Text: H.R.3359 — 115th Congress (2017-2018)All Information (Except Text)

Text available as:

Shown Here:
Referred in Senate (12/12/2017)


115th CONGRESS
1st Session
H. R. 3359


IN THE SENATE OF THE UNITED STATES

December 12, 2017

Received; read twice and referred to the Committee on Homeland Security and Governmental Affairs


AN ACT

To amend the Homeland Security Act of 2002 to authorize the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Cybersecurity and Infrastructure Security Agency Act of 2017”.

SEC. 2. Cybersecurity and Infrastructure Security Agency.

(a) In general.—The Homeland Security Act of 2002 is amended by adding at the end the following new title:

“TITLE XXIICybersecurity and Infrastructure Security Agency

“subtitle ACybersecurity and Infrastructure Security

“SEC. 2201. Definitions.

“In this subtitle:

“(1) CRITICAL INFRASTRUCTURE INFORMATION.—The term ‘critical infrastructure information’ has the meaning given such term in section 2215.

“(2) CYBERSECURITY RISK.—The term ‘cybersecurity risk’ has the meaning given such term in section 2209.

“(3) CYBERSECURITY THREAT.—The term ‘cybersecurity threat’ has the meaning given such term in paragraph (5) of section 102 of the Cybersecurity Act of 2015 (contained in division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113; 6 U.S.C. 1501)).

“(4) FEDERAL ENTITY.—The term ‘Federal entity’ has the meaning given such term in paragraph (8) of section 102 of the Cybersecurity Act of 2015 (contained in division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113; 6 U.S.C. 1501)).

“(5) NON-FEDERAL ENTITY.—The term ‘non-Federal entity’ has the meaning given such term in paragraph (14) of section 102 of the Cybersecurity Act of 2015 (contained in division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113; 6 U.S.C. 1501)).

“(6) SECTOR-SPECIFIC AGENCY.—The term ‘Sector-Specific Agency’ means a Federal department or agency, designated by law or presidential directive, with responsibility for providing institutional knowledge and specialized expertise of a sector, as well as leading, facilitating, or supporting programs and associated activities of its designated critical infrastructure sector in the all hazards environment in coordination with the Department.

“(7) SHARING.—The term ‘sharing’ has the meaning given such term in section 2209.

“(8) NATIONAL CYBERSECURITY ASSET RESPONSE ACTIVITIES.—The term ‘national cybersecurity asset response activities’ means—

“(A) furnishing cybersecurity technical assistance to entities affected by cybersecurity risks to protect assets, mitigate vulnerabilities, and reduce impacts of cyber incidents;

“(B) identifying other entities that may be at risk of an incident and assessing risk to the same or similar vulnerabilities;

“(C) assessing potential cybersecurity risks to a sector or region, including potential cascading effects, and developing courses of action to mitigate such risks;

“(D) facilitating information sharing and operational coordination with threat response; and

“(E) providing guidance on how best to utilize Federal resources and capabilities in a timely, effective manner to speed recovery from cybersecurity risks.

“SEC. 2202. Cybersecurity and Infrastructure Security Agency.

“(a) Redesignation.—

“(1) IN GENERAL.—The National Protection and Programs Directorate of the Department shall, on and after the date of the enactment of this subtitle, be known as the ‘Cybersecurity and Infrastructure Security Agency’ (in this subtitle referred to as the ‘Agency’).

“(2) REFERENCES.—Any reference to the National Protection and Programs Directorate of the Department in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Cybersecurity and Infrastructure Security Agency of the Department.

“(b) Director.—

“(1) IN GENERAL.—The Agency shall be headed by a Director of Cybersecurity and Infrastructure Security (in this subtitle referred to as the ‘Director’), who shall report to the Secretary.

“(2) REFERENCE.—Any reference to an Under Secretary responsible for overseeing critical infrastructure protection, cybersecurity, and any other related program of the Department as described in section 103(a)(1)(H) as in effect on the day before the date of the enactment of this subtitle in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Director of Cybersecurity and Infrastructure Security of the Department.

