The chief technology officer (CTO) has indicated that your organization has been requested by the National Security Council (NSC) to comment on the upcoming National Cybersecurity Strategy. The NSC has asked for specific recommendations as they relate to the next cybersecurity strategy, private/public partnerships, and comments on how specific technologies should be incorporated into the assessment.
The CTO has asked you to collaborate with your team to provide the organizational input.
You will be collaborating with your previously assigned team on this assignment. It is up to the team members to decide how they will plan, meet, discuss, and complete the five sections of the paper. Remember, if a member fails to complete his or her part of the work, the team is still responsible for all sections. You will also complete a peer review for yourself and for each member of the team. The peer feedback will be incorporated into each team member’s assignment grade.
As a group, use the Week 7 and 8 Assignment Template to write your paper, which should cover the following topics:
Part 2: Public/Private Partnerships
After reading the Cybersecurity Act of 2015, address the private/public partnership with the DHS National Cybersecurity and Communications Integration Center (NCCIC), arguably the most important aspect of the act. The Cybersecurity Act of 2015 allows for private and public sharing of cybersecurity threat information.
What should the DHS NCCIC (public) share with private sector organizations? What type of threat information would enable private organizations to better secure their networks?
On the flip side, what should private organizations share with the NCCIC? As it is written, private organization sharing is completely voluntary. Should this be mandatory? If so, what are the implications to the customers’ private data?
The government is not allowed to collect data on citizens. How should the act be updated to make it better and more value-added for the public-private partnership in regards to cybersecurity?
U:\2016REPT\OMNI\FinalOmni\CPRT-114-HPRT-RU00-SAHR2029-AMNT1.xml
December 16, 2015 (1:04 a.m.)
DIVISION N—CYBERSECURITY ACT OF 2015
SEC. 1. SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT TITLE.—This division may be cited as the “Cybersecurity Act of 2015”.
(b) TABLE OF CONTENTS.—The table of contents for this division is as follows:
Sec. 1. Short title; table of contents.
TITLE I—CYBERSECURITY INFORMATION SHARING
Sec. 101. Short title.
Sec. 102. Definitions.
Sec. 103. Sharing of information by the Federal Government.
Sec. 104. Authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats.
Sec. 105. Sharing of cyber threat indicators and defensive measures with the Federal Government.
Sec. 106. Protection from liability.
Sec. 107. Oversight of Government activities.
Sec. 108. Construction and preemption.
Sec. 109. Report on cybersecurity threats.
Sec. 110. Exception to limitation on authority of Secretary of Defense to disseminate certain information.
Sec. 111. Effective period.
TITLE II—NATIONAL CYBERSECURITY ADVANCEMENT
Subtitle A—National Cybersecurity and Communications Integration Center
Sec. 201. Short title.
Sec. 202. Definitions.
Sec. 203. Information sharing structure and processes.
Sec. 204. Information sharing and analysis organizations.
Sec. 205. National response framework.
Sec. 206. Report on reducing cybersecurity risks in DHS data centers.
Sec. 207. Assessment.
Sec. 208. Multiple simultaneous cyber incidents at critical infrastructure.
Sec. 209. Report on cybersecurity vulnerabilities of United States ports.
Sec. 210. Prohibition on new regulatory authority.
Sec. 211. Termination of reporting requirements.
Subtitle B—Federal Cybersecurity Enhancement
Sec. 221. Short title.
Sec. 222. Definitions.
Sec. 223. Improved Federal network security.
Sec. 224. Advanced internal defenses.
Sec. 225. Federal cybersecurity requirements.
Sec. 226. Assessment; reports.
Sec. 227. Termination.
Sec. 228. Identification of information systems relating to national security.
Sec. 229. Direction to agencies.
TITLE III—FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT
Sec. 301. Short title.
Sec. 302. Definitions.
Sec. 303. National cybersecurity workforce measurement initiative.
Sec. 304. Identification of cyber-related work roles of critical need.
Sec. 305. Government Accountability Office status reports.
TITLE IV—OTHER CYBER MATTERS
Sec. 401. Study on mobile device security.
Sec. 402. Department of State international cyberspace policy strategy.
Sec. 403. Apprehension and prosecution of international cyber criminals.
Sec. 404. Enhancement of emergency services.
Sec. 405. Improving cybersecurity in the health care industry.
Sec. 406. Federal computer security.
Sec. 407. Stopping the fraudulent sale of financial information of people of the United States.
TITLE I—CYBERSECURITY INFORMATION SHARING
SEC. 101. SHORT TITLE.
This title may be cited as the “Cybersecurity Information Sharing Act of 2015”.
SEC. 102. DEFINITIONS.
In this title:
(1) AGENCY.—The term “agency” has the meaning given the term in section 3502 of title 44, United States Code.
(2) ANTITRUST LAWS.—The term “antitrust laws”—
(A) has the meaning given the term in the first section of the Clayton Act (15 U.S.C. 12);
(B) includes section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent that section 5 of that Act applies to unfair methods of competition; and
(C) includes any State antitrust law, but only to the extent that such law is consistent with the law referred to in subparagraph (A) or the law referred to in subparagraph (B).
(3) APPROPRIATE FEDERAL ENTITIES.—The term “appropriate Federal entities” means the following:
(A) The Department of Commerce.
(B) The Department of Defense.
(C) The Department of Energy.
(D) The Department of Homeland Security.
(E) The Department of Justice.
(F) The Department of the Treasury.
(G) The Office of the Director of National Intelligence.
(4) CYBERSECURITY PURPOSE.—The term “cybersecurity purpose” means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.
(5) CYBERSECURITY THREAT.—
(A) IN GENERAL.—Except as provided in subparagraph (B), the term “cybersecurity threat” means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.
(B) EXCLUSION.—The term “cybersecurity threat” does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.
(6) CYBER THREAT INDICATOR.—The term “cyber threat indicator” means information that is necessary to describe or identify—
(A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
(B) a method of defeating a security control or exploitation of a security vulnerability;
(C) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
(D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
(E) malicious cyber command and control;
(F) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
(G) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
(H) any combination thereof.
(7) DEFENSIVE MEASURE.—
(A) IN GENERAL.—Except as provided in subparagraph (B), the term “defensive measure” means an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.
(B) EXCLUSION.—The term “defensive measure” does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system not owned by—
(i) the private entity operating the measure; or
(ii) another entity or Federal entity that is authorized to provide consent and has provided consent to that private entity for operation of such measure.
(8) FEDERAL ENTITY.—The term “Federal entity” means a department or agency of the United States or any component of such department or agency.
(9) INFORMATION SYSTEM.—The term “information system”—
(A) has the meaning given the term in section 3502 of title 44, United States Code; and
(B) includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.
(10) LOCAL GOVERNMENT.—The term “local government” means any borough, city, county, parish, town, township, village, or other political subdivision of a State.
(11) MALICIOUS CYBER COMMAND AND CONTROL.—The term “malicious cyber command and control” means a method for unauthorized remote identification of, access to, or use of, an information system or information that is stored on, processed by, or transiting an information system.
(12) MALICIOUS RECONNAISSANCE.—The term “malicious reconnaissance” means a method for actively probing or passively monitoring an information system for the purpose of discerning security vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
(13) MONITOR.—The term “monitor” means to acquire, identify, or scan, or to possess, information that is stored on, processed by, or transiting an information system.
(14) NON-FEDERAL ENTITY.—
(A) IN GENERAL.—Except as otherwise provided in this paragraph, the term “non-Federal entity” means any private entity, non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof).
(B) INCLUSIONS.—The term “non-Federal entity” includes a government agency or department of the District of Columbia, the Commonwealth of Puerto Rico, the United States Virgin Islands, Guam, American Samoa, the Northern Mariana Islands, and any other territory or possession of the United States.
(C) EXCLUSION.—The term “non-Federal entity” does not include a foreign power as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
(15) PRIVATE ENTITY.—
(A) IN GENERAL.—Except as otherwise provided in this paragraph, the term “private entity” means any person or private group, organization, proprietorship, partnership, trust, cooperative, corporation, or other commercial or nonprofit entity, including an officer, employee, or agent thereof.
