[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5390 Introduced in House (IH)]
<DOC>
114th CONGRESS
2d Session
H. R. 5390
To amend the Homeland Security Act of 2002 to authorize the
Cybersecurity and Infrastructure Protection Agency of the Department of
Homeland Security, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 7, 2016
Mr. McCaul (for himself, Mr. Ratcliffe, and Ms. Jackson Lee) introduced
the following bill; which was referred to the Committee on Homeland
Security, and in addition to the Committees on Energy and Commerce,
Oversight and Government Reform, and Transportation and Infrastructure,
for a period to be subsequently determined by the Speaker, in each case
for consideration of such provisions as fall within the jurisdiction of
the committee concerned
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to authorize the
Cybersecurity and Infrastructure Protection Agency of the Department of
Homeland Security, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cybersecurity and Infrastructure
Protection Agency Act of 2016''.
SEC. 2. CYBERSECURITY AND INFRASTRUCTURE PROTECTION AGENCY.
(a) In General.--The Homeland Security Act of 2002 is amended by
adding at the end the following new title:
``TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE PROTECTION AGENCY
``Subtitle A--Cybersecurity and Infrastructure Protection
``SEC. 2201. DEFINITIONS.
``In this subtitle--
``(1) Critical infrastructure incident.--The term `critical
infrastructure incident' means an occurrence that actually or
immediately jeopardizes, without lawful authority, the
integrity, confidentiality, or availability of critical
infrastructure.
``(2) Critical infrastructure information.--The term
`critical infrastructure information' has the meaning given
such term in section 2215.
``(3) Critical infrastructure risk.--The term `critical
infrastructure risk' means threats to and vulnerabilities of
critical infrastructure and any related consequences caused by
or resulting from unauthorized access, use, disclosure,
degradation, disruption, modification, or destruction of such
critical infrastructure, including such related consequences
caused by an act of terrorism.
``(4) Cybersecurity risk.--The term `cybersecurity risk'
has the meaning given such term in section 2209.
``(5) Cybersecurity threat.--The term `cybersecurity
threat' has the meaning given such term in paragraph (5) of
section 102 of the Cybersecurity Information Sharing Act of
2015 (contained in division N of the Consolidated
Appropriations Act, 2016 (Public Law 114-113; 6 U.S.C. 1501)).
``(6) Federal entity.--The term `Federal entity' has the
meaning given such term in paragraph (8) of section 102 of the
Cybersecurity Information Sharing Act of 2015 (contained in
division N of the Consolidated Appropriations Act, 2016 (Public
Law 114-113; 6 U.S.C. 1501)).
``(7) Non-federal entity.--The term `non-Federal entity'
has the meaning given such term in paragraph (14) of section
102 of the Cybersecurity Information Sharing Act of 2015
(contained in division N of the Consolidated Appropriations
Act, 2016 (Public Law 114-113; 6 U.S.C. 1501)).
``(8) Sharing.--The term `sharing' has the meaning given
such term in section 2209.
``SEC. 2202. CYBERSECURITY AND INFRASTRUCTURE PROTECTION AGENCY.
``(a) Redesignation.--
``(1) In general.--The National Protection and Programs
Directorate of the Department shall, on and after the date of
the enactment of this subtitle, be known as the `Cybersecurity
and Infrastructure Protection Agency' (in this subtitle
referred to as the `Agency').
``(2) References.--Any reference to the National Protection
and Programs Directorate of the Department in any law,
regulation, map, document, record, or other paper of the United
States shall be deemed to be a reference to the Cybersecurity
and Infrastructure Protection Agency of the Department.
``(b) Mission.--The mission of the Agency shall be to lead national
efforts to protect and enhance the security and resilience of the cyber
and critical infrastructure of the United States.
``(c) Director.--
``(1) In general.--The Agency shall be headed by a Director
of National Cybersecurity (in this subtitle referred to as the
`Director').
``(2) Reference.--Any reference to an Under Secretary
responsible for overseeing critical infrastructure protection,
cybersecurity, and any other related program of the Department
as described in section 103(a)(1)(H) as in effect on the day
before the date of the enactment of this subtitle in any law,
regulation, map, document, record, or other paper of the United
States shall be deemed to be a reference to the Director of
National Cybersecurity of the Department.