“(c) Responsibilities.—The Director shall—

“(1) lead cybersecurity and critical infrastructure security programs, operations, and associated policy for the Agency, including national cybersecurity asset response activities;

“(2) coordinate with Federal entities, including Sector-Specific Agencies, and non-Federal entities, including international entities, to carry out the cybersecurity and critical infrastructure activities of the Agency, as appropriate;

“(3) carry out the Secretary’s responsibilities to secure Federal information and information systems consistent with law, including subchapter II of chapter 35 of title 44, United States Code, and the Cybersecurity Act of 2015 (contained in division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113));

“(4) coordinate a national effort to secure and protect against critical infrastructure risks, consistent with subsection (e)(1)(E);

“(5) upon request provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and, where appropriate, provide such analyses, expertise, and other technical assistance in coordination with Sector-Specific Agencies and other Federal departments and agencies;

“(6) develop and utilize mechanisms for active and frequent collaboration between the Agency and Sector-Specific Agencies to ensure appropriate coordination, situational awareness, and communications with Sector-Specific Agencies;

“(7) maintain and utilize mechanisms for the regular and ongoing consultation and collaboration among the Agency’s Divisions to further operational coordination, integrated situational awareness, and improved integration across the Agency in accordance with this Act;

“(8) develop, coordinate, and implement—

“(A) comprehensive strategic plans for the activities of the Agency; and

“(B) risk assessments by and for the Agency;

“(9) carry out emergency communications responsibilities, in accordance with title XVIII;

“(10) carry out cybersecurity, infrastructure security, and emergency communications stakeholder outreach and engagement and coordinate such outreach and engagement with critical infrastructure Sector-Specific Agencies, as appropriate; and

“(11) carry out such other duties and powers prescribed by law or delegated by the Secretary.

“(d) Deputy director.—There shall be in the Agency a Deputy Director of Cybersecurity and Infrastructure Security who shall—

“(1) assist the Director in the management of the Agency; and

“(2) report to the Director.

“(e) Cybersecurity and infrastructure security authorities of the Secretary.—

“(1) IN GENERAL.—The responsibilities of the Secretary relating to cybersecurity and infrastructure security shall include the following:

“(A) To access, receive, and analyze law enforcement information, intelligence information, and other information from Federal Government agencies, State, local, tribal, and territorial government agencies (including law enforcement agencies), and private sector entities, and to integrate such information, in support of the mission responsibilities of the Department, in order to—

“(i) identify and assess the nature and scope of terrorist threats to the homeland;

“(ii) detect and identify threats of terrorism against the United States; and

“(iii) understand such threats in light of actual and potential vulnerabilities of the homeland.

“(B) To carry out comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the United States, including the performance of risk assessments to determine the risks posed by particular types of terrorist attacks within the United States (including an assessment of the probability of success of such attacks and the feasibility and potential efficacy of various countermeasures to such attacks). At the discretion of the Secretary, such assessments may be carried out in coordination with Sector-Specific Agencies.

“(C) To integrate relevant information, analysis, and vulnerability assessments (regardless of whether such information, analysis, or assessments are provided or produced by the Department) in order to make recommendations, including prioritization, for protective and support measures by the Department, other Federal Government agencies, State, local, tribal, and territorial government agencies and authorities, the private sector, and other entities regarding terrorist and other threats to homeland security.

“(D) To ensure, pursuant to section 202, the timely and efficient access by the Department to all information necessary to discharge the responsibilities under this title, including obtaining such information from other Federal Government agencies.

“(E) To develop, in coordination with the Sector-Specific Agencies with available expertise, a comprehensive national plan for securing the key resources and critical infrastructure of the United States, including power production, generation, and distribution systems, information technology and telecommunications systems (including satellites), electronic financial and property record storage and transmission systems, emergency communications systems, and the physical and technological assets that support such systems.

“(F) To recommend measures necessary to protect the key resources and critical infrastructure of the United States in coordination with other Federal Government agencies, including Sector-Specific Agencies, and in cooperation with State, local, tribal, and territorial government agencies and authorities, the private sector, and other entities.

