Legislation
DIVISION N--CYBERSECURITY ACT OF 2015
SEC. 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This division may be cited as the ``Cybersecurity
Act of 2015''.
(b) Table of Contents.--The table of contents for this division is
as follows:
Sec. 1. Short title; table of contents.
TITLE I--CYBERSECURITY INFORMATION SHARING
Sec. 101. Short title.
Sec. 102. Definitions.
Sec. 103. Sharing of information by the Federal Government.
Sec. 104. Authorizations for preventing, detecting, analyzing, and
mitigating cybersecurity threats.
Sec. 105. Sharing of cyber threat indicators and defensive measures with
the Federal Government.
Sec. 106. Protection from liability.
Sec. 107. Oversight of Government activities.
Sec. 108. Construction and preemption.
Sec. 109. Report on cybersecurity threats.
Sec. 110. Exception to limitation on authority of Secretary of Defense
to disseminate certain information.
Sec. 111. Effective period.
TITLE II--NATIONAL CYBERSECURITY ADVANCEMENT
Subtitle A--National Cybersecurity and Communications Integration Center
Sec. 201. Short title.
Sec. 202. Definitions.
Sec. 203. Information sharing structure and processes.
Sec. 204. Information sharing and analysis organizations.
Sec. 205. National response framework.
Sec. 206. Report on reducing cybersecurity risks in DHS data centers.
Sec. 207. Assessment.
Sec. 208. Multiple simultaneous cyber incidents at critical
infrastructure.
Sec. 209. Report on cybersecurity vulnerabilities of United States
ports.
Sec. 210. Prohibition on new regulatory authority.
Sec. 211. Termination of reporting requirements.
Subtitle B--Federal Cybersecurity Enhancement
Sec. 221. Short title.
Sec. 222. Definitions.
Sec. 223. Improved Federal network security.
Sec. 224. Advanced internal defenses.
Sec. 225. Federal cybersecurity requirements.
Sec. 226. Assessment; reports.
Sec. 227. Termination.
Sec. 228. Identification of information systems relating to national
security.
Sec. 229. Direction to agencies.
TITLE III--FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT
Sec. 301. Short title.
Sec. 302. Definitions.
Sec. 303. National cybersecurity workforce measurement initiative.
Sec. 304. Identification of cyber-related work roles of critical need.
Sec. 305. Government Accountability Office status reports.
TITLE IV--OTHER CYBER MATTERS
Sec. 401. Study on mobile device security.
Sec. 402. Department of State international cyberspace policy strategy.
Sec. 403. Apprehension and prosecution of international cyber criminals.
Sec. 404. Enhancement of emergency services.
Sec. 405. Improving cybersecurity in the health care industry.
Sec. 406. Federal computer security.
Sec. 407. Stopping the fraudulent sale of financial information of
people of the United States.
TITLE I--CYBERSECURITY INFORMATION SHARING
SEC. 101. SHORT TITLE.
This title may be cited as the ``Cybersecurity Information Sharing
Act of 2015''.
SEC. 102. DEFINITIONS.
In this title:
(1) Agency.--The term ``agency'' has the meaning given the term
in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in the first section of
the Clayton Act (15 U.S.C. 12);
(B) includes section 5 of the Federal Trade Commission Act
(15 U.S.C. 45) to the extent that section 5 of that Act applies
to unfair methods of competition; and
(C) includes any State antitrust law, but only to the
extent that such law is consistent with the law referred to in
subparagraph (A) or the law referred to in subparagraph (B).
(3) Appropriate federal entities.--The term ``appropriate
Federal entities'' means the following:
(A) The Department of Commerce.
(B) The Department of Defense.
(C) The Department of Energy.
(D) The Department of Homeland Security.
(E) The Department of Justice.
(F) The Department of the Treasury.
(G) The Office of the Director of National Intelligence.
(4) Cybersecurity purpose.--The term ``cybersecurity purpose''
means the purpose of protecting an information system or
information that is stored on, processed by, or transiting an
information system from a cybersecurity threat or security
vulnerability.
(5) Cybersecurity threat.--
(A) In general.--Except as provided in subparagraph (B),
the term ``cybersecurity threat'' means an action, not
protected by the First Amendment to the Constitution of the
United States, on or through an information system that may
result in an unauthorized effort to adversely impact the
security, availability, confidentiality, or integrity of an
information system or information that is stored on, processed
by, or transiting an information system.
(B) Exclusion.--The term ``cybersecurity threat'' does not
include any action that solely involves a violation of a
consumer term of service or a consumer licensing agreement.
(6) Cyber threat indicator.--The term ``cyber threat
indicator'' means information that is necessary to describe or
identify--
(A) malicious reconnaissance, including anomalous patterns
of communications that appear to be transmitted for the purpose
of gathering technical information related to a cybersecurity
threat or security vulnerability;
(B) a method of defeating a security control or
exploitation of a security vulnerability;
(C) a security vulnerability, including anomalous activity
that appears to indicate the existence of a security
vulnerability;
(D) a method of causing a user with legitimate access to an
information system or information that is stored on, processed
by, or transiting an information system to unwittingly enable
the defeat of a security control or exploitation of a security
vulnerability;
(E) malicious cyber command and control;
(F) the actual or potential harm caused by an incident,
including a description of the information exfiltrated as a
result of a particular cybersecurity threat;
(G) any other attribute of a cybersecurity threat, if
disclosure of such attribute is not otherwise prohibited by
law; or
(H) any combination thereof.
(7) Defensive measure.--
(A) In general.--Except as provided in subparagraph (B),
the term ``defensive measure'' means an action, device,
procedure, signature, technique, or other measure applied to an
information system or information that is stored on, processed
by, or transiting an information system that detects, prevents,
or mitigates a known or suspected cybersecurity threat or
security vulnerability.
(B) Exclusion.--The term ``defensive measure'' does not
include a measure that destroys, renders unusable, provides
unauthorized access to, or substantially harms an information
system or information stored on, processed by, or transiting
such information system not owned by--
(i) the private entity operating the measure; or
(ii) another entity or Federal entity that is
authorized to provide consent and has provided consent to
that private entity for operation of such measure.
(8) Federal entity.--The term ``Federal entity'' means a
department or agency of the United States or any component of such
department or agency.
(9) Information system.--The term ``information system''--
(A) has the meaning given the term in section 3502 of title
44, United States Code; and
(B) includes industrial control systems, such as
supervisory control and data acquisition systems, distributed
control systems, and programmable logic controllers.
(10) Local government.--The term ``local government'' means any
borough, city, county, parish, town, township, village, or other
political subdivision of a State.
(11) Malicious cyber command and control.--The term ``malicious
cyber command and control'' means a method for unauthorized remote
identification of, access to, or use of, an information system or
information that is stored on, processed by, or transiting an
information system.
(12) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or passively
monitoring an information system for the purpose of discerning
security vulnerabilities of the information system, if such method
is associated with a known or suspected cybersecurity threat.
(13) Monitor.--The term ``monitor'' means to acquire, identify,
or scan, or to possess, information that is stored on, processed
by, or transiting an information system.
(14) Non-federal entity.--
(A) In general.--Except as otherwise provided in this
paragraph, the term ``non-Federal entity'' means any private
entity, non-Federal government agency or department, or State,
tribal, or local government (including a political subdivision,
department, or component thereof).
(B) Inclusions.--The term ``non-Federal entity'' includes a
government agency or department of the District of Columbia,
the Commonwealth of Puerto Rico, the United States Virgin
Islands, Guam, American Samoa, the Northern Mariana Islands,
and any other territory or possession of the United States.
(C) Exclusion.--The term ``non-Federal entity'' does not
include a foreign power as defined in section 101 of the
Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
(15) Private entity.--
(A) In general.--Except as otherwise provided in this
paragraph, the term ``private entity'' means any person or
private group, organization, proprietorship, partnership,
trust, cooperative, corporation, or other commercial or
nonprofit entity, including an officer, employee, or agent
thereof.
(B) Inclusion.--The term ``private entity'' includes a
State, tribal, or local government performing utility services,
such as electric, natural gas, or water services.
(C) Exclusion.--The term ``private entity'' does not
include a foreign power as defined in section 101 of the
Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
(16) Security control.--The term ``security control'' means the
management, operational, and technical controls used to protect
against an unauthorized effort to adversely affect the
confidentiality, integrity, and availability of an information
system or its information.
(17) Security vulnerability.--The term ``security
vulnerability'' means any attribute of hardware, software, process,
or procedure that could enable or facilitate the defeat of a
security control.
(18) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian Self-Determination
and Education Assistance Act (25 U.S.C. 450b).
SEC. 103. SHARING OF INFORMATION BY THE FEDERAL GOVERNMENT.
(a) In General.--Consistent with the protection of classified
information, intelligence sources and methods, and privacy and civil
liberties, the Director of National Intelligence, the Secretary of
Homeland Security, the Secretary of Defense, and the Attorney General,
in consultation with the heads of the appropriate Federal entities,
shall jointly develop and issue procedures to facilitate and promote--
(1) the timely sharing of classified cyber threat indicators
and defensive measures in the possession of the Federal Government
with representatives of relevant Federal entities and non-Federal
entities that have appropriate security clearances;
(2) the timely sharing with relevant Federal entities and non-
Federal entities of cyber threat indicators, defensive measures,
and information relating to cybersecurity threats or authorized
uses under this title, in the possession of the Federal Government
that may be declassified and shared at an unclassified level;
(3) the timely sharing with relevant Federal entities and non-
Federal entities, or the public if appropriate, of unclassified,
including controlled unclassified, cyber threat indicators and
defensive measures in the possession of the Federal Government;
(4) the timely sharing with Federal entities and non-Federal
entities, if appropriate, of information relating to cybersecurity
threats or authorized uses under this title, in the possession of
the Federal Government about cybersecurity threats to such entities
to prevent or mitigate adverse effects from such cybersecurity
threats; and
(5) the periodic sharing, through publication and targeted
outreach, of cybersecurity best practices that are developed based
on ongoing analyses of cyber threat indicators, defensive measures,
and information relating to cybersecurity threats or authorized
uses under this title, in the possession of the Federal Government,
with attention to accessibility and implementation challenges faced
by small business concerns (as defined in section 3 of the Small
Business Act (15 U.S.C. 632)).
(b) Development of Procedures.--
(1) In general.--The procedures developed under subsection (a)
shall--
(A) ensure the Federal Government has and maintains the
capability to share cyber threat indicators and defensive
measures in real time consistent with the protection of
classified information;
(B) incorporate, to the greatest extent practicable,
existing processes and existing roles and responsibilities of
Federal entities and non-Federal entities for information
sharing by the Federal Government, including sector specific
information sharing and analysis centers;
(C) include procedures for notifying, in a timely manner,
Federal entities and non-Federal entities that have received a
cyber threat indicator or defensive measure from a Federal
entity under this title that is known or determined to be in
error or in contravention of the requirements of this title or
another provision of Federal law or policy of such error or
contravention;
(D) include requirements for Federal entities sharing cyber
threat indicators or defensive measures to implement and
utilize security controls to protect against unauthorized
access to or acquisition of such cyber threat indicators or
defensive measures;
(E) include procedures that require a Federal entity, prior
to the sharing of a cyber threat indicator--
(i) to review such cyber threat indicator to assess
whether such cyber threat indicator contains any
information not directly related to a cybersecurity threat
that such Federal entity knows at the time of sharing to be
personal information of a specific individual or
information that identifies a specific individual and
remove such information; or
(ii) to implement and utilize a technical capability
configured to remove any information not directly related
to a cybersecurity threat that the Federal entity knows at
the time of sharing to be personal information of a
specific individual or information that identifies a
specific individual; and
(F) include procedures for notifying, in a timely manner,
any United States person whose personal information is known or
determined to have been shared by a Federal entity in violation
of this title.
(2) Consultation.--In developing the procedures required under
this section, the Director of National Intelligence, the Secretary
of Homeland Security, the Secretary of Defense, and the Attorney
General shall consult with appropriate Federal entities, including
the Small Business Administration and the National Laboratories (as
defined in section 2 of the Energy Policy Act of 2005 (42 U.S.C.
15801)), to ensure that effective protocols are implemented that
will facilitate and promote the sharing of cyber threat indicators
by the Federal Government in a timely manner.
(c) Submittal to Congress.--Not later than 60 days after the date
of the enactment of this Act, the Director of National Intelligence, in
consultation with the heads of the appropriate Federal entities, shall
submit to Congress the procedures required by subsection (a).
SEC. 104. AUTHORIZATIONS FOR PREVENTING, DETECTING, ANALYZING, AND
MITIGATING CYBERSECURITY THREATS.
(a) Authorization for Monitoring.--
(1) In general.--Notwithstanding any other provision of law, a
private entity may, for cybersecurity purposes, monitor--
(A) an information system of such private entity;
(B) an information system of another non-Federal entity,
upon the authorization and written consent of such other
entity;
(C) an information system of a Federal entity, upon the
authorization and written consent of an authorized
representative of the Federal entity; and
(D) information that is stored on, processed by, or
transiting an information system monitored by the private
entity under this paragraph.
(2) Construction.--Nothing in this subsection shall be
construed--
(A) to authorize the monitoring of an information system,
or the use of any information obtained through such monitoring,
other than as provided in this title; or
(B) to limit otherwise lawful activity.
(b) Authorization for Operation of Defensive Measures.--
(1) In general.--Notwithstanding any other provision of law, a
private entity may, for cybersecurity purposes, operate a defensive
measure that is applied to--
(A) an information system of such private entity in order
to protect the rights or property of the private entity;
(B) an information system of another non-Federal entity
upon written consent of such entity for operation of such
defensive measure to protect the rights or property of such
entity; and
(C) an information system of a Federal entity upon written
consent of an authorized representative of such Federal entity
for operation of such defensive measure to protect the rights
or property of the Federal Government.
(2) Construction.--Nothing in this subsection shall be
construed--
(A) to authorize the use of a defensive measure other than
as provided in this subsection; or
(B) to limit otherwise lawful activity.
