infrastructure against the risks identified in subparagraph (A); and

(2)

establish a mechanism for engagement with the private sector.

(c)

Monitoring, analysis, warning, and response

(1)

Duties

Subject to paragraph (2), the US–CERT shall—

(A)

provide analysis and reports to Federal agencies on the security of the Federal information infrastructure;

(B)

provide continuous, automated monitoring of the Federal information infrastructure at external Internet access points, which shall include detection and warning of threats, vulnerabilities, traffic, trends, incidents, and other anomalous activities affecting the information security of the Federal information infrastructure;

(C)

warn Federal agencies of threats, vulnerabilities, incidents, and anomalous activities that could affect the Federal information infrastructure;

(D)

develop, recommend, and deploy security controls to mitigate or remediate vulnerabilities;

(E)

support Federal agencies in conducting risk assessments of the agency information infrastructure;

(F)

disseminate to Federal agencies risk analyses of incidents that could impair the risk-based security of the Federal information infrastructure;

(G)

develop and acquire predictive analytic tools to evaluate threats, vulnerabilities, traffic, trends, incidents, and anomalous activities;

(H)

aid in the detection of, and warn owners or operators of national information infrastructure regarding, threats, vulnerabilities, and incidents, affecting the national information infrastructure, including providing—

(i)

timely, targeted, and actionable notifications of threats, vulnerabilities, and incidents;

(ii)

notifications under this subparagraph; and

(iii)

recommended security controls to mitigate or remediate vulnerabilities; and

(I)

respond to assistance requests from Federal agencies and, subject to the availability of resources, owners or operators of the national information infrastructure to—

(i)

isolate, mitigate, or remediate incidents;

(ii)

recover from damages and mitigate or remediate vulnerabilities; and

(iii)

evaluate security controls and other actions taken to secure information infrastructure and incorporate lessons learned into best practices, policies, principles, and guidelines.

(2)

Requirement

With respect to the Federal information infrastructure, the US–CERT shall conduct the activities described in paragraph (1) in a manner consistent with the responsibilities of the head of a Federal agency described in section 3553 of title 44, United States Code.

(3)

Report

Not later than 1 year after the date of enactment of this subtitle, and every year thereafter, the Secretary shall—

(A)

in conjunction with the Inspector General of the Department, conduct an independent audit or review of the activities of the US–CERT under paragraph (1)(B), which shall include, at a minimum, an assessment of whether and to what extent the activities authorized under paragraph (1)(B) have monitored communications other than communications to or from a Federal agency; and

(B)

submit to the appropriate committees of Congress and the President a report regarding the audit or review under subparagraph (A).

(4)

Classified annex

A report submitted under paragraph (3) shall be submitted in an unclassified form, but may include a classified annex, if necessary.

(d)

Procedures for Federal Government

Not later than 90 days after the date of enactment of this subtitle, the head of each Federal agency shall establish procedures for the Federal agency that ensure that the US–CERT can perform the functions described in subsection (c) in relation to the Federal agency.

(e)

Operational updates

The US–CERT shall provide unclassified and, as appropriate, classified updates regarding the composite security state of the Federal information infrastructure to the Federal Information Security Taskforce.

(f)

Federal points of contact

The Director of the US–CERT shall designate a principal point of contact within the US–CERT for each Federal agency to—

(1)

maintain communication;

(2)

ensure cooperative engagement and information sharing; and

(3)

respond to inquiries or requests.

(g)

Requests for information or physical access

(1)

Information access

Upon request of the Director of the US–CERT, the head of a Federal agency or an Inspector General for a Federal agency shall provide any law enforcement information, intelligence information, terrorism information, or any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246) relevant to the security of the Federal information infrastructure or the national information infrastructure necessary to carry out the duties, responsibilities, and authorities under this subtitle.

(2)

Physical access

Upon request of the Director, and in consultation with the head of a Federal agency, the Federal agency shall provide physical access to any facility of the Federal agency necessary to determine whether the Federal agency is in compliance with any policies, principles, and guidelines established by the Director under this subtitle, or otherwise necessary to carry out the duties, responsibilities, and authorities of the Director applicable to the Federal information infrastructure.

245.

Additional authorities of the Director of the National Center for Cybersecurity and Communications

(a)

Access to information

Unless otherwise directed by the President—

(1)

the Director shall access, receive, and analyze law enforcement information, intelligence information, terrorism information, and any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246) relevant to the security of the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or national information infrastructure from Federal agencies and, consistent with applicable law, State and local governments (including law enforcement agencies), and private entities, including information provided by any contractor to a Federal agency regarding the security of the agency information infrastructure;

(2)

any Federal agency in possession of law enforcement information, intelligence information, terrorism information, or any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246) relevant to the security of the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or national information infrastructure shall provide that information to the Director in a timely manner; and

(3)

the Director, in coordination with the Director of the Office of Management and Budget, the Attorney General, the Privacy and Civil Liberties Oversight Board established under section 1061 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee), the Director of National Intelligence, and the Archivist of the United States, shall establish guidelines to ensure that information is transferred, stored, and preserved—

(A)

in accordance with applicable laws relating to the protection of trade secrets and other applicable laws; and

(B)

in a manner that protects the privacy and civil liberties of United States persons and intelligence sources and methods.

(b)

Operational evaluations

(1)

In general

The Director—

(A)

subject to paragraph (2), shall develop, maintain, and enhance capabilities to evaluate the security of the Federal information infrastructure as described in section 3554(a)(3) of title 44, United States Code, including the ability to conduct risk-based penetration testing and vulnerability assessments;

(B)

in carrying out subparagraph (A), may request technical assistance from the Director of the Federal Bureau of Investigation, the Director of the National Security Agency, the head of any other Federal agency that may provide support, and any nongovernmental entity contracting with the Department or another Federal agency; and

(C)

in consultation with the Attorney General and the Privacy and Civil Liberties Oversight Board established under section 1061 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee), shall develop guidelines to ensure compliance with all applicable laws relating to the privacy of United States persons in carrying out the operational evaluations under subparagraph (A).

(2)

Operational evaluations

(A)

In general

The Director may conduct risk-based operational evaluations of the agency information infrastructure of any Federal agency, at a time determined by the Director, in consultation with the head of the Federal agency, using the capabilities developed under paragraph (1)(A).

(B)

Annual evaluation requirement

If the Director conducts an operational evaluation under subparagraph (A) or an operational evaluation at the request of a Federal agency to meet the requirements of section 3554 of title 44, United States Code, the operational evaluation shall satisfy the requirements of section 3554 for the Federal agency for the year of the evaluation, unless otherwise specified by the Director.

(c)

Corrective measures and mitigation plans

If the Director determines that a Federal agency is not in compliance with applicable policies, principles, standards, and guidelines applicable to the Federal information infrastructure—

(1)

the Director, in consultation with the Director of the Office of Management and Budget, may direct the head of the Federal agency to—

(A)

take corrective measures to meet the policies, principles, standards, and guidelines; and

(B)

develop a plan to remediate or mitigate any vulnerabilities addressed by the policies, principles, standards, and guidelines;

(2)

within such time period as the Director shall prescribe, the head of the Federal agency shall—

(A)

implement a corrective measure or develop a mitigation plan in accordance with paragraph (1); or

(B)

submit to the Director, the Director of the Office of Management and Budget, the Inspector General for the Federal agency, and the appropriate committees of Congress a report indicating why the Federal agency has not implemented the corrective measure or developed a mitigation plan; and

(3)

after providing notice to the head of the affected Federal agency, the Director may direct the isolation of any component of the agency information infrastructure, consistent with the contingency or continuity of operation plans applicable to the agency information infrastructure, until corrective measures are taken or mitigation plans approved by the Director are put in place, if—

(A)

the head of the Federal agency has failed to comply with the corrective measures prescribed under paragraph (1); and

(B)

the failure to comply presents a significant danger to the Federal information infrastructure.

246.

Information sharing

(a)

Federal agencies

(1)

Information sharing program

Consistent with the responsibilities described in sections 242 and 244, the Director, in consultation with the other members of the Chief Information Officers Council established under section 3603 of title 44, United States Code, and the Federal Information Security Taskforce, shall establish a program for sharing information with and between the Center and other Federal agencies that includes processes and procedures, including standard operating procedures—

(A)

under which the Director regularly shares with each Federal agency—

(i)

analysis and reports on the composite security state of the Federal information infrastructure and information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, which shall include information relating to threats, vulnerabilities, incidents, or anomalous activities;

(ii)

any available analysis and reports regarding the security of the agency information infrastructure; and

(iii)

means and methods of preventing, responding to, mitigating, and remediating vulnerabilities; and

(B)

under which the Director may request information from Federal agencies concerning the security of the Federal information infrastructure, information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community, or the national information infrastructure necessary to carry out the duties of the Director under this subtitle or any other provision of law.

(2)

Contents

The program established under this section shall include—

(A)

timeframes for the sharing of information under paragraph (1);

(B)

guidance on what information shall be shared, including information regarding incidents;

(C)

a tiered structure that provides guidance for the sharing of urgent information; and

(D)

processes and procedures under which the Director or the head of a Federal agency may report noncompliance with the program to the Director of Cyberspace Policy.

(3)

US–CERT

The Director of the US–CERT shall ensure that the head of each Federal agency has continual access to data collected by the US–CERT regarding the agency information infrastructure of the Federal agency.

(4)

Federal agencies

(A)

In general

The head of a Federal agency shall comply with all processes and procedures established under this subsection regarding notification to the Director relating to incidents.

(B)

Immediate notification required

Unless otherwise directed by the President, any Federal agency with a national security system shall immediately notify the Director regarding any incident affecting the risk-based security of the national security system.

(b)

State and local governments, private sector, and international partners

(1)

In general

The Director shall establish processes and procedures, including standard operating procedures, to ensure bidirectional information sharing with State and local governments, private entities, and international partners of the United States on—

(A)

threats, vulnerabilities, incidents, and anomalous activities affecting the national information infrastructure; and

(B)

means and methods of preventing, responding to, and mitigating and remediating vulnerabilities.

(2)

Contents

The processes and procedures established under paragraph (1) shall include—

(A)

means or methods of accessing classified or unclassified information, as appropriate and in accordance with applicable laws regarding trade secrets, that will provide situational awareness of the security of the Federal information infrastructure and the national information infrastructure relating to threats, vulnerabilities, traffic, trends, incidents, and other anomalous activities affecting the Federal information infrastructure or the national information infrastructure;

(B)

a mechanism, established in consultation with the heads of the relevant sector-specific agencies, sector coordinating councils, and information sharing and analysis centers, by which owners and operators of covered critical infrastructure shall report incidents in the information infrastructure for covered critical infrastructure under subsection (c)(1)(A);

(C)

guidance on the form, content, and priority of incident reports that shall be submitted under subsection (c)(1)(A), which shall—

(i)

include appropriate mechanisms to protect—

(I)

information in accordance with section 251;

(II)

personally identifiable information; and

(III)

trade secrets; and

(ii)

prioritize the reporting of incidents based on the risk the incident poses to the disruption of the reliable operation of the covered critical infrastructure;

(D)

a procedure for notifying an information technology provider if a vulnerability is detected in the product or service produced by the information technology provider and, where possible, working with the information technology provider to remediate the vulnerability before any public disclosure of the vulnerability so as to minimize the opportunity for the vulnerability to be exploited; and

(E)

an evaluation of the need to provide security clearances to employees of State and local governments, private entities, and international partners to carry out this subsection.

(3)

Guidelines

The Director, in consultation with the Attorney General, the Director of National Intelligence, and the Privacy Officer established under section 242(e), shall develop guidelines to protect the privacy and civil liberties of United States persons and intelligence sources and methods, while carrying out this subsection.

(c)

Incidents

(1)

Non-Federal entities

(A)

In general

(i)

Mandatory reporting

Subject to clause (ii), the owner or operator of covered critical infrastructure shall report any incident affecting the information infrastructure of covered critical infrastructure to the extent the incident might indicate an actual or potential cyber risk, or exploitation of a cyber risk, in accordance with the policies and procedures for the mechanism established under subsection (b)(2)(B) and guidelines developed under subsection (b)(3).

(ii)

Limitation

Clause (i) shall not authorize the Director, the Center, the Department, or any other Federal entity to—

(I)

compel the disclosure of information relating to an incident unless otherwise authorized by law; or

(II)

intercept a wire, oral, or electronic communication (as those terms are defined in section 2510 of title 18, United States Code), access a stored electronic or wire communication, install or use a pen register or trap and trace device, or conduct electronic surveillance (as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801)) relating to an incident, unless otherwise authorized under chapter 119, chapter 121, or chapter 206 of title 18, United States Code, or the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).

(B)

Reporting procedures

The Director shall establish procedures that enable and encourage the owner or operator of national information infrastructure to report to the Director regarding incidents affecting such information infrastructure.

(2)

Information protection

Notwithstanding any other provision of law, information reported under paragraph (1) shall be protected from unauthorized disclosure, in accordance with section 251.

(d)

Additional responsibilities

The Director shall—

(1)

share data collected on the Federal information infrastructure with the National Science Foundation and other accredited research institutions for the sole purpose of cybersecurity research in a manner that protects privacy and civil liberties of United States persons and intelligence sources and methods;

(2)

establish a website to provide an opportunity for the public to provide—

(A)

input about the operations of the Center; and

(B)

recommendations for improvements of the Center; and

(3)

in coordination with the Secretary of Defense, the Director of National Intelligence, the Secretary of State, and the Attorney General, develop information sharing pilot programs with international partners of the United States.

247.

Private sector assistance

(a)

In general

The Director, in consultation with the Director of the National Institute of Standards and Technology, the Director of the National Security Agency, the head of any relevant sector-specific agency, the National Cybersecurity Advisory Council, State and local governments, and any private entities the Director determines appropriate, shall establish a program to promote, and provide technical assistance authorized under section 242(f)(1)(S) relating to the implementation of, best practices and related standards and guidelines for securing the national information infrastructure, including the costs and benefits associated with the implementation of the best practices and related standards and guidelines.

(b)

Analysis and improvement of standards and guidelines

For purposes of the program established under subsection (a), the Director shall—

(1)

regularly assess and evaluate cybersecurity standards and guidelines issued by private sector organizations, recognized international and domestic standards setting organizations, and Federal agencies; and

(2)

in coordination with the National Institute of Standards and Technology, encourage the development of, and recommend changes to, the standards and guidelines described in paragraph (1) for securing the national information infrastructure.

(c)

Guidance and technical assistance

(1)

In general

The Director shall promote best practices and related standards and guidelines to assist owners and operators of national information infrastructure in increasing the security of the national information infrastructure and protecting against and mitigating or remediating known vulnerabilities.

(2)

Requirement

Technical assistance provided under section 242(f)(1)(S) and best practices promoted under this section shall be prioritized based on risk.

