[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3869 Referred in Senate (RFS)]
114th CONGRESS
1st Session
H. R. 3869
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
December 14, 2015
Received; read twice and referred to the Committee on Homeland Security
and Governmental Affairs
_______________________________________________________________________
AN ACT
To amend the Homeland Security Act of 2002 to assist State and local
coordination on cybersecurity with the national cybersecurity and
communications integration center, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``State and Local Cyber Protection Act
of 2015''.
SEC. 2. STATE AND LOCAL COORDINATION ON CYBERSECURITY WITH THE NATIONAL
CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.
(a) In General.--The second section 226 of the Homeland Security
Act of 2002 (6 U.S.C. 148; relating to the national cybersecurity and
communications integration center) is amended by adding at the end the
following new subsection:
``(g) State and Local Coordination on Cybersecurity.--
``(1) In general.--The Center shall, to the extent
practicable--
``(A) assist State and local governments, upon
request, in identifying information system
vulnerabilities;
``(B) assist State and local governments, upon
request, in identifying information security
protections commensurate with cybersecurity risks and
the magnitude of the potential harm resulting from the
unauthorized access, use, disclosure, disruption,
modification, or destruction of--
``(i) information collected or maintained
by or on behalf of a State or local government;
or
``(ii) information systems used or operated
by an agency or by a contractor of a State or
local government or other organization on
behalf of a State or local government;
``(C) in consultation with State and local
governments, provide and periodically update via a web
portal tools, products, resources, policies,
guidelines, and procedures related to information
security;
``(D) work with senior State and local government
officials, including State and local Chief Information
Officers, through national associations to coordinate a
nationwide effort to ensure effective implementation of
tools, products, resources, policies, guidelines, and
procedures related to information security to secure
and ensure the resiliency of State and local
information systems;
``(E) provide, upon request, operational and
technical cybersecurity training to State and local
government and fusion center analysts and operators to
address cybersecurity risks or incidents;
``(F) provide, in coordination with the Chief
Privacy Officer and the Chief Civil Rights and Civil
Liberties Officer of the Department, privacy and civil
liberties training to State and local governments
related to cybersecurity;
``(G) provide, upon request, operational and
technical assistance to State and local governments to
implement tools, products, resources, policies,
guidelines, and procedures on information security by--
``(i) deploying technology to assist such
State or local government to continuously
diagnose and mitigate against cyber threats and
vulnerabilities, with or without reimbursement;
``(ii) compiling and analyzing data on
State and local information security; and
``(iii) developing and conducting targeted
operational evaluations, including threat and
vulnerability assessments, on the information
systems of State and local governments;
``(H) assist State and local governments to develop
policies and procedures for coordinating vulnerability
disclosures, to the extent practicable, consistent with
international and national standards in the information
technology industry, including standards developed by
the National Institute of Standards and Technology; and
``(I) ensure that State and local governments, as
appropriate, are made aware of the tools, products,
resources, policies, guidelines, and procedures on
information security developed by the Department and
other appropriate Federal departments and agencies for
ensuring the security and resiliency of Federal
civilian information systems.
``(2) Training.--Privacy and civil liberties training
provided pursuant to subparagraph (F) of paragraph (1) shall
include processes, methods, and information that--
``(A) are consistent with the Department's Fair
Information Practice Principles developed pursuant to
section 552a of title 5, United States Code (commonly
referred to as the `Privacy Act of 1974' or the
`Privacy Act');
``(B) reasonably limit, to the greatest extent
practicable, the receipt, retention, use, and
disclosure of information related to cybersecurity
risks and incidents associated with specific persons
that is not necessary, for cybersecurity purposes, to
protect an information system or network of information
systems from cybersecurity risks or to mitigate
cybersecurity risks and incidents in a timely manner;
``(C) minimize any impact on privacy and civil
liberties;
``(D) provide data integrity through the prompt
removal and destruction of obsolete or erroneous names
and personal information that is unrelated to the
cybersecurity risk or incident information shared and
retained by the Center in accordance with this section;
``(E) include requirements to safeguard cyber
threat indicators and defensive measures retained by
the Center, including information that is proprietary
or business-sensitive that may be used to identify
specific persons from unauthorized access or
acquisition;
``(F) protect the confidentiality of cyber threat
indicators and defensive measures associated with
specific persons to the greatest extent practicable;
and
``(G) ensure all relevant constitutional, legal,
and privacy protections are observed.''.
(b) Congressional Oversight.--Not later than 2 years after the date
of the enactment of this Act, the national cybersecurity and
communications integration center of the Department of Homeland
Security shall provide to the Committee on Homeland Security of the
House of Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate information on the activities and
effectiveness of such activities under subsection (g) of the second
section 226 of the Homeland Security Act of 2002 (6 U.S.C. 148;
relating to the national cybersecurity and communications integration
center), as added by subsection (a) of this section, on State and local
information security. The center shall seek feedback from State and
local governments regarding the effectiveness of such activities and
include such feedback in the information required to be provided under
this subsection.
Passed the House of Representatives December 10, 2015.
Attest:
KAREN L. HAAS,
Clerk.