Summary: H.R.3510 — 114th Congress (2015-2016)All Information (Except Text)

Bill summaries are authored by CRS.

Shown Here:
Passed House amended (10/06/2015)

Department of Homeland Security Cybersecurity Strategy Act of 2015

(Sec. 2) This bill amends the Homeland Security Act of 2002 to require the Department of Homeland Security (DHS) to develop a cybersecurity strategy that includes: (1) strategic and operational goals and priorities to execute the full range of DHS's cybersecurity responsibilities; and (2) information on programs, policies, and activities in furtherance of the cybersecurity functions of the national cybersecurity and communications integration center (NCCIC), investigations capabilities, research and development, and engagement with international partners.

In developing the strategy, DHS must consider: (1) the cybersecurity strategy published in November 2011 for governmental and nongovernmental entities involved in homeland security, including federal, state, local, and tribal government officials, private sector representatives, academics, and other policy experts; (2) the Department of Homeland Security Fiscal Years 2014-2018 Strategic Plan; and (3) the most recent Quadrennial Homeland Security Review.

The strategy must include the roles and responsibilities of DHS components and offices.

DHS must also issue an implementation plan that includes strategic objectives, projected timelines, costs for tasks, and evaluation metrics.

DHS must submit the strategy and implementation plan to Congress.

The bill prohibits the strategy from being construed as permitting DHS to engage in monitoring, surveillance, exfiltration, or other collection activities to track an individual's personally identifiable information.

The bill also prohibits DHS from changing the location or reporting structure of the National Protection and Programs Directorate without prior authorization from Congress.

For purposes of the NCCIC, the bill redefines "incident" to include occurrences that actually or imminently jeopardize, without lawful authority, an information system, thereby replacing a standard that currently includes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.