``(d) Responsibilities.--The Director shall--
``(1) lead cybersecurity and critical infrastructure
protection policy and operations for the Department;
``(2) serve as the primary representative of the Department
for coordinating with Federal entities, non-Federal entities,
and international partners the cybersecurity and critical
infrastructure protection policy and operations referred to in
paragraph (1);
``(3) facilitate a national effort to strengthen and
maintain secure, functioning, and resilient critical
infrastructure from threats;
``(4) maintain and utilize mechanisms, including a
coordinating body for the regular and ongoing consultation and
collaboration among the Agency's Divisions to further operation
coordination, integrated situational awareness, and improved
integration across the Agency;
``(5) develop, coordinate, and implement--
``(A) comprehensive strategic plans for
cybersecurity and critical infrastructure protection;
and
``(B) risk assessments for the Department, in
accordance with subsection (f);
``(6) carry out emergency communications responsibilities,
in accordance with title XVIII;
``(7) carry out the authorities designated to the Secretary
under section 1315 of title 40 United States Code; and
``(8) carry out such other duties and powers prescribed by
law or delegated by the Secretary.
``(e) Risk Assessments.--
``(1) National risk assessments.--The Director, in
coordination with the heads of relevant components of the
Department and other appropriate Federal entities, shall
develop, coordinate, and update periodically (not less often
than once every two years) a national risk assessment of--
``(A) cybersecurity risks; and
``(B) critical infrastructure risks.
``(2) Integrated national risk assessments.--The Director
shall develop, coordinate, and update periodically (not less
often than once every two years) an integrated national risk
assessment that assesses all of the cybersecurity risks and
critical infrastructure risks referred to in paragraph (1) and
compares each such risk and incident against one another
according to their relative risk, including cascading effects
between each such risk.
``(3) Inclusion in assessments.--Each national risk
assessment required under paragraph (1) and integrated national
risk assessment required under paragraph (2) shall include--
``(A) a description of the data and methodology
used for each such assessment; and
``(B) if applicable, actions or counter-measures
recommended or taken by the Secretary or the head of
another Federal agency to address issues identified in
each such assessment.
``(4) Classification.--The Director shall ensure that each
national risk assessment required under paragraph (1) and
integrated national risk assessment required under paragraph
(2) has a classified and unclassified version.
``(5) Provision to congress.--The Director shall provide to
the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate each national risk
assessment required under paragraph (1) and integrated national
risk assessment required under paragraph (2) not later than 30
days after the completion of each such assessment.
``(f) Methodology.--In developing each national risk assessment
required under subsection (f)(1) and integrated national risk
assessment required under subsection (g)(2), the Director, in
consultation with the heads of relevant Federal entities, shall--
``(1) assess the proposed methodology to be used for such
assessments; and
``(2) consider the evolving threat to the United States as
indicated by the intelligence community (as such term is
defined in section 3(4) of the National Security Act of 1947
(50 U.S.C. 3003(4))).
``(g) Usage.--The national risk assessments and integrated national
risk assessments required under subsection (f) shall be used to inform
and guide allocation of resources for cybersecurity and critical
infrastructure protection activities of the Department.
``(h) Input and Sharing.--The Director shall, for each national
risk assessment and integrated national risk assessment required under
subsection (f)--
``(1) seek input from relevant Federal and non-Federal
entities involved in efforts to counter threats;
``(2) ensure that written procedures are in place to guide
the development of such assessments, including for input,
review, and implementation purposes, among relevant Federal
entities;
``(3) share the classified versions of such assessments
with appropriate representatives from relevant Federal and non-
Federal entities with appropriate security clearances and a
need for such assessments; and
``(4) to the maximum extent practicable, make available the
unclassified versions of such assessments to relevant Federal
and non-Federal entities for cybersecurity and critical
infrastructure protection.
``(i) Composition.--The Agency shall be composed of the following
divisions:
``(1) The Cybersecurity Division, headed by a Principal
Deputy Director.
``(2) The Infrastructure Protection Division, headed by a
Deputy Director.
``(3) The Emergency Communications Division under title
XVIII, headed by a Deputy Director.
``(4) The Federal Protective Service, headed by a Deputy
Director.
