Cybersecurity and Information Sharing:
Comparison of H.R. 1560 and H.R. 1731 as
Passed by the House

Eric A. Fischer
Senior Specialist in Science and Technology
Stephanie M. Logan
Research Assistant
June 4, 2015
Congressional Research Service
7-5700
www.crs.gov
R43996



Summary
Effective sharing of information in cybersecurity is generally considered an important tool for
protecting information systems and their contents from unauthorized access by cybercriminals
and other adversaries. Five bills on such sharing have been introduced in the 114th Congress—
H.R. 234, H.R. 1560, H.R. 1731, S. 456, and S. 754. The White House has also submitted a
legislative proposal and issued an executive order on the topic.
In the House, H.R. 1560, the Protecting Cyber Networks Act (PCNA), was reported out of the
Intelligence Committee. H.R. 1731, the National Cybersecurity Protection Advancement Act of
2015 (NCPAA), was reported by the Homeland Security Committee. Both bills passed the House,
amended, the week of April 20, and were combined, with the PCNA becoming Title I and the
NCPAA Title II of H.R. 1560.
The PCNA and the NCPAA have many similarities but also significant differences. Both focus on
information sharing among private entities and between them and the federal government. They
address the structure of the information-sharing process, issues associated with privacy and civil
liberties, and liability risks for private-sector sharing, and both address some other topics in
common.
The NCPAA would amend portions of the Homeland Security Act of 2002, and the PCNA would
amend parts of the National Security Act of 1947. They differ in how they define some terms in
common such as cyber threat indicator, the roles they provide for federal agencies (especially, the
Department of Homeland Security and the intelligence community), processes for nonfederal
entities to share information with the federal government, processes for protecting privacy and
civil liberties, uses permitted for shared information, and reporting requirements.
S. 754 has been reported by the Senate Intelligence Committee. Presumably, if the Senate passes
a bill on information sharing, any inconsistencies between the PCNA and the NCPAA could be
reconciled during the process for resolving differences between the House and Senate bills.
All of the bills would address commonly raised concerns about barriers to sharing information
about threats, attacks, vulnerabilities, and other aspects of cybersecurity—both within and across
sectors. Such barriers are considered by many to hinder protection of information systems,
especially those associated with critical infrastructure. Private-sector entities often claim that they
are reluctant to share such information among themselves because of concerns about legal
liability, antitrust violations, and protection of intellectual property and other proprietary business
information. Institutional and cultural factors have also been cited—traditional approaches to
security tend to emphasize secrecy and confidentiality, which would necessarily impede sharing
of information.
All the bills have provisions aimed at facilitating information sharing among private-sector
entities and providing protections from liability that might arise from such sharing. While
reduction or removal of such barriers may provide benefits, concerns have also been raised about
potential adverse impacts, especially on privacy and civil liberties, and potential misuse of shared
information. The legislative proposals all address many of the concerns. In general, the proposals
limit the use of shared information to purposes of cybersecurity and law enforcement, and they
limit government use, especially for regulatory purposes. All include provisions to shield
information shared with the federal government from public disclosure and to protect privacy and
civil liberties with respect to shared information that is not needed for cybersecurity purposes. All
the proposals require reports to Congress on impacts of their provisions.
Most observers appear to believe that legislation on information sharing is either necessary or at
least potentially beneficial—provided that appropriate protections are included—but two
additional factors in particular may be worthy of consideration as the various legislative proposals
are debated. First, resistance to sharing of information among private-sector entities might not be
substantially reduced by the actions contemplated in the legislation. Second, information sharing
is only one of many facets of cybersecurity that organizations need to address to secure their
systems and information.

Contents
House Consideration of the Two Bills
Current Legislative Proposals
Comparison of the NCPAA and the PCNA
Glossary of Abbreviations in the Table
Notes on the Table

Tables
Table 1. Side-by-Side Comparison of the Two Titles of H.R. 1560 as Passed by the
House—the PCNA (Title 1) and the NCPAA (Title II)

Contacts
Author Contact Information


This report compares provisions in two bills in the House of Representatives that address
information sharing and related activities in cybersecurity:1
• H.R. 1560, the Protecting Cyber Networks Act (PCNA), as passed by the House
on April 22; and
• H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015
(NCPAA), as passed by the House on April 23.2
Both bills focus on information sharing among private entities and between them and the federal
government. They address the structure of the information-sharing process, issues associated with
privacy and civil liberties, and liability risks for private-sector sharing, and both address some
other topics in common. In addition to other provisions, the NCPAA would explicitly amend
portions of the Homeland Security Act of 2002 (6 U.S.C. 101 et seq.), and the PCNA would
amend parts of the National Security Act of 1947 (50 U.S.C. 3021 et seq.).
This report consists of an overview of those and other legislative proposals on information
sharing, along with selected associated issues, followed by a side-by-side analysis of the two
House bills as passed. For information on economic aspects of information sharing, see CRS
Report R43821, Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis,
by N. Eric Weiss. For discussion of legal issues, see CRS Report R43941, Cybersecurity and
Information Sharing: Legal Challenges and Solutions, by Andrew Nolan. For an overview of
cybersecurity issues, see CRS Report R43831, Cybersecurity Issues and Challenges: In Brief, by
Eric A. Fischer.
House Consideration of the Two Bills
The House Committee on Rules held a hearing on proposed amendments to both H.R. 1560 and
H.R. 1731 on April 21. More than 30 amendments were submitted for H.R. 1731 and more than
20 for H.R. 1560.3 The committee reported H.Res. 212 (H.Rept. 114-88) on the two bills on
April 21, with a structured rule allowing consideration of five amendments to H.R. 1560 and 11
for H.R. 1731. For each bill, a manager’s amendment would serve as the base bill for floor
consideration, with debate on H.R. 1560 held on April 22 and on H.R. 1731 on April 23. The rule
further stated that upon passage of both bills, the text of H.R. 1731 would be appended to H.R.
1560, and H.R. 1731 would be tabled.
On April 22, all five amendments to H.R. 1560 were adopted and the bill passed the House by a
vote of 307 to 116. The amendments were all agreed to by voice vote except a sunset amendment
terminating the bill’s provisions seven years after enactment, which passed by recorded vote of
313 to 110. Similarly, on April 23, the 11 amendments to H.R. 1731 were all adopted and the bill
was passed by a vote of 355 to 63. A sunset amendment similar to that approved for H.R. 1560
and all but one other amendment were adopted by voice vote. The exception, requiring a GAO
study on privacy and civil liberties impacts, was agreed to by recorded vote, 405 to 8. The
engrossed version of H.R. 1560 combined the bills by making the PCNA Title I and the NCPAA
Title II.

1 The analysis is limited to a textual comparison of the bills and is not intended to reach any legal conclusions regarding
them.
2 The Rules Committee print is available at http://docs.house.gov/billsthisweek/20150420/CPRT-114-HPRT-RU00-HR1731.pdf.
3 For a list of amendments and text, see House Committee on Rules, “H.R. 1731—National Cybersecurity Protection
Advancement Act of 2015,” April 21, 2015, http://rules.house.gov/bill/114/hr-1731; and ———, “H.R. 1560—Protecting
Cyber Networks Act,” April 21, 2015, http://rules.house.gov/bill/114/hr-1560.

Current Legislative Proposals
Five bills on information sharing have been introduced in the 114th Congress, three in the House
and two in the Senate. The White House has also submitted a legislative proposal4 (WHP) and
issued an executive order on the topic.5 Other proposals include the following:
• The Cyber Intelligence Sharing and Protection Act (CISPA), which passed the
House in the 113th Congress, has been reintroduced as H.R. 234.
• S. 456 is an amended version of the White House proposal.6
• S. 754, the Cybersecurity Information Sharing Act of 2015 (CISA), from the
Senate Intelligence Committee, has many similarities to a bill with the same
name introduced in the 113th Congress and shares many provisions with the
PCNA, although there are also significant differences between S. 754 and the
PCNA.
All the bills would address concerns that are commonly raised about barriers to sharing of
information on threats, attacks, vulnerabilities, and other aspects of cybersecurity—both within
and across sectors. It is generally recognized that effective sharing of information is an important
tool in the protection of information systems and their contents from unauthorized access by
cybercriminals and other adversaries.
Barriers to sharing have long been considered by many to be a significant hindrance to effective
protection of information systems, especially those associated with critical infrastructure.7
Private-sector entities often claim that they are reluctant to share such information among
themselves because of concerns about legal liability, antitrust violations, and protection of
intellectual property and other proprietary business information. Institutional and cultural factors
have also been cited—traditional approaches to security tend to emphasize secrecy and
confidentiality, which would necessarily impede sharing of information. While reduction or
removal of such barriers may provide benefits in cybersecurity, concerns have also been raised
about potential adverse impacts, especially with respect to privacy and civil liberties, and
potential misuse of shared information.

4 The White House, Updated Information Sharing Legislative Proposal, 2015,
http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-information-sharing-legislative-proposal.pdf.
5 Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing,” Federal Register 80, no. 34
(February 20, 2015): 9349–53, http://www.gpo.gov/fdsys/pkg/FR-2015-02-20/pdf/2015-03714.pdf.
6 See Senate Committee on Homeland Security and Governmental Affairs, Protecting America from Cyber Attacks: The
Importance of Information Sharing, 2015,
http://www.hsgac.senate.gov/hearings/protecting-america-from-cyber-attacks-the-importance-of-information-sharing.
The hearing was not specifically on the White House proposal but it
was held after the proposal was submitted and before the introduction of S. 456.
7 See, for example, CSIS Commission on Cybersecurity for the 44th Presidency, “Cybersecurity Two Years Later,”
January 2011, http://csis.org/files/publication/110128_Lewis_CybersecurityTwoYearsLater_Web.pdf.

