Cybersecurity and Information Sharing:
Comparison of Legislative Proposals in the
114th Congress
Eric A. Fischer
Senior Specialist in Science and Technology
Stephanie M. Logan
Research Assistant
June 18, 2015
Congressional Research Service
7-5700
www.crs.gov
R44069
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
Summary
Effective sharing of information in cybersecurity is generally considered an important tool for
protecting information systems and their contents from unauthorized access by cybercriminals
and other adversaries. Five bills on such sharing have been introduced in the 114th Congress—
H.R. 234, H.R. 1560, H.R. 1731, S. 456, and S. 754. The White House has also submitted a
legislative proposal and issued an executive order on the topic.
In the House, H.R. 1560, the Protecting Cyber Networks Act (PCNA), and H.R. 1731, the
National Cybersecurity Protection Advancement Act of 2015 (NCPAA), passed, amended, the
week of April 20. The bills were then combined as separate titles in H.R. 1560. In the Senate, S.
754, the Cybersecurity Information Sharing Act of 2015 (CISA), was reported in March and was
proposed to be considered as an amendment to H.R. 1735, the National Defense Authorization
Act (NDAA). Presumably, if the Senate passes CISA or another bill on information sharing, any
inconsistencies between the two titles of H.R. 1560 could be reconciled during the process for
resolving differences between the House and Senate bills.
PCNA, NCPAA, and CISA have many similarities but also significant differences. All focus on
information sharing among private entities and between them and the federal government.
NCPAA would explicitly amend portions of the Homeland Security Act of 2002, and PCNA
would amend parts of the National Security Act of 1947. CISA addresses the roles of the
Department of Homeland Security and the intelligence community but does not explicitly amend
either act. The three bills differ in how they define some terms in common, the roles they provide
for federal agencies, processes for nonfederal entities to share information with the federal
government, processes for protecting privacy and civil liberties, uses permitted for shared
information, and reporting requirements. In general, however, CISA and PCNA are more similar
to each other than either is to NCPAA, although a number of those differences are provisions with
no corresponding language in the other bills and potentially could be included in any final
legislation.
All of the bills would address commonly raised concerns about barriers to sharing information
about cybersecurity—both within and across sectors. Such barriers are considered by many to
hinder protection of information systems, especially those associated with critical infrastructure.
Private-sector entities often express reluctance to share such information because of concerns
about legal liability, antitrust violations, regulatory requirements, and protection of intellectual
property and other proprietary business information. Institutional and cultural factors have also
been cited—traditional approaches to security tend to emphasize secrecy and confidentiality,
which would necessarily impede sharing of information.
All the bills have provisions aimed at facilitating information sharing among private-sector
entities and providing protections from liability that might arise from such sharing. While
reduction or removal of such barriers may provide benefits, concerns have been raised about
potential adverse impacts, especially on privacy and civil liberties, and potential misuse of shared
information. The bills address many of those concerns. In general, they limit the use of shared
information to purposes of cybersecurity and law enforcement, and they limit government use,
especially for regulatory purposes. All include provisions to shield information shared with the
federal government from public disclosure and to protect privacy and civil liberties with respect
to shared information that is not needed for cybersecurity purposes. All the proposals require
reports to Congress on impacts of their provisions.
Congressional Research Service
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
Most observers appear to believe that legislation on information sharing is either necessary or at
least potentially beneficial—provided that appropriate protections are included—but additional
factors may be worthy of consideration as the various legislative proposals are debated. In
particular, resistance to sharing of information among private-sector entities might not be
substantially reduced by the actions contemplated in the legislation; and information sharing is
only one of many facets of cybersecurity that organizations need to address to secure their
systems and information.
Congressional Research Service
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
Contents
Background ...................................................................................................................................... 1
Current Legislative Proposals .......................................................................................................... 3
House Consideration of NCPAA and PCNA ............................................................................. 3
Senate Consideration of CISA ................................................................................................... 3
Other Legislative Proposals in the 114th Congress .................................................................... 4
Overview of the Legislative Proposals ...................................................................................... 4
Selected Issues ................................................................................................................................. 6
Side-by-Side Comparison of NCPAA, PCNA, and CISA ............................................................. 11
Glossary of Abbreviations in the Table ................................................................................... 12
Notes on the Table ................................................................................................................... 13
Tables
Table 1. Side-by-Side Comparison of the Two Titles of H.R. 1560 as Passed by the
House—PCNA (Title 1) and NCPAA (Title II)—and S. 754 (CISA)......................................... 14
Contacts
Author Contact Information........................................................................................................... 56
Congressional Research Service
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
his report compares two House bills and one Senate bill that address information sharing
and related activities in cybersecurity. It also discusses some of the issues that those and
Tother bills address. The bills are
• the Protecting Cyber Networks Act (PCNA, H.R. 1560 as passed by the House),
• the National Cybersecurity Protection Advancement Act of 2015 (NCPAA, H.R.
1731 as passed by the House), and
• the Cybersecurity Information Sharing Act of 2015 (CISA, S. 754).
All three bills focus on information sharing among private entities and between them and the
federal government. They address the structure of the information-sharing process, issues
associated with privacy and civil liberties, and liability risks for private-sector sharing, and they
also address some other topics in common. In addition to other provisions, NCPAA would
explicitly amend portions of the Homeland Security Act of 2002 (6 U.S.C. 101 et seq.), and
PCNA would amend parts of the National Security Act of 1947 (50 U.S.C. 3021 et seq.). CISA
has many similarities to a bill with a similar name introduced in the 113th Congress and shares
many provisions with PCNA, although there are also significant differences between the two
bills.
This report consists of an overview of those and other legislative proposals on information
sharing, along with selected associated issues, followed by a side-by-side analysis of NCPAA,
PCNA, and CISA.1 For information on economic aspects of information sharing, see CRS Report
R43821, Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis, by N.
Eric Weiss. For discussion of legal issues, see CRS Report R43941, Cybersecurity and
Information Sharing: Legal Challenges and Solutions, by Andrew Nolan. For an overview of
cybersecurity issues, see CRS Report R43831, Cybersecurity Issues and Challenges: In Brief, by
Eric A. Fischer.
Background
Barriers to the sharing of information on threats, attacks, vulnerabilities, and other aspects of
cybersecurity—both within and across sectors—have long been considered by many to be a
significant hindrance to effective cybersecurity, especially with respect to critical infrastructure,
such as the financial system and the electric grid.2 Private-sector entities often claim that they are
reluctant to share such information among themselves because of concerns about legal liability,
antitrust violations, and potential misuse, especially of intellectual property, including trade
secrets and other proprietary business information.
Perceived barriers to sharing with government agencies include concerns about risks of disclosure
and the ways governments might use the information provided. In addition, some private-sector
1 The analysis is limited to a textual comparison of the bills and is not intended to reach any legal conclusions regarding
them.