(d)

Criteria

In promoting best practices or recommending changes to standards and guidelines under this section, the Director shall ensure that best practices, and related standards and guidelines—

(1)

address cybersecurity in a comprehensive, risk-based manner;

(2)

include consideration of the cost of implementing such best practices or of implementing recommended changes to standards and guidelines;

(3)

increase the ability of the owners or operators of national information infrastructure to protect against and mitigate or remediate known vulnerabilities;

(4)

are suitable, as appropriate, for implementation by small business concerns;

(5)

as necessary and appropriate, are sector specific;

(6)

to the maximum extent possible, incorporate standards and guidelines established by private sector organizations, recognized international and domestic standards setting organizations, and Federal agencies;

(7)

consider voluntary programs by internet service providers to assist individuals using the internet service providers in the identification and mitigation of cyber threats and vulnerabilities, with the consent of the individual users; and

(8)

provide sufficient flexibility to permit a range of security solutions.

248.

Cyber risks to covered critical infrastructure

(a)

Identification of cyber risks

(1)

In general

Based on the risk-based assessments conducted under section 242(f)(1)(T)(i), the Director, in coordination with the head of the sector-specific agency with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, and in consultation with the National Cybersecurity Advisory Council and any private sector entity determined appropriate by the Director, shall, on a continuous and sector-by-sector basis, identify and evaluate the cyber risks to covered critical infrastructure.

(2)

Factors to be considered

In identifying and evaluating cyber risks under paragraph (1), the Director shall consider—

(A)

the actual or assessed threat, including a consideration of adversary capabilities and intent, preparedness, target attractiveness, and deterrence capabilities;

(B)

the extent and likelihood of death, injury, or serious adverse effects to human health and safety caused by a disruption of the reliable operation of covered critical infrastructure;

(C)

the threat to or impact on national security caused by a disruption of the reliable operation of covered critical infrastructure;

(D)

the extent to which the disruption of the reliable operation of covered critical infrastructure will disrupt the reliable operation of other covered critical infrastructure;

(E)

the harm to the economy that would result from a disruption of the reliable operation of covered critical infrastructure; and

(F)

other risk-based security factors that the Director, in consultation with the head of the sector-specific agency with responsibility for the covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, determine to be appropriate and necessary to protect public health and safety, critical infrastructure, or national and economic security.

(3)

Report

(A)

In general

Not later than 180 days after the date of enactment of this subtitle, and annually thereafter, the Director, in coordination with the head of the sector-specific agency with responsibility for the covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, shall submit to the appropriate committees of Congress a report on the findings of the identification and evaluation of cyber risks under this subsection. Each report submitted under this paragraph shall be submitted in an unclassified form, but may include a classified annex.

(B)

Input

For purposes of the reports required under subparagraph (A), the Director shall create a process under which owners and operators of covered critical infrastructure may provide input on the findings of the reports.

(b)

Risk-Based security performance requirements

(1)

In general

Not later than 270 days after the date of the enactment of this subtitle, in coordination with the heads of the sector-specific agencies with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, and in consultation with the National Cybersecurity Advisory Council and any private sector entity determined appropriate by the Director, the Director shall issue interim final regulations establishing risk-based security performance requirements to secure covered critical infrastructure against cyber risks through the adoption of security measures that satisfy the security performance requirements identified by the Director.

(2)

Procedures

The regulations issued under this subsection shall—

(A)

include a process under which owners and operators of covered critical infrastructure are informed of identified cyber risks and security performance requirements designed to remediate or mitigate the cyber risks, in combination with best practices recommended under section 247;

(B)

establish a process for owners and operators of covered critical infrastructure to select security measures, including any best practices recommended under section 247, that, in combination, satisfy the security performance requirements established by the Director under this subsection;

(C)

establish a process for owners and operators of covered critical infrastructure to develop response plans for a national cyber emergency declared under section 249;

(D)

establish a process under which the Director—

(i)

is notified of the security measures selected by the owner or operator of covered critical infrastructure under subparagraph (B); and

(ii)

may determine whether the proposed security measures satisfy the security performance requirements established by the Director under this subsection; and

(E)

establish a process under which the Director—

(i)

identifies to owners and operators of covered critical infrastructure cyber risks that are not capable of effective remediation or mitigation using available best practices or security measures;

(ii)

provides owners and operators of covered critical infrastructure the opportunity to develop best practices or security measures to remediate or mitigate the cyber risks identified in clause (i) without the prior approval of the Director and without affecting the compliance of the covered critical infrastructure with the requirements under this section;

(iii)

in accordance with applicable law relating to the protection of trade secrets, permits owners and operators of covered critical infrastructure to report to the Center the development of effective best practices or security measures to remediate or mitigate the cyber risks identified under clause (i); and

(iv)

incorporates the best practices and security measures developed into the risk-based security performance requirements under this section.

(3)

International cooperation on securing covered critical infrastructure

(A)

In general

The Director, in coordination with the head of the sector-specific agency with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, shall—

(i)

consistent with the protection of intelligence sources and methods and other sensitive matters, inform the owner or operator of information infrastructure located outside the United States the disruption of which could result in national or regional catastrophic damage in the United States and the government of the country in which the information infrastructure is located of any cyber risks to the information infrastructure; and

(ii)

coordinate with the government of the country in which the information infrastructure is located and, as appropriate, the owner or operator of the information infrastructure, regarding the implementation of security measures or other measures to the information infrastructure to mitigate or remediate cyber risks.

(B)

International agreements

The Director shall carry out this paragraph in a manner consistent with applicable international agreements.

(4)

Risk-based security performance requirements

(A)

In general

The security performance requirements established by the Director under this subsection shall be—

(i)

based on the factors listed in subsection (a)(2); and

(ii)

designed to remediate or mitigate identified cyber risks and any associated consequences of an exploitation based on such risks.

(B)

Consultation

In establishing security performance requirements under this subsection, the Director shall, to the maximum extent practicable, consult with—

(i)

the Director of the National Security Agency;

(ii)

the Director of the National Institute of Standards and Technology;

(iii)

the National Cybersecurity Advisory Council;

(iv)

the heads of sector-specific agencies; and

(v)

the heads of Federal agencies that are not sector-specific agencies with responsibilities for regulating the covered critical infrastructure.

(C)

Alternative measures

(i)

In general

The owners and operators of covered critical infrastructure shall have flexibility to implement any security measure, or combination thereof, to satisfy the security performance requirements described in subparagraph (A) and the Director may not disapprove under this section any proposed security measures, or combination thereof, based on the presence or absence of any particular security measure if the proposed security measures, or combination thereof, satisfy the security performance requirements established by the Director under this section or are consistent with the process for addressing new or evolving cyber risks established under paragraph (2)(E).

(ii)

Recommended security measures

The Director may recommend to an owner and operator of covered critical infrastructure a specific security measure, or combination thereof, that will satisfy the security performance requirements established by the Director. The absence of the recommended security measures, or combination thereof, may not serve as the basis for a disapproval of the security measure, or combination thereof, proposed by the owner or operator of covered critical infrastructure if the proposed security measure, or combination thereof, otherwise satisfies the security performance requirements established by the Director under this section.

249.

National cyber emergencies

(a)

Declaration

(1)

In general

The President may issue a declaration of a national cyber emergency to covered critical infrastructure if there is an ongoing or imminent action by any individual or entity to exploit a cyber risk in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure. Any declaration under this section shall specify the covered critical infrastructure subject to the national cyber emergency.

(2)

Notification

Upon issuing a declaration under paragraph (1), the President shall, consistent with the protection of intelligence sources and methods, notify the owners and operators of the specified covered critical infrastructure and any other relevant private sector entity of the nature of the national cyber emergency.

(3)

Authorities

If the President issues a declaration under paragraph (1), the Director shall—

(A)

immediately direct the owners and operators of covered critical infrastructure subject to the declaration under paragraph (1) to implement response plans required under section 248(b)(2)(C);

(B)

develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of covered critical infrastructure;

(C)

ensure that emergency measures or actions directed under this section represent the least disruptive means feasible to the operations of the covered critical infrastructure and to the national information infrastructure;

(D)

subject to subsection (g), direct actions by other Federal agencies to respond to the national cyber emergency;

(E)

coordinate with officials of State and local governments, international partners of the United States, owners and operators of covered critical infrastructure specified in the declaration, and other relevant private section entities to respond to the national cyber emergency;

(F)

initiate a process under section 248 to address the cyber risk that may be exploited by the national cyber emergency; and

(G)

provide voluntary technical assistance, if requested, under section 242(f)(1)(S).

(4)

Reimbursement

A Federal agency shall be reimbursed for expenditures under this section from funds appropriated for the purposes of this section. Any funds received by a Federal agency as reimbursement for services or supplies furnished under the authority of this section shall be deposited to the credit of the appropriation or appropriations available on the date of the deposit for the services or supplies.

(5)

Consultation

In carrying out this section, the Director shall consult with the Secretary, the Secretary of Defense, the Director of the National Security Agency, the Director of the National Institute of Standards and Technology, and any other official, as directed by the President.

(6)

Prohibited actions

The authority to direct compliance with an emergency measure or action under this section shall not authorize the Director, the Center, the Department, or any other Federal entity to—

(A)

restrict or prohibit communications carried by, or over, covered critical infrastructure and not specifically directed to or from the covered critical infrastructure unless the Director determines that no other emergency measure or action will preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of the covered critical infrastructure or the national information infrastructure;

(B)

control covered critical infrastructure;

(C)

compel the disclosure of information unless specifically authorized by law; or

(D)

intercept a wire, oral, or electronic communication (as those terms are defined in section 2510 of title 18, United States Code), access a stored electronic or wire communication, install or use a pen register or trap and trace device, or conduct electronic surveillance (as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801)) relating to an incident, unless otherwise authorized under chapter 119, chapter 121, or chapter 206 of title 18, United States Code, or the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).

(7)

Privacy

In carrying out this section, the Director shall ensure that the privacy and civil liberties of United States persons are protected.

(b)

Discontinuance of emergency measures

(1)

In general

Any emergency measure or action developed under this section shall cease to have effect not later than 30 days after the date on which the President issued the declaration of a national cyber emergency, unless—

(A)

the Director details in writing why the emergency measure or action remains necessary to address the identified national cyber emergency; and

(B)

the President issues a written order or directive reaffirming the national cyber emergency, the continuing nature of the national cyber emergency, or the need to continue the adoption of the emergency measure or action.

(2)

Extensions

An emergency measure or action extended in accordance with paragraph (1) may—

(A)

remain in effect for not more than 30 days after the date on which the emergency measure or action was to cease to have effect; and

(B)

unless a joint resolution described in subsection (f)(1) is enacted, be extended for not more than 3 additional 30-day periods, if the requirements of paragraph (1) and subsection (d) are met.

(c)

Compliance with emergency measures

(1)

In general

Subject to paragraph (2), the owner or operator of covered critical infrastructure shall immediately comply with any emergency measure or action developed by the Director under this section during the pendency of any declaration by the President under subsection (a)(1) or an extension under subsection (b)(2).

(2)

Alternative measures

(A)

In general

If the Director determines that a proposed security measure, or any combination thereof, submitted by the owner or operator of covered critical infrastructure in accordance with the process established under section 248(b)(2) will effectively mitigate or remediate the cyber risk associated with the national cyber emergency that is the subject of the declaration under this section, or effectively mitigate or remediate the consequences of the potential disruption of the covered critical infrastructure based on the cyber risk at least as effectively as the emergency measures or actions directed by the Director under this section, the owner or operator may comply with paragraph (1) of this subsection by implementing the proposed security measure, or combination thereof, approved by the Director under the process established under section 248.

(B)

Compliance pending submission or approval

Before submission of a proposed security measure, or combination thereof, and during the pendency of any review by the Director under the process established under section 248, the owner or operator of covered critical infrastructure shall remain in compliance with any emergency measure or action developed by the Director under this section during the pendency of any declaration by the President under subsection (a)(1) or an extension under subsection (b)(2), until such time as the Director has approved an alternative proposed security measure, or combination thereof, under this paragraph.

(3)

International cooperation on national cyber emergencies

(A)

In general

The Director, in coordination with the head of the sector-specific agency with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, shall—

(i)

consistent with the protection of intelligence sources and methods and other sensitive matters, inform the owner or operator of information infrastructure located outside the United States the disruption of which could result in national or regional catastrophic damage in the United States and the government of the country in which the information infrastructure is located of any cyber risks to the information infrastructure that led to the declaration of a national cyber emergency; and

(ii)

coordinate with the government of the country in which the information infrastructure is located and, as appropriate, the owner or operator of the information infrastructure, regarding the implementation of emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of covered critical infrastructure that is the subject of the national cyber emergency.

(B)

International agreements

The Director shall carry out this paragraph in a manner consistent with applicable international agreements.

(d)

Reporting

(1)

In general

Except as provided in paragraph (2), the President shall ensure that any declaration under subsection (a)(1) or any extension under subsection (b)(2) is reported to the appropriate committees of Congress before the Director mandates any emergency measure or actions under subsection (a)(3).

(2)

Exception

If notice cannot be given under paragraph (1) before mandating any emergency measure or actions under subsection (a)(3), the President shall provide the report required under paragraph (1) as soon as possible, along with a statement of the reasons for not providing notice in accordance with paragraph (1).

(3)

Contents

Each report under this subsection shall describe—

(A)

the nature of the national cyber emergency;

(B)

the reasons that risk-based security requirements under section 248 are not sufficient to address the national cyber emergency;

(C)

the actions necessary to preserve the reliable operation and mitigate the consequences of the potential disruption of covered critical infrastructure; and

(D)

in the case of an extension of a national cyber emergency under subsection (b)(2)—

(i)

why the emergency measures or actions continue to be necessary to address the national cyber emergency; and

(ii)

when the President expects the national cyber emergency to abate.

(e)

Statutory defenses and civil liability limitations for compliance with emergency measures

(1)

Definitions

In this subsection—

(A)

the term covered civil action

(i)

means a civil action filed in a Federal or State court against a covered entity; and

(ii)

does not include an action brought under section 2520 or 2707 of title 18, United States Code, or section 110 or 308 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1810 and 1828);

(B)

the term covered entity means any entity that owns or operates covered critical infrastructure, including any owner, operator, officer, employee, agent, landlord, custodian, provider of information technology, or other person acting for or on behalf of that entity with respect to the covered critical infrastructure; and

(C)

the term noneconomic damages means damages for losses for physical and emotional pain, suffering, inconvenience, physical impairment, mental anguish, disfigurement, loss of enjoyment of life, loss of society and companionship, loss of consortium, hedonic damages, injury to reputation, and any other nonpecuniary losses.