(c) Authorization for Sharing or Receiving Cyber Threat Indicators
or Defensive Measures.--
(1) In general.--Except as provided in paragraph (2) and
notwithstanding any other provision of law, a non-Federal entity
may, for a cybersecurity purpose and consistent with the protection
of classified information, share with, or receive from, any other
non-Federal entity or the Federal Government a cyber threat
indicator or defensive measure.
(2) Lawful restriction.--A non-Federal entity receiving a cyber
threat indicator or defensive measure from another non-Federal
entity or a Federal entity shall comply with otherwise lawful
restrictions placed on the sharing or use of such cyber threat
indicator or defensive measure by the sharing non-Federal entity or
Federal entity.
(3) Construction.--Nothing in this subsection shall be
construed--
(A) to authorize the sharing or receiving of a cyber threat
indicator or defensive measure other than as provided in this
subsection; or
(B) to limit otherwise lawful activity.
(d) Protection and Use of Information.--
(1) Security of information.--A non-Federal entity monitoring
an information system, operating a defensive measure, or providing
or receiving a cyber threat indicator or defensive measure under
this section shall implement and utilize a security control to
protect against unauthorized access to or acquisition of such cyber
threat indicator or defensive measure.
(2) Removal of certain personal information.--A non-Federal
entity sharing a cyber threat indicator pursuant to this title
shall, prior to such sharing--
(A) review such cyber threat indicator to assess whether
such cyber threat indicator contains any information not
directly related to a cybersecurity threat that the non-Federal
entity knows at the time of sharing to be personal information
of a specific individual or information that identifies a
specific individual and remove such information; or
(B) implement and utilize a technical capability configured
to remove any information not directly related to a
cybersecurity threat that the non-Federal entity knows at the
time of sharing to be personal information of a specific
individual or information that identifies a specific
individual.
(3) Use of cyber threat indicators and defensive measures by
non-federal entities.--
(A) In general.--Consistent with this title, a cyber threat
indicator or defensive measure shared or received under this
section may, for cybersecurity purposes--
(i) be used by a non-Federal entity to monitor or
operate a defensive measure that is applied to--
(I) an information system of the non-Federal
entity; or
(II) an information system of another non-Federal
entity or a Federal entity upon the written consent of
that other non-Federal entity or that Federal entity;
and
(ii) be otherwise used, retained, and further shared by
a non-Federal entity subject to--
(I) an otherwise lawful restriction placed by the
sharing non-Federal entity or Federal entity on such
cyber threat indicator or defensive measure; or
(II) an otherwise applicable provision of law.
(B) Construction.--Nothing in this paragraph shall be
construed to authorize the use of a cyber threat indicator or
defensive measure other than as provided in this section.
(4) Use of cyber threat indicators by state, tribal, or local
government.--
(A) Law enforcement use.--A State, tribal, or local
government that receives a cyber threat indicator or defensive
measure under this title may use such cyber threat indicator or
defensive measure for the purposes described in section
105(d)(5)(A).
(B) Exemption from disclosure.--A cyber threat indicator or
defensive measure shared by or with a State, tribal, or local
government, including a component of a State, tribal, or local
government that is a private entity, under this section shall
be--
(i) deemed voluntarily shared information; and
(ii) exempt from disclosure under any provision of
State, tribal, or local freedom of information law, open
government law, open meetings law, open records law,
sunshine law, or similar law requiring disclosure of
information or records.
(C) State, tribal, and local regulatory authority.--
(i) In general.--Except as provided in clause (ii), a
cyber threat indicator or defensive measure shared with a
State, tribal, or local government under this title shall
not be used by any State, tribal, or local government to
regulate, including an enforcement action, the lawful
activity of any non-Federal entity or any activity taken by
a non-Federal entity pursuant to mandatory standards,
including an activity relating to monitoring, operating a
defensive measure, or sharing of a cyber threat indicator.
(ii) Regulatory authority specifically relating to
prevention or mitigation of cybersecurity threats.--A cyber
threat indicator or defensive measure shared as described
in clause (i) may, consistent with a State, tribal, or
local government regulatory authority specifically relating
to the prevention or mitigation of cybersecurity threats to
information systems, inform the development or
implementation of a regulation relating to such information
systems.
(e) Antitrust Exemption.--
(1) In general.--Except as provided in section 108(e), it shall
not be considered a violation of any provision of antitrust laws
for 2 or more private entities to exchange or provide a cyber
threat indicator or defensive measure, or assistance relating to
the prevention, investigation, or mitigation of a cybersecurity
threat, for cybersecurity purposes under this title.
(2) Applicability.--Paragraph (1) shall apply only to
information that is exchanged or assistance provided in order to
assist with--
(A) facilitating the prevention, investigation, or
mitigation of a cybersecurity threat to an information system
or information that is stored on, processed by, or transiting
an information system; or
(B) communicating or disclosing a cyber threat indicator to
help prevent, investigate, or mitigate the effect of a
cybersecurity threat to an information system or information
that is stored on, processed by, or transiting an information
system.
(f) No Right or Benefit.--The sharing of a cyber threat indicator
or defensive measure with a non-Federal entity under this title shall
not create a right or benefit to similar information by such non-
Federal entity or any other non-Federal entity.
SEC. 105. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES
WITH THE FEDERAL GOVERNMENT.
(a) Requirement for Policies and Procedures.--
(1) Interim policies and procedures.--Not later than 60 days
after the date of the enactment of this Act, the Attorney General
and the Secretary of Homeland Security shall, in consultation with
the heads of the appropriate Federal entities, jointly develop and
submit to Congress interim policies and procedures relating to the
receipt of cyber threat indicators and defensive measures by the
Federal Government.
(2) Final policies and procedures.--Not later than 180 days
after the date of the enactment of this Act, the Attorney General
and the Secretary of Homeland Security shall, in consultation with
the heads of the appropriate Federal entities, jointly issue and
make publicly available final policies and procedures relating to
the receipt of cyber threat indicators and defensive measures by
the Federal Government.
(3) Requirements concerning policies and procedures.--
Consistent with the guidelines required by subsection (b), the
policies and procedures developed or issued under this subsection
shall--
(A) ensure that cyber threat indicators shared with the
Federal Government by any non-Federal entity pursuant to
section 104(c) through the real-time process described in
subsection (c) of this section--
(i) are shared in an automated manner with all of the
appropriate Federal entities;
(ii) are only subject to a delay, modification, or
other action due to controls established for such real-time
process that could impede real-time receipt by all of the
appropriate Federal entities when the delay, modification,
or other action is due to controls--
(I) agreed upon unanimously by all of the heads of
the appropriate Federal entities;
(II) carried out before any of the appropriate
Federal entities retains or uses the cyber threat
indicators or defensive measures; and
(III) uniformly applied such that each of the
appropriate Federal entities is subject to the same
delay, modification, or other action; and
(iii) may be provided to other Federal entities;
(B) ensure that cyber threat indicators shared with the
Federal Government by any non-Federal entity pursuant to
section 104 in a manner other than the real-time process
described in subsection (c) of this section--
(i) are shared as quickly as operationally practicable
with all of the appropriate Federal entities;
(ii) are not subject to any unnecessary delay,
interference, or any other action that could impede receipt
by all of the appropriate Federal entities; and
(iii) may be provided to other Federal entities; and
(C) ensure there are--
(i) audit capabilities; and
(ii) appropriate sanctions in place for officers,
employees, or agents of a Federal entity who knowingly and
willfully conduct activities under this title in an
unauthorized manner.
(4) Guidelines for entities sharing cyber threat indicators
with federal government.--
(A) In general.--Not later than 60 days after the date of
the enactment of this Act, the Attorney General and the
Secretary of Homeland Security shall jointly develop and make
publicly available guidance to assist entities and promote
sharing of cyber threat indicators with Federal entities under
this title.
(B) Contents.--The guidelines developed and made publicly
available under subparagraph (A) shall include guidance on the
following:
(i) Identification of types of information that would
qualify as a cyber threat indicator under this title that
would be unlikely to include information that--
(I) is not directly related to a cybersecurity
threat; and
(II) is personal information of a specific
individual or information that identifies a specific
individual.
(ii) Identification of types of information protected
under otherwise applicable privacy laws that are unlikely
to be directly related to a cybersecurity threat.
(iii) Such other matters as the Attorney General and
the Secretary of Homeland Security consider appropriate for
entities sharing cyber threat indicators with Federal
entities under this title.
(b) Privacy and Civil Liberties.--
(1) Interim guidelines.--Not later than 60 days after the date
of the enactment of this Act, the Attorney General and the
Secretary of Homeland Security shall, in consultation with heads of
the appropriate Federal entities and in consultation with officers
designated under section 1062 of the National Security Intelligence
Reform Act of 2004 (42 U.S.C. 2000ee-1), jointly develop, submit to
Congress, and make available to the public interim guidelines
relating to privacy and civil liberties which shall govern the
receipt, retention, use, and dissemination of cyber threat
indicators by a Federal entity obtained in connection with
activities authorized in this title.
(2) Final guidelines.--
(A) In general.--Not later than 180 days after the date of
the enactment of this Act, the Attorney General and the
Secretary of Homeland Security shall, in coordination with
heads of the appropriate Federal entities and in consultation
with officers designated under section 1062 of the National
Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee-1)
and such private entities with industry expertise as the
Attorney General and the Secretary consider relevant, jointly
issue and make publicly available final guidelines relating to
privacy and civil liberties which shall govern the receipt,
retention, use, and dissemination of cyber threat indicators by
a Federal entity obtained in connection with activities
authorized in this title.
(B) Periodic review.--The Attorney General and the
Secretary of Homeland Security shall, in coordination with
heads of the appropriate Federal entities and in consultation
with officers and private entities described in subparagraph
(A), periodically, but not less frequently than once every 2
years, jointly review the guidelines issued under subparagraph
(A).
(3) Content.--The guidelines required by paragraphs (1) and (2)
shall, consistent with the need to protect information systems from
cybersecurity threats and mitigate cybersecurity threats--
(A) limit the effect on privacy and civil liberties of
activities by the Federal Government under this title;
(B) limit the receipt, retention, use, and dissemination of
cyber threat indicators containing personal information of
specific individuals or information that identifies specific
individuals, including by establishing--
(i) a process for the timely destruction of such
information that is known not to be directly related to
uses authorized under this title; and
(ii) specific limitations on the length of any period
in which a cyber threat indicator may be retained;
(C) include requirements to safeguard cyber threat
indicators containing personal information of specific
individuals or information that identifies specific individuals
from unauthorized access or acquisition, including appropriate
sanctions for activities by officers, employees, or agents of
the Federal Government in contravention of such guidelines;
(D) consistent with this title, any other applicable
provisions of law, and the fair information practice principles
set forth in appendix A of the document entitled ``National
Strategy for Trusted Identities in Cyberspace'' and published
by the President in April 2011, govern the retention, use, and
dissemination by the Federal Government of cyber threat
indicators shared with the Federal Government under this title,
including the extent, if any, to which such cyber threat
indicators may be used by the Federal Government;
(E) include procedures for notifying entities and Federal
entities if information received pursuant to this section is
known or determined by a Federal entity receiving such
information not to constitute a cyber threat indicator;
(F) protect the confidentiality of cyber threat indicators
containing personal information of specific individuals or
information that identifies specific individuals to the
greatest extent practicable and require recipients to be
informed that such indicators may only be used for purposes
authorized under this title; and
(G) include steps that may be needed so that dissemination
of cyber threat indicators is consistent with the protection of
classified and other sensitive national security information.
(c) Capability and Process Within the Department of Homeland
Security.--
(1) In general.--Not later than 90 days after the date of the
enactment of this Act, the Secretary of Homeland Security, in
coordination with the heads of the appropriate Federal entities,
shall develop and implement a capability and process within the
Department of Homeland Security that--
(A) shall accept from any non-Federal entity in real time
cyber threat indicators and defensive measures, pursuant to
this section;
(B) shall, upon submittal of the certification under
paragraph (2) that such capability and process fully and
effectively operates as described in such paragraph, be the
process by which the Federal Government receives cyber threat
indicators and defensive measures under this title that are
shared by a non-Federal entity with the Federal Government
through electronic mail or media, an interactive form on an
Internet website, or a real time, automated process between
information systems except--
(i) consistent with section 104, communications between
a Federal entity and a non-Federal entity regarding a
previously shared cyber threat indicator to describe the
relevant cybersecurity threat or develop a defensive
measure based on such cyber threat indicator; and
(ii) communications by a regulated non-Federal entity
with such entity's Federal regulatory authority regarding a
cybersecurity threat;
(C) ensures that all of the appropriate Federal entities
receive in an automated manner such cyber threat indicators and
defensive measures shared through the real-time process within
the Department of Homeland Security;
(D) is in compliance with the policies, procedures, and
guidelines required by this section; and
(E) does not limit or prohibit otherwise lawful disclosures
of communications, records, or other information, including--
(i) reporting of known or suspected criminal activity,
by a non-Federal entity to any other non-Federal entity or
a Federal entity, including cyber threat indicators or
defensive measures shared with a Federal entity in
furtherance of opening a Federal law enforcement
investigation;
(ii) voluntary or legally compelled participation in a
Federal investigation; and
(iii) providing cyber threat indicators or defensive
measures as part of a statutory or authorized contractual
requirement.
(2) Certification and designation.--
(A) Certification of capability and process.--Not later
than 90 days after the date of the enactment of this Act, the
Secretary of Homeland Security shall, in consultation with the
heads of the appropriate Federal entities, submit to Congress a
certification as to whether the capability and process required
by paragraph (1) fully and effectively operates--
(i) as the process by which the Federal Government
receives from any non-Federal entity a cyber threat
indicator or defensive measure under this title; and
(ii) in accordance with the interim policies,
procedures, and guidelines developed under this title.