2 See, for example, CSIS Commission on Cybersecurity for the 44th Presidency, Cybersecurity Two Years Later,
January 2011, http://csis.org/files/publication/110128_Lewis_CybersecurityTwoYearsLater_Web.pdf. There are
currently 16 recognized critical-infrastructure sectors (see The White House, “Critical Infrastructure Security and
Resilience,” Presidential Policy Directive 21, February 12, 2013, http://www.whitehouse.gov/the-press-office/2013/02/
12/presidential-policy-directive-critical-infrastructure-security-and-resil).
Congressional Research Service
1
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
entities complain that the federal government does not share its information—especially
classified information—effectively with the private sector, and that there is little reciprocity or
other incentives for such entities to share information with the government.3
Institutional and cultural factors have also been cited—traditional approaches to security tend to
emphasize secrecy and confidentiality, which would necessarily impede sharing of information.
While reduction or removal of such barriers may provide cybersecurity benefits, concerns have
also been raised about potential adverse impacts, especially with respect to privacy and civil
liberties.
A few sectors are subject to federal notification requirements,4 but most such information sharing
is voluntary, often through sector-specific Information Sharing and Analysis Centers (ISACs)5 or
programs under the auspices of the Department of Homeland Security (DHS), sector-specific
agencies, or private-sector organizations.6 In 2009, the Obama Administration established the
National Cybersecurity and Communications Integration Center (NCCIC) “to bolster information
sharing and incident response” with respect to critical infrastructure in particular.7
Legislation focusing specifically on alleviating obstacles to information sharing in cybersecurity
were first considered in the 112th Congress.8 The Cyber Intelligence Sharing and Protection Act
(CISPA, H.R. 3523) passed the House in the second session but received no action in the Senate.
The Cybersecurity Information Sharing Act (CISA, S. 2102) of 2012 was largely incorporated
into the Cybersecurity Act of 2012 (S. 3414), which was debated in the Senate but failed two
attempts at cloture. The Obama Administration also proposed legislation during the 112th
Congress that included provisions on information sharing.9
CISPA was reintroduced with little change in the 113th Congress as H.R. 624. An amended
version passed the House but once again received no action in the Senate. A substantially
amended version of CISA was reintroduced and reported in the Senate (S. 2588) but also received
no further action. However, a bill authorizing NCCIC was enacted (S. 2519, P.L. 113-282),10
along with four other cybersecurity bills with provisions on the protection of critical
3 See, for example, Sara Sorcher, “Security Pros: Cyberthreat Info-Sharing Won’t Be as Effective as Congress Thinks,”
Christian Science Monitor, June 12, 2015, http://www.csmonitor.com/World/Passcode/2015/0612/Security-pros-
Cyberthreat-info-sharing-won-t-be-as-effective-as-Congress-thinks.
4 Notable examples include the chemical industry, electricity, financial, and transportation sectors.
5 ISACs were originally formed pursuant to a 1998 presidential directive (The White House, “Presidential Decision
Directive 63: Critical Infrastructure Protection,” May 22, 1998, http://www.fas.org/irp/offdocs/pdd/pdd-63.htm).
6 See also CRS Report R42114, Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current Laws, and
Proposed Legislation, by Eric A. Fischer, CRS Report R42409, Cybersecurity: Selected Legal Issues, by Edward C.
Liu et al.; CRS Report R42984, The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress,
by Eric A. Fischer et al.; CRS Report R43821, Legislation to Facilitate Cybersecurity Information Sharing: Economic
Analysis, by N. Eric Weiss.
7 Department of Homeland Security, “Secretary Napolitano Opens New National Cybersecurity and Communications
Integration Center,” pressrRelease, October 30, 2009, http://www.dhs.gov/ynews/releases/pr_1256914923094.shtm.
8 Some bills in earlier Congresses had addressed aspects of information sharing. For example, H.R. 5548 and S. 3480 in
the 111th Congress included some provisions on bidirectional information sharing between the federal government and
nonfederal entities.
9 The White House, “Department of Homeland Security Cybersecurity Authority and Information Sharing,” May 12,
2011, http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/dhs-cybersecurity-authority.pdf.
10 H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act, would also have authorized the
NCCIC. It passed the House but received no further action in the Senate.
Congressional Research Service
2
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
infrastructure and federal information systems, research and development, and the cybersecurity
workforce.11
Current Legislative Proposals
House Consideration of NCPAA and PCNA
PCNA (H.R. 1560) was introduced March 24, 2015, and reported by the House Intelligence
Committee on April 13 (H.Rept. 114-63). NCPAA (H.R. 1731) was introduced April 13 and
reported by the House Homeland Security Committee on April 17 (H.Rept. 114-83). The House
Committee on Rules held a hearing on proposed amendments to both bills on April 21. More than
30 amendments were submitted for NCPAA and more than 20 for PCNA.12 The committee
reported H.Res. 212 (H.Rept. 114-88) on the two bills on April 21, with a structured rule allowing
consideration of five amendments to PCNA and 11 for NCPAA. For each bill, a manager’s
amendment would serve as the base bill for floor consideration, with debate on PCNA held on
April 22 and on NCPAA on April 23. The rule further stated that upon passage of both bills, the
text of H.R. 1731 would be appended to H.R. 1560, and H.R. 1731 would be tabled.
On April 22, all five amendments to H.R. 1560 were adopted and the bill passed the House by a
vote of 307 to 116. The amendments were all agreed to by voice vote except a sunset amendment
terminating the bill’s provisions seven years after enactment, which passed by recorded vote of
313 to 110. Similarly, on April 23, the 11 amendments to H.R. 1731 were all adopted and the bill
was passed by a vote of 355 to 63. A sunset amendment similar to that approved for H.R. 1560
and all but one other amendment were adopted by voice vote. The exception, requiring a GAO
study on privacy and civil liberties impacts, was agreed to by recorded vote, 405 to 8. The
engrossed version of H.R. 1560 combined the bills by making PCNA Title I and NCPAA Title
II.13
Senate Consideration of CISA
CISA was introduced and reported by the Senate Intelligence Committee on March 17, 2015, with
a written report filed April 15 (S.Rept. 114-32). The bill was offered as an amendment to H.R.
1735, the National Defense Authorization Act for 2016 (NDAA), but a cloture vote on the
amendment failed on June 11. Further floor consideration is anticipated during this session.
11 See CRS Report R43831, Cybersecurity Issues and Challenges: In Brief, by Eric A. Fischer.
12 For a list of amendments and text, see House Committee on Rules, “H.R. 1731—National Cybersecurity Protection
Advancement Act of 2015,” April 21, 2015, http://rules.house.gov/bill/114/hr-1731, and “H.R. 1560—Protecting Cyber
Networks Act,” April 21, 2015, http://rules.house.gov/bill/114/hr-1560.
