[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[S. 754 Engrossed in Senate (ES)]
<DOC>
114th CONGRESS
1st Session
S. 754
_______________________________________________________________________
AN ACT
To improve cybersecurity in the United States through enhanced sharing
of information about cybersecurity threats, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. TABLE OF CONTENTS.
The table of contents of this Act is as follows:
Sec. 1. Table of contents.
TITLE I--CYBERSECURITY INFORMATION SHARING
Sec. 101. Short title.
Sec. 102. Definitions.
Sec. 103. Sharing of information by the Federal Government.
Sec. 104. Authorizations for preventing, detecting, analyzing, and
mitigating cybersecurity threats.
Sec. 105. Sharing of cyber threat indicators and defensive measures
with the Federal Government.
Sec. 106. Protection from liability.
Sec. 107. Oversight of Government activities.
Sec. 108. Construction and preemption.
Sec. 109. Report on cybersecurity threats.
Sec. 110. Conforming amendment.
TITLE II--FEDERAL CYBERSECURITY ENHANCEMENT
Sec. 201. Short title.
Sec. 202. Definitions.
Sec. 203. Improved Federal network security.
Sec. 204. Advanced internal defenses.
Sec. 205. Federal cybersecurity requirements.
Sec. 206. Assessment; reports.
Sec. 207. Termination.
Sec. 208. Identification of information systems relating to national
security.
Sec. 209. Direction to agencies.
TITLE III--FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT
Sec. 301. Short title.
Sec. 302. Definitions.
Sec. 303. National cybersecurity workforce measurement initiative.
Sec. 304. Identification of cyber-related roles of critical need.
Sec. 305. Government Accountability Office status reports.
TITLE IV--OTHER CYBER MATTERS
Sec. 401. Study on mobile device security.
Sec. 402. Department of State international cyberspace policy strategy.
Sec. 403. Apprehension and prosecution of international cyber
criminals.
Sec. 404. Enhancement of emergency services.
Sec. 405. Improving cybersecurity in the health care industry.
Sec. 406. Federal computer security.
Sec. 407. Strategy to protect critical infrastructure at greatest risk.
Sec. 408. Stopping the fraudulent sale of financial information of
people of the United States.
Sec. 409. Effective period.
TITLE I--CYBERSECURITY INFORMATION SHARING
SEC. 101. SHORT TITLE.
This title may be cited as the ``Cybersecurity Information Sharing
Act of 2015''.
SEC. 102. DEFINITIONS.
In this title:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in section 1 of
the Clayton Act (15 U.S.C. 12);
(B) includes section 5 of the Federal Trade
Commission Act (15 U.S.C. 45) to the extent that
section 5 of that Act applies to unfair methods of
competition; and
(C) includes any State law that has the same intent
and effect as the laws under subparagraphs (A) and (B).
(3) Appropriate federal entities.--The term ``appropriate
Federal entities'' means the following:
(A) The Department of Commerce.
(B) The Department of Defense.
(C) The Department of Energy.
(D) The Department of Homeland Security.
(E) The Department of Justice.
(F) The Department of the Treasury.
(G) The Office of the Director of National
Intelligence.
(4) Cybersecurity purpose.--The term ``cybersecurity
purpose'' means the purpose of protecting an information system
or information that is stored on, processed by, or transiting
an information system from a cybersecurity threat or security
vulnerability.
(5) Cybersecurity threat.--
(A) In general.--Except as provided in subparagraph
(B), the term ``cybersecurity threat'' means an action,
not protected by the First Amendment to the
Constitution of the United States, on or through an
information system that may result in an unauthorized
effort to adversely impact the security, availability,
confidentiality, or integrity of an information system
or information that is stored on, processed by, or
transiting an information system.
(B) Exclusion.--The term ``cybersecurity threat''
does not include any action that solely involves a
violation of a consumer term of service or a consumer
licensing agreement.
(6) Cyber threat indicator.--The term ``cyber threat
indicator'' means information that is necessary to describe or
identify--
(A) malicious reconnaissance, including anomalous
patterns of communications that appear to be
transmitted for the purpose of gathering technical
information related to a cybersecurity threat or
security vulnerability;
(B) a method of defeating a security control or
exploitation of a security vulnerability;
(C) a security vulnerability, including anomalous
activity that appears to indicate the existence of a
security vulnerability;
(D) a method of causing a user with legitimate
access to an information system or information that is
stored on, processed by, or transiting an information
system to unwittingly enable the defeat of a security
control or exploitation of a security vulnerability;
(E) malicious cyber command and control;
(F) the actual or potential harm caused by an
incident, including a description of the information
exfiltrated as a result of a particular cybersecurity
threat;
(G) any other attribute of a cybersecurity threat,
if disclosure of such attribute is not otherwise
prohibited by law; or
(H) any combination thereof.
(7) Defensive measure.--
(A) In general.--Except as provided in subparagraph
(B), the term ``defensive measure'' means an action,
device, procedure, signature, technique, or other
measure applied to an information system or information
that is stored on, processed by, or transiting an
information system that detects, prevents, or mitigates
a known or suspected cybersecurity threat or security
vulnerability.
(B) Exclusion.--The term ``defensive measure'' does
not include a measure that destroys, renders unusable,
provides unauthorized access to, or substantially harms
an information system or data on an information system
not belonging to--
(i) the private entity operating the
measure; or
(ii) another entity or Federal entity that
is authorized to provide consent and has
provided consent to that private entity for
operation of such measure.
(8) Entity.--
(A) In general.--Except as otherwise provided in
this paragraph, the term ``entity'' means any private
entity, non-Federal government agency or department, or
State, tribal, or local government (including a
political subdivision, department, or component
thereof).
(B) Inclusions.--The term ``entity'' includes a
government agency or department of the District of
Columbia, the Commonwealth of Puerto Rico, the Virgin
Islands, Guam, American Samoa, the Northern Mariana
Islands, and any other territory or possession of the
United States.
(C) Exclusion.--The term ``entity'' does not
include a foreign power as defined in section 101 of
the Foreign Intelligence Surveillance Act of 1978 (50
U.S.C. 1801).
(9) Federal entity.--The term ``Federal entity'' means a
department or agency of the United States or any component of
such department or agency.
(10) Information system.--The term ``information system''--
(A) has the meaning given the term in section 3502
of title 44, United States Code; and
(B) includes industrial control systems, such as
supervisory control and data acquisition systems,
distributed control systems, and programmable logic
controllers.
(11) Local government.--The term ``local government'' means
any borough, city, county, parish, town, township, village, or
other political subdivision of a State.
(12) Malicious cyber command and control.--The term
``malicious cyber command and control'' means a method for
unauthorized remote identification of, access to, or use of, an
information system or information that is stored on, processed
by, or transiting an information system.
(13) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning security vulnerabilities of the information system,
if such method is associated with a known or suspected
cybersecurity threat.
(14) Monitor.--The term ``monitor'' means to acquire,
identify, or scan, or to possess, information that is stored
on, processed by, or transiting an information system.
(15) Private entity.--
(A) In general.--Except as otherwise provided in
this paragraph, the term ``private entity'' means any
person or private group, organization, proprietorship,
partnership, trust, cooperative, corporation, or other
commercial or nonprofit entity, including an officer,
employee, or agent thereof.
(B) Inclusion.--The term ``private entity''
includes a State, tribal, or local government
performing electric or other utility services.
(C) Exclusion.--The term ``private entity'' does
not include a foreign power as defined in section 101
of the Foreign Intelligence Surveillance Act of 1978
(50 U.S.C. 1801).
(16) Security control.--The term ``security control'' means
the management, operational, and technical controls used to
protect against an unauthorized effort to adversely affect the
confidentiality, integrity, and availability of an information
system or its information.
(17) Security vulnerability.--The term ``security
vulnerability'' means any attribute of hardware, software,
process, or procedure that could enable or facilitate the
defeat of a security control.
(18) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian Self-
Determination and Education Assistance Act (25 U.S.C. 450b).
SEC. 103. SHARING OF INFORMATION BY THE FEDERAL GOVERNMENT.
(a) In General.--Consistent with the protection of classified
information, intelligence sources and methods, and privacy and civil
liberties, the Director of National Intelligence, the Secretary of
Homeland Security, the Secretary of Defense, and the Attorney General,
in consultation with the heads of the appropriate Federal entities,
shall develop and promulgate procedures to facilitate and promote--
(1) the timely sharing of classified cyber threat
indicators in the possession of the Federal Government with
cleared representatives of relevant entities;
(2) the timely sharing with relevant entities of cyber
threat indicators or information in the possession of the
Federal Government that may be declassified and shared at an
unclassified level;
(3) the sharing with relevant entities, or the public if
appropriate, of unclassified, including controlled
unclassified, cyber threat indicators in the possession of the
Federal Government;
(4) the sharing with entities, if appropriate, of
information in the possession of the Federal Government about
cybersecurity threats to such entities to prevent or mitigate
adverse effects from such cybersecurity threats; and
(5) the periodic sharing, through publication and targeted
outreach, of cybersecurity best practices that are developed
based on ongoing analysis of cyber threat indicators and
information in possession of the Federal Government, with
attention to accessibility and implementation challenges faced
by small business concerns (as defined in section 3 of the
Small Business Act (15 U.S.C. 632)).
(b) Development of Procedures.--
(1) In general.--The procedures developed and promulgated
under subsection (a) shall--
(A) ensure the Federal Government has and maintains
the capability to share cyber threat indicators in real
time consistent with the protection of classified
information;
(B) incorporate, to the greatest extent
practicable, existing processes and existing roles and
responsibilities of Federal and non-Federal entities
for information sharing by the Federal Government,
including sector specific information sharing and
analysis centers;
(C) include procedures for notifying, in a timely
manner, entities that have received a cyber threat
indicator from a Federal entity under this title that
is known or determined to be in error or in
contravention of the requirements of this title or
another provision of Federal law or policy of such
error or contravention;
(D) include requirements for Federal entities
sharing cyber threat indicators or defensive measures
to implement and utilize security controls to protect
against unauthorized access to or acquisition of such
cyber threat indicators or defensive measures;
(E) include procedures that require a Federal
entity, prior to the sharing of a cyber threat
indicator--
(i) to review such cyber threat indicator
to assess whether such cyber threat indicator
contains any information that such Federal
entity knows at the time of sharing to be
personal information or information that
identifies a specific person not directly
related to a cybersecurity threat and remove
such information; or
(ii) to implement and utilize a technical
capability configured to remove any personal
information or information that identifies a
specific person not directly related to a
cybersecurity threat; and
(F) include procedures for notifying, in a timely
manner, any United States person whose personal
information is known or determined to have been shared
by a Federal entity in violation of this Act.
(2) Coordination.--In developing the procedures required
under this section, the Director of National Intelligence, the
Secretary of Homeland Security, the Secretary of Defense, and
the Attorney General shall coordinate with appropriate Federal
entities, including the Small Business Administration and the
National Laboratories (as defined in section 2 of the Energy
Policy Act of 2005 (42 U.S.C. 15801)), to ensure that effective
protocols are implemented that will facilitate and promote the
sharing of cyber threat indicators by the Federal Government in
a timely manner.
(c) Submittal to Congress.--Not later than 60 days after the date
of the enactment of this Act, the Director of National Intelligence, in
consultation with the heads of the appropriate Federal entities, shall
submit to Congress the procedures required by subsection (a).
SEC. 104. AUTHORIZATIONS FOR PREVENTING, DETECTING, ANALYZING, AND
MITIGATING CYBERSECURITY THREATS.
(a) Authorization for Monitoring.--
(1) In general.--Notwithstanding any other provision of
law, a private entity may, for cybersecurity purposes,
monitor--
(A) an information system of such private entity;
(B) an information system of another entity, upon
the authorization and written consent of such other
entity;
(C) an information system of a Federal entity, upon
the authorization and written consent of an authorized
representative of the Federal entity; and
(D) information that is stored on, processed by, or
transiting an information system monitored by the
private entity under this paragraph.