(B) Designation.--
(i) In general.--At any time after certification is
submitted under subparagraph (A), the President may
designate an appropriate Federal entity, other than the
Department of Defense (including the National Security
Agency), to develop and implement a capability and process
as described in paragraph (1) in addition to the capability
and process developed under such paragraph by the Secretary
of Homeland Security, if, not fewer than 30 days before
making such designation, the President submits to Congress
a certification and explanation that--
(I) such designation is necessary to ensure that
full, effective, and secure operation of a capability
and process for the Federal Government to receive from
any non-Federal entity cyber threat indicators or
defensive measures under this title;
(II) the designated appropriate Federal entity will
receive and share cyber threat indicators and defensive
measures in accordance with the policies, procedures,
and guidelines developed under this title, including
subsection (a)(3)(A); and
(III) such designation is consistent with the
mission of such appropriate Federal entity and improves
the ability of the Federal Government to receive,
share, and use cyber threat indicators and defensive
measures as authorized under this title.
(ii) Application to additional capability and
process.--If the President designates an appropriate
Federal entity to develop and implement a capability and
process under clause (i), the provisions of this title that
apply to the capability and process required by paragraph
(1) shall also be construed to apply to the capability and
process developed and implemented under clause (i).
(3) Public notice and access.--The Secretary of Homeland
Security shall ensure there is public notice of, and access to, the
capability and process developed and implemented under paragraph
(1) so that--
(A) any non-Federal entity may share cyber threat
indicators and defensive measures through such process with the
Federal Government; and
(B) all of the appropriate Federal entities receive such
cyber threat indicators and defensive measures in real time
with receipt through the process within the Department of
Homeland Security consistent with the policies and procedures
issued under subsection (a).
(4) Other federal entities.--The process developed and
implemented under paragraph (1) shall ensure that other Federal
entities receive in a timely manner any cyber threat indicators and
defensive measures shared with the Federal Government through such
process.
(d) Information Shared With or Provided to the Federal
Government.--
(1) No waiver of privilege or protection.--The provision of
cyber threat indicators and defensive measures to the Federal
Government under this title shall not constitute a waiver of any
applicable privilege or protection provided by law, including trade
secret protection.
(2) Proprietary information.--Consistent with section 104(c)(2)
and any other applicable provision of law, a cyber threat indicator
or defensive measure provided by a non-Federal entity to the
Federal Government under this title shall be considered the
commercial, financial, and proprietary information of such non-
Federal entity when so designated by the originating non-Federal
entity or a third party acting in accordance with the written
authorization of the originating non-Federal entity.
(3) Exemption from disclosure.--A cyber threat indicator or
defensive measure shared with the Federal Government under this
title shall be--
(A) deemed voluntarily shared information and exempt from
disclosure under section 552 of title 5, United States Code,
and any State, tribal, or local provision of law requiring
disclosure of information or records; and
(B) withheld, without discretion, from the public under
section 552(b)(3)(B) of title 5, United States Code, and any
State, tribal, or local provision of law requiring disclosure
of information or records.
(4) Ex parte communications.--The provision of a cyber threat
indicator or defensive measure to the Federal Government under this
title shall not be subject to a rule of any Federal agency or
department or any judicial doctrine regarding ex parte
communications with a decision-making official.
(5) Disclosure, retention, and use.--
(A) Authorized activities.--Cyber threat indicators and
defensive measures provided to the Federal Government under
this title may be disclosed to, retained by, and used by,
consistent with otherwise applicable provisions of Federal law,
any Federal agency or department, component, officer, employee,
or agent of the Federal Government solely for--
(i) a cybersecurity purpose;
(ii) the purpose of identifying--
(I) a cybersecurity threat, including the source of
such cybersecurity threat; or
(II) a security vulnerability;
(iii) the purpose of responding to, or otherwise
preventing or mitigating, a specific threat of death, a
specific threat of serious bodily harm, or a specific
threat of serious economic harm, including a terrorist act
or a use of a weapon of mass destruction;
(iv) the purpose of responding to, investigating,
prosecuting, or otherwise preventing or mitigating, a
serious threat to a minor, including sexual exploitation
and threats to physical safety; or
(v) the purpose of preventing, investigating,
disrupting, or prosecuting an offense arising out of a
threat described in clause (iii) or any of the offenses
listed in--
(I) sections 1028 through 1030 of title 18, United
States Code (relating to fraud and identity theft);
(II) chapter 37 of such title (relating to
espionage and censorship); and
(III) chapter 90 of such title (relating to
protection of trade secrets).
(B) Prohibited activities.--Cyber threat indicators and
defensive measures provided to the Federal Government under
this title shall not be disclosed to, retained by, or used by
any Federal agency or department for any use not permitted
under subparagraph (A).
(C) Privacy and civil liberties.--Cyber threat indicators
and defensive measures provided to the Federal Government under
this title shall be retained, used, and disseminated by the
Federal Government--
(i) in accordance with the policies, procedures, and
guidelines required by subsections (a) and (b);
(ii) in a manner that protects from unauthorized use or
disclosure any cyber threat indicators that may contain--
(I) personal information of a specific individual;
or
(II) information that identifies a specific
individual; and
(iii) in a manner that protects the confidentiality of
cyber threat indicators containing--
(I) personal information of a specific individual;
or
(II) information that identifies a specific
individual.
(D) Federal regulatory authority.--
(i) In general.--Except as provided in clause (ii),
cyber threat indicators and defensive measures provided to
the Federal Government under this title shall not be used
by any Federal, State, tribal, or local government to
regulate, including an enforcement action, the lawful
activities of any non-Federal entity or any activities
taken by a non-Federal entity pursuant to mandatory
standards, including activities relating to monitoring,
operating defensive measures, or sharing cyber threat
indicators.
(ii) Exceptions.--
(I) Regulatory authority specifically relating to
prevention or mitigation of cybersecurity threats.--
Cyber threat indicators and defensive measures provided
to the Federal Government under this title may,
consistent with Federal or State regulatory authority
specifically relating to the prevention or mitigation
of cybersecurity threats to information systems, inform
the development or implementation of regulations
relating to such information systems.
(II) Procedures developed and implemented under
this title.--Clause (i) shall not apply to procedures
developed and implemented under this title.
SEC. 106. PROTECTION FROM LIABILITY.
(a) Monitoring of Information Systems.--No cause of action shall
lie or be maintained in any court against any private entity, and such
action shall be promptly dismissed, for the monitoring of an
information system and information under section 104(a) that is
conducted in accordance with this title.
(b) Sharing or Receipt of Cyber Threat Indicators.--No cause of
action shall lie or be maintained in any court against any private
entity, and such action shall be promptly dismissed, for the sharing or
receipt of a cyber threat indicator or defensive measure under section
104(c) if--
(1) such sharing or receipt is conducted in accordance with
this title; and
(2) in a case in which a cyber threat indicator or defensive
measure is shared with the Federal Government, the cyber threat
indicator or defensive measure is shared in a manner that is
consistent with section 105(c)(1)(B) and the sharing or receipt, as
the case may be, occurs after the earlier of--
(A) the date on which the interim policies and procedures
are submitted to Congress under section 105(a)(1) and
guidelines are submitted to Congress under section 105(b)(1);
or
(B) the date that is 60 days after the date of the
enactment of this Act.
(c) Construction.--Nothing in this title shall be construed--
(1) to create--
(A) a duty to share a cyber threat indicator or defensive
measure; or
(B) a duty to warn or act based on the receipt of a cyber
threat indicator or defensive measure; or
(2) to undermine or limit the availability of otherwise
applicable common law or statutory defenses.
SEC. 107. OVERSIGHT OF GOVERNMENT ACTIVITIES.
(a) Report on Implementation.--
(1) In general.--Not later than 1 year after the date of the
enactment of this title, the heads of the appropriate Federal
entities shall jointly submit to Congress a detailed report
concerning the implementation of this title.
(2) Contents.--The report required by paragraph (1) may include
such recommendations as the heads of the appropriate Federal
entities may have for improvements or modifications to the
authorities, policies, procedures, and guidelines under this title
and shall include the following:
(A) An evaluation of the effectiveness of real-time
information sharing through the capability and process
developed under section 105(c), including any impediments to
such real-time sharing.
(B) An assessment of whether cyber threat indicators or
defensive measures have been properly classified and an
accounting of the number of security clearances authorized by
the Federal Government for the purpose of sharing cyber threat
indicators or defensive measures with the private sector.
(C) The number of cyber threat indicators or defensive
measures received through the capability and process developed
under section 105(c).
(D) A list of Federal entities that have received cyber
threat indicators or defensive measures under this title.
(b) Biennial Report on Compliance.--
(1) In general.--Not later than 2 years after the date of the
enactment of this Act and not less frequently than once every 2
years thereafter, the inspectors general of the appropriate Federal
entities, in consultation with the Inspector General of the
Intelligence Community and the Council of Inspectors General on
Financial Oversight, shall jointly submit to Congress an
interagency report on the actions of the executive branch of the
Federal Government to carry out this title during the most recent
2-year period.
(2) Contents.--Each report submitted under paragraph (1) shall
include, for the period covered by the report, the following:
(A) An assessment of the sufficiency of the policies,
procedures, and guidelines relating to the sharing of cyber
threat indicators within the Federal Government, including
those policies, procedures, and guidelines relating to the
removal of information not directly related to a cybersecurity
threat that is personal information of a specific individual or
information that identifies a specific individual.
(B) An assessment of whether cyber threat indicators or
defensive measures have been properly classified and an
accounting of the number of security clearances authorized by
the Federal Government for the purpose of sharing cyber threat
indicators or defensive measures with the private sector.
(C) A review of the actions taken by the Federal Government
based on cyber threat indicators or defensive measures shared
with the Federal Government under this title, including a
review of the following:
(i) The appropriateness of subsequent uses and
disseminations of cyber threat indicators or defensive
measures.
(ii) Whether cyber threat indicators or defensive
measures were shared in a timely and adequate manner with
appropriate entities, or, if appropriate, were made
publicly available.
(D) An assessment of the cyber threat indicators or
defensive measures shared with the appropriate Federal entities
under this title, including the following:
(i) The number of cyber threat indicators or defensive
measures shared through the capability and process
developed under section 105(c).
(ii) An assessment of any information not directly
related to a cybersecurity threat that is personal
information of a specific individual or information
identifying a specific individual and was shared by a non-
Federal government entity with the Federal government in
contravention of this title, or was shared within the
Federal Government in contravention of the guidelines
required by this title, including a description of any
significant violation of this title.
(iii) The number of times, according to the Attorney
General, that information shared under this title was used
by a Federal entity to prosecute an offense listed in
section 105(d)(5)(A).
(iv) A quantitative and qualitative assessment of the
effect of the sharing of cyber threat indicators or
defensive measures with the Federal Government on privacy
and civil liberties of specific individuals, including the
number of notices that were issued with respect to a
failure to remove information not directly related to a
cybersecurity threat that was personal information of a
specific individual or information that identified a
specific individual in accordance with the procedures
required by section 105(b)(3)(E).
(v) The adequacy of any steps taken by the Federal
Government to reduce any adverse effect from activities
carried out under this title on the privacy and civil
liberties of United States persons.
(E) An assessment of the sharing of cyber threat indicators
or defensive measures among Federal entities to identify
inappropriate barriers to sharing information.
(3) Recommendations.--Each report submitted under this
subsection may include such recommendations as the inspectors
general may have for improvements or modifications to the
authorities and processes under this title.
(c) Independent Report on Removal of Personal Information.--Not
later than 3 years after the date of the enactment of this Act, the
Comptroller General of the United States shall submit to Congress a
report on the actions taken by the Federal Government to remove
personal information from cyber threat indicators or defensive measures
pursuant to this title. Such report shall include an assessment of the
sufficiency of the policies, procedures, and guidelines established
under this title in addressing concerns relating to privacy and civil
liberties.
(d) Form of Reports.--Each report required under this section shall
be submitted in an unclassified form, but may include a classified
annex.
(e) Public Availability of Reports.--The unclassified portions of
the reports required under this section shall be made available to the
public.
SEC. 108. CONSTRUCTION AND PREEMPTION.
(a) Otherwise Lawful Disclosures.--Nothing in this title shall be
construed--
(1) to limit or prohibit otherwise lawful disclosures of
communications, records, or other information, including reporting
of known or suspected criminal activity, by a non-Federal entity to
any other non-Federal entity or the Federal Government under this
title; or
(2) to limit or prohibit otherwise lawful use of such
disclosures by any Federal entity, even when such otherwise lawful
disclosures duplicate or replicate disclosures made under this
title.
(b) Whistle Blower Protections.--Nothing in this title shall be
construed to prohibit or limit the disclosure of information protected
under section 2302(b)(8) of title 5, United States Code (governing
disclosures of illegality, waste, fraud, abuse, or public health or
safety threats), section 7211 of title 5, United States Code (governing
disclosures to Congress), section 1034 of title 10, United States Code
(governing disclosure to Congress by members of the military), section
1104 of the National Security Act of 1947 (50 U.S.C. 3234) (governing
disclosure by employees of elements of the intelligence community), or
any similar provision of Federal or State law.
(c) Protection of Sources and Methods.--Nothing in this title shall
be construed--
(1) as creating any immunity against, or otherwise affecting,
any action brought by the Federal Government, or any agency or
department thereof, to enforce any law, executive order, or
procedure governing the appropriate handling, disclosure, or use of
classified information;
(2) to affect the conduct of authorized law enforcement or
intelligence activities; or
(3) to modify the authority of a department or agency of the
Federal Government to protect classified information and sources
and methods and the national security of the United States.
(d) Relationship to Other Laws.--Nothing in this title shall be
construed to affect any requirement under any other provision of law
for a non-Federal entity to provide information to the Federal
Government.
(e) Prohibited Conduct.--Nothing in this title shall be construed
to permit price-fixing, allocating a market between competitors,
monopolizing or attempting to monopolize a market, boycotting, or
exchanges of price or cost information, customer lists, or information
regarding future competitive planning.
(f) Information Sharing Relationships.--Nothing in this title shall
be construed--
(1) to limit or modify an existing information sharing
relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship between
any non-Federal entity and a Federal entity or another non-Federal
entity; or
(4) to require the use of the capability and process within the
Department of Homeland Security developed under section 105(c).