13 To avoid confusion about the passed and engrossed versions of H.R. 1560, the two bills are referred to hereinafter by
their names, not their original bill numbers. CISA will also be referred to by name rather than bill number.
Congressional Research Service
3
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
Other Legislative Proposals in the 114th Congress
Two other bills on information sharing have been introduced in the 114th Congress, one in the
House and one in the Senate. The White House has also submitted a legislative proposal14 (WHP)
and issued an executive order on the topic.15 The other bills are
• the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the
House in the 113th Congress and was reintroduced unamended as H.R. 234; and
• the Cyber Threat Sharing Act of 2015, S. 456, which is similar to the WHP.16
Overview of the Legislative Proposals
All the bills would address common concerns about barriers to sharing of information on threats,
attacks, vulnerabilities, and other aspects of cybersecurity—both within and across sectors—but
they vary somewhat in emphasis and method. NCPAA focuses on the role of the Department of
Homeland Security (DHS), and in particular the National Cybersecurity and Communications
Integration Center (NCCIC), the role of which is also addressed in S. 456 and the WHP.
PCNA, in contrast, focuses more on the role of the intelligence community (IC),17 including
explicit authorization of the Cyber Threat Intelligence Integration Center (CTIIC), the
establishment of which was announced by the Obama Administration in February 2015.18 Both
CISPA and CISA address roles of DHS and the IC but do not specifically reference the NCCIC or
CTIIC.
All five bills and the WHP have provisions aimed at facilitating sharing of information among
private-sector entities and providing protections from liability that might arise from such sharing.
They vary somewhat in the kinds of private-sector entities and information covered. In general,
the proposals limit the use of shared information to purposes of cybersecurity and specified
aspects of law enforcement, and they limit government use for regulatory purposes.
NCPAA, PCNA, and CISA would explicitly authorize private-sector entities to monitor and use
defensive measures to protect their own systems and those of other consenting entities. CISPA
does not directly authorize those actions, but its provisions appear to cover monitoring.19 S. 456
and the WHP do not cover monitoring or defense.
14 The White House, Updated Information Sharing Legislative Proposal, 2015, http://www.whitehouse.gov/sites/
default/files/omb/legislative/letters/updated-information-sharing-legislative-proposal.pdf.
15 Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing,” Federal Register 80, no. 34,
February 20, 2015, pp. 9349–9353, http://www.gpo.gov/fdsys/pkg/FR-2015-02-20/pdf/2015-03714.pdf.
16 See Senate Committee on Homeland Security and Governmental Affairs, Protecting America from Cyber Attacks:
The Importance of Information Sharing, 2015, http://www.hsgac.senate.gov/hearings/protecting-america-from-cyber-
attacks-the-importance-of-information-sharing. The hearing was not specifically on the White House proposal but it
was held after the proposal was submitted and before the introduction of S. 456.
17 The IC consists of 17 agencies and others as designated under 50 U.S.C. 3003.
18 The White House, “Fact Sheet: Cyber Threat Intelligence Integration Center,” press release, February 25, 2015,
https://www.whitehouse.gov/the-press-office/2015/02/25/fact-sheet-cyber-threat-intelligence-integration-center.
19 It permits covered entities to “use cybersecurity systems to identify and obtain cyber threat information to protect the
rights and property” of covered entities (Sec. 3(a), modifying Sec. 1104(b) of the National Security Act).
Congressional Research Service
4
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
All address concerns about privacy and civil liberties, although the mechanisms proposed vary to
some extent, in particular the roles played by the Attorney General, the DHS Secretary, Chief
Privacy Officers, the Privacy and Civil Liberties Oversight Board (PCLOB), and the Inspectors
General of DHS and other agencies. All the proposals require reports to Congress on impacts of
their provisions. All also include provisions to shield information shared with the federal
government from public disclosure, including exemption from disclosure under the Freedom of
Information Act (FOIA).
In addition, NCPAA, S. 456, and the WHP address and modify the roles of information sharing
and analysis organizations (ISAOs).20 ISAOs were defined in the Homeland Security Act (HSA, 6
U.S.C. §131(5)) as entities that gather and analyze information relating to the security of critical
infrastructure, communicate such information to help with defense against and recovery from
incidents, and disseminate such information to any entities that might assist in carrying out those
goals. Information Sharing and Analysis Centers (ISACs) are more familiar to most observers.
They may arguably be ISAOs under the definition in HSA but have a different origin, having
been formed pursuant to a 1998 presidential directive.21
Executive Order 13691,22 issued soon after the WHP, also addresses the role of ISAOs. It requires
the Secretary of Homeland Security to encourage and facilitate the formation of ISAOs, and to
choose and work with a nongovernmental standards organization to identify standards and
guidelines for them.23 It also requires the NCCIC to coordinate with ISAOs on information
sharing, and includes some provisions to facilitate sharing of classified cybersecurity information
with appropriate entities.
On April 21, the White House announced support for passage of both NCPAA and PCNA by the
House, while calling for a narrowing of sweep for the liability protections and additional
safeguards relating to use of defensive measures in both bills.24 It also called for clarifying
20 The House Committee on Homeland Security held two hearings on the White House proposal before H.R. 1731 was
introduced (House Committee on Homeland Security, Examining the President’s Cybersecurity Information Sharing
Proposal, 2015, http://homeland.house.gov/hearing/hearing-administration-s-cybersecurity-legislative-proposal-
information-sharing; House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies, Industry Perspectives on the President’s Cybersecurity Information Sharing
Proposal, 2015, http://homeland.house.gov/hearing/subcommittee-hearing-industry-perspectives-president-s-
cybersecurity-information-sharing).
21 The White House, “Presidential Decision Directive 63: Critical Infrastructure Protection,” May 22, 1998,
http://www.fas.org/irp/offdocs/pdd/pdd-63.htm. The directive envisioned a single center for analysis and sharing of
private-sector information relating to the protection of critical infrastructure, with specific design and functions
determined by the private sector, in consultation with the federal government. That consultation resulted in the
establishment of sector-specific ISACs, with the first, covering the financial sector, established in 1999 (ISAC Council,
“Reach of the Major ISACs,” January 31, 2004, http://www.isaccouncil.org/images/
Reach_of_the_Major_ISACs_013104.pdf).
22 Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing.”
23 DHS has posted a Notice of Funding Opportunity for the standards organization, with selection expected in August
2015 (see Department of Homeland Security, “Information Sharing and Analysis Organizations,” May 27, 2015,
http://www.dhs.gov/isao).