(2)

Application of limitations on civil liability

The limitations on civil liability under paragraph (3) apply if—

(A)

the President has issued a declaration of national cyber emergency under subsection (a)(1);

(B)

the Director has—

(i)

issued emergency measures or actions for which compliance is required under subsection (c)(1); or

(ii)

approved security measures under subsection (c)(2);

(C)

the covered entity is in compliance with—

(i)

the emergency measures or actions required under subsection (c)(1); or

(ii)

security measures which the Director has approved under subsection (c)(2); and

(D)
(i)

the Director certifies to the court in which the covered civil action is pending that the actions taken by the covered entity during the period covered by the declaration under subsection (a)(1) were consistent with—

(I)

emergency measures or actions for which compliance is required under subsection (c)(1); or

(II)

security measures which the Director has approved under subsection (c)(2); or

(ii)

notwithstanding the lack of a certification, the covered entity demonstrates by a preponderance of the evidence that the actions taken during the period covered by the declaration under subsection (a)(1) are consistent with the implementation of—

(I)

emergency measures or actions for which compliance is required under subsection (c)(1); or

(II)

security measures which the Director has approved under subsection (c)(2).

(3)

Limitations on civil liability

In any covered civil action that is related to any incident associated with a cyber risk covered by a declaration of a national cyber emergency and for which Director has issued emergency measures or actions for which compliance is required under subsection (c)(1) or for which the Director has approved security measures under subsection (c)(2), or that is the direct consequence of actions taken in good faith for the purpose of implementing security measures or actions which the Director has approved under subsection (c)(2)—

(A)

the covered entity shall not be liable for any punitive damages intended to punish or deter, exemplary damages, or other damages not intended to compensate a plaintiff for actual losses; and

(B)

noneconomic damages may be awarded against a defendant only in an amount directly proportional to the percentage of responsibility of such defendant for the harm to the plaintiff, and no plaintiff may recover noneconomic damages unless the plaintiff suffered physical harm.

(4)

Civil actions arising out of implementation of emergency measures or actions

A covered civil action may not be maintained against a covered entity that is the direct consequence of actions taken in good faith for the purpose of implementing specific emergency measures or actions for which compliance is required under subsection (c)(1), if—

(A)

the President has issued a declaration of national cyber emergency under subsection (a)(1) and the action was taken during the period covered by that declaration;

(B)

the Director has issued emergency measures or actions for which compliance is required under subsection (c)(1) or that the Director has approved under subsection (c)(2);

(C)

the covered entity is in compliance with the emergency measures required under subsection (c)(1) or that the Director has approved under subsection (c)(2); and

(D)
(i)

the Director certifies to the court in which the covered civil action is pending that the actions taken by the entity during the period covered by the declaration under subsection (a)(1) were consistent with the implementation of emergency measures or actions for which compliance is required under subsection (c)(1) or that the Director has approved under subsection (c)(2); or

(ii)

notwithstanding the lack of a certification, the entity demonstrates by a preponderance of the evidence that the actions taken during the period covered by the declaration under subsection (a)(1) are consistent with the implementation of emergency measures or actions for which compliance is required under subsection (c)(1) or that the Director has approved under subsection (c)(2).

(5)

Certain actions not subject to limitations on liability

(A)

Additional or intervening acts

Paragraphs (2) through (4) shall not apply to a civil action relating to any additional or intervening acts or omissions by any covered entity.

(B)

Serious or substantial damage

Paragraph (4) shall not apply to any civil action brought by an individual—

(i)

whose recovery is otherwise precluded by application of paragraph (4); and

(ii)

who has suffered—

(I)

serious physical injury or death; or

(II)

substantial damage or destruction to his primary residence.

(C)

Rule of construction

Recovery available under subparagraph (B) shall be limited to those damages available under subparagraphs (A) and (B) of paragraph (3), except that neither reasonable and necessary medical benefits nor lifetime total benefits for lost employment income due to permanent and total disability shall be limited herein.

(D)

Indemnification

In any civil action brought under subparagraph (B), the United States shall defend and indemnify any covered entity. Any covered entity defended and indemnified under this subparagraph shall fully cooperate with the United States in the defense by the United States in any proceeding and shall be reimbursed the reasonable costs associated with such cooperation.

(f)

Joint resolution To extend cyber emergency

(1)

In general

For purposes of subsection (b)(2)(B), a joint resolution described in this paragraph means only a joint resolution—

(A)

the title of which is as follows: Joint resolution approving the extension of a cyber emergency; and

(B)

the matter after the resolving clause of which is as follows: That Congress approves the continuation of the emergency measure or action issued by the Director of the National Center for Cybersecurity and Communications on ____________ for not longer than an additional 120-day period., the blank space being filled in with the date on which the emergency measure or action to which the joint resolution applies was issued.

(2)

Procedure

(A)

No referral

A joint resolution described in paragraph (1) shall not be referred to a committee in either House of Congress and shall immediately be placed on the calendar.

(B)

Consideration

(i)

Debate limitation

A motion to proceed to a joint resolution described in paragraph (1) is highly privileged in the House of Representatives and is privileged in the Senate and is not debatable. The motion is not subject to a motion to postpone. In the Senate, consideration of the joint resolution, and on all debatable motions and appeals in connection therewith, shall be limited to not more than 10 hours, which shall be divided equally between the majority leader and the minority leader, or their designees. A motion further to limit debate is in order and not debatable. All points of order against the joint resolution (and against consideration of the joint resolution) are waived. An amendment to, or a motion to postpone, or a motion to proceed to the consideration of other business, or a motion to recommit the joint resolution is not in order.

(ii)

Passage

In the Senate, immediately following the conclusion of the debate on a joint resolution described in paragraph (1), and a single quorum call at the conclusion of the debate if requested in accordance with the rules of the Senate, the vote on passage of the joint resolution shall occur.

(iii)

Appeals

Appeals from the decisions of the Chair relating to the application of the rules of the Senate to the procedure relating to a joint resolution described in paragraph (1) shall be decided without debate.

(C)

Other House acts first

If, before the passage by 1 House of a joint resolution of that House described in paragraph (1), that House receives from the other House a joint resolution described in paragraph (1)—

(i)

the procedure in that House shall be the same as if no joint resolution had been received from the other House; and

(ii)

the vote on final passage shall be on the joint resolution of the other House.

(D)

Majority required for adoption

A joint resolution considered under this subsection shall require an affirmative vote of a majority of the Members, duly chosen and sworn, for adoption.

(3)

Rulemaking

This subsection is enacted by Congress—

(A)

as an exercise of the rulemaking power of the Senate and the House of Representatives, respectively, and is deemed to be part of the rules of each House, respectively but applicable only with respect to the procedure to be followed in that House in the case of a joint resolution described in paragraph (1), and it supersedes other rules only to the extent that it is inconsistent with such rules; and

(B)

with full recognition of the constitutional right of either House to change the rules (so far as they relate to the procedure of that House) at any time, in the same manner, and to the same extent as in the case of any other rule of that House.

(g)

Rule of construction

Nothing in this section shall be construed to—

(1)

alter or supersede the authority of the Secretary of Defense, the Attorney General, or the Director of National Intelligence in responding to a national cyber emergency; or

(2)

limit the authority of the Director under section 248, after a declaration issued under this section expires.

250.

Enforcement

(a)

Annual certification of compliance

(1)

In general

Not later than 6 months after the date on which the Director promulgates regulations under section 248(b), and every year thereafter, each owner or operator of covered critical infrastructure shall certify in writing to the Director whether the owner or operator has developed and implemented, or is implementing, security measures approved by the Director under section 248 and any applicable emergency measures or actions required under section 249 for any cyber risks and national cyber emergencies.

(2)

Failure to comply

If an owner or operator of covered critical infrastructure fails to submit a certification in accordance with paragraph (1), or if the certification indicates the owner or operator is not in compliance, the Director may issue an order requiring the owner or operator to submit proposed security measures under section 248 or comply with specific emergency measures or actions under section 249.

(b)

Risk-Based evaluations

(1)

In general

Consistent with the factors described in paragraph (3), the Director may perform an evaluation of the information infrastructure of any specific system or asset constituting covered critical infrastructure to assess the validity of a certification of compliance submitted under subsection (a)(1).

(2)

Document review and inspection

An evaluation performed under paragraph (1) may include—

(A)

a review of all documentation submitted to justify an annual certification of compliance submitted under subsection (a)(1); and

(B)

a physical or electronic inspection of relevant information infrastructure to which the security measures required under section 248 or the emergency measures or actions required under section 249 apply.

(3)

Evaluation selection factors

In determining whether sufficient risk exists to justify an evaluation under this subsection, the Director shall consider—

(A)

the specific cyber risks affecting or potentially affecting the information infrastructure of the specific system or asset constituting covered critical infrastructure;

(B)

any reliable intelligence or other information indicating a cyber risk or credible national cyber emergency to the information infrastructure of the specific system or asset constituting covered critical infrastructure;

(C)

actual knowledge or reasonable suspicion that the certification of compliance submitted by a specific owner or operator of covered critical infrastructure is false or otherwise inaccurate;

(D)

a request by a specific owner or operator of covered critical infrastructure for such an evaluation; and

(E)

such other risk-based factors as identified by the Director.

(4)

Sector-specific agencies

To carry out the risk-based evaluation authorized under this subsection, the Director may use the resources of a sector-specific agency with responsibility for the covered critical infrastructure or any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure with the concurrence of the head of the agency.

(5)

Information protection

Information provided to the Director during the course of an evaluation under this subsection shall be protected from disclosure in accordance with section 251.

(c)

Civil penalties

(1)

In general

Any person who violates section 248 or 249 shall be liable for a civil penalty.

(2)

No private right of action

Nothing in this section confers upon any person, except the Director, a right of action against an owner or operator of covered critical infrastructure to enforce any provision of this subtitle.

(d)

Limitation on civil liability

(1)

Definition

In this subsection—

(A)

the term covered civil action

(i)

means a civil action filed in a Federal or State court against a covered entity; and

(ii)

does not include an action brought under section 2520 or 2707 of title 18, United States Code, or section 110 or 308 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1810 and 1828);

(B)

the term covered entity means any entity that owns or operates covered critical infrastructure, including any owner, operator, officer, employee, agent, landlord, custodian, provider of information technology, or other person acting for or on behalf of that entity with respect to the covered critical infrastructure; and

(C)

the term noneconomic damages means damages for losses for physical and emotional pain, suffering, inconvenience, physical impairment, mental anguish, disfigurement, loss of enjoyment of life, loss of society and companionship, loss of consortium, hedonic damages, injury to reputation, and any other nonpecuniary losses.

(2)

Limitations on civil liability

If a covered entity experiences an incident related to a cyber risk identified under section 248(a), in any covered civil action for damages directly caused by the incident related to that cyber risk—

(A)

the covered entity shall not be liable for any punitive damages intended to punish or deter, exemplary damages, or other damages not intended to compensate a plaintiff for actual losses; and

(B)

noneconomic damages may be awarded against a defendant only in an amount directly proportional to the percentage of responsibility of such defendant for the harm to the plaintiff, and no plaintiff may recover noneconomic damages unless the plaintiff suffered physical harm.

(3)

Application

This subsection shall apply to claims made by any individual or nongovernmental entity, including claims made by a State or local government agency on behalf of such individuals or nongovernmental entities, against a covered entity—

(A)

whose proposed security measures, or combination thereof, satisfy the security performance requirements established under subsection 248(b) and have been approved by the Director;

(B)

that has been evaluated under subsection (b) and has been found by the Director to have implemented the proposed security measures approved under section 248; and

(C)

that is in actual compliance with the approved security measures at the time of the incident related to that cyber risk.

(4)

Limitation

This subsection shall only apply to harm directly caused by the incident related to the cyber risk and shall not apply to damages caused by any additional or intervening acts or omissions by the covered entity.

(5)

Rule of construction

Except as provided under paragraph (3), nothing in this subsection shall be construed to abrogate or limit any right, remedy, or authority that the Federal Government or any State or local government, or any entity or agency thereof, may possess under any law, or that any individual is authorized by law to bring on behalf of the government.

(e)

Report to Congress

The Director shall submit an annual report to the appropriate committees of Congress on the implementation and enforcement of the risk-based security performance requirements of covered critical infrastructure under subsection 248(b) and this section including—

(1)

the level of compliance of covered critical infrastructure with the risk-based security performance requirements issued under section 248(b);

(2)

how frequently the evaluation authority under subsection (b) was utilized and a summary of the aggregate results of the evaluations; and

(3)

any civil penalties imposed on covered critical infrastructure.

251.

Protection of information

(a)

Definition

In this section, the term covered information

(1)

means—

(A)

any information required to be submitted under sections 246, 248, and 249 to the Center by the owners and operators of covered critical infrastructure; and

(B)

any information submitted to the Center under the processes and procedures established under section 246 by State and local governments, private entities, and international partners of the United States regarding threats, vulnerabilities, and incidents affecting—

(i)

the Federal information infrastructure;

(ii)

information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community; or

(iii)

the national information infrastructure; and

(2)

shall not include any information described under paragraph (1), if that information is submitted to—

(A)

conceal violations of law, inefficiency, or administrative error;

(B)

prevent embarrassment to a person, organization, or agency; or

(C)

interfere with competition in the private sector.

(b)

Voluntarily shared critical infrastructure information

Covered information submitted in accordance with this section shall be treated as voluntarily shared critical infrastructure information under section 214, except that the requirement of section 214 that the information be voluntarily submitted, including the requirement for an express statement, shall not be required for submissions of covered information.

(c)

Guidelines

(1)

In general

Subject to paragraph (2), the Director shall develop and issue guidelines, in consultation with the Secretary, the Attorney General, and the National Cybersecurity Advisory Council, as necessary to implement this section.

(2)

Requirements

The guidelines developed under this section shall—

(A)

consistent with subsections (e)(2)(D) and (g) of section 214 and the processes, procedures, and guidelines developed under section 246(b), include provisions for information sharing among Federal, State, and local and officials, private entities, or international partners of the United States necessary to carry out the authorities and responsibilities of the Director;

(B)

be consistent, to the maximum extent possible, with policy guidance and implementation standards developed by the National Archives and Records Administration for controlled unclassified information, including with respect to marking, safeguarding, dissemination and dispute resolution; and

(C)

describe, with as much detail as possible, the categories and type of information entities should voluntarily submit under subsections (b) and (c)(1)(B) of section 246.

(d)

Process for reporting security problems

(1)

Establishment of process

The Director shall establish through regulation, and provide information to the public regarding, a process by which any person may submit a report to the Secretary regarding cybersecurity threats, vulnerabilities, and incidents affecting—

(A)

the Federal information infrastructure;

(B)

information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community; or

(C)

national information infrastructure.

(2)

Acknowledgment of receipt

If a report submitted under paragraph (1) identifies the person making the report, the Director shall respond promptly to such person and acknowledge receipt of the report.

(3)

Steps to address problem

The Director shall review and consider the information provided in any report submitted under paragraph (1) and, at the sole, unreviewable discretion of the Director, determine what, if any, steps are necessary or appropriate to address any problems or deficiencies identified.

(4)

Disclosure of identity

(A)

In general

Except as provided in subparagraph (B), or with the written consent of the person, the Secretary may not disclose the identity of a person who has provided information described in paragraph (1).