``(j) Contracting Authority.--
``(1) Definition.--In this subsection the term `head of
contracting activity' means each official responsible for the
creation, management, and oversight of a team of procurement
professionals properly trained, certified, and warranted to
accomplish the acquisition of products and services on behalf
of the designated components, offices, and organizations of the
Department, and as authorized, other Federal Government
entities.
``(2) Application.--All procurement and contracting
activities for the Agency shall be performed in accordance with
the Federal Acquisition Regulation, the Department of Homeland
Security Acquisition Policy, and other applicable laws, Federal
regulations, and policies.
``(3) Delegated authority.--The Secretary, acting through
the Chief Procurement Officer of the Department, may delegate
procurement and contracting authority to the Agency head of
contracting activity, as appropriate, after--
``(A) verifying that the head of contracting
activity has the training and experience to carry out
the authority to be delegated;
``(B) validating that Agency has identified the
personnel, systems, and resources to carry out the
authority to be delegated; and
``(C) providing Congress with a notification of the
delegation and attestations under paragraphs (1) and
(2).
``(4) Performance review.--
``(A) In general.--The Chief Procurement Officer
shall provide input on the periodic performance review
of the Agency's head of contracting activity.
``(B) Rule of construction.--None of the
authorities authorized in this subsection shall
prohibit the Chief Procurement Officer from retaining
contracting authority for the Agency, as warranted.
``(5) Compliance.--The Agency shall comply with Department
policy prior to obligating funds when using reimbursable work
agreements or interagency acquisitions with other Federal
agencies or Department components.
``(4) Department review.--Not later than one year after any
delegation pursuant to paragraph (3), the Director shall report
to Congress on the exercise of procurement and contracting
authority by the head of contracting activity of the Agency and
the status of Agency major acquisition programs, cost,
schedule, and performance.
``(k) Staff.--
``(1) In general.--The Secretary shall provide the Agency
with a staff of analysts having appropriate expertise and
experience to assist the Agency in discharging its
responsibilities under this section.
``(2) Private sector analysts.--Analysts under this
subsection may include analysts from the private sector.
``(3) Security clearances.--Analysts under this subsection
shall possess security clearances appropriate for their work
under this section.
``(l) Detail of Personnel.--
``(1) In general.--In order to assist the Agency in
discharging its responsibilities under this section, personnel
of the Federal agencies referred to in paragraph (2) may be
detailed to the Agency for the performance of analytic
functions and related duties.
``(2) Agencies specified.--The Federal agencies referred to
in paragraph (1) are the following:
``(A) The Department of State.
``(B) The Central Intelligence Agency.
``(C) The Federal Bureau of Investigation.
``(D) The National Security Agency.
``(E) The National Geospatial-Intelligence Agency.
``(F) The Defense Intelligence Agency.
``(G) Any other agency of the Federal Government
that the President considers appropriate.
``(3) Cooperative agreements.--The Secretary and the head
of the agency concerned under this subsection may enter into
cooperative agreements for the purpose of detailing personnel
under this subsection.
``(4) Basis.--The detail of personnel under this subsection
may be on a reimbursable or non-reimbursable basis.
``SEC. 2203. CYBERSECURITY DIVISION.
``(a) Establishment.--
``(1) In general.--There is established in the Agency a
Cybersecurity Division.
``(2) Principal deputy director.--The Cybersecurity
Division shall be headed by a Principal Deputy Director of
Cybersecurity (in this subtitle referred to as the `Principal
Deputy Director'), who shall--
``(A) be at the level of Assistant Secretary within
the Department; and
``(B) report to the Director.
``(3) Reference.--Any reference to the Assistant Secretary
for Cybersecurity and Communications in any law, regulation,
map, document, record, or other paper of the United States
shall be deemed to be a reference to Principal Deputy Director
of Cybersecurity.