24 Office of Management and Budget, “H.R. 1560—Protecting Cyber Networks Act,” Statement of Administration
Policy, April 21, 2015, https://www.whitehouse.gov/sites/default/files/omb/legislative/sap/114/
saphr1560r_20150421.pdf; Office of Management and Budget, “H.R. 1731—National Cybersecurity Protection
Advancement Act of 2015,” Statement of Administration Policy, April 21, 2015, https://www.whitehouse.gov/sites/
default/files/omb/legislative/sap/114/saphr1731r_20150421.pdf.
Congressional Research Service
5
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
provisions in NCPAA on use of shared information in federal law enforcement and ensuring that
provisions in PCNA do not interfere with privacy and civil liberties protections.
Selected Issues
Several issues appear to be particularly relevant to the debate over information-sharing
legislation. Among them are the following:
• Kinds of Information. What are the kinds of information for which barriers to
sharing exist that make effective cybersecurity more difficult, and what are those
barriers?
• Information-Sharing Process. How should the gathering and sharing of
information be structured in the public and private sectors to ensure that it is
efficient, effective, and appropriate?
• Uses of Information. What limitations should be placed on how shared
information is used?
• Standards and Practices. What improvements to current standards and practices
are needed to ensure that information sharing is useful and efficient for protecting
information systems, networks, and their contents?
• Privacy and Civil Liberties. What are the risks to privacy rights and civil
liberties of individual citizens associated with sharing different kinds of
cybersecurity information, and how can those rights and liberties best be
protected?
• Liability Protections. What, if any, statutory protections against liability are
needed to reduce disincentives for private-sector entities to share cybersecurity
information with each other and with government agencies, and how can the
need to reduce such barriers best be balanced against any risks to well-
established protections?
An in-depth discussion of these issues is beyond the scope of this report. However, the points
described below may be relevant for congressional debate. For discussion of legal issues
associated with privacy, civil liberties, and liability protections, see CRS Report R43941,
Cybersecurity and Information Sharing: Legal Challenges and Solutions, by Andrew Nolan.
Information that may be usefully shared can be complex in type and purpose, which may
complicate determining the best methods and criteria for sharing. Information sharing can
involve a broad variety of material communicated on a wide range of timescales, from broad
cybersecurity policies and principles to best practices to information on threat intelligence,25
vulnerabilities, and defenses to computer-generated data transmitted directly from one
information system to another electronically. The level of sensitivity of information can also
25 This can be described as “indicators (i.e., an artifact or observable that suggests that an attack is imminent, that an
attack is underway, or that a compromise may have already occurred); the TTPs [tactics, techniques, and procedures] of
an adversary; and recommended actions to counter an attack” (Chris Johnson, Lee Badger, and David Waltermire,
Guide to Cyber Threat Information Sharing (Draft), SP 800-150, National Institute of Standards and Technology,
October 2014, 4, http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf).
Congressional Research Service
6
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
vary—for example, it may be classified, proprietary, or personal. Information of any class will
also vary in its value for cybersecurity and the degree to which it needs human processing to be
useful.26
Shared information can be used for a variety of purposes relating to cybersecurity. A widely
recognized objective is to inform situational awareness—an understanding of the components,
operational roles, and current and projected states of systems and networks being protected;
events occurring within and across them; and threats, vulnerabilities, and other elements of risk,
all in the context of the larger cyberspace environment. Shared information may also be used for
identifying specific defensive actions or measures, and for planning and capacity-building, among
other objectives.27 In addition, the same information may have different utility for different
users—for example, threat signatures relating to attacks on one critical infrastructure sector may
be of marginal concern for another, and best practices may be much more useful for small
businesses than signatures associated with advanced targeted threats. Also, shared information
may prove of little use if it is delayed, provided without relevant contextual detail, or provided in
a form that requires substantial additional processing to determine its applicability. If recipients
find that the information they are provided is of little use to them, they may be less likely to
participate in or continue with information-sharing initiatives.
The timescale during which shared information will be most useful varies with the kind of
information shared and its purpose. To the extent that the goal of information sharing is to defend
systems and networks against cyberattacks, there appears to be a consensus that shared
information needs to be actionable—that is, it should identify or evoke a specific response aimed
at mitigating cybersecurity risks. To be meaningfully actionable, information may often need to
be shared very quickly or even in an automated fashion. Such rapid communication, for example
by machine-to-machine transmission and processing, is sometimes called “real-time” or “near
real-time” sharing. The relevance of timing for shared information may be measured in seconds
or even milliseconds in many cases.28 There may be little or no time for human operators to
examine a specific parcel of data to determine whether sharing it could raise privacy, liability, or
other concerns. Therefore, the way that such sharing is implemented may affect not only
operational effectiveness, but also other interests and goals such as privacy.
A large increase in information sharing could potentially lead to information overload, reducing
the effectiveness of the sharing in reducing cybersecurity risks. The relationship between the
volume of information shared and improved cybersecurity is not straightforward. Given the broad
classes of information that might be candidates for sharing, and the sheer volume of available
data, an entity could receive much more information than it can reasonably process with available
resources. Both providers and recipients—whether they are businesses, ISACs, ISAOs, or
government agencies—will incur various costs, including developing, assessing, processing,
26 See, for example, Kathleen M. Moriarty, “Transforming Expectations for Threat-Intelligence Sharing,” RSA
Perspective, August 3, 2013, https://www.emc.com/collateral/emc-perspective/h12175-transf-expect-for-threat-intell-
sharing.pdf.
27 See, for example, Department of Homeland Security, “Information Sharing: A Vital Resource,” March 10, 2015,
http://www.dhs.gov/information-sharing-vital-resource; Robin M. Ruefle and M. Murray, “CSIRT Requirements for
Situational Awareness,” Carnegie Mellon University, January 25, 2014, http://oai.dtic.mil/oai/oai?verb=getRecord&
metadataPrefix=html&identifier=ADA596848.
28 See, for example, M.J. Herring and K.D. Willett, “Active Cyber Defense: A Vision for Real-Time Cyber Defense,”
Journal of Information Warfare 13, no. 2, April 2014, pp. 46–55, https://www.nsa.gov/ia/_files/JIW-13-2—23-April-
2014—Final-Version.pdf.
Congressional Research Service
7
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
sharing, and applying the information. For sharing to be effective, information from the provider
must be relevant to recipients’ needs and in forms that can be readily applied in their information
technology and security environments. Recipients must also have the capacity and willingness to
assess and use the information received in a timely fashion. A large increase in the amount of
information received may be counterproductive, especially if much of the information proves to
be of little use to the recipient. That could include not only information of uncertain quality and
use, but also similar or redundant information from a variety of sources, which could lead to
misdirection and waste of resources and could result in important information being overlooked.
However, determining a priori what information is useful to share may be difficult.29
The current structure for information sharing is fairly complex but arguably limited in scope.