(2) Construction.--Nothing in this subsection shall be
construed--
(A) to authorize the monitoring of an information
system, or the use of any information obtained through
such monitoring, other than as provided in this title;
or
(B) to limit otherwise lawful activity.
(b) Authorization for Operation of Defensive Measures.--
(1) In general.--Notwithstanding any other provision of
law, a private entity may, for cybersecurity purposes, operate
a defensive measure that is applied to--
(A) an information system of such private entity in
order to protect the rights or property of the private
entity;
(B) an information system of another entity upon
written consent of such entity for operation of such
defensive measure to protect the rights or property of
such entity; and
(C) an information system of a Federal entity upon
written consent of an authorized representative of such
Federal entity for operation of such defensive measure
to protect the rights or property of the Federal
Government.
(2) Construction.--Nothing in this subsection shall be
construed--
(A) to authorize the use of a defensive measure
other than as provided in this subsection; or
(B) to limit otherwise lawful activity.
(c) Authorization for Sharing or Receiving Cyber Threat Indicators
or Defensive Measures.--
(1) In general.--Except as provided in paragraph (2) and
notwithstanding any other provision of law, an entity may, for
a cybersecurity purpose and consistent with the protection of
classified information, share with, or receive from, any other
entity or the Federal Government a cyber threat indicator or
defensive measure.
(2) Lawful restriction.--An entity receiving a cyber threat
indicator or defensive measure from another entity or Federal
entity shall comply with otherwise lawful restrictions placed
on the sharing or use of such cyber threat indicator or
defensive measure by the sharing entity or Federal entity.
(3) Construction.--Nothing in this subsection shall be
construed--
(A) to authorize the sharing or receiving of a
cyber threat indicator or defensive measure other than
as provided in this subsection; or
(B) to limit otherwise lawful activity.
(d) Protection and Use of Information.--
(1) Security of information.--An entity monitoring an
information system, operating a defensive measure, or providing
or receiving a cyber threat indicator or defensive measure
under this section shall implement and utilize a security
control to protect against unauthorized access to or
acquisition of such cyber threat indicator or defensive
measure.
(2) Removal of certain personal information.--An entity
sharing a cyber threat indicator pursuant to this title shall,
prior to such sharing--
(A) review such cyber threat indicator to assess
whether such cyber threat indicator contains any
information that the entity knows at the time of
sharing to be personal information or information that
identifies a specific person not directly related to a
cybersecurity threat and remove such information; or
(B) implement and utilize a technical capability
configured to remove any information contained within
such indicator that the entity knows at the time of
sharing to be personal information or information that
identifies a specific person not directly related to a
cybersecurity threat.
(3) Use of cyber threat indicators and defensive measures
by entities.--
(A) In general.--Consistent with this title, a
cyber threat indicator or defensive measure shared or
received under this section may, for cybersecurity
purposes--
(i) be used by an entity to monitor or
operate a defensive measure that is applied
to--
(I) an information system of the
entity; or
(II) an information system of
another entity or a Federal entity upon
the written consent of that other
entity or that Federal entity; and
(ii) be otherwise used, retained, and
further shared by an entity subject to--
(I) an otherwise lawful restriction
placed by the sharing entity or Federal
entity on such cyber threat indicator
or defensive measure; or
(II) an otherwise applicable
provision of law.
(B) Construction.--Nothing in this paragraph shall
be construed to authorize the use of a cyber threat
indicator or defensive measure other than as provided
in this section.
(4) Use of cyber threat indicators by state, tribal, or
local government.--
(A) Law enforcement use.--
(i) Prior written consent.--Except as
provided in clause (ii), a cyber threat
indicator shared with a State, tribal, or local
government under this section may, with the
prior written consent of the entity sharing
such indicator, be used by a State, tribal, or
local government for the purpose of preventing,
investigating, or prosecuting any of the
offenses described in section 105(d)(5)(A)(vi).
(ii) Oral consent.--If exigent
circumstances prevent obtaining written consent
under clause (i), such consent may be provided
orally with subsequent documentation of the
consent.
(B) Exemption from disclosure.--A cyber threat
indicator shared with a State, tribal, or local
government under this section shall be--
(i) deemed voluntarily shared information;
and
(ii) exempt from disclosure under any
State, tribal, or local law requiring
disclosure of information or records.
(C) State, tribal, and local regulatory
authority.--
(i) In general.--Except as provided in
clause (ii), a cyber threat indicator or
defensive measure shared with a State, tribal,
or local government under this title shall not
be directly used by any State, tribal, or local
government to regulate, including an
enforcement action, the lawful activity of any
entity, including an activity relating to
monitoring, operating a defensive measure, or
sharing of a cyber threat indicator.
(ii) Regulatory authority specifically
relating to prevention or mitigation of
cybersecurity threats.--A cyber threat
indicator or defensive measure shared as
described in clause (i) may, consistent with a
State, tribal, or local government regulatory
authority specifically relating to the
prevention or mitigation of cybersecurity
threats to information systems, inform the
development or implementation of a regulation
relating to such information systems.
(e) Antitrust Exemption.--
(1) In general.--Except as provided in section 108(e), it
shall not be considered a violation of any provision of
antitrust laws for 2 or more private entities to exchange or
provide a cyber threat indicator, or assistance relating to the
prevention, investigation, or mitigation of a cybersecurity
threat, for cybersecurity purposes under this title.
(2) Applicability.--Paragraph (1) shall apply only to
information that is exchanged or assistance provided in order
to assist with--
(A) facilitating the prevention, investigation, or
mitigation of a cybersecurity threat to an information
system or information that is stored on, processed by,
or transiting an information system; or
(B) communicating or disclosing a cyber threat
indicator to help prevent, investigate, or mitigate the
effect of a cybersecurity threat to an information
system or information that is stored on, processed by,
or transiting an information system.
(f) No Right or Benefit.--The sharing of a cyber threat indicator
with an entity under this title shall not create a right or benefit to
similar information by such entity or any other entity.
SEC. 105. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES
WITH THE FEDERAL GOVERNMENT.
(a) Requirement for Policies and Procedures.--
(1) Interim policies and procedures.--Not later than 60
days after the date of the enactment of this Act, the Attorney
General and the Secretary of Homeland Security shall, in
coordination with the heads of the appropriate Federal
entities, develop and submit to Congress interim policies and
procedures relating to the receipt of cyber threat indicators
and defensive measures by the Federal Government.
(2) Final policies and procedures.--Not later than 180 days
after the date of the enactment of this Act, the Attorney
General and the Secretary of Homeland Security shall, in
coordination with the heads of the appropriate Federal
entities, promulgate final policies and procedures relating to
the receipt of cyber threat indicators and defensive measures
by the Federal Government.
(3) Requirements concerning policies and procedures.--
Consistent with the guidelines required by subsection (b), the
policies and procedures developed and promulgated under this
subsection shall--
(A) ensure that cyber threat indicators shared with
the Federal Government by any entity pursuant to
section 104(c) through the real-time process described
in subsection (c) of this section--
(i) are shared in an automated manner with
all of the appropriate Federal entities;
(ii) are only subject to a delay,
modification, or other action due to controls
established for such real-time process that
could impede real-time receipt by all of the
appropriate Federal entities when the delay,
modification, or other action is due to
controls--
(I) agreed upon unanimously by all
of the heads of the appropriate Federal
entities;
(II) carried out before any of the
appropriate Federal entities retains or
uses the cyber threat indicators or
defensive measures; and
(III) uniformly applied such that
each of the appropriate Federal
entities is subject to the same delay,
modification, or other action; and
(iii) may be provided to other Federal
entities;
(B) ensure that cyber threat indicators shared with
the Federal Government by any entity pursuant to
section 104 in a manner other than the real time
process described in subsection (c) of this section--
(i) are shared as quickly as operationally
practicable with all of the appropriate Federal
entities;
(ii) are not subject to any unnecessary
delay, interference, or any other action that
could impede receipt by all of the appropriate
Federal entities; and
(iii) may be provided to other Federal
entities;
(C) consistent with this title, any other
applicable provisions of law, and the fair information
practice principles set forth in appendix A of the
document entitled ``National Strategy for Trusted
Identities in Cyberspace'' and published by the
President in April, 2011, govern the retention, use,
and dissemination by the Federal Government of cyber
threat indicators shared with the Federal Government
under this title, including the extent, if any, to
which such cyber threat indicators may be used by the
Federal Government; and
(D) ensure there are--
(i) audit capabilities; and
(ii) appropriate sanctions in place for
officers, employees, or agents of a Federal
entity who knowingly and willfully conduct
activities under this title in an unauthorized
manner.
(4) Guidelines for entities sharing cyber threat indicators
with federal government.--
(A) In general.--Not later than 60 days after the
date of the enactment of this Act, the Attorney General
and the Secretary of Homeland Security shall develop
and make publicly available guidance to assist entities
and promote sharing of cyber threat indicators with
Federal entities under this title.
(B) Contents.--The guidelines developed and made
publicly available under subparagraph (A) shall include
guidance on the following:
(i) Identification of types of information
that would qualify as a cyber threat indicator
under this title that would be unlikely to
include personal information or information
that identifies a specific person not directly
related to a cybersecurity threat.
(ii) Identification of types of information
protected under otherwise applicable privacy
laws that are unlikely to be directly related
to a cybersecurity threat.
(iii) Such other matters as the Attorney
General and the Secretary of Homeland Security
consider appropriate for entities sharing cyber
threat indicators with Federal entities under
this title.
(b) Privacy and Civil Liberties.--
(1) Guidelines of attorney general.--Not later than 60 days
after the date of the enactment of this Act, the Attorney
General shall, in coordination with heads of the appropriate
Federal entities and in consultation with officers designated
under section 1062 of the National Security Intelligence Reform
Act of 2004 (42 U.S.C. 2000ee-1), develop, submit to Congress,
and make available to the public interim guidelines relating to
privacy and civil liberties which shall govern the receipt,
retention, use, and dissemination of cyber threat indicators by
a Federal entity obtained in connection with activities
authorized in this title.
(2) Final guidelines.--
(A) In general.--Not later than 180 days after the
date of the enactment of this Act, the Attorney General
shall, in coordination with heads of the appropriate
Federal entities and in consultation with officers
designated under section 1062 of the National Security
Intelligence Reform Act of 2004 (42 U.S.C. 2000ee-1)
and such private entities with industry expertise as
the Attorney General considers relevant, promulgate
final guidelines relating to privacy and civil
liberties which shall govern the receipt, retention,
use, and dissemination of cyber threat indicators by a
Federal entity obtained in connection with activities
authorized in this title.
(B) Periodic review.--The Attorney General shall,
in coordination with heads of the appropriate Federal
entities and in consultation with officers and private
entities described in subparagraph (A), periodically,
but not less frequently than once every two years,
review the guidelines promulgated under subparagraph
(A).
(3) Content.--The guidelines required by paragraphs (1) and
(2) shall, consistent with the need to protect information
systems from cybersecurity threats and mitigate cybersecurity
threats--
(A) limit the effect on privacy and civil liberties
of activities by the Federal Government under this
title;
(B) limit the receipt, retention, use, and
dissemination of cyber threat indicators containing
personal information or information that identifies
specific persons, including by establishing--
(i) a process for the timely destruction of
such information that is known not to be
directly related to uses authorized under this
title; and
(ii) specific limitations on the length of
any period in which a cyber threat indicator
may be retained;
(C) include requirements to safeguard cyber threat
indicators containing personal information or
information that identifies specific persons from
unauthorized access or acquisition, including
appropriate sanctions for activities by officers,
employees, or agents of the Federal Government in
contravention of such guidelines;
(D) include procedures for notifying entities and
Federal entities if information received pursuant to
this section is known or determined by a Federal entity
receiving such information not to constitute a cyber
threat indicator;
(E) protect the confidentiality of cyber threat
indicators containing personal information or
information that identifies specific persons to the
greatest extent practicable and require recipients to
be informed that such indicators may only be used for
purposes authorized under this title; and
(F) include steps that may be needed so that
dissemination of cyber threat indicators is consistent
with the protection of classified and other sensitive
national security information.