``(b) Functions.--The Cybersecurity Division shall--
``(1) lead the cybersecurity efforts of the Agency;
``(2) carry out--
``(A) the Department's activities related to
Federal information security; and
``(B) the functions of the national cybersecurity
and communications integration center under section
2209;
``(3) coordinate cybersecurity initiatives with Federal and
non-Federal entities for all activities relating to stakeholder
outreach, engagement, and education, including engagement and
coordination activities for cybersecurity initiatives carried
out by the National Protection and Programs Directorate, Office
of Cybersecurity and Communications Stakeholder Engagement and
Cyber Infrastructure Resilience division as of June 1, 2015;
``(4) provide coordination and support to non-Federal
entities to reduce cybersecurity risks, including through
voluntary partnerships;
``(4) conduct network and malicious code analysis for known
and unknown cybersecurity threats; and
``(5) in coordination with the Director, carry out the
consultation, coordination, and collaboration required under
subsection (d)(4) of section 2202.
``(c) Additional Functions.--In addition to the responsibilities
specified in subsection (b), the Principal Deputy Director shall also--
``(1) under section 201, carry out paragraphs (1), (3),
(4), (5), (6), (8), (10), (11), (13), (14), and (22) of
subsection (d) of such section;
``(2) carry out comprehensive assessments of the
cybersecurity risks to critical infrastructure, including the
performance of risk assessments to determine the risks posed by
particular types of terrorist attacks within the United States
(including an assessment of the probability of success of such
attacks and the feasibility and potential efficacy of various
countermeasures to such attacks);
``(3) recommend cybersecurity measures necessary to protect
critical infrastructure in coordination with other Federal
entities and in cooperation with non-Federal entities; and
``(4) ensure that any material received pursuant to this
title is protected from unauthorized disclosure and handled and
used only for the performance of official duties.
``SEC. 2204. INFRASTRUCTURE PROTECTION DIVISION.
``(a) Establishment.--
``(1) In general.--There is established in the Agency an
Infrastructure Protection Division.
``(2) Deputy director.--The Infrastructure Protection
Division shall be headed by a Deputy Director of Infrastructure
Protection (in this section referred to as the `Deputy
Director'), who shall report to the Director.
``(3) Reference.--Any reference to the Assistant Secretary
for Infrastructure Protection in any law, regulation, map,
document, record, or other paper of the United States shall be
deemed to be a reference to Deputy Director of Infrastructure
Protection.
``(b) Functions.--The Infrastructure Protection Division shall--
``(1) lead the critical infrastructure protection efforts
of the Agency;
``(2) gather and manage critical infrastructure information
and ensure that such information is available to the leadership
of the Department and critical infrastructure owners and
operators;
``(3) lead the efforts of the Department to secure the
United States high-risk chemical facilities, including the
Chemical Facilities Anti-Terrorism Standards established under
title XXI;
``(4) provide coordination and support to non-Federal
entities to reduce risk to critical infrastructure from
terrorist attack or natural disaster, including through
voluntary partnerships;
``(5) operate stakeholder engagement mechanisms for
appropriate critical infrastructure sectors, except that such
mechanisms may not duplicate any engagement and coordination
activities for cybersecurity initiatives carried out by the
National Protection and Programs Directorate, Office of
Cybersecurity and Communications Stakeholder Engagement and
Cyber Infrastructure Resilience division as of June 1, 2015;
``(6) administer the Coordinating Center established under
subsection (d);
``(7) in coordination with the Director, carry out the
consultation and collaboration required under subsection (d)(4)
of section 2202; and
``(8) carry out such other duties and powers as prescribed
by the Director.
``(c) Additional Functions.--In addition to the responsibilities
specified in subsection (b), the Deputy Director shall also--
``(1) under section 201, carry out paragraphs (1), (3),
(4), (5), (6), (8), (10), (11), (13), (14), and (22) subsection
(d) of such section;
``(2) carry out comprehensive assessments of the
vulnerabilities of critical infrastructure, including the
performance of risk assessments to determine the risks posed by
particular types of terrorist attacks within the United States
(including an assessment of the probability of success of such
attacks and the feasibility and potential efficacy of various
countermeasures to such attacks);
``(3) recommend measures necessary to protect critical
infrastructure in coordination with other Federal entities and
in cooperation with non-Federal entities; and
``(4) ensure that any material received pursuant to this
title is protected from unauthorized disclosure and handled and
used only for the performance of official duties.