(B)

Referral to the Attorney General

The Secretary shall disclose to the Attorney General the identity of a person described under subparagraph (A) if the matter is referred to the Attorney General for enforcement. The Director shall provide reasonable advance notice to the affected person if disclosure of that person’s identity is to occur, unless such notice would risk compromising a criminal or civil enforcement investigation or proceeding.

(e)

Rules of construction

Nothing in this section shall be construed to—

(1)

limit or otherwise affect the right, ability, duty, or obligation of any entity to use or disclose any information of that entity, including in the conduct of any judicial or other proceeding;

(2)

prevent the classification of information submitted under this section if that information meets the standards for classification under Executive Order 12958 or any successor of that order or affect measures and controls relating to the protection of classified information as prescribed by Federal statute or under Executive Order 12958, or any successor of that order;

(3)

limit the right of an individual to make any disclosure—

(A)

protected or authorized under section 2302(b)(8) or 7211 of title 5, United States Code;

(B)

to an appropriate official of information that the individual reasonably believes evidences a violation of any law, rule, or regulation, gross mismanagement, or substantial and specific danger to public health, safety, or security, and that is protected under any Federal or State law (other than those referenced in subparagraph (A)) that shields the disclosing individual against retaliation or discrimination for having made the disclosure if such disclosure is not specifically prohibited by law and if such information is not specifically required by Executive order to be kept secret in the interest of national defense or the conduct of foreign affairs; or

(C)

to the Special Counsel, the inspector general of an agency, or any other employee designated by the head of an agency to receive similar disclosures;

(4)

prevent the Director from using information required to be submitted under sections 246, 248, or 249 for enforcement of this subtitle, including enforcement proceedings subject to appropriate safeguards;

(5)

authorize information to be withheld from Congress, the Government Accountability Office, or Inspector General of the Department;

(6)

affect protections afforded to trade secrets under any other provision of law; or

(7)

create a private right of action for enforcement of any provision of this section.

(f)

Audit

(1)

In general

Not later than 1 year after the date of enactment of the Cybersecurity and Internet Freedom Act of 2011, the Inspector General of the Department shall conduct an audit of the management of information submitted under subsection (b) and report the findings to appropriate committees of Congress.

(2)

Contents

The audit under paragraph (1) shall include assessments of—

(A)

whether the information is adequately safeguarded against inappropriate disclosure;

(B)

the processes for marking and disseminating the information and resolving any disputes;

(C)

how the information is used for the purposes of this section, and whether that use is effective;

(D)

whether information sharing has been effective to fulfill the purposes of this section;

(E)

whether the kinds of information submitted have been appropriate and useful, or overbroad or overnarrow;

(F)

whether the information protections allow for adequate accountability and transparency of the regulatory, enforcement, and other aspects of implementing this subtitle; and

(G)

any other factors at the discretion of the Inspector General.

252.

Sector-specific agencies

(a)

In general

The head of each sector-specific agency and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating covered critical infrastructure shall coordinate with the Director on any activities of the sector-specific agency or Federal agency that relate to the efforts of the agency regarding security or resiliency of the national information infrastructure, including critical infrastructure and covered critical infrastructure, within or under the supervision of the agency.

(b)

Duplicative reporting requirements

The head of each sector-specific agency and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating covered critical infrastructure shall coordinate with the Director to eliminate and avoid the creation of duplicate reporting or compliance requirements relating to the security or resiliency of the national information infrastructure, including critical infrastructure and covered critical infrastructure, within or under the supervision of the agency.

(c)

Requirements

(1)

In general

To the extent that the head of each sector-specific agency and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating covered critical infrastructure has the authority to establish regulations, rules, or requirements or other required actions that are applicable to the security of national information infrastructure, including critical infrastructure and covered critical infrastructure, the head of that agency shall—

(A)

notify the Director in a timely fashion of the intent to establish the regulations, rules, requirements, or other required actions;

(B)

coordinate with the Director to ensure that the regulations, rules, requirements, or other required actions are consistent with, and do not conflict or impede, the activities of the Director under sections 247, 248, and 249; and

(C)

in coordination with the Director, ensure that the regulations, rules, requirements, or other required actions are implemented, as they relate to covered critical infrastructure, in accordance with subsection (a).

(2)

Coordination

Coordination under paragraph (1)(B) shall include the active participation of the Director in the process for developing regulations, rules, requirements, or other required actions.

(3)

Rule of construction

Nothing in this section shall be construed to provide additional authority for any sector-specific agency or any Federal agency that is not a sector-specific agency with responsibilities for regulating national information infrastructure, including critical infrastructure or covered critical infrastructure, to establish standards or other measures that are applicable to the security of national information infrastructure not otherwise authorized by law.

253.

Strategy for Federal cybersecurity supply chain management

(a)

In general

The Secretary, in consultation with the Director of Cyberspace Policy, the Director, the Secretary of Defense, the Secretary of Commerce, the Secretary of State, the Director of National Intelligence, the Administrator of General Services, the Administrator for Federal Procurement Policy, the other members of the Chief Information Officers Council established under section 3603 of title 44, United States Code, the Chief Acquisition Officers Council established under section 1311 of title 41, United States Code, the Chief Financial Officers Council established under section 302 of the Chief Financial Officers Act of 1990 (31 U.S.C. 901 note), and the private sector, shall develop, periodically update, and implement a supply chain risk management strategy designed to ensure, based on mission criticality and cost effectiveness, the security of the Federal information infrastructure, including protection against unauthorized access to, alteration of information in, disruption of operations of, interruption of communications or services of, and insertion of malicious software, engineering vulnerabilities, or otherwise corrupting software, hardware, services, or products intended for use in Federal information infrastructure.

(b)

Contents

The supply chain risk management strategy developed under subsection (a) shall—

(1)

address risks in the supply chain during the entire life cycle of any part of the Federal information infrastructure;

(2)

place particular emphasis on—

(A)

securing critical information systems and the Federal information infrastructure;

(B)

developing processes that—

(i)

incorporate all-source intelligence analysis into assessments of the supply chain for the Federal information infrastructure;

(ii)

assess risks from potential suppliers providing critical components or services of the Federal information infrastructure;

(iii)

assess risks from individual components, including all subcomponents, or software used in or affecting the Federal information infrastructure;

(iv)

manage the quality, configuration, and security of software, hardware, and systems of the Federal information infrastructure throughout the life cycle of the software, hardware, or system, including components or subcomponents from secondary and tertiary sources;

(v)

detect the occurrence, reduce the likelihood of occurrence, and mitigate or remediate the risks associated with products containing counterfeit components or malicious functions;

(vi)

enhance developmental and operational test and evaluation capabilities, including software vulnerability detection methods and automated methods and tools that shall be integrated into acquisition policy practices by Federal agencies and, where appropriate, make the capabilities available for use by the private sector; and

(vii)

protect the intellectual property and trade secrets of suppliers of information and communications technology products and services;

(C)

the use of internationally recognized standards and standards developed by the private sector and developing a process, with the National Institute for Standards and Technology, to make recommendations for improvements of the standards;

(D)

identifying acquisition practices of Federal agencies that increase risks in the supply chain and developing a process to provide recommendations for revisions to those processes; and

(E)

sharing with the private sector, to the fullest extent possible, the threats identified in the supply chain and working with the private sector to develop responses to those threats as identified; and

(3)

to the maximum extent practicable, promote the ability of Federal agencies to procure authentic commercial off the shelf information and communications technology products and services from a diverse pool of suppliers.

(c)

Implementation

The Federal Acquisition Regulatory Council established under section 1302(a) of title 41, United States Code, shall—

(1)

amend the Federal Acquisition Regulation maintained under section 1303(a)(1) of title 41, United States Code, to—

(A)

incorporate, where relevant, the supply chain risk management strategy developed under subsection (a) to improve security throughout the acquisition process; and

(B)

direct that all software and hardware purchased by the Federal Government shall comply with standards developed or be interoperable with automated tools approved by the National Institute of Standards and Technology, to continually enhance security; and

(2)

develop a clause or set of clauses for inclusion in solicitations, contracts, and task and delivery orders that sets forth the responsibility of the contractor under the Federal Acquisition Regulation provisions implemented under this subsection.

(d)

Preferences for acquisition of commercial items

The strategy developed under this section, and any actions taken under subsection (c), shall be consistent with the preferences for the acquisition of commercial items under section 2377 of title 10, United States Code, and section 3307 of title 41, United States Code.

.

III

Federal information security management

301.

Coordination of Federal information policy

(a)

Findings

Congress finds that—

(1)

since 2002 the Federal Government has experienced multiple high-profile incidents that resulted in the theft of sensitive information amounting to more than the entire print collection contained in the Library of Congress, including personally identifiable information, advanced scientific research, and prenegotiated United States diplomatic positions; and

(2)

chapter 35 of title 44, United States Code, must be amended to increase the coordination of Federal agency activities and to enhance situational awareness throughout the Federal Government using more effective enterprise-wide automated monitoring, detection, and response capabilities.

(b)

In general

Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:

II

Information security

3550.

Purposes

The purposes of this subchapter are to—

(1)

provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support the Federal information infrastructure and the operations and assets of agencies;

(2)

recognize the highly networked nature of the current Federal information infrastructure and provide effective Government-wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities;

(3)

provide for development and maintenance of prioritized and risk-based security controls required to protect Federal information infrastructure and information systems; and

(4)

provide a mechanism for improved oversight of Federal agency information security programs.

(5)

acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the Nation that are designed, built, and operated by the private sector; and

(6)

recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.

3551.

Definitions

(a)

In general

Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter.

(b)

Additional definitions

In this subchapter:

(1)

The term agency information infrastructure

(A)

means information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, an agency, including information systems used or operated by another entity on behalf of the agency; and

(B)

does not include national security systems.

(2)

The term automated and continuous monitoring means monitoring at a frequency and sufficiency such that the data exchange requires little to no human involvement and is not interrupted.

(3)

The term incident means an occurrence that—

(A)

actually or imminently jeopardizes—

(i)

the information security of information infrastructure; or

(ii)

the information that information infrastructure processes, stores, receives, or transmits; or

(B)

constitutes a violation of security policies, security procedures, or acceptable use policies applicable to information infrastructure.

(4)

The term information infrastructure means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including programmable electronic devices and communications networks and any associated hardware, software, or data.

(5)

The term information security means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide—

(A)

integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;

(B)

confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

(C)

availability, by ensuring timely and reliable access to and use of information.

(6)

The term information technology has the meaning given that term in section 11101 of title 40.

(7)

The term management controls means safeguards or countermeasures for an information system that focus on the management of risk and the management of information system security.

(8)
(A)

The term national security system means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—

(i)

the function, operation, or use of which—

(I)

involves intelligence activities;

(II)

involves cryptologic activities related to national security;

(III)

involves command and control of military forces;

(IV)

involves equipment that is an integral part of a weapon or weapons system; or

(V)

subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or

(ii)

that is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

(B)

Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).

(9)

The term operational controls means the safeguards and countermeasures for an information system that are primarily implemented and executed by individuals, not systems.

(10)

The term risk means the potential for an unwanted outcome resulting from an incident, as determined by the likelihood of the occurrence of the incident and the associated consequences, including potential for an adverse outcome assessed as a function of threats, vulnerabilities, and consequences associated with an incident.

(11)

The term risk-based security means security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to, or modification, of information, including assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability.

(12)

The term security controls means the management, operational, and technical controls prescribed for an information system to protect the information security of the system.

(13)

The term technical controls means the safeguards or countermeasures for an information system that are primarily implemented and executed by the information system through mechanism contained in the hardware, software, or firmware components of the system.

3552.

Authority and functions of the National Center for Cybersecurity and Communications

(a)

In general

The Director of the National Center for Cybersecurity and Communications shall—

(1)

develop, oversee the implementation of, and enforce policies, principles, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) and subtitle E of title II of the Homeland Security Act of 2002;

(2)

provide to agencies security controls that agencies shall be required to be implemented to mitigate and remediate vulnerabilities, attacks, and exploitations discovered as a result of activities required under this subchapter or subtitle E of title II of the Homeland Security Act of 2002;

(3)

to the extent practicable—

(A)

prioritize the policies, principles, standards, and guidelines promulgated under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3), paragraph (1), and subtitle E of title II of the Homeland Security Act of 2002, based upon the risk of an incident; and

(B)

develop guidance that requires agencies to monitor, including automated and continuous monitoring of, the effective implementation of policies, principles, standards, and guidelines developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3), paragraph (1), and subtitle E of title II of the Homeland Security Act of 2002;

(C)

ensure the effective operation of technical capabilities within the National Center for Cybersecurity and Communications to enable automated and continuous monitoring of any information collected as a result of the guidance developed under subparagraph (B) and use the information to enhance the risk-based security of the Federal information infrastructure; and

(D)

ensure the effective operation of a secure system that satisfies information reporting requirements under sections 3553(c) and 3556(c);

(4)

require agencies, consistent with the standards developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) or paragraph (1) and the requirements of this subchapter, to identify and provide information security protections commensurate with the risk resulting from the disruption or unauthorized access, use, disclosure, modification, or destruction of—

(A)

information collected or maintained by or on behalf of an agency; or

(B)

information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;

(5)

oversee agency compliance with the requirements of this subchapter, including coordinating with the Office of Management and Budget to use any authorized action under section 11303 of title 40 to enforce accountability for compliance with such requirements;

(6)

review, at least annually, and approve or disapprove, agency information security programs required under section 3553(b); and

(7)

coordinate information security policies and procedures with the Administrator for Electronic Government and the Administrator for the Office of Information and Regulatory Affairs with related information resources management policies and procedures.

(b)

National security systems

The authorities of the Director of the National Center for Cybersecurity and Communications under this section shall not apply to national security systems.

3553.