(c) Capability and Process Within the Department of Homeland
Security.--
(1) In general.--Not later than 90 days after the date of
the enactment of this Act, the Secretary of Homeland Security,
in coordination with the heads of the appropriate Federal
entities, shall develop and implement a capability and process
within the Department of Homeland Security that--
(A) shall accept from any entity in real time cyber
threat indicators and defensive measures, pursuant to
this section;
(B) shall, upon submittal of the certification
under paragraph (2) that such capability and process
fully and effectively operates as described in such
paragraph, be the process by which the Federal
Government receives cyber threat indicators and
defensive measures under this title that are shared by
a private entity with the Federal Government through
electronic mail or media, an interactive form on an
Internet website, or a real time, automated process
between information systems except--
(i) consistent with section 104,
communications between a Federal entity and a
private entity regarding a previously shared
cyber threat indicator to describe the relevant
cybersecurity threat or develop a defensive
measure based on such cyber threat indicator;
and
(ii) communications by a regulated entity
with such entity's Federal regulatory authority
regarding a cybersecurity threat;
(C) ensures that all of the appropriate Federal
entities receive in an automated manner such cyber
threat indicators shared through the real-time process
within the Department of Homeland Security;
(D) is in compliance with the policies, procedures,
and guidelines required by this section; and
(E) does not limit or prohibit otherwise lawful
disclosures of communications, records, or other
information, including--
(i) reporting of known or suspected
criminal activity, by an entity to any other
entity or a Federal entity;
(ii) voluntary or legally compelled
participation in a Federal investigation; and
(iii) providing cyber threat indicators or
defensive measures as part of a statutory or
authorized contractual requirement.
(2) Certification.--Not later than 10 days prior to the
implementation of the capability and process required by
paragraph (1), the Secretary of Homeland Security shall, in
consultation with the heads of the appropriate Federal
entities, certify to Congress whether such capability and
process fully and effectively operates--
(A) as the process by which the Federal Government
receives from any entity a cyber threat indicator or
defensive measure under this title; and
(B) in accordance with the policies, procedures,
and guidelines developed under this section.
(3) Public notice and access.--The Secretary of Homeland
Security shall ensure there is public notice of, and access to,
the capability and process developed and implemented under
paragraph (1) so that--
(A) any entity may share cyber threat indicators
and defensive measures through such process with the
Federal Government; and
(B) all of the appropriate Federal entities receive
such cyber threat indicators and defensive measures in
real time with receipt through the process within the
Department of Homeland Security.
(4) Other federal entities.--The process developed and
implemented under paragraph (1) shall ensure that other Federal
entities receive in a timely manner any cyber threat indicators
and defensive measures shared with the Federal Government
through such process.
(5) Report on development and implementation.--
(A) In general.--Not later than 60 days after the
date of the enactment of this Act, the Secretary of
Homeland Security shall submit to Congress a report on
the development and implementation of the capability
and process required by paragraph (1), including a
description of such capability and process and the
public notice of, and access to, such process.
(B) Classified annex.--The report required by
subparagraph (A) shall be submitted in unclassified
form, but may include a classified annex.
(d) Information Shared With or Provided to the Federal
Government.--
(1) No waiver of privilege or protection.--The provision of
cyber threat indicators and defensive measures to the Federal
Government under this title shall not constitute a waiver of
any applicable privilege or protection provided by law,
including trade secret protection.
(2) Proprietary information.--Consistent with section
104(c)(2), a cyber threat indicator or defensive measure
provided by an entity to the Federal Government under this
title shall be considered the commercial, financial, and
proprietary information of such entity when so designated by
the originating entity or a third party acting in accordance
with the written authorization of the originating entity.
(3) Exemption from disclosure.--Cyber threat indicators and
defensive measures provided to the Federal Government under
this title shall be--
(A) deemed voluntarily shared information and
exempt from disclosure under section 552 of title 5,
United States Code, and any State, tribal, or local law
requiring disclosure of information or records; and
(B) withheld, without discretion, from the public
under section 552(b)(3)(B) of title 5, United States
Code, and any State, tribal, or local provision of law
requiring disclosure of information or records.
(4) Ex parte communications.--The provision of a cyber
threat indicator or defensive measure to the Federal Government
under this title shall not be subject to a rule of any Federal
agency or department or any judicial doctrine regarding ex
parte communications with a decision-making official.
(5) Disclosure, retention, and use.--
(A) Authorized activities.--Cyber threat indicators
and defensive measures provided to the Federal
Government under this title may be disclosed to,
retained by, and used by, consistent with otherwise
applicable provisions of Federal law, any Federal
agency or department, component, officer, employee, or
agent of the Federal Government solely for--
(i) a cybersecurity purpose;
(ii) the purpose of identifying a
cybersecurity threat, including the source of
such cybersecurity threat, or a security
vulnerability;
(iii) the purpose of identifying a
cybersecurity threat involving the use of an
information system by a foreign adversary or
terrorist;
(iv) the purpose of responding to, or
otherwise preventing or mitigating, an imminent
threat of death, serious bodily harm, or
serious economic harm, including a terrorist
act or a use of a weapon of mass destruction;
(v) the purpose of responding to, or
otherwise preventing or mitigating, a serious
threat to a minor, including sexual
exploitation and threats to physical safety; or
(vi) the purpose of preventing,
investigating, disrupting, or prosecuting an
offense arising out of a threat described in
clause (iv) or any of the offenses listed in--
(I) sections 1028 through 1030 of
title 18, United States Code (relating
to fraud and identity theft);
(II) chapter 37 of such title
(relating to espionage and censorship);
and
(III) chapter 90 of such title
(relating to protection of trade
secrets).
(B) Prohibited activities.--Cyber threat indicators
and defensive measures provided to the Federal
Government under this title shall not be disclosed to,
retained by, or used by any Federal agency or
department for any use not permitted under subparagraph
(A).
(C) Privacy and civil liberties.--Cyber threat
indicators and defensive measures provided to the
Federal Government under this title shall be retained,
used, and disseminated by the Federal Government--
(i) in accordance with the policies,
procedures, and guidelines required by
subsections (a) and (b);
(ii) in a manner that protects from
unauthorized use or disclosure any cyber threat
indicators that may contain personal
information or information that identifies
specific persons; and
(iii) in a manner that protects the
confidentiality of cyber threat indicators
containing personal information or information
that identifies a specific person.
(D) Federal regulatory authority.--
(i) In general.--Except as provided in
clause (ii), cyber threat indicators and
defensive measures provided to the Federal
Government under this title shall not be
directly used by any Federal, State, tribal, or
local government to regulate, including an
enforcement action, the lawful activities of
any entity, including activities relating to
monitoring, operating defensive measures, or
sharing cyber threat indicators.
(ii) Exceptions.--
(I) Regulatory authority
specifically relating to prevention or
mitigation of cybersecurity threats.--
Cyber threat indicators and defensive
measures provided to the Federal
Government under this title may,
consistent with Federal or State
regulatory authority specifically
relating to the prevention or
mitigation of cybersecurity threats to
information systems, inform the
development or implementation of
regulations relating to such
information systems.
(II) Procedures developed and
implemented under this title.--Clause
(i) shall not apply to procedures
developed and implemented under this
title.
SEC. 106. PROTECTION FROM LIABILITY.
(a) Monitoring of Information Systems.--No cause of action shall
lie or be maintained in any court against any private entity, and such
action shall be promptly dismissed, for the monitoring of information
systems and information under section 104(a) that is conducted in
accordance with this title.
(b) Sharing or Receipt of Cyber Threat Indicators.--No cause of
action shall lie or be maintained in any court against any entity, and
such action shall be promptly dismissed, for the sharing or receipt of
cyber threat indicators or defensive measures under section 104(c) if--
(1) such sharing or receipt is conducted in accordance with
this title; and
(2) in a case in which a cyber threat indicator or
defensive measure is shared with the Federal Government, the
cyber threat indicator or defensive measure is shared in a
manner that is consistent with section 105(c)(1)(B) and the
sharing or receipt, as the case may be, occurs after the
earlier of--
(A) the date on which the interim policies and
procedures are submitted to Congress under section
105(a)(1) and guidelines are submitted to Congress
under section 105(b)(1); or
(B) the date that is 60 days after the date of the
enactment of this Act.
(c) Construction.--Nothing in this section shall be construed--
(1) to require dismissal of a cause of action against an
entity that has engaged in gross negligence or willful
misconduct in the course of conducting activities authorized by
this title; or
(2) to undermine or limit the availability of otherwise
applicable common law or statutory defenses.
SEC. 107. OVERSIGHT OF GOVERNMENT ACTIVITIES.
(a) Biennial Report on Implementation.--
(1) In general.--Not later than 1 year after the date of
the enactment of this Act, and not less frequently than once
every 2 years thereafter, the heads of the appropriate Federal
entities shall jointly submit and the Inspector General of the
Department of Homeland Security, the Inspector General of the
Intelligence Community, the Inspector General of the Department
of Justice, the Inspector General of the Department of Defense,
and the Inspector General of the Department of Energy, in
consultation with the Council of Inspectors General on
Financial Oversight, shall jointly submit to Congress a
detailed report concerning the implementation of this title
during--
(A) in the case of the first report submitted under
this paragraph, the most recent 1-year period; and
(B) in the case of any subsequent report submitted
under this paragraph, the most recent 2-year period.
(2) Contents.--Each report submitted under paragraph (1)
shall include, for the period covered by the report, the
following:
(A) An assessment of the sufficiency of the
policies, procedures, and guidelines required by
section 105 in ensuring that cyber threat indicators
are shared effectively and responsibly within the
Federal Government.
(B) An evaluation of the effectiveness of real-time
information sharing through the capability and process
developed under section 105(c), including any
impediments to such real-time sharing.
(C) An assessment of the sufficiency of the
procedures developed under section 103 in ensuring that
cyber threat indicators in the possession of the
Federal Government are shared in a timely and adequate
manner with appropriate entities, or, if appropriate,
are made publicly available.
(D) An assessment of whether cyber threat
indicators have been properly classified and an
accounting of the number of security clearances
authorized by the Federal Government for the purposes
of this title.
(E) A review of the type of cyber threat indicators
shared with the appropriate Federal entities under this
title, including the following:
(i) The number of cyber threat indicators
received through the capability and process
developed under section 105(c).
(ii) The number of times that information
shared under this title was used by a Federal
entity to prosecute an offense consistent with
section 105(d)(5)(A).
(iii) The degree to which such information
may affect the privacy and civil liberties of
specific persons.
(iv) A quantitative and qualitative
assessment of the effect of the sharing of such
cyber threat indicators with the Federal
Government on privacy and civil liberties of
specific persons, including the number of
notices that were issued with respect to a
failure to remove personal information or
information that identified a specific person
not directly related to a cybersecurity threat
in accordance with the procedures required by
section 105(b)(3)(D).
(v) The adequacy of any steps taken by the
Federal Government to reduce such effect.
(F) A review of actions taken by the Federal
Government based on cyber threat indicators shared with
the Federal Government under this title, including the
appropriateness of any subsequent use or dissemination
of such cyber threat indicators by a Federal entity
under section 105.
(G) A description of any significant violations of
the requirements of this title by the Federal
Government.
(H) A summary of the number and type of entities
that received classified cyber threat indicators from
the Federal Government under this title and an
evaluation of the risks and benefits of sharing such
cyber threat indicators.
(3) Recommendations.--Each report submitted under paragraph
(1) may include recommendations for improvements or
modifications to the authorities and processes under this
title.
(4) Form of report.--Each report required by paragraph (1)
shall be submitted in unclassified form, but may include a
classified annex.