“(G) To review, analyze, and make recommendations for improvements to the policies and procedures governing the sharing of information relating to homeland security within the Federal Government and between Federal Government agencies and State, local, tribal, and territorial government agencies and authorities.

“(H) To disseminate, as appropriate, information analyzed by the Department within the Department, to other Federal Government agencies with responsibilities relating to homeland security, and to State, local, tribal, and territorial government agencies and private sector entities with such responsibilities in order to assist in the deterrence, prevention, preemption of, or response to, terrorist attacks against the United States.

“(I) To consult with State, local, tribal, and territorial government agencies and private sector entities to ensure appropriate exchanges of information, including law enforcement-related information, relating to threats of terrorism against the United States.

“(J) To ensure that any material received pursuant to this Act is protected from unauthorized disclosure and handled and used only for the performance of official duties.

“(K) To request additional information from other Federal Government agencies, State, local, tribal, and territorial government agencies, and the private sector relating to threats of terrorism in the United States, or relating to other areas of responsibility assigned by the Secretary, including the entry into cooperative agreements through the Secretary to obtain such information.

“(L) To establish and utilize, in conjunction with the chief information officer of the Department, a secure communications and information technology infrastructure, including data-mining and other advanced analytical tools, in order to access, receive, and analyze data and information in furtherance of the responsibilities under this section, and to disseminate information acquired and analyzed by the Department, as appropriate.

“(M) To coordinate training and other support to the elements and personnel of the Department, other Federal Government agencies, and State, local, tribal, and territorial government agencies that provide information to the Department, or are consumers of information provided by the Department, in order to facilitate the identification and sharing of information revealed in their ordinary duties and the optimal utilization of information received from the Department.

“(N) To coordinate with Federal, State, local, tribal, and territorial law enforcement agencies, and the private sector, as appropriate.

“(O) To exercise the authorities and oversight of the functions, personnel, assets, and liabilities of those components transferred to the Department pursuant to section 201(g).

“(P) To carry out the functions of the national cybersecurity and communications integration center under section 2209.

“(Q) To carry out requirements of the Chemical Facilities Anti-Terrorism Standards Program established under title XXI and the secure handling of ammonium nitrate established under subtitle J of title VIII.

“(2) REALLOCATION.—The Secretary may reallocate within the Agency the functions specified in sections 2203(b) and 2204(b), consistent with the responsibilities provided in paragraph (1) of this subsection, upon certifying to and briefing the appropriate congressional committees, and making available to the public, at least 60 days prior to any such reallocation that such reallocation is necessary for carrying out the activities of the Agency.

“(3) STAFF.—

“(A) IN GENERAL.—The Secretary shall provide the Agency with a staff of analysts having appropriate expertise and experience to assist the Agency in discharging its responsibilities under this section.

“(B) PRIVATE SECTOR ANALYSTS.—Analysts under this subsection may include analysts from the private sector.

“(C) SECURITY CLEARANCES.—Analysts under this subsection shall possess security clearances appropriate for their work under this section.

“(4) DETAIL OF PERSONNEL.—

“(A) IN GENERAL.—In order to assist the Agency in discharging its responsibilities under this section, personnel of the Federal agencies referred to in subparagraph (B) may be detailed to the Agency for the performance of analytic functions and related duties.

“(B) AGENCIES SPECIFIED.—The Federal agencies referred to in subparagraph (A) are the following:

“(i) The Department of State.

“(ii) The Central Intelligence Agency.

“(iii) The Federal Bureau of Investigation.

“(iv) The National Security Agency.

“(v) The National Geospatial-Intelligence Agency.

“(vi) The Defense Intelligence Agency.

“(vii) Sector-Specific Agencies.

“(viii) Any other agency of the Federal Government that the President considers appropriate.

“(C) INTERAGENCY AGREEMENTS.—The Secretary and the head of an agency specified in subparagraph (B) may enter into agreements for the purpose of detailing personnel under this paragraph.