``(d) Coordinating Center.--There shall be within the
Infrastructure Protection Division a National Infrastructure
Coordinating Center which shall be headed by an Assistant Director and
be co-located with the national cybersecurity communications and
integrated center established under section 2209. The National
Infrastructure Coordinating Center shall--
``(1) collect, maintain, and share critical infrastructure
information;
``(2) evaluate critical infrastructure information for
accuracy, importance, and implications;
``(3) provide recommendations to non-Federal entities and
Department leadership;
``(4) advise the Secretary and the Director regarding
actions required before and after a critical infrastructure
incident; and
``(5) carry out such other duties and powers as prescribed
by the Director.''.
(b) Treatment of Certain Positions.--
(1) Under secretary.--The individual serving as the Under
Secretary appointed pursuant to section 103(a)(1)(H) of the
Homeland Security Act of 2002 (6 U.S.C. 113(a)(1)) of the
Department of Homeland Security on the day before the date of
the enactment of this Act may continue to serve as the Director
of the Cybersecurity and Infrastructure Protection Agency of
the Department on and after such date.
(2) Director for emergency communications.--The individual
serving as the Director for Emergency Communications of the
Department of Homeland Security on the day before the date of
the enactment of this Act may continue to serve as the Deputy
Director of Emergency Communications of the Department on and
after such date.
(3) Assistant secretary for cybersecurity and
communications.--The individual serving as the Assistant
Secretary for Cybersecurity and Communications on the day
before the date of the enactment of this Act may continue to
serve as the Principal Deputy Director of Cybersecurity.
(4) Assistant secretary for infrastructure protection.--The
individual serving as the Assistant Secretary for
Infrastructure Protection on the day before the date of the
enactment of this Act may continue to serve as the Deputy
Director of Infrastructure Protection.
(c) Operational Coordination.--The Director of the Cybersecurity
and Infrastructure Protection Agency of the Department of Homeland
Security shall provide, in accordance with the deadlines specified in
paragraphs (1) and (2), to the Committee on Homeland Security of the
House and the Committee on Homeland Security and Governmental Affairs
of the Senate information on the following:
(1) Not later than 90 days after the date of the enactment
of this Act, the Agency's mechanisms for regular consultation
and collaboration, including information on composition
(including leadership structure), authorities, frequency of
meetings, and visibility within the Agency.
(2) Not later than one year after the date of the enactment
of this Act, the activities of the Agency's consultation and
collaboration mechanisms and how such mechanisms have impacted
operational coordination, situational awareness, and
integration across the Agency.
(d) Conforming Amendments.--The Homeland Security Act of 2002 is
amended--
(1) in section 103(a) (6 U.S.C. 113(a))--
(A) in paragraph (1), by amending subparagraphs (H)
and (I) to read as follows:
``(H) A Director of the Cybersecurity and Infrastructure
Protection Agency.
``(I) The Administrator of the Transportation Security
Administration.''; and
(B) by amending paragraph (2) to read as follows:
``(2) Other Assistant Secretaries and Officials.--
``(A) Presidential appointments.--The Department shall have
the following officers appointed by the President:
``(i) The Principal Deputy Director of the
Cybersecurity Division under section 2203.
``(ii) The Assistant Secretary of the Office of
Public Affairs.
``(iii) The Assistant Secretary of the Office of
Legislative Affairs.
``(B) Secretarial appointments.--The Department shall have
the following Assistant Secretaries appointed by the Secretary:
``(i) The Assistant Secretary for International
Affairs under section 602.
``(ii) The Assistant Secretary for Partnership and
Engagement under section 603.