(b) Reports on Privacy and Civil Liberties.--
(1) Biennial report from privacy and civil liberties
oversight board.--Not later than 2 years after the date of the
enactment of this Act and not less frequently than once every 2
years thereafter, the Privacy and Civil Liberties Oversight
Board shall submit to Congress and the President a report
providing--
(A) an assessment of the effect on privacy and
civil liberties by the type of activities carried out
under this title; and
(B) an assessment of the sufficiency of the
policies, procedures, and guidelines established
pursuant to section 105 in addressing concerns relating
to privacy and civil liberties.
(2) Biennial report of inspectors general.--
(A) In general.--Not later than 2 years after the
date of the enactment of this Act and not less
frequently than once every 2 years thereafter, the
Inspector General of the Department of Homeland
Security, the Inspector General of the Intelligence
Community, the Inspector General of the Department of
Justice, the Inspector General of the Department of
Defense, and the Inspector General of the Department of
Energy shall, in consultation with the Council of
Inspectors General on Financial Oversight, jointly
submit to Congress a report on the receipt, use, and
dissemination of cyber threat indicators and defensive
measures that have been shared with Federal entities
under this title.
(B) Contents.--Each report submitted under
subparagraph (A) shall include the following:
(i) A review of the types of cyber threat
indicators shared with Federal entities.
(ii) A review of the actions taken by
Federal entities as a result of the receipt of
such cyber threat indicators.
(iii) A list of Federal entities receiving
such cyber threat indicators.
(iv) A review of the sharing of such cyber
threat indicators among Federal entities to
identify inappropriate barriers to sharing
information.
(3) Recommendations.--Each report submitted under this
subsection may include such recommendations as the Privacy and
Civil Liberties Oversight Board, with respect to a report
submitted under paragraph (1), or the Inspectors General
referred to in paragraph (2)(A), with respect to a report
submitted under paragraph (2), may have for improvements or
modifications to the authorities under this title.
(4) Form.--Each report required under this subsection shall
be submitted in unclassified form, but may include a classified
annex.
SEC. 108. CONSTRUCTION AND PREEMPTION.
(a) Otherwise Lawful Disclosures.--Nothing in this title shall be
construed--
(1) to limit or prohibit otherwise lawful disclosures of
communications, records, or other information, including
reporting of known or suspected criminal activity, by an entity
to any other entity or the Federal Government under this title;
or
(2) to limit or prohibit otherwise lawful use of such
disclosures by any Federal entity, even when such otherwise
lawful disclosures duplicate or replicate disclosures made
under this title.
(b) Whistle Blower Protections.--Nothing in this title shall be
construed to prohibit or limit the disclosure of information protected
under section 2302(b)(8) of title 5, United States Code (governing
disclosures of illegality, waste, fraud, abuse, or public health or
safety threats), section 7211 of title 5, United States Code (governing
disclosures to Congress), section 1034 of title 10, United States Code
(governing disclosure to Congress by members of the military), section
1104 of the National Security Act of 1947 (50 U.S.C. 3234) (governing
disclosure by employees of elements of the intelligence community), or
any similar provision of Federal or State law.
(c) Protection of Sources and Methods.--Nothing in this title shall
be construed--
(1) as creating any immunity against, or otherwise
affecting, any action brought by the Federal Government, or any
agency or department thereof, to enforce any law, executive
order, or procedure governing the appropriate handling,
disclosure, or use of classified information;
(2) to affect the conduct of authorized law enforcement or
intelligence activities; or
(3) to modify the authority of a department or agency of
the Federal Government to protect classified information and
sources and methods and the national security of the United
States.
(d) Relationship to Other Laws.--Nothing in this title shall be
construed to affect any requirement under any other provision of law
for an entity to provide information to the Federal Government.
(e) Prohibited Conduct.--Nothing in this title shall be construed
to permit price-fixing, allocating a market between competitors,
monopolizing or attempting to monopolize a market, boycotting, or
exchanges of price or cost information, customer lists, or information
regarding future competitive planning.
(f) Information Sharing Relationships.--Nothing in this title shall
be construed--
(1) to limit or modify an existing information sharing
relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship
between any entity and another entity or a Federal entity; or
(4) to require the use of the capability and process within
the Department of Homeland Security developed under section
105(c).
(g) Preservation of Contractual Obligations and Rights.--Nothing in
this title shall be construed--
(1) to amend, repeal, or supersede any current or future
contractual agreement, terms of service agreement, or other
contractual relationship between any entities, or between any
entity and a Federal entity; or
(2) to abrogate trade secret or intellectual property
rights of any entity or Federal entity.
(h) Anti-tasking Restriction.--Nothing in this title shall be
construed to permit a Federal entity--
(1) to require an entity to provide information to a
Federal entity or another entity;
(2) to condition the sharing of cyber threat indicators
with an entity on such entity's provision of cyber threat
indicators to a Federal entity or another entity; or
(3) to condition the award of any Federal grant, contract,
or purchase on the provision of a cyber threat indicator to a
Federal entity or another entity.
(i) No Liability for Non-participation.--Nothing in this title
shall be construed to subject any entity to liability for choosing not
to engage in the voluntary activities authorized in this title.
(j) Use and Retention of Information.--Nothing in this title shall
be construed to authorize, or to modify any existing authority of, a
department or agency of the Federal Government to retain or use any
information shared under this title for any use other than permitted in
this title.
(k) Federal Preemption.--
(1) In general.--This title supersedes any statute or other
provision of law of a State or political subdivision of a State
that restricts or otherwise expressly regulates an activity
authorized under this title.
(2) State law enforcement.--Nothing in this title shall be
construed to supersede any statute or other provision of law of
a State or political subdivision of a State concerning the use
of authorized law enforcement practices and procedures.
(l) Regulatory Authority.--Nothing in this title shall be
construed--
(1) to authorize the promulgation of any regulations not
specifically authorized by this title;
(2) to establish or limit any regulatory authority not
specifically established or limited under this title; or
(3) to authorize regulatory actions that would duplicate or
conflict with regulatory requirements, mandatory standards, or
related processes under another provision of Federal law.
(m) Authority of Secretary of Defense To Respond to Cyber
Attacks.--Nothing in this title shall be construed to limit the
authority of the Secretary of Defense to develop, prepare, coordinate,
or, when authorized by the President to do so, conduct a military cyber
operation in response to a malicious cyber activity carried out against
the United States or a United States person by a foreign government or
an organization sponsored by a foreign government or a terrorist
organization.
SEC. 109. REPORT ON CYBERSECURITY THREATS.
(a) Report Required.--Not later than 180 days after the date of the
enactment of this Act, the Director of National Intelligence, in
coordination with the heads of other appropriate elements of the
intelligence community, shall submit to the Select Committee on
Intelligence of the Senate and the Permanent Select Committee on
Intelligence of the House of Representatives a report on cybersecurity
threats, including cyber attacks, theft, and data breaches.
(b) Contents.--The report required by subsection (a) shall include
the following:
(1) An assessment of the current intelligence sharing and
cooperation relationships of the United States with other
countries regarding cybersecurity threats, including cyber
attacks, theft, and data breaches, directed against the United
States and which threaten the United States national security
interests and economy and intellectual property, specifically
identifying the relative utility of such relationships, which
elements of the intelligence community participate in such
relationships, and whether and how such relationships could be
improved.
(2) A list and an assessment of the countries and nonstate
actors that are the primary threats of carrying out a
cybersecurity threat, including a cyber attack, theft, or data
breach, against the United States and which threaten the United
States national security, economy, and intellectual property.
(3) A description of the extent to which the capabilities
of the United States Government to respond to or prevent
cybersecurity threats, including cyber attacks, theft, or data
breaches, directed against the United States private sector are
degraded by a delay in the prompt notification by private
entities of such threats or cyber attacks, theft, and breaches.
(4) An assessment of additional technologies or
capabilities that would enhance the ability of the United
States to prevent and to respond to cybersecurity threats,
including cyber attacks, theft, and data breaches.
(5) An assessment of any technologies or practices utilized
by the private sector that could be rapidly fielded to assist
the intelligence community in preventing and responding to
cybersecurity threats.
(c) Additional Report.--At the time the report required by
subsection (a) is submitted, the Director of National Intelligence
shall submit to the Committee on Foreign Relations of the Senate and
the Committee on Foreign Affairs of the House of Representatives a
report containing the information required by subsection (b)(2).
(d) Form of Report.--The report required by subsection (a) shall be
made available in classified and unclassified forms.
(e) Intelligence Community Defined.--In this section, the term
``intelligence community'' has the meaning given that term in section 3
of the National Security Act of 1947 (50 U.S.C. 3003).
SEC. 110. CONFORMING AMENDMENT.
Section 941(c)(3) of the National Defense Authorization Act for
Fiscal Year 2013 (Public Law 112-239; 10 U.S.C. 2224 note) is amended
by inserting at the end the following: ``The Secretary may share such
information with other Federal entities if such information consists of
cyber threat indicators and defensive measures and such information is
shared consistent with the policies and procedures promulgated by the
Attorney General and the Secretary of Homeland Security under section
105 of the Cybersecurity Information Sharing Act of 2015.''.
TITLE II--FEDERAL CYBERSECURITY ENHANCEMENT
SEC. 201. SHORT TITLE.
This title may be cited as the ``Federal Cybersecurity Enhancement
Act of 2015''.
SEC. 202. DEFINITIONS.
In this title--
(1) the term ``agency'' has the meaning given the term in
section 3502 of title 44, United States Code;
(2) the term ``agency information system'' has the meaning
given the term in section 228 of the Homeland Security Act of
2002, as added by section 203(a);
(3) the term ``appropriate congressional committees''
means--
(A) the Committee on Homeland Security and
Governmental Affairs of the Senate; and
(B) the Committee on Homeland Security of the House
of Representatives;
(4) the terms ``cybersecurity risk'' and ``information
system'' have the meanings given those terms in section 227 of
the Homeland Security Act of 2002, as so redesignated by
section 203(a);
(5) the term ``Director'' means the Director of the Office
of Management and Budget;
(6) the term ``intelligence community'' has the meaning
given the term in section 3(4) of the National Security Act of
1947 (50 U.S.C. 3003(4));
(7) the term ``national security system'' has the meaning
given the term in section 11103 of title 40, United States
Code; and
(8) the term ``Secretary'' means the Secretary of Homeland
Security.
SEC. 203. IMPROVED FEDERAL NETWORK SECURITY.
(a) In General.--Subtitle C of title II of the Homeland Security
Act of 2002 (6 U.S.C. 141 et seq.) is amended--
(1) by redesignating section 228 as section 229;
(2) by redesignating section 227 as subsection (c) of
section 228, as added by paragraph (4), and adjusting the
margins accordingly;
(3) by redesignating the second section designated as
section 226 (relating to the national cybersecurity and
communications integration center) as section 227;
(4) by inserting after section 227, as so redesignated, the
following:
``SEC. 228. CYBERSECURITY PLANS.
``(a) Definitions.--In this section--
``(1) the term `agency information system' means an
information system used or operated by an agency or by another
entity on behalf of an agency;
``(2) the terms `cybersecurity risk' and `information
system' have the meanings given those terms in section 227;
``(3) the term `intelligence community' has the meaning
given the term in section 3(4) of the National Security Act of
1947 (50 U.S.C. 3003(4)); and
``(4) the term `national security system' has the meaning
given the term in section 11103 of title 40, United States
Code.
``(b) Intrusion Assessment Plan.--
``(1) Requirement.--The Secretary, in coordination with the
Director of the Office of Management and Budget, shall develop
and implement an intrusion assessment plan to identify and
remove intruders in agency information systems.
``(2) Exception.--The intrusion assessment plan required
under paragraph (1) shall not apply to the Department of
Defense, a national security system, or an element of the
intelligence community.'';
(5) in section 228(c), as so redesignated, by striking
``section 226'' and inserting ``section 227''; and
(6) by inserting after section 229, as so redesignated, the
following:
``SEC. 230. FEDERAL INTRUSION DETECTION AND PREVENTION SYSTEM.
``(a) Definitions.--In this section--
``(1) the term `agency' has the meaning given that term in
section 3502 of title 44, United States Code;
``(2) the term `agency information' means information
collected or maintained by or on behalf of an agency;
``(3) the term `agency information system' has the meaning
given the term in section 228; and
``(4) the terms `cybersecurity risk' and `information
system' have the meanings given those terms in section 227.