Agency responsibilities

(a)

In general

The head of each agency shall—

(1)

be responsible for—

(A)

providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—

(i)

information collected or maintained by or on behalf of the agency; and

(ii)

agency information infrastructure;

(B)

complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including—

(i)

information security requirements, including security controls, developed by the Director of the National Center for Cybersecurity and Communications under section 3552, subtitle E of title II of the Homeland Security Act of 2002, or any other provision of law;

(ii)

information security policies, principles, standards, and guidelines promulgated under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) and section 3552(a)(1);

(iii)

information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; and

(iv)

ensuring the standards implemented for information systems and national security systems of the agency are complementary and uniform, to the extent practicable;

(C)

ensuring that information security management processes are integrated with agency strategic and operational planning and budget processes, including policies, procedures, and practices described in subsection (c)(1)(C);

(D)

as appropriate, maintaining secure facilities that have the capability of accessing, sending, receiving, and storing classified information;

(E)

maintaining a sufficient number of personnel with security clearances, at the appropriate levels, to access, send, receive and analyze classified information to carry out the responsibilities of this subchapter; and

(F)

ensuring that information security performance indicators and measures are included in the annual performance evaluations of all managers, senior managers, senior executive service personnel, and political appointees;

(2)

ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under the control of those officials, including through—

(A)

assessing the risk and magnitude of the harm that could result from the disruption or unauthorized access, use, disclosure, modification, or destruction of such information or information systems;

(B)

determining the levels of information security appropriate to protect such information and information systems in accordance with policies, principles, standards, and guidelines promulgated under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3), section 3552(a)(1), and subtitle E of title II of the Homeland Security Act of 2002, for information security categorizations and related requirements;

(C)

implementing policies and procedures to cost effectively reduce risks to an acceptable level;

(D)

periodically testing and evaluating information security controls and techniques to ensure that such controls and techniques are operating effectively; and

(E)

withholding all bonus and cash awards to senior agency officials accountable for the operation of such agency information infrastructure that are recognized by the Chief Information Security Officer as impairing the risk-based security information, information system, or agency information infrastructure;

(3)

delegate to a senior agency officer designated as the Chief Information Security Officer the authority and budget necessary to ensure and enforce compliance with the requirements imposed on the agency under this subchapter, subtitle E of title II of the Homeland Security Act of 2002, or any other provision of law, including—

(A)

overseeing the establishment, maintenance, and management of a security operations center that has technical capabilities that can, through automated and continuous monitoring—

(i)

detect, report, respond to, contain, remediate, and mitigate incidents that impair risk-based security of the information, information systems, and agency information infrastructure, in accordance with policy provided by the Director of the National Center for Cybersecurity and Communications;

(ii)

monitor and, on a risk-based basis, mitigate and remediate the vulnerabilities of every information system within the agency information infrastructure;

(iii)

continually evaluate risks posed to information collected or maintained by or on behalf of the agency and information systems and hold senior agency officials accountable for ensuring the risk-based security of such information and information systems;

(iv)

collaborate with the Director of the National Center for Cybersecurity and Communications and appropriate public and private sector security operations centers to address incidents that impact the security of information and information systems that extend beyond the control of the agency; and

(v)

report any incident described under clauses (i) and (ii), as directed by the policy of the Director of the National Center for Cybersecurity and Communications and the Inspector General of the agency;

(B)

collaborating with the Administrator for E–Government and the Chief Information Officer to establish, maintain, and update an enterprise network, system, storage, and security architecture, that can be accessed by the National Cybersecurity Communications Center and includes—

(i)

information on how security controls are implemented throughout the agency information infrastructure; and

(ii)

information on how the controls described under subparagraph (A) maintain the appropriate level of confidentiality, integrity, and availability of information and information systems based on—

(I)

the policy of the Director of the National Center for Cybersecurity and Communications; and

(II)

the standards or guidance developed by the National Institute of Standards and Technology;

(C)

developing, maintaining, and overseeing an agency-wide information security program as required by subsection (b);

(D)

developing, maintaining, and overseeing information security policies, procedures, and control techniques to address all applicable requirements, including those issued under section 3552;

(E)

training, consistent with the requirements of section 406 of the Cybersecurity and Internet Freedom Act of 2011, and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and

(F)

assisting senior agency officers concerning their responsibilities under paragraph (2);

(4)

ensure that the Chief Information Security Officer has a sufficient number of cleared and trained personnel with technical skills identified by the Director of the National Center for Cybersecurity and Communications as critical to maintaining the risk-based security of agency information infrastructure as required by the subchapter and other applicable laws;

(5)

ensure that the agency Chief Information Security Officer, in coordination with appropriate senior agency officials, reports not less than annually to the head of the agency on the effectiveness of the agency information security program, including progress of remedial actions;

(6)

ensure that the Chief Information Security Officer—

(A)

possesses necessary qualifications, including education, professional certifications, training, experience, and the security clearance required to administer the functions described under this subchapter; and

(B)

has information security duties as the primary duty of that officer; and

(7)

ensure that components of that agency establish and maintain an automated reporting mechanism that allows the Chief Information Security Officer with responsibility for the entire agency, and all components thereof, to implement, monitor, and hold senior agency officers accountable for the implementation of appropriate security policies, procedures, and controls of agency components.

(b)

Agency-Wide information security program

Each agency shall develop, document, and implement an agency-wide information security program, approved by the Director of the National Center for Cybersecurity and Communications under section 3552(a)(6) and consistent with components across and within agencies, to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes—

(1)

frequent assessments, at least twice each month—

(A)

of the risk and magnitude of the harm that could result from the disruption or unauthorized access, use, disclosure, modification, or destruction of information and information systems that support the operations and assets of the agency; and

(B)

that assess whether information or information systems should be removed or migrated to more secure networks or standards and make recommendations to the head of the agency and the Director of the National Center for Cybersecurity and Communications based on that assessment;

(2)

consistent with guidance developed under section 3554, vulnerability assessments and penetration tests commensurate with the risk posed to an agency information infrastructure;

(3)

ensure that information security vulnerabilities are remediated or mitigated based on the risk posed to the agency;

(4)

policies and procedures that—

(A)

are informed and revised by the assessments required under paragraphs (1) and (2);

(B)

cost effectively reduce information security risks to an acceptable level;

(C)

ensure that information security is addressed throughout the life cycle of each agency information system; and

(D)

ensure compliance with—

(i)

the requirements of this subchapter;

(ii)

policies and procedures prescribed by the Director of the National Center for Cybersecurity and Communications;

(iii)

minimally acceptable system configuration requirements, as determined by the Director of the National Center for Cybersecurity and Communications; and

(iv)

any other applicable requirements, including standards and guidelines for national security systems issued in accordance with law and as directed by the President;

(5)

subordinate plans for providing risk-based information security for networks, facilities, and systems or groups of information systems, as appropriate;

(6)

role-based security awareness training, consistent with the requirements of section 406 of the Cybersecurity and Internet Freedom Act of 2011, to inform personnel with access to the agency network, including contractors and other users of information systems that support the operations and assets of the agency, of—

(A)

information security risks associated with agency activities; and

(B)

agency responsibilities in complying with agency policies and procedures designed to reduce those risks;

(7)

periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a rigor and frequency depending on risk, which shall include—

(A)

testing and evaluation not less than twice each year of security controls of information collected or maintained by or on behalf of the agency and every information system identified in the inventory required under section 3505(c);

(B)

the effectiveness of ongoing monitoring, including automated and continuous monitoring, vulnerability scanning, and intrusion detection and prevention of incidents posed to the risk-based security of information and information systems as required under subsection (a)(3); and

(C)

testing relied on in—

(i)

an operational evaluation under section 3554;

(ii)

an independent assessment under section 3556; or

(iii)

another evaluation, to the extent specified by the Director of the National Center for Cybersecurity and Communications;

(8)

a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;

(9)

procedures for detecting, reporting, and responding to incidents, consistent with requirements issued under section 3552, that include—

(A)

to the extent practicable, automated and continuous monitoring of the use of information and information systems;

(B)

requirements for mitigating risks and remediating vulnerabilities associated with such incidents systemically within the agency information infrastructure before substantial damage is done; and

(C)

notifying and coordinating with the Director of the National Center for Cybersecurity and Communications, as required by this subchapter, subtitle E of title II of the Homeland Security Act of 2002, and any other provision of law; and

(10)

plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

(c)

Agency reporting

(1)

In general

Each agency shall—

(A)

ensure that information relating to the adequacy and effectiveness of information security policies, procedures, and practices, is available to the entities identified under paragraph (2) through the system developed under section 3552(a)(3), including information relating to—

(i)

compliance with the requirements of this subchapter;

(ii)

the effectiveness of the information security policies, procedures, and practices of the agency based on a determination of the aggregate effect of identified deficiencies and vulnerabilities;

(iii)

an identification and analysis of any significant deficiencies identified in such policies, procedures, and practices;

(iv)

an identification of any vulnerability that could impair the risk-based security of the agency information infrastructure; and

(v)

results of any operational evaluation conducted under section 3554 and plans of action to address the deficiencies and vulnerabilities identified as a result of such operational evaluation;

(B)

follow the policy, guidance, and standards of the Director of the National Center for Cybersecurity and Communications, in consultation with the Federal Information Security Taskforce, to continually update, and ensure the electronic availability of both a classified and unclassified version of the information required under subparagraph (A);

(C)

ensure the information under subparagraph (A) addresses the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to—

(i)

annual agency budgets;

(ii)

information resources management of this subchapter;

(iii)

information technology management and procurement under this chapter or any other applicable provision of law;

(iv)

subtitle E of title II of the Homeland Security Act of 2002;

(v)

program performance under sections 1105 and 1115 through 1119 of title 31, and sections 2801 and 2805 of title 39;

(vi)

financial management under chapter 9 of title 31, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101–576) (and the amendments made by that Act);

(vii)

financial management systems under the Federal Financial Management Improvement Act (31 U.S.C. 3512 note);

(viii)

internal accounting and administrative controls under section 3512 of title 31; and

(ix)

performance ratings, salaries, and bonuses provided to the senior managers and supporting personnel taking into account program performance as it relates to complying with this subchapter; and

(D)

report any significant deficiency in a policy, procedure, or practice identified under subparagraph (A) or (B)—

(i)

as a material weakness in reporting under section 3512 of title 31; and

(ii)

if relating to financial management systems, as an instance of a lack of substantial compliance under the Federal Financial Management Improvement Act (31 U.S.C. 3512 note).

(2)

Adequacy and effectiveness information

Information required under paragraph (1)(A) shall, to the extent possible and in accordance with applicable law, policy, guidance, and standards, be available on an automated and continuous basis to—

(A)

the Director of the National Center for Cybersecurity and Communications;

(B)

the Office of Management and Budget;

(C)

the Committee on Homeland Security and Governmental Affairs of the Senate;

(D)

the Committee on Government Oversight and Reform of the House of Representatives;

(E)

the Committee on Homeland Security of the House of Representatives;

(F)

other appropriate authorization and appropriations committees of Congress;

(G)

the Inspector General of the Federal agency; and

(H)

the Comptroller General.

(d)

Inclusions in performance plans

(1)

In General

In addition to the requirements of subsection (c), each agency, in consultation with the Director of the National Center for Cybersecurity and Communications, shall include as part of the performance plan required under section 1115 of title 31 a description of the time periods the resources, including budget, staffing, and training, that are necessary to implement the program required under subsection (b).

(2)

Risk assessments

The description under paragraph (1) shall be based on the risk and vulnerability assessments required under subsection (b) and evaluations required under section 3554.

(e)

Notice and comment

Each agency shall provide the public with timely notice and opportunities for comment on proposed information security policies and procedures to the extent that such policies and procedures affect communication with the public.

(f)

More stringent standards

The head of an agency may employ standards for the cost effective information security for information systems within or under the supervision of that agency that are more stringent than the standards the Director of the National Center for Cybersecurity and Communications prescribes under this subchapter, subtitle E of title II of the Homeland Security Act of 2002, or any other provision of law, if the more stringent standards—

(1)

contain at least the applicable standards made compulsory and binding by the Director of the National Center for Cybersecurity and Communications; and

(2)

are otherwise consistent with policies and guidelines issued under section 3552.

3554.

Annual operational evaluation

(a)

Guidance

(1)

In general

Not later than 1 year after the date of enactment of the Cybersecurity and Internet Freedom Act of 2011 and each year thereafter, the Director of the National Center for Cybersecurity and Communications shall oversee, coordinate, and develop guidance for the effective implementation of operational evaluations of the Federal information infrastructure and agency information security programs and practices to determine the effectiveness of such program and practices.

(2)

Collaboration in development

In developing guidance for the operational evaluations described under this section, the Director of the National Center for Cybersecurity and Communications shall collaborate with the Federal Information Security Taskforce and the Council of Inspectors General on Integrity and Efficiency, and other agencies as necessary, to develop and update risk-based performance indicators and measures that assess the adequacy and effectiveness of information security of an agency and the Federal information infrastructure.

(3)

Contents of operational evaluation

Each operational evaluation under this section—

(A)

shall be prioritized based on risk; and

(B)

shall—

(i)

test the effectiveness of agency information security policies, procedures, and practices of the information systems of the agency, or a representative subset of those information systems;

(ii)

assess (based on the results of the testing) compliance with—

(I)

the requirements of this subchapter; and

(II)

related information security policies, procedures, standards, and guidelines;

(iii)

evaluate whether agencies—

(I)

effectively monitor, detect, analyze, protect, report, and respond to vulnerabilities and incidents;

(II)

report to and collaborate with the appropriate public and private security operation centers, the Director of the National Center for Cybersecurity and Communications, and law enforcement agencies; and

(III)

remediate or mitigate the risk posed by attacks and exploitations in a timely fashion in order to prevent future vulnerabilities and incidents; and

(iv)

identify deficiencies of agency information security policies, procedures, and controls on the agency information infrastructure.

(b)

Conduct an operational evaluation

(1)

In general

Except as provided under paragraph (2), and in consultation with the Chief Information Officer and senior officials responsible for the affected systems, the Chief Information Security Officer of each agency shall not less than annually—

(A)

conduct an operational evaluation of the agency information infrastructure for vulnerabilities, attacks, and exploitations of the agency information infrastructure;

(B)

evaluate the ability of the agency to monitor, detect, correlate, analyze, report, and respond to incidents; and

(C)

report to the head of the agency, the Director of the National Center for Cybersecurity and Communications, the Chief Information Officer, and the Inspector General for the agency the findings of the operational evaluation.

(2)

Satisfaction of requirements by other evaluation

Unless otherwise specified by the Director of the National Center for Cybersecurity and Communications, if the Director of the National Center for Cybersecurity and Communications conducts an operational evaluation of the agency information infrastructure under section 245(b)(2)(A) of the Homeland Security Act of 2002, the Chief Information Security Officer may deem the requirements of paragraph (1) satisfied for the year in which the operational evaluation described under this paragraph is conducted.

(c)

Corrective measures mitigation and remediation plans

(1)

In general

In consultation with the Director of the National Center for Cybersecurity and Communications and the Chief Information Officer, Chief Information Security Officers shall remediate or mitigate vulnerabilities in accordance with this subsection.

(2)

Risk-based plan

After an operational evaluation is conducted under this section or under section 245(b) of the Homeland Security Act of 2002, the agency shall submit to the Director of the National Center for Cybersecurity and Communications in a timely fashion a risk-based plan for addressing recommendations and mitigating and remediating vulnerabilities identified as a result of such operational evaluation, including a timeline and budget for implementing such plan.

(3)

Approval or disapproval

Not later than 15 days after receiving a plan submitted under paragraph (2), the Director of the National Center for Cybersecurity and Communications shall—

(A)

approve or disprove the agency plan; and

(B)

comment on the adequacy and effectiveness of the plan.

(4)

Isolation from infrastructure

(A)

In general

The Director of the National Center for Cybersecurity and Communications may, consistent with the contingency or continuity of operation plans applicable to such agency information infrastructure, order the isolation of any component of the Federal information infrastructure from any other Federal information infrastructure, if—

(i)

an agency does not implement measures in a risk-based plan approved under this subsection; and

(ii)

the failure to comply presents a significant danger to the Federal information infrastructure.