(B) INCLUSION.—The term “private entity” includes a State, tribal, or local government performing utility services, such as electric, natural gas, or water services.
(C) EXCLUSION.—The term “private entity” does not include a foreign power as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
(16) SECURITY CONTROL.—The term “security control” means the management, operational, and technical controls used to protect against an unauthorized effort to adversely affect the confidentiality, integrity, and availability of an information system or its information.
(17) SECURITY VULNERABILITY.—The term “security vulnerability” means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.
(18) TRIBAL.—The term “tribal” has the meaning given the term “Indian tribe” in section 4 of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 450b).
SEC. 103. SHARING OF INFORMATION BY THE FEDERAL GOVERNMENT.
(a) IN GENERAL.—Consistent with the protection of classified information, intelligence sources and methods, and privacy and civil liberties, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General, in consultation with the heads of the appropriate Federal entities, shall jointly develop and issue procedures to facilitate and promote—
(1) the timely sharing of classified cyber threat indicators and defensive measures in the possession of the Federal Government with representatives of relevant Federal entities and non-Federal entities that have appropriate security clearances;
(2) the timely sharing with relevant Federal entities and non-Federal entities of cyber threat indicators, defensive measures, and information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government that may be declassified and shared at an unclassified level;
(3) the timely sharing with relevant Federal entities and non-Federal entities, or the public if appropriate, of unclassified, including controlled unclassified, cyber threat indicators and defensive measures in the possession of the Federal Government;
(4) the timely sharing with Federal entities and non-Federal entities, if appropriate, of information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government about cybersecurity threats to such entities to prevent or mitigate adverse effects from such cybersecurity threats; and
(5) the periodic sharing, through publication and targeted outreach, of cybersecurity best practices that are developed based on ongoing analyses of cyber threat indicators, defensive measures, and information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government, with attention to accessibility and implementation challenges faced by small business concerns (as defined in section 3 of the Small Business Act (15 U.S.C. 632)).
(b) DEVELOPMENT OF PROCEDURES.—
(1) IN GENERAL.—The procedures developed under subsection (a) shall—
(A) ensure the Federal Government has and maintains the capability to share cyber threat indicators and defensive measures in real time consistent with the protection of classified information;
(B) incorporate, to the greatest extent practicable, existing processes and existing roles and responsibilities of Federal entities and non-Federal entities for information sharing by the Federal Government, including sector specific information sharing and analysis centers;
(C) include procedures for notifying, in a timely manner, Federal entities and non-Federal entities that have received a cyber threat indicator or defensive measure from a Federal entity under this title that is known or determined to be in error or in contravention of the requirements of this title or another provision of Federal law or policy of such error or contravention;
(D) include requirements for Federal entities sharing cyber threat indicators or defensive measures to implement and utilize security controls to protect against unauthorized access to or acquisition of such cyber threat indicators or defensive measures;
(E) include procedures that require a Federal entity, prior to the sharing of a cyber threat indicator—
(i) to review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that such Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
(ii) to implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual; and
(F) include procedures for notifying, in a timely manner, any United States person whose personal information is known or determined to have been shared by a Federal entity in violation of this title.
(2) CONSULTATION.—In developing the procedures required under this section, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General shall consult with appropriate Federal entities, including the Small Business Administration and the National Laboratories (as defined in section 2 of the Energy Policy Act of 2005 (42 U.S.C. 15801)), to ensure that effective protocols are implemented that will facilitate and promote the sharing of cyber threat indicators by the Federal Government in a timely manner.
(c) SUBMITTAL TO CONGRESS.—Not later than 60 days after the date of the enactment of this Act, the Director of National Intelligence, in consultation with the heads of the appropriate Federal entities, shall submit to Congress the procedures required by subsection (a).
SEC. 104. AUTHORIZATIONS FOR PREVENTING, DETECTING, ANALYZING, AND MITIGATING CYBERSECURITY THREATS.
(a) AUTHORIZATION FOR MONITORING.—
(1) IN GENERAL.—Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, monitor—
(A) an information system of such private entity;
(B) an information system of another non-Federal entity, upon the authorization and written consent of such other entity;
(C) an information system of a Federal entity, upon the authorization and written consent of an authorized representative of the Federal entity; and
(D) information that is stored on, processed by, or transiting an information system monitored by the private entity under this paragraph.
(2) CONSTRUCTION.—Nothing in this subsection shall be construed—
(A) to authorize the monitoring of an information system, or the use of any information obtained through such monitoring, other than as provided in this title; or
(B) to limit otherwise lawful activity.
(b) AUTHORIZATION FOR OPERATION OF DEFENSIVE MEASURES.—
(1) IN GENERAL.—Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, operate a defensive measure that is applied to—
(A) an information system of such private entity in order to protect the rights or property of the private entity;
(B) an information system of another non-Federal entity upon written consent of such entity for operation of such defensive measure to protect the rights or property of such entity; and
(C) an information system of a Federal entity upon written consent of an authorized representative of such Federal entity for operation of such defensive measure to protect the rights or property of the Federal Government.
(2) CONSTRUCTION.—Nothing in this subsection shall be construed—
(A) to authorize the use of a defensive measure other than as provided in this subsection; or
(B) to limit otherwise lawful activity.
(c) AUTHORIZATION FOR SHARING OR RECEIVING CYBER THREAT INDICATORS OR DEFENSIVE MEASURES.—
(1) IN GENERAL.—Except as provided in paragraph (2) and notwithstanding any other provision of law, a non-Federal entity may, for a cybersecurity purpose and consistent with the protection of classified information, share with, or receive from, any other non-Federal entity or the Federal Government a cyber threat indicator or defensive measure.
(2) LAWFUL RESTRICTION.—A non-Federal entity receiving a cyber threat indicator or defensive measure from another non-Federal entity or a Federal entity shall comply with otherwise lawful restrictions placed on the sharing or use of such cyber threat indicator or defensive measure by the sharing non-Federal entity or Federal entity.
(3) CONSTRUCTION.—Nothing in this subsection shall be construed—
(A) to authorize the sharing or receiving of a cyber threat indicator or defensive measure other than as provided in this subsection; or
(B) to limit otherwise lawful activity.
(d) PROTECTION AND USE OF INFORMATION.—
(1) SECURITY OF INFORMATION.—A non-Federal entity monitoring an information system, operating a defensive measure, or providing or receiving a cyber threat indicator or defensive measure under this section shall implement and utilize a security control to protect against unauthorized access to or acquisition of such cyber threat indicator or defensive measure.
(2) REMOVAL OF CERTAIN PERSONAL INFORMATION.—A non-Federal entity sharing a cyber threat indicator pursuant to this title shall, prior to such sharing—
(A) review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
(B) implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.
(3) USE OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES BY NON-FEDERAL ENTITIES.—
(A) IN GENERAL.—Consistent with this title, a cyber threat indicator or defensive measure shared or received under this section may, for cybersecurity purposes—
(i) be used by a non-Federal entity to monitor or operate a defensive measure that is applied to—
(I) an information system of the non-Federal entity; or
(II) an information system of another non-Federal entity or a Federal entity upon the written consent of that other non-Federal entity or that Federal entity; and
(ii) be otherwise used, retained, and further shared by a non-Federal entity subject to—
(I) an otherwise lawful restriction placed by the sharing non-Federal entity or Federal entity on such cyber threat indicator or defensive measure; or
(II) an otherwise applicable provision of law.
(B) CONSTRUCTION.—Nothing in this paragraph shall be construed to authorize the use of a cyber threat indicator or defensive measure other than as provided in this section.
(4) USE OF CYBER THREAT INDICATORS BY STATE, TRIBAL, OR LOCAL GOVERNMENT.—
(A) LAW ENFORCEMENT USE.—A State, tribal, or local government that receives a cyber threat indicator or defensive measure under this title may use such cyber threat indicator or defensive measure for the purposes described in section 105(d)(5)(A).
