Report text available as:

  • TXT
  • PDF   (PDF provides a complete and accurate display of this text.) Tip ?

114th Congress   }                                        {      Report
                        HOUSE OF REPRESENTATIVES
 1st Session     }                                        {      114-63

======================================================================



 
                     PROTECTING CYBER NETWORKS ACT

                                _______
                                

 April 13, 2015.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

    Mr. Nunes, from the Permanent Select Committee on Intelligence, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 1560]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Permanent Select Committee on 
Intelligence, to whom was referred the bill (H.R. 1560) to 
improve cybersecurity in the United States through enhanced 
sharing of information about cybersecurity threats, and for 
other purposes, having considered the same, report favorably 
thereon with an amendment and recommend that the bill as 
amended do pass.
    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

  (a) Short Title.--This Act may be cited as the ``Protecting Cyber 
Networks Act''.
  (b) Table of Contents.--The table of contents of this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Sharing of cyber threat indicators and defensive measures by 
the Federal Government with non-Federal entities.
Sec. 3. Authorizations for preventing, detecting, analyzing, and 
mitigating cybersecurity threats.
Sec. 4. Sharing of cyber threat indicators and defensive measures with 
appropriate Federal entities other than the Department of Defense or 
the National Security Agency.
Sec. 5. Federal Government liability for violations of privacy or civil 
liberties.
Sec. 6. Protection from liability.
Sec. 7. Oversight of Government activities.
Sec. 8. Report on cybersecurity threats.
Sec. 9. Construction and preemption.
Sec. 10. Conforming amendments.
Sec. 11. Definitions.

SEC. 2. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES BY 
                    THE FEDERAL GOVERNMENT WITH NON-FEDERAL ENTITIES.

  (a) In General.--Title I of the National Security Act of 1947 (50 
U.S.C. 3021 et seq.) is amended by inserting after section 110 (50 
U.S.C. 3045) the following new section:

``SEC. 111. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES 
                    BY THE FEDERAL GOVERNMENT WITH NON-FEDERAL 
                    ENTITIES.

  ``(a) Sharing by the Federal Government.--
          ``(1) In general.--Consistent with the protection of 
        classified information, intelligence sources and methods, and 
        privacy and civil liberties, the Director of National 
        Intelligence, in consultation with the heads of the other 
        appropriate Federal entities, shall develop and promulgate 
        procedures to facilitate and promote--
                  ``(A) the timely sharing of classified cyber threat 
                indicators in the possession of the Federal Government 
                with representatives of relevant non-Federal entities 
                with appropriate security clearances;
                  ``(B) the timely sharing with relevant non-Federal 
                entities of cyber threat indicators in the possession 
                of the Federal Government that may be declassified and 
                shared at an unclassified level; and
                  ``(C) the sharing with non-Federal entities, if 
                appropriate, of information in the possession of the 
                Federal Government about imminent or ongoing 
                cybersecurity threats to such entities to prevent or 
                mitigate adverse impacts from such cybersecurity 
                threats.
          ``(2) Development of procedures.--The procedures developed 
        and promulgated under paragraph (1) shall--
                  ``(A) ensure the Federal Government has and maintains 
                the capability to share cyber threat indicators in real 
                time consistent with the protection of classified 
                information;
                  ``(B) incorporate, to the greatest extent 
                practicable, existing processes and existing roles and 
                responsibilities of Federal and non-Federal entities 
                for information sharing by the Federal Government, 
                including sector-specific information sharing and 
                analysis centers;
                  ``(C) include procedures for notifying non-Federal 
                entities that have received a cyber threat indicator 
                from a Federal entity in accordance with this Act that 
                is known or determined to be in error or in 
                contravention of the requirements of this section, the 
                Protecting Cyber Networks Act, or the amendments made 
                by such Act or another provision of Federal law or 
                policy of such error or contravention;
                  ``(D) include requirements for Federal entities 
                receiving a cyber threat indicator or defensive measure 
                to implement appropriate security controls to protect 
                against unauthorized access to, or acquisition of, such 
                cyber threat indicator or defensive measure;
                  ``(E) include procedures that require Federal 
                entities, prior to the sharing of a cyber threat 
                indicator, to--
                          ``(i) review such cyber threat indicator to 
                        assess whether such cyber threat indicator, in 
                        contravention of the requirement under section 
                        3(d)(2) of the Protecting Cyber Networks Act, 
                        contains any information that such Federal 
                        entity knows at the time of sharing to be 
                        personal information of or information 
                        identifying a specific person not directly 
                        related to a cybersecurity threat and remove 
                        such information; or
                          ``(ii) implement a technical capability 
                        configured to remove or exclude any personal 
                        information of or information identifying a 
                        specific person not directly related to a 
                        cybersecurity threat; and
                  ``(F) include procedures to promote the efficient 
                granting of security clearances to appropriate 
                representatives of non-Federal entities.
  ``(b) Definitions.--In this section, the terms `appropriate Federal 
entities', `cyber threat indicator', `defensive measure', `Federal 
entity', and `non-Federal entity' have the meaning given such terms in 
section 11 of the Protecting Cyber Networks Act.''.
  (b) Submittal to Congress.--Not later than 90 days after the date of 
the enactment of this Act, the Director of National Intelligence, in 
consultation with the heads of the other appropriate Federal entities, 
shall submit to Congress the procedures required by section 111(a) of 
the National Security Act of 1947, as inserted by subsection (a) of 
this section.
  (c) Table of Contents Amendment.--The table of contents in the first 
section of the National Security Act of 1947 is amended by inserting 
after the item relating to section 110 the following new item:

``Sec. 111. Sharing of cyber threat indicators and defensive measures 
by the Federal Government with non-Federal entities.''.

SEC. 3. AUTHORIZATIONS FOR PREVENTING, DETECTING, ANALYZING, AND 
                    MITIGATING CYBERSECURITY THREATS.

  (a) Authorization for Private-sector Defensive Monitoring.--
          (1) In general.--Notwithstanding any other provision of law, 
        a private entity may, for a cybersecurity purpose, monitor--
                  (A) an information system of such private entity;
                  (B) an information system of a non-Federal entity or 
                a Federal entity, upon the written authorization of 
                such non-Federal entity or such Federal entity; and
                  (C) information that is stored on, processed by, or 
                transiting an information system monitored by the 
                private entity under this paragraph.
          (2) Construction.--Nothing in this subsection shall be 
        construed to--
                  (A) authorize the monitoring of an information 
                system, or the use of any information obtained through 
                such monitoring, other than as provided in this Act;
                  (B) authorize the Federal Government to conduct 
                surveillance of any person; or
                  (C) limit otherwise lawful activity.
  (b) Authorization for Operation of Defensive Measures.--
          (1) In general.--Except as provided in paragraph (2) and 
        notwithstanding any other provision of law, a private entity 
        may, for a cybersecurity purpose, operate a defensive measure 
        that is operated on and is limited to--
                  (A) an information system of such private entity to 
                protect the rights or property of the private entity; 
                and
                  (B) an information system of a non-Federal entity or 
                a Federal entity upon written authorization of such 
                non-Federal entity or such Federal entity for operation 
                of such defensive measure to protect the rights or 
                property of such private entity, such non-Federal 
                entity, or such Federal entity.
          (2) Limitation.--The authority provided in paragraph (1) does 
        not include the intentional or reckless operation of any 
        defensive measure that destroys, renders unusable or 
        inaccessible (in whole or in part), substantially harms, or 
        initiates a new action, process, or procedure on an information 
        system or information stored on, processed by, or transiting 
        such information system not owned by--
                  (A) the private entity operating such defensive 
                measure; or
                  (B) a non-Federal entity or a Federal entity that has 
                provided written authorization to that private entity 
                for operation of such defensive measure on the 
                information system or information of the entity in 
                accordance with this subsection.
          (3) Construction.--Nothing in this subsection shall be 
        construed--
                  (A) to authorize the use of a defensive measure other 
                than as provided in this subsection; or
                  (B) to limit otherwise lawful activity.
  (c) Authorization for Sharing or Receiving Cyber Threat Indicators or 
Defensive Measures.--
          (1) In general.--Except as provided in paragraph (2) and 
        notwithstanding any other provision of law, a non-Federal 
        entity may, for a cybersecurity purpose and consistent with the 
        requirement under subsection (d)(2) to remove personal 
        information of or information identifying a specific person not 
        directly related to a cybersecurity threat and the protection 
        of classified information--
                  (A) share a lawfully obtained cyber threat indicator 
                or defensive measure with any other non-Federal entity 
                or an appropriate Federal entity (other than the 
                Department of Defense or any component of the 
                Department, including the National Security Agency); 
                and
                  (B) receive a cyber threat indicator or defensive 
                measure from any other non-Federal entity or an 
                appropriate Federal entity.
          (2) Lawful restriction.--A non-Federal entity receiving a 
        cyber threat indicator or defensive measure from another non-
        Federal entity or a Federal entity shall comply with otherwise 
        lawful restrictions placed on the sharing or use of such cyber 
        threat indicator or defensive measure by the sharing non-
        Federal entity or Federal entity.
          (3) Construction.--Nothing in this subsection shall be 
        construed to--
                  (A) authorize the sharing or receiving of a cyber 
                threat indicator or defensive measure other than as 
                provided in this subsection;
                  (B) authorize the sharing or receiving of classified 
                information by or with any person not authorized to 
                access such classified information;
                  (C) prohibit any Federal entity from engaging in 
                formal or informal technical discussion regarding cyber 
                threat indicators or defensive measures with a non-
                Federal entity or from providing technical assistance 
                to address vulnerabilities or mitigate threats at the 
                request of such an entity;
                  (D) limit otherwise lawful activity;
                  (E) prohibit a non-Federal entity, if authorized by 
                applicable law or regulation other than this Act, from 
                sharing a cyber threat indicator or defensive measure 
                with the Department of Defense or any component of the 
                Department, including the National Security Agency; or
                  (F) authorize the Federal Government to conduct 
                surveillance of any person.
  (d) Protection and Use of Information.--
          (1) Security of information.--A non-Federal entity monitoring 
        an information system, operating a defensive measure, or 
        providing or receiving a cyber threat indicator or defensive 
        measure under this section shall implement an appropriate 
        security control to protect against unauthorized access to, or 
        acquisition of, such cyber threat indicator or defensive 
        measure.
          (2) Removal of certain personal information.--A non-Federal 
        entity sharing a cyber threat indicator pursuant to this Act 
        shall, prior to such sharing, take reasonable efforts to--
                  (A) review such cyber threat indicator to assess 
                whether such cyber threat indicator contains any 
                information that the non-Federal entity reasonably 
                believes at the time of sharing to be personal 
                information of or information identifying a specific 
                person not directly related to a cybersecurity threat 
                and remove such information; or
                  (B) implement a technical capability configured to 
                remove any information contained within such indicator 
                that the non-Federal entity reasonably believes at the 
                time of sharing to be personal information of or 
                information identifying a specific person not directly 
                related to a cybersecurity threat.
          (3) Use of cyber threat indicators and defensive measures by 
        non-federal entities.--A non-Federal entity may, for a 
        cybersecurity purpose--
                  (A) use a cyber threat indicator or defensive measure 
                shared or received under this section to monitor or 
                operate a defensive measure on--
                          (i) an information system of such non-Federal 
                        entity; or
                          (ii) an information system of another non-
                        Federal entity or a Federal entity upon the 
                        written authorization of that other non-Federal 
                        entity or that Federal entity; and
                  (B) otherwise use, retain, and further share such 
                cyber threat indicator or defensive measure subject 
                to--
                          (i) an otherwise lawful restriction placed by 
                        the sharing non-Federal entity or Federal 
                        entity on such cyber threat indicator or 
                        defensive measure; or
                          (ii) an otherwise applicable provision of 
                        law.
          (4) Use of cyber threat indicators by state, tribal, or local 
        government.--
                  (A) Law enforcement use.--A State, tribal, or local 
                government may use a cyber threat indicator shared with 
                such State, tribal, or local government for the 
                purposes described in clauses (i), (ii), and (iii) of 
                section 4(d)(5)(A).
                  (B) Exemption from disclosure.--A cyber threat 
                indicator shared with a State, tribal, or local 
                government under this section shall be--
                          (i) deemed voluntarily shared information; 
                        and
                          (ii) exempt from disclosure under any State, 
                        tribal, or local law requiring disclosure of 
                        information or records, except as otherwise 
                        required by applicable State, tribal, or local 
                        law requiring disclosure in any criminal 
                        prosecution.
  (e) No Right or Benefit.--The sharing of a cyber threat indicator 
with a non-Federal entity under this Act shall not create a right or 
benefit to similar information by such non-Federal entity or any other 
non-Federal entity.

SEC. 4. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES WITH 
                    APPROPRIATE FEDERAL ENTITIES OTHER THAN THE 
                    DEPARTMENT OF DEFENSE OR THE NATIONAL SECURITY 
                    AGENCY.

  (a) Requirement for Policies and Procedures.--
          (1) In general.--Section 111 of the National Security Act of 
        1947, as inserted by section 2 of this Act, is amended--
                  (A) by redesignating subsection (b) as subsection 
                (c); and
                  (B) by inserting after subsection (a) the following 
                new subsection:
  ``(b) Policies and Procedures for Sharing With the Appropriate 
Federal Entities Other Than the Department of Defense or the National 
Security Agency.--
          ``(1) Establishment.--The President shall develop and submit 
        to Congress policies and procedures relating to the receipt of 
        cyber threat indicators and defensive measures by the Federal 
        Government.
          ``(2) Requirements concerning policies and procedures.--The 
        policies and procedures required under paragraph (1) shall--
                  ``(A) be developed in accordance with the privacy and 
                civil liberties guidelines required under section 4(b) 
                of the Protecting Cyber Networks Act;
                  ``(B) ensure that--
                          ``(i) a cyber threat indicator shared by a 
                        non-Federal entity with an appropriate Federal 
                        entity (other than the Department of Defense or 
                        any component of the Department, including the 
                        National Security Agency) pursuant to section 3 
                        of such Act is shared in real-time with all of 
                        the appropriate Federal entities (including all 
                        relevant components thereof);
                          ``(ii) the sharing of such cyber threat 
                        indicator with appropriate Federal entities is 
                        not subject to any delay, modification, or any 
                        other action without good cause that could 
                        impede receipt by all of the appropriate 
                        Federal entities; and
                          ``(iii) such cyber threat indicator is 
                        provided to each other Federal entity to which 
                        such cyber threat indicator is relevant; and
                  ``(C) ensure there--
                          ``(i) is an audit capability; and
                          ``(ii) are appropriate sanctions in place for 
                        officers, employees, or agents of a Federal 
                        entity who knowingly and willfully use a cyber 
                        threat indicator or defense measure shared with 
                        the Federal Government by a non-Federal entity 
                        under the Protecting Cyber Networks Act other 
                        than in accordance with this section and such 
                        Act.''.
          (2) Submission.--The President shall submit to Congress--
                  (A) not later than 90 days after the date of the 
                enactment of this Act, interim policies and procedures 
                required under section 111(b)(1) of the National 
                Security Act of 1947, as inserted by paragraph (1) of 
                this section; and
                  (B) not later than 180 days after such date, final 
                policies and procedures required under such section 
                111(b)(1).
  (b) Privacy and Civil Liberties.--
          (1) Guidelines of attorney general.--The Attorney General, in 
        consultation with the heads of the other appropriate Federal 
        agencies and with officers designated under section 1062 of the 
        Intelligence Reform and Terrorism Prevention Act of 2004 (42 
        U.S.C. 2000ee-1), shall develop and periodically review 
        guidelines relating to privacy and civil liberties that govern 
        the receipt, retention, use, and dissemination of cyber threat 
        indicators by a Federal entity obtained in accordance with this 
        Act and the amendments made by this Act.
          (2) Content.--The guidelines developed and reviewed under 
        paragraph (1) shall, consistent with the need to protect 
        information systems from cybersecurity threats and mitigate 
        cybersecurity threats--
                  (A) limit the impact on privacy and civil liberties 
                of activities by the Federal Government under this Act, 
                including guidelines to ensure that personal 
                information of or information identifying specific 
                persons is properly removed from information received, 
                retained, used, or disseminated by a Federal entity in 
                accordance with this Act or the amendments made by this 
                Act;
                  (B) limit the receipt, retention, use, and 
                dissemination of cyber threat indicators containing 
                personal information of or information identifying 
                specific persons, including by establishing--
                          (i) a process for the prompt destruction of 
                        such information that is known not to be 
                        directly related to a use for a cybersecurity 
                        purpose;
                          (ii) specific limitations on the length of 
                        any period in which a cyber threat indicator 
                        may be retained; and
                          (iii) a process to inform recipients that 
                        such indicators may only be used for a 
                        cybersecurity purpose;
                  (C) include requirements to safeguard cyber threat 
                indicators containing personal information of or 
                identifying specific persons from unauthorized access 
                or acquisition, including appropriate sanctions for 
                activities by officers, employees, or agents of the 
                Federal Government in contravention of such guidelines;
                  (D) include procedures for notifying non-Federal 
                entities and Federal entities if information received 
                pursuant to this section is known or determined by a 
                Federal entity receiving such information not to 
                constitute a cyber threat indicator;
                  (E) be consistent with any other applicable 
                provisions of law and the fair information practice 
                principles set forth in appendix A of the document 
                entitled ``National Strategy for Trusted Identities in 
                Cyberspace'' and published by the President in April, 
                2011; and
                  (F) include steps that may be needed so that 
                dissemination of cyber threat indicators is consistent 
                with the protection of classified information and other 
                sensitive national security information.
          (3) Submission.--The Attorney General shall submit to 
        Congress--
                  (A) not later than 90 days after the date of the 
                enactment of this Act, interim guidelines required 
                under paragraph (1); and
                  (B) not later than 180 days after such date, final 
                guidelines required under such paragraph.
  (c) National Cyber Threat Intelligence Integration Center.--
          (1) Establishment.--Title I of the National Security Act of 
        1947 (50 U.S.C. 3021 et seq.), as amended by section 2 of this 
        Act, is further amended--
                  (A) by redesignating section 119B as section 119C; 
                and
                  (B) by inserting after section 119A the following new 
                section:

``SEC. 119B. CYBER THREAT INTELLIGENCE INTEGRATION CENTER.