(B)

Duration

An isolation under subparagraph (A) shall remain in effect until—

(i)

the Director of the National Center for Cybersecurity and Communications determines that corrective measures have been implemented; or

(ii)

an updated risk-based plan is approved by the Director of the National Center for Cybersecurity and Communications and implemented by the agency.

(d)

Operational guidance

The Director of the National Center for Cybersecurity and Communications shall—

(1)

not later than 180 days after the date of enactment of the Cybersecurity and Internet Freedom Act of 2011, develop operational guidance for operational evaluations as required under this section that are risk-based and cost effective; and

(2)

periodically evaluate and ensure information is available on an automated and continuous basis through the system required under section 3552(a)(3)(D) to Congress on—

(A)

the adequacy and effectiveness of the operational evaluations conducted under this section or section 245(b) of the Homeland Security Act of 2002; and

(B)

possible executive and legislative actions for cost-effectively managing the risks to the Federal information infrastructure.

3555.

Federal Information Security Taskforce

(a)

Establishment

There is established in the executive branch a Federal Information Security Taskforce.

(b)

Membership

The members of the Federal Information Security Taskforce shall be full-time senior Government employees and shall be as follows:

(1)

The Director of the National Center for Cybersecurity and Communications.

(2)

The Administrator of the Office of Electronic Government of the Office of Management and Budget.

(3)

The Chief Information Security Officer of each agency described under section 901(b) of title 31.

(4)

The Chief Information Security Officer of the Department of the Army, the Department of the Navy, and the Department of the Air Force.

(5)

A representative from the Office of Cyberspace Policy.

(6)

A representative from the Office of the Director of National Intelligence.

(7)

A representative from the United States Cyber Command.

(8)

A representative from the National Security Agency.

(9)

A representative from the United States Computer Emergency Readiness Team.

(10)

A representative from the Intelligence Community Incident Response Center.

(11)

A representative from the Committee on National Security Systems.

(12)

A representative from the National Institute for Standards and Technology.

(13)

A representative from the Council of Inspectors General on Integrity and Efficiency.

(14)

A representative from State and local government.

(15)

Any other officer or employee of the United States designated by the chairperson.

(c)

Chairperson and Vice-Chairperson

(1)

Chairperson

The Director of the National Center for Cybersecurity and Communications shall act as chairperson of the Federal Information Security Taskforce.

(2)

Vice-chairperson

The vice-chairperson of the Federal Information Security Taskforce shall—

(A)

be selected by the Federal Information Security Taskforce from among its members;

(B)

serve a 1-year term and may serve multiple terms; and

(C)

serve as a liaison to the Chief Information Officer, Council of the Inspectors General on Integrity and Efficiency, Committee on National Security Systems, and other councils or committees as appointed by the chairperson.

(d)

Functions

The Federal Information Security Taskforce shall—

(1)

be the principal interagency forum for collaboration regarding best practices and recommendations for agency information security and the security of the Federal information infrastructure;

(2)

assist in the development of and annually evaluate guidance to fulfill the requirements under sections 3554 and 3556;

(3)

share experiences and innovative approaches relating to threats against the Federal information infrastructure, information sharing and information security best practices, penetration testing regimes, and incident response, mitigation, and remediation;

(4)

promote the development and use of standard performance indicators and measures for agency information security that—

(A)

are outcome-based;

(B)

focus on risk management;

(C)

align with the business and program goals of the agency;

(D)

measure improvements in the agency security posture over time; and

(E)

reduce burdensome and inefficient performance indicators and measures;

(5)

recommend to the Office of Personnel Management the necessary qualifications to be established for Chief Information Security Officers to be capable of administering the functions described under this subchapter including education, training, and experience;

(6)

enhance information system processes by establishing a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms; and

(7)

evaluate the effectiveness and efficiency of any reporting and compliance requirements that are required by law related to the information security of Federal information infrastructure; and

(8)

submit proposed enhancements developed under paragraphs (1) through (7) to the Director of the National Center for Cybersecurity and Communications.

(e)

Termination

(1)

In general

Except as provided under paragraph (2), the Federal Information Security Taskforce shall terminate 4 years after the date of enactment of the Cybersecurity and Internet Freedom Act of 2011.

(2)

Extension

The President may—

(A)

extend the Federal Information Security Taskforce by executive order; and

(B)

make more than 1 extension under this paragraph for any period as the President may determine.

3556.

Independent Assessments

(a)

In general

(1)

Inspectors General assessments

Not less than every 2 years, each agency with an Inspector General appointed under the Inspector General Act of 1978 (5 U.S.C. App.) or any other law shall assess the adequacy and effectiveness of the information security program developed under section 3553 (b) and (c), and evaluations conducted under section 3554.

(2)

Independent assessments

For each agency to which paragraph (1) does not apply, the head of the agency shall engage an independent external auditor to perform the assessment.

(b)

Standards

The assessments required under subsection (a) shall be performed in accordance with standards developed by the Government Accountability Office, in collaboration with the Council of Inspectors General on Integrity and Efficiency and with assistance from the Federal Information Security Taskforce.

(c)

Existing assessments

The assessments required under this section may be based in whole or in part on an audit, evaluation, or report relating to programs or practices of the applicable agency.

(d)

Reporting of Information

(1)

Inspectors general reporting

Each Inspector General shall ensure information obtained as a result of the assessment required under this section, or any other relevant information, is—

(A)

provided to the head of the agency, the agency Chief Information Security Officer, and the agency Chief Information Officer; and

(B)

available through the system required under section 3552(a)(3)(D) to Congress and the Director of the National Center for Cybersecurity and Communications.

(2)

Heads of agencies reporting

If an assessment described under subsection (a)(2) is performed, the head of the agency shall comply with the requirements of paragraph (1) (A) and (B).

3557.

Protection of Information

In complying with this subchapter, agencies, evaluators, and Inspectors General shall take appropriate actions to ensure the protection of information which, if disclosed, may adversely affect information security. Protections under this chapter shall be commensurate with the risk and comply with all applicable laws and regulations.

3558.

Department of Defense and Central Intelligence Agency systems

(a)

In general

The authorities of the Director of the National Center for Cybersecurity and Communications under this subchapter shall be delegated to—

(1)

the Secretary of Defense in the case of systems described under subsection (b); and

(2)

the Director of the Central Intelligence Agency in the case of systems described under subsection (c).

(b)

Department of Defense systems

The systems described under this subsection are systems that are operated by the Department of Defense, a contractor of the Department of Defense, or another entity on behalf of the Department of Defense that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Department of Defense.

(c)

Central Intelligence Agency systems

The systems described under this subsection are systems that are operated by the Central Intelligence Agency, a contractor of the Central Intelligence Agency, or another entity on behalf of the Central Intelligence Agency that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Central Intelligence Agency.

.

(c)

Technical and conforming amendments

(1)

Table of sections

The table of sections for chapter 35 of title 44, United States Code, is amended by striking the matter relating to subchapters II and III and inserting the following:

SUBCHAPTER II—Information security

3550. Purposes.

3551. Definitions.

3552. Authority and functions of the National Center for Cybersecurity and Communications.

3553. Agency responsibilities.

3554. Annual operational evaluation.

3555. Federal Information Security Taskforce.

3556. Independent assessments.

3557. Protection of information.

3558. Department of Defense and Central Intelligence Agency systems.

.

(2)

Other references

(A)

Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(c)(1)(A)) is amended by striking section 3532(3) and inserting section 3551(b).

(B)

Section 2222(j)(6) of title 10, United States Code, is amended by striking section 3542(b)(2)) and inserting section 3551(b).

(C)

Section 2223(c)(3) of title 10, United States Code, is amended, by striking section 3542(b)(2)) and inserting section 3551(b).

(D)

Section 2315 of title 10, United States Code, is amended by striking section 3542(b)(2)) and inserting section 3551(b).

(E)

Section 20(a)(2) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) is amended by striking section 3532(b)(2) and inserting section 3551(b).

(F)

Section 21(b)(2) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–4(b)(2)) is amended by striking Institute and and inserting Institute, the Director of the National Center on Cybersecurity and Communications, and.

(G)

Section 21(b)(3) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–4(b)(3)) is amended by inserting the Director of the National Center on Cybersecurity and Communications, after the Director of the National Security Agency,.

(H)

Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking section 3534(b) and inserting section 3553(b).

(3)

Homeland Security Act of 2002

(A)

Title X

The Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended by striking title X.

(B)

Table of contents

The table of contents in section 1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended by striking the matter relating to title X.

(d)

Repeal of other standards

(1)

In general

Section 11331 of title 40, United States Code, is repealed.

(2)

Technical and conforming amendments

(A)

Section 20(c)(3) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(c)(3)) is amended by striking under section 11331 of title 40, United States Code.

(B)

Section 20(d)(1) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(d)(1)) is amended by striking the Director of the Office of Management and Budget for promulgation under section 11331 of title 40, United States Code and inserting the Secretary of Commerce for promulgation.

(C)

Section 11302(d) of title 40, United States Code, is amended by striking under section 11331 of this title and.

(D)

Section 1874A (e)(2)(A)(ii) of the Social Security Act (42 U.S.C.1395kk-1 (e)(2)(A)(ii)) is amended by striking section 11331 of title 40, United States Code and inserting section 3552 of title 44, United States Code.

(E)

Section 3504(g)(2) of title 44, United States Code, is amended by striking section 11331 of title 40 and inserting section 3552 of title 44.

(F)

Section 3504(h)(1) of title 44, United States Code, is amended by inserting “, the Director of the National Center for Cybersecurity and Communications,” after the National Institute of Standards and Technology.

(G)

Section 3504(h)(1)(B) of title 44, United States Code, is amended by striking under section 11331 of title 40 and inserting section 3552 of title 44.

(H)

Section 3518(d) of title 44, United States Code, is amended by striking sections 11331 and 11332 and inserting section 11332.

(I)

Section 3602(f)(8) of title 44, United States Code, is amended by striking “under section 11331 of title 40.

(J)

Section 3603(f)(5) of title 44, United States Code, is amended by striking and promulgated under section 11331 of title 40,.

IV

Recruitment and professional development

401.

Definitions

In this title:

(1)

Cybersecurity mission

The term cybersecurity mission means the activities of the Federal Government that encompass the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as such activities relate to the security and stability of cyberspace.

(2)

Federal agency’s cybersecurity mission

The term Federal agency's cybersecurity mission means, with respect to any Federal agency, the portion of the cybersecurity mission that is the responsibility of the Federal agency.

402.

Assessment of cybersecurity workforce

(a)

In general

The Director of the Office of Personnel Management and the Director shall assess the readiness and capacity of the Federal workforce to meet the needs of the cybersecurity mission of the Federal Government.

(b)

Strategy

(1)

In general

The Director of the Office of Personnel Management, in consultation with the Director and the Director of the Office of Management and Budget, shall develop a comprehensive workforce strategy that enhances the readiness, capacity, training, and recruitment and retention of Federal cybersecurity personnel.

(2)

Contents

The strategy developed under paragraph (1) shall include—

(A)

a 5-year plan on recruitment of personnel for the Federal workforce; and

(B)

10-year and 20-year projections of workforce needs.

(3)

Dates for completion

The strategy under this subsection shall be—

(A)

completed not later than 180 days after the date of enactment of this Act; and

(B)

updated as needed.

403.

Strategic cybersecurity workforce planning

(a)

Federal agency development of strategic cybersecurity workforce plans

Not later than 180 days after the date of enactment of this Act and in every subsequent year, and subject to subsection (c)(2), the head of each Federal agency shall develop a strategic cybersecurity workforce plan as part of the Federal agency performance plan required under section 1115 of title 31, United States Code.

(b)

Basis and guidance for plans

Each Federal agency shall develop a plan prepared under subsection (a) on the basis of the assessment developed under section 402 and any subsequent guidance issued by the Director of the Office of Personnel Management, in consultation with the Director and the Director of the Office of Management and Budget.

(c)

Contents of the plan

(1)

In general

Subject to paragraph (2), each plan prepared under subsection (a) shall include—

(A)

a description of the Federal agency’s cybersecurity mission;

(B)

a description and analysis, relating to the specialized workforce needed by the Federal agency to fulfill the Federal agency’s cybersecurity mission, including—

(i)

the workforce needs of the Federal agency on the date of the report, and 10-year and 20-year projections of workforce needs;

(ii)

hiring projections to meet workforce needs, including, for at least a 2-year period, specific occupation and grade levels;

(iii)

long-term and short-term strategic goals to address critical skills deficiencies, including analysis of the numbers of and reasons for attrition of employees;

(iv)

recruitment strategies, including the use of student internships, part-time employment, student loan reimbursement, and telework, to attract highly qualified candidates from diverse backgrounds and geographic locations;

(v)

an assessment of the sources and availability of individuals with needed expertise;

(vi)

ways to streamline the hiring process;

(vii)

the barriers to recruiting and hiring individuals qualified in cybersecurity and recommendations to overcome the barriers; and

(viii)

a training and development plan, consistent with the curriculum developed under section 406, to enhance and improve the knowledge of employees.

(2)

Federal agencies with small specialized workforce

In accordance with guidance issued under subsection (b), a Federal agency that needs only a small specialized workforce to fulfill the Federal agency’s cybersecurity mission may, in lieu of developing a separate strategic cybersecurity workforce plan, present the workforce plan component referred to in paragraph (1)(A) and those components referred to in paragraph (1)(B) that are relevant and appropriate to the circumstances of the agency as part of the Federal agency performance plan required under section 1115 of title 31, United States Code.

404.

Cybersecurity occupation classifications

(a)

In general

Not later than 1 year after the date of enactment of this Act, the Director of the Office of Personnel Management, in coordination with the Director, shall develop and issue comprehensive occupation classifications for Federal employees engaged in cybersecurity missions.

(b)

Applicability of classifications

The Director of the Office of Personnel Management shall ensure that the comprehensive occupation classifications issued under subsection (a) may be used throughout the Federal Government.

405.

Measures of cybersecurity hiring effectiveness

(a)

In general

The head of each Federal agency shall measure, and collect information on, indicators of the effectiveness of the recruitment and hiring by the Federal agency of a workforce needed to fulfill the Federal agency’s cybersecurity mission.

(b)

Types of information

The indicators of effectiveness measured and subject to collection of information under subsection (a) shall include indicators with respect to the following:

(1)

Recruiting and hiring

In relation to recruiting and hiring by the Federal agency—

(A)

the ability to reach and recruit well-qualified individuals from diverse talent pools;

(B)

the use and impact of special hiring authorities and flexibilities to recruit the most qualified applicants, including the use of student internship and scholarship programs for permanent hires;

(C)

the use and impact of special hiring authorities and flexibilities to recruit diverse candidates, including criteria such as the veteran status, race, ethnicity, gender, disability, or national origin of the candidates; and

(D)

the educational level, and source of applicants.