The legislative proposals all address many of those concerns, but they vary somewhat in
emphasis and method. The NCPAA focuses on the role of the Department of Homeland Security
(DHS), and in particular the National Cybersecurity and Communications Integration Center
(NCCIC). The PCNA, in contrast, focuses on the role of the intelligence community (IC),8
including authorization of the recently announced Cyber Threat Intelligence Integration Center
(CTIIC). Both CISPA and CISA address roles of both DHS and the IC. The NCPAA, S. 456, and
the WHP address roles of information sharing and analysis organizations (ISAOs).9 ISAOs were
defined in the Homeland Security Act (6 U.S.C. §131(5)) as entities that gather and analyze
information relating to the security of critical infrastructure, communicate such information to
help with defense against and recovery from incidents, and disseminate such information to any
entities that might assist in carrying out those goals. Information Sharing and Analysis Centers
(ISACs) are more familiar to most observers. They may also be ISAOs but are not the same,
having been originally formed pursuant to a 1998 presidential directive.10
On February 20, 2015, President Obama signed Executive Order 13691,11 which requires the
Secretary of Homeland Security to encourage and facilitate the formation of ISAOs, and to
choose and work with a nongovernmental standards organization to identify standards and
guidelines for the ISAOs.12 It also requires the NCCIC to coordinate with ISAOs on information
sharing, and includes some provisions to facilitate sharing of classified cybersecurity information
with appropriate entities.
On April 21, the White House announced support for passage of both the NCPAA and the PCNA
by the House, while calling for a narrowing of sweep for the liability protections and additional
safeguards relating to use of defensive measures in both bills.13 It also called for clarifying
provisions in the NCPAA on use of shared information in federal law enforcement and ensuring
that provisions in the PCNA do not interfere with privacy and civil liberties protections.

8 The IC consists of 17 agencies and others as designated under 50 U.S.C. 3003.
9 The House Committee on Homeland Security held two hearings on the White House proposal before H.R. 1731 was
introduced (House Committee on Homeland Security, Examining the President’s Cybersecurity Information Sharing
Proposal, 2015,
http://homeland.house.gov/hearing/hearing-administration-s-cybersecurity-legislative-proposal-information-sharing;
House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies, Industry Perspectives on the President’s Cybersecurity Information Sharing
Proposal, 2015,
http://homeland.house.gov/hearing/subcommittee-hearing-industry-perspectives-president-s-cybersecurity-information-sharing).
10 The White House, “Presidential Decision Directive 63: Critical Infrastructure Protection,” May 22, 1998,
http://www.fas.org/irp/offdocs/pdd/pdd-63.htm.
11 Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing.”
12 DHS has posted a Notice of Funding Opportunity for the standards organization, with selection expected in August
2015 (see Department of Homeland Security, “Information Sharing and Analysis Organizations,” May 27, 2015,
http://www.dhs.gov/isao).
13 Office of Management and Budget, “H.R. 1560—Protecting Cyber Networks Act” (Statement of Administration
Policy, April 21, 2015),
https://www.whitehouse.gov/sites/default/files/omb/legislative/sap/114/saphr1560r_20150421.pdf; Office of
Management and Budget, “H.R. 1731—National Cybersecurity Protection Advancement Act of 2015” (Statement of
Administration Policy, April 21, 2015),
https://www.whitehouse.gov/sites/default/files/omb/legislative/sap/114/saphr1731r_20150421.pdf.

All of the proposals have provisions aimed at facilitating sharing of information among private-
sector entities and providing protections from liability that might arise from such sharing. They
vary somewhat in the kinds of private-sector entities and information covered, but almost all of
them address information on both cybersecurity threats and defensive measures, the exception
being S. 456 and the WHP, which cover only cyber threat indicators. In general, the proposals
limit the use of shared information to purposes of cybersecurity and law enforcement, and they
limit government use, especially for regulatory purposes.
All address concerns about privacy and civil liberties, although the mechanisms proposed vary to
some extent, in particular the roles played by the Attorney General, the DHS Secretary, Chief
Privacy Officers, the Privacy and Civil Liberties Oversight Board (PCLOB), and the Inspectors
General of DHS and other agencies. All the proposals require reports to Congress on impacts of
their provisions. All also include provisions to shield information shared with the federal
government from public disclosure, including exemption from disclosure under the Freedom of
Information Act (FOIA).
H.R. 1735, the National Defense Authorization Act of 2016, as passed by the House on May 15,
would provide liability protections similar to those in H.R. 1560 to “operationally critical”
defense contractors who are required to report incidents to DOD (10 U.S.C. 391) and cleared
contractors required to report network or system penetrations (10 U.S.C. 2224 note).
While most observers appear to believe that legislation on information sharing is either necessary
or at least potentially beneficial—provided that appropriate protections are included—two
additional factors in particular may be worthy of consideration as the legislative proposals are
developed. First, resistance to sharing of information among private-sector entities might not be
substantially reduced by the actions contemplated in the legislation. Information received can
help an entity prevent or mitigate an attack. However, there is no clear direct benefit associated
with providing information, except in the case of providers of cybersecurity services and their
clients. More indirect benefits might occur, for example, if a pattern of reciprocity develops
among sharing entities, such as through ISACs or ISAOs. While the legislative proposals may
reduce the risks to private-sector entities associated with providing information, none include
explicit incentives to stimulate such provision. In the absence of mechanisms to balance that
asymmetry, the degree to which information sharing will increase under the provisions of the
various legislative proposals may be uncertain.
The second point is that information sharing is only one of many facets of cybersecurity.14
Entities must have the resources and processes in place that are necessary for effective
cybersecurity risk management. Sharing may be relatively unimportant for many organizations,
especially in comparison with other cybersecurity needs.15 In addition, most information sharing
relates to imminent or near-term threats. It is not directly relevant to broader issues in
cybersecurity such as education and training, workforce, acquisition, or cybercrime law, or major
long-term challenges such as building security into the design of hardware and software,
changing the incentive structure for cybersecurity, developing a broad consensus about
cybersecurity needs and requirements, and adapting to the rapid evolution of cyberspace.

14 See, for example, Testimony of Martin C. Libicki before the House Committee on Oversight & Government Reform,
Subcommittee on Information Technology, hearing on Industry Perspectives on the President’s Cybersecurity
Information Sharing Proposal, 2015,
http://homeland.house.gov/hearing/subcommittee-hearing-industry-perspectives-president-s-cybersecurity-information-sharing.
15 For example, in the Cybersecurity Framework developed by the National Institute of Standards and Technology,
target levels of information sharing vary among the four tiers of cybersecurity implementation developed for
organizations with different risk profiles (National Institute of Standards and Technology, “Framework for Improving
Critical Infrastructure Cybersecurity, Version 1.0,” February 12, 2014,
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf).

Comparison of the NCPAA and the PCNA
The remainder of the report consists of a side-by-side comparison of provisions in H.R. 1560 and
H.R. 1731 as passed by the House and combined as separate titles into a single bill, H.R. 1560.
The PCNA became Title I and the NCPAA became Title II.
Glossary of Abbreviations in the Table
AG: Attorney General
CI: Critical Infrastructure
CPO: Chief Privacy Officer
CRADA: Cooperative research and development agreement
CTIIC: Cyber Threat Intelligence Integration Center
DHS: Department of Homeland Security
DNI: Director of National Intelligence
DOD: Department of Defense
DOJ: Department of Justice
HSA: Homeland Security Act
HSC: House Committee on Homeland Security
HSGAC: Senate Homeland Security and Governmental Affairs Committee
IC: Intelligence community
ICS: Industrial control system
ICS-CERT: Industrial Control System Cyber Emergency Response Team
IG: Inspector General
ISAC: Information sharing and analysis center
ISAO: Information sharing and analysis organization
MOU: Memorandum of understanding
NCCIC: National Cybersecurity and Communications Integration Center
NCPAA: National Cybersecurity Protection Advancement Act of 2015
ODNI: Office of the Director of National Intelligence
PCLOB: Privacy and Civil Liberties Oversight Board
PCNA: Protecting Cyber Networks Act
R&D: Research and development
SSA: Sector-specific agency
Secretary: Secretary of Homeland Security
U.S.: United States
U.S.C.: United States Code
US-CERT: United States Computer Emergency Readiness Team
U/S-CIP: DHS Under Secretary for Cybersecurity and Infrastructure Protection
Notes on the Table
Entries describing provisions in a bill are summaries or paraphrases, with direct quotes enclosed
in double quotation marks. The table uses the following formatting conventions to aid in the
comparison:
• Related provisions in the two titles are adjacent to each other, with the NCPAA
serving as the basis for comparison.16 As a result, many provisions of the PCNA
appear out of sequence in the table.
• Bold formatting denotes that the identified provision is the subject of the
subsequent text (e.g., (d) or Sec. 102 (a)).
• Numbers and names of sections, subsections, and paragraphs (except definitions)
added to existing laws by the bills are enclosed in single quotation marks (e.g.,
‘Sec. 111(a)’).
• Underlined text (visible only in the pdf version) is used in selected cases as a
visual aid to highlight differences with a corresponding provision in the other bill
that might otherwise be difficult to discern.
• The names of titles, sections, and some paragraphs are stated the first time a
provision from them is discussed in the table—for example, Sec. 103.
Authorizations for Preventing, Detecting, Analyzing, and Mitigating
Cybersecurity Threats—but only the number, to the paragraph level or higher,
is used thereafter.
• In cases where a provision of the PCNA is out of sequence from that immediately
above it, as much of the provision number is repeated as is needed to make its
origin clear. For example, on p. 14, a provision from Sec. 103 is described
immediately after an entry for Sec. 109 and is therefore labelled Sec. 103(c)(3).
That is followed immediately by an entry labelled (a), which is a subsection of
Sec. 103 and therefore is not preceded by the section number.
• Page numbers cited within the table are hyperlinked to the provisions they
reference in the table; the page numbers themselves refer to pages in the pdf
version of the report.
• Explanatory notes on provisions are enclosed in square brackets. Also, the entry
“[Similar to NCPAA]” means that the text in that provision in the PCNA is
closely similar in text, with no significant difference in meaning, to the
corresponding provision in the NCPAA. “[Identical to NCPAA]” means that there
are no differences in language in the two provisions.