  ``(a) Establishment.--There is within the Office of the Director of 
National Intelligence a Cyber Threat Intelligence Integration Center.
  ``(b) Director.--There is a Director of the Cyber Threat Intelligence 
Integration Center, who shall be the head of the Cyber Threat 
Intelligence Integration Center, and who shall be appointed by the 
Director of National Intelligence.
  ``(c) Primary Missions.--The Cyber Threat Intelligence Integration 
Center shall--
          ``(1) serve as the primary organization within the Federal 
        Government for analyzing and integrating all intelligence 
        possessed or acquired by the United States pertaining to cyber 
        threats;
          ``(2) ensure that appropriate departments and agencies have 
        full access to and receive all-source intelligence support 
        needed to execute the cyber threat intelligence activities of 
        such agencies and to perform independent, alternative analyses;
          ``(3) disseminate cyber threat analysis to the President, the 
        appropriate departments and agencies of the Federal Government, 
        and the appropriate committees of Congress;
          ``(4) coordinate cyber threat intelligence activities of the 
        departments and agencies of the Federal Government; and
          ``(5) conduct strategic cyber threat intelligence planning 
        for the Federal Government.
  ``(d) Limitations.--The Cyber Threat Intelligence Integration Center 
shall--
          ``(1) have not more than 50 permanent positions;
          ``(2) in carrying out the primary missions of the Center 
        described in subsection (c), may not augment staffing through 
        detailees, assignees, or core contractor personnel or enter 
        into any personal services contracts to exceed the limitation 
        under paragraph (1); and
          ``(3) be located in a building owned or operated by an 
        element of the intelligence community as of the date of the 
        enactment of this section.''.
          (2) Table of contents amendments.--The table of contents in 
        the first section of the National Security Act of 1947, as 
        amended by section 2 of this Act, is further amended by 
        striking the item relating to section 119B and inserting the 
        following new items:

``Sec. 119B. Cyber Threat Intelligence Integration Center.
``Sec. 119C. National intelligence centers.''.

  (d) Information Shared With or Provided to the Federal Government.--
          (1) No waiver of privilege or protection.--The provision of a 
        cyber threat indicator or defensive measure to the Federal 
        Government under this Act shall not constitute a waiver of any 
        applicable privilege or protection provided by law, including 
        trade secret protection.
          (2) Proprietary information.--Consistent with section 
        3(c)(2), a cyber threat indicator or defensive measure provided 
        by a non-Federal entity to the Federal Government under this 
        Act shall be considered the commercial, financial, and 
        proprietary information of the non-Federal entity that is the 
        originator of such cyber threat indicator or defensive measure 
        when so designated by such non-Federal entity or a non-Federal 
        entity acting in accordance with the written authorization of 
        the non-Federal entity that is the originator of such cyber 
        threat indicator or defensive measure.
          (3) Exemption from disclosure.--A cyber threat indicator or 
        defensive measure provided to the Federal Government under this 
        Act shall be--
                  (A) deemed voluntarily shared information and exempt 
                from disclosure under section 552 of title 5, United 
                States Code, and any State, tribal, or local law 
                requiring disclosure of information or records; and
                  (B) withheld, without discretion, from the public 
                under section 552(b)(3)(B) of title 5, United States 
                Code, and any State, tribal, or local provision of law 
                requiring disclosure of information or records, except 
                as otherwise required by applicable Federal, State, 
                tribal, or local law requiring disclosure in any 
                criminal prosecution.
          (4) Ex parte communications.--The provision of a cyber threat 
        indicator or defensive measure to the Federal Government under 
        this Act shall not be subject to a rule of any Federal 
        department or agency or any judicial doctrine regarding ex 
        parte communications with a decision-making official.
          (5) Disclosure, retention, and use.--
                  (A) Authorized activities.--A cyber threat indicator 
                or defensive measure provided to the Federal Government 
                under this Act may be disclosed to, retained by, and 
                used by, consistent with otherwise applicable 
                provisions of Federal law, any department, agency, 
                component, officer, employee, or agent of the Federal 
                Government solely for--
                          (i) a cybersecurity purpose;
                          (ii) the purpose of responding to, 
                        prosecuting, or otherwise preventing or 
                        mitigating a threat of death or serious bodily 
                        harm or an offense arising out of such a 
                        threat;
                          (iii) the purpose of responding to, or 
                        otherwise preventing or mitigating, a serious 
                        threat to a minor, including sexual 
                        exploitation and threats to physical safety; or
                          (iv) the purpose of preventing, 
                        investigating, disrupting, or prosecuting any 
                        of the offenses listed in sections 1028, 1029, 
                        1030, and 3559(c)(2)(F) and chapters 37 and 90 
                        of title 18, United States Code.
                  (B) Prohibited activities.--A cyber threat indicator 
                or defensive measure provided to the Federal Government 
                under this Act shall not be disclosed to, retained by, 
                or used by any Federal department or agency for any use 
                not permitted under subparagraph (A).
                  (C) Privacy and civil liberties.--A cyber threat 
                indicator or defensive measure provided to the Federal 
                Government under this Act shall be retained, used, and 
                disseminated by the Federal Government in accordance 
                with--
                          (i) the policies and procedures relating to 
                        the receipt of cyber threat indicators and 
                        defensive measures by the Federal Government 
                        required by subsection (b) of section 111 of 
                        the National Security Act of 1947, as added by 
                        subsection (a) of this section; and
                          (ii) the privacy and civil liberties 
                        guidelines required by subsection (b).

SEC. 5. FEDERAL GOVERNMENT LIABILITY FOR VIOLATIONS OF PRIVACY OR CIVIL 
                    LIBERTIES.

  (a) In General.--If a department or agency of the Federal Government 
intentionally or willfully violates the privacy and civil liberties 
guidelines issued by the Attorney General under section 4(b), the 
United States shall be liable to a person injured by such violation in 
an amount equal to the sum of--
          (1) the actual damages sustained by the person as a result of 
        the violation or $1,000, whichever is greater; and
          (2) reasonable attorney fees as determined by the court and 
        other litigation costs reasonably incurred in any case under 
        this subsection in which the complainant has substantially 
        prevailed.
  (b) Venue.--An action to enforce liability created under this section 
may be brought in the district court of the United States in--
          (1) the district in which the complainant resides;
          (2) the district in which the principal place of business of 
        the complainant is located;
          (3) the district in which the department or agency of the 
        Federal Government that violated such privacy and civil 
        liberties guidelines is located; or
          (4) the District of Columbia.
  (c) Statute of Limitations.--No action shall lie under this 
subsection unless such action is commenced not later than two years 
after the date of the violation of the privacy and civil liberties 
guidelines issued by the Attorney General under section 4(b) that is 
the basis for the action.
  (d) Exclusive Cause of Action.--A cause of action under this 
subsection shall be the exclusive means available to a complainant 
seeking a remedy for a violation by a department or agency of the 
Federal Government under this Act.

SEC. 6. PROTECTION FROM LIABILITY.

  (a) Monitoring of Information Systems.--No cause of action shall lie 
or be maintained in any court against any private entity, and such 
action shall be promptly dismissed, for the monitoring of an 
information system and information under section 3(a) that is conducted 
in good faith in accordance with this Act and the amendments made by 
this Act.
  (b) Sharing or Receipt of Cyber Threat Indicators.--No cause of 
action shall lie or be maintained in any court against any non-Federal 
entity, and such action shall be promptly dismissed, for the sharing or 
receipt of a cyber threat indicator or defensive measure under section 
3(c), or a good faith failure to act based on such sharing or receipt, 
if such sharing or receipt is conducted in good faith in accordance 
with this Act and the amendments made by this Act.
  (c) Willful Misconduct.--
          (1) Rule of construction.--Nothing in this section shall be 
        construed--
                  (A) to require dismissal of a cause of action against 
                a non-Federal entity (including a private entity) that 
                has engaged in willful misconduct in the course of 
                conducting activities authorized by this Act or the 
                amendments made by this Act; or
                  (B) to undermine or limit the availability of 
                otherwise applicable common law or statutory defenses.
          (2) Proof of willful misconduct.--In any action claiming that 
        subsection (a) or (b) does not apply due to willful misconduct 
        described in paragraph (1), the plaintiff shall have the burden 
        of proving by clear and convincing evidence the willful 
        misconduct by each non-Federal entity subject to such claim and 
        that such willful misconduct proximately caused injury to the 
        plaintiff.
          (3) Willful misconduct defined.--In this subsection, the term 
        ``willful misconduct'' means an act or omission that is taken--
                  (A) intentionally to achieve a wrongful purpose;
                  (B) knowingly without legal or factual justification; 
                and
                  (C) in disregard of a known or obvious risk that is 
                so great as to make it highly probable that the harm 
                will outweigh the benefit.

SEC. 7. OVERSIGHT OF GOVERNMENT ACTIVITIES.

  (a) Biennial Report on Implementation.--
          (1) In general.--Section 111 of the National Security Act of 
        1947, as added by section 2(a) and amended by section 4(a) of 
        this Act, is further amended--
                  (A) by redesignating subsection (c) (as redesignated 
                by such section 4(a)) as subsection (d); and
                  (B) by inserting after subsection (b) (as inserted by 
                such section 4(a)) the following new subsection:
  ``(c) Biennial Report on Implementation.--
          ``(1) In general.--Not less frequently than once every two 
        years, the Director of National Intelligence, in consultation 
        with the heads of the other appropriate Federal entities, shall 
        submit to Congress a report concerning the implementation of 
        this section and the Protecting Cyber Networks Act.
          ``(2) Contents.--Each report submitted under paragraph (1) 
        shall include the following:
                  ``(A) An assessment of the sufficiency of the 
                policies, procedures, and guidelines required by this 
                section and section 4 of the Protecting Cyber Networks 
                Act in ensuring that cyber threat indicators are shared 
                effectively and responsibly within the Federal 
                Government.
                  ``(B) An assessment of whether the procedures 
                developed under section 3 of such Act comply with the 
                goals described in subparagraphs (A), (B), and (C) of 
                subsection (a)(1).
                  ``(C) An assessment of whether cyber threat 
                indicators have been properly classified and an 
                accounting of the number of security clearances 
                authorized by the Federal Government for the purposes 
                of this section and such Act.
                  ``(D) A review of the type of cyber threat indicators 
                shared with the Federal Government under this section 
                and such Act, including the following:
                          ``(i) The degree to which such information 
                        may impact the privacy and civil liberties of 
                        specific persons.
                          ``(ii) A quantitative and qualitative 
                        assessment of the impact of the sharing of such 
                        cyber threat indicators with the Federal 
                        Government on privacy and civil liberties of 
                        specific persons.
                          ``(iii) The adequacy of any steps taken by 
                        the Federal Government to reduce such impact.
                  ``(E) A review of actions taken by the Federal 
                Government based on cyber threat indicators shared with 
                the Federal Government under this section or such Act, 
                including the appropriateness of any subsequent use or 
                dissemination of such cyber threat indicators by a 
                Federal entity under this section or section 4 of such 
                Act.
                  ``(F) A description of any significant violations of 
                the requirements of this section or such Act by the 
                Federal Government--
                          ``(i) an assessment of all reports of 
                        officers, employees, and agents of the Federal 
                        Government misusing information provided to the 
                        Federal Government under the Protecting Cyber 
                        Networks Act or this section, without regard to 
                        whether the misuse was knowing or wilful; and
                          ``(ii) an assessment of all disciplinary 
                        actions taken against such officers, employees, 
                        and agents.
                  ``(G) A summary of the number and type of non-Federal 
                entities that received classified cyber threat 
                indicators from the Federal Government under this 
                section or such Act and an evaluation of the risks and 
                benefits of sharing such cyber threat indicators.
                  ``(H) An assessment of any personal information of or 
                information identifying a specific person not directly 
                related to a cybersecurity threat that--
                          ``(i) was shared by a non-Federal entity with 
                        the Federal Government under this Act in 
                        contravention of section 3(d)(2); or
                          ``(ii) was shared within the Federal 
                        Government under this Act in contravention of 
                        the guidelines required by section 4(b).
          ``(3) Recommendations.--Each report submitted under paragraph 
        (1) may include such recommendations as the heads of the 
        appropriate Federal entities may have for improvements or 
        modifications to the authorities and processes under this 
        section or such Act.
          ``(4) Form of report.--Each report required by paragraph (1) 
        shall be submitted in unclassified form, but may include a 
        classified annex.
          ``(5) Public availability of reports.--The Director of 
        National Intelligence shall make publicly available the 
        unclassified portion of each report required by paragraph 
        (1).''.
          (2) Initial report.--The first report required under 
        subsection (c) of section 111 of the National Security Act of 
        1947, as inserted by paragraph (1) of this subsection, shall be 
        submitted not later than one year after the date of the 
        enactment of this Act.
  (b) Reports on Privacy and Civil Liberties.--
          (1) Biennial report from privacy and civil liberties 
        oversight board.--
                  (A) In general.--Section 1061(e) of the Intelligence 
                Reform and Terrorism Prevention Act of 2004 (42 U.S.C. 
                2000ee(e)) is amended by adding at the end the 
                following new paragraph:
          ``(3) Biennial report on certain cyber activities.--
                  ``(A) Report required.--The Privacy and Civil 
                Liberties Oversight Board shall biennially submit to 
                Congress and the President a report containing--
                          ``(i) an assessment of the privacy and civil 
                        liberties impact of the activities carried out 
                        under the Protecting Cyber Networks Act and the 
                        amendments made by such Act; and
                          ``(ii) an assessment of the sufficiency of 
                        the policies, procedures, and guidelines 
                        established pursuant to section 4 of the 
                        Protecting Cyber Networks Act and the 
                        amendments made by such section 4 in addressing 
                        privacy and civil liberties concerns.
                  ``(B) Recommendations.--Each report submitted under 
                this paragraph may include such recommendations as the 
                Privacy and Civil Liberties Oversight Board may have 
                for improvements or modifications to the authorities 
                under the Protecting Cyber Networks Act or the 
                amendments made by such Act.
                  ``(C) Form.--Each report required under this 
                paragraph shall be submitted in unclassified form, but 
                may include a classified annex.
                  ``(D) Public availability of reports.--The Privacy 
                and Civil Liberties Oversight Board shall make publicly 
                available the unclassified portion of each report 
                required by subparagraph (A).''.
                  (B) Initial report.--The first report required under 
                paragraph (3) of section 1061(e) of the Intelligence 
                Reform and Terrorism Prevention Act of 2004 (42 U.S.C. 
                2000ee(e)), as added by subparagraph (A) of this 
                paragraph, shall be submitted not later than 2 years 
                after the date of the enactment of this Act.
          (2) Biennial report of inspectors general.--
                  (A) In general.--Not later than 2 years after the 
                date of the enactment of this Act and not less 
                frequently than once every 2 years thereafter, the 
                Inspector General of the Department of Homeland 
                Security, the Inspector General of the Intelligence 
                Community, the Inspector General of the Department of 
                Justice, and the Inspector General of the Department of 
                Defense, in consultation with the Council of Inspectors 
                General on Financial Oversight, shall jointly submit to 
                Congress a report on the receipt, use, and 
                dissemination of cyber threat indicators and defensive 
                measures that have been shared with Federal entities 
                under this Act and the amendments made by this Act.
                  (B) Contents.--Each report submitted under 
                subparagraph (A) shall include the following:
                          (i) A review of the types of cyber threat 
                        indicators shared with Federal entities.
                          (ii) A review of the actions taken by Federal 
                        entities as a result of the receipt of such 
                        cyber threat indicators.
                          (iii) A list of Federal entities receiving 
                        such cyber threat indicators.
                          (iv) A review of the sharing of such cyber 
                        threat indicators among Federal entities to 
                        identify inappropriate barriers to sharing 
                        information.
                  (C) Recommendations.--Each report submitted under 
                this paragraph may include such recommendations as the 
                Inspectors General referred to in subparagraph (A) may 
                have for improvements or modifications to the 
                authorities under this Act or the amendments made by 
                this Act.
                  (D) Form.--Each report required under this paragraph 
                shall be submitted in unclassified form, but may 
                include a classified annex.
                  (E) Public availability of reports.--The Inspector 
                General of the Department of Homeland Security, the 
                Inspector General of the Intelligence Community, the 
                Inspector General of the Department of Justice, and the 
                Inspector General of the Department of Defense shall 
                make publicly available the unclassified portion of 
                each report required under subparagraph (A).

SEC. 8. REPORT ON CYBERSECURITY THREATS.