(2)

Supervisors

In relation to the supervisors of the positions being filled—

(A)

satisfaction with the quality of the applicants interviewed and hired;

(B)

satisfaction with the match between the skills of the individuals and the needs of the Federal agency;

(C)

satisfaction of the supervisors with the hiring process and hiring outcomes;

(D)

whether any mission-critical deficiencies were addressed by the individuals and the connection between the deficiencies and the performance of the Federal agency; and

(E)

the satisfaction of the supervisors with the period of time elapsed to fill the positions.

(3)

Applicants

The satisfaction of applicants with the hiring process, including clarity of job announcements, any reasons for withdrawal of an application, the user-friendliness of the application process, communication regarding status of applications, and the timeliness of offers of employment.

(4)

Hired individuals

In relation to the individuals hired—

(A)

satisfaction with the hiring process;

(B)

satisfaction with the process of starting employment in the position for which the individual was hired;

(C)

attrition; and

(D)

the results of exit interviews.

(c)

Reports

(1)

In general

The head of each Federal agency shall submit the information collected under this section to the Director of the Office of Personnel Management on an annual basis and in accordance with the regulations issued under subsection (d).

(2)

Availability of recruiting and hiring information

(A)

In general

The Director of the Office of Personnel Management shall prepare an annual report containing the information received under paragraph (1) in a consistent format to allow for a comparison of hiring effectiveness and experience across demographic groups and Federal agencies.

(B)

Submission

The Director of the Office of Personnel Management shall—

(i)

not later than 90 days after the receipt of all information required to be submitted under paragraph (1), make the report prepared under subparagraph (A) publicly available, including on the website of the Office of Personnel Management; and

(ii)

before the date on which the report prepared under subparagraph (A) is made publicly available, submit the report to Congress.

(d)

Regulations

(1)

In general

Not later than 180 days after the date of enactment of this Act, the Director of the Office of Personnel Management shall issue regulations establishing the methodology, timing, and reporting of the data required to be submitted under this section.

(2)

Scope and detail of required information

The regulations under paragraph (1) shall delimit the scope and detail of the information that a Federal agency is required to collect and submit under this section, taking account of the size and complexity of the workforce that the Federal agency needs to fulfill the Federal agency’s cybersecurity mission.

406.

Training and education

(a)

Training

(1)

Federal Government employees and Federal contractors

The Director of the Office of Personnel Management, in conjunction with the Director of the National Center for Cybersecurity and Communications, the Director of National Intelligence, the Secretary of Defense, and the Chief Information Officers Council established under section 3603 of title 44, United States Code, shall establish a cybersecurity awareness and education curriculum that shall be required for all Federal employees and contractors engaged in the design, development, or operation of agency information infrastructure, as defined under section 3551 of title 44, United States Code.

(2)

Contents

The curriculum established under paragraph (1) may include—

(A)

role-based security awareness training;

(B)

recommended cybersecurity practices;

(C)

cybersecurity recommendations for traveling abroad;

(D)

unclassified counterintelligence information;

(E)

information regarding industrial espionage;

(F)

information regarding malicious activity online;

(G)

information regarding cybersecurity and law enforcement;

(H)

identity management information;

(I)

information regarding supply chain security;

(J)

information security risks associated with the activities of Federal employees; and

(K)

the responsibilities of Federal employees in complying with policies and procedures designed to reduce information security risks identified under subparagraph (J).

(3)

Federal cybersecurity professionals

The Director of the Office of Personnel Management in conjunction with the Director of the National Center for Cybersecurity and Communications, the Director of National Intelligence, the Secretary of Defense, the Director of the Office of Management and Budget, and, as appropriate, colleges, universities, and nonprofit organizations with cybersecurity training expertise, shall develop a program, to provide training to improve and enhance the skills and capabilities of Federal employees engaged in the cybersecurity mission, including training specific to the acquisition workforce.

(4)

Heads of Federal agencies

Not later than 30 days after the date on which an individual is appointed to a position at level I or II of the Executive Schedule, the Director of the National Center for Cybersecurity and Communications and the Director of National Intelligence, or their designees, shall provide that individual with a cybersecurity threat briefing.

(5)

Certification

The head of each Federal agency shall include in the annual report required under section 3553(c) of title 44, United States Code, a certification regarding whether all officers, employees, and contractors of the Federal agency have completed the training required under this subsection.

(b)

Education

(1)

Federal employees

The Director of the Office of Personnel Management, in coordination with the Secretary of Education, the Director of the National Science Foundation, and the Director, shall develop and implement a strategy to provide Federal employees who work in cybersecurity missions with the opportunity to obtain additional education.

(2)

K through 12

The Secretary of Education, in coordination with the Director of the National Center for Cybersecurity and Communications and State and local governments, shall develop curriculum standards, guidelines, and recommended courses to address cyber safety, cybersecurity, and cyber ethics for students in kindergarten through grade 12.

(3)

Undergraduate, graduate, vocational, and technical institutions

(A)

Secretary of education

The Secretary of Education, in coordination with the Director of the National Center for Cybersecurity and Communications, shall—

(i)

develop curriculum standards and guidelines to address cyber safety, cybersecurity, and cyber ethics for all students enrolled in undergraduate, graduate, vocational, and technical institutions in the United States; and

(ii)

analyze and develop recommended courses for students interested in pursuing careers in information technology, communications, computer science, engineering, math, and science, as those subjects relate to cybersecurity.

(B)

Office of personnel management

The Director of the Office of Personnel Management, in coordination with the Director, shall develop strategies and programs—

(i)

to recruit students from undergraduate, graduate, vocational, and technical institutions in the United States to serve as Federal employees engaged in cyber missions; and

(ii)

that provide internship and part-time work opportunities with the Federal Government for students at the undergraduate, graduate, vocational, and technical institutions in the United States.

(c)

Cyber talent competitions and challenges

(1)

In general

The Director of the National Center for Cybersecurity and Communications shall establish a program to ensure the effective operation of national and statewide competitions and challenges that seek to identify, develop, and recruit talented individuals to work in Federal agencies, State and local government agencies, and the private sector to perform duties relating to the security of the Federal information infrastructure or the national information infrastructure.

(2)

Groups and individuals

The program under this subsection shall include—

(A)

high school students;

(B)

undergraduate students;

(C)

graduate students;

(D)

academic and research institutions;

(E)

veterans; and

(F)

other groups or individuals as the Director may determine.

(3)

Support of other competitions and challenges

The program under this subsection may support other competitions and challenges not established under this subsection through affiliation and cooperative agreements with—

(A)

Federal agencies;

(B)

regional, State, or community school programs supporting the development of cyber professionals; or

(C)

other private sector organizations.

(4)

Areas of talent

The program under this subsection shall seek to identify, develop, and recruit exceptional talent relating to—

(A)

ethical hacking;

(B)

penetration testing;

(C)

vulnerability assessment;

(D)

continuity of system operations;

(E)

cyber forensics; and

(F)

offensive and defensive cyber operations.

407.

Cybersecurity incentives

(a)

Awards

In making cash awards under chapter 45 of title 5, United States Code, the President or the head of a Federal agency, in consultation with the Director, shall consider the success of an employee in fulfilling the objectives of the National Strategy, in a manner consistent with any policies, guidelines, procedures, instructions, or standards established by the President.

(b)

Other incentives

The head of each Federal agency shall adopt best practices, developed by the Director of the National Center for Cybersecurity and Communications and the Office of Management and Budget, regarding effective ways to educate and motivate employees of the Federal Government to demonstrate leadership in cybersecurity, including—

(1)

promotions and other nonmonetary awards; and

(2)

publicizing information sharing accomplishments by individual employees and, if appropriate, the tangible benefits that resulted.

408.

Recruitment and retention program for the National Center for Cybersecurity and Communications

(a)

Definitions

In this section:

(1)

Center

The term Center means the National Center for Cybersecurity and Communications.

(2)

Department

The term Department means the Department of Homeland Security.

(3)

Director

The term Director means the Director of the Center.

(4)

Entry level position

The term entry level position means a position that—

(A)

is established by the Director in the Center; and

(B)

is classified at GS–7, GS–8, or GS–9 of the General Schedule.

(5)

Secretary

The term Secretary means the Secretary of Homeland Security.

(6)

Senior position

The term senior position means a position that—

(A)

is established by the Director in the Center; and

(B)

is not established under section 5108 of title 5, United States Code, but is similar in duties and responsibilities for positions established under that section.

(b)

Recruitment and retention program

(1)

Establishment

The Director may establish a program to assist in the recruitment and retention of highly skilled personnel to carry out the functions of the Center.

(2)

Consultation and considerations

In establishing a program under this section, the Director shall—

(A)

consult with the Secretary; and

(B)

consider—

(i)

national and local employment trends;

(ii)

the availability and quality of candidates;

(iii)

any specialized education or certifications required for positions;

(iv)

whether there is a shortage of certain skills; and

(v)

such other factors as the Director determines appropriate.

(c)

Hiring and special pay authorities

(1)

Direct hire authority

Without regard to the civil service laws (other than sections 3303 and 3328 of title 5, United States Code), the Director may appoint not more than 500 employees under this subsection to carry out the functions of the Center.

(2)

Rates of pay

(A)

Entry level positions

The Director may fix the pay of the employees appointed to entry level positions under this subsection without regard to chapter 51 and subchapter III of chapter 53 of title 5, United States Code, relating to classification of positions and General Schedule pay rates, except that the rate of pay for any such employee may not exceed the maximum rate of basic pay payable for a position at GS–10 of the General Schedule while that employee is in an entry level position.

(B)

Senior positions

(i)

In general

The Director may fix the pay of the employees appointed to senior positions under this subsection without regard to chapter 51 and subchapter III of chapter 53 of title 5, United States Code, relating to classification of positions and General Schedule pay rates, except that the rate of pay for any such employee may not exceed the maximum rate of basic pay payable under section 5376 of title 5, United States Code.

(ii)

Higher maximum rates

(I)

In general

Notwithstanding the limitation on rates of pay under clause (i)—

(aa)

not more than 20 employees, identified by the Director, may be paid at a rate of pay not to exceed the maximum rate of basic pay payable for a position at level I of the Executive Schedule under section 5312 of title 5, United States Code; and

(bb)

not more than 5 employees, identified by the Director with the approval of the Secretary, may be paid at a rate of pay not to exceed the maximum rate of basic pay payable for the Vice President under section 104 of title 3, United States Code.

(II)

Nondelegation of authority

The Secretary or the Director may not delegate any authority under this clause.

(d)

Conversion to Competitive Service

(1)

Definition

In this subsection, the term qualified employee means any individual appointed to an excepted service position in the Department who performs functions relating to the security of the Federal information infrastructure or national information infrastructure.

(2)

Competitive civil service status

In consultation with the Director, the Secretary may grant competitive civil service status to a qualified employee if that employee is—

(A)

employed in the Center; or

(B)

transferring to the Center.

(e)

Retention Bonuses

(1)

Authority

Notwithstanding section 5754 of title 5, United States Code, the Director may—

(A)

pay a retention bonus under that section to any individual appointed under this subsection, if the Director determines that, in the absence of a retention bonus, there is a high risk that the individual would likely leave employment with the Department; and

(B)

exercise the authorities of the Office of Personnel Management and the head of an agency under that section with respect to retention bonuses paid under this subsection.

(2)

Limitations on amount of annual bonuses

(A)

Definitions

In this paragraph:

(i)

Maximum total pay

The term maximum total pay means—

(I)

in the case of an employee described under subsection (c)(2)(B)(i), the total amount of pay paid in a calendar year at the maximum rate of basic pay payable for a position at level I of the Executive Schedule under section 5312 of title 5, United States Code;

(II)

in the case of an employee described under subsection (c)(2)(B)(ii)(I)(aa), the total amount of pay paid in a calendar year at the maximum rate of basic pay payable for a position at level I of the Executive Schedule under section 5312 of title 5, United States Code; and

(III)

in the case of an employee described under subsection (c)(2)(B)(ii)(I)(bb), the total amount of pay paid in a calendar year at the maximum rate of basic pay payable for the Vice President under section 104 of title 3, United States Code.

(ii)

Total compensation

The term total compensation means—

(I)

the amount of pay paid to an employee in any calendar year; and

(II)

the amount of all retention bonuses paid to an employee in any calendar year.

(B)

Limitation

The Director may not pay a retention bonus under this subsection to an employee that would result in the total compensation of that employee exceeding maximum total pay.

(f)

Termination of Authority

The authority to make appointments and pay retention bonuses under this section shall terminate 3 years after the date of enactment of this Act.

(g)

Reports

(1)

Plan for execution of authorities

Not later than 120 days after the date of enactment of this Act, the Director shall submit a report to the appropriate committees of Congress with a plan for the execution of the authorities provided under this section.

(2)

Annual report

Not later than 6 months after the date of enactment of this Act, and every year thereafter, the Director shall submit to the appropriate committees of Congress a detailed report that—

(A)

discusses how the actions taken during the period of the report are fulfilling the critical hiring needs of the Center;

(B)

assesses metrics relating to individuals hired under the authority of this section, including—

(i)

the numbers of individuals hired;

(ii)

the turnover in relevant positions;

(iii)

with respect to each individual hired—

(I)

the position for which hired;

(II)

the salary paid;

(III)

any retention bonus paid and the amount of the bonus;

(IV)

the geographic location from which hired;

(V)

the immediate past salary; and

(VI)

whether the individual was a noncareer appointee in the Senior Executive Service or an appointee to a position of a confidential or policy-determining character under schedule C of subpart C of part 213 of title 5 of the Code of Federal Regulations before the hiring; and

(iv)

whether public notice for recruitment was made, and if so—

(I)

the total number of qualified applicants;

(II)

the number of veteran preference eligible candidates who applied;

(III)

the time from posting to job offer; and

(IV)

statistics on diversity, including age, disability, race, gender, and national origin, of individuals hired under the authority of this section to the extent such statistics are available; and

(C)

includes rates of pay set in accordance with subsection (c).

V

Other provisions

501.

Cybersecurity research and development

Subtitle D of title II of the Homeland Security Act of 2002 (6 U.S.C. 161 et seq.) is amended by adding at the end the following:

238.

Cybersecurity research and development

(a)

Establishment of research and development program

The Under Secretary for Science and Technology, in coordination with the Director of the National Center for Cybersecurity and Communications, shall carry out a research and development program for the purpose of improving the security of information infrastructure.

(b)

Eligible projects

The research and development program carried out under subsection (a) may include projects to—

(1)

advance the development and accelerate the deployment of more secure versions of fundamental Internet protocols and architectures, including for the secure domain name addressing system and routing security;

(2)

improve and create technologies for detecting and analyzing attacks or intrusions, including analysis of malicious software;

(3)

improve and create mitigation and recovery methodologies, including techniques for containment of attacks and development of resilient networks and systems;

(4)

develop and support infrastructure and tools to support cybersecurity research and development efforts, including modeling, testbeds, and data sets for assessment of new cybersecurity technologies;

(5)

assist the development and support of technologies to reduce vulnerabilities in process control systems;

(6)

understand human behavioral factors that can affect cybersecurity technology and practices;

(7)

test, evaluate, and facilitate, with appropriate protections for any proprietary information concerning the technologies, the transfer of technologies associated with the engineering of less vulnerable software and securing the information technology software development lifecycle;

(8)

assist the development of identity management and attribution technologies;

(9)

assist the development of technologies designed to increase the security and resiliency of telecommunications networks;

(10)

advance the protection of privacy and civil liberties in cybersecurity technology and practices; and

(11)

address other risks identified by the Director of the National Center for Cybersecurity and Communications.