Several federal entities in addition to NCCIC and CTIIC are involved. For example, the National
Cyber Investigative Joint Task Force (NCIJTF), which is operated by the Federal Bureau of
Investigation (FBI), shares information on investigations related to domestic cyberthreats with
national security and criminal law-enforcement programs.30 Other entities with broader missions
may also be involved in cybersecurity information sharing—for example, the federal Information
Sharing Environment,31 and state and local fusion centers.32 There are also many private-sector
entities with information-sharing missions, most notably the ISACs, of which 19 are members of
the national council.33
Currently, there appear to be two general models for information sharing—a decentralized, “peer-
to-peer,” often informal approach between entities with complementary needs, and a more
centralized “hub-and-spoke” model such as the ISACs.34 Organizations such as ISACs are
generally sector-specific. Not all sectors have such organizations, and affiliations other than
sector may also be important for some kinds of information sharing. Filling such gaps appears to
be part of the rationale behind the Administration’s ISAO proposal to broaden the scope of ISAOs
beyond that described in the Homeland Security Act.35 On the one hand, the absence of an
appropriate mechanism can be a barrier to information sharing for an entity. On the other hand, a
proliferation of mechanisms, such as some observers fear the Administration’s ISAO model might
result in, could also serve as a barrier if it makes information sharing inefficient or confusing for
possible participants.
A proliferation of sharing mechanisms could improve coverage for information sharing among
sectors but might also lead to duplication or overspecialization. Those could lead to a reduction
in effective sharing across sectors, for example, and lack of clarity with respect to responsibilities.
29 See, for example, Moriarty, “Transforming Expectations for Threat-Intelligence Sharing.”
30 Federal Bureau of Investigation, “National Cyber Investigative Joint Task Force,” 2015, http://www.fbi.gov/about-
us/investigate/cyber/ncijtf.
31 Information Sharing and Access Interagency Policy Committee, “Information Sharing Environment (ISE),” 2015,
http://www.ise.gov/.
32 National Fusion Center Association, “National Strategy for the National Network of Fusion Centers, 2014-2017,”
July 2014, https://nfcausa.org/html/
National%20Strategy%20for%20the%20National%20Network%20of%20Fusion%20Centers.pdf.
33 National Council of ISACs, “Member ISACs,” 2015, http://www.isaccouncil.org/memberisacs.html.
34 Denise E. Zheng and James A. Lewis, Cyber Threat Information Sharing: Recommendations for Congress and the
Administration, CSIS, March 2015, https://csis.org/files/publication/150310_cyberthreatinfosharing.pdf.
35 The White House, Updated Information Sharing Legislative Proposal; The White House, “Fact Sheet: Executive
Order Promoting Private Sector Cybersecurity Information Sharing”; Executive Order 13691, “Promoting Private
Sector Cybersecurity Information Sharing.”
Congressional Research Service
8
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
It also creates the possibility that entities could receive conflicting information or even
incompatible recommendations from different sharing organizations. However, the potential for
duplication creates the potential for market competition, and such market forces would ideally
yield more innovation and more rapid improvement in information sharing than would a more
restricted approach. Market forces might also lead to lower costs, and cost can be an impediment
to improved information sharing, especially for small businesses. Yet market forces might also
lead to higher costs, and a proliferation of sharing mechanisms might also make decisions about
which one or ones to join more difficult for potential participants. In contrast, a narrow, tightly
defined structure for information sharing could lead to logjams or impede innovation in response
to the continuing evolution of cyberspace.
Development of consensus standards and best practices may improve the effectiveness and
efficiency of information sharing.36 The adoption of standards for information sharing is one way
to help address concerns about reliability and utility of information received. Such an effort may
be especially useful if the number and scope of ISAOs grows significantly, as may be the case
under the Obama Administration proposal and EO 13691. Dozens of standards currently exist
relating to information sharing.37 The Department of Homeland Security has been developing a
single set applicable to sharing of threat intelligence.38 However, the large variation in sharing
requirements and benefits among different entities and sectors may pose a significant challenge to
the development of a useful common set of standards and practices. Nevertheless, experience
with the development of the NIST cybersecurity framework suggests that it may be possible to
create a sufficiently flexible structure that entities can use to identify and develop appropriate
standards and practices.39
Sharing of information among private-sector entities might not be substantially increased by the
actions contemplated in the legislation. Most observers appear to believe that legislation on
information sharing is either necessary or at least potentially beneficial—provided that
appropriate protections are included. Some observers have noted that the benefits of receiving
cybersecurity information tend to outweigh the benefits of providing such information for many
organizations.40 This may be especially true for information shared with the federal government.41
Timely and actionable information that an entity receives can help it prevent or mitigate an attack.
In the absence of incentives for reciprocity, however, it is hard to see what benefit an organization
would gain from providing information, unless it is a government entity whose mission is to
provide such data or a provider of cybersecurity services. More indirect benefits might occur, for
example, if a pattern of reciprocity develops among sharing entities, such as through ISACs or
ISAOs. However, information sharing by itself is not sufficient to improve cybersecurity. Not
only must the information be actionable, but the recipient must also have processes, including
36 See, for example, Moriarty, “Transforming Expectations for Threat-Intelligence Sharing.”
37 European Union Agency for Network and Information Security, Standards and Tools for Exchange and Processing
of Actionable Information, November 2014, https://www.enisa.europa.eu/activities/cert/support/actionable-information/
standards-and-tools-for-exchange-and-processing-of-actionable-information.
38 Department of Homeland Security, “Information Sharing Specifications for Cybersecurity,” 2015, https://www.us-
cert.gov/Information-Sharing-Specifications-Cybersecurity.
39 See CRS Report R42984, The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress, by
Eric A. Fischer et al.
40 See, for example, CRS Report R43821, Legislation to Facilitate Cybersecurity Information Sharing: Economic
Analysis, by N. Eric Weiss; Zheng and Lewis, Cyber Threat Information Sharing: Recommendations for Congress and
the Administration.
41 Sorcher, “Security Pros.”
Congressional Research Service
9
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
equipment and software, in place to use the information effectively. If such processes are not in
place and utilized properly, the net effect may be the same as if the information were not shared at
all.42
In addition to issues such as legal concerns that may be associated with providing information,
businesses may be concerned about reputation costs, if they provide information showing that
they have been victims of cyberattacks. Government measures such as requirements for data-
breach notification, as enacted in most states, can provide incentives for organizations to share
information that may be useful in attempts to prevent future attacks on other entities or to capture
and prosecute cybercriminals. While the legislative proposals on information sharing may reduce
the risks to private-sector entities associated with providing information, none include explicit
incentives to stimulate such provision. In the absence of mechanisms to balance the asymmetry
between incentives for receiving and providing information, the degree to which information
sharing would increase under the provisions of the various legislative proposals may be uncertain.