  (a) Report Required.--Not later than 180 days after the date of the 
enactment of this Act, the Director of National Intelligence, in 
consultation with the heads of other appropriate elements of the 
intelligence community, shall submit to the Select Committee on 
Intelligence of the Senate and the Permanent Select Committee on 
Intelligence of the House of Representatives a report on cybersecurity 
threats, including cyber attacks, theft, and data breaches.
  (b) Contents.--The report required by subsection (a) shall include 
the following:
          (1) An assessment of--
                  (A) the current intelligence sharing and cooperation 
                relationships of the United States with other countries 
                regarding cybersecurity threats (including cyber 
                attacks, theft, and data breaches) directed against the 
                United States that threaten the United States national 
                security interests, economy, and intellectual property; 
                and
                  (B) the relative utility of such relationships, which 
                elements of the intelligence community participate in 
                such relationships, and whether and how such 
                relationships could be improved.
          (2) A list and an assessment of the countries and non-state 
        actors that are the primary threats of carrying out a 
        cybersecurity threat (including a cyber attack, theft, or data 
        breach) against the United States and that threaten the United 
        States national security, economy, and intellectual property.
          (3) A description of the extent to which the capabilities of 
        the United States Government to respond to or prevent 
        cybersecurity threats (including cyber attacks, theft, or data 
        breaches) directed against the United States private sector are 
        degraded by a delay in the prompt notification by private 
        entities of such threats or cyber attacks, theft, and breaches.
          (4) An assessment of additional technologies or capabilities 
        that would enhance the ability of the United States to prevent 
        and to respond to cybersecurity threats (including cyber 
        attacks, theft, and data breaches).
          (5) An assessment of any technologies or practices utilized 
        by the private sector that could be rapidly fielded to assist 
        the intelligence community in preventing and responding to 
        cybersecurity threats.
  (c) Form of Report.--The report required by subsection (a) shall be 
submitted in unclassified form, but may include a classified annex.
  (d) Public Availability of Report.--The Director of National 
Intelligence shall make publicly available the unclassified portion of 
the report required by subsection (a).
  (e) Intelligence Community Defined.--In this section, the term 
``intelligence community'' has the meaning given that term in section 3 
of the National Security Act of 1947 (50 U.S.C. 3003).

SEC. 9. CONSTRUCTION AND PREEMPTION.

  (a) Prohibition of Surveillance.--Nothing in this Act or the 
amendments made by this Act shall be construed to authorize the 
Department of Defense or the National Security Agency or any other 
element of the intelligence community to target a person for 
surveillance.
  (b) Otherwise Lawful Disclosures.--Nothing in this Act or the 
amendments made by this Act shall be construed to limit or prohibit--
          (1) otherwise lawful disclosures of communications, records, 
        or other information, including reporting of known or suspected 
        criminal activity, by a non-Federal entity to any other non-
        Federal entity or the Federal Government; or
          (2) any otherwise lawful use of such disclosures by any 
        entity of the Federal government, without regard to whether 
        such otherwise lawful disclosures duplicate or replicate 
        disclosures made under this Act.
  (c) Whistle Blower Protections.--Nothing in this Act or the 
amendments made by this Act shall be construed to prohibit or limit the 
disclosure of information protected under section 2302(b)(8) of title 
5, United States Code (governing disclosures of illegality, waste, 
fraud, abuse, or public health or safety threats), section 7211 of 
title 5, United States Code (governing disclosures to Congress), 
section 1034 of title 10, United States Code (governing disclosure to 
Congress by members of the military), or any similar provision of 
Federal or State law..
  (d) Protection of Sources and Methods.--Nothing in this Act or the 
amendments made by this Act shall be construed--
          (1) as creating any immunity against, or otherwise affecting, 
        any action brought by the Federal Government, or any department 
        or agency thereof, to enforce any law, executive order, or 
        procedure governing the appropriate handling, disclosure, or 
        use of classified information;
          (2) to affect the conduct of authorized law enforcement or 
        intelligence activities; or
          (3) to modify the authority of the President or a department 
        or agency of the Federal Government to protect and control the 
        dissemination of classified information, intelligence sources 
        and methods, and the national security of the United States.
  (e) Relationship to Other Laws.--Nothing in this Act or the 
amendments made by this Act shall be construed to affect any 
requirement under any other provision of law for a non-Federal entity 
to provide information to the Federal Government.
  (f) Information Sharing Relationships.--Nothing in this Act or the 
amendments made by this Act shall be construed--
          (1) to limit or modify an existing information-sharing 
        relationship;
          (2) to prohibit a new information-sharing relationship; or
          (3) to require a new information-sharing relationship between 
        any non-Federal entity and the Federal Government.
  (g) Preservation of Contractual Obligations and Rights.--Nothing in 
this Act or the amendments made by this Act shall be construed--
          (1) to amend, repeal, or supersede any current or future 
        contractual agreement, terms of service agreement, or other 
        contractual relationship between any non-Federal entities, or 
        between any non-Federal entity and a Federal entity; or
          (2) to abrogate trade secret or intellectual property rights 
        of any non-Federal entity or Federal entity.
  (h) Anti-tasking Restriction.--Nothing in this Act or the amendments 
made by this Act shall be construed to permit the Federal Government--
          (1) to require a non-Federal entity to provide information to 
        the Federal Government;
          (2) to condition the sharing of a cyber threat indicator with 
        a non-Federal entity on such non-Federal entity's provision of 
        a cyber threat indicator to the Federal Government; or
          (3) to condition the award of any Federal grant, contract, or 
        purchase on the provision of a cyber threat indicator to a 
        Federal entity.
  (i) No Liability for Non-participation.--Nothing in this Act or the 
amendments made by this Act shall be construed to subject any non-
Federal entity to liability for choosing not to engage in a voluntary 
activiy authorized in this Act and the amendments made by this Act.
  (j) Use and Retention of Information.--Nothing in this Act or the 
amendments made by this Act shall be construed to authorize, or to 
modify any existing authority of, a department or agency of the Federal 
Government to retain or use any information shared under this Act or 
the amendments made by this Act for any use other than permitted in 
this Act or the amendments made by this Act.
  (k) Federal Preemption.--
          (1) In general.--This Act and the amendments made by this Act 
        supersede any statute or other provision of law of a State or 
        political subdivision of a State that restricts or otherwise 
        expressly regulates an activity authorized under this Act or 
        the amendments made by this Act.
          (2) State law enforcement.--Nothing in this Act or the 
        amendments made by this Act shall be construed to supersede any 
        statute or other provision of law of a State or political 
        subdivision of a State concerning the use of authorized law 
        enforcement practices and procedures.
  (l) Regulatory Authority.--Nothing in this Act or the amendments made 
by this Act shall be construed--
          (1) to authorize the promulgation of any regulations not 
        specifically authorized by this Act or the amendments made by 
        this Act;
          (2) to establish any regulatory authority not specifically 
        established under this Act or the amendments made by this Act; 
        or
          (3) to authorize regulatory actions that would duplicate or 
        conflict with regulatory requirements, mandatory standards, or 
        related processes under another provision of Federal law.

SEC. 10. CONFORMING AMENDMENTS.

  Section 552(b) of title 5, United States Code, is amended--
          (1) in paragraph (8), by striking ``or'' at the end;
          (2) in paragraph (9), by striking ``wells.'' and inserting 
        ``wells; or''; and
          (3) by inserting after paragraph (9) the following:
          ``(10) information shared with or provided to the Federal 
        Government pursuant to the Protecting Cyber Networks Act or the 
        amendments made by such Act.''.

SEC. 11. DEFINITIONS.

  In this Act:
          (1) Agency.--The term ``agency'' has the meaning given the 
        term in section 3502 of title 44, United States Code.
          (2) Appropriate federal entities.--The term ``appropriate 
        Federal entities'' means the following:
                  (A) The Department of Commerce.
                  (B) The Department of Defense.
                  (C) The Department of Energy.
                  (D) The Department of Homeland Security.
                  (E) The Department of Justice.
                  (F) The Department of the Treasury.
                  (G) The Office of the Director of National 
                Intelligence.
          (3) Cybersecurity purpose.--The term ``cybersecurity 
        purpose'' means the purpose of protecting (including through 
        the use of a defensive measure) an information system or 
        information that is stored on, processed by, or transiting an 
        information system from a cybersecurity threat or security 
        vulnerability or identifying the source of a cybersecurity 
        threat.
          (4) Cybersecurity threat.--
                  (A) In general.--Except as provided in subparagraph 
                (B), the term ``cybersecurity threat'' means an action, 
                not protected by the first amendment to the 
                Constitution of the United States, on or through an 
                information system that may result in an unauthorized 
                effort to adversely impact the security, 
                confidentiality, integrity, or availability of an 
                information system or information that is stored on, 
                processed by, or transiting an information system.
                  (B) Exclusion.--The term ``cybersecurity threat'' 
                does not include any action that solely involves a 
                violation of a consumer term of service or a consumer 
                licensing agreement.
          (5) Cyber threat indicator.--The term ``cyber threat 
        indicator'' means information or a physical object that is 
        necessary to describe or identify--
                  (A) malicious reconnaissance, including anomalous 
                patterns of communications that appear to be 
                transmitted for the purpose of gathering technical 
                information related to a cybersecurity threat or 
                security vulnerability;
                  (B) a method of defeating a security control or 
                exploitation of a security vulnerability;
                  (C) a security vulnerability, including anomalous 
                activity that appears to indicate the existence of a 
                security vulnerability;
                  (D) a method of causing a user with legitimate access 
                to an information system or information that is stored 
                on, processed by, or transiting an information system 
                to unwittingly enable the defeat of a security control 
                or exploitation of a security vulnerability;
                  (E) malicious cyber command and control;
                  (F) the actual or potential harm caused by an 
                incident, including a description of the information 
                exfiltrated as a result of a particular cybersecurity 
                threat; or
                  (G) any other attribute of a cybersecurity threat, if 
                disclosure of such attribute is not otherwise 
                prohibited by law.
          (6) Defensive measure.--The term ``defensive measure'' means 
        an action, device, procedure, technique, or other measure 
        executed on an information system or information that is stored 
        on, processed by, or transiting an information system that 
        prevents or mitigates a known or suspected cybersecurity threat 
        or security vulnerability.
          (7) Federal entity.--The term ``Federal entity'' means a 
        department or agency of the United States or any component of 
        such department or agency.
          (8) Information system.--The term ``information system''--
                  (A) has the meaning given the term in section 3502 of 
                title 44, United States Code; and
                  (B) includes industrial control systems, such as 
                supervisory control and data acquisition systems, 
                distributed control systems, and programmable logic 
                controllers.
          (9) Local government.--The term ``local government'' means 
        any borough, city, county, parish, town, township, village, or 
        other political subdivision of a State.
          (10) Malicious cyber command and control.--The term 
        ``malicious cyber command and control'' means a method for 
        unauthorized remote identification of, access to, or use of, an 
        information system or information that is stored on, processed 
        by, or transiting an information system.
          (11) Malicious reconnaissance.--The term ``malicious 
        reconnaissance'' means a method for actively probing or 
        passively monitoring an information system for the purpose of 
        discerning security vulnerabilities of the information system, 
        if such method is associated with a known or suspected 
        cybersecurity threat.
          (12) Monitor.--The term ``monitor'' means to acquire, 
        identify, scan, or otherwise possess information that is stored 
        on, processed by, or transiting an information system.
          (13) Non-federal entity.--
                  (A) In general.--Except as otherwise provided in this 
                paragraph, the term ``non-Federal entity'' means any 
                private entity, non-Federal government department or 
                agency, or State, tribal, or local government 
                (including a political subdivision, department, 
                officer, employee, or agent thereof).
                  (B) Inclusions.--The term ``non-Federal entity'' 
                includes a government department or agency (including 
                an officer, employee, or agent thereof) of the District 
                of Columbia, the Commonwealth of Puerto Rico, the 
                Virgin Islands, Guam, American Samoa, the Northern 
                Mariana Islands, and any other territory or possession 
                of the United States.
                  (C) Exclusion.--The term ``non-Federal entity'' does 
                not include a foreign power or known agent of a foreign 
                power, as both terms are defined in section 101 of the 
                Foreign Intelligence Surveillance Act of 1978 (50 
                U.S.C. 1801).
          (14) Private entity.--
                  (A) In general.--Except as otherwise provided in this 
                paragraph, the term ``private entity'' means any person 
                or private group, organization, proprietorship, 
                partnership, trust, cooperative, corporation, or other 
                commercial or nonprofit entity, including an officer, 
                employee, or agent thereof.
                  (B) Inclusion.--The term ``private entity'' includes 
                a component of a State, tribal, or local government 
                performing electric utility services.
                  (C) Exclusion.--The term ``private entity'' does not 
                include a foreign power as defined in section 101 of 
                the Foreign Intelligence Surveillance Act of 1978 (50 
                U.S.C. 1801).
          (15) Real time; real-time.--The terms ``real time'' and 
        ``real-time'' mean a process by which an automated, machine-to-
        machine system processes cyber threat indicators such that the 
        time in which the occurrence of an event and the reporting or 
        recording of it are as simultaneous as technologically and 
        operationally practicable.
          (16) Security control.--The term ``security control'' means 
        the management, operational, and technical controls used to 
        protect against an unauthorized effort to adversely impact the 
        security, confidentiality, integrity, and availability of an 
        information system or its information.
          (17) Security vulnerability.--The term ``security 
        vulnerability'' means any attribute of hardware, software, 
        process, or procedure that could enable or facilitate the 
        defeat of a security control.
          (18) Tribal.--The term ``tribal'' has the meaning given the 
        term ``Indian tribe'' in section 4 of the Indian Self-
        Determination and Education Assistance Act (25 U.S.C. 450b).

                                Purpose

    The purpose of H.R. 1560 is to improve cybersecurity in the 
United States by enhancing the sharing of information about 
cybersecurity threats.

                  Background and Need for Legislation

    Four years ago, when this Committee first considered 
cybersecurity legislation, few Americans understood the threat 
our Nation faced from cyberattacks by foreign militaries, 
intelligence services, and criminal organizations. Even fewer 
understood that, as citizens and consumers, those same attacks 
could endanger their health records, financial data, and other 
sensitive personal information.
    Today, hardly a day goes by without news of a cyberattack 
on an American business or government agency. High-profile 
attacks are commonplace. Both in the boardroom and around the 
kitchen table, Americans suffer the impact of cyberattacks. 
Whether carried out by foreign governments or criminals, these 
attacks steal Americans' identities, credit card information, 
tax refunds, and countless other kinds of private information. 
In just the past year, attackers have shown they can adeptly 
carry out criminal activity, including theft and espionage, on 
computer networks inside the United States. These attacks 
violate Americans' privacy on a massive scale and cost 
thousands of American jobs.
    Some cyberattacks are sponsored by foreign governments. 
China, Russia, North Korea, and Iran have created highly 
skilled cyberwarfare units that directly target American 
businesses for their most valuable intellectual property. 
Corporate research and development forms the lifeblood of the 
American economy, and China, in particular, engages in daily 
assaults that pillage American innovation. In May 2014, for 
instance, federal prosecutors charged five military officers 
from Unit 61398 of the Third Department of the Chinese People's 
Liberation Army with computer hacking and economic espionage 
against the U.S. nuclear power, metals, and solar products 
industries. They were not the first and will not be the last 
foreign military officers who launch cyberattacks on American 
industry. The sheer number of attacks against American 
companies--at least thousands each day--harms our economy and 
thus our national security.
    Other attacks are carried out by criminal organizations. A 
recent Washington Post report suggested that more than 3,000 
companies were alerted to cyberattacks by federal agents in 
2013. And that number represents only the number of cases in 
which the federal government learned that an attack occurred. 
We cannot expect the private sector to defend itself against 
unrelenting assaults of foreign governments without federal 
assistance.
    There is no silver bullet to end cyberattacks. Thousands of 
attacks occur each day and will continue after this bill 
becomes law. Companies must defend their networks around the 
clock on all fronts, but an attacker only needs to succeed once 
to cause tremendous amounts of damage. No piece of legislation 
can wholly prevent this devastating hacking. However, the 
ability to share cyber threat information and solutions will 
significantly help security officials throughout both the 
private sector and the government defend their networks, and 
thereby defend Americans' most private information and most 
valuable intellectual property.
    The government already provides significant support and 
assistance to private companies to address cyberattacks, but 
more can--and should--be done. Real and perceived legal 
barriers to cybersecurity monitoring and information sharing 
constrain companies with even the best of intentions. After 
hundreds of conversations with companies in virtually every 
sector of the economy, the executive branch, and privacy and 
civil liberties advocates, it is clear to the Committee that 
American businesses need positive legal authority to monitor 
their networks and to share and receive cyber threat indicators 
and defensive measures. Voluntary information sharing between 
companies helps businesses defend themselves against 
cyberattacks, and voluntary, two-way information sharing with 
the federal government can help the government disseminate 
cyber threat information with greater speed and accuracy. The 
positive authorization contained in this bill is important to 
encourage this sharing and to help businesses improve their 
defenses against cyberattacks. As a result, this bill helps 
protect Americans' privacy.
    In each of the past two Congresses, the Committee adopted 
cybersecurity information sharing legislation that passed the 
House with bipartisan support. Then-Chairman Rogers and Ranking 
Member Ruppersberger made great strides in educating the 
American people about the cybersecurity threat and the need for 
information sharing legislation. Even so, in both of the past 
two Congresses, the Senate failed to act.
    Building on those past efforts, Chairman Nunes and Ranking 
Member Schiff led a bipartisan effort to advance cyber 
legislation in the 114th Congress. The result of their efforts, 
the Protecting Cyber Networks Act, enables private companies to 
monitor their networks and to voluntarily share cyber threat 
indicators with one another and with the federal government, 
all while providing strong protections for privacy and civil 
liberties.

                       Scope of Committee Review

    On March 19, 2015, the Committee held an open hearing, The 
Growing Cyber Threat and Its Impact on American Business. At 
that hearing, the Committee heard testimony from Governor Tim 
Pawlenty, the former governor of Minnesota and current Chief 
Executive Officer of the Financial Services Roundtable; Mr. 
Andrew Tannenbaum, cybersecurity counsel for IBM; Mr. John 
Latimer, Chief Risk and Compliance Officer for Total Systems 
Services, Inc.; and Mr. Richard Bejtlich, Chief Security 
Strategist for FireEye, Inc. The hearing focused on the state 
of cybersecurity information sharing between the federal 
government and the private sector, as well as information 
sharing within the private sector.
    Before and after the open hearing, Committee staff met with 
representatives from the White House, the Department of 
Justice, the Department of Defense, the Federal Bureau of 
Investigation, the Department of Treasury, the Department of 
Homeland Security, and the National Security Agency in the 
course of developing this legislation. Committee staff also 
held numerous meetings with private sector companies and trade 
groups in the telecommunications, technology, financial 
services, utilities, retail, defense, and internet security 
industries, and several meetings with representatives of 
privacy groups including, among others, the Center for 
Democracy and Technology, the American Civil Liberties Union, 
and the Open Technology Institute.
    Lastly, as part of its regular oversight responsibilities, 
the Committee held numerous classified briefings and meetings 
about cyberattacks and the serious threat they pose to our 
national security.