(B) EXEMPTION FROM DISCLOSURE.—A cyber threat indicator or defensive measure shared by or with a State, tribal, or local government, including a component of a State, tribal, or local government that is a private entity, under this section shall be—
(i) deemed voluntarily shared information; and
(ii) exempt from disclosure under any provision of State, tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records.
(C) STATE, TRIBAL, AND LOCAL REGULATORY AUTHORITY.—
(i) IN GENERAL.—Except as provided in clause (ii), a cyber threat indicator or defensive measure shared with a State, tribal, or local government under this title shall not be used by any State, tribal, or local government to regulate, including an enforcement action, the lawful activity of any non-Federal entity or any activity taken by a non-Federal entity pursuant to mandatory standards, including an activity relating to monitoring, operating a defensive measure, or sharing of a cyber threat indicator.
(ii) REGULATORY AUTHORITY SPECIFICALLY RELATING TO PREVENTION OR MITIGATION OF CYBERSECURITY THREATS.—A cyber threat indicator or defensive measure shared as described in clause (i) may, consistent with a State, tribal, or local government regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of a regulation relating to such information systems.
(e) ANTITRUST EXEMPTION.—
(1) IN GENERAL.—Except as provided in section 108(e), it shall not be considered a violation of any provision of antitrust laws for 2 or more private entities to exchange or provide a cyber threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat, for cybersecurity purposes under this title.
(2) APPLICABILITY.—Paragraph (1) shall apply only to information that is exchanged or assistance provided in order to assist with—
(A) facilitating the prevention, investigation, or mitigation of a cybersecurity threat to an information system or information that is stored on, processed by, or transiting an information system; or
(B) communicating or disclosing a cyber threat indicator to help prevent, investigate, or mitigate the effect of a cybersecurity threat to an information system or information that is stored on, processed by, or transiting an information system.
(f) NO RIGHT OR BENEFIT.—The sharing of a cyber threat indicator or defensive measure with a non-Federal entity under this title shall not create a right or benefit to similar information by such non-Federal entity or any other non-Federal entity.
SEC. 105. SHARING OF CYBER THREAT INDICATORS AND
13
DEFENSIVE MEASURES WITH THE FEDERAL
14
GOVERNMENT.
(a) REQUIREMENT
15
16
FOR
POLICIES
AND
PROCE-
DURES.—
17
(1) INTERIM
POLICIES AND PROCEDURES.—Not
18
later than 60 days after the date of the enactment
19
of this Act, the Attorney General and the Secretary
20
of Homeland Security shall, in consultation with the
21
heads of the appropriate Federal entities, jointly de-
22
velop and submit to Congress interim policies and
23
procedures relating to the receipt of cyber threat in-
24
dicators and defensive measures by the Federal Gov-
25
ernment.
December 16, 2015 (1:04 a.m.)
U:\2016REPT\OMNI\FinalOmni\CPRT-114-HPRT-RU00-SAHR2029-AMNT1.xml
1751
1
(2) FINAL
POLICIES AND PROCEDURES.—Not
2
later than 180 days after the date of the enactment
3
of this Act, the Attorney General and the Secretary
4
of Homeland Security shall, in consultation with the
5
heads of the appropriate Federal entities, jointly
6
issue and make publicly available final policies and
7
procedures relating to the receipt of cyber threat in-
8
dicators and defensive measures by the Federal Gov-
9
ernment.
(3) REQUIREMENTS CONCERNING POLICIES AND PROCEDURES.—Consistent with the guidelines required by subsection (b), the policies and procedures developed or issued under this subsection shall—
(A) ensure that cyber threat indicators shared with the Federal Government by any non-Federal entity pursuant to section 104(c) through the real-time process described in subsection (c) of this section—
(i) are shared in an automated manner with all of the appropriate Federal entities;
(ii) are only subject to a delay, modification, or other action due to controls established for such real-time process that could impede real-time receipt by all of the appropriate Federal entities when the delay, modification, or other action is due to controls—
(I) agreed upon unanimously by all of the heads of the appropriate Federal entities;
(II) carried out before any of the appropriate Federal entities retains or uses the cyber threat indicators or defensive measures; and
(III) uniformly applied such that each of the appropriate Federal entities is subject to the same delay, modification, or other action; and
(iii) may be provided to other Federal entities;
(B) ensure that cyber threat indicators shared with the Federal Government by any non-Federal entity pursuant to section 104 in a manner other than the real-time process described in subsection (c) of this section—
(i) are shared as quickly as operationally practicable with all of the appropriate Federal entities;
(ii) are not subject to any unnecessary delay, interference, or any other action that could impede receipt by all of the appropriate Federal entities; and
(iii) may be provided to other Federal entities; and
(C) ensure there are—
(i) audit capabilities; and
(ii) appropriate sanctions in place for officers, employees, or agents of a Federal entity who knowingly and willfully conduct activities under this title in an unauthorized manner.
(4) GUIDELINES FOR ENTITIES SHARING CYBER THREAT INDICATORS WITH FEDERAL GOVERNMENT.—
(A) IN GENERAL.—Not later than 60 days after the date of the enactment of this Act, the Attorney General and the Secretary of Homeland Security shall jointly develop and make publicly available guidance to assist entities and promote sharing of cyber threat indicators with Federal entities under this title.
(B) CONTENTS.—The guidelines developed and made publicly available under subparagraph (A) shall include guidance on the following:
(i) Identification of types of information that would qualify as a cyber threat indicator under this title that would be unlikely to include information that—
(I) is not directly related to a cybersecurity threat; and
(II) is personal information of a specific individual or information that identifies a specific individual.
(ii) Identification of types of information protected under otherwise applicable privacy laws that are unlikely to be directly related to a cybersecurity threat.
(iii) Such other matters as the Attorney General and the Secretary of Homeland Security consider appropriate for entities sharing cyber threat indicators with Federal entities under this title.
(b) PRIVACY AND CIVIL LIBERTIES.—
(1) INTERIM GUIDELINES.—Not later than 60 days after the date of the enactment of this Act, the Attorney General and the Secretary of Homeland Security shall, in consultation with heads of the appropriate Federal entities and in consultation with officers designated under section 1062 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee–1), jointly develop, submit to Congress, and make available to the public interim guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this title.
(2) FINAL GUIDELINES.—
(A) IN GENERAL.—Not later than 180 days after the date of the enactment of this Act, the Attorney General and the Secretary of Homeland Security shall, in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 1062 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee–1) and such private entities with industry expertise as the Attorney General and the Secretary consider relevant, jointly issue and make publicly available final guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this title.
(B) PERIODIC REVIEW.—The Attorney General and the Secretary of Homeland Security shall, in coordination with heads of the appropriate Federal entities and in consultation with officers and private entities described in subparagraph (A), periodically, but not less frequently than once every 2 years, jointly review the guidelines issued under subparagraph (A).
(3) CONTENT.—The guidelines required by paragraphs (1) and (2) shall, consistent with the need to protect information systems from cybersecurity threats and mitigate cybersecurity threats—
(A) limit the effect on privacy and civil liberties of activities by the Federal Government under this title;
(B) limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals, including by establishing—
(i) a process for the timely destruction of such information that is known not to be directly related to uses authorized under this title; and
(ii) specific limitations on the length of any period in which a cyber threat indicator may be retained;
(C) include requirements to safeguard cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals from unauthorized access or acquisition, including appropriate sanctions for activities by officers, employees, or agents of the Federal Government in contravention of such guidelines;
(D) consistent with this title, any other applicable provisions of law, and the fair information practice principles set forth in appendix A of the document entitled “National Strategy for Trusted Identities in Cyberspace” and published by the President in April 2011, govern the retention, use, and dissemination by the Federal Government of cyber threat indicators shared with the Federal Government under this title, including the extent, if any, to which such cyber threat indicators may be used by the Federal Government;
(E) include procedures for notifying entities and Federal entities if information received pursuant to this section is known or determined by a Federal entity receiving such information not to constitute a cyber threat indicator;
(F) protect the confidentiality of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals to the greatest extent practicable and require recipients to be informed that such indicators may only be used for purposes authorized under this title; and
(G) include steps that may be needed so that dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information.