``(C) Limitation on creation of positions.--No Assistant
Secretary position may be created in addition to the positions
provided for by this section unless such position is authorized
by a statute enacted after the date of the enactment of the
Cybersecurity and Infrastructure Protection Agency Act of
2016.'';
(2) in title II (6 U.S.C. 121 et seq.)--
(A) in the title heading, by striking ``AND
INFRASTRUCTURE PROTECTION'';
(B) in the subtitle A heading, by striking ``and
Infrastructure Protection; Access to Information'';
(C) in section 201 (6 U.S.C. 121)--
(i) in the section heading, by striking
``and infrastructure protection'';
(ii) in subsection (a)--
(I) in the heading, by striking
``and Infrastructure Protection''; and
(II) by striking ``and an Office of
Infrastructure Protection'';
(iii) in subsection (b)--
(I) in the heading, by striking
``and Assistant Secretary for
Infrastructure Protection''; and
(II) by striking paragraph (3);
(iv) in subsection (c)--
(I) by striking ``and
infrastructure protection''; and
(II) by striking ``or the Assistant
Secretary for Infrastructure
Protection, as appropriate'';
(v) in subsection (d)--
(I) in the heading, by striking
``and Infrastructure Protection'';
(II) in the matter preceding
paragraph (1), by striking ``and
infrastructure protection'';
(III) by striking paragraphs (5)
and (6) and redesignating paragraphs
(7) through (25) as paragraphs (4)
through (23), respectively; and
(IV) by striking paragraph (23), as
so redesignated;
(vi) in subsection (e)(1), by striking
``and the Office of Infrastructure
Protection''; and
(vii) in subsection (f)(1), by striking
``and the Office of Infrastructure
Protection'';
(D) by redesignating sections 223 through 230 (6
U.S.C. 143-151) as sections 2205 through 2212,
respectively, and inserting such redesignated sections
after section 2204, as added by this Act;
(E) by redesignating section 210E (6 U.S.C. 124) as
section 2213 and inserting such redesignated section
after section 2212;
(F) in subtitle B, by redesignating sections 211
through 215 (6 U.S.C. 101 note through 134) as sections
2214 through 2218, respectively, and inserting such
redesignated sections, including the subtitle B
designation (including the enumerator and heading),
after section 2213;
(3) in title XVIII (6 U.S.C. 571 et seq.)--
(A) in section 1801 (6 U.S.C. 571)--
(i) in the section heading, by striking
``office of emergency communications'' and
inserting ``emergency communications
division'';
(ii) in subsection (a)--
(I) by striking ``Office of
Emergency Communications'' and
inserting ``Emergency Communications
Division''; and
(II) by adding at the end the
following new sentence: ``The Division
shall be located in the Cybersecurity
and Infrastructure Protection
Agency.''; and
(iii) in subsection (b)--
(I) in the first sentence, by
striking ``Director for'' and inserting
``Deputy Director of''; and
(II) in the second sentence, by
striking ``Assistant Secretary for
Cybersecurity and Communications'' and
inserting ``Director of the
Cybersecurity and Infrastructure
Protection Agency''; and
(III) in subsection (e)--
(aa) in the matter
preceding paragraph (1), by
striking ``Director for'' and
inserting ``Deputy Director
of'';
(bb) by redesignating
paragraphs (1) and (2) as
paragraphs (2) and (3),
respectively; and
(cc) by inserting before
paragraph (2), as so
redesignated, the following new
paragraph:
``(1) with the Director of the Cybersecurity and
Infrastructure Protection Agency to carry out the consultation
and collaboration required under subsection (d)(4) of section
2202;'';
(B) in sections 1801 through 1805 (6 U.S.C. 575),
by striking ``Director for Emergency Communications''
each place it appears and inserting ``Deputy Director
of Emergency Communications'';
(C) in section 1809 (6 U.S.C. 579)--
(i) by striking ``Director for Emergency
Communications'' each place it appears and
inserting ``Deputy Director of Emergency
Communications''; and
(ii) by striking ``Office of Emergency
Communications'' each place it appears and
inserting ``Emergency Communications
Division'';
(D) in section 1810 (6 U.S.C. 580)--
(i) by striking ``Director'' each place it
appears and inserting ``Deputy Director'';
(ii) by striking ``Office of Emergency
Communications'' each place it appears and
inserting ``Emergency Communications
Division''; and
(iii) in subsection (a)(1), by striking
``Director of the Office of Emergency
Communications (referred to in this section as
the `Director')'' and inserting ``Deputy
Director of the Emergency Communications
Division (referred to in this section as the
`Deputy Director')'';
(4) in title XXI (6 U.S.C. 621 et seq.)--
(A) in section 2101 (6 U.S.C. 621)--
(i) by redesignating paragraphs (4) through
(14) as paragraphs (5) through (15),
respectively;
(ii) by inserting after paragraph (3) the
following new paragraph:
``(4) the term `Director' means the Director of the
Cybersecurity and Infrastructure Protection Agency;'';
(iii) by further redesignating paragraphs
(11) through (15) (as redesignated pursuant to
clause (i)) as paragraphs (12) through (16);
and
(iv) by inserting after paragraph (10) (as
redesignated pursuant to clause (i)) the
following new paragraph:
``(11) the term `Secretary' means the Secretary acting
through the Director;'';
(B) in paragraph (1) of section 2102(a) (6 U.S.C.