“(D) BASIS.—The detail of personnel under this paragraph may be on a reimbursable or non-reimbursable basis.

“(f) Composition.—The Agency shall be composed of the following divisions:

“(1) The Cybersecurity Division, headed by an Assistant Director.

“(2) The Infrastructure Security Division, headed by an Assistant Director.

“(3) The Emergency Communications Division under title XVIII, headed by an Assistant Director.

“(g) Co-Location.—To the maximum extent practicable, the Director shall examine the establishment of central locations in geographical regions with a significant Agency presence. When establishing such locations, the Director shall coordinate with component heads and the Under Secretary for Management to co-locate or partner on any new real property leases, renewing any occupancy agreements for existing leases, or agreeing to extend or newly occupy any Federal space or new construction.

“(h) Privacy.—

“(1) IN GENERAL.—There shall be a Privacy Officer of the Agency with primary responsibility for privacy policy and compliance for the Agency.

“(2) RESPONSIBILITIES.—The responsibilities of the Privacy Officer of the Agency shall include—

“(A) assuring that the use of technologies by the Agency sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information;

“(B) assuring that personal information contained in Privacy Act systems of records of the Agency is handled in full compliance with fair information practices as specified in the Privacy Act of 1974;

“(C) evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Agency; and

“(D) conducting a privacy impact assessment of proposed rules of the Agency on the privacy of personal information, including the type of personal information collected and the number of people affected.

“(i) Savings.—Nothing in this title may be construed as affecting in any manner the authority, existing on the day before the date of the enactment of this title, of any other component of the Department or any other Federal department or agency.

“SEC. 2203. Cybersecurity Division.

“(a) Establishment.—

“(1) IN GENERAL.—There is established in the Agency a Cybersecurity Division.

“(2) ASSISTANT DIRECTOR.—The Cybersecurity Division shall be headed by an Assistant Director for Cybersecurity (in this subtitle referred to as the ‘Assistant Director’), who shall—

“(A) be at the level of Assistant Secretary within the Department;

“(B) be appointed by the President without the advice and consent of the Senate; and

“(C) report to the Director.

“(3) REFERENCE.—Any reference to the Assistant Secretary for Cybersecurity and Communications in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Assistant Director for Cybersecurity.

“(b) Functions.—The Assistant Director shall—

“(1) direct the cybersecurity efforts of the Agency;

“(2) carry out activities, at the direction of the Director, related to the security of Federal information and Federal information systems consistent with law, including subchapter II of chapter 35 of title 44, United States Code, and the Cybersecurity Act of 2015 (contained in division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113));

“(3) fully participate in the mechanisms required under subsection (c)(7) of section 2202; and

“(4) carry out such other duties and powers as prescribed by the Director.

“SEC. 2204. Infrastructure Security Division.

“(a) Establishment.—

“(1) IN GENERAL.—There is established in the Agency an Infrastructure Security Division.

“(2) ASSISTANT DIRECTOR.—The Infrastructure Security Division shall be headed by an Assistant Director of Infrastructure Security (in this section referred to as the ‘Assistant Director’), who shall—

“(A) be at the level of Assistant Secretary within the Department;

“(B) be appointed by the President without the advice and consent of the Senate; and

“(C) report to the Director.

“(3) REFERENCE.—Any reference to the Assistant Secretary for Infrastructure Protection in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Assistant Director for Infrastructure Security.

“(b) Functions.—The Assistant Director shall—

“(1) direct the critical infrastructure security efforts of the Agency;

“(2) carry, at the direction of the Director, the Chemical Facilities Anti-Terrorism Standards Program established under title XXI and the secure handling of ammonium nitrate established under subtitle J of title VIII or successor program;

“(3) fully participate in the mechanisms required under subsection (c)(7) of section 2202; and

“(4) carry out such other duties and powers as prescribed by the Director.”.