(c) CAPABILITY AND PROCESS WITHIN THE DEPARTMENT OF HOMELAND SECURITY.—
(1) IN GENERAL.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security, in coordination with the heads of the appropriate Federal entities, shall develop and implement a capability and process within the Department of Homeland Security that—
(A) shall accept from any non-Federal entity in real time cyber threat indicators and defensive measures, pursuant to this section;
(B) shall, upon submittal of the certification under paragraph (2) that such capability and process fully and effectively operates as described in such paragraph, be the process by which the Federal Government receives cyber threat indicators and defensive measures under this title that are shared by a non-Federal entity with the Federal Government through electronic mail or media, an interactive form on an Internet website, or a real time, automated process between information systems except—
(i) consistent with section 104, communications between a Federal entity and a non-Federal entity regarding a previously shared cyber threat indicator to describe the relevant cybersecurity threat or develop a defensive measure based on such cyber threat indicator; and
(ii) communications by a regulated non-Federal entity with such entity’s Federal regulatory authority regarding a cybersecurity threat;
(C) ensures that all of the appropriate Federal entities receive in an automated manner such cyber threat indicators and defensive measures shared through the real-time process within the Department of Homeland Security;
(D) is in compliance with the policies, procedures, and guidelines required by this section; and
(E) does not limit or prohibit otherwise lawful disclosures of communications, records, or other information, including—
(i) reporting of known or suspected criminal activity, by a non-Federal entity to any other non-Federal entity or a Federal entity, including cyber threat indicators or defensive measures shared with a Federal entity in furtherance of opening a Federal law enforcement investigation;
(ii) voluntary or legally compelled participation in a Federal investigation; and
(iii) providing cyber threat indicators or defensive measures as part of a statutory or authorized contractual requirement.
(2) CERTIFICATION AND DESIGNATION.—
(A) CERTIFICATION OF CAPABILITY AND PROCESS.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, submit to Congress a certification as to whether the capability and process required by paragraph (1) fully and effectively operates—
(i) as the process by which the Federal Government receives from any non-Federal entity a cyber threat indicator or defensive measure under this title; and
(ii) in accordance with the interim policies, procedures, and guidelines developed under this title.
(B) DESIGNATION.—
(i) IN GENERAL.—At any time after certification is submitted under subparagraph (A), the President may designate an appropriate Federal entity, other than the Department of Defense (including the National Security Agency), to develop and implement a capability and process as described in paragraph (1) in addition to the capability and process developed under such paragraph by the Secretary of Homeland Security, if, not fewer than 30 days before making such designation, the President submits to Congress a certification and explanation that—
(I) such designation is necessary to ensure that full, effective, and secure operation of a capability and process for the Federal Government to receive from any non-Federal entity cyber threat indicators or defensive measures under this title;
(II) the designated appropriate Federal entity will receive and share cyber threat indicators and defensive measures in accordance with the policies, procedures, and guidelines developed under this title, including subsection (a)(3)(A); and
(III) such designation is consistent with the mission of such appropriate Federal entity and improves the ability of the Federal Government to receive, share, and use cyber threat indicators and defensive measures as authorized under this title.
(ii) APPLICATION TO ADDITIONAL CAPABILITY AND PROCESS.—If the President designates an appropriate Federal entity to develop and implement a capability and process under clause (i), the provisions of this title that apply to the capability and process required by paragraph (1) shall also be construed to apply to the capability and process developed and implemented under clause (i).
(3) PUBLIC NOTICE AND ACCESS.—The Secretary of Homeland Security shall ensure there is public notice of, and access to, the capability and process developed and implemented under paragraph (1) so that—
(A) any non-Federal entity may share cyber threat indicators and defensive measures through such process with the Federal Government; and
(B) all of the appropriate Federal entities receive such cyber threat indicators and defensive measures in real time with receipt through the process within the Department of Homeland Security consistent with the policies and procedures issued under subsection (a).
(4) OTHER FEDERAL ENTITIES.—The process developed and implemented under paragraph (1) shall ensure that other Federal entities receive in a timely manner any cyber threat indicators and defensive measures shared with the Federal Government through such process.
(d) INFORMATION SHARED WITH OR PROVIDED TO THE FEDERAL GOVERNMENT.—
(1) NO WAIVER OF PRIVILEGE OR PROTECTION.—The provision of cyber threat indicators and defensive measures to the Federal Government under this title shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection.
(2) PROPRIETARY INFORMATION.—Consistent with section 104(c)(2) and any other applicable provision of law, a cyber threat indicator or defensive measure provided by a non-Federal entity to the Federal Government under this title shall be considered the commercial, financial, and proprietary information of such non-Federal entity when so designated by the originating non-Federal entity or a third party acting in accordance with the written authorization of the originating non-Federal entity.
(3) EXEMPTION FROM DISCLOSURE.—A cyber threat indicator or defensive measure shared with the Federal Government under this title shall be—
(A) deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, and any State, tribal, or local provision of law requiring disclosure of information or records; and
(B) withheld, without discretion, from the public under section 552(b)(3)(B) of title 5, United States Code, and any State, tribal, or local provision of law requiring disclosure of information or records.
(4) EX PARTE COMMUNICATIONS.—The provision of a cyber threat indicator or defensive measure to the Federal Government under this title shall not be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official.
(5) DISCLOSURE, RETENTION, AND USE.—
(A) AUTHORIZED ACTIVITIES.—Cyber threat indicators and defensive measures provided to the Federal Government under this title may be disclosed to, retained by, and used by, consistent with otherwise applicable provisions of Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal Government solely for—
(i) a cybersecurity purpose;
(ii) the purpose of identifying—
(I) a cybersecurity threat, including the source of such cybersecurity threat; or
(II) a security vulnerability;
(iii) the purpose of responding to, or otherwise preventing or mitigating, a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or a use of a weapon of mass destruction;
(iv) the purpose of responding to, investigating, prosecuting, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety; or
(v) the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a threat described in clause (iii) or any of the offenses listed in—
(I) sections 1028 through 1030 of title 18, United States Code (relating to fraud and identity theft);
(II) chapter 37 of such title (relating to espionage and censorship); and
(III) chapter 90 of such title (relating to protection of trade secrets).
(B) PROHIBITED ACTIVITIES.—Cyber threat indicators and defensive measures provided to the Federal Government under this title shall not be disclosed to, retained by, or used by any Federal agency or department for any use not permitted under subparagraph (A).
(C) PRIVACY AND CIVIL LIBERTIES.—Cyber threat indicators and defensive measures provided to the Federal Government under this title shall be retained, used, and disseminated by the Federal Government—
(i) in accordance with the policies, procedures, and guidelines required by subsections (a) and (b);
(ii) in a manner that protects from unauthorized use or disclosure any cyber threat indicators that may contain—
(I) personal information of a specific individual; or
(II) information that identifies a specific individual; and
(iii) in a manner that protects the confidentiality of cyber threat indicators containing—
(I) personal information of a specific individual; or
(II) information that identifies a specific individual.
(D) FEDERAL REGULATORY AUTHORITY.—
(i) IN GENERAL.—Except as provided in clause (ii), cyber threat indicators and defensive measures provided to the Federal Government under this title shall not be used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any non-Federal entity or any activities taken by a non-Federal entity pursuant to mandatory standards, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators.
(ii) EXCEPTIONS.—
(I) REGULATORY AUTHORITY SPECIFICALLY RELATING TO PREVENTION OR MITIGATION OF CYBERSECURITY THREATS.—Cyber threat indicators and defensive measures provided to the Federal Government under this title may, consistent with Federal or State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems.
(II) PROCEDURES DEVELOPED AND IMPLEMENTED UNDER THIS TITLE.—Clause (i) shall not apply to procedures developed and implemented under this title.
SEC. 106. PROTECTION FROM LIABILITY.