                     Committee Statement and Views

    The Protecting Cyber Networks Act tears down legal barriers 
to improved cybersecurity. The bill authorizes companies to 
monitor their own networks and the networks of other consenting 
private parties for cybersecurity threats. It also authorizes 
companies to use and share defensive measures--techniques that 
prevent or mitigate cybersecurity threats--on their own 
networks and on the networks of other consenting private 
parties. And most importantly, notwithstanding any other 
federal or state law, the bill authorizes and provides 
liability protection for the sharing and receipt of cyber 
threat indicators and defensive measures. The bill encourages 
sharing of cyber threat indicators and defensive measures along 
three axes: between private companies; from private companies 
to the federal government; and from the federal government to 
private companies. Because of the real and perceived legal 
barriers to information sharing, the bill provides strong 
liability protection for sharing through its procedures. Any 
company that shares cyber threat indicators or defensive 
measures in good faith compliance with the bill--including the 
requirement to strip out private information unrelated to the 
cyber threat--will receive immunity from lawsuits. This 
immunity includes, among other things, immunity from liability 
under the antitrust laws. The bill also prohibits the federal 
government from penalizing companies for sharing cyber threat 
information pursuant to the Act. As Section 9(l) makes clear, 
nothing in the bill allows the government to establish 
regulations or regulatory authority based on the cybersecurity 
information companies share.
    The bill also provides companies with the flexibility that 
will encourage information sharing. Compared to previous 
legislative efforts, the bill gives companies the flexibility 
to choose to share cyber threat indicators or defensive 
measures with a number of different government agencies. 
Companies receive authorization and liability protection for 
sharing with the Department of Justice (including the Federal 
Bureau of Investigation), the Department of Commerce, the 
Department of the Treasury, the Office of the Director of 
National Intelligence, the Department of Homeland Security, and 
the Department of Energy. Some companies may be more 
comfortable sharing different kinds of cyber threat indicators 
with different agencies that possess different expertise. Under 
this bill, banks can share cyber threat information with the 
Department of the Treasury; power plants can share with the 
Department of Energy; and victims of crime can share with 
federal law enforcement agencies. After any federal agency 
receives a cyber threat indicator or defensive measure from the 
private sector, it must share that indicator or defensive 
measure in real-time, that is, by an automated machine-to-
machine process, with all other appropriate federal agencies, 
including the Department of Defense and the National Security 
Agency.
    Although the bill does not grant any new authorization or 
liability protection for companies to share cyber threat 
indicators or defensive measures with the Department of Defense 
or the National Security Agency, companies may choose to share 
cyber threat indicators or defensive measures with the 
Department of Defense or the National Security Agency outside 
of the bill. The Committee understands the critical importance 
of cybersecurity to the Department of Defense's missions, many 
of which rely on private sector partnerships with the Defense 
Industrial Base. The bill's lack of authorization for companies 
to share with the Department of Defense or the National 
Security Agency is not a prohibition on sharing with those 
agencies if doing so is otherwise lawful. Section 3(c)(3)(E) 
expressly states that nothing in the bill should be construed 
to prohibit private companies from sharing cyber threat 
indicators with the Department of Defense or the National 
Security Agency when that sharing is authorized by another law 
or regulation, and Section 9(f) makes clear that nothing in the 
bill limits or modifies any existing information sharing 
relationship or prohibits a new information sharing 
relationship outside of the Act. The bill also does not 
supersede any private contract, including any contractual 
obligation for a company to report a cyber intrusion to the 
Department of Defense or to any other federal agency.
    At the same time, the bill contains strong privacy 
protections, far in excess of previous legislative efforts. 
First, the bill only authorizes the sharing of cyber threat 
indicators. The bill contains a narrow definition of cyber 
threat indicator that does not include personal information 
unrelated to cybersecurity. Thus, the sharing of personal 
information that is not directly related to a cybersecurity 
threat is not authorized by the bill. Companies will not 
receive any liability protection for such sharing.
    Second, even if personal information constitutes a cyber 
threat indicator, companies may only share the information for 
a cybersecurity purpose. This restriction ensures that 
companies do not improperly share personal information for 
reasons outside the scope of the bill.
    Third, the liability protections of the bill are only 
available if a company sharing information takes reasonable 
efforts to remove irrelevant personally identifiable 
information before sharing. If a company fails to take such 
efforts, it will not receive the liability protections of the 
bill. The bill's description of personally identifiable 
information is intended to match the description contained in 
the Cybersecurity Information Sharing Act, S. 754, as reported 
favorably by the Senate Select Committee on Intelligence on 
March 17, 2015.
    Fourth, if the federal government receives cyber threat 
indicators, the bill obligates the government to search for and 
remove or exclude any residual, irrelevant personally 
identifiable information that it may have received. This dual 
privacy scrub will drastically minimize the sharing or 
dissemination of any personally identifiable information, 
protecting privacy while also ensuring that companies are able 
to take needed actions to address cyber threats.
    Fifth, the bill imposes strict limitations on the use and 
retention of any data voluntarily shared by the private sector 
with the government. The government may use the information it 
receives for cybersecurity purposes because it must be able to 
protect itself from cybersecurity threats that exist in the 
private sector, as well as provide the information to others to 
fulfill its duties to protect the Nation from cybersecurity 
threats. The government may also use the information to respond 
to specific dangerous crimes. These include the sexual abuse of 
minors, threats of death and serious bodily harm, and other 
violent felonies. Companies cannot share cyber threat 
information with the government for the purpose of stopping 
crimes, but when companies share these cyber threat indicators 
for a cybersecurity purpose, and that information also contains 
information related to these kinds of crimes, the government 
should not sit on its hands and ignore violent felonies and 
child sex offenses.
    Sixth, the bill provides for strong public and 
congressional oversight by requiring a detailed biennial 
Inspectors General report of appropriate federal entities of 
the government's receipt, use, and dissemination of cyber 
threat indicators. Additionally, the Privacy and Civil 
Liberties Oversight Board must produce a biennial report on the 
privacy and civil liberties impact of the Act.
    Finally, the bill expressly states that it provides no 
authority for the U.S. government to conduct any surveillance. 
The bill authorizes the sharing of cyber threat indicators and 
defensive measures, not surveillance.

              Committee Consideration and Roll Call Votes

    On March 26, 2015, the Committee met in open session to 
consider H.R. 1560, the Protecting Cyber Networks Act. The 
section-by-section analysis details the contents of H.R. 1560.
    Chairman Nunes and Ranking Member Schiff offered an 
amendment to clarify that the bill does not impact any existing 
information sharing relationships between the private sector 
and the Department of Defense, including the National Security 
Agency. The amendment made several other technical changes and 
incorporated privacy-enhancing proposals by Ms. Speier, Mr. 
Carson, and Mr. Swalwell. The amendment was agreed to by a 
voice vote.
    Mr. Swalwell offered an amendment to the bill's liability 
provision, which he subsequently withdrew.
    The Committee then adopted a motion by Chairman Nunes to 
favorably report the bill H.R. 1560 to the House, as amended. 
The motion was agreed to by a voice vote.

                      Section-by-Section Analysis


Section 1: Short title; Table of contents

    The short title of the Act is the Protecting Cyber Networks 
Act.

Section 2: Sharing of Cyber Threat Indicators and Defensive Measures by 
        the Federal Government with Non-Federal Entities

    This section of the Act amends Title I of the National 
Security Act by adding a new section, Section 111. Under this 
new section, the Director of National Intelligence, in 
consultation with the heads of the Departments of Homeland 
Security, Treasury, Justice, Commerce, and Defense (hereinafter 
the ``appropriate Federal entities''), should create procedures 
to facilitate and promote the timely sharing of cyber threat 
indicators with the private sector. The procedures would 
promote the sharing of: classified cyber threat indicators with 
representatives of the private sector with appropriate security 
clearances; classified cyber threat indicators that may be 
declassified and shared at an unclassified level; and any 
information in the possession of the Federal Government about 
imminent or ongoing cyber threats that may allow private 
companies to prevent or mitigate those threats.
    The procedures must also ensure the Federal Government 
creates and maintains the capability to share cyber threat 
indicators in real time with the private sector, consistent 
with the protection of classified information.
    Additionally, the procedures drafted by the Director of 
National Intelligence will require federal agencies to perform 
a review of cyber threat indicators they receive from the 
private sector before the agencies share those indicators 
within the Federal Government. In that review, the receiving 
agencies will assess whether--despite the private sector's own 
requirement to conduct a similar review--the cyber threat 
indicators contain any personal information or information 
identifying a specific person that does not directly relate to 
a cyber threat. If so, the Federal Government must remove that 
information. The Federal Government must implement a technical 
capability configured to remove or exclude the information.

Section 3: Authorizations for preventing, detecting, analyzing, and 
        mitigating cybersecurity threats

            Subsection (a)
    Subsection (a) of this section authorizes private entities 
to engage in defensive monitoring of their own networks and the 
networks of non-Federal entities that have consented to 
monitoring. Subsection (a) does not authorize the Federal 
Government to conduct surveillance of any person.
            Subsection (b)
    Subsection (b) of this section authorizes private entities 
to operate defensive measures on their own networks and the 
networks of non-Federal entities that have consented to the 
operation of defensive measures. Subsection (b) does not 
authorize non-Federal entities to intentionally or recklessly 
operate any defensive measure that destroys, render unusable or 
inaccessible (in whole or in part), substantially harms, or 
initiates a new action, process, or procedure on any network 
that does not belong to them or to a non-Federal entity that 
has not consented to the operation of those defensive measures. 
As a result, subsection (b) does not authorize ``hacking back'' 
or any other form of cyber operation that takes place on 
computers or networks without the consent of the owner of those 
computers or networks.
            Subsection (c)
    Subsection (c) of this section authorizes non-Federal 
entities, notwithstanding any other provision of law, to share 
or receive cyber threat indicators or defensive measures for 
cybersecurity purposes with other non-Federal entities. This 
subsection also authorizes non-Federal entities to share or 
receive cyber threat indicators or defensive measures with 
appropriate Federal entities other than the Department of 
Defense and the National Security Agency. Even so, subsection 
(c) expressly states that companies may share cyber threat 
information or defensive measures with the Department of 
Defense and the National Security Agency if they are authorized 
to do so by another applicable law or regulation.
            Subsection (d)
    Before sharing, non-Federal entities must, under the 
requirements of subsection (d), take reasonable efforts to 
review cyber threat indicators and defensive measures for any 
personal information or information identifying a specific 
person that does not directly relate to a cyber threat. If 
cyber threat indicators or defensive measures contain that kind 
of information, non-Federal entities must take reasonable 
efforts to remove the information before sharing. Subsection 
(d) also permits non-Federal entities to use cyber threat 
indicators and defensive measures to monitor or operate 
defensive measures on their own networks and the networks of 
other non-Federal entities that have consented to the operation 
of the defensive measures.
    In addition, subsection (d) permits state and local 
governments to use cyber threat indicators for certain law 
enforcement purposes; the subsection also exempts those shared 
cyber threat indicators from state and local disclosure laws.

Section 4: Sharing of cyber threat indicators and defensive measures 
        with appropriate Federal entities other than the Department of 
        Defense or the National Security Agency

            Subsection (a)
    Subsection (a) of this section amends Title I of the 
National Security Act of 1947, as amended by Section 2 of the 
Act, to add a subsection (b) to the newly created Section 111. 
The new subsection requires the President to develop and submit 
to Congress policies and procedures for the receipt of cyber 
threat indicators and defensive measures by the Federal 
Government. Those policies and procedures must ensure that, 
when an appropriate Federal entity other than the Department of 
Defense or the National Security Agency receives a cyber threat 
indicator under Section 3 of the Act, that Federal entity 
shares the cyber threat indicator in real time with all other 
appropriate Federal entities, including all relevant components 
of those other appropriate Federal entities. Among other 
things, the procedures must also ensure that additional Federal 
entities beyond the appropriate Federal entities receive cyber 
threat indicators when those indicators are relevant.
            Subsection (b)
    Subsection (b) of this section requires the Attorney 
General, in consultation with the heads of other appropriate 
Federal entities, to develop and periodically review privacy 
and civil liberties guidelines. The Attorney General guidelines 
will govern the receipt, retention, use, and dissemination of 
cyber threat indicators obtained by the Federal Government 
under the Act. The guidelines must also establish, among other 
things: a process for the prompt destruction of any personal 
information or information identifying a specific person that 
does not directly relate to a cyber threat; specific 
limitations on the length of time for which a cyber threat 
indicator can be retained; and a process to inform recipients 
of cyber threat indicators that the indicators may only be used 
for cybersecurity purposes. The Attorney General must submit an 
interim version of the guidelines to Congress within 90 days of 
the enactment of the Act and a final version within 180 days.
            Subsection (c)
    Subsection (c) of this section further amends Title I of 
the National Security Act of 1947 by inserting a new Section 
119B. That new section establishes the Cyber Threat 
Intelligence Integration Center (CTIIC) within the Office of 
the Director of National Intelligence. Section 119B also lays 
out the missions of the CTIIC and imposes certain limitations 
regarding the center's personnel and location.
            Subsection (d)
    Subsection (d) of this section states that the act of 
sharing a cyber threat indicator with the Federal Government 
does not constitute a waiver of any applicable privilege or 
protection provided by law. The subsection also establishes 
that cyber threat indicators shared with the Federal Government 
remain the proprietary information of the sharing non-Federal 
entity, are exempt from federal disclosure laws, and do not 
constitute ex parte communications in a judicial or regulatory 
proceeding.
    Additionally, subsection (d) lays out the purposes for 
which the Federal Government may use a cyber threat indicator 
it receives from a non-Federal entity under the Act. The 
Federal Government may use shared cyber threat indicators 
solely for: a cybersecurity purpose; preventing or prosecuting 
a threat of death or seriously bodily harm or an offense 
arising out of such a threat; preventing or prosecuting a 
serious threat to a minor, including sexual exploitation; or 
preventing or prosecuting espionage, economic espionage, 
serious violent felonies, and violations of the Computer Fraud 
and Abuse Act.

Section 5: Federal Government liability for violations of privacy and 
        civil liberties

    Section 5 creates a private cause of action against the 
Federal Government if a department or agency intentionally or 
willfully violates the privacy and civil liberties guidelines 
issued by the Attorney General under Section 4(b) of the Act. 
The section also establishes statutory damages for a violation 
of the Attorney General guidelines, provides for reasonable 
attorney fees for injured persons, specifies the possible 
venues for an action, and creates a statute of limitations for 
the new cause of action. Lastly, Section 5 clarifies that this 
cause of action is the exclusive means available to a 
complainant seeking a remedy for a violation of the Act by a 
department or agency of the Federal Government.

Section 6: Protection from liability

    This section states that no cause of action shall lie or be 
maintained in any court against any private entity acting in 
good faith for the monitoring of an information system or 
information under Section 3(a) of the Act or for the sharing or 
receipt of cyber threat indicators or defensive measures under 
Section 3(c) of the Act. Section 6 nonetheless states that 
nothing shall be construed to require the dismissal of a cause 
of action against a non-Federal entity that has engaged in 
willful misconduct in the course of conducting activities 
authorized by the Act. Section 6 also defines the term 
``willful misconduct'' for the purposes of the section and 
establishes the standard by which a plaintiff may prove willful 
misconduct.

Section 7: Oversight of Government activities

    Subsection (a) of this section further amends Section 111 
of the National Security Act of 1947, as created by the Act, to 
require a biennial report by the Director of National 
Intelligence, in consultation with the heads of other 
appropriate Federal entities, on the implementation of the Act.
    Subsection (b) of this section requires two reports on 
privacy liberties. First, subsection (b) requires the Privacy 
and Civil Liberties Oversight Board to submit to Congress a 
biennial report on the privacy and civil liberties impact of 
the Act. Second, subsection (b) requires the Inspectors General 
of certain appropriate Federal entities, in consultation with 
the Council of Inspectors General on Financial Oversight, to 
jointly submit a biennial report to Congress on the receipt, 
use, and dissemination of cyber threat indicators shared with 
the Federal Government under the Act.
    Both these reports would be made publicly available.

Section 8: Report on cybersecurity threats

    This section requires the Director of National 
Intelligence, in consultation with the heads of appropriate 
elements of the Intelligence Community, to submit a report to 
the congressional intelligence committees on cybersecurity 
threats, including cyberattacks, theft, and data breaches. The 
report shall be submitted in unclassified form, and must be 
made publicly available, but may contain a classified annex.

Section 9: Construction and preemption

    Section 9 contains a variety of construction and preemption 
provisions to clarify the scope of the Act. Among other things, 
these provisions make clear that nothing in the Act authorizes 
the Department of Defense or any element of the Intelligence 
Community, including the National Security Agency, to target a 
person for surveillance. The provisions also state that nothing 
in the Act shall be construed to limit or modify any existing 
information-sharing relationships outside of the Act or 
prohibit any new information-sharing relationships outside of 
the Act.
    The preemption provision of Section 9 expressly supersedes 
any provision of state or local law that may restrict or 
otherwise expressly regulate an activity authorized under the 
Act. The intent of this provision is to preempt state and local 
laws or regulations that may restrict the sharing of cyber 
threat indicators as authorized by the Act. The provision is 
not intended to preempt state and local laws that may encourage 
or require sharing outside of the Act, including state and 
local regulations and rules protecting critical infrastructure 
information or risk assessments concerning critical 
infrastructure.