(g) Preservation of Contractual Obligations and Rights.--Nothing in
this title shall be construed--
(1) to amend, repeal, or supersede any current or future
contractual agreement, terms of service agreement, or other
contractual relationship between any non-Federal entities, or
between any non-Federal entity and a Federal entity; or
(2) to abrogate trade secret or intellectual property rights of
any non-Federal entity or Federal entity.
(h) Anti-tasking Restriction.--Nothing in this title shall be
construed to permit a Federal entity--
(1) to require a non-Federal entity to provide information to a
Federal entity or another non-Federal entity;
(2) to condition the sharing of cyber threat indicators with a
non-Federal entity on such entity's provision of cyber threat
indicators to a Federal entity or another non-Federal entity; or
(3) to condition the award of any Federal grant, contract, or
purchase on the provision of a cyber threat indicator to a Federal
entity or another non-Federal entity.
(i) No Liability for Non-participation.--Nothing in this title
shall be construed to subject any entity to liability for choosing not
to engage in the voluntary activities authorized in this title.
(j) Use and Retention of Information.--Nothing in this title shall
be construed to authorize, or to modify any existing authority of, a
department or agency of the Federal Government to retain or use any
information shared under this title for any use other than permitted in
this title.
(k) Federal Preemption.--
(1) In general.--This title supersedes any statute or other
provision of law of a State or political subdivision of a State
that restricts or otherwise expressly regulates an activity
authorized under this title.
(2) State law enforcement.--Nothing in this title shall be
construed to supersede any statute or other provision of law of a
State or political subdivision of a State concerning the use of
authorized law enforcement practices and procedures.
(l) Regulatory Authority.--Nothing in this title shall be
construed--
(1) to authorize the promulgation of any regulations not
specifically authorized to be issued under this title;
(2) to establish or limit any regulatory authority not
specifically established or limited under this title; or
(3) to authorize regulatory actions that would duplicate or
conflict with regulatory requirements, mandatory standards, or
related processes under another provision of Federal law.
(m) Authority of Secretary of Defense to Respond to Malicious Cyber
Activity Carried Out by Foreign Powers.--Nothing in this title shall be
construed to limit the authority of the Secretary of Defense under
section 130g of title 10, United States Code.
(n) Criminal Prosecution.--Nothing in this title shall be construed
to prevent the disclosure of a cyber threat indicator or defensive
measure shared under this title in a case of criminal prosecution, when
an applicable provision of Federal, State, tribal, or local law
requires disclosure in such case.
SEC. 109. REPORT ON CYBERSECURITY THREATS.
(a) Report Required.--Not later than 180 days after the date of the
enactment of this Act, the Director of National Intelligence, in
coordination with the heads of other appropriate elements of the
intelligence community, shall submit to the Select Committee on
Intelligence of the Senate and the Permanent Select Committee on
Intelligence of the House of Representatives a report on cybersecurity
threats, including cyber attacks, theft, and data breaches.
(b) Contents.--The report required by subsection (a) shall include
the following:
(1) An assessment of the current intelligence sharing and
cooperation relationships of the United States with other countries
regarding cybersecurity threats, including cyber attacks, theft,
and data breaches, directed against the United States and which
threaten the United States national security interests and economy
and intellectual property, specifically identifying the relative
utility of such relationships, which elements of the intelligence
community participate in such relationships, and whether and how
such relationships could be improved.
(2) A list and an assessment of the countries and nonstate
actors that are the primary threats of carrying out a cybersecurity
threat, including a cyber attack, theft, or data breach, against
the United States and which threaten the United States national
security, economy, and intellectual property.
(3) A description of the extent to which the capabilities of
the United States Government to respond to or prevent cybersecurity
threats, including cyber attacks, theft, or data breaches, directed
against the United States private sector are degraded by a delay in
the prompt notification by private entities of such threats or
cyber attacks, theft, and data breaches.
(4) An assessment of additional technologies or capabilities
that would enhance the ability of the United States to prevent and
to respond to cybersecurity threats, including cyber attacks,
theft, and data breaches.
(5) An assessment of any technologies or practices utilized by
the private sector that could be rapidly fielded to assist the
intelligence community in preventing and responding to
cybersecurity threats.
(c) Form of Report.--The report required by subsection (a) shall be
made available in classified and unclassified forms.
(d) Intelligence Community Defined.--In this section, the term
``intelligence community'' has the meaning given that term in section 3
of the National Security Act of 1947 (50 U.S.C. 3003).
SEC. 110. EXCEPTION TO LIMITATION ON AUTHORITY OF SECRETARY OF
DEFENSE TO DISSEMINATE CERTAIN INFORMATION.
Notwithstanding subsection (c)(3) of section 393 of title 10,
United States Code, the Secretary of Defense may authorize the sharing
of cyber threat indicators and defensive measures pursuant to the
policies, procedures, and guidelines developed or issued under this
title.
SEC. 111. EFFECTIVE PERIOD.
(a) In General.--Except as provided in subsection (b), this title
and the amendments made by this title shall be effective during the
period beginning on the date of the enactment of this Act and ending on
September 30, 2025.
(b) Exception.--With respect to any action authorized by this title
or information obtained pursuant to an action authorized by this title,
which occurred before the date on which the provisions referred to in
subsection (a) cease to have effect, the provisions of this title shall
continue in effect.
TITLE II--NATIONAL CYBERSECURITY ADVANCEMENT
Subtitle A--National Cybersecurity and Communications Integration
Center
SEC. 201. SHORT TITLE.
This subtitle may be cited as the ``National Cybersecurity
Protection Advancement Act of 2015''.
SEC. 202. DEFINITIONS.
In this subtitle:
(1) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Homeland Security and Governmental
Affairs of the Senate; and
(B) the Committee on Homeland Security of the House of
Representatives.
(2) Cybersecurity risk; incident.--The terms ``cybersecurity
risk'' and ``incident'' have the meanings given those terms in
section 227 of the Homeland Security Act of 2002, as so
redesignated by section 223(a)(3) of this division.
(3) Cyber threat indicator; defensive measure.--The terms
``cyber threat indicator'' and ``defensive measure'' have the
meanings given those terms in section 102.
(4) Department.--The term ``Department'' means the Department
of Homeland Security.
(5) Secretary.--The term ``Secretary'' means the Secretary of
Homeland Security.
SEC. 203. INFORMATION SHARING STRUCTURE AND PROCESSES.
Section 227 of the Homeland Security Act of 2002, as so
redesignated by section 223(a)(3) of this division, is amended--
(1) in subsection (a)--
(A) by redesignating paragraphs (3) and (4) as paragraphs
(4) and (5), respectively;
(B) by striking paragraphs (1) and (2) and inserting the
following:
``(1) the term `cybersecurity risk'--
``(A) means threats to and vulnerabilities of information
or information systems and any related consequences caused by
or resulting from unauthorized access, use, disclosure,
degradation, disruption, modification, or destruction of such
information or information systems, including such related
consequences caused by an act of terrorism; and
``(B) does not include any action that solely involves a
violation of a consumer term of service or a consumer licensing
agreement;
``(2) the terms `cyber threat indicator' and `defensive
measure' have the meanings given those terms in section 102 of the
Cybersecurity Act of 2015;
``(3) the term `incident' means an occurrence that actually or
imminently jeopardizes, without lawful authority, the integrity,
confidentiality, or availability of information on an information
system, or actually or imminently jeopardizes, without lawful
authority, an information system;'';
(C) in paragraph (4), as so redesignated, by striking
``and'' at the end;
(D) in paragraph (5), as so redesignated, by striking the
period at the end and inserting ``; and''; and
(E) by adding at the end the following:
``(6) the term `sharing' (including all conjugations thereof)
means providing, receiving, and disseminating (including all
conjugations of each of such terms).'';
(2) in subsection (c)--
(A) in paragraph (1)--
(i) by inserting ``, including the implementation of
title I of the Cybersecurity Act of 2015'' before the
semicolon at the end; and
(ii) by inserting ``cyber threat indicators, defensive
measures,'' before ``cybersecurity risks'';
(B) in paragraph (3), by striking ``cybersecurity risks''
and inserting ``cyber threat indicators, defensive measures,
cybersecurity risks,'';
(C) in paragraph (5)(A), by striking ``cybersecurity
risks'' and inserting ``cyber threat indicators, defensive
measures, cybersecurity risks,'';
(D) in paragraph (6)--
(i) by striking ``cybersecurity risks'' and inserting
``cyber threat indicators, defensive measures,
cybersecurity risks,''; and
(ii) by striking ``and'' at the end;
(E) in paragraph (7)--
(i) in subparagraph (A), by striking ``and'' at the
end;
(ii) in subparagraph (B), by striking the period at the
end and inserting ``; and''; and
(iii) by adding at the end the following:
``(C) sharing cyber threat indicators and defensive
measures;''; and
(F) by adding at the end the following:
``(8) engaging with international partners, in consultation
with other appropriate agencies, to--
``(A) collaborate on cyber threat indicators, defensive
measures, and information related to cybersecurity risks and
incidents; and
``(B) enhance the security and resilience of global
cybersecurity;
``(9) sharing cyber threat indicators, defensive measures, and
other information related to cybersecurity risks and incidents with
Federal and non-Federal entities, including across sectors of
critical infrastructure and with State and major urban area fusion
centers, as appropriate;
``(10) participating, as appropriate, in national exercises run
by the Department; and
``(11) in coordination with the Office of Emergency
Communications of the Department, assessing and evaluating
consequence, vulnerability, and threat information regarding cyber
incidents to public safety communications to help facilitate
continuous improvements to the security and resiliency of such
communications.'';
(3) in subsection (d)(1)--
(A) in subparagraph (B)--
(i) in clause (i), by striking ``and local'' and
inserting ``, local, and tribal'';
(ii) in clause (ii), by striking ``; and'' and
inserting ``, including information sharing and analysis
centers;'';
(iii) in clause (iii), by adding ``and'' at the end;
and
(iv) by adding at the end the following:
``(iv) private entities;''.
(B) in subparagraph (D), by striking ``and'' at the end;
(C) by redesignating subparagraph (E) as subparagraph (F);
and
(D) by inserting after subparagraph (D) the following:
``(E) an entity that collaborates with State and local
governments on cybersecurity risks and incidents, and has
entered into a voluntary information sharing relationship with
the Center; and'';
(4) in subsection (e)--
(A) in paragraph (1)--
(i) in subparagraph (A), by inserting ``cyber threat
indicators, defensive measures, and'' before
``information'';
(ii) in subparagraph (B), by inserting ``cyber threat
indicators, defensive measures, and'' before ``information
related'';
(iii) in subparagraph (F)--
(I) by striking ``cybersecurity risks'' and
inserting ``cyber threat indicators, defensive
measures, cybersecurity risks,''; and
(II) by striking ``and'' at the end;
(iv) in subparagraph (G), by striking ``cybersecurity
risks and incidents'' and inserting ``cyber threat
indicators, defensive measures, cybersecurity risks, and
incidents; and''; and
(v) by adding at the end the following:
``(H) the Center designates an agency contact for non-
Federal entities;'';
(B) in paragraph (2)--
(i) by striking ``cybersecurity risks'' and inserting
``cyber threat indicators, defensive measures,
cybersecurity risks,''; and
(ii) by inserting ``or disclosure'' after ``access'';
and
(C) in paragraph (3), by inserting before the period at the
end the following: ``, including by working with the Privacy
Officer appointed under section 222 to ensure that the Center
follows the policies and procedures specified in subsections
(b) and (d)(5)(C) of section 105 of the Cybersecurity Act of
2015''; and
(5) by adding at the end the following:
``(g) Automated Information Sharing.--
``(1) In general.--The Under Secretary appointed under section
103(a)(1)(H), in coordination with industry and other stakeholders,
shall develop capabilities making use of existing information
technology industry standards and best practices, as appropriate,
that support and rapidly advance the development, adoption, and
implementation of automated mechanisms for the sharing of cyber
threat indicators and defensive measures in accordance with title I
of the Cybersecurity Act of 2015.
``(2) Annual report.--The Under Secretary appointed under
section 103(a)(1)(H) shall submit to the Committee on Homeland
Security and Governmental Affairs of the Senate and the Committee
on Homeland Security of the House of Representatives an annual
report on the status and progress of the development of the
capabilities described in paragraph (1). Such reports shall be
required until such capabilities are fully implemented.
``(h) Voluntary Information Sharing Procedures.--
``(1) Procedures.--
``(A) In general.--The Center may enter into a voluntary
information sharing relationship with any consenting non-
Federal entity for the sharing of cyber threat indicators and
defensive measures for cybersecurity purposes in accordance
with this section. Nothing in this subsection may be construed
to require any non-Federal entity to enter into any such
information sharing relationship with the Center or any other
entity. The Center may terminate a voluntary information
sharing relationship under this subsection, at the sole and
unreviewable discretion of the Secretary, acting through the
Under Secretary appointed under section 103(a)(1)(H), for any
reason, including if the Center determines that the non-Federal
entity with which the Center has entered into such a
relationship has violated the terms of this subsection.
``(B) National security.--The Secretary may decline to
enter into a voluntary information sharing relationship under
this subsection, at the sole and unreviewable discretion of the
Secretary, acting through the Under Secretary appointed under
section 103(a)(1)(H), for any reason, including if the
Secretary determines that such is appropriate for national
security.
``(2) Voluntary information sharing relationships.--A voluntary
information sharing relationship under this subsection may be
characterized as an agreement described in this paragraph.
``(A) Standard agreement.--For the use of a non-Federal
entity, the Center shall make available a standard agreement,
consistent with this section, on the Department's website.
``(B) Negotiated agreement.--At the request of a non-
Federal entity, and if determined appropriate by the Center, at
the sole and unreviewable discretion of the Secretary, acting
through the Under Secretary appointed under section
103(a)(1)(H), the Department shall negotiate a non-standard
agreement, consistent with this section.