622(a)), by inserting at the end the following new
sentence: ``Such Programs shall be located in the
Cybersecurity and Infrastructure Protection Agency.'';
and
(C) in paragraph (2) of section 2104(c) (6 U.S.C.
624(c)), by striking ``Under Secretary responsible for
overseeing critical infrastructure protection,
cybersecurity, and other related programs of the
Department appointed under section 103(a)(1)(H)'' and
inserting ``Director of the Cybersecurity and
Infrastructure Protection Agency''; and
(5) in title XXII, as added by this Act--
(A) in section 2205, as so redesignated, in the
matter preceding paragraph (1), by striking ``Under
Secretary appointed under section 103(a)(1)(H)'' and
inserting ``Director of the Cybersecurity and
Infrastructure Protection Agency'';
(B) in section 2209, as so redesignated--
(i) by striking ``Under Secretary appointed
under section 103(a)(1)(H)'' each place it
appears and inserting ``Director of the
Cybersecurity and Infrastructure Protection
Agency'';
(ii) in subsection (b), by adding at the
end the following new sentences: ``The Center
shall be located in the Cybersecurity and
Infrastructure Protection Agency. The head of
the Center shall be an Assistant Director of
the Center, who shall report to the Principal
Deputy Director for Cybersecurity.''; and
(iii) in subsection (c), by striking
``Office of Emergency Communications'' and
inserting ``Emergency Communications
Division'';
(C) in section 2210, as so redesignated--
(i) by striking ``section 227'' each place
it appears and inserting ``section 2209''; and
(ii) in subsection (c), by striking ``Under
Secretary appointed under section
103(a)(1)(H)'' and inserting ``Director of the
Cybersecurity and Infrastructure Protection
Agency'';
(D) in section 2211, as so redesignated, by
striking ``section 212(5)'' and inserting ``section
2215(5)''; and
(E) in section 2212, as so redesignated, in
subsection (a)--
(i) in paragraph (3), by striking ``section
228'' and inserting ``section 2210''; and
(ii) in paragraph (4), by striking
``section 227'' and inserting ``section 2209''.
(e) Clerical Amendment.--The table of contents in section 1(b) of
the Homeland Security Act of 2002 is amended--
(1) by striking the item relating to section 210E;
(2) by striking the items relating to section 211 through
section 215, including the subtitle B designation (including
the enumerator and heading);
(3) by striking the items relating to section 223 through
section 230; and
(4) by adding at the end the following new items:
``TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE PROTECTION AGENCY
``Subtitle A--Cybersecurity and Infrastructure Protection
``Sec. 2201. Definitions.
``Sec. 2202. Cybersecurity and Infrastructure Protection Agency.
``Sec. 2203. Cybersecurity Division.
``Sec. 2204. Infrastructure Protection Division.
``Sec. 2205. Enhancement of Federal and non-Federal cybersecurity.
``Sec. 2206. Net guard.
``Sec. 2207. Cyber Security Enhancement Act of 2002.
``Sec. 2208. Cybersecurity recruitment and retention.
``Sec. 2209. National cybersecurity and communications integration
center.
``Sec. 2210. Cybersecurity plans.
``Sec. 2211. Clearances.
``Sec. 2212. Federal intrusion detection and prevention system.
``Sec. 2213. National Asset Database.
``Subtitle B--Critical Infrastructure Information
``Sec. 2214. Short title.
``Sec. 2215. Definitions.
``Sec. 2216. Designation of critical infrastructure protection program.
``Sec. 2217. Protection of voluntarily shared critical infrastructure
information.
``Sec. 2218. No private right of action.''.
SEC. 3. ESTABLISHMENT OF THE OFFICE OF BIOMETRIC IDENTITY MANAGEMENT.
(a) In General.--Title VII of the Homeland Security Act of 2002 (6
U.S.C. 341, et seq.) is amended by adding at the end the following new
section:
``SEC. 708. OFFICE OF BIOMETRIC IDENTITY MANAGEMENT.