(c)

Coordination with other research initiatives

The Under Secretary—

(1)

shall ensure that the research and development program carried out under subsection (a) is consistent with the national strategy to increase the security and resilience of cyberspace developed by the Director of Cyberspace Policy under section 101 of the Cybersecurity and Internet Freedom Act of 2011, or any succeeding strategy;

(2)

shall, to the extent practicable, coordinate the research and development activities of the Department with other ongoing research and development security-related initiatives, including research being conducted by—

(A)

the National Institute of Standards and Technology;

(B)

the National Science Foundation;

(C)

the National Academy of Sciences;

(D)

other Federal agencies, as defined under section 241;

(E)

other Federal and private research laboratories, research entities, and universities and institutions of higher education, and relevant nonprofit organizations; and

(F)

international partners of the United States;

(3)

shall carry out any research and development project under subsection (a) through a reimbursable agreement with an appropriate Federal agency, as defined under section 241, if the Federal agency—

(A)

is sponsoring a research and development project in a similar area; or

(B)

has a unique facility or capability that would be useful in carrying out the project;

(4)

may make grants to, or enter into cooperative agreements, contracts, other transactions, or reimbursable agreements with, the entities described in paragraph (2); and

(5)

shall submit a report to the appropriate committees of Congress on a review of the cybersecurity activities, and the capacity, of the national laboratories and other research entities available to the Department to determine if the establishment of a national laboratory dedicated to cybersecurity research and development is necessary.

(d)

Privacy and civil rights and civil liberties issues

(1)

Consultation

In carrying out research and development projects under subsection (a), the Under Secretary shall consult with the Privacy Officer appointed under section 222 and the Officer for Civil Rights and Civil Liberties of the Department appointed under section 705.

(2)

Privacy impact assessments

In accordance with sections 222 and 705, the Privacy Officer shall conduct privacy impact assessments and the Officer for Civil Rights and Civil Liberties shall conduct reviews, as appropriate, for research and development projects carried out under subsection (a) that the Under Secretary determines could have an impact on privacy, civil rights, or civil liberties.

239.

National Cybersecurity Advisory Council

(a)

Establishment

Not later than 90 days after the date of enactment of this section, the Secretary shall establish an advisory committee under section 871 on private sector cybersecurity, to be known as the National Cybersecurity Advisory Council (in this section referred to as the Council).

(b)

Responsibilities

(1)

In general

The Council shall advise the Director of the National Center for Cybersecurity and Communications on the implementation of the cybersecurity provisions affecting the private sector under this subtitle and subtitle E.

(2)

Incentives and regulations

The Council shall advise the Director of the National Center for Cybersecurity and Communications and appropriate committees of Congress (as defined in section 241) and any other congressional committee with jurisdiction over the particular matter regarding how market incentives and regulations may be implemented to enhance the cybersecurity and economic security of the Nation.

(c)

Membership

(1)

In general

The members of the Council shall be appointed the Director of the National Center for Cybersecurity and Communications and shall, to the extent practicable, represent a geographic and substantive cross-section of owners and operators of critical infrastructure and others with expertise in cybersecurity, including, as appropriate—

(A)

representatives of covered critical infrastructure (as defined under section 241);

(B)

academic institutions with expertise in cybersecurity;

(C)

Federal, State, and local government agencies with expertise in cybersecurity;

(D)

a representative of the National Security Telecommunications Advisory Council, as established by Executive Order 12382 (47 Fed. Reg. 40531; relating to the establishment of the advisory council), as amended by Executive Order 13286 (68 Fed. Reg. 10619), as in effect on August 3, 2009, or any successor entity;

(E)

a representative of the Communications Sector Coordinating Council, or any successor entity;

(F)

a representative of the Information Technology Sector Coordinating Council, or any successor entity;

(G)

individuals, acting in their personal capacity, with demonstrated technical expertise in cybersecurity; and

(H)

such other individuals as the Director determines to be appropriate, including owners of small business concerns (as defined under section 3 of the Small Business Act (15 U.S.C. 632)).

(2)

Term

The members of the Council shall be appointed for 2 year terms and may be appointed to consecutive terms.

(3)

Leadership

The Chairperson and Vice-Chairperson of the Council shall be selected by members of the Council from among the members of the Council and shall serve 2-year terms.

(d)

Applicability of Federal Advisory Committee Act

The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the Council.

.

502.

Prioritized critical information infrastructure

(a)

In general

Section 210E(a)(2) of the Homeland Security Act of 2002 (6 U.S.C. 124l(a)(2)) is amended—

(1)

by striking In accordance and inserting the following:

(A)

In general

In accordance

; and

(2)

by adding at the end the following:

(B)

Considerations

In establishing and maintaining a list under subparagraph (A), the Secretary, in coordination with the Director of the National Center for Cybersecurity and Communications, shall consider cyber risks and consequences by sector, including—

(i)

the factors listed in section 248(a)(2);

(ii)

interdependencies between components of covered critical infrastructure (as defined under section 241); and

(iii)

the potential for the destruction or disruption of the system or asset to cause—

(I)

a mass casualty event which includes an extraordinary number of fatalities;

(II)

severe economic consequences;

(III)

mass evacuations with a prolonged absence; or

(IV)

severe degradation of national security capabilities, including intelligence and defense functions.

.

(b)

Covered critical infrastructure

Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) (as amended by section 201 of this Act) is further amended by adding at the end the following:

254.

Covered critical infrastructure

(a)

Identification of covered critical infrastructure

(1)

In general

Subject to paragraphs (2) and (3), the Secretary, in coordination with sector-specific agencies and in consultation with the National Cybersecurity Advisory Council and other appropriate representatives of State and local governments and the private sector, shall establish and maintain a list of systems or assets that constitute covered critical infrastructure for purposes of this subtitle.

(2)

Requirements

(A)

In general

A system or asset may not be identified as covered critical infrastructure under this section unless such system or asset meets each of the requirements under subparagraph (B) (i), (ii), and (iii).

(B)

Requirements

The requirements referred to under subparagraph (A) are that—

(i)

the destruction or the disruption of the reliable operation of the system or asset would cause national or regional catastrophic effects identified under section 210E(a)(2)(B)(iii);

(ii)

the system or asset is on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2); and

(iii)
(I)

the system or asset is a component of the national information infrastructure; or

(II)

the national information infrastructure is essential to the reliable operation of the system or asset.

(3)

Limitation

A system or asset may not be identified as covered critical infrastructure under this section based solely on activities protected by the first amendment to the United States Constitution.

(b)

Notification

(1)

Identification of system or asset

If the Secretary identifies any system or asset as covered critical infrastructure under subsection (a), the Secretary shall promptly notify the owner or operator of that system or asset of that identification.

(2)

System or asset no longer covered critical infrastructure

If the Secretary determines that any system or asset that was identified as covered critical infrastructure under subsection (a) no longer constitutes covered critical infrastructure, the Secretary shall promptly notify the owner or operator of that system or asset of that determination.

(c)

Redress

(1)

In general

Subject to paragraphs (2) and (3), the Secretary shall develop a mechanism, consistent with subchapter II of chapter 5 of title 5, United States Code, for an owner or operator notified under subsection (b)(1) to appeal the identification of a system or asset as covered critical infrastructure under this section.

(2)

Appeal to Federal court

A civil action seeking judicial review of a final agency action taken under the mechanism developed under paragraph (1) shall be filed in the United States District Court for the District of Columbia.

(3)

Compliance

The owner or operator of a system or asset identified as covered critical infrastructure shall comply with any requirement of this subtitle relating to covered critical infrastructure until such time as the system or asset is no longer identified as covered critical infrastructure, based on—

(A)

an appeal under paragraph (1);

(B)

a determination of the Secretary unrelated to an appeal; or

(C)

a final judgment entered in a civil action seeking judicial review brought in accordance with paragraph (2).

(d)

Addition of systems or assets

(1)

In general

The Secretary shall develop a process under which any owner or operator of a system or asset that may constitute covered critical infrastructure may—

(A)

request that such system or asset be identified by the Secretary as covered critical infrastructure under this section; and

(B)

submit material supporting such a request to the Director of the Center for consideration by the Secretary in carrying out this section.

(2)

Final decision

A decision to identify any system or asset as covered critical infrastructure based on a request submitted under this subsection—

(A)

is committed to the sole, unreviewable discretion of the Secretary; and

(B)

shall not be subject to—

(i)

an appeal under subsection (c); or

(ii)

judicial review.

.

503.

National Center for Cybersecurity and Communications acquisition authorities

(a)

In general

The National Center for Cybersecurity and Communications is authorized to use the authorities under subsections (c)(1) and (d)(1)(B) of section 2304 of title 10, United States Code, instead of the authorities under subsections (a)(1) and (b)(2) of section 3304 of title 41, United States Code, subject to all other requirements of sections 3301 and 3304 of title 41, United States Code.

(b)

Guidelines

Not later than 90 days after the date of enactment of this Act, the chief procurement officer of the Department of Homeland Security shall issue guidelines for use of the authority under subsection (a).

(c)

Termination

The National Center for Cybersecurity and Communications may not use the authority under subsection (a) on and after the date that is 3 years after the date of enactment of this Act.

(d)

Reporting

(1)

In general

On a semiannual basis, the Director of the National Center for Cybersecurity and Communications shall submit a report on use of the authority granted by subsection (a) to—

(A)

the Committee on Homeland Security and Governmental Affairs of the Senate; and

(B)

the Committee on Homeland Security of the House of Representatives.

(2)

Contents

Each report submitted under paragraph (1) shall include, at a minimum—

(A)

the number of contract actions taken under the authority under subsection (a) during the period covered by the report; and

(B)

for each contract action described in subparagraph (A)—

(i)

the total dollar value of the contract action;

(ii)

a summary of the market research conducted by the National Center for Cybersecurity and Communications, including a list of all offerors who were considered and those who actually submitted bids, in order to determine that use of the authority was appropriate; and

(iii)

a copy of the justification and approval documents required by section 3304(e) of title 41, United States Code.

(3)

Classified annex

A report submitted under this subsection shall be submitted in an unclassified form, but may include a classified annex, if necessary.

504.

Evaluation of the effective implementation of Office of Management and Budget information security related policies and directives

(a)

In general

The Administrator for Electronic Government and Information Technology, in coordination with the Chief Information Officers Council, the Federal Information Security Taskforce, and Council on Inspectors General on Integrity and Efficiency, shall evaluate agency adoption and effective implementation of appropriate information security related policies, memoranda, and directives issued by the Office of Management and Budget including—

(1)

OMB Memorandum M–10–15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, issued April 21, 2010;

(2)

OMB Memorandum M–09–32, Update on the Trusted Internet Connections Initiative, issued September 17, 2009;

(3)

OMB Memorandum M–09–02, Information Technology Management Structure and Governance Framework, issued October 21, 2008;

(4)

OMB Memorandum M–08–23, Securing the Federal Government’s Domain Name System Infrastructure, issued April 22, 2008;

(5)

OMB Memorandum M–08–22, Guidance on the Federal Desktop Core Configuration (FDCC), issued August 11, 2008;

(6)

OMB Memorandum M–07–16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, issued May 22, 2007;

(7)

OMB Memorandum M–07–06, Validating and Monitoring Agency Issuance of Personal Identity Verification Credentials, issued January 11, 2007;

(8)

OMB Memorandum M–04–26, Personal Use Policies and File Sharing Technology, issued September 8, 2004; and

(9)

OMB Memorandum M–03–22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, issued September 26, 2003.

(b)

Report

Not later than 1 year after the date of enactment of this Act, the Office of Management and Budget shall submit a report on the evaluation required under subsection (a) to the appropriate congressional committees which shall include—

(1)

an examination of whether Federal agencies have effectively implemented information security policies;

(2)

identification of and reasons why Federal agencies are not in compliance with information security policies;

(3)

the extent to which contractors working on behalf of Federal agencies are in compliance and effectively implementing information security policies; and

(4)

recommended legislative and executive branch actions.

505.

Technical and conforming amendments

(a)

Elimination of assistant Secretary for cybersecurity and communications

The Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended—

(1)

in section 103(a)(8) (6 U.S.C. 113(a)(8)), by striking , cybersecurity,;

(2)

in section 514 (6 U.S.C. 321c)—

(A)

by striking subsection (b); and

(B)

by redesignating subsection (c) as subsection (b); and

(3)

in section 1801(b) (6 U.S.C. 571(b)), by striking shall report to the Assistant Secretary for Cybersecurity and Communications and inserting shall report to the Director of the National Center for Cybersecurity and Communications.

(b)

CIO council

Section 3603(b) of title 44, United States Code, is amended—

(1)

by redesignating paragraph (7) as paragraph (8); and

(2)

by inserting after paragraph (6) the following:

(7)

The Director of the National Center for Cybersecurity and Communications.

.

(c)

Repeal

The Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended—

(1)

by striking section 223 (6 U.S.C. 143); and

(2)

by redesignating sections 224 and 225 (6 U.S.C. 144 and 145) as sections 223 and 224, respectively.

(d)

Technical correction

Section 1802(a) of the Homeland Security Act of 2002 (6 U.S.C. 572(a)) is amended in the matter preceding paragraph (1) by striking Department of.

(e)

Executive schedule position

Section 5313 of title 5, United States Code, is amended by adding at the end the following:

  • Director of the National Center for Cybersecurity and Communications.

.

(f)

Table of contents

The table of contents in section 1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended—

(1)

by striking the items relating to sections 223, 224, and 225 and inserting the following:

Sec. 223. NET guard.

Sec. 224. Cyber Security Enhancements Act of 2002.

;

and
(2)

by inserting after the item relating to section 237 the following:

Sec. 238. Cybersecurity research and development.

Sec. 239. National Cybersecurity Advisory Council.

Subtitle E—Cybersecurity

Sec. 241. Definitions.

Sec. 242. National Center for Cybersecurity and Communications.

Sec. 243. Physical and cyber infrastructure collaboration.

Sec. 244. United States Computer Emergency Readiness Team.

Sec. 245. Additional authorities of the Director of the National Center for Cybersecurity and Communications.

Sec. 246. Information sharing.

Sec. 247. Private sector assistance.

Sec. 248. Cyber risks to covered critical infrastructure.

Sec. 249. National cyber emergencies.

Sec. 250. Enforcement.

Sec. 251. Protection of information.

Sec. 252. Sector-specific agencies.

Sec. 253. Strategy for Federal cybersecurity supply chain management.

Sec. 254. Covered critical infrastructure.

.