``(C) Existing agreements.--An agreement between the Center
and a non-Federal entity that is entered into before the date
of enactment of this subsection, or such an agreement that is
in effect before such date, shall be deemed in compliance with
the requirements of this subsection, notwithstanding any other
provision or requirement of this subsection. An agreement under
this subsection shall include the relevant privacy protections
as in effect under the Cooperative Research and Development
Agreement for Cybersecurity Information Sharing and
Collaboration, as of December 31, 2014. Nothing in this
subsection may be construed to require a non-Federal entity to
enter into either a standard or negotiated agreement to be in
compliance with this subsection.
``(i) Direct Reporting.--The Secretary shall develop policies and
procedures for direct reporting to the Secretary by the Director of the
Center regarding significant cybersecurity risks and incidents.
``(j) Reports on International Cooperation.--Not later than 180
days after the date of enactment of this subsection, and periodically
thereafter, the Secretary of Homeland Security shall submit to the
Committee on Homeland Security and Governmental Affairs of the Senate
and the Committee on Homeland Security of the House of Representatives
a report on the range of efforts underway to bolster cybersecurity
collaboration with relevant international partners in accordance with
subsection (c)(8).
``(k) Outreach.--Not later than 60 days after the date of enactment
of this subsection, the Secretary, acting through the Under Secretary
appointed under section 103(a)(1)(H), shall--
``(1) disseminate to the public information about how to
voluntarily share cyber threat indicators and defensive measures
with the Center; and
``(2) enhance outreach to critical infrastructure owners and
operators for purposes of such sharing.
``(l) Coordinated Vulnerability Disclosure.--The Secretary, in
coordination with industry and other stakeholders, may develop and
adhere to Department policies and procedures for coordinating
vulnerability disclosures.''.
SEC. 204. INFORMATION SHARING AND ANALYSIS ORGANIZATIONS.
Section 212 of the Homeland Security Act of 2002 (6 U.S.C. 131) is
amended--
(1) in paragraph (5)--
(A) in subparagraph (A)--
(i) by inserting ``, including information related to
cybersecurity risks and incidents,'' after ``critical
infrastructure information''; and
(ii) by inserting ``, including cybersecurity risks and
incidents,'' after ``related to critical infrastructure'';
(B) in subparagraph (B)--
(i) by inserting ``, including cybersecurity risks and
incidents,'' after ``critical infrastructure information'';
and
(ii) by inserting ``, including cybersecurity risks and
incidents,'' after ``related to critical infrastructure'';
and
(C) in subparagraph (C), by inserting ``, including
cybersecurity risks and incidents,'' after ``critical
infrastructure information''; and
(2) by adding at the end the following:
``(8) Cybersecurity risk; incident.--The terms `cybersecurity
risk' and `incident' have the meanings given those terms in section
227.''.
SEC. 205. NATIONAL RESPONSE FRAMEWORK.
Section 228 of the Homeland Security Act of 2002, as added by
section 223(a)(4) of this division, is amended by adding at the end the
following:
``(d) National Response Framework.--The Secretary, in coordination
with the heads of other appropriate Federal departments and agencies,
and in accordance with the National Cybersecurity Incident Response
Plan required under subsection (c), shall regularly update, maintain,
and exercise the Cyber Incident Annex to the National Response
Framework of the Department.''.
SEC. 206. REPORT ON REDUCING CYBERSECURITY RISKS IN DHS DATA
CENTERS.
Not later than 1 year after the date of the enactment of this Act,
the Secretary shall submit to the appropriate congressional committees
a report on the feasibility of the Department creating an environment
for the reduction in cybersecurity risks in Department data centers,
including by increasing compartmentalization between systems, and
providing a mix of security controls between such compartments.
SEC. 207. ASSESSMENT.
Not later than 2 years after the date of enactment of this Act, the
Comptroller General of the United States shall submit to the
appropriate congressional committees a report that includes--
(1) an assessment of the implementation by the Secretary of
this title and the amendments made by this title; and
(2) to the extent practicable, findings regarding increases in
the sharing of cyber threat indicators, defensive measures, and
information relating to cybersecurity risks and incidents at the
center established under section 227 of the Homeland Security Act
of 2002, as redesignated by section 223(a) of this division, and
throughout the United States.
SEC. 208. MULTIPLE SIMULTANEOUS CYBER INCIDENTS AT CRITICAL
INFRASTRUCTURE.
Not later than 1 year after the date of enactment of this Act, the
Under Secretary appointed under section 103(a)(1)(H) of the Homeland
Security Act of 2002 (6 U.S.C. 113(a)(1)(H)) shall provide information
to the appropriate congressional committees on the feasibility of
producing a risk-informed plan to address the risk of multiple
simultaneous cyber incidents affecting critical infrastructure,
including cyber incidents that may have a cascading effect on other
critical infrastructure.
SEC. 209. REPORT ON CYBERSECURITY VULNERABILITIES OF UNITED STATES
PORTS.
Not later than 180 days after the date of enactment of this Act,
the Secretary shall submit to the appropriate congressional committees,
the Committee on Commerce, Science and Transportation of the Senate,
and the Committee on Transportation and Infrastructure of the House of
Representatives a report on cybersecurity vulnerabilities for the 10
United States ports that the Secretary determines are at greatest risk
of a cybersecurity incident and provide recommendations to mitigate
such vulnerabilities.
SEC. 210. PROHIBITION ON NEW REGULATORY AUTHORITY.
Nothing in this subtitle or the amendments made by this subtitle
may be construed to grant the Secretary any authority to promulgate
regulations or set standards relating to the cybersecurity of non-
Federal entities, not including State, local, and tribal governments,
that was not in effect on the day before the date of enactment of this
Act.
SEC. 211. TERMINATION OF REPORTING REQUIREMENTS.
Any reporting requirements in this subtitle shall terminate on the
date that is 7 years after the date of enactment of this Act.
Subtitle B--Federal Cybersecurity Enhancement
SEC. 221. SHORT TITLE.
This subtitle may be cited as the ``Federal Cybersecurity
Enhancement Act of 2015''.
SEC. 222. DEFINITIONS.
In this subtitle:
(1) Agency.--The term ``agency'' has the meaning given the term
in section 3502 of title 44, United States Code.
(2) Agency information system.--The term ``agency information
system'' has the meaning given the term in section 228 of the
Homeland Security Act of 2002, as added by section 223(a)(4) of
this division.
(3) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Homeland Security and Governmental
Affairs of the Senate; and
(B) the Committee on Homeland Security of the House of
Representatives.
(4) Cybersecurity risk; information system.--The terms
``cybersecurity risk'' and ``information system'' have the meanings
given those terms in section 227 of the Homeland Security Act of
2002, as so redesignated by section 223(a)(3) of this division.
(5) Director.--The term ``Director'' means the Director of the
Office of Management and Budget.
(6) Intelligence community.--The term ``intelligence
community'' has the meaning given the term in section 3(4) of the
National Security Act of 1947 (50 U.S.C. 3003(4)).
(7) National security system.--The term ``national security
system'' has the meaning given the term in section 11103 of title
40, United States Code.
(8) Secretary.--The term ``Secretary'' means the Secretary of
Homeland Security.
SEC. 223. IMPROVED FEDERAL NETWORK SECURITY.
(a) In General.--Subtitle C of title II of the Homeland Security
Act of 2002 (6 U.S.C. 141 et seq.) is amended--
(1) by redesignating section 228 as section 229;
(2) by redesignating section 227 as subsection (c) of section
228, as added by paragraph (4), and adjusting the margins
accordingly;
(3) by redesignating the second section designated as section
226 (relating to the national cybersecurity and communications
integration center) as section 227;
(4) by inserting after section 227, as so redesignated, the
following:
``SEC. 228. CYBERSECURITY PLANS.
``(a) Definitions.--In this section--
``(1) the term `agency information system' means an information
system used or operated by an agency or by another entity on behalf
of an agency;
``(2) the terms `cybersecurity risk' and `information system'
have the meanings given those terms in section 227;
``(3) the term `intelligence community' has the meaning given
the term in section 3(4) of the National Security Act of 1947 (50
U.S.C. 3003(4)); and
``(4) the term `national security system' has the meaning given
the term in section 11103 of title 40, United States Code.
``(b) Intrusion Assessment Plan.--
``(1) Requirement.--The Secretary, in coordination with the
Director of the Office of Management and Budget, shall--
``(A) develop and implement an intrusion assessment plan to
proactively detect, identify, and remove intruders in agency
information systems on a routine basis; and
``(B) update such plan as necessary.
``(2) Exception.--The intrusion assessment plan required under
paragraph (1) shall not apply to the Department of Defense, a
national security system, or an element of the intelligence
community.'';
(5) in section 228(c), as so redesignated, by striking
``section 226'' and inserting ``section 227''; and
(6) by inserting after section 229, as so redesignated, the
following:
``SEC. 230. FEDERAL INTRUSION DETECTION AND PREVENTION SYSTEM.
``(a) Definitions.--In this section--
``(1) the term `agency' has the meaning given the term in
section 3502 of title 44, United States Code;
``(2) the term `agency information' means information collected
or maintained by or on behalf of an agency;
``(3) the term `agency information system' has the meaning
given the term in section 228; and
``(4) the terms `cybersecurity risk' and `information system'
have the meanings given those terms in section 227.
``(b) Requirement.--
``(1) In general.--Not later than 1 year after the date of
enactment of this section, the Secretary shall deploy, operate, and
maintain, to make available for use by any agency, with or without
reimbursement--
``(A) a capability to detect cybersecurity risks in network
traffic transiting or traveling to or from an agency
information system; and
``(B) a capability to prevent network traffic associated
with such cybersecurity risks from transiting or traveling to
or from an agency information system or modify such network
traffic to remove the cybersecurity risk.
``(2) Regular improvement.--The Secretary shall regularly
deploy new technologies and modify existing technologies to the
intrusion detection and prevention capabilities described in
paragraph (1) as appropriate to improve the intrusion detection and
prevention capabilities.
``(c) Activities.--In carrying out subsection (b), the Secretary--
``(1) may access, and the head of an agency may disclose to the
Secretary or a private entity providing assistance to the Secretary
under paragraph (2), information transiting or traveling to or from
an agency information system, regardless of the location from which
the Secretary or a private entity providing assistance to the
Secretary under paragraph (2) accesses such information,
notwithstanding any other provision of law that would otherwise
restrict or prevent the head of an agency from disclosing such
information to the Secretary or a private entity providing
assistance to the Secretary under paragraph (2);
``(2) may enter into contracts or other agreements with, or
otherwise request and obtain the assistance of, private entities to
deploy, operate, and maintain technologies in accordance with
subsection (b);
``(3) may retain, use, and disclose information obtained
through the conduct of activities authorized under this section
only to protect information and information systems from
cybersecurity risks;
``(4) shall regularly assess through operational test and
evaluation in real world or simulated environments available
advanced protective technologies to improve detection and
prevention capabilities, including commercial and noncommercial
technologies and detection technologies beyond signature-based
detection, and acquire, test, and deploy such technologies when
appropriate;
``(5) shall establish a pilot through which the Secretary may
acquire, test, and deploy, as rapidly as possible, technologies
described in paragraph (4); and
``(6) shall periodically update the privacy impact assessment
required under section 208(b) of the E-Government Act of 2002 (44
U.S.C. 3501 note).
``(d) Principles.--In carrying out subsection (b), the Secretary
shall ensure that--
``(1) activities carried out under this section are reasonably
necessary for the purpose of protecting agency information and
agency information systems from a cybersecurity risk;
``(2) information accessed by the Secretary will be retained no
longer than reasonably necessary for the purpose of protecting
agency information and agency information systems from a
cybersecurity risk;
``(3) notice has been provided to users of an agency
information system concerning access to communications of users of
the agency information system for the purpose of protecting agency
information and the agency information system; and
``(4) the activities are implemented pursuant to policies and
procedures governing the operation of the intrusion detection and
prevention capabilities.
``(e) Private Entities.--
``(1) Conditions.--A private entity described in subsection
(c)(2) may not--
``(A) disclose any network traffic transiting or traveling
to or from an agency information system to any entity other
than the Department or the agency that disclosed the
information under subsection (c)(1), including personal
information of a specific individual or information that
identifies a specific individual not directly related to a
cybersecurity risk; or
``(B) use any network traffic transiting or traveling to or
from an agency information system to which the private entity
gains access in accordance with this section for any purpose
other than to protect agency information and agency information
systems against cybersecurity risks or to administer a contract
or other agreement entered into pursuant to subsection (c)(2)
or as part of another contract with the Secretary.
``(2) Limitation on liability.--No cause of action shall lie in
any court against a private entity for assistance provided to the
Secretary in accordance with this section and any contract or
agreement entered into pursuant to subsection (c)(2).
``(3) Rule of construction.--Nothing in paragraph (2) shall be
construed to authorize an Internet service provider to break a user
agreement with a customer without the consent of the customer.
``(f) Privacy Officer Review.--Not later than 1 year after the date
of enactment of this section, the Privacy Officer appointed under
section 222, in consultation with the Attorney General, shall review
the policies and guidelines for the program carried out under this
section to ensure that the policies and guidelines are consistent with
applicable privacy laws, including those governing the acquisition,
interception, retention, use, and disclosure of communications.''.
(b) Agency Responsibilities.--
(1) In general.--Except as provided in paragraph (2)--
(A) not later than 1 year after the date of enactment of
this Act or 2 months after the date on which the Secretary
makes available the intrusion detection and prevention
capabilities under section 230(b)(1) of the Homeland Security
Act of 2002, as added by subsection (a), whichever is later,
the head of each agency shall apply and continue to utilize the
capabilities to all information traveling between an agency
information system and any information system other than an
agency information system; and
(B) not later than 6 months after the date on which the
Secretary makes available improvements to the intrusion
detection and prevention capabilities pursuant to section
230(b)(2) of the Homeland Security Act of 2002, as added by
subsection (a), the head of each agency shall apply and
continue to utilize the improved intrusion detection and
prevention capabilities.
(2) Exception.--The requirements under paragraph (1) shall not
apply to the Department of Defense, a national security system, or
an element of the intelligence community.
(3) Definition.--Notwithstanding section 222, in this
subsection, the term ``agency information system'' means an
information system owned or operated by an agency.