Information sharing is only one facet of cybersecurity.43 Information sharing is only one of many
cybersecurity tools, and some observers have expressed concern about risks associated with an
overemphasis on its role in cybersecurity. Sharing may be relatively unimportant for many
organizations, especially in comparison with other cybersecurity needs.44 Entities must also have
the resources and processes in place that are necessary for effective cybersecurity risk
management. For example, in the data breaches of information on federal employees revealed in
June by the Office of Personnel Management (OPM), it is not clear that specific information
about the threat or even defensive measures would have resulted in effective defense against the
attacks, given OPM’s reported shortcomings in implementation of requirements in the Federal
Information Security Management Act (FISMA).45
In addition, information sharing tends to focus on immediate concerns such as cyberattacks and
imminent threats. While those must be addressed, that does not diminish the importance of other
issues in cybersecurity such as education and training, workforce, acquisition, or cybercrime law,
or major long-term challenges such as building security into the design of hardware and software,
changing the incentive structure for cybersecurity, developing a broad consensus about
cybersecurity needs and requirements, and adapting to the rapid evolution of cyberspace.
42 See, for example, Johnson, Badger, and Waltermire, Guide to Cyber Threat Information Sharing (Draft).
43 See, for example, Testimony of Martin C. Libicki before the House Committee on Oversight and Government
Reform, Subcommittee on Information Technology, hearing on Industry Perspectives on the President’s Cybersecurity
Information Sharing Proposal, 2015, http://homeland.house.gov/hearing/subcommittee-hearing-industry-perspectives-
president-s-cybersecurity-information-sharing.
44 For example, in the Cybersecurity Framework developed by the National Institute of Standards and Technology,
target levels of information sharing vary among the four tiers of cybersecurity implementation developed for
organizations with different risk profiles (National Institute of Standards and Technology, Framework for Improving
Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014, http://www.nist.gov/cyberframework/upload/
cybersecurity-framework-021214-final.pdf).
45 See, for example, House Committee on Oversight and Government Reform, OPM: Data Breach, 2015,
https://oversight.house.gov/hearing/opm-data-breach/.
Congressional Research Service
10
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
Side-by-Side Comparison of NCPAA, PCNA, and
CISA
The remainder of the report consists of a side-by-side comparison of provisions in NCPAA and
PCNA as passed by the House and CISA as reported to the Senate.
Congressional Research Service
11
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
Glossary of Abbreviations in the Table
AG Attorney
General
CI Critical
Infrastructure
CPO
Chief Privacy Officer
CRADA
Cooperative research and development agreement
CTIIC
Cyber Threat Intelligence Integration Center
DHS
Department of Homeland Security
DNI
Director of National Intelligence
DOD
Department of Defense
DOJ
Department of Justice
FIPPs
Fair Information Practice Principles
HSA
Homeland Security Act
HSC
House Committee on Homeland Security
HSGAC
Senate Homeland Security and Governmental Affairs Committee
IC Intelligence
community
ICS
Industrial control system
ICS-CERT
Industrial Control System Cyber Emergency Response Team
IG Inspector
General
ISAC
Information sharing and analysis center
ISAO
Information sharing and analysis organization
MOU
Memorandum of understanding
NCCIC
National Cybersecurity and Communications Integration Center
NCPAA
National Cybersecurity Protection Advancement Act of 2015
ODNI
Office of the Director of National Intelligence
PCLOB
Privacy and Civil Liberties Oversight Board
PCNA
Protecting Cyber Networks Act
R&D
Research and development
SSA Sector-specific
agency
Secretary
Secretary of Homeland Security
U.S. United
States
U.S.C.
United States Code
US-CERT
United States Computer Emergency Readiness Team
U/S-CIP
DHS Under Secretary for Cybersecurity and Infrastructure Protection
Congressional Research Service
12
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
Notes on the Table
Entries describing provisions in a bill are summaries or paraphrases, with direct quotes enclosed
in double quotation marks. The table uses the following formatting conventions to aid in the
comparison:
• Related provisions in the two titles are adjacent to each other, with NCPAA
serving as the basis for comparison.46 As a result, many provisions of PCNA
appear out of sequence in the table.
• Bold formatting denotes that the identified provision is the subject of the
subsequent text (e.g., (d) or Sec. 102 (a)).
• Numbers and names of sections, subsections, and paragraphs (except definitions)
added to existing laws by the bills are enclosed in single quotation marks (e.g.,
‘Sec. 111(a)’).
• Underlined text (visible only in the pdf version) is used in selected cases as a
visual aid to highlight differences with a corresponding provision in the other bill
that might otherwise be difficult to discern.
• The names of titles, sections, and some paragraphs are stated the first time a
provision from them is discussed in the table—for example, Sec. 103.
Authorizations for Preventing, Detecting, Analyzing, and Mitigating
Cybersecurity Threats—but only the number, to the paragraph level or higher,
is used thereafter.
• In cases where a provision of PCNA is out of sequence from that immediately
above it, as much of the provision number is repeated as is needed to make its
origin clear. For example, on p. 27, a provision from Sec. 103 is described
immediately after an entry for Sec. 109 and is therefore labelled Sec. 103(c)(3).
That is followed immediately by an entry labelled (a), which is a subsection of
Sec. 103 and therefore is not preceded by the section number.
• Page numbers cited within the table are hyperlinked to the provisions they
reference in the table; the page numbers themselves refer to pages in the pdf
version of this report.
• Explanatory notes on provisions are enclosed in square brackets. Also, the entry
“[Similar to {bill}]” means that the text in that provision is closely similar in text,
with no significant difference in meaning, to the corresponding provision in the
named bill. “[Identical to {bill}]” means that there are no differences in language
between the text of that provision and the corresponding provision in the named
bill. A double em-dash (——) means that the bill has no corresponding provision.
See the “Glossary of Abbreviations in the Table” for meanings of abbreviations used therein.
46 This approach was taken for purposes of efficiency and convenience only. CRS does not advocate or take positions
on legislation or legislative issues.
Congressional Research Service
13
Table 1. Side-by-Side Comparison of the Two Titles of H.R. 1560 as Passed by the House—PCNA (Title 1) and NCPAA (Title
II)—and S. 754 (CISA)
NCPAA—Title II
PCNA—Title I
CISA
“To amend the Homeland Security Act of 2002 to
“To improve cybersecurity in the United States
[Identical to PCNA]
enhance multi-directional sharing of information related
through enhanced sharing of information about
to cybersecurity risks and strengthen privacy and civil
cybersecurity threats, and for other purposes.” [Note:
liberties protections, and for other purposes.”
These two official titles have been concatenated in the
engrossed version of H.R. 1560.]