(b) Treatment of certain positions.—

(1) UNDER SECRETARY.—The individual serving as the Under Secretary appointed pursuant to section 103(a)(1)(H) of the Homeland Security Act of 2002 (6 U.S.C. 113(a)(1)) of the Department of Homeland Security on the day before the date of the enactment of this Act may continue to serve as the Director of the Cybersecurity and Infrastructure Security Agency of the Department on and after such date.

(2) DIRECTOR FOR EMERGENCY COMMUNICATIONS.—The individual serving as the Director for Emergency Communications of the Department of Homeland Security on the day before the date of the enactment of this Act may continue to serve as the Assistant Director for Emergency Communications of the Department on and after such date.

(3) ASSISTANT SECRETARY FOR CYBERSECURITY AND COMMUNICATIONS.—The individual serving as the Assistant Secretary for Cybersecurity and Communications on the day before the date of the enactment of this Act may continue to serve as the Assistant Director for Cybersecurity on and after such date.

(4) ASSISTANT SECRETARY FOR INFRASTRUCTURE SECURITY.—The individual serving as the Assistant Secretary for Infrastructure Protection on the day before the date of the enactment of this Act may continue to serve as the Assistant Director for Infrastructure Security on and after such date.

(c) Reference.—Any reference to—

(1) the Office of Emergency Communications in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Emergency Communications Division; and

(2) the Director for Emergency Communications in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Assistant Director for Emergency Communications.

(d) Oversight.—The Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security shall provide to Congress, in accordance with the deadlines specified in paragraphs (1) and (2), information on the following:

(1) Not later than 60 days after the date of the enactment of this Act, a briefing on the activities of the Agency relating to the development and use of the mechanisms required pursuant to section 2202(c)(6) of the Homeland Security Act of 2002 (as added by subsection (a) of this section).

(2) Not later than 1 year after the date of the enactment of this Act, a briefing on the activities of the Agency relating to its use and improvement of the mechanisms required pursuant to section 2202(c)(6) of the Homeland Security Act of 2002 and how such activities have impacted coordination, situational awareness, and communications with Sector-Specific Agencies.

(3) Not later than 90 days after the date of the enactment of this Act, information on the Agency’s mechanisms for regular and ongoing consultation and collaboration, as required pursuant to section 2202(c)(7) of the Homeland Security Act of 2002 (as added by subsection (a) of this section).

(4) Not later than 1 year after the date of the enactment of this Act, the activities of the Agency’s consultation and collaboration mechanisms as required pursuant to section 2202(c)(7) of the Homeland Security Act of 2002, and how such mechanisms have impacted operational coordination, situational awareness, and integration across the Agency.

(e) Cyber workforce.—Not later than 90 days after the date of the enactment of this subtitle, the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security shall submit to Congress a report detailing how the Agency is meeting legislative requirements under the Cybersecurity Workforce Assessment Act (Public Law 113–246) and the Homeland Security Cybersecurity Workforce Assessment Act (enacted as section 4 of the Border Patrol Agent Pay Reform Act of 2014; Public Law 113–277) to address cyber workforce needs.

(f) Facility.—Not later than 180 days after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security shall report to Congress on the most efficient and effective methods of consolidating Agency facilities, personnel, and programs to most effectively carry out the Agency’s mission.

(g) Conforming amendments to the Homeland Security Act of 2002.—The Homeland Security Act of 2002 is amended—

(1) in title I, by amending subparagraph (H) of section 103(a)(1) (6 U.S.C. 113(a)(1)) to read as follows:

“(H) A Director of the Cybersecurity and Infrastructure Security Agency.”;

(2) in title II (6 U.S.C. 121 et seq.)—

(A) in the title heading, by striking “and infrastructure protection”;

(B) in the subtitle A heading, by striking “and infrastructure protection”;

(C) in section 201 (6 U.S.C. 121)—

(i) in the section heading, by striking “and infrastructure protection”;

(ii) in subsection (a)—

(I) in the heading, by striking “and infrastructure protection”; and

(II) by striking “and an Office of Infrastructure Protection”;

(iii) in subsection (b)—

(I) in the heading, by striking “and Assistant Secretary for Infrastructure Protection”; and

(II) by striking paragraph (3);