``(b) Requirement.--
``(1) In general.--Not later than 1 year after the date of
enactment of this section, the Secretary shall deploy, operate,
and maintain, to make available for use by any agency, with or
without reimbursement--
``(A) a capability to detect cybersecurity risks in
network traffic transiting or traveling to or from an
agency information system; and
``(B) a capability to prevent network traffic
associated with such cybersecurity risks from
transiting or traveling to or from an agency
information system or modify such network traffic to
remove the cybersecurity risk.
``(2) Regular improvement.--The Secretary shall regularly
deploy new technologies and modify existing technologies to the
intrusion detection and prevention capabilities described in
paragraph (1) as appropriate to improve the intrusion detection
and prevention capabilities.
``(c) Activities.--In carrying out subsection (b), the Secretary--
``(1) may access, and the head of an agency may disclose to
the Secretary or a private entity providing assistance to the
Secretary under paragraph (2), information transiting or
traveling to or from an agency information system, regardless
of the location from which the Secretary or a private entity
providing assistance to the Secretary under paragraph (2)
accesses such information, notwithstanding any other provision
of law that would otherwise restrict or prevent the head of an
agency from disclosing such information to the Secretary or a
private entity providing assistance to the Secretary under
paragraph (2);
``(2) may enter into contracts or other agreements with, or
otherwise request and obtain the assistance of, private
entities to deploy and operate technologies in accordance with
subsection (b);
``(3) may retain, use, and disclose information obtained
through the conduct of activities authorized under this section
only to protect information and information systems from
cybersecurity risks;
``(4) shall regularly assess through operational test and
evaluation in real world or simulated environments available
advanced protective technologies to improve detection and
prevention capabilities, including commercial and non-commercial
technologies and detection technologies beyond
signature-based detection, and utilize such technologies when
appropriate;
``(5) shall establish a pilot to acquire, test, and deploy,
as rapidly as possible, technologies described in paragraph
(4);
``(6) shall periodically update the privacy impact
assessment required under section 208(b) of the E-Government
Act of 2002 (44 U.S.C. 3501 note); and
``(7) shall ensure that--
``(A) activities carried out under this section are
reasonably necessary for the purpose of protecting
agency information and agency information systems from
a cybersecurity risk;
``(B) information accessed by the Secretary will be
retained no longer than reasonably necessary for the
purpose of protecting agency information and agency
information systems from a cybersecurity risk;
``(C) notice has been provided to users of an
agency information system concerning access to
communications of users of the agency information
system for the purpose of protecting agency information
and the agency information system; and
``(D) the activities are implemented pursuant to
policies and procedures governing the operation of the
intrusion detection and prevention capabilities.
``(d) Private Entities.--
``(1) Conditions.--A private entity described in subsection
(c)(2) may not--
``(A) disclose any network traffic transiting or
traveling to or from an agency information system to
any entity without the consent of the Department or the
agency that disclosed the information under subsection
(c)(1); or
``(B) use any network traffic transiting or
traveling to or from an agency information system to
which the private entity gains access in accordance
with this section for any purpose other than to protect
agency information and agency information systems
against cybersecurity risks or to administer a contract
or other agreement entered into pursuant to subsection
(c)(2) or as part of another contract with the
Secretary.
``(2) Limitation on liability.--No cause of action shall
lie in any court against a private entity for assistance
provided to the Secretary in accordance with this section and
any contract or agreement entered into pursuant to subsection
(c)(2).
``(3) Rule of construction.--Nothing in paragraph (2) shall
be construed to authorize an Internet service provider to break
a user agreement with a customer without the consent of the
customer.
``(e) Attorney General Review.--Not later than 1 year after the
date of enactment of this section, the Attorney General shall review
the policies and guidelines for the program carried out under this
section to ensure that the policies and guidelines are consistent with
applicable law governing the acquisition, interception, retention, use,
and disclosure of communications.''.
(b) Prioritizing Advanced Security Tools.--The Director and the
Secretary, in consultation with appropriate agencies, shall--
(1) review and update governmentwide policies and programs
to ensure appropriate prioritization and use of network
security monitoring tools within agency networks; and
(2) brief appropriate congressional committees on such
prioritization and use.
(c) Agency Responsibilities.--
(1) In general.--Except as provided in paragraph (2)--
(A) not later than 1 year after the date of
enactment of this Act or 2 months after the date on
which the Secretary makes available the intrusion
detection and prevention capabilities under section
230(b)(1) of the Homeland Security Act of 2002, as
added by subsection (a), whichever is later, the head
of each agency shall apply and continue to utilize the
capabilities to all information traveling between an
agency information system and any information system
other than an agency information system; and
(B) not later than 6 months after the date on which
the Secretary makes available improvements to the
intrusion detection and prevention capabilities
pursuant to section 230(b)(2) of the Homeland Security
Act of 2002, as added by subsection (a), the head of
each agency shall apply and continue to utilize the
improved intrusion detection and prevention
capabilities.
(2) Exception.--The requirements under paragraph (1) shall
not apply to the Department of Defense, a national security
system, or an element of the intelligence community.
(3) Definition.--In this subsection only, the term ``agency
information system'' means an information system owned or
operated by an agency.
(4) Rule of construction.--Nothing in this subsection shall
be construed to limit an agency from applying the intrusion
detection and prevention capabilities under section 230(b)(1)
of the Homeland Security Act of 2002, as added by subsection
(a), at the discretion of the head of the agency or as provided
in relevant policies, directives, and guidelines.
(d) Table of Contents Amendment.--The table of contents in section
1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 note) is
amended by striking the items relating to the first section designated
as section 226, the second section designated as section 226 (relating
to the national cybersecurity and communications integration center),
section 227, and section 228 and inserting the following:
``Sec. 226. Cybersecurity recruitment and retention.
``Sec. 227. National cybersecurity and communications integration
center.
``Sec. 228. Cybersecurity plans.
``Sec. 229. Clearances.
``Sec. 230. Federal intrusion detection and prevention system.''.
SEC. 204. ADVANCED INTERNAL DEFENSES.
(a) Advanced Network Security Tools.--
(1) In general.--The Secretary shall include in the
Continuous Diagnostics and Mitigation Program advanced network
security tools to improve visibility of network activity,
including through the use of commercial and free or open source
tools, to detect and mitigate intrusions and anomalous
activity.
(2) Development of plan.--The Director shall develop and
implement a plan to ensure that each agency utilizes advanced
network security tools, including those described in paragraph
(1), to detect and mitigate intrusions and anomalous activity.
(b) Improved Metrics.--The Secretary, in collaboration with the
Director, shall review and update the metrics used to measure security
under section 3554 of title 44, United States Code, to include measures
of intrusion and incident detection and response times.
(c) Transparency and Accountability.--The Director, in consultation
with the Secretary, shall increase transparency to the public on agency
cybersecurity posture, including by increasing the number of metrics
available on Federal Government performance websites and, to the
greatest extent practicable, displaying metrics for department
components, small agencies, and micro agencies.
(d) Maintenance of Technologies.--Section 3553(b)(6)(B) of title
44, United States Code, is amended by inserting ``, operating, and
maintaining'' after ``deploying''.
(e) Exception.--The requirements under this section shall not apply
to the Department of Defense, a national security system, or an element
of the intelligence community.
SEC. 205. FEDERAL CYBERSECURITY REQUIREMENTS.
(a) Implementation of Federal Cybersecurity Standards.--Consistent
with section 3553 of title 44, United States Code, the Secretary, in
consultation with the Director, shall exercise the authority to issue
binding operational directives to assist the Director in ensuring
timely agency adoption of and compliance with policies and standards
promulgated under section 11331 of title 40, United States Code, for
securing agency information systems.
(b) Cybersecurity Requirements at Agencies.--
(1) In general.--Consistent with policies, standards,
guidelines, and directives on information security under
subchapter II of chapter 35 of title 44, United States Code,
and the standards and guidelines promulgated under section
11331 of title 40, United States Code, and except as provided
in paragraph (2), not later than 1 year after the date of the
enactment of this Act, the head of each agency shall--
(A) identify sensitive and mission critical data
stored by the agency consistent with the inventory
required under the first subsection (c) (relating to
the inventory of major information systems) and the
second subsection (c) (relating to the inventory of
information systems) of section 3505 of title 44,
United States Code;
(B) assess access controls to the data described in
subparagraph (A), the need for readily accessible
storage of the data, and individuals' need to access
the data;
(C) encrypt or otherwise render indecipherable to
unauthorized users the data described in subparagraph
(A) that is stored on or transiting agency information
systems;
(D) implement a single sign-on trusted identity
platform for individuals accessing each public website
of the agency that requires user authentication, as
developed by the Administrator of General Services in
collaboration with the Secretary; and
(E) implement identity management consistent with
section 504 of the Cybersecurity Enhancement Act of
2014 (Public Law 113-274; 15 U.S.C. 7464), including
multi-factor authentication, for--
(i) remote access to an agency information
system; and
(ii) each user account with elevated
privileges on an agency information system.
(2) Exception.--The requirements under paragraph (1) shall
not apply to an agency information system for which--
(A) the head of the agency has personally certified
to the Director with particularity that--
(i) operational requirements articulated in
the certification and related to the agency
information system would make it excessively
burdensome to implement the cybersecurity
requirement;
(ii) the cybersecurity requirement is not
necessary to secure the agency information
system or agency information stored on or
transiting it; and
(iii) the agency has taken all necessary
steps to secure the agency information system
and agency information stored on or transiting
it; and
(B) the head of the agency or the designee of the
head of the agency has submitted the certification
described in subparagraph (A) to the appropriate
congressional committees and the agency's authorizing
committees.
(3) Construction.--Nothing in this section shall be
construed to alter the authority of the Secretary, the
Director, or the Director of the National Institute of
Standards and Technology in implementing subchapter II of
chapter 35 of title 44, United States Code. Nothing in this
section shall be construed to affect the National Institute of
Standards and Technology standards process or the requirement
under section 3553(a)(4) of such title or to discourage
continued improvements and advancements in the technology,
standards, policies, and guidelines used to promote Federal
information security.
(c) Exception.--The requirements under this section shall not apply
to the Department of Defense, a national security system, or an element
of the intelligence community.
SEC. 206. ASSESSMENT; REPORTS.
(a) Definitions.--In this section--
(1) the term ``intrusion assessments'' means actions taken
under the intrusion assessment plan to identify and remove
intruders in agency information systems;
(2) the term ``intrusion assessment plan'' means the plan
required under section 228(b)(1) of the Homeland Security Act
of 2002, as added by section 203(a) of this Act; and
(3) the term ``intrusion detection and prevention
capabilities'' means the capabilities required under section
230(b) of the Homeland Security Act of 2002, as added by
section 203(a) of this Act.
(b) Third Party Assessment.--Not later than 3 years after the date
of enactment of this Act, the Government Accountability Office shall
conduct a study and publish a report on the effectiveness of the
approach and strategy of the Federal Government to securing agency
information systems, including the intrusion detection and prevention
capabilities and the intrusion assessment plan.
(c) Reports to Congress.--
(1) Intrusion detection and prevention capabilities.--
(A) Secretary of homeland security report.--Not
later than 6 months after the date of enactment of this
Act, and annually thereafter, the Secretary shall
submit to the appropriate congressional committees a
report on the status of implementation of the intrusion
detection and prevention capabilities, including--
(i) a description of privacy controls;
(ii) a description of the technologies and
capabilities utilized to detect cybersecurity
risks in network traffic, including the extent
to which those technologies and capabilities
include existing commercial and non-commercial
technologies;
(iii) a description of the technologies and
capabilities utilized to prevent network
traffic associated with cybersecurity risks
from transiting or traveling to or from agency
information systems, including the extent to
which those technologies and capabilities
include existing commercial and non-commercial
technologies;
(iv) a list of the types of indicators or
other identifiers or techniques used to detect
cybersecurity risks in network traffic
transiting or traveling to or from agency
information systems on each iteration of the
intrusion detection and prevention capabilities
and the number of each such type of indicator,
identifier, and technique;
(v) the number of instances in which the
intrusion detection and prevention capabilities
detected a cybersecurity risk in network
traffic transiting or traveling to or from
agency information systems and the number of
times the intrusion detection and prevention
capabilities blocked network traffic associated
with cybersecurity risk; and
(vi) a description of the pilot established
under section 230(c)(5) of the Homeland
Security Act of 2002, as added by section
203(a) of this Act, including the number of new
technologies tested and the number of
participating agencies.