16 This approach was taken for purposes of efficiency and convenience only. CRS does not advocate or take positions
on legislation or legislative issues.

See the “Glossary of Abbreviations in the Table” for meanings of abbreviations used therein.
Table 1. Side-by-Side Comparison of the Two Titles of H.R. 1560 as Passed by the
House—the PCNA (Title 1) and the NCPAA (Title II)
NCPAA—Title II: “To amend the Homeland Security Act of 2002 to enhance multi-directional sharing
of information related to cybersecurity risks and strengthen privacy and civil liberties
protections, and for other purposes.”
PCNA—Title I: “To improve cybersecurity in the United States through enhanced sharing of
information about cybersecurity threats, and for other purposes.” [Note: These two official titles
have been concatenated in the engrossed version of H.R. 1560.]

NCPAA: Sec. 201. Short Title
PCNA: Sec. 101. Short Title

NCPAA: National Cybersecurity Protection Advancement Act of 2015
PCNA: Protecting Cyber Networks Act

NCPAA: Sec. 202. National Cybersecurity and Communications Integration Center

NCPAA: Amends Sec. 226 of the HSA (6 U.S.C. 148). [Note: This section, added by P.L. 113-282,
established the National Cybersecurity and Communications Integration Center and is referred to
in the bill as the “second section 226” to distinguish it from an identically numbered section
added by P.L. 113-277.]

NCPAA: (a) In General
PCNA: Sec. 110. Definitions

NCPAA: Amends existing definitions:

NCPAA: Cybersecurity Risk: Excludes actions solely involving violations of consumer terms of
service or licensing agreements from the definition.

NCPAA: Incident: Replaces the phrase “or actually or imminently jeopardizes, without lawful
authority, an information system” with “or constitutes a violation or imminent threat of
violation of law, security policies, security procedures, or acceptable use policies.”

NCPAA: Adds the following definitions:

PCNA: Agency: As in 44 U.S.C. 3502.

PCNA: Appropriate Federal Entities: Departments of Commerce, Defense, Energy, Homeland Security,
Justice, and the Treasury; and Office of the ODNI.

PCNA: Cybersecurity Threat: An action unprotected by the 1st Amendment to the Constitution that
involves an information system and may result in unauthorized efforts to adversely impact the
security, integrity, confidentiality, or availability of the system or its contents, but not
including actions solely involving violations of consumer terms of service or licensing
agreements.

NCPAA: Cyber Threat Indicator:
PCNA: Cyber Threat Indicator:

NCPAA: Technical information necessary to describe or identify
PCNA: Information or a physical object necessary to describe or identify

NCPAA: - a method for network awareness [defined below] of an information system to discern its
technical vulnerabilities, if the method is known or reasonably suspected of association with a
known or suspected cybersecurity risk, including
PCNA: - malicious reconnaissance, including

NCPAA: - communications that reasonably appear to have “the purpose of gathering technical
information related to a cybersecurity risk,”
PCNA: - anomalous patterns of communications that appear to have “the purpose of gathering
technical information related to a cybersecurity threat or security vulnerability,”

NCPAA: - a method for defeating a technical or security control,
PCNA: - a method of defeating a security control or exploiting a security vulnerability,

NCPAA: - a technical vulnerability including anomalous technical behavior that may become a
vulnerability,
PCNA: - a security vulnerability or anomalous activity indicating the existence of one,

NCPAA: - a method of causing a legitimate user of an information system or its contents to
inadvertently enable defeat of a technical or operational control,
PCNA: - a method of causing a legitimate user of an information system or its contents to
unwittingly enable defeat of a security control or exploitation of a security vulnerability,

NCPAA: - a method for unauthorized remote identification, access, or use of an information system
or its contents, if the method is known or reasonably suspected of association with a known or
suspected cybersecurity risk, or
PCNA: - “malicious cyber command and control,”

NCPAA: - actual or potential harm from an incident, including exfiltration of information; or
PCNA: [Identical to NCPAA]

NCPAA: - any other cybersecurity risk attribute that cannot be used to identify specific persons
believed to be unrelated to the risk, and disclosure of which is not prohibited by law
PCNA: - any other cybersecurity threat attribute the disclosure of which is not prohibited by law.

NCPAA: - any combination of the above.
PCNA: [No Corresponding Provision]

NCPAA: Cybersecurity Purpose:
PCNA: Cybersecurity Purpose:

NCPAA: Protecting an information system or its contents from a cybersecurity risk or incident or
identifying a risk or incident source.
PCNA: Protecting (including by using defensive measures) an information system or its contents
from a cybersecurity threat or security vulnerability or identifying a threat source.

Defensive Measure:
Defensive Measure:
An “action, device, procedure, signature, technique, or other
An “action, device, procedure, technique, or other measure”
measure” applied to an information system that “detects,
executed on an information system or its contents that
prevents or mitigates a known or suspected cybersecurity
“prevents or mitigates a known or suspected cybersecurity
risk or incident” or attributes that could help defeat security
threat or security vulnerability.”
controls,
but not including measures that destroy, render unusable, or
[No Corresponding Provision; however, the authority to
substantially harm an information system or its contents not
operate defensive measures in Sec. 103(b) includes a similar
operated by that nonfederal entity, except a state, local, or
restriction; see p. 15];
tribal government, or by another nonfederal or federal entity
that consented to such actions.
Federal Entity: A U.S. department or agency, or any component thereof.
Information System: As in 44 U.S.C. 3502.
Local Government: A political subdivision of a state.

Malicious Cyber Command and Control: “A method for unauthorized remote identification of, access to, or use of an information system” or its contents.
Malicious Reconnaissance: A method, associated with a known or suspected cybersecurity threat, for probing or monitoring an information system to discern its vulnerabilities.
NCPAA: Network Awareness: Scanning, identifying, acquiring, monitoring, logging, or analyzing the contents of an information system.
PCNA: Monitor: Scanning, identifying, acquiring, or otherwise possessing the contents of an information system.
Non-Federal Entity: A private or governmental entity that is not federal, but not including foreign powers as defined in 50 U.S.C. 1801.
Private Entity:
NCPAA: A nonfederal entity that is an individual, nonfederal government utility or “an entity performing utility services,” or private group, organization, proprietorship, partnership, trust, cooperative, corporation, or other commercial or nonprofit entity, including personnel.
PCNA: A person, nonfederal government utility, or [Identical to NCPAA] including personnel, but not including a foreign power as defined in 50 U.S.C. 1801.
Real Time: Automated, machine-to-machine system processing of cyber threat indicators where the occurrence and “reporting or recording” of an event are “as simultaneous as technologically and operationally practicable.”
Security Control:
NCPAA: The management, operational, and technical controls used to protect an information system and the information stored on, processed by, or transiting it against unauthorized attempts to adversely affect their confidentiality, integrity, or availability.
PCNA: The management, operational, and technical controls used to protect an information system and its information against unauthorized attempts to adversely impact their confidentiality, integrity, or availability.
Security Vulnerability: “Any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.”
Sharing: “Providing, receiving, and disseminating.”

Tribal: As in 25 U.S.C. 450b.
(b) Amendment

Specifies tribal governments, private entities, and ISACs as

appropriate members of the NCCIC in DHS.
NCPAA: Sec. 203. Information Sharing Structure and Processes
PCNA: Sec. 102. Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government With Non-federal Entities

(a) In General
NCPAA: Amends Sec. 226 of the HSA.
PCNA: Amends Title I of the National Security Act of 1947 by adding a new section.

‘Sec. 111. Sharing of Cyber Threat Indicators and
Defensive Measures by the Federal Government With
Non-Federal Entities’


‘(a) Sharing by the Federal Government’
NCPAA: (1) revises the functions of the NCCIC by specifying that it is the “lead” federal civilian interface for information sharing, adding “cyber threat indicators” and “defensive measures” to the subjects it addresses, and expanding its functions to include
- providing information and recommendations on information sharing,
- in consultation with other appropriate agencies, collaborating with international partners, including on enhancing “the security and resilience of the global cybersecurity ecosystem,” and
- sharing “cyber threat indicators, defensive measures,” and information on cybersecurity risks and incidents with federal and nonfederal entities, including across critical-infrastructure (CI) sectors and with fusion centers. [Note: See also the provisions on the CTIIC in PCNA, p. 12.]
- notify the Secretary, the HSC, and the HSGAC of significant violations of privacy and civil liberties protections under ‘Sec. 226(i)(6),’
- promptly notifying nonfederal entities that have shared information known to be in error or in contravention to section requirements,
- participating in DHS-run exercises, and
PCNA: ‘(1)’ requires the DNI, in consultation with the heads of appropriate federal entities, to develop and promulgate procedures consistent with protection of classified information, intelligence sources and methods, and privacy and civil liberties, for timely sharing of classified cyber threat indicators and declassified indicators with relevant nonfederal entities, and sharing of information about imminent or ongoing cybersecurity threats to such entities to prevent and mitigate adverse impacts.
PCNA: ‘(2)’ requires that procedures for sharing developed by the DNI include methods to notify nonfederal entities that have received information from a federal entity under the title and known to be in error or in contravention to title requirements or other federal law or policy.
PCNA: Requires that the procedures incorporate existing information-sharing mechanisms of federal and nonfederal entities, including ISACs, as much as possible, and include methods to promote efficient granting of security clearances to appropriate representatives of nonfederal entities.
NCPAA: (2) expands NCCIC membership to include the following [Note: all are existing entities]:
- an entity that collaborates with state and local governments on risks and incidents and has a voluntary information sharing relationship with the NCCIC,
- the US-CERT for collaboratively addressing, responding to, providing technical assistance upon request on, and coordinating information about and timely sharing of threat indicators, defensive measures, analysis, or information about cybersecurity risks and incidents,
- the ICS-CERT to coordinate with ICS owners and operators, provide training on ICS cybersecurity, timely share information about indicators, defensive measures, or cybersecurity risks and incidents of ICS, and remain current on ICS technology advances and best practices,
- the “National Coordinating Center for Communications to coordinate the protection, response, and recovery of emergency communications,” and
- “an entity that coordinates with small and medium-sized businesses.”
NCPAA: (3) adds “cyber threat indicators” and “defensive measures” to the subjects covered in the principles of operation of the NCCIC,