(iv) in subsection (c)—

(I) by striking “and infrastructure protection”; and

(II) by striking “or the Assistant Secretary for Infrastructure Protection, as appropriate”;

(v) in subsection (d)—

(I) in the heading, by striking “and infrastructure protection”;

(II) in the matter preceding paragraph (1), by striking “and infrastructure protection”;

(III) by striking paragraphs (5) and (6) and redesignating paragraphs (7) through (26) as paragraphs (5) through (24), respectively;

(IV) by striking paragraph (23), as so redesignated; and

(V) by redesignating paragraph (24), as so redesignated, as paragraph (23);

(vi) in subsection (e)(1), by striking “and the Office of Infrastructure Protection”; and

(vii) in subsection (f)(1), by striking “and the Office of Infrastructure Protection”;

(D) in section 204 (6 U.S.C. 124a)—

(i) in subsection (c)(1), in the matter preceding subparagraph (A), by striking “Assistant Secretary for Infrastructure Protection” and inserting “Director of the Cybersecurity and Infrastructure Security Agency”; and

(ii) in subsection (d)(1), in the matter preceding subparagraph (A), by striking “Assistant Secretary for Infrastructure Protection” and inserting “Director of the Cybersecurity and Infrastructure Security Agency”;

(E) in subparagraph (B) of section 210A(c)(2) (6 U.S.C. 124h(c)(2)), by striking “Office of Infrastructure Protection” and inserting “Cybersecurity and Infrastructure Security Agency”;

(F) by transferring section 210E (6 U.S.C. 124) to appear after section 2213 (as redesignated by subparagraph (H) of this paragraph) and redesignating such section 210E as section 2214;

(G) in subtitle B, by redesignating sections 211 through 215 (6 U.S.C. 101 note through 134) as sections 2221 through 2225, respectively, and inserting such redesignated sections, including the enumerator and heading of subtitle B (containing such redesignated sections), after section 2214, as redesignated by subparagraph (F) of this paragraph; and

(H) by redesignating sections 223 through 230 (6 U.S.C. 143 through 151) as sections 2205 through 2213, respectively, and inserting such redesignated sections after section 2204, as added by this Act;

(3) in title III, in paragraph (3) of section 302 (6 U.S.C. 182), by striking “Assistant Secretary for Infrastructure Protection” and inserting “Director of the Cybersecurity and Infrastructure Security Agency”;

(4) in title V—

(A) in section 514 (6 U.S.C. 321c), by—

(i) striking subsection (b); and

(ii) redesignating subsection (c) as subsection (b);

(B) in section 523 (6 U.S.C. 321l)—

(i) in subsection (a), in the matter preceding paragraph (1), by striking “Assistant Secretary for Infrastructure Protection” and inserting “Director of the Cybersecurity and Infrastructure Security Agency”; and

(ii) in subsection (c), by striking “Assistant Secretary for Infrastructure Protection” and inserting “Director of the Cybersecurity and Infrastructure Security Agency”; and

(C) in section 524(a)(2)(B) (6 U.S.C. 321m(a)(2)(B)), in the matter preceding clause (i)—

(i) by striking “Assistant Secretary for Infrastructure Protection” and inserting “Director of the Cybersecurity and Infrastructure Security Agency”; and

(ii) by striking “of the Assistant Secretary” and inserting “of the Director”;

(5) in title VIII, in section 899B(a) (6 U.S.C. 488a(a)), by inserting at the end the following new sentence: “Such regulations shall be carried out by the Cybersecurity and Infrastructure Security Agency.”;

(6) in title XVIII (6 U.S.C. 571 et seq.)—

(A) in section 1801 (6 U.S.C. 571)—

(i) in the section heading, by striking “Office of Emergency Communications” and inserting “Emergency Communications Division”;

(ii) in subsection (a)—

(I) by striking “Office of Emergency Communications” and inserting “Emergency Communications Division”; and

(II) by adding at the end the following new sentence: “The Division shall be located in the Cybersecurity and Infrastructure Security Agency.”;