Section 10: Conforming amendments

    This section contains conforming amendments to Section 
552(b) of title 5, United States Code.

Section 11: Definitions

    Section 11 provides definitions for a number of key terms 
used in the Act. These definitions--in particular, the 
definitions of the terms ``cybersecurity purpose,'' ``cyber 
threat,'' ``cyber threat indicator,'' and ``defensive 
measure''--narrowly cabin the scope and breadth of the Act.

                 Oversight Findings and Recommendations

    With respect to clause 3(c)(1) of rule XIII of the Rules of 
the House of Representatives, the Committee held multiple 
closed hearings and briefings on the classified intelligence 
programs affected by H.R. 1560. The Committee also held an open 
hearing on March 19, 2015, ``The Growing Cyber Threat and its 
Impact on American Business.''
    In previous Congresses, the Committee also held numerous 
closed hearings and briefings on cyber threats. In addition, 
the Committee held several open hearings on cyber threats in 
past Congresses, including, ``Cybersecurity Threats: The Way 
Forward,'' on November 20, 2014, and ``Advanced Cyber Threats 
Facing Our Nation,'' on February 14, 2013.
    The bill, as reported by the Committee, reflects 
conclusions reached by the Committee in light of this oversight 
activity.

                General Performance Goals and Objectives

    The goal and objective of H.R. 1560 is to improve 
cybersecurity in the United States by providing clear legal 
authority for the sharing of information about cybersecurity 
threats between and among non-Federal entities and the Federal 
Government.

                       Unfunded Mandate Statement

    Section 423 of the Congressional Budget and Impoundment 
Control Act (as amended by Section 101(a)(2) of the Unfunded 
Mandates Reform Act, P.L. 104-4) requires a statement of 
whether the provisions of the reported bill include unfunded 
mandates. In compliance with this requirement, the Committee 
has received a letter from the Congressional Budget Office 
included herein.

                  Statement on Congressional Earmarks

    Pursuant to clause 9 of rule XXI of the Rules of the House 
of Representatives, the Committee states that the bill as 
reported contains no congressional earmarks, limited tax 
benefits, or limited tariff benefits.

     Budget Authority and Congressional Budget Office Cost Estimate

    With respect to clause 3(c)(2) of rule XIII of the Rules of 
the House of Representatives and section 402 of the 
Congressional Budget Act of 1974, the Committee has received 
the following cost estimate for H.R. 1560 from the Director of 
the Congressional Budget Office.
                                     U.S. Congress,
                               Congressional Budget Office,
                                    Washington, DC, April 13, 2015.
Hon. Devin Nunes,
Chairman, Permanent Select Committee on Intelligence,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 1560, the 
Protecting Cyber Networks Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Jason 
Wheelock.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

H.R. 1560--Protecting Cyber Networks Act

    Summary: H.R. 1560 would establish within the Office of the 
Director of National Intelligence (ODNI) a center that would be 
responsible for analyzing and integrating information from the 
intelligence community related to cyber threats. In addition, 
the bill would require the government to establish procedures 
for sharing information and data on cyber threats between the 
federal government and nonfederal entities. CBO estimates that 
implementing the bill would cost $186 million over the 2016-
2020 period, assuming appropriation of the estimated amounts.
    In addition, the bill would allow information shared with 
the government to be used in certain criminal prosecutions, 
which could increase federal revenues from fines as well as 
direct spending from the Crime Victims Fund. However, CBO 
anticipates that the number of cases that could be affected 
would be small and that any additional revenues and spending 
would be insignificant. Finally, section 5 of H.R. 1560 would 
make the government liable if an agency or department were to 
violate the privacy and civil liberty guidelines required by 
the bill. While such liability could result in additional 
direct spending, CBO does not have sufficient basis to estimate 
the type or frequency of violations or budgetary impact that 
might occur if the legislation was enacted. Because the bill 
would affect direct spending and revenues, pay-as-you-go 
procedure apply.
    H.R. 1560 would impose intergovernmental and private-sector 
mandates, as defined in the Unfunded Mandates Reform Act 
(UMRA), by extending civil and criminal liability protection to 
cybersecurity providers and other entities that monitor, share, 
or use cyber threat information. Doing so would prevent public 
and private entities from seeking compensation for damages from 
those protected entities if they share or use cybersecurity 
information. The bill also would impose additional 
intergovernmental mandates on state and local governments by 
preempting disclosure and liability laws and by preempting any 
laws that restrict activities authorized by the bill.
    Because of uncertainty about the number of cases that would 
be limited and any foregone compensation that would result from 
compensatory damages that might otherwise go to private-sector 
entities, CBO cannot determine whether the costs of the mandate 
would exceed the annual thresholds established in UMRA for 
private-sector mandates ($154 million in 2015, adjusted 
annually for inflation). The amount of cybersecurity 
information shared by state, local, and tribal governments is 
much smaller than that shared by the private sector, and public 
entities are much less likely to bring lawsuits as plaintiffs 
in such cases. Consequently, CBO estimates that the aggregate 
costs of the mandates on public entities would fall below the 
threshold for intergovernmental mandates ($77 million in 2015, 
adjusted annually for inflation).
    Estimated cost to the Federal Government: The estimated 
budgetary effect of H.R. 1560 is shown in the following table. 
The costs of this legislation fall within budget function 050 
(national defense).

----------------------------------------------------------------------------------------------------------------
                                                                 By fiscal year, in millions of dollars--
                                                         -------------------------------------------------------
                                                            2016     2017     2018     2019     2020   2016-2020
----------------------------------------------------------------------------------------------------------------
National Cyber Threat Intelligence and Integration
 Center:
    Estimated Authorization Level.......................       35       36       37       38       39       185
    Estimated Outlays...................................       23       33       35       37       38       166
Oversight, Administration, and Reporting:
    Estimated Authorization Level.......................        4        4        4        4        4        20
    Estimated Outlays...................................        4        4        4        4        4        20
    Total Changes:
        Estimated Authorization Level...................       39       40       41       42       43       205
        Estimated Outlays...............................       27       37       39       41       42       186
----------------------------------------------------------------------------------------------------------------

    Basis of estimate: For this estimate, CBO assumes that the 
legislation will be enacted near the end of fiscal year 2015, 
and that outlays will be similar to historical spending 
patterns for similar activities.

National Cyber Threat Intelligence and Integration Center

    The bill would establish a National Cyber Threat 
Intelligence Integration Center (CTIIC) that would be 
responsible for analyzing, integrating, and disseminating 
intelligence on cyber threats within the federal government. In 
February, based on authority in current law to establish 
intelligence centers, the President announced his intention to 
establish a CTIIC within the ODNI; however, the process for 
establishing and creating an operational center has not been 
completed. H.R. 1560 would require such a center to have a 
maximum of 50 permanent positions. CBO estimates, based on 
publicly available information regarding the planned center, 
the personnel ceiling in H.R. 1560, and budget data from the 
Office of Management and Budget (OMB), that implementing this 
provision would cost approximately $166 million over the 2016-
2020 period, assuming appropriation of the estimated amounts.

Oversight, administration, and reporting

    H.R. 1560 also would require the government to establish 
procedures to be followed when information on cyber threats is 
shared between the government and nonfederal entities, such as 
requiring personal data to be expunged from shared information. 
The bill also would require the government to audit the process 
for sharing information with nonfederal entities and would 
require additional reports to the Congress on cyber 
intelligence sharing. CBO anticipates that approximately 20 
additional personnel would be needed to administer the program, 
prepare the required reports, and manage the exchange of 
information between the government and nonfederal entities 
(such as state, local, and tribal governments and private 
companies). Based on information from the Department of 
Homeland Security, OMB, and other cybersecurity experts, CBO 
estimates that the requirements imposed by H.R. 1560 would cost 
approximately $20 million over the 2016-2020 period, assuming 
appropriation of the estimated amounts.
    Pay-As-You-Go considerations: The Statutory Pay-As-You-Go 
Act of 2010 establishes budget-reporting and enforcement 
procedures for legislation affecting direct spending or 
revenues. Enacting H.R. 1560 would affect direct spending and 
revenues because the bill would allow information shared with 
the government to be used in investigating and prosecuting 
certain violent crimes. Any additional convictions that result 
could increase the collection of fines. Criminal fines are 
recorded as revenues, deposited in the Crime Victims Fund, and 
later spent. CBO expects that additional revenues and direct 
spending would not be significant because of the small number 
of cases likely to be effected.
    In addition, section 5 of H.R. 1560 would allow a person to 
collect damages and attorney's fees if a federal agency or 
department violates the privacy and civil liberty guidelines 
required to be issued under the bill. Any costs to the federal 
government for such cases would constitute direct spending. 
However, because the types of violations and the frequency with 
which they might occur would depend on guidelines that have not 
yet been established, CBO does not have a sufficient basis to 
estimate the effect of this provision.
    Intergovernmental and private-sector impact: H.R. 1560 
would impose intergovernmental and private-sector mandates as 
defined in UMRA, by extending civil and criminal liability 
protection to cybersecurity providers and other entities that 
monitor, share, or use cyber threat information. Doing so would 
prevent public and private entities from seeking compensation 
for damages from those protected entities for sharing or using 
cybersecurity information. The bill also would impose 
additional intergovernmental mandates on state and local 
governments by preempting disclosure and liability laws and by 
preempting any laws that restrict the cybersecurity monitoring, 
sharing, and countermeasure activities authorized by the bill.
    Because of uncertainty about the number of cases that would 
be limited and any foregone compensation that would result from 
compensatory damages that might otherwise go to private-sector 
entities, CBO cannot determine whether the costs of the mandate 
would exceed the annual thresholds established in UMRA for 
private-sector mandates ($154 million in 2015, adjusted 
annually for inflation). The amount of cybersecurity 
information shared by state, local, and tribal governments is 
much smaller than that shared by the private sector, and public 
entities are much less likely to bring lawsuits as plaintiffs 
in such cases. Consequently, CBO estimates that the aggregate 
costs of the mandates on public entities would fall below the 
threshold for intergovernmental mandates ($77 million in 2015, 
adjusted annually for inflation).
    Estimate prepared by: Federal costs: Jason Wheelock; Impact 
on state, local, and tribal governments: Jon Sperl; Impact on 
the Private Sector: Paige Piper/Bach.
    Estimate approved by: Theresa Gullo, Assistant Director for 
Budget Analysis.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, and existing law in which no 
change is proposed is shown in roman):

                     NATIONAL SECURITY ACT OF 1947


                              short title

  That this Act may be cited as the ``National Security Act of 
1947''.

                            TABLE OF CONTENTS

     * * * * * * *

               Title I--Coordination for National Security

     * * * * * * *
Sec. 111. Sharing of cyber threat indicators and defensive measures by 
          the Federal Government with non-Federal entities.
     * * * * * * *
[Sec. 119B. National intelligence centers.]
Sec. 119B. Cyber Threat Intelligence Integration Center.
Sec. 119C. National intelligence centers.

           *       *       *       *       *       *       *


TITLE I--COORDINATION FOR NATIONAL SECURITY

           *       *       *       *       *       *       *


SEC. 111. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES BY 
                    THE FEDERAL GOVERNMENT WITH NON-FEDERAL ENTITIES.

  (a) Sharing by the Federal Government.--
          (1) In general.--Consistent with the protection of 
        classified information, intelligence sources and 
        methods, and privacy and civil liberties, the Director 
        of National Intelligence, in consultation with the 
        heads of the other appropriate Federal entities, shall 
        develop and promulgate procedures to facilitate and 
        promote--
                  (A) the timely sharing of classified cyber 
                threat indicators in the possession of the 
                Federal Government with representatives of 
                relevant non-Federal entities with appropriate 
                security clearances;
                  (B) the timely sharing with relevant non-
                Federal entities of cyber threat indicators or 
                information in the possession of the Federal 
                Government that may be declassified and shared 
                at an unclassified level; and
                  (C) the sharing with non-Federal entities, if 
                appropriate, of information in the possession 
                of the Federal Government about imminent or 
                ongoing cybersecurity threats to such entities 
                to prevent or mitigate adverse impacts from 
                such cybersecurity threats.
          (2) Development of procedures.--The procedures 
        developed and promulgated under paragraph (1) shall--
                  (A) ensure the Federal Government has and 
                maintains the capability to share cyber threat 
                indicators in real time consistent with the 
                protection of classified information;
                  (B) incorporate, to the greatest extent 
                practicable, existing processes and existing 
                roles and responsibilities of Federal and non-
                Federal entities for information sharing by the 
                Federal Government, including sector-specific 
                information sharing and analysis centers;
                  (C) include procedures for notifying non-
                Federal entities that have received a cyber 
                threat indicator from a Federal entity in 
                accordance with this Act that is known or 
                determined to be in error or in contravention 
                of the requirements of this section, the 
                Protecting Cyber Networks Act, or the 
                amendments made by such Act or another 
                provision of Federal law or policy of such 
                error or contravention;
                  (D) include requirements for Federal entities 
                receiving a cyber threat indicator or defensive 
                measure to implement appropriate security 
                controls to protect against unauthorized access 
                to, or acquisition of, such cyber threat 
                indicator or defensive measure;
                  (E) include procedures that require Federal 
                entities, prior to the sharing of a cyber 
                threat indicator, to--
                          (i) review such cyber threat 
                        indicator to assess whether such cyber 
                        threat indicator, in contravention of 
                        the requirement under section 3(d)(2) 
                        of the Protecting Cyber Networks Act, 
                        contains any information that such 
                        Federal entity knows at the time of 
                        sharing to be personal information of 
                        or information identifying a specific 
                        person not directly related to a 
                        cybersecurity threat and remove such 
                        information; or
                          (ii) implement a technical capability 
                        configured to remove or exclude any 
                        personal information of or information 
                        identifying a specific person not 
                        directly related to a cybersecurity 
                        threat; and
                  (F) include procedures to promote the 
                efficient granting of security clearances to 
                appropriate representatives of non-Federal 
                entities.
  (b) Policies and Procedures for Sharing With the Appropriate 
Federal Entities Other Than the Department of Defense or the 
National Security Agency.--
          (1) Establishment.--The President shall develop and 
        submit to Congress policies and procedures relating to 
        the receipt of cyber threat indicators and defensive 
        measures by the Federal Government.
          (2) Requirements concerning policies and 
        procedures.--The policies and procedures required under 
        paragraph (1) shall--
                  (A) be developed in accordance with the 
                privacy and civil liberties guidelines required 
                under section 4(b) of the Protecting Cyber 
                Networks Act;
                  (B) ensure that--
                          (i) a cyber threat indicator shared 
                        by a non-Federal entity with an 
                        appropriate Federal entity (other than 
                        the Department of Defense or any 
                        component of the Department, including 
                        the National Security Agency) pursuant 
                        to section 3 of such Act is shared in 
                        real-time with all of the appropriate 
                        Federal entities (including all 
                        relevant components thereof);
                          (ii) the sharing of such cyber threat 
                        indicator with appropriate Federal 
                        entities is not subject to any delay, 
                        modification, or any other action 
                        without good cause that could impede 
                        receipt by all of the appropriate 
                        Federal entities; and
                          (iii) such cyber threat indicator is 
                        provided to each other Federal entity 
                        to which such cyber threat indicator is 
                        relevant; and
                  (C) ensure there--
                          (i) is an audit capability; and
                          (ii) are appropriate sanctions in 
                        place for officers, employees, or 
                        agents of a Federal entity who 
                        knowingly and willfully use a cyber 
                        threat indicator or defense measure 
                        shared with the Federal Government by a 
                        non-Federal entity under the Protecting 
                        Cyber Networks Act other than in 
                        accordance with this section and such 
                        Act.
  (c) Biennial Report on Implementation.--
          (1) In general.--Not less frequently than once every 
        two years, the Director of National Intelligence, in 
        consultation with the heads of the other appropriate 
        Federal entities, shall submit to Congress a report 
        concerning the implementation of this section and the 
        Protecting Cyber Networks Act.
          (2) Contents.--Each report submitted under paragraph 
        (1) shall include the following:
                  (A) An assessment of the sufficiency of the 
                policies, procedures, and guidelines required 
                by this section and section 4 of the Protecting 
                Cyber Networks Act in ensuring that cyber 
                threat indicators are shared effectively and 
                responsibly within the Federal Government.
                  (B) An assessment of whether the procedures 
                developed under section 3 of such Act comply 
                with the goals described in subparagraphs (A), 
                (B), and (C) of subsection (a)(1).
                  (C) An assessment of whether cyber threat 
                indicators have been properly classified and an 
                accounting of the number of security clearances 
                authorized by the Federal Government for the 
                purposes of this section and such Act.
                  (D) A review of the type of cyber threat 
                indicators shared with the Federal Government 
                under this section and such Act, including the 
                following:
                          (i) The degree to which such 
                        information may impact the privacy and 
                        civil liberties of specific persons.
                          (ii) A quantitative and qualitative 
                        assessment of the impact of the sharing 
                        of such cyber threat indicators with 
                        the Federal Government on privacy and 
                        civil liberties of specific persons.
                          (iii) The adequacy of any steps taken 
                        by the Federal Government to reduce 
                        such impact.
                  (E) A review of actions taken by the Federal 
                Government based on cyber threat indicators 
                shared with the Federal Government under this 
                section or such Act, including the 
                appropriateness of any subsequent use or 
                dissemination of such cyber threat indicators 
                by a Federal entity under this section or 
                section 4 of such Act.
                  (F) A description of any significant 
                violations of the requirements of this section 
                or such Act by the Federal Government--
                           (i) an assessment of all reports of 
                        officers, employees, and agents of the 
                        Federal Government misusing information 
                        provided to the Federal Government 
                        under the Protecting Cyber Networks Act 
                        or this section, without regard to 
                        whether the misuse was knowing or 
                        wilful; and
                          (ii) an assessment of all 
                        disciplinary actions taken against such 
                        officers, employees, and agents.
                  (G) A summary of the number and type of non-
                Federal entities that received classified cyber 
                threat indicators from the Federal Government 
                under this section or such Act and an 
                evaluation of the risks and benefits of sharing 
                such cyber threat indicators.
                  (H) An assessment of any personal information 
                of or information identifying a specific person 
                not directly related to a cybersecurity threat 
                that--
                          (i) was shared by a non-Federal 
                        entity with the Federal Government 
                        under this Act in contravention of 
                        section 3(d)(2); or
                          (ii) was shared within the Federal 
                        Government under this Act in 
                        contravention of the guidelines 
                        required by section 4(b).
          (3) Recommendations.--Each report submitted under 
        paragraph (1) may include such recommendations as the 
        heads of the appropriate Federal entities may have for 
        improvements or modifications to the authorities and 
        processes under this section or such Act.
          (4) Form of report.--Each report required by 
        paragraph (1) shall be submitted in unclassified form, 
        but may include a classified annex.
          (5) Public availability of reports.--The Director of 
        National Intelligence shall make publicly available the 
        unclassified portion of each report required by 
        paragraph (1).
   (d) Definitions.--In this section, the terms ``appropriate 
Federal entities'', ``cyber threat indicator'', ``defensive 
measure'', ``Federal entity'', and ``non-Federal entity'' have 
the meaning given such terms in section 11 of the Protecting 
Cyber Networks Act.