(B) OMB report.--Not later than 18 months after the
date of enactment of this Act, and annually thereafter,
the Director shall submit to Congress, as part of the
report required under section 3553(c) of title 44,
United States Code, an analysis of agency application
of the intrusion detection and prevention capabilities,
including--
(i) a list of each agency and the degree to
which each agency has applied the intrusion
detection and prevention capabilities to an
agency information system; and
(ii) a list by agency of--
(I) the number of instances in
which the intrusion detection and
prevention capabilities detected a
cybersecurity risk in network traffic
transiting or traveling to or from an
agency information system and the types
of indicators, identifiers, and
techniques used to detect such
cybersecurity risks; and
(II) the number of instances in
which the intrusion detection and
prevention capabilities prevented
network traffic associated with a
cybersecurity risk from transiting or
traveling to or from an agency
information system and the types of
indicators, identifiers, and techniques
used to detect such agency information
systems.
(2) OMB report on development and implementation of
intrusion assessment plan, advanced internal defenses, and
federal cybersecurity best practices.--The Director shall--
(A) not later than 6 months after the date of
enactment of this Act, and 30 days after any update
thereto, submit the intrusion assessment plan to the
appropriate congressional committees;
(B) not later than 1 year after the date of
enactment of this Act, and annually thereafter, submit
to Congress, as part of the report required under
section 3553(c) of title 44, United States Code--
(i) a description of the implementation of
the intrusion assessment plan;
(ii) the findings of the intrusion
assessments conducted pursuant to the intrusion
assessment plan;
(iii) advanced network security tools
included in the Continuous Diagnostics and
Mitigation Program pursuant to section
204(a)(1);
(iv) the results of the assessment of the
Secretary of best practices for Federal
cybersecurity pursuant to section 205(a); and
(v) a list by agency of compliance with the
requirements of section 205(b); and
(C) not later than 1 year after the date of
enactment of this Act, submit to the appropriate
congressional committees--
(i) a copy of the plan developed pursuant
to section 204(a)(2); and
(ii) the improved metrics developed
pursuant to section 204(b).
SEC. 207. TERMINATION.
(a) In General.--The authority provided under section 230 of the
Homeland Security Act of 2002, as added by section 203(a) of this Act,
and the reporting requirements under section 206(c) shall terminate on
the date that is 7 years after the date of enactment of this Act.
(b) Rule of Construction.--Nothing in subsection (a) shall be
construed to affect the limitation of liability of a private entity for
assistance provided to the Secretary under section 230(d)(2) of the
Homeland Security Act of 2002, as added by section 203(a) of this Act,
if such assistance was rendered before the termination date under
subsection (a) or otherwise during a period in which the assistance was
authorized.
SEC. 208. IDENTIFICATION OF INFORMATION SYSTEMS RELATING TO NATIONAL SECURITY.
(a) In General.--Except as provided in subsection (c), not later
than 180 days after the date of enactment of this Act--
(1) the Director of National Intelligence and the Director
of the Office of Management and Budget, in coordination with
the heads of other agencies, shall--
(A) identify all unclassified information systems
that provide access to information that may provide an
adversary with the ability to derive information that
would otherwise be considered classified;
(B) assess the risks that would result from the
breach of each unclassified information system
identified in subparagraph (A); and
(C) assess the cost and impact on the mission
carried out by each agency that owns an unclassified
information system identified in subparagraph (A) if
the system were to be subsequently designated as a
national security system; and
(2) the Director of National Intelligence and the Director
of the Office of Management and Budget shall submit to the
appropriate congressional committees, the Select Committee on
Intelligence of the Senate, and the Permanent Select Committee
on Intelligence of the House of Representatives a report that
includes the findings under paragraph (1).
(b) Form.--The report submitted under subsection (a)(2) shall be in
unclassified form, and shall include a classified annex.
(c) Exception.--The requirements under subsection (a)(1) shall not
apply to the Department of Defense, a national security system, or an
element of the intelligence community.
(d) Rule of Construction.--Nothing in this section shall be
construed to designate an information system as a national security
system.
SEC. 209. DIRECTION TO AGENCIES.
(a) In General.--Section 3553 of title 44, United States Code, is
amended by adding at the end the following:
``(h) Direction to Agencies.--
``(1) Authority.--
``(A) In general.--Subject to subparagraph (B), in
response to a known or reasonably suspected information
security threat, vulnerability, or incident that
represents a substantial threat to the information
security of an agency, the Secretary may issue an
emergency directive to the head of an agency to take
any lawful action with respect to the operation of the
information system, including such systems used or
operated by another entity on behalf of an agency, that
collects, processes, stores, transmits, disseminates,
or otherwise maintains agency information, for the
purpose of protecting the information system from, or
mitigating, an information security threat.
``(B) Exception.--The authorities of the Secretary
under this subsection shall not apply to a system
described in subsection (d) or to a system described in
paragraph (2) or (3) of subsection (e).
``(2) Procedures for use of authority.--The Secretary
shall--
``(A) in coordination with the Director, establish
procedures governing the circumstances under which a
directive may be issued under this subsection, which
shall include--
``(i) thresholds and other criteria;
``(ii) privacy and civil liberties
protections; and
``(iii) providing notice to potentially
affected third parties;
``(B) specify the reasons for the required action
and the duration of the directive;
``(C) minimize the impact of a directive under this
subsection by--
``(i) adopting the least intrusive means
possible under the circumstances to secure the
agency information systems; and
``(ii) limiting directives to the shortest
period practicable;
``(D) notify the Director and the head of any
affected agency immediately upon the issuance of a
directive under this subsection;
``(E) consult with the Director of the National
Institute of Standards and Technology regarding any
directive under this subsection that implements
standards and guidelines developed by the National
Institute of Standards and Technology;
``(F) ensure that directives issued under this
subsection do not conflict with the standards and
guidelines issued under section 11331 of title 40;
``(G) consider any applicable standards or
guidelines developed by the National Institute of
Standards and issued by the Secretary of Commerce under
section 11331 of title 40; and
``(H) not later than February 1 of each year,
submit to the appropriate congressional committees a
report regarding the specific actions the Secretary has
taken pursuant to paragraph (1)(A).
``(3) Imminent threats.--
``(A) In general.--Notwithstanding section 3554,
the Secretary may authorize the intrusion detection and
prevention capabilities under section 230(b)(1) of the
Homeland Security Act of 2002 for the purpose of
ensuring the security of agency information systems,
if--
``(i) the Secretary determines there is an
imminent threat to agency information systems;
``(ii) the Secretary determines a directive
under subsection (b)(2)(C) or paragraph (1)(A)
is not reasonably likely to result in a timely
response to the threat;
``(iii) the Secretary determines the risk
posed by the imminent threat outweighs any
adverse consequences reasonably expected to
result from the use of protective capabilities
under the control of the Secretary;
``(iv) the Secretary provides prior notice
to the Director, and the head and chief
information officer (or equivalent official) of
each agency to which specific actions will be
taken pursuant to subparagraph (A), and
notifies the appropriate congressional
committees and authorizing committees of each
such agency within seven days of taking an
action under this subsection of--
``(I) any action taken under this
subsection; and
``(II) the reasons for and duration
and nature of the action;
``(v) the action of the Secretary is
consistent with applicable law; and
``(vi) the Secretary authorizes the use of
protective capabilities in accordance with the
advance procedures established under
subparagraph (C).
``(B) Limitation on delegation.--The authority
under this subsection may not be delegated by the
Secretary.
``(C) Advance procedures.--The Secretary shall, in
coordination with the Director, and in consultation
with the heads of Federal agencies, establish
procedures governing the circumstances under which the
Secretary may authorize the use of protective
capabilities under subparagraph (A). The Secretary shall
submit the procedures to Congress.
``(4) Limitation.--The Secretary may direct or authorize
lawful action or protective capability under this subsection
only to--
``(A) protect agency information from unauthorized
access, use, disclosure, disruption, modification, or
destruction; or
``(B) require the remediation of or protect against
identified information security risks with respect to--
``(i) information collected or maintained
by or on behalf of an agency; or
``(ii) that portion of an information
system used or operated by an agency or by a
contractor of an agency or other organization
on behalf of an agency.
``(i) Annual Report to Congress.--Not later than February 1 of each
year, the Director shall submit to the appropriate congressional
committees a report regarding the specific actions the Director has
taken pursuant to subsection (a)(5), including any actions taken
pursuant to section 11303(b)(5) of title 40.
``(j) Appropriate Congressional Committees Defined.--In this
section, the term `appropriate congressional committees' means--
``(1) the Committee on Appropriations and the Committee on
Homeland Security and Governmental Affairs of the Senate; and
``(2) the Committee on Appropriations, the Committee on
Homeland Security, the Committee on Oversight and Government
Reform, and the Committee on Science, Space, and Technology of
the House of Representatives.''.
(b) Conforming Amendment.--Section 3554(a)(1)(B) of title 44,
United States Code, is amended--
(1) in clause (iii), by striking ``and'' at the end; and
(2) by adding at the end the following:
``(v) emergency directives issued by the
Secretary under section 3553(h); and''.
TITLE III--FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT
SEC. 301. SHORT TITLE.
This title may be cited as the ``Federal Cybersecurity Workforce
Assessment Act of 2015''.
SEC. 302. DEFINITIONS.
In this title:
(1) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Armed Services of the Senate;
(B) the Committee on Homeland Security and
Governmental Affairs of the Senate;
(C) the Select Committee on Intelligence of the
Senate;
(D) the Committee on Commerce, Science, and
Transportation of the Senate;
(E) the Committee on Armed Services in the House of
Representatives;
(F) the Committee on Homeland Security of the House
of Representatives;
(G) the Committee on Oversight and Government
Reform of the House of Representatives; and
(H) the Permanent Select Committee on Intelligence
of the House of Representatives.
(2) Director.--The term ``Director'' means the Director of
the Office of Personnel Management.
(3) Roles.--The term ``roles'' has the meaning given the
term in the National Initiative for Cybersecurity Education's
Cybersecurity Workforce Framework.
SEC. 303. NATIONAL CYBERSECURITY WORKFORCE MEASUREMENT INITIATIVE.
(a) In General.--The head of each Federal agency shall--
(1) identify all positions within the agency that require
the performance of cybersecurity or other cyber-related
functions; and
(2) assign the corresponding employment code, which shall
be added to the National Initiative for Cybersecurity
Education's National Cybersecurity Workforce Framework, in
accordance with subsection (b).
(b) Employment Codes.--
(1) Procedures.--
(A) Coding structure.--Not later than 180 days
after the date of the enactment of this Act, the
Secretary of Commerce, acting through the National
Institute of Standards and Technology, shall update the
National Initiative for Cybersecurity Education's
Cybersecurity Workforce Framework to include a
corresponding coding structure.
(B) Identification of civilian cyber personnel.--
Not later than 9 months after the date of enactment of
this Act, the Director, in coordination with the
Director of the National Institute of Standards and
Technology and the Director of National Intelligence,
shall establish procedures to implement the National
Initiative for Cybersecurity Education's coding
structure to identify all Federal civilian positions
that require the performance of information technology,
cybersecurity, or other cyber-related functions.
(C) Identification of noncivilian cyber
personnel.--Not later than 18 months after the date of
enactment of this Act, the Secretary of Defense shall
establish procedures to implement the National
Initiative for Cybersecurity Education's coding
structure to identify all Federal noncivilian positions
that require the performance of information technology,
cybersecurity, or other cyber-related functions.