Sec. 201. Short Title
Sec. 101. Short Title
Sec. 1. Short title; table of contents
National Cybersecurity Protection Advancement Act
Protecting Cyber Networks Act
Cybersecurity Information Sharing Act of 2015
of 2015
Sec. 202. National Cybersecurity and
Communications Integration Center
Amends Sec. 226 of the HSA (6 U.S.C. 148). [Note:
—— ——
This section, added by P.L. 113-282, established the
National Cybersecurity and Communications
Integration Center and is referred to in the bill as the
“second section 226” to distinguish it from an
identical y numbered section added by P.L. 113-277.]
(a) In General
Sec. 110. Definitions
Sec. 2. Definitions
Amends existing definitions:
Cybersecurity Risk: Excludes actions solely involving
—— ——
violations of consumer terms of service or licensing
agreements from the definition.
Incident: Replaces the phrase "constitutes a violation or
—— ——
imminent threat of violation of law, security policies,
security procedures, or acceptable use policies" with
“actually or imminently jeopardizes, without lawful
authority, an information system.”
Adds the following definitions:
Agency: As in 44 U.S.C. 3502.
[Identical to PCNA]
CRS - 14
NCPAA—Title II
PCNA—Title I
CISA
—— ——
Antitrust Laws: As in 15 U.S.C. 12, 15 U.S.C. 45 as it
“applies to unfair methods of competition,” and state
laws with the same intent and effect.
——
Appropriate Federal Entities: Departments of Commerce,
[Identical to PCNA]
Defense, Energy, Homeland Security, Justice, and the
Treasury; and Office of the ODNI.
——
Cybersecurity Threat: An action unprotected by the 1st
[Similar to PCNA]
Amendment to the Constitution that involves an
information system and may result in unauthorized
efforts to adversely impact the security, integrity,
confidentiality, or availability of the system or its
contents, but not including actions solely involving
violations of consumer terms of service or licensing
agreements.
Cyber Threat Indicator:
Cyber Threat Indicator:
Cyber Threat Indicator:
Technical information necessary to describe or identify
Information or a physical object necessary to describe
Information necessary to describe or identify
or identify
- a method for network awareness [defined below] of
- malicious reconnaissance, including
[Identical to PCNA]
an information system to discern its technical
vulnerabilities, if the method is known or reasonably
suspected of association with a known or suspected
cybersecurity risk, including
- communications that reasonably appear to have “the
- anomalous patterns of communications that appear to
[Identical to PCNA]
purpose of gathering technical information related to a
have “the purpose of gathering technical information
cybersecurity risk,”
related to a cybersecurity threat or security
vulnerability,”
- a method for defeating a technical or security control,
- a method of defeating a security control or exploiting
[Identical to PCNA]
a security vulnerability,
- a technical vulnerability including anomalous technical
- a security vulnerability or anomalous activity
[Identical to PCNA]
behavior that may become a vulnerability,
indicating the existence of one,
- a method of causing a legitimate user of an
- a method of causing a legitimate user of an
[Identical to PCNA]
information system or its contents to
information system or its contents to
inadvertently enable defeat of a technical or
unwittingly enable defeat of a security control or
operational control,
exploitation of a security vulnerability,
CRS - 15
NCPAA—Title II
PCNA—Title I
CISA
- a method for unauthorized remote identification,
- “malicious cyber command and control,”
[Identical to PCNA]
access, or use of an information system or its contents,
if the method is known or reasonably suspected of
association with a known or suspected cybersecurity
risk, or
- actual or potential harm from an incident, including
[Identical to NCPAA]
[Identical to PCNA]
exfiltration of information; or
- any other cybersecurity risk attribute that cannot be
- any other cybersecurity threat attribute the
[Identical to PCNA]
used to identify specific persons believed to be
unrelated to the risk, and
disclosure of which is not prohibited by law
disclosure of which is not prohibited by law.
[Identical to PCNA]
- any combination of the above.
——
——
Cybersecurity Purpose:
Cybersecurity Purpose:
Cybersecurity Purpose:
Protecting
Protecting (including by using defensive measures)
Protecting
an information system or its contents from a
an information system or its contents from a
an information system or its contents from a
cybersecurity risk or incident or identifying a risk or
cybersecurity threat or security vulnerability or
cybersecurity threat or security vulnerability.
incident source.
identifying a threat source.
Defensive Measure:
Defensive Measure:
Defensive Measure:
An “action, device, procedure, signature, technique, or
An “action, device, procedure, technique, or other
An “action, device, procedure, signature, technique, or
other measure” applied to an information system that
measure” executed on an information system or its
other measure” applied to an information system that
“detects, prevents or mitigates a known or suspected
contents that “prevents or mitigates a known or
“detects, prevents or mitigates a known or suspected
cybersecurity risk or incident” or attributes that could
suspected cybersecurity threat or security
cybersecurity threat or security vulnerability.”
help defeat security controls,
vulnerability.”
but not including measures that destroy, render
[No Corresponding Provision; however, the authority
but not including measures that destroy, render
unusable, or substantially harm an information system
to operate defensive measures in Sec. 103(b) includes a
unusable, or substantially harm an information system
or its contents not operated by that nonfederal entity,
similar restriction; see p. 29];
or its contents not operated by that private entity, or
except a state, local, or tribal government, or by
by another entity or federal entity that consented to
another nonfederal or federal entity that consented to
such actions.
such actions.
——
Federal Entity: A U.S. department or agency, or any
[Identical to PCNA]
component thereof.
——
Information System: As in 44 U.S.C. 3502.
——
Local Government: A political subdivision of a state.
CRS - 16
NCPAA—Title II
PCNA—Title I
CISA
Malicious Cyber Command and Control: “A method for
unauthorized remote identification of, access to, or use
of an information system” or its contents.
Malicious Reconnaissance: A method, associated with a
known or suspected cybersecurity threat, for probing
or monitoring an information system to discern its
vulnerabilities.
Network Awareness:
Monitor:
Scanning, identifying, acquiring, monitoring, logging, or
Scanning, identifying, acquiring, or otherwise possessing
analyzing the contents of an information system.
the contents of an information system.
Non-Federal Entity:
Entity:
A private entity or nonfederal government or agency
A private entity or nonfederal government or agency
thereof (including personnel), but not including foreign
thereof, but not including foreign powers as defined in
powers as defined in 50 U.S.C. 1801.
50 U.S.C. 1801.
Private Entity:
Private Entity:
Private Entity:
A nonfederal entity that is an individual, nonfederal
A person, nonfederal government utility, or
A person, nonfederal government electric utility, or
government utility or “an entity performing utility
services,” or
private group, organization, proprietorship,
[Identical to NCPAA]
[Identical to NCPAA]
partnership, trust, cooperative, corporation, or other
commercial or nonprofit entity,
including personnel.
including personnel, but
[Identical to PCNA]
——
not including a foreign power as defined in 50 U.S.C.