Sec. 103. Authorizations for Preventing, Detecting,
Analyzing, and Mitigating Cybersecurity Threats


(f) Small Business Participation
NCPAA: Requires that information be shared as appropriate with small and medium-sized businesses and that the NCCIC make self-assessment tools available to them,
PCNA: Requires the Small Business Administration to assist small businesses and financial institutions in monitoring, defensive measures, and sharing information under the section.
Requires a report with recommendations by the administrator to the President within one year of enactment on sharing by those institutions and use of shared information for network defense.
Requires federal outreach to those institutions to encourage them to exercise the authorities provided under the section.
NCPAA: Specifies that information be guarded against disclosure.
Stipulates that the NCCIC must work with the DHS CPO to ensure that the NCCIC follows privacy and civil liberties policies and procedures under ‘Sec. 226(i)(6)’;
(4) adds new subsections to Sec. 226 of the HSA:

‘(g) Rapid Automated Sharing’

NCPAA: ‘(1)’ requires the DHS U/S-CIP to develop capabilities, in coordination with stakeholders and based as appropriate on existing standards and approaches in the information technology industry, that support and advance automated and timely sharing of threat indicators and defensive measures to and from the NCCIC and with SSAs for each CI sector in accordance with ‘Sec. 226(h).’
PCNA: ‘Sec. 111(a)(2)’ requires that the procedures ensure the capability of real-time sharing consistent with protection of classified information. [Note: ‘Sec. 111(b)(2)’ requires procedures to ensure such sharing—see p. 12.]
NCPAA: ‘(2)’ requires the U/S-CIP to report to Congress twice per year on the status and progress of that capability until it is fully implemented.
NCPAA: ‘(h) Sector Specific Agencies’
Requires the Secretary to collaborate with relevant CI sectors and heads of appropriate federal agencies to recognize each CI SSA designated as of March 25, 2015, in the DHS National Infrastructure Protection Plan. Designates the Secretary as SSA head for each sector for which DHS is the SSA. Requires the Secretary to coordinate with relevant SSAs to
- support CI sector security and resilience activities,
- provide knowledge, expertise, and assistance on request, and
- support timely sharing of threat indicators and defensive measures with the NCCIC.

PCNA: [Note: For other provisions of ‘Sec. 111(a)(2)’, see pp. 10 and 19.]
PCNA: ‘(b) Definitions’
Defines the following terms by reference to Sec. 110 of the title: Appropriate Federal Entities, Cyber Threat Indicator, Defensive Measure, Federal Entity, and Non-Federal Entity.

(b) Submittal to Congress

Requires that the procedures developed by the DNI be
submitted to Congress within 90 days of enactment of the
title.

(c) Table of Contents Amendment

Revises the table of contents of the National Security Act of
1947 to reflect the addition of ‘Sec. 111’.

Sec. 104. Sharing of Cyber Threat Indicators and Defensive Measures With Appropriate Federal Entities Other Than the Department of Defense or the National Security Agency

(a) Requirement for Policies and Procedures
(1) Adds new subsections to ‘Sec. 111’ of the National Security Act of 1947
NCPAA: ‘(i) Voluntary Information Sharing Procedures’
PCNA: ‘(b) Policies and Procedures for Sharing with the Appropriate Federal Entities Other Than the Department of Defense or the National Security Agency’

NCPAA: ‘(1)’ permits voluntary information-sharing relationships for cybersecurity purposes between the NCCIC and nonfederal entities but prohibits requiring such an agreement.
Permits the NCCIC, at the sole and unreviewable discretion of the Secretary, acting through the U/S-CIP, to terminate an agreement for repeated, intentional violation of the terms of ‘(i).’
Permits the Secretary, solely and unreviewably and acting through the U/S-CIP, to deny an agreement for national security reasons.
‘(2)’ permits the relationship to be established through a standard agreement for nonfederal entities not requiring specific terms.
Stipulates negotiated agreements with DHS upon request of a nonfederal entity where NCCIC has determined that they are appropriate, and at the sole and unreviewable discretion of the Secretary, acting through the U/S-CIP.

Stipulates that any agreement in effect prior to enactment of the title will be deemed in compliance with requirements in ‘(i).’ Requires that those agreements include “relevant privacy protections as in effect” under the CRADA for Cybersecurity Information Sharing and Collaboration, as of December 31st 2014.”
Also stipulates that an agreement is not required for an entity to be in compliance with ‘(i).’
PCNA: ‘(1)’ requires the President to develop and submit to Congress policies and procedures for federal receipt of cyber threat indicators and defensive measures.
‘(2)’ requires that they be developed in accordance with the privacy and civil liberties guidelines under Sec. 104(b) of the title, and ensure
- real-time sharing of indicators from nonfederal entities with appropriate federal entities except DOD,
- receipt without delay except for good cause, and
- provision to all relevant federal entities,
- audit capability, and
- appropriate sanctions for federal personnel who knowingly and willfully use shared information other than in accordance with the title.
(2) requires that an interim version of the policies and procedures be submitted to Congress within 90 days of enactment of the title, and the final version within 180 days.

(c) National Cyber Threat Intelligence Integration
Center

(1) Adds a new section to the National Security Act of 1947.

‘Sec. 119B. Cyber Threat Intelligence Integration Center’

‘(a) Establishment’

Establishes the CTIIC within the ODNI.
‘(b) Director’

Creates a director for the CTIIC, to be appointed by the DNI.

‘(c) Primary Missions’

Specifies the missions of the CTIIC with respect to
cyberthreat intelligence as
- serving as the primary federal organization for analyzing and
integrating it,
- ensuring full access and support of appropriate agencies to
activities and analysis,
- disseminating analysis to the President, appropriate agencies,
and Congress,
- coordinating agency activities, and
- conducting strategic federal planning.
‘(d) Limitations’

Requires that the CTIIC
- have no more than 50 permanent positions,
- may not augment staff above that limit in carrying out its
primary missions, and
- be located in a building owned and operated by an element
of the IC,
(4) revises the table of contents of the National Security Act
of 1947.
NCPAA: ‘(3) Information Sharing Authorization’
PCNA: Sec. 103(c) Authorization for Sharing or Receiving Cyber Threat Indicators or Defensive Measures

NCPAA: Permits nonfederal entities to share, for cybersecurity purposes, cyber threat indicators, and defensive measures, from their own information systems or those of other entities upon written consent, with other nonfederal entities or the NCCIC, notwithstanding any other provision of law, except that recipients must comply with lawful restrictions on sharing and use imposed by the source.
PCNA: (1) permits nonfederal entities to share, for cybersecurity purposes and consistent with privacy requirements under (d)(2) and protection of classified information, lawfully obtained cyber threat indicators or defensive measures with other nonfederal entities or appropriate federal entities except DOD, (1,2) [Similar to NCPAA].

PCNA: (d) Protection and Use of Information
NCPAA: Requires reasonable efforts by nonfederal and federal entities, prior to sharing, to safeguard personally identifying information from unintended disclosure or unauthorized access or acquisition and remove or exclude such information where it is reasonably believed when it is shared to be unrelated to a cybersecurity risk or incident.
PCNA: (2) requires reasonable efforts by nonfederal entities, before sharing a threat indicator, to remove information reasonably believed to be personal or personally identifying of a specific person not directly related to a cybersecurity threat, or implement a technical capability for removing such information.