           *       *       *       *       *       *       *


SEC. 119B. CYBER THREAT INTELLIGENCE INTEGRATION CENTER.

  (a) Establishment.--There is within the Office of the 
Director of National Intelligence a Cyber Threat Intelligence 
Integration Center.
  (b) Director.--There is a Director of the Cyber Threat 
Intelligence Integration Center, who shall be the head of the 
Cyber Threat Intelligence Integration Center, and who shall be 
appointed by the Director of National Intelligence.
  (c) Primary Missions.--The Cyber Threat Intelligence 
Integration Center shall--
          (1) serve as the primary organization within the 
        Federal Government for analyzing and integrating all 
        intelligence possessed or acquired by the United States 
        pertaining to cyber threats;
          (2) ensure that appropriate departments and agencies 
        have full access to and receive all-source intelligence 
        support needed to execute the cyber threat intelligence 
        activities of such agencies and to perform independent, 
        alternative analyses;
          (3) disseminate cyber threat analysis to the 
        President, the appropriate departments and agencies of 
        the Federal Government, and the appropriate committees 
        of Congress;
          (4) coordinate cyber threat intelligence activities 
        of the departments and agencies of the Federal 
        Government; and
          (5) conduct strategic cyber threat intelligence 
        planning for the Federal Government.
  (d) Limitations.--The Cyber Threat Intelligence Integration 
Center shall--
          (1) have not more than 50 permanent positions;
          (2) in carrying out the primary missions of the 
        Center described in subsection (c), may not augment 
        staffing through detailees, assignees, or core 
        contractor personnel or enter into any personal 
        services contracts to exceed the limitation under 
        paragraph (1); and
          (3) be located in a building owned or operated by an 
        element of the intelligence community as of the date of 
        the enactment of this section.

                     national intelligence centers

  Sec. [119B.]  119C. (a) Authority To Establish.--The Director 
of National Intelligence may establish one or more national 
intelligence centers to address intelligence priorities, 
including, but not limited to, regional issues.
  (b) Resources of Directors of Centers.--(1) The Director of 
National Intelligence shall ensure that the head of each 
national intelligence center under subsection (a) has 
appropriate authority, direction, and control of such center, 
and of the personnel assigned to such center, to carry out the 
assigned mission of such center.
  (2) The Director of National Intelligence shall ensure that 
each national intelligence center has appropriate personnel to 
accomplish effectively the mission of such center.
  (c) Information Sharing.--The Director of National 
Intelligence shall, to the extent appropriate and practicable, 
ensure that each national intelligence center under subsection 
(a) and the other elements of the intelligence community share 
information in order to facilitate the mission of such center.
  (d) Mission of Centers.--Pursuant to the direction of the 
Director of National Intelligence, each national intelligence 
center under subsection (a) may, in the area of intelligence 
responsibility assigned to such center--
          (1) have primary responsibility for providing all-
        source analysis of intelligence based upon intelligence 
        gathered both domestically and abroad;
          (2) have primary responsibility for identifying and 
        proposing to the Director of National Intelligence 
        intelligence collection and analysis and production 
        requirements; and
          (3) perform such other duties as the Director of 
        National Intelligence shall specify.
  (e) Review and Modification of Centers.--The Director of 
National Intelligence shall determine on a regular basis 
whether--
          (1) the area of intelligence responsibility assigned 
        to each national intelligence center under subsection 
        (a) continues to meet appropriate intelligence 
        priorities; and
          (2) the staffing and management of such center 
        remains appropriate for the accomplishment of the 
        mission of such center.
  (f) Termination.--The Director of National Intelligence may 
terminate any national intelligence center under subsection 
(a).
  (g) Separate Budget Account.--The Director of National 
Intelligence shall, as appropriate, include in the National 
Intelligence Program budget a separate line item for each 
national intelligence center under subsection (a).

           *       *       *       *       *       *       *

                              ----------                              


        INTELLIGENCE REFORM AND TERRORISM PREVENTION ACT OF 2004



           *       *       *       *       *       *       *
TITLE I--REFORM OF THE INTELLIGENCE COMMUNITY

           *       *       *       *       *       *       *


                Subtitle F--Privacy and Civil Liberties

SEC. 1061. PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD.

  (a) In General.--There is established as an independent 
agency within the executive branch a Privacy and Civil 
Liberties Oversight Board (referred to in this section as the 
``Board'').
  (b) Findings.--Consistent with the report of the National 
Commission on Terrorist Attacks Upon the United States, 
Congress makes the following findings:
          (1) In conducting the war on terrorism, the 
        Government may need additional powers and may need to 
        enhance the use of its existing powers.
          (2) This shift of power and authority to the 
        Government calls for an enhanced system of checks and 
        balances to protect the precious liberties that are 
        vital to our way of life and to ensure that the 
        Government uses its powers for the purposes for which 
        the powers were given.
          (3) The National Commission on Terrorist Attacks Upon 
        the United States correctly concluded that ``The choice 
        between security and liberty is a false choice, as 
        nothing is more likely to endanger America's liberties 
        than the success of a terrorist attack at home. Our 
        history has shown us that insecurity threatens liberty. 
        Yet, if our liberties are curtailed, we lose the values 
        that we are struggling to defend.''.
  (c) Purpose.--The Board shall--
          (1) analyze and review actions the executive branch 
        takes to protect the Nation from terrorism, ensuring 
        that the need for such actions is balanced with the 
        need to protect privacy and civil liberties; and
          (2) ensure that liberty concerns are appropriately 
        considered in the development and implementation of 
        laws, regulations, and policies related to efforts to 
        protect the Nation against terrorism.
  (d) Functions.--
          (1) Advice and counsel on policy development and 
        implementation.--The Board shall--
                  (A) review proposed legislation, regulations, 
                and policies related to efforts to protect the 
                Nation from terrorism, including the 
                development and adoption of information sharing 
                guidelines under subsections (d) and (f) of 
                section 1016;
                  (B) review the implementation of new and 
                existing legislation, regulations, and policies 
                related to efforts to protect the Nation from 
                terrorism, including the implementation of 
                information sharing guidelines under 
                subsections (d) and (f) of section 1016;
                  (C) advise the President and the departments, 
                agencies, and elements of the executive branch 
                to ensure that privacy and civil liberties are 
                appropriately considered in the development and 
                implementation of such legislation, 
                regulations, policies, and guidelines; and
                  (D) in providing advice on proposals to 
                retain or enhance a particular governmental 
                power, consider whether the department, agency, 
                or element of the executive branch has 
                established--
                          (i) that the need for the power is 
                        balanced with the need to protect 
                        privacy and civil liberties;
                          (ii) that there is adequate 
                        supervision of the use by the executive 
                        branch of the power to ensure 
                        protection of privacy and civil 
                        liberties; and
                          (iii) that there are adequate 
                        guidelines and oversight to properly 
                        confine its use.
          (2) Oversight.--The Board shall continually review--
                  (A) the regulations, policies, and 
                procedures, and the implementation of the 
                regulations, policies, and procedures, of the 
                departments, agencies, and elements of the 
                executive branch relating to efforts to protect 
                the Nation from terrorism to ensure that 
                privacy and civil liberties are protected;
                  (B) the information sharing practices of the 
                departments, agencies, and elements of the 
                executive branch relating to efforts to protect 
                the Nation from terrorism to determine whether 
                they appropriately protect privacy and civil 
                liberties and adhere to the information sharing 
                guidelines issued or developed under 
                subsections (d) and (f) of section 1016 and to 
                other governing laws, regulations, and policies 
                regarding privacy and civil liberties; and
                  (C) other actions by the executive branch 
                relating to efforts to protect the Nation from 
                terrorism to determine whether such actions--
                          (i) appropriately protect privacy and 
                        civil liberties; and
                          (ii) are consistent with governing 
                        laws, regulations, and policies 
                        regarding privacy and civil liberties.
          (3) Relationship with privacy and civil liberties 
        officers.--The Board shall--
                  (A) receive and review reports and other 
                information from privacy officers and civil 
                liberties officers under section 1062;
                  (B) when appropriate, make recommendations to 
                such privacy officers and civil liberties 
                officers regarding their activities; and
                  (C) when appropriate, coordinate the 
                activities of such privacy officers and civil 
                liberties officers on relevant interagency 
                matters.
          (4) Testimony.--The members of the Board shall appear 
        and testify before Congress upon request.
  (e) Reports.--
          (1) In general.--The Board shall--
                  (A) receive and review reports from privacy 
                officers and civil liberties officers under 
                section 1062; and
                  (B) periodically submit, not less than 
                semiannually, reports--
                          (i)(I) to the appropriate committees 
                        of Congress, including the Committee on 
                        the Judiciary of the Senate, the 
                        Committee on the Judiciary of the House 
                        of Representatives, the Committee on 
                        Homeland Security and Governmental 
                        Affairs of the Senate, the Committee on 
                        Homeland Security of the House of 
                        Representatives, the Committee on 
                        Oversight and Government Reform of the 
                        House of Representatives, the Select 
                        Committee on Intelligence of the 
                        Senate, and the Permanent Select 
                        Committee on Intelligence of the House 
                        of Representatives; and
                          (II) to the President; and
                          (ii) which shall be in unclassified 
                        form to the greatest extent possible, 
                        with a classified annex where 
                        necessary.
          (2) Contents.--Not less than 2 reports submitted each 
        year under paragraph (1)(B) shall include--
                  (A) a description of the major activities of 
                the Board during the preceding period;
                  (B) information on the findings, conclusions, 
                and recommendations of the Board resulting from 
                its advice and oversight functions under 
                subsection (d);
                  (C) the minority views on any findings, 
                conclusions, and recommendations of the Board 
                resulting from its advice and oversight 
                functions under subsection (d);
                  (D) each proposal reviewed by the Board under 
                subsection (d)(1) that--
                          (i) the Board advised against 
                        implementation; and
                          (ii) notwithstanding such advice, 
                        actions were taken to implement; and
                  (E) for the preceding period, any requests 
                submitted under subsection (g)(1)(D) for the 
                issuance of subpoenas that were modified or 
                denied by the Attorney General.
          (3) Biennial report on certain cyber activities.--
                  (A) Report required.--The Privacy and Civil 
                Liberties Oversight Board shall biennially 
                submit to Congress and the President a report 
                containing--
                          (i) an assessment of the privacy and 
                        civil liberties impact of the 
                        activities carried out under the 
                        Protecting Cyber Networks Act and the 
                        amendments made by such Act; and
                          (ii) an assessment of the sufficiency 
                        of the policies, procedures, and 
                        guidelines established pursuant to 
                        section 4 of the Protecting Cyber 
                        Networks Act and the amendments made by 
                        such section 4 in addressing privacy 
                        and civil liberties concerns.
                  (B) Recommendations.--Each report submitted 
                under this paragraph may include such 
                recommendations as the Privacy and Civil 
                Liberties Oversight Board may have for 
                improvements or modifications to the 
                authorities under the Protecting Cyber Networks 
                Act or the amendments made by such Act.
                  (C) Form.--Each report required under this 
                paragraph shall be submitted in unclassified 
                form, but may include a classified annex.
                  (D) Public availability of reports.--The 
                Privacy and Civil Liberties Oversight Board 
                shall make publicly available the unclassified 
                portion of each report required by subparagraph 
                (A).
  (f) Informing the Public.--The Board shall--
          (1) make its reports, including its reports to 
        Congress, available to the public to the greatest 
        extent that is consistent with the protection of 
        classified information and applicable law; and
          (2) hold public hearings and otherwise inform the 
        public of its activities, as appropriate and in a 
        manner consistent with the protection of classified 
        information and applicable law.
  (g) Access to Information.--
          (1) Authorization.--If determined by the Board to be 
        necessary to carry out its responsibilities under this 
        section, the Board is authorized to--
                  (A) have access from any department, agency, 
                or element of the executive branch, or any 
                Federal officer or employee of any such 
                department, agency, or element, to all relevant 
                records, reports, audits, reviews, documents, 
                papers, recommendations, or other relevant 
                material, including classified information 
                consistent with applicable law;
                  (B) interview, take statements from, or take 
                public testimony from personnel of any 
                department, agency, or element of the executive 
                branch, or any Federal officer or employee of 
                any such department, agency, or element;
                  (C) request information or assistance from 
                any State, tribal, or local government; and
                  (D) at the direction of a majority of the 
                members of the Board, submit a written request 
                to the Attorney General of the United States 
                that the Attorney General require, by subpoena, 
                persons (other than departments, agencies, and 
                elements of the executive branch) to produce 
                any relevant information, documents, reports, 
                answers, records, accounts, papers, and other 
                documentary or testimonial evidence.
          (2) Review of subpoena request.--
                  (A) In general.--Not later than 30 days after 
                the date of receipt of a request by the Board 
                under paragraph (1)(D), the Attorney General 
                shall--
                          (i) issue the subpoena as requested; 
                        or
                          (ii) provide the Board, in writing, 
                        with an explanation of the grounds on 
                        which the subpoena request has been 
                        modified or denied.
                  (B) Notification.--If a subpoena request is 
                modified or denied under subparagraph (A)(ii), 
                the Attorney General shall, not later than 30 
                days after the date of that modification or 
                denial, notify the Committee on the Judiciary 
                of the Senate and the Committee on the 
                Judiciary of the House of Representatives.
          (3) Enforcement of subpoena.--In the case of 
        contumacy or failure to obey a subpoena issued pursuant 
        to paragraph (1)(D), the United States district court 
        for the judicial district in which the subpoenaed 
        person resides, is served, or may be found may issue an 
        order requiring such person to produce the evidence 
        required by such subpoena.
          (4) Agency cooperation.--Whenever information or 
        assistance requested under subparagraph (A) or (B) of 
        paragraph (1) is, in the judgment of the Board, 
        unreasonably refused or not provided, the Board shall 
        report the circumstances to the head of the department, 
        agency, or element concerned without delay. The head of 
        the department, agency, or element concerned shall 
        ensure that the Board is given access to the 
        information, assistance, material, or personnel the 
        Board determines to be necessary to carry out its 
        functions.
  (h) Membership.--
          (1) Members.--The Board shall be composed of a full-
        time chairman and 4 additional members, who shall be 
        appointed by the President, by and with the advice and 
        consent of the Senate.
          (2) Qualifications.--Members of the Board shall be 
        selected solely on the basis of their professional 
        qualifications, achievements, public stature, expertise 
        in civil liberties and privacy, and relevant 
        experience, and without regard to political 
        affiliation, but in no event shall more than 3 members 
        of the Board be members of the same political party. 
        The President shall, before appointing an individual 
        who is not a member of the same political party as the 
        President, consult with the leadership of that party, 
        if any, in the Senate and House of Representatives.
          (3) Incompatible office.--An individual appointed to 
        the Board may not, while serving on the Board, be an 
        elected official, officer, or employee of the Federal 
        Government, other than in the capacity as a member of 
        the Board.
          (4) Term.--Each member of the Board shall serve a 
        term of 6 years, except that--
                  (A) a member appointed to a term of office 
                after the commencement of such term may serve 
                under such appointment only for the remainder 
                of such term; and
                  (B) upon the expiration of the term of office 
                of a member, the member shall continue to serve 
                until the member's successor has been appointed 
                and qualified, except that no member may serve 
                under this subparagraph--
                          (i) for more than 60 days when 
                        Congress is in session unless a 
                        nomination to fill the vacancy shall 
                        have been submitted to the Senate; or
                          (ii) after the adjournment sine die 
                        of the session of the Senate in which 
                        such nomination is submitted.
          (5) Quorum and meetings.--The Board shall meet upon 
        the call of the chairman or a majority of its members. 
        Three members of the Board shall constitute a quorum.
  (i) Compensation and Travel Expenses.--
          (1) Compensation.--
                  (A) Chairman.--The chairman of the Board 
                shall be compensated at the rate of pay payable 
                for a position at level III of the Executive 
                Schedule under section 5314 of title 5, United 
                States Code.
                  (B) Members.--Each member of the Board shall 
                be compensated at a rate of pay payable for a 
                position at level IV of the Executive Schedule 
                under section 5315 of title 5, United States 
                Code, for each day during which that member is 
                engaged in the actual performance of the duties 
                of the Board.
          (2) Travel expenses.--Members of the Board shall be 
        allowed travel expenses, including per diem in lieu of 
        subsistence, at rates authorized for persons employed 
        intermittently by the Government under section 5703(b) 
        of title 5, United States Code, while away from their 
        homes or regular places of business in the performance 
        of services for the Board.
  (j) Staff.--
          (1) Appointment and compensation.--The chairman of 
        the Board, in accordance with rules agreed upon by the 
        Board, shall appoint and fix the compensation of a 
        full-time executive director and such other personnel 
        as may be necessary to enable the Board to carry out 
        its functions, without regard to the provisions of 
        title 5, United States Code, governing appointments in 
        the competitive service, and without regard to the 
        provisions of chapter 51 and subchapter III of chapter 
        53 of such title relating to classification and General 
        Schedule pay rates, except that no rate of pay fixed 
        under this subsection may exceed the equivalent of that 
        payable for a position at level V of the Executive 
        Schedule under section 5316 of title 5, United States 
        Code.
          (2) Detailees.--Any Federal employee may be detailed 
        to the Board without reimbursement from the Board, and 
        such detailee shall retain the rights, status, and 
        privileges of the detailee's regular employment without 
        interruption.
          (3) Consultant services.--The Board may procure the 
        temporary or intermittent services of experts and 
        consultants in accordance with section 3109 of title 5, 
        United States Code, at rates that do not exceed the 
        daily rate paid a person occupying a position at level 
        IV of the Executive Schedule under section 5315 of such 
        title.
  (k) Security Clearances.--
          (1) In general.--The appropriate departments, 
        agencies, and elements of the executive branch shall 
        cooperate with the Board to expeditiously provide the 
        Board members and staff with appropriate security 
        clearances to the extent possible under existing 
        procedures and requirements.
          (2) Rules and procedures.--After consultation with 
        the Secretary of Defense, the Attorney General, and the 
        Director of National Intelligence, the Board shall 
        adopt rules and procedures of the Board for physical, 
        communications, computer, document, personnel, and 
        other security relating to carrying out the functions 
        of the Board.
  (l) Treatment as Agency, Not as Advisory Committee.--The 
Board--
          (1) is an agency (as defined in section 551(1) of 
        title 5, United States Code); and
          (2) is not an advisory committee (as defined in 
        section 3(2) of the Federal Advisory Committee Act (5 
        U.S.C. App.)).
  (m) Authorization of Appropriations.--There are authorized to 
be appropriated to carry out this section amounts as follows:
          (1) For fiscal year 2008, $5,000,000.
          (2) For fiscal year 2009, $6,650,000.
          (3) For fiscal year 2010, $8,300,000.
          (4) For fiscal year 2011, $10,000,000.
          (5) For fiscal year 2012 and each subsequent fiscal 
        year, such sums as may be necessary.