(4) Rule of construction.--Nothing in this subsection shall be
construed to limit an agency from applying the intrusion detection
and prevention capabilities to an information system other than an
agency information system under section 230(b)(1) of the Homeland
Security Act of 2002, as added by subsection (a), at the discretion
of the head of the agency or as provided in relevant policies,
directives, and guidelines.
(c) Table of Contents Amendment.--The table of contents in section
1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 note) is
amended by striking the items relating to the first section designated
as section 226, the second section designated as section 226 (relating
to the national cybersecurity and communications integration center),
section 227, and section 228 and inserting the following:
``Sec. 226. Cybersecurity recruitment and retention.
``Sec. 227. National cybersecurity and communications integration
center.
``Sec. 228. Cybersecurity plans.
``Sec. 229. Clearances.
``Sec. 230. Federal intrusion detection and prevention system.''.
SEC. 224. ADVANCED INTERNAL DEFENSES.
(a) Advanced Network Security Tools.--
(1) In general.--The Secretary shall include, in the efforts of
the Department to continuously diagnose and mitigate cybersecurity
risks, advanced network security tools to improve visibility of
network activity, including through the use of commercial and free
or open source tools, and to detect and mitigate intrusions and
anomalous activity.
(2) Development of plan.--The Director shall develop and the
Secretary shall implement a plan to ensure that each agency
utilizes advanced network security tools, including those described
in paragraph (1), to detect and mitigate intrusions and anomalous
activity.
(b) Prioritizing Advanced Security Tools.--The Director and the
Secretary, in consultation with appropriate agencies, shall--
(1) review and update Government-wide policies and programs to
ensure appropriate prioritization and use of network security
monitoring tools within agency networks; and
(2) brief appropriate congressional committees on such
prioritization and use.
(c) Improved Metrics.--The Secretary, in collaboration with the
Director, shall review and update the metrics used to measure security
under section 3554 of title 44, United States Code, to include measures
of intrusion and incident detection and response times.
(d) Transparency and Accountability.--The Director, in consultation
with the Secretary, shall increase transparency to the public on agency
cybersecurity posture, including by increasing the number of metrics
available on Federal Government performance websites and, to the
greatest extent practicable, displaying metrics for department
components, small agencies, and micro-agencies.
(e) Maintenance of Technologies.--Section 3553(b)(6)(B) of title
44, United States Code, is amended by inserting ``, operating, and
maintaining'' after ``deploying''.
(f) Exception.--The requirements under this section shall not apply
to the Department of Defense, a national security system, or an element
of the intelligence community.
SEC. 225. FEDERAL CYBERSECURITY REQUIREMENTS.
(a) Implementation of Federal Cybersecurity Standards.--Consistent
with section 3553 of title 44, United States Code, the Secretary, in
consultation with the Director, shall exercise the authority to issue
binding operational directives to assist the Director in ensuring
timely agency adoption of and compliance with policies and standards
promulgated under section 11331 of title 40, United States Code, for
securing agency information systems.
(b) Cybersecurity Requirements at Agencies.--
(1) In general.--Consistent with policies, standards,
guidelines, and directives on information security under subchapter
II of chapter 35 of title 44, United States Code, and the standards
and guidelines promulgated under section 11331 of title 40, United
States Code, and except as provided in paragraph (2), not later
than 1 year after the date of the enactment of this Act, the head
of each agency shall--
(A) identify sensitive and mission critical data stored by
the agency consistent with the inventory required under the
first subsection (c) (relating to the inventory of major
information systems) and the second subsection (c) (relating to
the inventory of information systems) of section 3505 of title
44, United States Code;
(B) assess access controls to the data described in
subparagraph (A), the need for readily accessible storage of
the data, and individuals' need to access the data;
(C) encrypt or otherwise render indecipherable to
unauthorized users the data described in subparagraph (A) that
is stored on or transiting agency information systems;
(D) implement a single sign-on trusted identity platform
for individuals accessing each public website of the agency
that requires user authentication, as developed by the
Administrator of General Services in collaboration with the
Secretary; and
(E) implement identity management consistent with section
504 of the Cybersecurity Enhancement Act of 2014 (Public Law
113-274; 15 U.S.C. 7464), including multi-factor
authentication, for--
(i) remote access to an agency information system; and
(ii) each user account with elevated privileges on an
agency information system.
(2) Exception.--The requirements under paragraph (1) shall not
apply to an agency information system for which--
(A) the head of the agency has personally certified to the
Director with particularity that--
(i) operational requirements articulated in the
certification and related to the agency information system
would make it excessively burdensome to implement the
cybersecurity requirement;
(ii) the cybersecurity requirement is not necessary to
secure the agency information system or agency information
stored on or transiting it; and
(iii) the agency has taken all necessary steps to
secure the agency information system and agency information
stored on or transiting it; and
(B) the head of the agency or the designee of the head of
the agency has submitted the certification described in
subparagraph (A) to the appropriate congressional committees
and the agency's authorizing committees.
(3) Construction.--Nothing in this section shall be construed
to alter the authority of the Secretary, the Director, or the
Director of the National Institute of Standards and Technology in
implementing subchapter II of chapter 35 of title 44, United States
Code. Nothing in this section shall be construed to affect the
National Institute of Standards and Technology standards process or
the requirement under section 3553(a)(4) of such title or to
discourage continued improvements and advancements in the
technology, standards, policies, and guidelines used to promote
Federal information security.
(c) Exception.--The requirements under this section shall not apply
to the Department of Defense, a national security system, or an element
of the intelligence community.
SEC. 226. ASSESSMENT; REPORTS.
(a) Definitions.--In this section:
(1) Agency information.--The term ``agency information'' has
the meaning given the term in section 230 of the Homeland Security
Act of 2002, as added by section 223(a)(6) of this division.
(2) Cyber threat indicator; defensive measure.--The terms
``cyber threat indicator'' and ``defensive measure'' have the
meanings given those terms in section 102.
(3) Intrusion assessments.--The term ``intrusion assessments''
means actions taken under the intrusion assessment plan to identify
and remove intruders in agency information systems.
(4) Intrusion assessment plan.--The term ``intrusion assessment
plan'' means the plan required under section 228(b)(1) of the
Homeland Security Act of 2002, as added by section 223(a)(4) of
this division.
(5) Intrusion detection and prevention capabilities.--The term
``intrusion detection and prevention capabilities'' means the
capabilities required under section 230(b) of the Homeland Security
Act of 2002, as added by section 223(a)(6) of this division.
(b) Third-party Assessment.--Not later than 3 years after the date
of enactment of this Act, the Comptroller General of the United States
shall conduct a study and publish a report on the effectiveness of the
approach and strategy of the Federal Government to securing agency
information systems, including the intrusion detection and prevention
capabilities and the intrusion assessment plan.
(c) Reports to Congress.--
(1) Intrusion detection and prevention capabilities.--
(A) Secretary of homeland security report.--Not later than
6 months after the date of enactment of this Act, and annually
thereafter, the Secretary shall submit to the appropriate
congressional committees a report on the status of
implementation of the intrusion detection and prevention
capabilities, including--
(i) a description of privacy controls;
(ii) a description of the technologies and capabilities
utilized to detect cybersecurity risks in network traffic,
including the extent to which those technologies and
capabilities include existing commercial and noncommercial
technologies;
(iii) a description of the technologies and
capabilities utilized to prevent network traffic associated
with cybersecurity risks from transiting or traveling to or
from agency information systems, including the extent to
which those technologies and capabilities include existing
commercial and noncommercial technologies;
(iv) a list of the types of indicators or other
identifiers or techniques used to detect cybersecurity
risks in network traffic transiting or traveling to or from
agency information systems on each iteration of the
intrusion detection and prevention capabilities and the
number of each such type of indicator, identifier, and
technique;
(v) the number of instances in which the intrusion
detection and prevention capabilities detected a
cybersecurity risk in network traffic transiting or
traveling to or from agency information systems and the
number of times the intrusion detection and prevention
capabilities blocked network traffic associated with
cybersecurity risk; and
(vi) a description of the pilot established under
section 230(c)(5) of the Homeland Security Act of 2002, as
added by section 223(a)(6) of this division, including the
number of new technologies tested and the number of
participating agencies.
(B) OMB report.--Not later than 18 months after the date of
enactment of this Act, and annually thereafter, the Director
shall submit to Congress, as part of the report required under
section 3553(c) of title 44, United States Code, an analysis of
agency application of the intrusion detection and prevention
capabilities, including--
(i) a list of each agency and the degree to which each
agency has applied the intrusion detection and prevention
capabilities to an agency information system; and
(ii) a list by agency of--
(I) the number of instances in which the intrusion
detection and prevention capabilities detected a
cybersecurity risk in network traffic transiting or
traveling to or from an agency information system and
the types of indicators, identifiers, and techniques
used to detect such cybersecurity risks; and
(II) the number of instances in which the intrusion
detection and prevention capabilities prevented network
traffic associated with a cybersecurity risk from
transiting or traveling to or from an agency
information system and the types of indicators,
identifiers, and techniques used to detect such agency
information systems.
(C) Chief information officer.--Not earlier than 18 months
after the date of enactment of this Act and not later than 2
years after the date of enactment of this Act, the Federal
Chief Information Officer shall review and submit to the
appropriate congressional committees a report assessing the
intrusion detection and intrusion prevention capabilities,
including--
(i) the effectiveness of the system in detecting,
disrupting, and preventing cyber-threat actors, including
advanced persistent threats, from accessing agency
information and agency information systems;
(ii) whether the intrusion detection and prevention
capabilities, continuous diagnostics and mitigation, and
other systems deployed under subtitle D of title II of the
Homeland Security Act of 2002 (6 U.S.C. 231 et seq.) are
effective in securing Federal information systems;
(iii) the costs and benefits of the intrusion detection
and prevention capabilities, including as compared to
commercial technologies and tools and including the value
of classified cyber threat indicators; and
(iv) the capability of agencies to protect sensitive
cyber threat indicators and defensive measures if they were
shared through unclassified mechanisms for use in
commercial technologies and tools.
(2) OMB report on development and implementation of intrusion
assessment plan, advanced internal defenses, and federal
cybersecurity requirements.--The Director shall--
(A) not later than 6 months after the date of enactment of
this Act, and 30 days after any update thereto, submit the
intrusion assessment plan to the appropriate congressional
committees;
(B) not later than 1 year after the date of enactment of
this Act, and annually thereafter, submit to Congress, as part
of the report required under section 3553(c) of title 44,
United States Code--
(i) a description of the implementation of the
intrusion assessment plan;
(ii) the findings of the intrusion assessments
conducted pursuant to the intrusion assessment plan;
(iii) a description of the advanced network security
tools included in the efforts to continuously diagnose and
mitigate cybersecurity risks pursuant to section 224(a)(1);
and
(iv) a list by agency of compliance with the
requirements of section 225(b); and
(C) not later than 1 year after the date of enactment of
this Act, submit to the appropriate congressional committees--
(i) a copy of the plan developed pursuant to section
224(a)(2); and
(ii) the improved metrics developed pursuant to section
224(c).
(d) Form.--Each report required under this section shall be
submitted in unclassified form, but may include a classified annex.
SEC. 227. TERMINATION.
(a) In General.--The authority provided under section 230 of the
Homeland Security Act of 2002, as added by section 223(a)(6) of this
division, and the reporting requirements under section 226(c) of this
division shall terminate on the date that is 7 years after the date of
enactment of this Act.
(b) Rule of Construction.--Nothing in subsection (a) shall be
construed to affect the limitation of liability of a private entity for
assistance provided to the Secretary under section 230(d)(2) of the
Homeland Security Act of 2002, as added by section 223(a)(6) of this
division, if such assistance was rendered before the termination date
under subsection (a) or otherwise during a period in which the
assistance was authorized.
SEC. 228. IDENTIFICATION OF INFORMATION SYSTEMS RELATING TO
NATIONAL SECURITY.
(a) In General.--Except as provided in subsection (c), not later
than 180 days after the date of enactment of this Act--
(1) the Director of National Intelligence and the Director of
the Office of Management and Budget, in coordination with the heads
of other agencies, shall--
(A) identify all unclassified information systems that
provide access to information that may provide an adversary
with the ability to derive information that would otherwise be
considered classified;
(B) assess the risks that would result from the breach of
each unclassified information system identified in subparagraph
(A); and
(C) assess the cost and impact on the mission carried out
by each agency that owns an unclassified information system
identified in subparagraph (A) if the system were to be
subsequently designated as a national security system; and
(2) the Director of National Intelligence and the Director of
the Office of Management and Budget shall submit to the appropriate
congressional committees, the Select Committee on Intelligence of
the Senate, and the Permanent Select Committee on Intelligence of
the House of Representatives a report that includes the findings
under paragraph (1).
(b) Form.--The report submitted under subsection (a)(2) shall be in
unclassified form, and shall include a classified annex.
(c) Exception.--The requirements under subsection (a)(1) shall not
apply to the Department of Defense, a national security system, or an
element of the intelligence community.
(d) Rule of Construction.--Nothing in this section shall be
construed to designate an information system as a national security
system.
SEC. 229. DIRECTION TO AGENCIES.
(a) In General.--Section 3553 of title 44, United States Code, is
amended by adding at the end the following:
``(h) Direction to Agencies.--
``(1) Authority.--
``(A) In general.--Subject to subparagraph (B), in response
to a known or reasonably suspected information security threat,
vulnerability, or incident that represents a substantial threat
to the information security of an agency, the Secretary may
issue an emergency directive to the head of an agency to take
any lawful action with respect to the operation of the
information system, including such systems used or operated by
another entity on behalf of an agency, that collects,
processes, stores, transmits, disseminates, or otherwise
maintains agency information, for the purpose of protecting the
information system from, or mitigating, an information security
threat.
``(B) Exception.--The authorities of the Secretary under
this subsection shall not apply to a system described
subsection (d) or to a system described in paragraph (2) or (3)
of subsection (e).