Sec. 109. Construction and Preemption

(f) Information Sharing Relationships
Stipulates that nothing in ‘(3)’
Stipulates that nothing in the title
- limits or modifies an existing information sharing
- (1) limits or modifies an existing information sharing
relationship or prohibits or requires a new one,
relationship or (2) prohibits or requires a new one,

Sec. 103(c)(3) stipulates that nothing in (c)
- authorizes information sharing other than as provided in (c),
- permits unauthorized sharing of classified information,
- authorizes federal surveillance of any person,
- prohibits a federal entity, at the request of a nonfederal
entity, from technical discussion of threat indicators and
defensive measures and assistance with vulnerabilities and
threat mitigation,
- prohibits otherwise lawful sharing by a nonfederal entity of
indicators or defensive measures with DOD, or
- limits otherwise lawful activity, or
[Similar to NCPAA]
- impacts or modifies existing procedures for reporting
criminal activity to appropriate law enforcement authorities,
or participating in an investigation.
Requires the U/S-CIP to coordinate with stakeholders to

develop and implement policies and procedures to coordinate
disclosures of vulnerabilities as practicable and consistent
with relevant international industry standards.
NCPAA: ‘(4) Network Awareness Authorization’
PCNA: (a) Authorization for Private-Sector Defensive Monitoring

NCPAA: Permits nonfederal, nongovernment entities, notwithstanding any other provision of law, to conduct network awareness, for cybersecurity purposes and to protect rights or property, of
PCNA: (1) permits private entities, notwithstanding any other provision of law, to monitor, for cybersecurity purposes,
NCPAA: - its own information systems,
PCNA: [Similar to NCPAA],
NCPAA: - with written consent, information systems of a nonfederal or federal entity, or
PCNA: [Similar to NCPAA], or
NCPAA: - the contents of such systems.
PCNA: [Similar to NCPAA].
NCPAA: Stipulates that nothing in ‘(4)’
PCNA: (2) stipulates that nothing in (a)
NCPAA: - authorizes network awareness other than as provided in the section, or
PCNA: - authorizes monitoring other than as provided in the title,
NCPAA: - limits otherwise lawful activity.
PCNA: [Similar to NCPAA] or
PCNA: - authorizes federal surveillance of any person.
NCPAA: ‘(5) Defensive Measure Authorization’
PCNA: (b) Authorization for Operation of Defensive Measures

NCPAA: Permits nonfederal, nongovernment entities to operate defensive measures, for cybersecurity purposes and to protect rights or property, that are applied to
PCNA: (1) permits private entities to operate defensive measures, for a cybersecurity purpose and to protect rights or property, that are operated on
NCPAA: - its own information systems,
PCNA: [Similar to NCPAA], or
NCPAA: - with written consent, information systems of a nonfederal or federal entity, or
PCNA: with written authorization, information systems of a nonfederal or federal entity, or
NCPAA: - the contents of such systems,
NCPAA: notwithstanding any other provision of law, except that measures may not be used except as authorized in the section, and ‘(5)’ does not limit otherwise lawful activity.
PCNA: (1) notwithstanding any other provision of law, except that (3) measures may not be used except as authorized in (b), and (b) does not limit otherwise lawful activity.
NCPAA: [No Corresponding Provision; however, the definition of defensive measure in Sec. 202(a) includes a similar restriction; see p. 8.]
PCNA: (2) stipulates that (1) does not authorize operation of defensive measures that destroy, render wholly or partly unusable or inaccessible, or substantially harm an information system or its contents not owned by either the private entity operating the measure or a nonfederal or federal entity that provided written authorization to that private entity.

PCNA: (e) No Right or Benefit
Stipulates that sharing of indicators with a nonfederal entity creates no right or benefit to similar information by any nonfederal entity.
NCPAA: ‘(6) Privacy and Civil Liberties Protections’
PCNA: Sec. 104(b) Privacy and Civil Liberties

NCPAA: Requires the U/S-CIP, in coordination with the DHS CPO and Chief Civil Rights and Civil Liberties Officer, to establish and review annually policies and procedures on information shared with the NCCIC under the section.
PCNA: (1) requires the AG, in consultation with appropriate federal agency heads and agency privacy and civil liberties officers, to develop and review periodically guidelines on privacy and civil liberties to govern federal handling of cyber threat indicators obtained through the title’s provisions.

NCPAA: Requires that they apply only to DHS, consistent with the need for timely protection of information systems from and mitigation of cybersecurity risks and incidents, the policies and procedures
PCNA: (2) requires that, consistent with the need for protection of information systems and threat mitigation, the guidelines
NCPAA: - be consistent with DHS FIPPs,
PCNA: - be consistent with FIPPs in the White House National Strategy for Trusted Identities in Cyberspace [Note: The two versions of the principles are identical, except that the DHS version applies the principles to DHS whereas the White House document applies them to “organizations”],
NCPAA: - “reasonably limit, to the extent practicable, receipt, retention, use, and disclosure of cybersecurity threat indicators and defensive measures associated with specific persons” not needed for timely protection of systems and networks,
PCNA: - limit receipt, retention, use, and dissemination of cybersecurity threat indicators containing personal information of or identifying specific persons, including by establishing processes for prompt destruction of information known not to be directly related to uses for cybersecurity purposes, setting limitations on retention of indicators, and notifying recipients that indicators may be used only for cybersecurity purposes,
NCPAA: - minimize impacts on privacy and civil liberties,
PCNA: - limit impacts on privacy and civil liberties of federal activities under the title, including guidelines for removal of personal and personally identifying information handled by federal entities under the title,
NCPAA: - provide data integrity through prompt removal and destruction of obsolete or erroneous personal information unrelated to the information shared and retained by the NCCIC in accordance with this section,
NCPAA: - include requirements to safeguard from unauthorized access or acquisition cyber threat indicators and defensive measures retained by the NCCIC, identifying specific persons, including proprietary or business-sensitive information,
PCNA: - include requirements to safeguard from unauthorized access or acquisition cyber threat indicators containing personal information of or identifying specific persons,
NCPAA: - protect the confidentiality of cyber threat indicators and defensive measures associated with specific persons, to the greatest extent practicable,
NCPAA: - ensure that relevant constitutional, legal, and privacy protections are observed.
PCNA: - be consistent with other applicable provisions of law,
PCNA: - include procedures to notify entities if a federal entity receiving information knows that it is not a cyber threat indicator,
PCNA: - include steps to ensure that dissemination of indicators is consistent with the protection of classified and other sensitive national security information.
NCPAA: Stipulates that the U/S-CIP may consult with NIST in developing the policies and procedures.
NCPAA: Requires the DHS CPO and the Officer for Civil Rights and Civil Liberties, in consultation with the PCLOB, to submit to appropriate congressional committees the policies and procedures within 180 days of enactment and annually thereafter.
PCNA: (3) requires the AG to submit to Congress interim guidelines within 90 days of enactment and final guidelines within 180 days.
NCPAA: Requires the U/S-CIP, in consultation with the PCLOB and the DHS CPO and Chief Civil Rights and Civil Liberties Officer, to ensure public notice of and access to the policies and procedures.
NCPAA: Requires the DHS CPO to
- monitor implementation of the policies and procedures,
- submit to Congress an annual review on their effectiveness,
- work with the U/S-CIP to carry out provisions in ‘(c)’ on notification about violations of privacy and civil liberties policies and procedures and about information that is erroneous or in contravention of section requirements,
- regularly review and update impact assessments as appropriate to ensure that all relevant protections are followed, and
- ensure appropriate sanctions for DHS personnel who knowingly and willfully conduct unauthorized activities under the section.
PCNA: (2) requires that the AG’s guidelines include appropriate sanctions for federal activities in contravention of them. [Note: The provision does not specify whether these sanctions are limited to violation of requirements for safeguarding information or the guidelines as a whole.],

Sec. 107. Oversight of Government Activities

(b) Reports on Privacy and Civil Liberties.
NCPAA: Requires the DHS IG, in consultation with the PCLOB and IGs of other agencies receiving shared indicators or defensive measures from the NCCIC, to submit a report to HSC and HSGAC within two years of enactment and periodically thereafter reviewing such information, including
PCNA: (2) requires the IGs of DHS, the IC, DOJ, and DOD, in consultation with the IG Council, to jointly submit a report to Congress within two years of enactment and biennially thereafter, on
NCPAA: - receipt, use, and dissemination of cybersecurity indicators and defensive measures shared with federal entities under the section,
PCNA: - receipt, use, and dissemination of cybersecurity indicators and defensive measures shared with federal entities under the title,
NCPAA: - information on NCCIC use of such information for purposes other than cybersecurity,
NCPAA: - types of information shared with the NCCIC,
PCNA: - types of indicators shared with federal entities,
NCPAA: - actions taken by NCCIC based on shared information;
PCNA: - actions taken by federal entities as a result of receiving shared indicators,
NCPAA: - metrics to determine impacts of sharing on privacy and civil liberties,
NCPAA: - a list of federal agencies receiving the information,
PCNA: - a list of federal entities receiving the indicators,
NCPAA: - review of sharing of information within the federal government to identify inappropriate stovepiping of shared information, and
PCNA: - review of sharing of indicators among federal entities to identify inappropriate barriers to sharing information,
PCNA: - procedures for sharing information and removal of personal and identifying information, and incidents involving improper treatment of it, and
NCPAA: - recommendations for improvements or modifications to sharing under the section.
PCNA: - recommendations for improvements or modifications to authorities under the title.

PCNA: Requires that the reports be submitted in unclassified form but permits a classified annex.

PCNA: Requires public availability of unclassified parts of the reports.

PCNA: (1) adds a new paragraph to Sec. 1061(e) of the Intelligence Reform and Terrorism Prevention Act of 2004:
NCPAA: Requires the DHS CPO and Chief Civil Rights and Civil Liberties Officer, in consultation with the PCLOB, the DHS IG, and senior privacy and civil liberties officers of each federal agency receiving indicators or defensive measures shared with the NCCIC, to submit a biennial report to Congress assessing impacts on privacy and civil liberties of federal activities under ‘(6)’, including recommendations to minimize or mitigate such impacts.
PCNA: ‘(3)’ requires the PCLOB to submit a biennial report to Congress and the President assessing impacts of activities under the title on and sufficiency of policies, procedures, and guidelines in addressing concerns about privacy and civil liberties, including recommendations for improvements or modifications to authorities under the title.

PCNA: Requires that the reports be submitted in unclassified form but permits a classified annex.

PCNA: Requires public availability of unclassified parts of the reports.