(a) MONITORING OF INFORMATION SYSTEMS.—No cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the monitoring of an information system and information under section 104(a) that is conducted in accordance with this title.
(b) SHARING OR RECEIPT OF CYBER THREAT INDICATORS.—No cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the sharing or receipt of a cyber threat indicator or defensive measure under section 104(c) if—
(1) such sharing or receipt is conducted in accordance with this title; and
(2) in a case in which a cyber threat indicator or defensive measure is shared with the Federal Government, the cyber threat indicator or defensive measure is shared in a manner that is consistent with section 105(c)(1)(B) and the sharing or receipt, as the case may be, occurs after the earlier of—
(A) the date on which the interim policies and procedures are submitted to Congress under section 105(a)(1) and guidelines are submitted to Congress under section 105(b)(1); or
(B) the date that is 60 days after the date of the enactment of this Act.
(c) CONSTRUCTION.—Nothing in this title shall be construed—
(1) to create—
(A) a duty to share a cyber threat indicator or defensive measure; or
(B) a duty to warn or act based on the receipt of a cyber threat indicator or defensive measure; or
(2) to undermine or limit the availability of otherwise applicable common law or statutory defenses.
SEC. 107. OVERSIGHT OF GOVERNMENT ACTIVITIES.
(a) REPORT ON IMPLEMENTATION.—
(1) IN GENERAL.—Not later than 1 year after the date of the enactment of this title, the heads of the appropriate Federal entities shall jointly submit to Congress a detailed report concerning the implementation of this title.
(2) CONTENTS.—The report required by paragraph (1) may include such recommendations as the heads of the appropriate Federal entities may have for improvements or modifications to the authorities, policies, procedures, and guidelines under this title and shall include the following:
(A) An evaluation of the effectiveness of real-time information sharing through the capability and process developed under section 105(c), including any impediments to such real-time sharing.
(B) An assessment of whether cyber threat indicators or defensive measures have been properly classified and an accounting of the number of security clearances authorized by the Federal Government for the purpose of sharing cyber threat indicators or defensive measures with the private sector.
(C) The number of cyber threat indicators or defensive measures received through the capability and process developed under section 105(c).
(D) A list of Federal entities that have received cyber threat indicators or defensive measures under this title.
(b) BIENNIAL REPORT ON COMPLIANCE.—
(1) IN GENERAL.—Not later than 2 years after the date of the enactment of this Act and not less frequently than once every 2 years thereafter, the inspectors general of the appropriate Federal entities, in consultation with the Inspector General of the Intelligence Community and the Council of Inspectors General on Financial Oversight, shall jointly submit to Congress an interagency report on the actions of the executive branch of the Federal Government to carry out this title during the most recent 2-year period.
(2) CONTENTS.—Each report submitted under paragraph (1) shall include, for the period covered by the report, the following:
(A) An assessment of the sufficiency of the policies, procedures, and guidelines relating to the sharing of cyber threat indicators within the Federal Government, including those policies, procedures, and guidelines relating to the removal of information not directly related to a cybersecurity threat that is personal information of a specific individual or information that identifies a specific individual.
(B) An assessment of whether cyber threat indicators or defensive measures have been properly classified and an accounting of the number of security clearances authorized by the Federal Government for the purpose of sharing cyber threat indicators or defensive measures with the private sector.
(C) A review of the actions taken by the Federal Government based on cyber threat indicators or defensive measures shared with the Federal Government under this title, including a review of the following:
(i) The appropriateness of subsequent uses and disseminations of cyber threat indicators or defensive measures.
(ii) Whether cyber threat indicators or defensive measures were shared in a timely and adequate manner with appropriate entities, or, if appropriate, were made publicly available.
(D) An assessment of the cyber threat indicators or defensive measures shared with the appropriate Federal entities under this title, including the following:
(i) The number of cyber threat indicators or defensive measures shared through the capability and process developed under section 105(c).
(ii) An assessment of any information not directly related to a cybersecurity threat that is personal information of a specific individual or information identifying a specific individual and was shared by a non-Federal government entity with the Federal government in contravention of this title, or was shared within the Federal Government in contravention of the guidelines required by this title, including a description of any significant violation of this title.
(iii) The number of times, according to the Attorney General, that information shared under this title was used by a Federal entity to prosecute an offense listed in section 105(d)(5)(A).
(iv) A quantitative and qualitative assessment of the effect of the sharing of cyber threat indicators or defensive measures with the Federal Government on privacy and civil liberties of specific individuals, including the number of notices that were issued with respect to a failure to remove information not directly related to a cybersecurity threat that was personal information of a specific individual or information that identified a specific individual in accordance with the procedures required by section 105(b)(3)(E).
(v) The adequacy of any steps taken by the Federal Government to reduce any adverse effect from activities carried out under this title on the privacy and civil liberties of United States persons.
(E) An assessment of the sharing of cyber threat indicators or defensive measures among Federal entities to identify inappropriate barriers to sharing information.
(3) RECOMMENDATIONS.—Each report submitted under this subsection may include such recommendations as the inspectors general may have for improvements or modifications to the authorities and processes under this title.
(c) INDEPENDENT REPORT ON REMOVAL OF PERSONAL INFORMATION.—Not later than 3 years after the date of the enactment of this Act, the Comptroller General of the United States shall submit to Congress a report on the actions taken by the Federal Government to remove personal information from cyber threat indicators or defensive measures pursuant to this title. Such report shall include an assessment of the sufficiency of the policies, procedures, and guidelines established under this title in addressing concerns relating to privacy and civil liberties.
(d) FORM OF REPORTS.—Each report required under this section shall be submitted in an unclassified form, but may include a classified annex.
(e) PUBLIC AVAILABILITY OF REPORTS.—The unclassified portions of the reports required under this section shall be made available to the public.
SEC. 108. CONSTRUCTION AND PREEMPTION.
(a) OTHERWISE LAWFUL DISCLOSURES.—Nothing in this title shall be construed—
(1) to limit or prohibit otherwise lawful disclosures of communications, records, or other information, including reporting of known or suspected criminal activity, by a non-Federal entity to any other non-Federal entity or the Federal Government under this title; or
(2) to limit or prohibit otherwise lawful use of such disclosures by any Federal entity, even when such otherwise lawful disclosures duplicate or replicate disclosures made under this title.
(b) WHISTLE BLOWER PROTECTIONS.—Nothing in this title shall be construed to prohibit or limit the disclosure of information protected under section 2302(b)(8) of title 5, United States Code (governing disclosures of illegality, waste, fraud, abuse, or public health or safety threats), section 7211 of title 5, United States Code (governing disclosures to Congress), section 1034 of title 10, United States Code (governing disclosure to Congress by members of the military), section 1104 of the National Security Act of 1947 (50 U.S.C. 3234) (governing disclosure by employees of elements of the intelligence community), or any similar provision of Federal or State law.
(c) PROTECTION OF SOURCES AND METHODS.—Nothing in this title shall be construed—
(1) as creating any immunity against, or otherwise affecting, any action brought by the Federal Government, or any agency or department thereof, to enforce any law, executive order, or procedure governing the appropriate handling, disclosure, or use of classified information;
(2) to affect the conduct of authorized law enforcement or intelligence activities; or
(3) to modify the authority of a department or agency of the Federal Government to protect classified information and sources and methods and the national security of the United States.
23
(d) RELATIONSHIP
TO
OTHER LAWS.—Nothing in
24 this title shall be construed to affect any requirement
December 16, 2015 (1:04 a.m.)
U:\2016REPT\OMNI\FinalOmni\CPRT-114-HPRT-RU00-SAHR2029-AMNT1.xml
1779
1 under any other provision of law for a non-Federal entity
2 to provide information to the Federal Government.
(e) PROHIBITED CONDUCT.—Nothing in this title
3
4 shall be construed to permit price-fixing, allocating a mar5 ket between competitors, monopolizing or attempting to
6 monopolize a market, boycotting, or exchanges of price or
7 cost information, customer lists, or information regarding
8 future competitive planning.