``(2) Procedures for use of authority.--The Secretary shall--
``(A) in coordination with the Director, and in
consultation with Federal contractors as appropriate, establish
procedures governing the circumstances under which a directive
may be issued under this subsection, which shall include--
``(i) thresholds and other criteria;
``(ii) privacy and civil liberties protections; and
``(iii) providing notice to potentially affected third
parties;
``(B) specify the reasons for the required action and the
duration of the directive;
``(C) minimize the impact of a directive under this
subsection by--
``(i) adopting the least intrusive means possible under
the circumstances to secure the agency information systems;
and
``(ii) limiting directives to the shortest period
practicable;
``(D) notify the Director and the head of any affected
agency immediately upon the issuance of a directive under this
subsection;
``(E) consult with the Director of the National Institute
of Standards and Technology regarding any directive under this
subsection that implements standards and guidelines developed
by the National Institute of Standards and Technology;
``(F) ensure that directives issued under this subsection
do not conflict with the standards and guidelines issued under
section 11331 of title 40;
``(G) consider any applicable standards or guidelines
developed by the National Institute of Standards and Technology
issued by the Secretary of Commerce under section 11331 of
title 40; and
``(H) not later than February 1 of each year, submit to the
appropriate congressional committees a report regarding the
specific actions the Secretary has taken pursuant to paragraph
(1)(A).
``(3) Imminent threats.--
``(A) In general.--Notwithstanding section 3554, the
Secretary may authorize the use under this subsection of the
intrusion detection and prevention capabilities established
under section 230(b)(1) of the Homeland Security Act of 2002
for the purpose of ensuring the security of agency information
systems, if--
``(i) the Secretary determines there is an imminent
threat to agency information systems;
``(ii) the Secretary determines a directive under
subsection (b)(2)(C) or paragraph (1)(A) is not reasonably
likely to result in a timely response to the threat;
``(iii) the Secretary determines the risk posed by the
imminent threat outweighs any adverse consequences
reasonably expected to result from the use of the intrusion
detection and prevention capabilities under the control of
the Secretary;
``(iv) the Secretary provides prior notice to the
Director, and the head and chief information officer (or
equivalent official) of each agency to which specific
actions will be taken pursuant to this paragraph, and
notifies the appropriate congressional committees and
authorizing committees of each such agency within 7 days of
taking an action under this paragraph of--
``(I) any action taken under this paragraph; and
``(II) the reasons for and duration and nature of
the action;
``(v) the action of the Secretary is consistent with
applicable law; and
``(vi) the Secretary authorizes the use of the
intrusion detection and prevention capabilities in
accordance with the advance procedures established under
subparagraph (C).
``(B) Limitation on delegation.--The authority under this
paragraph may not be delegated by the Secretary.
``(C) Advance procedures.--The Secretary shall, in
coordination with the Director, and in consultation with the
heads of Federal agencies, establish procedures governing the
circumstances under which the Secretary may authorize the use
of the intrusion detection and prevention capabilities under
subparagraph (A). The Secretary shall submit the procedures to
Congress.
``(4) Limitation.--The Secretary may direct or authorize lawful
action or the use of the intrusion detection and prevention
capabilities under this subsection only to--
``(A) protect agency information from unauthorized access,
use, disclosure, disruption, modification, or destruction; or
``(B) require the remediation of or protect against
identified information security risks with respect to--
``(i) information collected or maintained by or on
behalf of an agency; or
``(ii) that portion of an information system used or
operated by an agency or by a contractor of an agency or
other organization on behalf of an agency.
``(i) Annual Report to Congress.--Not later than February 1 of each
year, the Director and the Secretary shall submit to the appropriate
congressional committees a report regarding the specific actions the
Director and the Secretary have taken pursuant to subsection (a)(5),
including any actions taken pursuant to section 11303(b)(5) of title
40.
``(j) Appropriate Congressional Committees Defined.--In this
section, the term `appropriate congressional committees' means--
``(1) the Committee on Appropriations and the Committee on
Homeland Security and Governmental Affairs of the Senate; and
``(2) the Committee on Appropriations, the Committee on
Homeland Security, the Committee on Oversight and Government
Reform, and the Committee on Science, Space, and Technology of the
House of Representatives.''.
(b) Conforming Amendment.--Section 3554(a)(1)(B) of title 44,
United States Code, is amended--
(1) in clause (iii), by striking ``and'' at the end; and
(2) by adding at the end the following:
``(v) emergency directives issued by the Secretary
under section 3553(h); and''.
TITLE III--FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT
SEC. 301. SHORT TITLE.
This title may be cited as the ``Federal Cybersecurity Workforce
Assessment Act of 2015''.
SEC. 302. DEFINITIONS.
In this title:
(1) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Armed Services of the Senate;
(B) the Committee on Homeland Security and Governmental
Affairs of the Senate;
(C) the Select Committee on Intelligence of the Senate;
(D) the Committee on Commerce, Science, and Transportation
of the Senate;
(E) the Committee on Armed Services of the House of
Representatives;
(F) the Committee on Homeland Security of the House of
Representatives;
(G) the Committee on Oversight and Government Reform of the
House of Representatives; and
(H) the Permanent Select Committee on Intelligence of the
House of Representatives.
(2) Director.--The term ``Director'' means the Director of the
Office of Personnel Management.
(3) National initiative for cybersecurity education.--The term
``National Initiative for Cybersecurity Education'' means the
initiative under the national cybersecurity awareness and education
program, as authorized under section 401 of the Cybersecurity
Enhancement Act of 2014 (15 U.S.C. 7451).
(4) Work roles.--The term `` work roles'' means a specialized
set of tasks and functions requiring specific knowledge, skills,
and abilities.
SEC. 303. NATIONAL CYBERSECURITY WORKFORCE MEASUREMENT INITIATIVE.
(a) In General.--The head of each Federal agency shall--
(1) identify all positions within the agency that require the
performance of cybersecurity or other cyber-related functions; and
(2) assign the corresponding employment code under the National
Initiative for Cybersecurity Education in accordance with
subsection (b).
(b) Employment Codes.--
(1) Procedures.--
(A) Coding structure.--Not later than 180 days after the
date of the enactment of this Act, the Director, in
coordination with the National Institute of Standards and
Technology, shall develop a coding structure under the National
Initiative for Cybersecurity Education.
(B) Identification of civilian cyber personnel.--Not later
than 9 months after the date of enactment of this Act, the
Director, in coordination with the Secretary of Homeland
Security, the Director of the National Institute of Standards
and Technology, and the Director of National Intelligence,
shall establish procedures to implement the National Initiative
for Cybersecurity Education coding structure to identify all
Federal civilian positions that require the performance of
information technology, cybersecurity, or other cyber-related
functions.
(C) Identification of noncivilian cyber personnel.--Not
later than 18 months after the date of enactment of this Act,
the Secretary of Defense shall establish procedures to
implement the National Initiative for Cybersecurity Education's
coding structure to identify all Federal noncivilian positions
that require the performance of information technology,
cybersecurity, or other cyber-related functions.
(D) Baseline assessment of existing cybersecurity
workforce.--Not later than 3 months after the date on which the
procedures are developed under subparagraphs (B) and (C),
respectively, the head of each Federal agency shall submit to
the appropriate congressional committees of jurisdiction a
report that identifies--
(i) the percentage of personnel with information
technology, cybersecurity, or other cyber-related job
functions who currently hold the appropriate industry-
recognized certifications as identified under the National
Initiative for Cybersecurity Education;
(ii) the level of preparedness of other civilian and
noncivilian cyber personnel without existing credentials to
take certification exams; and
(iii) a strategy for mitigating any gaps identified in
clause (i) or (ii) with the appropriate training and
certification for existing personnel.
(E) Procedures for assigning codes.--Not later than 3
months after the date on which the procedures are developed
under subparagraphs (B) and (C), respectively, the head of each
Federal agency shall establish procedures--
(i) to identify all encumbered and vacant positions
with information technology, cybersecurity, or other cyber-
related functions (as defined in the National Initiative
for Cybersecurity Education's coding structure); and
(ii) to assign the appropriate employment code to each
such position, using agreed standards and definitions.
(2) Code assignments.--Not later than 1 year after the date
after the procedures are established under paragraph (1)(E), the
head of each Federal agency shall complete assignment of the
appropriate employment code to each position within the agency with
information technology, cybersecurity, or other cyber-related
functions.
(c) Progress Report.--Not later than 180 days after the date of
enactment of this Act, the Director shall submit a progress report on
the implementation of this section to the appropriate congressional
committees.
SEC. 304. IDENTIFICATION OF CYBER-RELATED WORK ROLES OF CRITICAL
NEED.
(a) In General.--Beginning not later than 1 year after the date on
which the employment codes are assigned to employees pursuant to
section 303(b)(2), and annually thereafter through 2022, the head of
each Federal agency, in consultation with the Director, the Director of
the National Institute of Standards and Technology, and the Secretary
of Homeland Security, shall--
(1) identify information technology, cybersecurity, or other
cyber-related work roles of critical need in the agency's
workforce; and
(2) submit a report to the Director that--
(A) describes the information technology, cybersecurity, or
other cyber-related roles identified under paragraph (1); and
(B) substantiates the critical need designations.
(b) Guidance.--The Director shall provide Federal agencies with
timely guidance for identifying information technology, cybersecurity,
or other cyber-related roles of critical need, including--
(1) current information technology, cybersecurity, and other
cyber-related roles with acute skill shortages; and
(2) information technology, cybersecurity, or other cyber-
related roles with emerging skill shortages.
(c) Cybersecurity Needs Report.--Not later than 2 years after the
date of the enactment of this Act, the Director, in consultation with
the Secretary of Homeland Security, shall--
(1) identify critical needs for information technology,
cybersecurity, or other cyber-related workforce across all Federal
agencies; and
(2) submit a progress report on the implementation of this
section to the appropriate congressional committees.
SEC. 305. GOVERNMENT ACCOUNTABILITY OFFICE STATUS REPORTS.
The Comptroller General of the United States shall--
(1) analyze and monitor the implementation of sections 303 and
304; and
(2) not later than 3 years after the date of the enactment of
this Act, submit a report to the appropriate congressional
committees that describes the status of such implementation.
TITLE IV--OTHER CYBER MATTERS
SEC. 401. STUDY ON MOBILE DEVICE SECURITY.
(a) In General.--Not later than 1 year after the date of the
enactment of this Act, the Secretary of Homeland Security, in
consultation with the Director of the National Institute of Standards
and Technology, shall--
(1) complete a study on threats relating to the security of the
mobile devices of the Federal Government; and
(2) submit an unclassified report to Congress, with a
classified annex if necessary, that contains the findings of such
study, the recommendations developed under paragraph (3) of
subsection (b), the deficiencies, if any, identified under (4) of
such subsection, and the plan developed under paragraph (5) of such
subsection.
(b) Matters Studied.--In carrying out the study under subsection
(a)(1), the Secretary, in consultation with the Director of the
National Institute of Standards and Technology, shall--
(1) assess the evolution of mobile security techniques from a
desktop-centric approach, and whether such techniques are adequate
to meet current mobile security challenges;
(2) assess the effect such threats may have on the
cybersecurity of the information systems and networks of the
Federal Government (except for national security systems or the
information systems and networks of the Department of Defense and
the intelligence community);
(3) develop recommendations for addressing such threats based
on industry standards and best practices;
(4) identify any deficiencies in the current authorities of the
Secretary that may inhibit the ability of the Secretary to address
mobile device security throughout the Federal Government (except
for national security systems and the information systems and
networks of the Department of Defense and intelligence community);
and
(5) develop a plan for accelerated adoption of secure mobile
device technology by the Department of Homeland Security.
(c) Intelligence Community Defined.--In this section, the term
``intelligence community'' has the meaning given such term in section 3
of the National Security Act of 1947 (50 U.S.C. 3003).
SEC. 402. DEPARTMENT OF STATE INTERNATIONAL CYBERSPACE POLICY
STRATEGY.
(a) In General.--Not later than 90 days after the date of the
enactment of this Act, the Secretary of State shall produce a
comprehensive strategy relating to United States international policy
with regard to cyberspace.
(b) Elements.--The strategy required by subsection (a) shall
include the following:
(1) A review of actions and activities undertaken by the
Secretary of State to date to support the goal of the President's
International Strategy for Cyberspace, released in May 2011, to
``work internationally to promote an open, interoperable, secure,
and reliable information and communications infrastructure that
supports international trade and commerce, strengthens
international security, and fosters free expression and
innovation.''.
(2) A plan of action to guide the diplomacy of the Secretary of
State, with regard to foreign countries, including conducting
bilateral and multilateral activities to develop the norms of
responsible international behavior in cyberspace, and status review
of existing discussions in multilateral fora to obtain agreements
on international norms in cyberspace.
(3) A review of the alternative concepts with regard to
international norms in cyberspace offered by foreign countries that
are prominent actors, including China, Russia, Brazil, and India.
(4) A detailed description of threats to United States national
security in cyberspace from foreign countries, state-sponsored
actors, and private actors to Federal and private sector
infrastructure of the United States, intellectual property in the
United States, and the privacy of citizens of the United States.
(5) A review of policy tools available to the President to
deter foreign countries, state-sponsored actors, and private
actors, including those outlined in Executive Order 13694, released
on April 1, 2015.
(6) A review of resources required by the Secretary, including
the Office of the Coordinator for Cyber Issues, to conduct
activities to build responsible norms of international cyber
behavior.
(c) Consultation.--In preparing the strategy required by subsection
(a), the Secretary of State shall consult, as appropriate, with other
agencies and departments of the United States and the private sector
and nongovernmental organizations in the United States with recognized
credentials and expertise in foreign policy, national security, and
cybersecurity.
(d) Form of Strategy.--The strategy required by subsection (a)
shall be in unclassified form, but may include a classified annex.
(e) Availability of Information.--The Secretary of State shall--
(1) make the strategy required in subsection (a) available the
public; and
(2) brief the Committee on Foreign Relations of the Senate and
the Committee on Foreign Affairs of the House of Representatives on
the strategy, including any material contained in a classified
annex.
SEC. 403. APPREHENSION AND PROSECUTION OF INTERNATIONAL CYBER
CRIMINALS.