(a) Biennial Report on Implementation

(I) Adds to ‘Sec. 111’ of the National Security Act

‘(c) Biennial Report on Implementation’

‘(1)’ requires the DNI to submit a report to Congress on
implementation of the title, (2) within one year of enactment
and ‘(1)’ at least biennially thereafter, ‘(2)’ including

- review of types of indicators shared with the federal
government,

- the degree to which such information may impact privacy
and civil liberties of specific persons, along with quantitative
and qualitative assessment of such impacts and adequacy of
federal efforts to reduce them,

- assessment of sufficiency of policies, procedures, and
guidelines to ensure effective and responsible sharing under
Sec. 4 [sic] of PCNA,

- sufficiency of procedures under Sec. 3 [sic] for timely
sharing, [Note: References ‘Sec. 111(a)(1)’ as added by the
title; see p. 10],

- appropriateness of classification of indicators and accounting
of security clearances authorized,

- federal actions taken based on shared indicators, including
appropriateness of subsequent use or dissemination under
the title,

- description of any significant federal violations of the
requirements of the title, including assessments of all reports
of federal personnel misusing information provided under the
title and all disciplinary actions taken, and

- a summary of the number and types of nonfederal entities
receiving classified indicators from the federal government
and evaluation of risks and benefits of such sharing.

- assessment of personal or personally identifying information
not directly related to a threat that was shared by a
nonfederal entity with the federal government in
contravention to Sec. 3(d)(2) or within the government in
contravention of Sec. 4(b) guidelines. [Note: Intended
reference presumably to Sec. 103 and 104 respectively.]

‘(3)’ permits reports to include recommendations for
improvements or modifications to authorities and processes
under the title.

‘(4)’ requires that the reports be submitted in unclassified
form but permits a classified annex.
‘(5)’ requires public availability of unclassified parts of the
reports.
‘(7) Uses and Protection of Information’
Sec. 103. Authorizations for Preventing, Detecting,
Analyzing, and Mitigating Cybersecurity Threats


(d) Protection and Use of Information
[Nonfederal Entities]

NCPAA: Permits a nonfederal, nongovernment entity that shares indicators or defensive measures with the NCCIC to use, retain, or disclose indicators and defensive measures, solely for cybersecurity purposes.
PCNA: (3) permits a nonfederal entity [Note: including government entities], for a cybersecurity purpose, to use indicators or defensive measure shared or received under (d) to monitor or operate a defensive measure on its own information systems or those of other nonfederal or federal entities upon written authorization from them, with
NCPAA: Requires reasonable efforts prior to sharing to safeguard personally identifying information from unintended disclosure and unauthorized access or acquisition, and remove or exclude such information where it is reasonably believed when shared to be unrelated to a cybersecurity risk or incident.
PCNA: [See (2), p. 13, describing requirements for removal of personal information].
NCPAA: Requires compliance with appropriate restrictions on subsequent disclosure or retention placed by a federal or nonfederal entity on indicators or defensive measures disclosed to other entities.
PCNA: further use, retention, or sharing subject to lawful restrictions by the sharing entity or otherwise applicable provisions of law.
NCPAA: Stipulates that the information shall be deemed voluntarily shared.
NCPAA: Requires implementation and utilization of security controls to protect against unauthorized access or acquisition.
PCNA: (1) requires implementation of appropriate security controls to protect against unauthorized access or acquisition. [Note: Also applies to nonfederal government entities.]
NCPAA: Prohibits use of such information to gain an unfair competitive advantage.
[Federal Entities]
Sec. 104(d) Information Shared with or Provided to
the Federal Government

Permits federal entities receiving indicators or defensive
(5) permits federal entities or personnel receiving indicators
measures from the NCCIC or otherwise under the section
or defensive measures under the title to, consistent with
to use, retain, or further disclose it solely for
otherwise applicable provisions of federal law, use, retain, or
disclose it solely for
cybersecurity purposes.
a cybersecurity purpose,
[Note: Sec. 216 (see p. 28) permits use of information
responding to, investigating, prosecuting, or otherwise
obtained from federal systems for investigating, prosecuting,
preventing or mitigating
disrupting, or otherwise responding to
imminent threats of death or serious bodily harm
threats of death or serious bodily harm or offenses arising
out of such threats,
serious threats to minors, including sexual exploitation or
serious threats to minors, including sexual exploitation and
threats to physical safety, and
threats to physical safety, and
violations of 18 U.S.C. 1030 [computer fraud], or
- preventing, investigating, disrupting, or prosecuting offenses
listed in 18 U.S.C. 1028-30, 3559(c)(2)(F), and Ch. 37 and 90
[computer fraud and identity theft, espionage and censorship,
protection of trade secrets, and serious violent felonies].
attempts or conspiracy to commit the above offenses.]


PCNA: Prohibits federal disclosure, retention, or use for any purpose
not permitted under (5).

NCPAA: Requires reasonable efforts prior to sharing to safeguard
personally identifying information from unintended disclosure
and unauthorized access or acquisition, and remove or
exclude such information where it is reasonably believed
when shared to be unrelated to a cybersecurity risk or
incident.
PCNA: Stipulates that the policies, procedures, and guidelines in (a)
[on provision of information to the federal government] and
(b) [on privacy and civil liberties] of the title apply to such
information.
‘Sec. 111(a)(2)’ requires that procedures for sharing
developed include methods for federal entities to assess,
prior to sharing, whether an indicator contains information
known to be personal or personally identifying of a specific
person and to remove such information, or to implement a
technical capability to remove or exclude such information.

NCPAA: Stipulates that the indicators and defensive measures shall be
deemed voluntarily shared.
PCNA: Sec. 104(d)(3) stipulates that the information shall be
deemed voluntarily shared.

NCPAA: Requires implementation and utilization of security controls
to protect against unauthorized access or acquisition.
PCNA: ‘Sec. 111(a)(2)’ requires that procedures for sharing
developed by the DNI include requirements for federal
entities to implement security controls to protect against
unauthorized access to or acquisition of shared information.

PCNA: Sec. 109(a) Prohibition of Surveillance

NCPAA: Prohibits use in surveillance or collection activities to track an
individual’s personally identifiable information except as
authorized in the section.
PCNA: Stipulates that the title does not authorize DOD or any
element of the IC to target a person for surveillance.

NCPAA: Stipulates that the information is exempt from disclosure
under 5 U.S.C. 552 [the Freedom of Information Act (FOIA)]
or nonfederal disclosure laws and withheld, without
discretion, from the public under 5 U.S.C. 552(3)(B).
PCNA: Sec. 104(d)(3) [Similar to NCPAA], and
under nonfederal disclosure laws, except for those requiring
disclosure in criminal prosecutions.

NCPAA: Prohibits federal use for regulatory purposes.
PCNA: [Note: No specific corresponding prohibition, but Sec.
104(d)(5) above prohibits federal disclosure, retention, or use
for any purpose other than those specified in the paragraph.]

NCPAA: Specifies that there is no waiver of applicable privilege or
protection under law, including trade-secret protection;
PCNA: (1) [Similar to NCPAA].

NCPAA: Requires that the information be considered the commercial,
financial, and proprietary information of the nonfederal entity
when so designated by it.
PCNA: (2) requires that, consistent with the title, the information be
considered the commercial, financial, and proprietary
information of the originating nonfederal source, when so
designated by such source or nonfederal entity acting with
written authorization from it.

NCPAA: Stipulates that the information is not subject to judicial
doctrine or rules of federal entities on ex-parte
communications.
PCNA: (4) [Similar to NCPAA]

NCPAA: [Nonfederal Government Entities]
PCNA: [Note: See also Nonfederal Entities, p. 18]

NCPAA: Permits state, local, and tribal government to
use, retain, or further disclose indicators or defensive
measures shared under the section solely for cybersecurity
purposes.
PCNA: Sec. 103(d)(4) permits state, local, and tribal government
entities
to use shared cyber threat indicators for cybersecurity
purposes,
responding to, prosecuting, or otherwise preventing or
mitigating threats of death or serious bodily harm or offenses
arising out of such threats, or
responding to serious threats to minors, including sexual
exploitation and threats to physical safety.

NCPAA: Requires reasonable efforts prior to sharing to safeguard
personally identifying information from unintended disclosure
and unauthorized access or acquisition, and remove or
exclude such information where it is reasonably believed
when shared to be unrelated to a cybersecurity risk or
incident.
PCNA: [See (2), p. 13, describing requirements for removal of
personal information].

NCPAA: Stipulates that the information be considered “commercial,
financial, and proprietary” if so designated by the provider.
PCNA: [Note: Sec. 103(d)(3) stipulates that further use, retention, or
sharing of information received by a nonfederal entity is
subject to lawful restrictions by the sharing entity or
otherwise applicable provisions of law. See Nonfederal
Entities, p. 18.]

NCPAA: Stipulates that the indicators and defensive measures shall be
deemed voluntarily shared.
PCNA: Stipulates that such shared indicators or defensive measures
be deemed voluntarily shared and exempt from disclosure,
and

NCPAA: Requires implementation and utilization of security controls
to protect against unauthorized access or acquisition.
PCNA: (1) requires implementation of appropriate security controls
to protect against unauthorized access or acquisition. [Note:
Also applies to nonfederal nongovernment entities.]

NCPAA: Exempts the information from disclosure under nonfederal
disclosure laws or regulations.
PCNA: Exempts the information from disclosure under nonfederal
disclosure laws or regulations, except as required in criminal
prosecutions.

NCPAA: Prohibits use for regulation of lawful activities of nonfederal
entities.