           *       *       *       *       *       *       *

                              ----------                              


                      TITLE 5, UNITED STATES CODE



           *       *       *       *       *       *       *
PART I--THE AGENCIES GENERALLY

           *       *       *       *       *       *       *


CHAPTER 5--ADMINISTRATIVE PROCEDURE

           *       *       *       *       *       *       *


Subchapter II--ADMINISTRATIVE PROCEDURE

           *       *       *       *       *       *       *


Sec. 552. Public information; agency rules, opinions, orders, records, 
                    and proceedings

  (a) Each agency shall make available to the public 
information as follows:
  (1) Each agency shall separately state and currently publish 
in the Federal Register for the guidance of the public--
          (A) descriptions of its central and field 
        organization and the established places at which, the 
        employees (and in the case of a uniformed service, the 
        members) from whom, and the methods whereby, the public 
        may obtain information, make submittals or requests, or 
        obtain decisions;
          (B) statements of the general course and method by 
        which its functions are channeled and determined, 
        including the nature and requirements of all formal and 
        informal procedures available;
          (C) rules of procedure, descriptions of forms 
        available or the places at which forms may be obtained, 
        and instructions as to the scope and contents of all 
        papers, reports, or examinations;
          (D) substantive rules of general applicability 
        adopted as authorized by law, and statements of general 
        policy or interpretations of general applicability 
        formulated and adopted by the agency; and
          (E) each amendment, revision, or repeal of the 
        foregoing.
Except to the extent that a person has actual and timely notice 
of the terms thereof, a person may not in any manner be 
required to resort to, or be adversely affected by, a matter 
required to be published in the Federal Register and not so 
published. For the purpose of this paragraph, matter reasonably 
available to the class of persons affected thereby is deemed 
published in the Federal Register when incorporated by 
reference therein with the approval of the Director of the 
Federal Register.
  (2) Each agency, in accordance with published rules, shall 
make available for public inspection and copying--
          (A) final opinions, including concurring and 
        dissenting opinions, as well as orders, made in the 
        adjudication of cases;
          (B) those statements of policy and interpretations 
        which have been adopted by the agency and are not 
        published in the Federal Register;
          (C) administrative staff manuals and instructions to 
        staff that affect a member of the public;
          (D) copies of all records, regardless of form or 
        format, which have been released to any person under 
        paragraph (3) and which, because of the nature of their 
        subject matter, the agency determines have become or 
        are likely to become the subject of subsequent requests 
        for substantially the same records; and
          (E) a general index of the records referred to under 
        subparagraph (D);
unless the materials are promptly published and copies offered 
for sale. For records created on or after November 1, 1996, 
within one year after such date, each agency shall make such 
records available, including by computer telecommunications or, 
if computer telecommunications means have not been established 
by the agency, by other electronic means. To the extent 
required to prevent a clearly unwarranted invasion of personal 
privacy, an agency may delete identifying details when it makes 
available or publishes an opinion, statement of policy, 
interpretation, staff manual, instruction, or copies of records 
referred to in subparagraph (D). However, in each case the 
justification for the deletion shall be explained fully in 
writing, and the extent of such deletion shall be indicated on 
the portion of the record which is made available or published, 
unless including that indication would harm an interest 
protected by the exemption in subsection (b) under which the 
deletion is made. If technically feasible, the extent of the 
deletion shall be indicated at the place in the record where 
the deletion was made. Each agency shall also maintain and make 
available for public inspection and copying current indexes 
providing identifying information for the public as to any 
matter issued, adopted, or promulgated after July 4, 1967, and 
required by this paragraph to be made available or published. 
Each agency shall promptly publish, quarterly or more 
frequently, and distribute (by sale or otherwise) copies of 
each index or supplements thereto unless it determines by order 
published in the Federal Register that the publication would be 
unnecessary and impracticable, in which case the agency shall 
nonetheless provide copies of such index on request at a cost 
not to exceed the direct cost of duplication. Each agency shall 
make the index referred to in subparagraph (E) available by 
computer telecommunications by December 31, 1999. A final 
order, opinion, statement of policy, interpretation, or staff 
manual or instruction that affects a member of the public may 
be relied on, used, or cited as precedent by an agency against 
a party other than an agency only if--
          (i) it has been indexed and either made available or 
        published as provided by this paragraph; or
          (ii) the party has actual and timely notice of the 
        terms thereof.
  (3)(A) Except with respect to the records made available 
under paragraphs (1) and (2) of this subsection, and except as 
provided in subparagraph (E), each agency, upon any request for 
records which (i) reasonably describes such records and (ii) is 
made in accordance with published rules stating the time, 
place, fees (if any), and procedures to be followed, shall make 
the records promptly available to any person.
  (B) In making any record available to a person under this 
paragraph, an agency shall provide the record in any form or 
format requested by the person if the record is readily 
reproducible by the agency in that form or format. Each agency 
shall make reasonable efforts to maintain its records in forms 
or formats that are reproducible for purposes of this section.
  (C) In responding under this paragraph to a request for 
records, an agency shall make reasonable efforts to search for 
the records in electronic form or format, except when such 
efforts would significantly interfere with the operation of the 
agency's automated information system.
  (D) For purposes of this paragraph, the term ``search'' means 
to review, manually or by automated means, agency records for 
the purpose of locating those records which are responsive to a 
request.
  (E) An agency, or part of an agency, that is an element of 
the intelligence community (as that term is defined in section 
3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4))) 
shall not make any record available under this paragraph to--
          (i) any government entity, other than a State, 
        territory, commonwealth, or district of the United 
        States, or any subdivision thereof; or
          (ii) a representative of a government entity 
        described in clause (i).
  (4)(A)(i) In order to carry out the provisions of this 
section, each agency shall promulgate regulations, pursuant to 
notice and receipt of public comment, specifying the schedule 
of fees applicable to the processing of requests under this 
section and establishing procedures and guidelines for 
determining when such fees should be waived or reduced. Such 
schedule shall conform to the guidelines which shall be 
promulgated, pursuant to notice and receipt of public comment, 
by the Director of the Office of Management and Budget and 
which shall provide for a uniform schedule of fees for all 
agencies.
  (ii) Such agency regulations shall provide that--
          (I) fees shall be limited to reasonable standard 
        charges for document search, duplication, and review, 
        when records are requested for commercial use;
          (II) fees shall be limited to reasonable standard 
        charges for document duplication when records are not 
        sought for commercial use and the request is made by an 
        educational or noncommercial scientific institution, 
        whose purpose is scholarly or scientific research; or a 
        representative of the news media; and
          (III) for any request not described in (I) or (II), 
        fees shall be limited to reasonable standard charges 
        for document search and duplication.
In this clause, the term ``a representative of the news media'' 
means any person or entity that gathers information of 
potential interest to a segment of the public, uses its 
editorial skills to turn the raw materials into a distinct 
work, and distributes that work to an audience. In this clause, 
the term ``news'' means information that is about current 
events or that would be of current interest to the public. 
Examples of news-media entities are television or radio 
stations broadcasting to the public at large and publishers of 
periodicals (but only if such entities qualify as disseminators 
of ``news'') who make their products available for purchase by 
or subscription by or free distribution to the general public. 
These examples are not all-inclusive. Moreover, as methods of 
news delivery evolve (for example, the adoption of the 
electronic dissemination of newspapers through 
telecommunications services), such alternative media shall be 
considered to be news-media entities. A freelance journalist 
shall be regarded as working for a news-media entity if the 
journalist can demonstrate a solid basis for expecting 
publication through that entity, whether or not the journalist 
is actually employed by the entity. A publication contract 
would present a solid basis for such an expectation; the 
Government may also consider the past publication record of the 
requester in making such a determination.
  (iii) Documents shall be furnished without any charge or at a 
charge reduced below the fees established under clause (ii) if 
disclosure of the information is in the public interest because 
it is likely to contribute significantly to public 
understanding of the operations or activities of the government 
and is not primarily in the commercial interest of the 
requester.
  (iv) Fee schedules shall provide for the recovery of only the 
direct costs of search, duplication, or review. Review costs 
shall include only the direct costs incurred during the initial 
examination of a document for the purposes of determining 
whether the documents must be disclosed under this section and 
for the purposes of withholding any portions exempt from 
disclosure under this section. Review costs may not include any 
costs incurred in resolving issues of law or policy that may be 
raised in the course of processing a request under this 
section. No fee may be charged by any agency under this 
section--
          (I) if the costs of routine collection and processing 
        of the fee are likely to equal or exceed the amount of 
        the fee; or
          (II) for any request described in clause (ii) (II) or 
        (III) of this subparagraph for the first two hours of 
        search time or for the first one hundred pages of 
        duplication.
  (v) No agency may require advance payment of any fee unless 
the requester has previously failed to pay fees in a timely 
fashion, or the agency has determined that the fee will exceed 
$250.
  (vi) Nothing in this subparagraph shall supersede fees 
chargeable under a statute specifically providing for setting 
the level of fees for particular types of records.
  (vii) In any action by a requester regarding the waiver of 
fees under this section, the court shall determine the matter 
de novo: Provided, That the court's review of the matter shall 
be limited to the record before the agency.
  (viii) An agency shall not assess search fees (or in the case 
of a requester described under clause (ii)(II), duplication 
fees) under this subparagraph if the agency fails to comply 
with any time limit under paragraph (6), if no unusual or 
exceptional circumstances (as those terms are defined for 
purposes of paragraphs (6)(B) and (C), respectively) apply to 
the processing of the request.
  (B) On complaint, the district court of the United States in 
the district in which the complainant resides, or has his 
principal place of business, or in which the agency records are 
situated, or in the District of Columbia, has jurisdiction to 
enjoin the agency from withholding agency records and to order 
the production of any agency records improperly withheld from 
the complainant. In such a case the court shall determine the 
matter de novo, and may examine the contents of such agency 
records in camera to determine whether such records or any part 
thereof shall be withheld under any of the exemptions set forth 
in subsection (b) of this section, and the burden is on the 
agency to sustain its action. In addition to any other matters 
to which a court accords substantial weight, a court shall 
accord substantial weight to an affidavit of an agency 
concerning the agency's determination as to technical 
feasibility under paragraph (2)(C) and subsection (b) and 
reproducibility under paragraph (3)(B).
  (C) Notwithstanding any other provision of law, the defendant 
shall serve an answer or otherwise plead to any complaint made 
under this subsection within thirty days after service upon the 
defendant of the pleading in which such complaint is made, 
unless the court otherwise directs for good cause shown.
  (E)(i) The court may assess against the United States 
reasonable attorney fees and other litigation costs reasonably 
incurred in any case under this section in which the 
complainant has substantially prevailed.
  (ii) For purposes of this subparagraph, a complainant has 
substantially prevailed if the complainant has obtained relief 
through either--
          (I) a judicial order, or an enforceable written 
        agreement or consent decree; or
          (II) a voluntary or unilateral change in position by 
        the agency, if the complainant's claim is not 
        insubstantial.
  (F)(i) Whenever the court orders the production of any agency 
records improperly withheld from the complainant and assesses 
against the United States reasonable attorney fees and other 
litigation costs, and the court additionally issues a written 
finding that the circumstances surrounding the withholding 
raise questions whether agency personnel acted arbitrarily or 
capriciously with respect to the withholding, the Special 
Counsel shall promptly initiate a proceeding to determine 
whether disciplinary action is warranted against the officer or 
employee who was primarily responsible for the withholding. The 
Special Counsel, after investigation and consideration of the 
evidence submitted, shall submit his findings and 
recommendations to the administrative authority of the agency 
concerned and shall send copies of the findings and 
recommendations to the officer or employee or his 
representative. The administrative authority shall take the 
corrective action that the Special Counsel recommends.
  (ii) The Attorney General shall--
          (I) notify the Special Counsel of each civil action 
        described under the first sentence of clause (i); and
          (II) annually submit a report to Congress on the 
        number of such civil actions in the preceding year.
  (iii) The Special Counsel shall annually submit a report to 
Congress on the actions taken by the Special Counsel under 
clause (i).
  (G) In the event of noncompliance with the order of the 
court, the district court may punish for contempt the 
responsible employee, and in the case of a uniformed service, 
the responsible member.
  (5) Each agency having more than one member shall maintain 
and make available for public inspection a record of the final 
votes of each member in every agency proceeding.
  (6)(A) Each agency, upon any request for records made under 
paragraph (1), (2), or (3) of this subsection, shall--
          (i) determine within 20 days (excepting Saturdays, 
        Sundays, and legal public holidays) after the receipt 
        of any such request whether to comply with such request 
        and shall immediately notify the person making such 
        request of such determination and the reasons therefor, 
        and of the right of such person to appeal to the head 
        of the agency any adverse determination; and
          (ii) make a determination with respect to any appeal 
        within twenty days (excepting Saturdays, Sundays, and 
        legal public holidays) after the receipt of such 
        appeal. If on appeal the denial of the request for 
        records is in whole or in part upheld, the agency shall 
        notify the person making such request of the provisions 
        for judicial review of that determination under 
        paragraph (4) of this subsection.
The 20-day period under clause (i) shall commence on the date 
on which the request is first received by the appropriate 
component of the agency, but in any event not later than ten 
days after the request is first received by any component of 
the agency that is designated in the agency's regulations under 
this section to receive requests under this section. The 20-day 
period shall not be tolled by the agency except--
          (I) that the agency may make one request to the 
        requester for information and toll the 20-day period 
        while it is awaiting such information that it has 
        reasonably requested from the requester under this 
        section; or
          (II) if necessary to clarify with the requester 
        issues regarding fee assessment. In either case, the 
        agency's receipt of the requester's response to the 
        agency's request for information or clarification ends 
        the tolling period.
  (B)(i) In unusual circumstances as specified in this 
subparagraph, the time limits prescribed in either clause (i) 
or clause (ii) of subparagraph (A) may be extended by written 
notice to the person making such request setting forth the 
unusual circumstances for such extension and the date on which 
a determination is expected to be dispatched. No such notice 
shall specify a date that would result in an extension for more 
than ten working days, except as provided in clause (ii) of 
this subparagraph.
  (ii) With respect to a request for which a written notice 
under clause (i) extends the time limits prescribed under 
clause (i) of subparagraph (A), the agency shall notify the 
person making the request if the request cannot be processed 
within the time limit specified in that clause and shall 
provide the person an opportunity to limit the scope of the 
request so that it may be processed within that time limit or 
an opportunity to arrange with the agency an alternative time 
frame for processing the request or a modified request. Refusal 
by the person to reasonably modify the request or arrange such 
an alternative time frame shall be considered as a factor in 
determining whether exceptional circumstances exist for 
purposes of subparagraph (C). To aid the requester, each agency 
shall make available its FOIA Public Liaison, who shall assist 
in the resolution of any disputes between the requester and the 
agency.
  (iii) As used in this subparagraph, ``unusual circumstances'' 
means, but only to the extent reasonably necessary to the 
proper processing of the particular requests--
          (I) the need to search for and collect the requested 
        records from field facilities or other establishments 
        that are separate from the office processing the 
        request;
          (II) the need to search for, collect, and 
        appropriately examine a voluminous amount of separate 
        and distinct records which are demanded in a single 
        request; or
          (III) the need for consultation, which shall be 
        conducted with all practicable speed, with another 
        agency having a substantial interest in the 
        determination of the request or among two or more 
        components of the agency having substantial subject-
        matter interest therein.
  (iv) Each agency may promulgate regulations, pursuant to 
notice and receipt of public comment, providing for the 
aggregation of certain requests by the same requestor, or by a 
group of requestors acting in concert, if the agency reasonably 
believes that such requests actually constitute a single 
request, which would otherwise satisfy the unusual 
circumstances specified in this subparagraph, and the requests 
involve clearly related matters. Multiple requests involving 
unrelated matters shall not be aggregated.
  (C)(i) Any person making a request to any agency for records 
under paragraph (1), (2), or (3) of this subsection shall be 
deemed to have exhausted his administrative remedies with 
respect to such request if the agency fails to comply with the 
applicable time limit provisions of this paragraph. If the 
Government can show exceptional circumstances exist and that 
the agency is exercising due diligence in responding to the 
request, the court may retain jurisdiction and allow the agency 
additional time to complete its review of the records. Upon any 
determination by an agency to comply with a request for 
records, the records shall be made promptly available to such 
person making such request. Any notification of denial of any 
request for records under this subsection shall set forth the 
names and titles or positions of each person responsible for 
the denial of such request.
  (ii) For purposes of this subparagraph, the term 
``exceptional circumstances'' does not include a delay that 
results from a predictable agency workload of requests under 
this section, unless the agency demonstrates reasonable 
progress in reducing its backlog of pending requests.
  (iii) Refusal by a person to reasonably modify the scope of a 
request or arrange an alternative time frame for processing a 
request (or a modified request) under clause (ii) after being 
given an opportunity to do so by the agency to whom the person 
made the request shall be considered as a factor in determining 