(f) INFORMATION SHARING RELATIONSHIPS.—Nothing in this title shall be construed—
(1) to limit or modify an existing information sharing relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship between any non-Federal entity and a Federal entity or another non-Federal entity; or
(4) to require the use of the capability and process within the Department of Homeland Security developed under section 105(c).
(g) PRESERVATION OF CONTRACTUAL OBLIGATIONS AND RIGHTS.—Nothing in this title shall be construed—
(1) to amend, repeal, or supersede any current or future contractual agreement, terms of service agreement, or other contractual relationship between any non-Federal entities, or between any non-Federal entity and a Federal entity; or
(2) to abrogate trade secret or intellectual property rights of any non-Federal entity or Federal entity.
(h) ANTI-TASKING RESTRICTION.—Nothing in this title shall be construed to permit a Federal entity—
(1) to require a non-Federal entity to provide information to a Federal entity or another non-Federal entity;
(2) to condition the sharing of cyber threat indicators with a non-Federal entity on such entity’s provision of cyber threat indicators to a Federal entity or another non-Federal entity; or
(3) to condition the award of any Federal grant, contract, or purchase on the provision of a cyber threat indicator to a Federal entity or another non-Federal entity.
(i) NO LIABILITY FOR NON-PARTICIPATION.—Nothing in this title shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized in this title.
(j) USE AND RETENTION OF INFORMATION.—Nothing in this title shall be construed to authorize, or to modify any existing authority of, a department or agency of the Federal Government to retain or use any information shared under this title for any use other than permitted in this title.
(k) FEDERAL PREEMPTION.—
(1) IN GENERAL.—This title supersedes any statute or other provision of law of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under this title.
(2) STATE LAW ENFORCEMENT.—Nothing in this title shall be construed to supersede any statute or other provision of law of a State or political subdivision of a State concerning the use of authorized law enforcement practices and procedures.
(l) REGULATORY AUTHORITY.—Nothing in this title shall be construed—
(1) to authorize the promulgation of any regulations not specifically authorized to be issued under this title;
(2) to establish or limit any regulatory authority not specifically established or limited under this title; or
(3) to authorize regulatory actions that would duplicate or conflict with regulatory requirements, mandatory standards, or related processes under another provision of Federal law.
(m) AUTHORITY OF SECRETARY OF DEFENSE TO RESPOND TO MALICIOUS CYBER ACTIVITY CARRIED OUT BY FOREIGN POWERS.—Nothing in this title shall be construed to limit the authority of the Secretary of Defense under section 130g of title 10, United States Code.
(n) CRIMINAL PROSECUTION.—Nothing in this title shall be construed to prevent the disclosure of a cyber threat indicator or defensive measure shared under this title in a case of criminal prosecution, when an applicable provision of Federal, State, tribal, or local law requires disclosure in such case.
SEC. 109. REPORT ON CYBERSECURITY THREATS.
(a) REPORT REQUIRED.—Not later than 180 days after the date of the enactment of this Act, the Director of National Intelligence, in coordination with the heads of other appropriate elements of the intelligence community, shall submit to the Select Committee on Intelligence of the Senate and the Permanent Select Committee on Intelligence of the House of Representatives a report on cybersecurity threats, including cyber attacks, theft, and data breaches.
(b) CONTENTS.—The report required by subsection (a) shall include the following:
(1) An assessment of the current intelligence sharing and cooperation relationships of the United States with other countries regarding cybersecurity threats, including cyber attacks, theft, and data breaches, directed against the United States and which threaten the United States national security interests and economy and intellectual property, specifically identifying the relative utility of such relationships, which elements of the intelligence community participate in such relationships, and whether and how such relationships could be improved.
(2) A list and an assessment of the countries and nonstate actors that are the primary threats of carrying out a cybersecurity threat, including a cyber attack, theft, or data breach, against the United States and which threaten the United States national security, economy, and intellectual property.
(3) A description of the extent to which the capabilities of the United States Government to respond to or prevent cybersecurity threats, including cyber attacks, theft, or data breaches, directed against the United States private sector are degraded by a delay in the prompt notification by private entities of such threats or cyber attacks, theft, and data breaches.
(4) An assessment of additional technologies or capabilities that would enhance the ability of the United States to prevent and to respond to cybersecurity threats, including cyber attacks, theft, and data breaches.
(5) An assessment of any technologies or practices utilized by the private sector that could be rapidly fielded to assist the intelligence community in preventing and responding to cybersecurity threats.
(c) FORM OF REPORT.—The report required by subsection (a) shall be made available in classified and unclassified forms.
(d) INTELLIGENCE COMMUNITY DEFINED.—In this section, the term ‘‘intelligence community’’ has the meaning given that term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).
SEC. 110. EXCEPTION TO LIMITATION ON AUTHORITY OF SECRETARY OF DEFENSE TO DISSEMINATE CERTAIN INFORMATION.
Notwithstanding subsection (c)(3) of section 393 of title 10, United States Code, the Secretary of Defense may authorize the sharing of cyber threat indicators and defensive measures pursuant to the policies, procedures, and guidelines developed or issued under this title.
SEC. 111. EFFECTIVE PERIOD.
(a) IN GENERAL.—Except as provided in subsection (b), this title and the amendments made by this title shall be effective during the period beginning on the date of the enactment of this Act and ending on September 30, 2025.
(b) EXCEPTION.—With respect to any action authorized by this title or information obtained pursuant to an action authorized by this title, which occurred before the date on which the provisions referred to in subsection (a) cease to have effect, the provisions of this title shall continue in effect.
TITLE II—NATIONAL CYBERSECURITY ADVANCEMENT
Subtitle A—National Cybersecurity and Communications Integration Center
SEC. 201. SHORT TITLE.
This subtitle may be cited as the ‘‘National Cybersecurity Protection Advancement Act of 2015’’.
SEC. 202. DEFINITIONS.
In this subtitle:
(1) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term ‘‘appropriate congressional committees’’ means—
(A) the Committee on Homeland Security and Governmental Affairs of the Senate; and
(B) the Committee on Homeland Security of the House of Representatives.
(2) CYBERSECURITY RISK; INCIDENT.—The terms ‘‘cybersecurity risk’’ and ‘‘incident’’ have the meanings given those terms in section 227 of the Homeland Security Act of 2002, as so redesignated by section 223(a)(3) of this division.
(3) CYBER THREAT INDICATOR; DEFENSIVE MEASURE.—The terms ‘‘cyber threat indicator’’ and ‘‘defensive measure’’ have the meanings given those terms in section 102.
(4) DEPARTMENT.—The term ‘‘Department’’ means the Department of Homeland Security.
(5) SECRETARY.—The term ‘‘Secretary’’ means the Secretary of Homeland Security.
SEC. 203. INFORMATION SHARING STRUCTURE AND PROCESSES.