NCPAA: ‘(8) Liability Exemptions’
PCNA: Sec. 106. Protection from Liability

PCNA: (a) Monitoring of Information Systems

NCPAA: States that “no cause of action shall lie or be maintained in
any court” against nonfederal, nongovernment entities for
conducting network awareness under ‘(4)’ in accordance with
the section or
PCNA: States that “no cause of action shall lie or be maintained in
any court” against private entities for monitoring information
systems under Sec. 103(a) conducted in accordance with the
title or

PCNA: (b) Sharing or Receipt of Cyber Threat Indicators

NCPAA: for sharing indicators or defensive measures under ‘(3),’ or a
good-faith failure to act if sharing is done in accordance with
the section.
PCNA: for information sharing under Sec. 103(c) in accordance with
the title, or a good-faith failure to act if sharing is done in
accordance with the title.

PCNA: (c) Willful Misconduct

NCPAA: Stipulates that nothing in the section
- requires dismissal of a cause of action against a nonfederal,
nongovernment entity that engages in willful misconduct in
the course of activities under the section.
PCNA: (1) stipulates that nothing in the section
- requires dismissal of a cause of action against a nonfederal
entity that engages in willful misconduct in the course of
activities under the title, or

NCPAA: - undermines or limits availability of otherwise applicable
common law or statutory defenses.
PCNA: [Identical to NCPAA]

NCPAA: Establishes the burden of proof as clear and convincing
evidence from the plaintiff of injury-causing gross negligence
or willful misconduct,
PCNA: (2) [Similar to NCPAA]

NCPAA: Defines willful misconduct as an act or omission taken
intentionally to achieve a wrongful purpose, knowingly
without justification, and in disregard of risk of highly
probable harm that outweighs any benefit.
PCNA: (3) [Similar to NCPAA].

NCPAA: ‘(9) Federal Government Liability for Violations of
Restrictions on the Use and Protection of Voluntarily
Shared Information’
PCNA: Sec. 105. Federal Government Liability for Violations
of Privacy or Civil Liberties

PCNA: (a) In General

NCPAA: Makes the federal government liable to injured persons for
intentional or willful violation of restrictions on federal
disclosure and use under ‘Sec. 226’, with minimum damages
of $1,000 plus
PCNA: Makes the federal government liable to injured persons for
intentional or willful violation of privacy and civil liberties
guidelines under Sec. 104(b), with minimum damages of
$1,000 plus

NCPAA: reasonable attorney fees as determined by the court and
other reasonable litigation costs in any case under (a) where
“the complainant has substantially prevailed.”
PCNA: [Identical to NCPAA]

PCNA: (b) Venue

NCPAA: Stipulates the federal district courts where the case may be
brought as the one in which the complainant resides or the
principal place of business is located, the District of
Columbia, or
PCNA: [Identical to NCPAA]

NCPAA: where the federal department or agency that disclosed the
information is located.
PCNA: where the federal department or agency that violated the
guidelines is located.

PCNA: (c) Statute of Limitations

NCPAA: Sets the statute of limitations under ‘(i)’ at two years from
the date on which the cause of action arises.
PCNA: Sets the statute of limitations under Sec. 105 at two years
from the date on which the cause of action arises.

PCNA: (d) Exclusive Cause of Action.

NCPAA: Sets action under ‘(i)’ as the exclusive remedy for violation of
restrictions under ‘(i)(3),’ ‘(i)(6),’ or ‘(i)(7)(B)’.
PCNA: Sets action under (d) as the exclusive remedy for federal
violations under the title.

NCPAA: ‘(10) Anti-Trust Exemption’

NCPAA: Exempts nonfederal entities from violation of antitrust laws
for sharing indicators or defensive measures or providing
assistance for cybersecurity purposes, provided that the
action is taken to assist with preventing, investigating, or
mitigating a cybersecurity risk or incident.

NCPAA: ‘(11) Construction and Preemption’
PCNA: Sec. 109(b) Otherwise Lawful Disclosures

NCPAA: Stipulates that the section does not limit or prohibit
otherwise lawful disclosures or participation in an
investigation by a nonfederal entity of information to any
other federal or nonfederal entity.
PCNA: Stipulates that the title does not limit or prohibit otherwise
lawful disclosures by a nonfederal entity of information to any
other federal or nonfederal entity, or
any otherwise lawful use by a federal entity, whether or not
the disclosures duplicate those made under the title.

PCNA: (c) Whistle Blower Protections

NCPAA: Stipulates that the section does not prohibit or limit
disclosures protected under 5 U.S.C. 2302(b)(8), 5 U.S.C.
7211, 10 U.S.C. 1034, 50 U.S.C. 3234, or similar provisions of
federal or state law.
PCNA: Stipulates that the title does not prohibit or limit disclosures
protected under 5 U.S.C. 2302(b)(8), 5 U.S.C. 7211, 10
U.S.C. 1034, or similar provisions of federal or state law.

PCNA: (e) Relationship to Other Laws

NCPAA: Stipulates that the section does not affect any requirements
under other provisions of law for nonfederal entities
providing information to federal entities.
PCNA: Stipulates that the title does not affect any requirements
under other provisions of law for nonfederal entities
providing information to federal entities.

PCNA: (g) Preservation of Contractual Obligations and
Rights

NCPAA: Stipulates that the section does not change contractual
relationships between nonfederal entities or them and federal
entities or abrogate trade-secret or intellectual property
rights.
PCNA: Stipulates that the title does not change contractual
relationships between nonfederal entities or them and federal
entities, or abrogate trade-secret or intellectual property
rights.

PCNA: (h) Anti-Tasking Restriction

NCPAA: Stipulates that the section does not permit the federal
government to require nonfederal entities to provide it with
information, or
condition sharing of indicators or defensive measures on
provision by such entities of indicators or defensive measures,
or
condition award of grants, contracts, or purchases on such
provision.
PCNA: Stipulates that the title does not permit the federal
government to require nonfederal entities to provide it with
information, or
condition sharing of indicators on provision of indicators, or
condition award of grants, contracts, or purchases on such
provision.

PCNA: (i) No Liability for Non-Participation

NCPAA: Stipulates that the section does not create liabilities for any
nonfederal entities that choose not to engage in the voluntary
activities authorized in the section.
PCNA: Stipulates that the title does not create liabilities for any
nonfederal entities that choose not to engage in a voluntary
activity authorized in the title.

PCNA: (j) Use and Retention of Information

NCPAA: Stipulates that the section does not authorize or modify
existing federal authority to retain and use information shared
under the title for uses other than those permitted under the
section.
PCNA: Stipulates that the title does not authorize or modify existing
federal authority to retain and use information shared under
the title for uses other than those permitted under the title.

NCPAA: Stipulates that the section does not restrict or condition
sharing for cybersecurity purposes among nonfederal entities
or require sharing by them with the NCCIC.

NCPAA: Stipulates that nothing in the bill “shall be construed to
permit price-fixing, allocating a market between competitors,
monopolizing or attempting to monopolize a market,
boycotting, or exchanges of price or cost information,
customer lists, or information regarding future competitive
planning.”

PCNA: (k) Federal Preemption

NCPAA: Specifies that the section supersedes state and local laws
relating to its provisions.
PCNA: (1) specifies that the title supersedes state and local laws
relating to its provisions.

PCNA: (2) stipulates that the title does not supersede state and local
laws on use of authorized law enforcement practices and
procedures.

PCNA: (3) stipulates that, except with respect to exemption from
disclosure under Sec. 103(b)(4), the title does not supersede
state and local law on private entities performing utility
services except to the extent that they restrict activities
under the title.

NCPAA: Requires the Secretary to develop policies and procedures
for direct reporting by the NCCIC Director of significant
risks and incidents.

NCPAA: Requires the Secretary to build on existing mechanisms to
promote public awareness about the importance of securing
information systems.

NCPAA: Requires a report from the Secretary within 180 days of
enactment to HSC and HSGAC on efforts to bolster
collaboration on cybersecurity with international partners.

NCPAA: Requires the Secretary, within 60 days of enactment, to
publicly disseminate information about ways of sharing
information with the NCCIC, including enhanced outreach to
CI owners and operators.

PCNA: (d) Protection of Sources and Methods

PCNA: Stipulates that the title does not affect federal enforcement
actions on classified information or conduct of authorized
law-enforcement or intelligence activities, or modify the
authority of the President or federal entities to protect and
control dissemination of classified information, intelligence
sources and methods, and U.S. national security.

Sec. 204. Information Sharing and Analysis
Organizations

Amends Sec. 212 of the HSA to

(1) broaden the functions of ISAOs to include cybersecurity
risk and incident information beyond that relating to critical
infrastructure, and

(2) add by reference the definitions of cybersecurity risk and
incident in 6 U.S.C. 148(a).

Sec. 205. Streamlining of Department of Homeland
Security Cybersecurity and Infrastructure Protection
Organization

(a) Cybersecurity and Infrastructure Protection
Directorate

Renames the DHS National Protection and Programs
Directorate as the Cybersecurity and Infrastructure
Protection. [Sic.]

(b) Senior Leadership of the Cybersecurity and
Infrastructure Protection Directorate

Provides a specific title for the undersecretary in charge of
critical infrastructure protection as U/S-CIP. Also adds two
deputy undersecretaries, one for cybersecurity and the other
for infrastructure protection. Does not require new
appointments for current officeholders and specifies that
appointment of the undersecretaries does not require Senate
confirmation.

(c) Report

Requires a report to HSC and HSGAC from the U/S-CIP
within 90 days of enactment on the feasibility of becoming an
operational component of DHS. If that is determined to be
the best option for mission fulfillment, requires submission of
a legislative proposal and implementation plan. Also requires
that the report include plans for more effective execution of
the cybersecurity mission, including expediting of information
sharing agreements.

Sec. 206. Cyber Incident Response Plans

(a) In General

Amends Sec. 227 of the HSA to change “Plan” to “Plans” in
the title, to specify the U/S-CIP as the responsible official, and
to add a new subsection:

‘(b) Updates to the Cyber Incident Annex to the
National Response Framework’

Requires the Secretary, in coordination with other agency
heads and in accordance with the National Cybersecurity
Incident Response Plan, to update, maintain, and exercise
regularly the Cyber Incident Annex to the DHS National
Response Framework.