(iii) by amending subsection (b) to read as follows:

“(b) Assistant Director.—The head of the office shall be the Assistant Director for Emergency Communications. The Assistant Director shall report to the Director of the Cybersecurity and Infrastructure Security Agency. All decisions of the Assistant Director that entail the exercise of significant authority shall be subject to the approval of the Director.”;

(iv) in subsection (c)—

(I) in the matter preceding paragraph (1), by inserting “Assistant” before “Director”;

(II) in paragraph (14), by striking “and” at the end;

(III) by redesignating paragraph (15) as paragraph (16); and

(IV) by inserting after paragraph (14) the following new paragraph:

“(15) fully participate in the mechanisms required under subsection (c)(7) of section 2202; and”;

(v) in subsection (d), by inserting “Assistant” before “Director”; and

(vi) in subsection (e), in the matter preceding paragraph (1), by inserting “Assistant” before “Director”;

(B) in sections 1802 through 1805 (6 U.S.C. 575), by striking “Director for Emergency Communications” each place it appears and inserting “Assistant Director for Emergency Communications”;

(C) in section 1809 (6 U.S.C. 579)—

(i) by striking “Director for Emergency Communications” and inserting “Assistant Director for Emergency Communications”; and

(ii) by striking “Office of Emergency Communications” each place it appears and inserting “Emergency Communications Division”; and

(D) in section 1810 (6 U.S.C. 580)—

(i) in subsection (a)(1), by striking “Director of the Office of Emergency Communications (referred to in this section as the ‘Director’)” and inserting “Assistant Director for the Emergency Communications Division (referred to in this section as the ‘Assistant Director’)”;

(ii) in subsection (c), by striking “Office of Emergency Communications” and inserting “Emergency Communications Division”; and

(iii) by striking “Director” each place it appears and inserting “Assistant Director”;

(7) in title XXI (6 U.S.C. 621 et seq.)—

(A) in section 2101 (6 U.S.C. 621)—

(i) by redesignating paragraphs (4) through (14) as paragraphs (5) through (15), respectively; and

(ii) by inserting after paragraph (3) the following new paragraph:

“(4) the term ‘Director’ means the Director of the Cybersecurity and Infrastructure Security Agency;”;

(B) in paragraph (1) of section 2102(a) (6 U.S.C. 622(a)), by inserting at the end the following new sentence: “Such Program shall be located in the Cybersecurity and Infrastructure Security Agency.”; and

(C) in paragraph (2) of section 2104(c) (6 U.S.C. 624(c)), by striking “Under Secretary responsible for overseeing critical infrastructure protection, cybersecurity, and other related programs of the Department appointed under section 103(a)(1)(H)” and inserting “Director of the Cybersecurity and Infrastructure Security Agency ”; and

(8) in title XXII, as added by this Act—

(A) in section 2205, as so redesignated, in the matter preceding paragraph (1), by striking “Under Secretary appointed under section 103(a)(1)(H)” and inserting “Director of the Cybersecurity and Infrastructure Security Agency”;

(B) in section 2206, as so redesignated, by striking “Assistant Secretary for Infrastructure Protection” and inserting “Director of the Cybersecurity and Infrastructure Security Agency”;

(C) in section 2209, as so redesignated—

(i) by striking “Under Secretary appointed under section 103(a)(1)(H)” each place it appears and inserting “Director of the Cybersecurity and Infrastructure Security Agency”;

(ii) in subsection (b), by adding at the end the following new sentences: “The Center shall be located in the Cybersecurity and Infrastructure Security Agency. The head of the Center shall report to the Assistant Director for Cybersecurity.”; and

(iii) in subsection (c)(11), by striking “Office of Emergency Communications” and inserting “Emergency Communications Division”;

(D) in section 2210, as so redesignated—

(i) by striking “section 227” each place it appears and inserting “section 2209”; and

(ii) in subsection (c)—

(I) by striking “Under Secretary appointed under section 103(a)(1)(H)” and inserting “Director of the Cybersecurity and Infrastructure Security Agency”; and

(II) by striking “section 212(5)” and inserting “section 2225(5)”;

(E) in subsection (b)(2)(A) of section 2211, as so redesignated, by striking “section 227” and inserting “section 2209”;

(F) in section 2212, as so redesignated, by striking “section 212(5)” and inserting “section 2225(5)”; and

(G) in section 2213, as so redesignated, in subsection (a)—

(i) in paragraph (3), by striking “section 228” and inserting “section 2210”; and

(ii) in paragraph (4), by striking “section 227” and inserting “section 2209”.