(a) International Cyber Criminal Defined.--In this section, the
term ``international cyber criminal'' means an individual--
(1) who is believed to have committed a cybercrime or
intellectual property crime against the interests of the United
States or the citizens of the United States; and
(2) for whom--
(A) an arrest warrant has been issued by a judge in the
United States; or
(B) an international wanted notice (commonly referred to as
a ``Red Notice'') has been circulated by Interpol.
(b) Consultations for Noncooperation.--The Secretary of State, or
designee, shall consult with the appropriate government official of
each country from which extradition is not likely due to the lack of an
extradition treaty with the United States or other reasons, in which
one or more international cyber criminals are physically present, to
determine what actions the government of such country has taken--
(1) to apprehend and prosecute such criminals; and
(2) to prevent such criminals from carrying out cybercrimes or
intellectual property crimes against the interests of the United
States or its citizens.
(c) Annual Report.--
(1) In general.--The Secretary of State shall submit to the
appropriate congressional committees an annual report that
includes--
(A) the number of international cyber criminals located in
other countries, disaggregated by country, and indicating from
which countries extradition is not likely due to the lack of an
extradition treaty with the United States or other reasons;
(B) the nature and number of significant discussions by an
official of the Department of State on ways to thwart or
prosecute international cyber criminals with an official of
another country, including the name of each such country; and
(C) for each international cyber criminal who was
extradited to the United States during the most recently
completed calendar year--
(i) his or her name;
(ii) the crimes for which he or she was charged;
(iii) his or her previous country of residence; and
(iv) the country from which he or she was extradited
into the United States.
(2) Form.--The report required by this subsection shall be in
unclassified form to the maximum extent possible, but may include a
classified annex.
(3) Appropriate congressional committees.--For purposes of this
subsection, the term ``appropriate congressional committees''
means--
(A) the Committee on Foreign Relations, the Committee on
Appropriations, the Committee on Homeland Security and
Governmental Affairs, the Committee on Banking, Housing, and
Urban Affairs, the Select Committee on Intelligence, and the
Committee on the Judiciary of the Senate; and
(B) the Committee on Foreign Affairs, the Committee on
Appropriations, the Committee on Homeland Security, the
Committee on Financial Services, the Permanent Select Committee
on Intelligence, and the Committee on the Judiciary of the
House of Representatives.
SEC. 404. ENHANCEMENT OF EMERGENCY SERVICES.
(a) Collection of Data.--Not later than 90 days after the date of
the enactment of this Act, the Secretary of Homeland Security, acting
through the center established under section 227 of the Homeland
Security Act of 2002, as redesignated by section 223(a)(3) of this
division, in coordination with appropriate Federal entities and the
Director for Emergency Communications, shall establish a process by
which a Statewide Interoperability Coordinator may report data on any
cybersecurity risk or incident involving any information system or
network used by emergency response providers (as defined in section 2
of the Homeland Security Act of 2002 (6 U.S.C. 101)) within the State.
(b) Analysis of Data.--Not later than 1 year after the date of the
enactment of this Act, the Secretary of Homeland Security, acting
through the Director of the National Cybersecurity and Communications
Integration Center, in coordination with appropriate entities and the
Director for Emergency Communications, and in consultation with the
Secretary of Commerce, acting through the Director of the National
Institute of Standards and Technology, shall conduct integration and
analysis of the data reported under subsection (a) to develop
information and recommendations on security and resilience measures for
any information system or network used by State emergency response
providers.
(c) Best Practices.--
(1) In general.--Using the results of the integration and
analysis conducted under subsection (b), and any other relevant
information, the Director of the National Institute of Standards
and Technology shall, on an ongoing basis, facilitate and support
the development of methods for reducing cybersecurity risks to
emergency response providers using the process described in section
2(e) of the National Institute of Standards and Technology Act (15
U.S.C. 272(e)).
(2) Report.--The Director of the National Institute of
Standards and Technology shall submit to Congress a report on the
result of the activities of the Director under paragraph (1),
including any methods developed by the Director under such
paragraph, and shall make such report publicly available on the
website of the National Institute of Standards and Technology.
(d) Rule of Construction.--Nothing in this section shall be
construed to--
(1) require a State to report data under subsection (a); or
(2) require a non-Federal entity (as defined in section 102)
to--
(A) adopt a recommended measure developed under subsection
(b); or
(B) follow the result of the activities carried out under
subsection (c), including any methods developed under such
subsection.
SEC. 405. IMPROVING CYBERSECURITY IN THE HEALTH CARE INDUSTRY.
(a) Definitions.--In this section:
(1) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Health, Education, Labor, and
Pensions, the Committee on Homeland Security and Governmental
Affairs, and the Select Committee on Intelligence of the
Senate; and
(B) the Committee on Energy and Commerce, the Committee on
Homeland Security, and the Permanent Select Committee on
Intelligence of the House of Representatives.
(2) Business associate.--The term ``business associate'' has
the meaning given such term in section 160.103 of title 45, Code of
Federal Regulations (as in effect on the day before the date of the
enactment of this Act).
(3) Covered entity.--The term ``covered entity'' has the
meaning given such term in section 160.103 of title 45, Code of
Federal Regulations (as in effect on the day before the date of the
enactment of this Act).
(4) Cybersecurity threat; cyber threat indicator; defensive
measure; federal entity; non-federal entity; private entity.--The
terms ``cybersecurity threat'', ``cyber threat indicator'',
``defensive measure'', ``Federal entity'', ``non-Federal entity'',
and ``private entity'' have the meanings given such terms in
section 102 of this division.
(5) Health care clearinghouse; health care provider; health
plan.--The terms ``health care clearinghouse'', ``health care
provider'', and ``health plan'' have the meanings given such terms
in section 160.103 of title 45, Code of Federal Regulations (as in
effect on the day before the date of the enactment of this Act).
(6) Health care industry stakeholder.--The term ``health care
industry stakeholder'' means any--
(A) health plan, health care clearinghouse, or health care
provider;
(B) advocate for patients or consumers;
(C) pharmacist;
(D) developer or vendor of health information technology;
(E) laboratory;
(F) pharmaceutical or medical device manufacturer; or
(G) additional stakeholder the Secretary determines
necessary for purposes of subsection (b)(1), (c)(1), (c)(3), or
(d)(1).
(7) Secretary.--The term ``Secretary'' means the Secretary of
Health and Human Services.
(b) Report.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the Secretary shall submit to the Committee
on Health, Education, Labor, and Pensions of the Senate and the
Committee on Energy and Commerce of the House of Representatives a
report on the preparedness of the Department of Health and Human
Services and health care industry stakeholders in responding to
cybersecurity threats.
(2) Contents of report.--With respect to the internal response
of the Department of Health and Human Services to emerging
cybersecurity threats, the report under paragraph (1) shall
include--
(A) a clear statement of the official within the Department
of Health and Human Services to be responsible for leading and
coordinating efforts of the Department regarding cybersecurity
threats in the health care industry; and
(B) a plan from each relevant operating division and
subdivision of the Department of Health and Human Services on
how such division or subdivision will address cybersecurity
threats in the health care industry, including a clear
delineation of how each such division or subdivision will
divide responsibility among the personnel of such division or
subdivision and communicate with other such divisions and
subdivisions regarding efforts to address such threats.
(c) Health Care Industry Cybersecurity Task Force.--
(1) In general.--Not later than 90 days after the date of the
enactment of this Act, the Secretary, in consultation with the
Director of the National Institute of Standards and Technology and
the Secretary of Homeland Security, shall convene health care
industry stakeholders, cybersecurity experts, and any Federal
agencies or entities the Secretary determines appropriate to
establish a task force to--
(A) analyze how industries, other than the health care
industry, have implemented strategies and safeguards for
addressing cybersecurity threats within their respective
industries;
(B) analyze challenges and barriers private entities
(excluding any State, tribal, or local government) in the
health care industry face securing themselves against cyber
attacks;
(C) review challenges that covered entities and business
associates face in securing networked medical devices and other
software or systems that connect to an electronic health
record;
(D) provide the Secretary with information to disseminate
to health care industry stakeholders of all sizes for purposes
of improving their preparedness for, and response to,
cybersecurity threats affecting the health care industry;
(E) establish a plan for implementing title I of this
division, so that the Federal Government and health care
industry stakeholders may in real time, share actionable cyber
threat indicators and defensive measures; and
(F) report to the appropriate congressional committees on
the findings and recommendations of the task force regarding
carrying out subparagraphs (A) through (E).
(2) Termination.--The task force established under this
subsection shall terminate on the date that is 1 year after the
date on which such task force is established.
(3) Dissemination.--Not later than 60 days after the
termination of the task force established under this subsection,
the Secretary shall disseminate the information described in
paragraph (1)(D) to health care industry stakeholders in accordance
with such paragraph.
(d) Aligning Health Care Industry Security Approaches.--
(1) In general.--The Secretary shall establish, through a
collaborative process with the Secretary of Homeland Security,
health care industry stakeholders, the Director of the National
Institute of Standards and Technology, and any Federal entity or
non-Federal entity the Secretary determines appropriate, a common
set of voluntary, consensus-based, and industry-led guidelines,
best practices, methodologies, procedures, and processes that--
(A) serve as a resource for cost-effectively reducing
cybersecurity risks for a range of health care organizations;
(B) support voluntary adoption and implementation efforts
to improve safeguards to address cybersecurity threats;
(C) are consistent with--
(i) the standards, guidelines, best practices,
methodologies, procedures, and processes developed under
section 2(c)(15) of the National Institute of Standards and
Technology Act (15 U.S.C. 272(c)(15));
(ii) the security and privacy regulations promulgated
under section 264(c) of the Health Insurance Portability
and Accountability Act of 1996 (42 U.S.C. 1320d-2 note);
and
(iii) the provisions of the Health Information
Technology for Economic and Clinical Health Act (title XIII
of division A, and title IV of division B, of Public Law
111-5), and the amendments made by such Act; and
(D) are updated on a regular basis and applicable to a
range of health care organizations.
(2) Limitation.--Nothing in this subsection shall be
interpreted as granting the Secretary authority to--
(A) provide for audits to ensure that health care
organizations are in compliance with this subsection; or
(B) mandate, direct, or condition the award of any Federal
grant, contract, or purchase, on compliance with this
subsection.
(3) No liability for nonparticipation.--Nothing in this section
shall be construed to subject a health care industry stakeholder to
liability for choosing not to engage in the voluntary activities
authorized or guidelines developed under this subsection.
(e) Incorporating Ongoing Activities.--In carrying out the
activities under this section, the Secretary may incorporate activities
that are ongoing as of the day before the date of enactment of this Act
and that are consistent with the objectives of this section.
(f) Rule of Construction.--Nothing in this section shall be
construed to limit the antitrust exemption under section 104(e) or the
protection from liability under section 106.
SEC. 406. FEDERAL COMPUTER SECURITY.
(a) Definitions.--In this section:
(1) Covered system.--The term ``covered system'' shall mean a
national security system as defined in section 11103 of title 40,
United States Code, or a Federal computer system that provides
access to personally identifiable information.
(2) Covered agency.--The term ``covered agency'' means an
agency that operates a covered system.
(3) Logical access control.--The term ``logical access
control'' means a process of granting or denying specific requests
to obtain and use information and related information processing
services.
(4) Multi-factor authentication.--The term ``multi-factor
authentication'' means the use of not fewer than 2 authentication
factors, such as the following:
(A) Something that is known to the user, such as a password
or personal identification number.
(B) An access device that is provided to the user, such as
a cryptographic identification device or token.
(C) A unique biometric characteristic of the user.
(5) Privileged user.--The term ``privileged user'' means a user
who has access to system control, monitoring, or administrative
functions.
(b) Inspector General Reports on Covered Systems.--
(1) In general.--Not later than 240 days after the date of
enactment of this Act, the Inspector General of each covered agency
shall submit to the appropriate committees of jurisdiction in the
Senate and the House of Representatives a report, which shall
include information collected from the covered agency for the
contents described in paragraph (2) regarding the Federal computer
systems of the covered agency.
(2) Contents.--The report submitted by each Inspector General
of a covered agency under paragraph (1) shall include, with respect
to the covered agency, the following:
(A) A description of the logical access policies and
practices used by the covered agency to access a covered
system, including whether appropriate standards were followed.
(B) A description and list of the logical access controls
and multi-factor authentication used by the covered agency to
govern access to covered systems by privileged users.
(C) If the covered agency does not use logical access
controls or multi-factor authentication to access a covered
system, a description of the reasons for not using such logical
access controls or multi-factor authentication.
(D) A description of the following information security
management practices used by the covered agency regarding
covered systems:
(i) The policies and procedures followed to conduct
inventories of the software present on the covered systems
of the covered agency and the licenses associated with such
software.
(ii) What capabilities the covered agency utilizes to
monitor and detect exfiltration and other threats,
including--
(I) data loss prevention capabilities;
(II) forensics and visibility capabilities; or
(III) digital rights management capabilities.
(iii) A description of how the covered agency is using
the capabilities described in clause (ii).
(iv) If the covered agency is not utilizing
capabilities described in clause (ii), a description of the
reasons for not utilizing such capabilities.
(E) A description of the policies and procedures of the
covered agency with respect to ensuring that entities,
including contractors, that provide services to the covered
agency are implementing the information security management
practices described in subparagraph (D).
(3) Existing review.--The reports required under this
subsection may be based in whole or in part on an audit,
evaluation, or report relating to programs or practices of the
covered agency, and may be submitted as part of another report,
including the report required under section 3555 of title 44,
United States Code.
(4) Classified information.--Reports submitted under this
subsection shall be in unclassified form, but may include a
classified annex.
SEC. 407. STOPPING THE FRAUDULENT SALE OF FINANCIAL INFORMATION OF
PEOPLE OF THE UNITED STATES.
Section 1029(h) of title 18, United States Code, is amended by
striking ``title if--'' and all that follows through ``therefrom.'' and
inserting ``title if the offense involves an access device issued,
owned, managed, or controlled by a financial institution, account
issuer, credit card system member, or other entity organized under the
laws of the United States, or any State, the District of Columbia, or
other territory of the United States.''.