(b) Clerical Amendment

Amends the table of contents of the act to reflect the title
change made by (a).

Sec. 207. Security and Resiliency of Public Safety
Communications; Cybersecurity Awareness
Campaign

(a) In General

Adds two new sections to the HSA:

‘Sec. 230. Security and Resiliency of Public Safety
Communications’

Requires the NCCIC to coordinate with the DHS Office of
Emergency Communications to assess information on
cybersecurity incidents involving public safety communications
to facilitate continuous improvement in those
communications.

‘Sec. 231. Cybersecurity Awareness Campaign’

‘(a) In General’

Requires the U/S-CIP to develop and implement an
awareness campaign on risks and best practices for mitigation
and response, including at a minimum public service
announcements and information on best practices that are
vendor- and technology-neutral.

‘(b) Consultation’

Requires consultation with a wide range of stakeholders.

‘Sec. 232. National Cybersecurity Preparedness
Consortium’

‘(a) In General’

Authorizes the Secretary to establish the National
Cybersecurity Preparedness Consortium to

‘(b) Functions’

- provide cybersecurity training to state and local first
responders and officials,
- establish a training curriculum for them using the DHS
Community Cyber Security Maturity Model,
- provide technical assistance for improving capabilities,
- conduct training and simulation exercises,
- coordinate with the NCCIC to help states and communities
develop information sharing programs, and
- coordinate with the National Domestic Preparedness
Consortium to incorporate cybersecurity into emergency
management functions.

‘(c) Members’

Stipulates that members be academic, nonprofit, and
government partners with prior experience conducting
cybersecurity training and exercises in support of homeland
security.

(b) Clerical Amendment

Amends the table of contents of the act to include the new
sections.

Sec. 208. Critical Infrastructure Protection Research
and Development

(a) Strategic Plan; Public-Private Consortiums

Adds a new section to the HSA:

‘Sec. 318. Research and Development Strategy for
Critical Infrastructure Protection’

‘(a) In General’

Requires the Secretary to submit to Congress within 180
days of enactment, and biennially thereafter, a strategic plan
to guide federal R&D in technology relating to both cyber-
and physical security for CI.

‘(b) Contents of Plan’

Requires the plan to include

- CI risks and technology gaps identified in consultation with
stakeholders and a resulting risk and gap analysis,
- prioritized needs based on that analysis, emphasizing
technologies to address rapidly evolving threats and
technology and including clearly defined roadmaps,
- facilities and capabilities required to meet those needs,
- current and planned programmatic initiatives to foster
technology advancement and deployment, including
collaborative opportunities, and
- progress on meeting plan requirements.

‘(c) Coordination’

Requires coordination between the DHS Under Secretaries
for Science and Technology and for the National Protection
and Programs Directorate. [Note: Sec. 205 renames the latter
position as the U/S-CIP.]

‘(d) Consultation’

Requires the Under Secretary for Science and Technology to
consult with CI Sector Coordinating Councils, heads of other
relevant federal agencies, and state, local, and tribal
governments as appropriate.

(b) Clerical Amendment

Amends the table of contents of the act to include the new
section.

Sec. 209. Report on Reducing Cybersecurity Risks in
DHS Data Centers

Requires a report to HSC and HSGAC within one year of
enactment on the feasibility of creating an environment within
DHS for reduction in cybersecurity risks in data centers,
including but not limited to increased compartmentalization
of systems with a mix of security controls among
compartments.

Sec. 108. Report on Cybersecurity Threats

(a) Report Required

Requires the DNI, in consultation with heads of other
appropriate elements of the IC, to submit within 180 days of
enactment a report to the House and Senate Intelligence
Committees on cybersecurity threats to the U.S. national
security and economy, including attacks, theft, and data
breaches.

(b) Contents

Requires that the report include

(1) assessments of current U.S. intelligence sharing and
cooperation relationships with other countries on such
threats directed against the United States and threatening
U.S. national security interests, the economy, and intellectual
property, identifying the utility of relationships, participation
by elements of the IC, and possible improvements,

(2) a list and assessment of countries and nonstate actors
constituting the primary sources of such threats,

(3) description of how much U.S. capabilities to respond to
or prevent such threats to the U.S. private sector are
degraded by delays in notification of the threats,

(4) assessment of additional technologies or capabilities that
would enhance the U.S. ability to prevent and respond to
such threats, and

(5) assessment of private-sector technologies or practices
that could be rapidly fielded to assist the IC in preventing and
responding to such threats.

(c) Form of Report

Requires that the report be unclassified, but may include a
classified annex.

(d) Public Availability of Report

Requires that the unclassified portion of the report be
publicly available.

(e) Intelligence Community Defined

Defines intelligence community as in 50 U.S.C. 3003.

Sec. 210. Assessment

Requires the Comptroller General, within two years of
enactment, to submit a report to HSC and HSGAC assessing
implementation of the title and, as practicable, findings on
increased sharing at NCCIC and throughout the United
States.

Sec. 211. Consultation

Requires a report from the U/S-CIP on “the feasibility of a
prioritization plan in the event of simultaneous multi-CI
incidents.

Sec. 212. Technical Assistance

Requires the DHS IG to review US-CERT and ICS-CERT
operations to assess their capacity for responding to current
and potentially increasing requests for technical assistance
from nonfederal entities.

NCPAA: Sec. 213. Prohibition on New Regulatory Authority
PCNA: Sec. 109(l) Regulatory Authority

NCPAA: Stipulates that the title does not grant DHS new authority to
promulgate regulations or set standards relating to
cybersecurity for nonfederal, nongovernmental entities.
PCNA: Stipulates that the title does not authorize (1) promulgation
of regulations or (2) establishment of regulatory authority
not specified by the title, or (3) duplicative or conflicting
regulatory actions.

Sec. 214 Sunset

Ends all requirements for reports in the title seven years after
enactment.

Sec. 215. Prohibition on New Funding

Stipulates that the title does not authorize additional funds
for implementation and must be carried out using available
amounts.

Sec. 216. Protection of Federal Information Systems

(a) In General

Adds a new section to the HSA.

‘Sec. 233. Available Protection of Federal Information
Systems’

‘(a) In General’

Requires the Secretary to make available to agencies
capabilities, including technologies for continuous diagnostics
and mitigation, for protecting federal information systems and
their contents from risks.

‘(b) Activities’

Authorizes the Secretary to

- access information on a system regardless of location, and
permits agency heads to disclose such information to the
Secretary or a private entity assisting the Secretary,
notwithstanding any other provision of law that would
otherwise restrict such disclosure,
- obtain assistance through agreements or otherwise from
private entities for implementing technologies under ‘(a),’
- use, retain, and disclose information obtained under this
section only to protect federal systems and their contents or,
with approval of the AG, to respond to
violations of 18 U.S.C. 1030 [on computer fraud and related
activities],
threats of death or serious bodily harm,
serious threats to minors, including sexual exploitation and
threats to physical safety, or
attempts or conspiracy to commit such offenses.

PCNA: [Note: Sec. 104(d)(5) has related provisions for information
shared with the federal government (see p. 19).]

‘(c) Conditions’

Requires that the agreements bar disclosure of identifying
information reasonably believed to be unrelated to a
cybersecurity risk except to DHS or the disclosing agency, or
use of information accessed under the section by a private
entity for any purpose other than protecting federal
information systems and their contents or administration of
the agreement.

‘(d) Limitation’

States that no cause of action shall lie against a private entity
for assistance provided in accordance with this section and an
agreement under ‘(b).’

(b) Clerical Amendment

Amends the table of contents of the act to include the new
section.

NCPAA: Sec. 217 Sunset
PCNA: Sec. 112 Sunset

NCPAA: Terminates the provisions in the title seven years after
enactment.
PCNA: [Identical to NCPAA]

Sec. 218. Report on Cybersecurity Vulnerabilities of
United States Ports

Requires a report with recommendations from the Secretary
to HSC, HSGAC, House Committee on Transportation and
Infrastructure, and Senate Committee on Commerce,
Science, and Transportation within 180 days of enactment on
cybersecurity vulnerabilities for the ten ports that the
Secretary determines are at greatest risk of an incident.

Sec. 219. Report on Cybersecurity and Critical
Infrastructure

Authorizes the Secretary to consult with sector-specific
entities on a report to HSC and HSGAC on federally funded
cybersecurity R&D with private-sector efforts to protect
privacy and civil liberties while protecting CI, including
promoting R&D for secure and resilient design and
construction, enhanced modeling of impacts from incidents or
threats, and facilitating incentivization of investments to
strengthen cybersecurity and resilience of CI.

NCPAA: Sec. 220. GAO Report on Impact Privacy and Civil
Liberties
PCNA: Sec. 111. Comptroller General Report on Removal of
Personal Identifying Information

PCNA: (a) Report

NCPAA: Requires a report from the Comptroller General to HSC and
HSGAC within five years of enactment assessing the impacts
of NCCIC activities on privacy and civil liberties.
PCNA: Requires a report from the Comptroller General to
Congress within three years of enactment on federal actions
to remove personal information from threat indicators
pursuant to Sec. 104(b).

PCNA: (b) Form

PCNA: Requires that the report be unclassified but permits a
classified annex.
Source: CRS.
Notes: See “Notes on the Table.”

Author Contact Information

Eric A. Fischer
Senior Specialist in Science and Technology
efischer@crs.loc.gov, 7-7071

Stephanie M. Logan
Research Assistant
slogan@crs.loc.gov, 7-0504