``(a) Establishment.--The Office of Biometric Identity Management
is established within the Department.
``(b) Director.--
``(1) In general.--The Office of Biometric Identity
Management shall be administered by the Director of the Office
of Biometric Identity Management (in this section referred to
as the `Director') who shall report to the Under Secretary for
Management, or to another official of the Department, as the
Under Secretary for Management may direct.
``(2) Qualifications and duties.--The Director shall--
``(A) have significant professional management
experience, as well as experience in the field of
biometrics and identity management;
``(B) lead the Department's biometric identity
services to support anti-terrorism, counter-terrorism,
border security, credentialing, national security, and
public safety, and enable operational missions across
the Department by matching, storing, sharing, and
analyzing biometric data;
``(C) deliver biometric identity information and
analysis capabilities to--
``(i) the Department and its components;
``(ii) appropriate Federal, State, local,
territorial, and tribal agencies;
``(iii) appropriate foreign governments;
and
``(iv) appropriate private sector entities;
``(D) support the law enforcement, public safety,
national security, and homeland security missions of
other Federal, State, local, territorial, and tribal
agencies, as appropriate;
``(E) establish and manage the operation and
maintenance of the Department's sole biometric
repository;
``(F) establish, manage, and operate Biometric
Support Centers to provide biometric identification and
verification analysis and services to the Department,
appropriate Federal, State, local, territorial, and
tribal agencies, appropriate foreign governments, and
appropriate private sector entities;
``(G) in collaboration with the Undersecretary for
Science and Technology, establish a Department-wide
research and development program to support efforts in
assessment, development, and exploration of biometric
advancements and emerging technologies;
``(H) oversee Department-wide standards for
biometric conformity, and work to make such standards
Government-wide;
``(I) in coordination with the Department's Office
of Policy, and in consultation with relevant component
offices and headquarters offices, enter into data
sharing agreements with appropriate Federal agencies to
support immigration, law enforcement, national
security, and public safety missions;
``(J) maximize interoperability with other Federal,
State, local, and international biometric systems, as
appropriate; and
``(K) carry out the duties and powers prescribed by
law or delegated by the Secretary.
``(c) Deputy Director.--There shall be in the Office of Biometric
Identity Management a Deputy Director, who shall assist the Director in
the management of the Office.
``(d) Chief Technology Officer.--
``(1) In general.--There shall be in the Office of
Biometric Identity Management a Chief Technology Officer.
``(2) Duties.--The Chief Technology Officer shall--
``(A) ensure compliance with policies, processes,
standards, guidelines, and procedures related to
information technology systems management, enterprise
architecture, and data management;
``(B) provide engineering and enterprise
architecture guidance and direction to the Office of
Biometric Identity Management; and
``(C) leverage emerging biometric technologies to
recommend improvements to major enterprise
applications, identify tools to optimize information
technology systems performance, and develop and promote
joint technology solutions to improve services to
enhance mission effectiveness.
``(e) Other Authorities.--
``(1) In general.--The Director may establish such other
offices within the Office of Biometric Identity Management as
the Director determines necessary to carry out the missions,
duties, functions, and authorities of the Office.
``(2) Notification.--If the Director exercises the
authority provided by paragraph (1), the Director shall notify
the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate not later than 30 days
before exercising such authority.''.
(b) Transfer Limitation.--The Secretary of Homeland Security may
not transfer the location or reporting structure of the Office of
Biometric Identity Management (established by section 708 of the
Homeland Security Act of 2002, as added by subsection (a) of this
section) to any component of the Department of Homeland Security.
(c) Clerical Amendment.--The table of contents in section 1(b) of
the Homeland Security Act of 2002 is amended by adding after the item
relating to section 707 the following new item:
``Sec. 708. Office of Biometric Identity Management.''.
SEC. 4. RULE OF CONSTRUCTION.
Nothing in this Act may be construed to confer new authorities to
the Secretary of Homeland Security, including programmatic and
regulatory authorities, outside of the authorities that existed on the
day before the date of the enactment of this Act.
SEC. 5. PROHIBITION ON ADDITIONAL FUNDING.
No additional funds are authorized to be appropriated to carry out
this Act or the amendments made by this Act.