(h) Conforming amendment to title 5, United States Code.—Section 5314 of title 5, United States Code, is amended by inserting after “Under Secretaries, Department of Homeland Security.” the following new item:

“ Director, Cybersecurity and Infrastructure Security Agency.”.

(i) Clerical amendments.—The table of contents in section 1(b) of the Homeland Security Act of 2002 is amended—

(1) in title II—

(A) in the item relating to the title heading, by striking “AND INFRASTRUCTURE PROTECTION”;

(B) in the item relating to the heading of subtitle A, by striking “and Infrastructure Protection”;

(C) in the item relating to section 201, by striking “and Infrastructure Protection”;

(D) by striking the item relating to section 210E;

(E) by striking the items relating to subtitle B of title II; and

(F) by striking the items relating to section 223 through section 230;

(2) in title XVIII, by amending the item relating to section 1801 to read as follows:


“Sec. 1801. Emergency Communications Division.”; and

(3) by adding at the end the following new items:

“TITLE XXII—CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

“Subtitle A—Cybersecurity and Infrastructure Security


“Sec. 2201. Definitions.

“Sec. 2202. Cybersecurity and Infrastructure Security Agency.

“Sec. 2203. Cybersecurity Division.

“Sec. 2204. Infrastructure Security Division.

“Sec. 2205. Enhancement of Federal and non-Federal cybersecurity.

“Sec. 2206. Net guard.

“Sec. 2207. Cyber Security Enhancement Act of 2002.

“Sec. 2208. Cybersecurity recruitment and retention.

“Sec. 2209. National cybersecurity and communications integration center.

“Sec. 2210. Cybersecurity plans.

“Sec. 2211. Cybersecurity strategy.

“Sec. 2212. Clearances.

“Sec. 2213. Federal intrusion detection and prevention system.

“Sec. 2214. National Asset Database.

“Subtitle B—Critical Infrastructure Information


“Sec. 2221. Short title.

“Sec. 2222. Definitions.

“Sec. 2223. Designation of critical infrastructure protection program.

“Sec. 2224. Protection of voluntarily shared critical infrastructure information.

“Sec. 2225. No private right of action.”.

SEC. 3. Transfer of other entities.

(a) Office of Biometric Identity Management.—The Office of Biometric Identity Management of the Department of Homeland Security located in the National Protection and Programs Directorate of the Department of Homeland Security on the day before the date of the enactment of this Act is hereby transferred to the Management Directorate of the Department.

(b) Federal Protective Service.—The Secretary of Homeland Security is authorized to transfer the Federal Protective Service, as authorized under section 1315 of title 40, United States Code, to any component, directorate, or other office of the Department of Homeland Security that the Secretary determines appropriate.

SEC. 4. Rule of construction.

Nothing in this Act may be construed as—

(1) conferring new authorities to the Secretary of Homeland Security, including programmatic, regulatory, or enforcement authorities, outside of the authorities in existence on the day before the date of the enactment of this Act;

(2) reducing or limiting the programmatic, regulatory, or enforcement authority vested in any other Federal agency by statute; or

(3) affecting in any manner the authority, existing on the day before the date of the enactment of this Act, of any other Federal agency or component of the Department of Homeland Security.

SEC. 5. Prohibition on additional funding.

No additional funds are authorized to be appropriated to carry out this Act or the amendments made by this Act. This Act and such amendments shall be carried out using amounts otherwise authorized.

Passed the House of Representatives December 11, 2017.

    Attest: karen l. haas,   
    Clerk