(D) Baseline assessment of existing cybersecurity
workforce.--Not later than 3 months after the date on
which the procedures are developed under subparagraphs
(B) and (C), respectively, the head of each Federal
agency shall submit to the appropriate congressional
committees of jurisdiction a report that identifies--
(i) the percentage of personnel with
information technology, cybersecurity, or other
cyber-related job functions who currently hold
the appropriate industry-recognized
certifications as identified in the National
Initiative for Cybersecurity Education's
Cybersecurity Workforce Framework;
(ii) the level of preparedness of other
civilian and noncivilian cyber personnel
without existing credentials to take
certification exams; and
(iii) a strategy for mitigating any gaps
identified in clause (i) or (ii) with the
appropriate training and certification for
existing personnel.
(E) Procedures for assigning codes.--Not later than
3 months after the date on which the procedures are
developed under subparagraphs (B) and (C),
respectively, the head of each Federal agency shall
establish procedures--
(i) to identify all encumbered and vacant
positions with information technology,
cybersecurity, or other cyber-related functions
(as defined in the National Initiative for
Cybersecurity Education's coding structure);
and
(ii) to assign the appropriate employment
code to each such position, using agreed
standards and definitions.
(2) Code assignments.--Not later than 1 year after the date
on which the procedures are established under paragraph (1)(E),
the head of each Federal agency shall complete assignment of
the appropriate employment code to each position within the
agency with information technology, cybersecurity, or other
cyber-related functions.
(c) Progress Report.--Not later than 180 days after the date of
enactment of this Act, the Director shall submit a progress report on
the implementation of this section to the appropriate congressional
committees.
SEC. 304. IDENTIFICATION OF CYBER-RELATED ROLES OF CRITICAL NEED.
(a) In General.--Beginning not later than 1 year after the date on
which the employment codes are assigned to employees pursuant to
section 203(b)(2), and annually through 2022, the head of each Federal
agency, in consultation with the Director, the Director of the National
Institute of Standards and Technology, and the Secretary of Homeland
Security, shall--
(1) identify information technology, cybersecurity, or
other cyber-related roles of critical need in the agency's
workforce; and
(2) submit a report to the Director that--
(A) describes the information technology,
cybersecurity, or other cyber-related roles identified
under paragraph (1); and
(B) substantiates the critical need designations.
(b) Guidance.--The Director shall provide Federal agencies with
timely guidance for identifying information technology, cybersecurity,
or other cyber-related roles of critical need, including--
(1) current information technology, cybersecurity, and
other cyber-related roles with acute skill shortages; and
(2) information technology, cybersecurity, or other cyber-
related roles with emerging skill shortages.
(c) Cybersecurity Needs Report.--Not later than 2 years after the
date of the enactment of this Act, the Director, in consultation with
the Secretary of Homeland Security, shall--
(1) identify critical needs for information technology,
cybersecurity, or other cyber-related workforce across all
Federal agencies; and
(2) submit a progress report on the implementation of this
section to the appropriate congressional committees.
SEC. 305. GOVERNMENT ACCOUNTABILITY OFFICE STATUS REPORTS.
The Comptroller General of the United States shall--
(1) analyze and monitor the implementation of sections 303
and 304; and
(2) not later than 3 years after the date of the enactment
of this Act, submit a report to the appropriate congressional
committees that describes the status of such implementation.
TITLE IV--OTHER CYBER MATTERS
SEC. 401. STUDY ON MOBILE DEVICE SECURITY.
(a) In General.--Not later than 1 year after the date of the
enactment of this Act, the Secretary of Homeland Security, in
consultation with the Director of the National Institute of Standards
and Technology, shall--
(1) complete a study on threats relating to the security of
the mobile devices of the Federal Government; and
(2) submit an unclassified report to Congress, with a
classified annex if necessary, that contains the findings of
such study, the recommendations developed under paragraph (3)
of subsection (b), the deficiencies, if any, identified under
paragraph (4) of such subsection, and the plan developed under
paragraph (5) of such subsection.
(b) Matters Studied.--In carrying out the study under subsection
(a)(1), the Secretary, in consultation with the Director of the
National Institute of Standards and Technology, shall--
(1) assess the evolution of mobile security techniques from
a desktop-centric approach, and whether such techniques are
adequate to meet current mobile security challenges;
(2) assess the effect such threats may have on the
cybersecurity of the information systems and networks of the
Federal Government (except for national security systems or the
information systems and networks of the Department of Defense
and the intelligence community);
(3) develop recommendations for addressing such threats
based on industry standards and best practices;
(4) identify any deficiencies in the current authorities of
the Secretary that may inhibit the ability of the Secretary to
address mobile device security throughout the Federal
Government (except for national security systems and the
information systems and networks of the Department of Defense
and intelligence community); and
(5) develop a plan for accelerated adoption of secure
mobile device technology by the Department of Homeland
Security.
(c) Intelligence Community Defined.--In this section, the term
``intelligence community'' has the meaning given such term in section 3
of the National Security Act of 1947 (50 U.S.C. 3003).
SEC. 402. DEPARTMENT OF STATE INTERNATIONAL CYBERSPACE POLICY STRATEGY.
(a) In General.--Not later than 90 days after the date of the
enactment of this Act, the Secretary of State shall produce a
comprehensive strategy relating to United States international policy
with regard to cyberspace.
(b) Elements.--The strategy required by subsection (a) shall
include the following:
(1) A review of actions and activities undertaken by the
Secretary of State to date to support the goal of the
President's International Strategy for Cyberspace, released in
May 2011, to ``work internationally to promote an open,
interoperable, secure, and reliable information and
communications infrastructure that supports international trade
and commerce, strengthens international security, and fosters
free expression and innovation.''.
(2) A plan of action to guide the diplomacy of the
Secretary of State, with regard to foreign countries, including
conducting bilateral and multilateral activities to develop the
norms of responsible international behavior in cyberspace, and
status review of existing discussions in multilateral fora to
obtain agreements on international norms in cyberspace.
(3) A review of the alternative concepts with regard to
international norms in cyberspace offered by foreign countries
that are prominent actors, including China, Russia, Brazil, and
India.
(4) A detailed description of threats to United States
national security in cyberspace from foreign countries, state-
sponsored actors, and private actors to Federal and private
sector infrastructure of the United States, intellectual
property in the United States, and the privacy of citizens of
the United States.
(5) A review of policy tools available to the President to
deter foreign countries, state-sponsored actors, and private
actors, including those outlined in Executive Order 13694,
released on April 1, 2015.
(6) A review of resources required by the Secretary,
including the Office of the Coordinator for Cyber Issues, to
conduct activities to build responsible norms of international
cyber behavior.
(c) Consultation.--In preparing the strategy required by subsection
(a), the Secretary of State shall consult, as appropriate, with other
agencies and departments of the United States and the private sector
and nongovernmental organizations in the United States with recognized
credentials and expertise in foreign policy, national security, and
cybersecurity.
(d) Form of Strategy.--The strategy required by subsection (a)
shall be in unclassified form, but may include a classified annex.
(e) Availability of Information.--The Secretary of State shall--
(1) make the strategy required in subsection (a) available
to the public; and
(2) brief the Committee on Foreign Relations of the Senate
and the Committee on Foreign Affairs of the House of
Representatives on the strategy, including any material
contained in a classified annex.
SEC. 403. APPREHENSION AND PROSECUTION OF INTERNATIONAL CYBER
CRIMINALS.
(a) International Cyber Criminal Defined.--In this section, the
term ``international cyber criminal'' means an individual--
(1) who is believed to have committed a cybercrime or
intellectual property crime against the interests of the United
States or the citizens of the United States; and
(2) for whom--
(A) an arrest warrant has been issued by a judge in
the United States; or
(B) an international wanted notice (commonly
referred to as a ``Red Notice'') has been circulated by
Interpol.
(b) Consultations for Noncooperation.--The Secretary of State, or
designee, shall consult with the appropriate government official of
each country from which extradition is not likely due to the lack of an
extradition treaty with the United States or other reasons, in which
one or more international cyber criminals are physically present, to
determine what actions the government of such country has taken--
(1) to apprehend and prosecute such criminals; and
(2) to prevent such criminals from carrying out cybercrimes
or intellectual property crimes against the interests of the
United States or its citizens.
(c) Annual Report.--
(1) In general.--The Secretary of State shall submit to the
appropriate congressional committees an annual report that
includes--
(A) the number of international cyber criminals
located in other countries, disaggregated by country,
and indicating from which countries extradition is not
likely due to the lack of an extradition treaty with
the United States or other reasons;
(B) the nature and number of significant
discussions by an official of the Department of State
on ways to thwart or prosecute international cyber
criminals with an official of another country,
including the name of each such country; and
(C) for each international cyber criminal who was
extradited to the United States during the most
recently completed calendar year--
(i) his or her name;
(ii) the crimes for which he or she was
charged;
(iii) his or her previous country of
residence; and
(iv) the country from which he or she was
extradited into the United States.
(2) Form.--The report required by this subsection shall be
in unclassified form to the maximum extent possible, but may
include a classified annex.
(3) Appropriate congressional committees.--For purposes of
this subsection, the term ``appropriate congressional
committees'' means--
(A) the Committee on Foreign Relations, the
Committee on Appropriations, the Committee on Homeland
Security and Governmental Affairs, the Committee on
Banking, Housing, and Urban Affairs, the Select
Committee on Intelligence, and the Committee on the
Judiciary of the Senate; and
(B) the Committee on Foreign Affairs, the Committee
on Appropriations, the Committee on Homeland Security,
the Committee on Financial Services, the Permanent
Select Committee on Intelligence, and the Committee on
the Judiciary of the House of Representatives.
SEC. 404. ENHANCEMENT OF EMERGENCY SERVICES.
(a) Collection of Data.--Not later than 90 days after the date of
enactment of this Act, the Secretary of Homeland Security, acting
through the National Cybersecurity and Communications Integration
Center, in coordination with appropriate Federal entities and the
Director for Emergency Communications, shall establish a process by
which a Statewide Interoperability Coordinator may report data on any
cybersecurity risk or incident involving any information system or
network used by emergency response providers (as defined in section 2
of the Homeland Security Act of 2002 (6 U.S.C. 101)) within the State.
(b) Analysis of Data.--Not later than 1 year after the date of
enactment of this Act, the Secretary of Homeland Security, acting
through the Director of the National Cybersecurity and Communications
Integration Center, in coordination with appropriate entities and the
Director for Emergency Communications, and in consultation with the
Director of the National Institute of Standards and Technology, shall
conduct integration and analysis of the data reported under subsection
(a) to develop information and recommendations on security and
resilience measures for any information system or network used by State
emergency response providers.
(c) Best Practices.--
(1) In general.--Using the results of the integration and
analysis conducted under subsection (b), and any other relevant
information, the Director of the National Institute of
Standards and Technology shall, on an ongoing basis, facilitate
and support the development of methods for reducing
cybersecurity risks to emergency response providers using the
process described in section 2(e) of the National Institute of
Standards and Technology Act (15 U.S.C. 272(e)).
(2) Report.--The Director of the National Institute of
Standards and Technology shall submit a report to Congress on
the methods developed under paragraph (1) and shall make such
report publicly available on the website of the National
Institute of Standards and Technology.
(d) Rule of Construction.--Nothing in this section shall be
construed to--
(1) require a State to report data under subsection (a); or
(2) require an entity to--
(A) adopt a recommended measure developed under
subsection (b); or
(B) follow the best practices developed under
subsection (c).
SEC. 405. IMPROVING CYBERSECURITY IN THE HEALTH CARE INDUSTRY.
(a) Definitions.--In this section:
(1) Business associate.--The term ``business associate''
has the meaning given such term in section 160.103 of title 45,
Code of Federal Regulations.
(2) Covered entity.--The term ``covered entity'' has the
meaning given such term in section 160.103 of title 45, Code of
Federal Regulations.