whether exceptional circumstances exist for purposes of this 
subparagraph.
  (D)(i) Each agency may promulgate regulations, pursuant to 
notice and receipt of public comment, providing for multitrack 
processing of requests for records based on the amount of work 
or time (or both) involved in processing requests.
  (ii) Regulations under this subparagraph may provide a person 
making a request that does not qualify for the fastest 
multitrack processing an opportunity to limit the scope of the 
request in order to qualify for faster processing.
  (iii) This subparagraph shall not be considered to affect the 
requirement under subparagraph (C) to exercise due diligence.
  (E)(i) Each agency shall promulgate regulations, pursuant to 
notice and receipt of public comment, providing for expedited 
processing of requests for records--
          (I) in cases in which the person requesting the 
        records demonstrates a compelling need; and
          (II) in other cases determined by the agency.
  (ii) Notwithstanding clause (i), regulations under this 
subparagraph must ensure--
          (I) that a determination of whether to provide 
        expedited processing shall be made, and notice of the 
        determination shall be provided to the person making 
        the request, within 10 days after the date of the 
        request; and
          (II) expeditious consideration of administrative 
        appeals of such determinations of whether to provide 
        expedited processing.
  (iii) An agency shall process as soon as practicable any 
request for records to which the agency has granted expedited 
processing under this subparagraph. Agency action to deny or 
affirm denial of a request for expedited processing pursuant to 
this subparagraph, and failure by an agency to respond in a 
timely manner to such a request shall be subject to judicial 
review under paragraph (4), except that the judicial review 
shall be based on the record before the agency at the time of 
the determination.
  (iv) A district court of the United States shall not have 
jurisdiction to review an agency denial of expedited processing 
of a request for records after the agency has provided a 
complete response to the request.
  (v) For purposes of this subparagraph, the term ``compelling 
need'' means--
          (I) that a failure to obtain requested records on an 
        expedited basis under this paragraph could reasonably 
        be expected to pose an imminent threat to the life or 
        physical safety of an individual; or
          (II) with respect to a request made by a person 
        primarily engaged in disseminating information, urgency 
        to inform the public concerning actual or alleged 
        Federal Government activity.
  (vi) A demonstration of a compelling need by a person making 
a request for expedited processing shall be made by a statement 
certified by such person to be true and correct to the best of 
such person's knowledge and belief.
  (F) In denying a request for records, in whole or in part, an 
agency shall make a reasonable effort to estimate the volume of 
any requested matter the provision of which is denied, and 
shall provide any such estimate to the person making the 
request, unless providing such estimate would harm an interest 
protected by the exemption in subsection (b) pursuant to which 
the denial is made.
  (7) Each agency shall--
          (A) establish a system to assign an individualized 
        tracking number for each request received that will 
        take longer than ten days to process and provide to 
        each person making a request the tracking number 
        assigned to the request; and
          (B) establish a telephone line or Internet service 
        that provides information about the status of a request 
        to the person making the request using the assigned 
        tracking number, including--
                  (i) the date on which the agency originally 
                received the request; and
                  (ii) an estimated date on which the agency 
                will complete action on the request.
  (b) This section does not apply to matters that are--
          (1)(A) specifically authorized under criteria 
        established by an Executive order to be kept secret in 
        the interest of national defense or foreign policy and 
        (B) are in fact properly classified pursuant to such 
        Executive order;
          (2) related solely to the internal personnel rules 
        and practices of an agency;
          (3) specifically exempted from disclosure by statute 
        (other than section 552b of this title), if that 
        statute--
                  (A)(i) requires that the matters be withheld 
                from the public in such a manner as to leave no 
                discretion on the issue; or
                  (ii) establishes particular criteria for 
                withholding or refers to particular types of 
                matters to be withheld; and
                  (B) if enacted after the date of enactment of 
                the OPEN FOIA Act of 2009, specifically cites 
                to this paragraph.
          (4) trade secrets and commercial or financial 
        information obtained from a person and privileged or 
        confidential;
          (5) inter-agency or intra-agency memorandums or 
        letters which would not be available by law to a party 
        other than an agency in litigation with the agency;
          (6) personnel and medical files and similar files the 
        disclosure of which would constitute a clearly 
        unwarranted invasion of personal privacy;
          (7) records or information compiled for law 
        enforcement purposes, but only to the extent that the 
        production of such law enforcement records or 
        information (A) could reasonably be expected to 
        interfere with enforcement proceedings, (B) would 
        deprive a person of a right to a fair trial or an 
        impartial adjudication, (C) could reasonably be 
        expected to constitute an unwarranted invasion of 
        personal privacy, (D) could reasonably be expected to 
        disclose the identity of a confidential source, 
        including a State, local, or foreign agency or 
        authority or any private institution which furnished 
        information on a confidential basis, and, in the case 
        of a record or information compiled by criminal law 
        enforcement authority in the course of a criminal 
        investigation or by an agency conducting a lawful 
        national security intelligence investigation, 
        information furnished by a confidential source, (E) 
        would disclose techniques and procedures for law 
        enforcement investigations or prosecutions, or would 
        disclose guidelines for law enforcement investigations 
        or prosecutions if such disclosure could reasonably be 
        expected to risk circumvention of the law, or (F) could 
        reasonably be expected to endanger the life or physical 
        safety of any individual;
          (8) contained in or related to examination, 
        operating, or condition reports prepared by, on behalf 
        of, or for the use of an agency responsible for the 
        regulation or supervision of financial institutions; 
        [or]
          (9) geological and geophysical information and data, 
        including maps, concerning [wells.] wells; or
          (10) information shared with or provided to the 
        Federal Government pursuant to the Protecting Cyber 
        Networks Act or the amendments made by such Act.
Any reasonably segregable portion of a record shall be provided 
to any person requesting such record after deletion of the 
portions which are exempt under this subsection. The amount of 
information deleted, and the exemption under which the deletion 
is made, shall be indicated on the released portion of the 
record, unless including that indication would harm an interest 
protected by the exemption in this subsection under which the 
deletion is made. If technically feasible, the amount of the 
information deleted, and the exemption under which the deletion 
is made, shall be indicated at the place in the record where 
such deletion is made.
  (c)(1) Whenever a request is made which involves access to 
records described in subsection (b)(7)(A) and--
          (A) the investigation or proceeding involves a 
        possible violation of criminal law; and
          (B) there is reason to believe that (i) the subject 
        of the investigation or proceeding is not aware of its 
        pendency, and (ii) disclosure of the existence of the 
        records could reasonably be expected to interfere with 
        enforcement proceedings,
the agency may, during only such time as that circumstance 
continues, treat the records as not subject to the requirements 
of this section.
  (2) Whenever informant records maintained by a criminal law 
enforcement agency under an informant's name or personal 
identifier are requested by a third party according to the 
informant's name or personal identifier, the agency may treat 
the records as not subject to the requirements of this section 
unless the informant's status as an informant has been 
officially confirmed.
  (3) Whenever a request is made which involves access to 
records maintained by the Federal Bureau of Investigation 
pertaining to foreign intelligence or counterintelligence, or 
international terrorism, and the existence of the records is 
classified information as provided in subsection (b)(1), the 
Bureau may, as long as the existence of the records remains 
classified information, treat the records as not subject to the 
requirements of this section.
  (d) This section does not authorize withholding of 
information or limit the availability of records to the public, 
except as specifically stated in this section. This section is 
not authority to withhold information from Congress.
  (e)(1) On or before February 1 of each year, each agency 
shall submit to the Attorney General of the United States a 
report which shall cover the preceding fiscal year and which 
shall include--
          (A) the number of determinations made by the agency 
        not to comply with requests for records made to such 
        agency under subsection (a) and the reasons for each 
        such determination;
          (B)(i) the number of appeals made by persons under 
        subsection (a)(6), the result of such appeals, and the 
        reason for the action upon each appeal that results in 
        a denial of information; and
          (ii) a complete list of all statutes that the agency 
        relies upon to authorize the agency to withhold 
        information under subsection (b)(3), the number of 
        occasions on which each statute was relied upon, a 
        description of whether a court has upheld the decision 
        of the agency to withhold information under each such 
        statute, and a concise description of the scope of any 
        information withheld;
          (C) the number of requests for records pending before 
        the agency as of September 30 of the preceding year, 
        and the median and average number of days that such 
        requests had been pending before the agency as of that 
        date;
          (D) the number of requests for records received by 
        the agency and the number of requests which the agency 
        processed;
          (E) the median number of days taken by the agency to 
        process different types of requests, based on the date 
        on which the requests were received by the agency;
          (F) the average number of days for the agency to 
        respond to a request beginning on the date on which the 
        request was received by the agency, the median number 
        of days for the agency to respond to such requests, and 
        the range in number of days for the agency to respond 
        to such requests;
          (G) based on the number of business days that have 
        elapsed since each request was originally received by 
        the agency--
                  (i) the number of requests for records to 
                which the agency has responded with a 
                determination within a period up to and 
                including 20 days, and in 20-day increments up 
                to and including 200 days;
                  (ii) the number of requests for records to 
                which the agency has responded with a 
                determination within a period greater than 200 
                days and less than 301 days;
                  (iii) the number of requests for records to 
                which the agency has responded with a 
                determination within a period greater than 300 
                days and less than 401 days; and
                  (iv) the number of requests for records to 
                which the agency has responded with a 
                determination within a period greater than 400 
                days;
          (H) the average number of days for the agency to 
        provide the granted information beginning on the date 
        on which the request was originally filed, the median 
        number of days for the agency to provide the granted 
        information, and the range in number of days for the 
        agency to provide the granted information;
          (I) the median and average number of days for the 
        agency to respond to administrative appeals based on 
        the date on which the appeals originally were received 
        by the agency, the highest number of business days 
        taken by the agency to respond to an administrative 
        appeal, and the lowest number of business days taken by 
        the agency to respond to an administrative appeal;
          (J) data on the 10 active requests with the earliest 
        filing dates pending at each agency, including the 
        amount of time that has elapsed since each request was 
        originally received by the agency;
          (K) data on the 10 active administrative appeals with 
        the earliest filing dates pending before the agency as 
        of September 30 of the preceding year, including the 
        number of business days that have elapsed since the 
        requests were originally received by the agency;
          (L) the number of expedited review requests that are 
        granted and denied, the average and median number of 
        days for adjudicating expedited review requests, and 
        the number adjudicated within the required 10 days;
          (M) the number of fee waiver requests that are 
        granted and denied, and the average and median number 
        of days for adjudicating fee waiver determinations;
          (N) the total amount of fees collected by the agency 
        for processing requests; and
          (O) the number of full-time staff of the agency 
        devoted to processing requests for records under this 
        section, and the total amount expended by the agency 
        for processing such requests.
  (2) Information in each report submitted under paragraph (1) 
shall be expressed in terms of each principal component of the 
agency and for the agency overall.
  (3) Each agency shall make each such report available to the 
public including by computer telecommunications, or if computer 
telecommunications means have not been established by the 
agency, by other electronic means. In addition, each agency 
shall make the raw statistical data used in its reports 
available electronically to the public upon request.
  (4) The Attorney General of the United States shall make each 
report which has been made available by electronic means 
available at a single electronic access point. The Attorney 
General of the United States shall notify the Chairman and 
ranking minority member of the Committee on Government Reform 
and Oversight of the House of Representatives and the Chairman 
and ranking minority member of the Committees on Governmental 
Affairs and the Judiciary of the Senate, no later than April 1 
of the year in which each such report is issued, that such 
reports are available by electronic means.
  (5) The Attorney General of the United States, in 
consultation with the Director of the Office of Management and 
Budget, shall develop reporting and performance guidelines in 
connection with reports required by this subsection by October 
1, 1997, and may establish additional requirements for such 
reports as the Attorney General determines may be useful.
  (6) The Attorney General of the United States shall submit an 
annual report on or before April 1 of each calendar year which 
shall include for the prior calendar year a listing of the 
number of cases arising under this section, the exemption 
involved in each case, the disposition of such case, and the 
cost, fees, and penalties assessed under subparagraphs (E), 
(F), and (G) of subsection (a)(4). Such report shall also 
include a description of the efforts undertaken by the 
Department of Justice to encourage agency compliance with this 
section.
  (f) For purposes of this section, the term--
          (1) ``agency'' as defined in section 551(1) of this 
        title includes any executive department, military 
        department, Government corporation, Government 
        controlled corporation, or other establishment in the 
        executive branch of the Government (including the 
        Executive Office of the President), or any independent 
        regulatory agency; and
          (2) ``record'' and any other term used in this 
        section in reference to information includes--
                  (A) any information that would be an agency 
                record subject to the requirements of this 
                section when maintained by an agency in any 
                format, including an electronic format; and
                  (B) any information described under 
                subparagraph (A) that is maintained for an 
                agency by an entity under Government contract, 
                for the purposes of records management.
  (g) The head of each agency shall prepare and make publicly 
available upon request, reference material or a guide for 
requesting records or information from the agency, subject to 
the exemptions in subsection (b), including--
          (1) an index of all major information systems of the 
        agency;
          (2) a description of major information and record 
        locator systems maintained by the agency; and
          (3) a handbook for obtaining various types and 
        categories of public information from the agency 
        pursuant to chapter 35 of title 44, and under this 
        section.
  (h)(1) There is established the Office of Government 
Information Services within the National Archives and Records 
Administration.
  (2) The Office of Government Information Services shall--
          (A) review policies and procedures of administrative 
        agencies under this section;
          (B) review compliance with this section by 
        administrative agencies; and
          (C) recommend policy changes to Congress and the 
        President to improve the administration of this 
        section.
  (3) The Office of Government Information Services shall offer 
mediation services to resolve disputes between persons making 
requests under this section and administrative agencies as a 
non-exclusive alternative to litigation and, at the discretion 
of the Office, may issue advisory opinions if mediation has not 
resolved the dispute.
  (i) The Government Accountability Office shall conduct audits 
of administrative agencies on the implementation of this 
section and issue reports detailing the results of such audits.
  (j) Each agency shall designate a Chief FOIA Officer who 
shall be a senior official of such agency (at the Assistant 
Secretary or equivalent level).
  (k) The Chief FOIA Officer of each agency shall, subject to 
the authority of the head of the agency--
          (1) have agency-wide responsibility for efficient and 
        appropriate compliance with this section;
          (2) monitor implementation of this section throughout 
        the agency and keep the head of the agency, the chief 
        legal officer of the agency, and the Attorney General 
        appropriately informed of the agency's performance in 
        implementing this section;
          (3) recommend to the head of the agency such 
        adjustments to agency practices, policies, personnel, 
        and funding as may be necessary to improve its 
        implementation of this section;
          (4) review and report to the Attorney General, 
        through the head of the agency, at such times and in 
        such formats as the Attorney General may direct, on the 
        agency's performance in implementing this section;
          (5) facilitate public understanding of the purposes 
        of the statutory exemptions of this section by 
        including concise descriptions of the exemptions in 
        both the agency's handbook issued under subsection (g), 
        and the agency's annual report on this section, and by 
        providing an overview, where appropriate, of certain 
        general categories of agency records to which those 
        exemptions apply; and
          (6) designate one or more FOIA Public Liaisons.
  (l) FOIA Public Liaisons shall report to the agency Chief 
FOIA Officer and shall serve as supervisory officials to whom a 
requester under this section can raise concerns about the 
service the requester has received from the FOIA Requester 
Center, following an initial response from the FOIA Requester 
Center Staff. FOIA Public Liaisons shall be responsible for 
assisting in reducing delays, increasing transparency and 
understanding of the status of requests, and assisting in the 
resolution of disputes.

           *       *       *       *       *       *       *


                   Disclosure of Directed Rule Making

    H.R. 1560 does not specifically direct any rule makings 
within the meaning of 5 U.S.C. 551.

                    Duplication of Federal Programs

    H.R. 1560 does not duplicate or reauthorize an established 
program of the Federal Government that was included in any 
report from the Government Accountability Office to Congress 
pursuant to section 21 of Public Law 111-139, or a program 
related to a program identified in the most recent Catalog of 
Federal Domestic Assistance.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]