Section 227 of the Homeland Security Act of 2002, as so redesignated by section 223(a)(3) of this division, is amended—
(1) in subsection (a)—
(A) by redesignating paragraphs (3) and (4) as paragraphs (4) and (5), respectively;
(B) by striking paragraphs (1) and (2) and inserting the following:
‘‘(1) the term ‘cybersecurity risk’—
‘‘(A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and
‘‘(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;
‘‘(2) the terms ‘cyber threat indicator’ and ‘defensive measure’ have the meanings given those terms in section 102 of the Cybersecurity Act of 2015;
‘‘(3) the term ‘incident’ means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system;’’;
(C) in paragraph (4), as so redesignated, by striking ‘‘and’’ at the end;
(D) in paragraph (5), as so redesignated, by striking the period at the end and inserting ‘‘; and’’; and
(E) by adding at the end the following:
‘‘(6) the term ‘sharing’ (including all conjugations thereof) means providing, receiving, and disseminating (including all conjugations of each of such terms).’’;
(2) in subsection (c)—
(A) in paragraph (1)—
(i) by inserting ‘‘, including the implementation of title I of the Cybersecurity Act of 2015’’ before the semicolon at the end; and
(ii) by inserting ‘‘cyber threat indicators, defensive measures,’’ before ‘‘cybersecurity risks’’;
(B) in paragraph (3), by striking ‘‘cybersecurity risks’’ and inserting ‘‘cyber threat indicators, defensive measures, cybersecurity risks,’’;
(C) in paragraph (5)(A), by striking ‘‘cybersecurity risks’’ and inserting ‘‘cyber threat indicators, defensive measures, cybersecurity risks,’’;
(D) in paragraph (6)—
(i) by striking ‘‘cybersecurity risks’’ and inserting ‘‘cyber threat indicators, defensive measures, cybersecurity risks,’’; and
(ii) by striking ‘‘and’’ at the end;
(E) in paragraph (7)—
(i) in subparagraph (A), by striking ‘‘and’’ at the end;
(ii) in subparagraph (B), by striking the period at the end and inserting ‘‘; and’’; and
(iii) by adding at the end the following:
‘‘(C) sharing cyber threat indicators and defensive measures;’’; and
(F) by adding at the end the following:
‘‘(8) engaging with international partners, in consultation with other appropriate agencies, to—
‘‘(A) collaborate on cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents; and
‘‘(B) enhance the security and resilience of global cybersecurity;
‘‘(9) sharing cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities, including across sectors of critical infrastructure and with State and major urban area fusion centers, as appropriate;
‘‘(10) participating, as appropriate, in national exercises run by the Department; and
‘‘(11) in coordination with the Office of Emergency Communications of the Department, assessing and evaluating consequence, vulnerability, and threat information regarding cyber incidents to public safety communications to help facilitate continuous improvements to the security and resiliency of such communications.’’;
(3) in subsection (d)(1)—
(A) in subparagraph (B)—
(i) in clause (i), by striking ‘‘and local’’ and inserting ‘‘, local, and tribal’’;
(ii) in clause (ii), by striking ‘‘; and’’ and inserting ‘‘, including information sharing and analysis centers;’’;
(iii) in clause (iii), by adding ‘‘and’’ at the end; and
(iv) by adding at the end the following:
‘‘(iv) private entities;’’.
(B) in subparagraph (D), by striking ‘‘and’’ at the end;
(C) by redesignating subparagraph (E) as subparagraph (F); and
(D) by inserting after subparagraph (D) the following:
‘‘(E) an entity that collaborates with State and local governments on cybersecurity risks and incidents, and has entered into a voluntary information sharing relationship with the Center; and’’;
(4) in subsection (e)—
(A) in paragraph (1)—
(i) in subparagraph (A), by inserting ‘‘cyber threat indicators, defensive measures, and’’ before ‘‘information’’;
(ii) in subparagraph (B), by inserting ‘‘cyber threat indicators, defensive measures, and’’ before ‘‘information related’’;
(iii) in subparagraph (F)—
(I) by striking ‘‘cybersecurity risks’’ and inserting ‘‘cyber threat indicators, defensive measures, cybersecurity risks,’’; and
(II) by striking ‘‘and’’ at the end;
(iv) in subparagraph (G), by striking ‘‘cybersecurity risks and incidents’’ and inserting ‘‘cyber threat indicators, defensive measures, cybersecurity risks, and incidents; and’’; and
(v) by adding at the end the following:
‘‘(H) the Center designates an agency contact for non-Federal entities;’’;
(B) in paragraph (2)—
(i) by striking ‘‘cybersecurity risks’’ and inserting ‘‘cyber threat indicators, defensive measures, cybersecurity risks,’’; and
(ii) by inserting ‘‘or disclosure’’ after ‘‘access’’; and
(C) in paragraph (3), by inserting before the period at the end the following: ‘‘, including by working with the Privacy Officer appointed under section 222 to ensure that the Center follows the policies and procedures specified in subsections (b) and (d)(5)(C) of section 105 of the Cybersecurity Act of 2015’’; and
(5) by adding at the end the following:
‘‘(g) AUTOMATED INFORMATION SHARING.—
‘‘(1) IN GENERAL.—The Under Secretary appointed under section 103(a)(1)(H), in coordination with industry and other stakeholders, shall develop capabilities making use of existing information technology industry standards and best practices, as appropriate, that support and rapidly advance the development, adoption, and implementation of automated mechanisms for the sharing of cyber threat indicators and defensive measures in accordance with title I of the Cybersecurity Act of 2015.
‘‘(2) ANNUAL REPORT.—The Under Secretary appointed under section 103(a)(1)(H) shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives an annual report on the status and progress of the development of the capabilities described in paragraph (1). Such reports shall be required until such capabilities are fully implemented.
‘‘(h) VOLUNTARY INFORMATION SHARING PROCEDURES.—
‘‘(1) PROCEDURES.—
‘‘(A) IN GENERAL.—The Center may enter into a voluntary information sharing relationship with any consenting non-Federal entity for the sharing of cyber threat indicators and defensive measures for cybersecurity purposes in accordance with this section. Nothing in this subsection may be construed to require any non-Federal entity to enter into any such information sharing relationship with the Center or any other entity. The Center may terminate a voluntary information sharing relationship under this subsection, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), for any reason, including if the Center determines that the non-Federal entity with which the Center has entered into such a relationship has violated the terms of this subsection.
‘‘(B) NATIONAL SECURITY.—The Secretary may decline to enter into a voluntary information sharing relationship under this subsection, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), for any reason, including if the Secretary determines that such is appropriate for national security.
‘‘(2) VOLUNTARY INFORMATION SHARING RELATIONSHIPS.—A voluntary information sharing relationship under this subsection may be characterized as an agreement described in this paragraph.
‘‘(A) STANDARD AGREEMENT.—For the use of a non-Federal entity, the Center shall make available a standard agreement, consistent with this section, on the Department’s website.
‘‘(B) NEGOTIATED AGREEMENT.—At the request of a non-Federal entity, and if determined appropriate by the Center, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), the Department shall negotiate a non-standard agreement, consistent with this section.
‘‘(C) EXISTING AGREEMENTS.—An agreement between the Center and a non-Federal entity that is entered into before the date of enactment of this subsection, or such an agreement that is in effect before such date, shall be deemed in compliance with the requirements of this subsection, notwithstanding any other provision or requirement of this subsection. An agreement under this subsection shall include the relevant privacy protections as in effect under the Cooperative Research and Development Agreement for Cybersecurity Information Sharing and Collaboration, as of December 31, 2014. Nothing in this subsection may be construed to require a non-Federal entity to enter into either a standard or negotiated agreement to be in compliance with this subsection.
‘‘(i) DIRECT REPORTING.—The Secretary shall develop policies and procedures for direct reporting to the Secretary by the Director of the Center regarding significant cybersecurity risks and incidents.
‘‘(j) REPORTS ON INTERNATIONAL COOPERATION.—Not later than 180 days after the date of enactment of this subsection, and periodically thereafter, the Secretary of Homeland Security shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the range of efforts underway to bolster cybersecurity collaboration with relevant international partners in accordance with subsection (c)(8).
‘‘(k) OUTREACH.—Not later than 60 days after the date of enactment of this subsection, the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), shall—
‘‘(1) disseminate to the public information about how to voluntarily share cyber threat indicators and defensive measures with the Center; and
‘‘(2) enhance outreach to critical infrastructure owners and operators for purposes of such sharing.
‘‘(l) COORDINATED VULNERABILITY DISCLOSURE.—The Secretary, in coordination with industry and other stakeholders, may develop and adhere to Department policies and procedures for coordinating vulnerability disclosures.’’.
SEC. 204. INFORMATION SHARING AND ANALYSIS ORGANIZATIONS.