(3) Health care clearinghouse; health care provider; health
plan.--The terms ``health care clearinghouse'', ``health care
provider'', and ``health plan'' have the meanings given the
terms in section 160.103 of title 45, Code of Federal
Regulations.
(4) Health care industry stakeholder.--The term ``health
care industry stakeholder'' means any--
(A) health plan, health care clearinghouse, or
health care provider;
(B) patient advocate;
(C) pharmacist;
(D) developer of health information technology;
(E) laboratory;
(F) pharmaceutical or medical device manufacturer;
or
(G) additional stakeholder the Secretary determines
necessary for purposes of subsection (d)(1), (d)(3), or
(e).
(5) Secretary.--The term ``Secretary'' means the Secretary
of Health and Human Services.
(b) Report.--Not later than 1 year after the date of enactment of
this Act, the Secretary shall submit, to the Committee on Health,
Education, Labor, and Pensions of the Senate and the Committee on
Energy and Commerce of the House of Representatives, a report on the
preparedness of the health care industry in responding to cybersecurity
threats.
(c) Contents of Report.--With respect to the internal response of
the Department of Health and Human Services to emerging cybersecurity
threats, the report shall include--
(1) a clear statement of the official within the Department
of Health and Human Services to be responsible for leading and
coordinating efforts of the Department regarding cybersecurity
threats in the health care industry; and
(2) a plan from each relevant operating division and
subdivision of the Department of Health and Human Services on
how such division or subdivision will address cybersecurity
threats in the health care industry, including a clear
delineation of how each such division or subdivision will
divide responsibility among the personnel of such division or
subdivision and communicate with other such divisions and
subdivisions regarding efforts to address such threats.
(d) Health Care Industry Cybersecurity Task Force.--
(1) In general.--Not later than 60 days after the date of
enactment of this Act, the Secretary, in consultation with the
Director of the National Institute of Standards and Technology
and the Secretary of Homeland Security, shall convene health
care industry stakeholders, cybersecurity experts, and any
Federal agencies or entities the Secretary determines
appropriate to establish a task force to--
(A) analyze how industries, other than the health
care industry, have implemented strategies and
safeguards for addressing cybersecurity threats within
their respective industries;
(B) analyze challenges and barriers private
entities (notwithstanding section 102(15)(B), excluding
any State, tribal, or local government) in the health
care industry face securing themselves against cyber
attacks;
(C) review challenges that covered entities and
business associates face in securing networked medical
devices and other software or systems that connect to
an electronic health record;
(D) provide the Secretary with information to
disseminate to health care industry stakeholders for
purposes of improving their preparedness for, and
response to, cybersecurity threats affecting the health
care industry;
(E) establish a plan for creating a single system
for the Federal Government to share information on
actionable intelligence regarding cybersecurity threats
to the health care industry in near real time,
requiring no fee to the recipients of such information,
including which Federal agency or other entity may be
best suited to be the central conduit to facilitate the
sharing of such information; and
(F) report to Congress on the findings and
recommendations of the task force regarding carrying
out subparagraphs (A) through (E).
(2) Termination.--The task force established under this
subsection shall terminate on the date that is 1 year after the
date of enactment of this Act.
(3) Dissemination.--Not later than 60 days after the
termination of the task force established under this
subsection, the Secretary shall disseminate the information
described in paragraph (1)(D) to health care industry
stakeholders in accordance with such paragraph.
(4) Rule of construction.--Nothing in this subsection shall
be construed to limit the antitrust exemption under section
104(e) or the protection from liability under section 106.
(e) Cybersecurity Framework.--
(1) In general.--The Secretary shall establish, through a
collaborative process with the Secretary of Homeland Security,
health care industry stakeholders, the National Institute of
Standards and Technology, and any Federal agency or entity the
Secretary determines appropriate, a single, voluntary, national
health-specific cybersecurity framework that--
(A) establishes a common set of voluntary,
consensus-based, and industry-led standards, security
practices, guidelines, methodologies, procedures, and
processes that serve as a resource for cost-effectively
reducing cybersecurity risks for a range of health care
organizations;
(B) supports voluntary adoption and implementation
efforts to improve safeguards to address cybersecurity
threats;
(C) is consistent with the security and privacy
regulations promulgated under section 264(c) of the
Health Insurance Portability and Accountability Act of
1996 (42 U.S.C. 1320d-2 note) and with the Health
Information Technology for Economic and Clinical Health
Act (title XIII of division A, and title IV of division
B, of Public Law 111-5), and the amendments made by
such Act; and
(D) is updated on a regular basis and applicable to
the range of health care organizations described in
subparagraph (A).
(2) Limitation.--Nothing in this subsection shall be
interpreted as granting the Secretary authority to--
(A) provide for audits to ensure that health care
organizations are in compliance with the voluntary
framework under this subsection; or
(B) mandate, direct, or condition the award of any
Federal grant, contract, or purchase on compliance with
such voluntary framework.
(3) No liability for nonparticipation.--Nothing in this
title shall be construed to subject a health care organization
to liability for choosing not to engage in the voluntary
activities authorized under this subsection.
SEC. 406. FEDERAL COMPUTER SECURITY.
(a) Definitions.--In this section:
(1) Covered system.--The term ``covered system'' shall mean
a national security system as defined in section 11103 of title
40, United States Code, or a Federal computer system that
provides access to personally identifiable information.
(2) Covered agency.--The term ``covered agency'' means an
agency that operates a covered system.
(3) Logical access control.--The term ``logical access
control'' means a process of granting or denying specific
requests to obtain and use information and related information
processing services.
(4) Multi-factor logical access controls.--The term
``multi-factor logical access controls'' means a set of not
less than 2 of the following logical access controls:
(A) Information that is known to the user, such as
a password or personal identification number.
(B) An access device that is provided to the user,
such as a cryptographic identification device or token.
(C) A unique biometric characteristic of the user.
(5) Privileged user.--The term ``privileged user'' means a
user who, by virtue of function or seniority, has been
allocated powers within a covered system, which are
significantly greater than those available to the majority of
users.
(b) Inspector General Reports on Covered Systems.--
(1) In general.--Not later than 240 days after the date of
enactment of this Act, the Inspector General of each covered
agency shall submit to the appropriate committees of
jurisdiction in the Senate and the House of Representatives a
report, which shall include information collected from the
covered agency for the contents described in paragraph (2)
regarding the Federal computer systems of the covered agency.
(2) Contents.--The report submitted by each Inspector
General of a covered agency under paragraph (1) shall include,
with respect to the covered agency, the following:
(A) A description of the logical access standards
used by the covered agency to access a covered system,
including--
(i) in aggregate, a list and description of
logical access controls used to access such a
covered system; and
(ii) whether the covered agency is using
multi-factor logical access controls to access
such a covered system.
(B) A description of the logical access controls
used by the covered agency to govern access to covered
systems by privileged users.
(C) If the covered agency does not use logical
access controls or multi-factor logical access controls
to access a covered system, a description of the
reasons for not using such logical access controls or
multi-factor logical access controls.
(D) A description of the following data security
management practices used by the covered agency:
(i) The policies and procedures followed to
conduct inventories of the software present on
the covered systems of the covered agency and
the licenses associated with such software.
(ii) What capabilities the covered agency
utilizes to monitor and detect exfiltration and
other threats, including--
(I) data loss prevention
capabilities; or
(II) digital rights management
capabilities.
(iii) A description of how the covered
agency is using the capabilities described in
clause (ii).
(iv) If the covered agency is not utilizing
capabilities described in clause (ii), a
description of the reasons for not utilizing
such capabilities.
(E) A description of the policies and procedures of
the covered agency with respect to ensuring that
entities, including contractors, that provide services
to the covered agency are implementing the data
security management practices described in subparagraph
(D).
(3) Existing review.--The reports required under this
subsection may be based in whole or in part on an audit,
evaluation, or report relating to programs or practices of the
covered agency, and may be submitted as part of another report,
including the report required under section 3555 of title 44,
United States Code.
(4) Classified information.--Reports submitted under this
subsection shall be in unclassified form, but may include a
classified annex.
SEC. 407. STRATEGY TO PROTECT CRITICAL INFRASTRUCTURE AT GREATEST RISK.
(a) Definitions.--In this section:
(1) Appropriate agency.--The term ``appropriate agency''
means, with respect to a covered entity--
(A) except as provided in subparagraph (B), the
applicable sector-specific agency; or
(B) in the case of a covered entity that is
regulated by a Federal entity, such Federal entity.
(2) Appropriate agency head.--The term ``appropriate agency
head'' means, with respect to a covered entity, the head of the
appropriate agency.
(3) Covered entity.--The term ``covered entity'' means an
entity identified pursuant to section 9(a) of Executive Order
13636 of February 12, 2013 (78 Fed. Reg. 11742), relating to
identification of critical infrastructure where a cybersecurity
incident could reasonably result in catastrophic regional or
national effects on public health or safety, economic security,
or national security.
(4) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Select Committee on Intelligence of the
Senate;
(B) the Permanent Select Committee on Intelligence
of the House of Representatives;
(C) the Committee on Homeland Security and
Governmental Affairs of the Senate;
(D) the Committee on Homeland Security of the House
of Representatives;
(E) the Committee on Energy and Natural Resources
of the Senate;
(F) the Committee on Energy and Commerce of the
House of Representatives; and
(G) the Committee on Commerce, Science, and
Transportation of the Senate.
(5) Secretary.--The term ``Secretary'' means the Secretary
of the Department of Homeland Security.
(b) Status of Existing Cyber Incident Reporting.--
(1) In general.--No later than 120 days after the date of
the enactment of this Act, the Secretary, in conjunction with
the appropriate agency head (as the case may be), shall submit
to the appropriate congressional committees a report describing the
extent to which each covered entity reports significant
intrusions of information systems essential to the operation of
critical infrastructure to the Department of Homeland Security
or the appropriate agency head in a timely manner.
(2) Form.--The report submitted under paragraph (1) may
include a classified annex.
(c) Mitigation Strategy Required for Critical Infrastructure at
Greatest Risk.--
(1) In general.--No later than 180 days after the date of
the enactment of this Act, the Secretary, in conjunction with
the appropriate agency head (as the case may be), shall conduct
an assessment and develop a strategy that addresses each of the
covered entities, to ensure that, to the greatest extent
feasible, a cyber security incident affecting such entity would
no longer reasonably result in catastrophic regional or
national effects on public health or safety, economic security,
or national security.
(2) Elements.--The strategy submitted by the Secretary with
respect to a covered entity shall include the following:
(A) An assessment of whether each entity should be
required to report cyber security incidents.
(B) A description of any identified security gaps
that must be addressed.
(C) Additional statutory authority necessary to
reduce the likelihood that a cyber incident could cause
catastrophic regional or national effects on public
health or safety, economic security, or national
security.
(3) Submittal.--The Secretary shall submit to the
appropriate congressional committees the assessment and
strategy required by paragraph (1).
(4) Form.--The assessment and strategy submitted under
paragraph (3) may each include a classified annex.
SEC. 408. STOPPING THE FRAUDULENT SALE OF FINANCIAL INFORMATION OF
PEOPLE OF THE UNITED STATES.
Section 1029(h) of title 18, United States Code, is amended by
striking ``title if--'' and all that follows through ``therefrom.'' and
inserting ``title if the offense involves an access device issued,
owned, managed, or controlled by a financial institution, account
issuer, credit card system member, or other entity organized under the
laws of the United States, or any State, the District of Columbia, or
other Territory of the United States.''.
SEC. 409. EFFECTIVE PERIOD.
(a) In General.--Except as provided in subsection (b), this Act and
the amendments made by this Act shall be in effect during the 10-year
period beginning on the date of the enactment of this Act.
(b) Exception.--With respect to any action authorized by this Act
or information obtained pursuant to an action authorized by this Act,
which occurred before the date on which the provisions referred to in
subsection (a) cease to have effect, the provisions of this Act shall
continue in effect.
Passed the Senate October 27, 2015.
Attest:
Secretary.