Section 212 of the Homeland Security Act of 2002 (6 U.S.C. 131) is amended—
(1) in paragraph (5)—
(A) in subparagraph (A)—
(i) by inserting ‘‘, including information related to cybersecurity risks and incidents,’’ after ‘‘critical infrastructure information’’; and
(ii) by inserting ‘‘, including cybersecurity risks and incidents,’’ after ‘‘related to critical infrastructure’’;
(B) in subparagraph (B)—
(i) by inserting ‘‘, including cybersecurity risks and incidents,’’ after ‘‘critical infrastructure information’’; and
(ii) by inserting ‘‘, including cybersecurity risks and incidents,’’ after ‘‘related to critical infrastructure’’; and
(C) in subparagraph (C), by inserting ‘‘, including cybersecurity risks and incidents,’’ after ‘‘critical infrastructure information’’; and
(2) by adding at the end the following:
‘‘(8) CYBERSECURITY RISK; INCIDENT.—The terms ‘cybersecurity risk’ and ‘incident’ have the meanings given those terms in section 227.’’.
SEC. 205. NATIONAL RESPONSE FRAMEWORK.
Section 228 of the Homeland Security Act of 2002, as added by section 223(a)(4) of this division, is amended by adding at the end the following:
‘‘(d) NATIONAL RESPONSE FRAMEWORK.—The Secretary, in coordination with the heads of other appropriate Federal departments and agencies, and in accordance with the National Cybersecurity Incident Response Plan required under subsection (c), shall regularly update, maintain, and exercise the Cyber Incident Annex to the National Response Framework of the Department.’’.
SEC. 206. REPORT ON REDUCING CYBERSECURITY RISKS IN DHS DATA CENTERS.
Not later than 1 year after the date of the enactment of this Act, the Secretary shall submit to the appropriate congressional committees a report on the feasibility of the Department creating an environment for the reduction in cybersecurity risks in Department data centers, including by increasing compartmentalization between systems, and providing a mix of security controls between such compartments.
SEC. 207. ASSESSMENT.
Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall submit to the appropriate congressional committees a report that includes—
(1) an assessment of the implementation by the Secretary of this title and the amendments made by this title; and
(2) to the extent practicable, findings regarding increases in the sharing of cyber threat indicators, defensive measures, and information relating to cybersecurity risks and incidents at the center established under section 227 of the Homeland Security Act of 2002, as redesignated by section 223(a) of this division, and throughout the United States.
SEC. 208. MULTIPLE SIMULTANEOUS CYBER INCIDENTS AT CRITICAL INFRASTRUCTURE.
Not later than 1 year after the date of enactment of this Act, the Under Secretary appointed under section 103(a)(1)(H) of the Homeland Security Act of 2002 (6 U.S.C. 113(a)(1)(H)) shall provide information to the appropriate congressional committees on the feasibility of producing a risk-informed plan to address the risk of multiple simultaneous cyber incidents affecting critical infrastructure, including cyber incidents that may have a cascading effect on other critical infrastructure.
SEC. 209. REPORT ON CYBERSECURITY VULNERABILITIES OF UNITED STATES PORTS.
Not later than 180 days after the date of enactment of this Act, the Secretary shall submit to the appropriate congressional committees, the Committee on Commerce, Science and Transportation of the Senate, and the Committee on Transportation and Infrastructure of the House of Representatives a report on cybersecurity vulnerabilities for the 10 United States ports that the Secretary determines are at greatest risk of a cybersecurity incident and provide recommendations to mitigate such vulnerabilities.
SEC. 210. PROHIBITION ON NEW REGULATORY AUTHORITY.
Nothing in this subtitle or the amendments made by this subtitle may be construed to grant the Secretary any authority to promulgate regulations or set standards relating to the cybersecurity of non-Federal entities, not including State, local, and tribal governments, that was not in effect on the day before the date of enactment of this Act.
SEC. 211. TERMINATION OF REPORTING REQUIREMENTS.
Any reporting requirements in this subtitle shall terminate on the date that is 7 years after the date of enactment of this Act.
Subtitle B—Federal Cybersecurity Enhancement
SEC. 221. SHORT TITLE.
This subtitle may be cited as the ‘‘Federal Cybersecurity Enhancement Act of 2015’’.
SEC. 222. DEFINITIONS.
In this subtitle:
(1) AGENCY.—The term ‘‘agency’’ has the meaning given the term in section 3502 of title 44, United States Code.
(2) AGENCY INFORMATION SYSTEM.—The term ‘‘agency information system’’ has the meaning given the term in section 228 of the Homeland Security Act of 2002, as added by section 223(a)(4) of this division.
(3) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term ‘‘appropriate congressional committees’’ means—
(A) the Committee on Homeland Security and Governmental Affairs of the Senate; and
(B) the Committee on Homeland Security of the House of Representatives.
(4) CYBERSECURITY RISK; INFORMATION SYSTEM.—The terms ‘‘cybersecurity risk’’ and ‘‘information system’’ have the meanings given those terms in section 227 of the Homeland Security Act of 2002, as so redesignated by section 223(a)(3) of this division.
(5) DIRECTOR.—The term ‘‘Director’’ means the Director of the Office of Management and Budget.
(6) INTELLIGENCE COMMUNITY.—The term ‘‘intelligence community’’ has the meaning given the term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)).
(7) NATIONAL SECURITY SYSTEM.—The term ‘‘national security system’’ has the meaning given the term in section 11103 of title 40, United States Code.
(8) SECRETARY.—The term ‘‘Secretary’’ means the Secretary of Homeland Security.
SEC. 223. IMPROVED FEDERAL NETWORK SECURITY.
(a) IN GENERAL.—Subtitle C of title II of the Homeland Security Act of 2002 (6 U.S.C. 141 et seq.) is amended—
(1) by redesignating section 228 as section 229;
(2) by redesignating section 227 as subsection (c) of section 228, as added by paragraph (4), and adjusting the margins accordingly;
(3) by redesignating the second section designated as section 226 (relating to the national cybersecurity and communications integration center) as section 227;
(4) by inserting after section 227, as so redesignated, the following:
‘‘SEC. 228. CYBERSECURITY PLANS.
‘‘(a) DEFINITIONS.—In this section—
‘‘(1) the term ‘agency information system’ means an information system used or operated by an agency or by another entity on behalf of an agency;
‘‘(2) the terms ‘cybersecurity risk’ and ‘information system’ have the meanings given those terms in section 227;
‘‘(3) the term ‘intelligence community’ has the meaning given the term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)); and
‘‘(4) the term ‘national security system’ has the meaning given the term in section 11103 of title 40, United States Code.
‘‘(b) INTRUSION ASSESSMENT PLAN.—
‘‘(1) REQUIREMENT.—The Secretary, in coordination with the Director of the Office of Management and Budget, shall—
‘‘(A) develop and implement an intrusion assessment plan to proactively detect, identify, and remove intruders in agency information systems on a routine basis; and
‘‘(B) update such plan as necessary.
‘‘(2) EXCEPTION.—The intrusion assessment plan required under paragraph (1) shall not apply to the Department of Defense, a national security system, or an element of the intelligence community.’’;
(5) in section 228(c), as so redesignated, by striking ‘‘section 226’’ and inserting ‘‘section 227’’; and
(6) by inserting after section 229, as so redesignated, the following:
‘‘SEC. 230. FEDERAL INTRUSION DETECTION AND PREVENTION SYSTEM.
‘‘(a) DEFINITIONS.—In this section—
‘‘(1) the term ‘agency’ has the meaning given the term in section 3502 of title 44, United States Code;
‘‘(2) the term ‘agency information’ means information collected or maintained by or on behalf of an agency;
‘‘(3) the term ‘agency information system’ has the meaning given the term in section 228; and
‘‘(4) the terms ‘cybersecurity risk’ and ‘information system’ have the meanings given those terms in section 227.
‘‘(b) REQUIREMENT.—
‘‘(1) IN GENERAL.—Not later than 1 year after the date of enactment of this section, the Secretary shall deploy, operate, and maintain, to make available for use by any agency, with or without reimbursement—
‘‘(A) a capability to detect cybersecurity risks in network traffic transiting or traveling to or from an agency information system; and
‘‘(B) a capability to prevent network traffic associated with such cybersecurity risks from transiting or traveling to or from an agency information system or modify such network traffic to remove the cybersecurity risk.
‘‘(2) REGULAR IMPROVEMENT.—The Secretary shall regularly deploy new technologies and modify e…