[Identical to PCNA]
1801.
——
Real Time: Automated, machine-to-machine system
——
processing of cyber threat indicators where the
occurrence and “reporting or recording” of an event
are “as simultaneous as technologically and
operational y practicable.”
Security Control: The management, operational, and
Security Control: The management, operational, and
Security Control: The management, operational, and
technical controls used to protect an information
technical controls used to protect an information
technical controls used to protect an information
system and the information stored on, processed by,
system and its information against unauthorized
system and its information against unauthorized
or transiting it against unauthorized attempts to
attempts to adversely impact their security,
attempts to adversely affect their confidentiality,
CRS - 17
NCPAA—Title II
PCNA—Title I
CISA
adversely affect their confidentiality, integrity, or
confidentiality, integrity, or availability.
integrity, or availability.
availability.
——
Security Vulnerability: “Any attribute of hardware,
[Identical to PCNA]
software, process, or procedure that could enable or
facilitate the defeat of a security control.”
Sharing: “Providing, receiving, and disseminating.”
——
——
——
Tribal: As in 25 U.S.C. 450b.
[Identical to PCNA]
(b) Amendment
Adds tribal governments, private entities, and ISACs as
—— ——
appropriate members of the NCCIC in DHS.
Sec. 203. Information Sharing Structure and
Sec. 102. Sharing of Cyber Threat Indicators
Sec. 3. Sharing of Information by the Federal
Processes
and Defensive Measures by the Federal
Government
Government With Non-federal Entities
(a) In General
(a) In General
Amends Sec. 226 of the HSA.
Amends Title I of the National Security Act of 1947 by
——
adding a new section.
‘Sec. 111. Sharing of Cyber Threat Indicators
and Defensive Measures by the Federal
Government With Non-Federal Entities’
‘(a) Sharing by the Federal Government’
(1) revises the functions of the NCCIC by specifying
‘(1)’ requires the DNI, in consultation with the heads
Requires the DNI, the Secretaries of Homeland
that it is the “lead” federal civilian interface for
of appropriate federal entities, to develop and
Security and Defense, and the AG, in consultation with
information sharing, adding “cyber threat indicators”
promulgate procedures consistent with protection of
the heads of appropriate federal entities, to develop
and “defensive measures” to the subjects it addresses,
classified information, intelligence sources and
and promulgate procedures consistent with protection
and expanding its functions to include
methods, and privacy and civil liberties, for
of classified information, intelligence sources and
methods, and privacy and civil liberties, for
[Note: See also Sec. 5(c), p. 24, requiring DHS to
implement the process for sharing electronic threat
indicators and defensive measures with the federal
government.]
- providing information and recommendations on
——
——
CRS - 18
NCPAA—Title II
PCNA—Title I
CISA
information sharing,
- in consultation with other appropriate agencies,
—— ——
collaborating with international partners, including on
enhancing “the security and resilience of the global
cybersecurity ecosystem,” and
- sharing “cyber threat indicators, defensive measures,”
timely sharing of classified cyber threat indicators and
timely sharing of (1) classified cyber threat indicators
and information on cybersecurity risks and incidents
declassified indicators with relevant nonfederal entities,
and (2) declassified indicators and information with
with federal and nonfederal entities, including across
and sharing of information about imminent or ongoing
relevant entities, (4) sharing of information about
critical-infrastructure (CI) sectors and with fusion
cybersecurity threats to such entities to prevent and
imminent or ongoing cybersecurity threats to such
centers.
mitigate adverse impacts.
entities to prevent and mitigate adverse impacts, and
[Note: See also the provisions on the CTIIC in PCNA,
sharing with relevant entities, or the public as
p. 25.]
appropriate, of (3) unclassified indicators.
- notify the Secretary, the HSC, and the HSGAC of
—— ——
significant violations of privacy and civil liberties
protections under ‘Sec. 226(i)(6),’
‘(2) Development of Procedures’
(b) Development of Procedures
- promptly notifying nonfederal entities that have
Requires that procedures for sharing developed by the
(1) requires that procedures for sharing developed by
shared information known to be in error or in
DNI include methods to notify nonfederal entities that
the DNI include methods to notify entities that have
contravention to section requirements,
have received information from a federal entity under
received information from a federal entity under the
the title and known to be in error or in contravention
bill and known to be in error or in contravention to
to title requirements or other federal law or policy.
requirements in the bill or other federal law or policy.
- participating in DHS-run exercises, and
——
——
——
Requires that the procedures incorporate existing
[Identical to PCNA]
information-sharing mechanisms of federal and
nonfederal entities, including ISACs, as much as
possible, and
——
include methods to promote efficient granting of
——
security clearances to appropriate representatives of
nonfederal entities.
—— ——
(2) requires that the procedures be developed in
coordination with appropriate federal entities, including
the National Laboratories, to ensure implementation of
timely sharing of indicators.
CRS - 19
NCPAA—Title II
PCNA—Title I
CISA
(2) expands NCCIC membership to include the
—— ——
following [Note: all are existing entities]:
- an entity that col aborates with state and local
—— ——
governments on risks and incidents and has a voluntary
information sharing relationship with the NCCIC,
- the US-CERT for col aboratively addressing,
—— ——
responding to, providing technical assistance upon
request on, and coordinating information about and
timely sharing of threat indicators, defensive measures,
analysis, or information about cybersecurity risks and
incidents,
- the ICS-CERT to coordinate with ICS owners and
—— ——
operators, provide training on ICS cybersecurity,
timely share information about indicators, defensive
measures, or cybersecurity risks and incidents of ICS,
and remain current on ICS technology advances and
best practices,
- the “National Coordinating Center for
—— ——
Communications to coordinate the protection,
response, and recovery of emergency
communications,” and
- “an entity that coordinates with small and medium-
—— ——
sized businesses.”
(3) adds “cyber threat indicators” and “defensive
—— ——
measures” to the subjects covered in the principles of
operation of the NCCIC,
Sec. 103. Authorizations for Preventing,
Detecting, Analyzing, and Mitigating
Cybersecurity Threats
(f) Small Business Participation
Requires that information be shared as appropriate
Requires the Small Business Administration to assist
——
with small and medium-sized businesses and that the
small businesses and financial institutions in monitoring,
NCCIC make self-assessment tools available to them,
defensive measures, and sharing information under the
CRS - 20
NCPAA—Title II
PCNA—Title I
CISA
section.
Requires a report with recommendations by the
——
administrator to the President within one year of
enactment on sharing by those institutions and use of
shared information for network defense.
Requires federal outreach to those institutions to
encourage them to exercise the authorities provided
under the section.
Specifies that information be guarded against
—— ——
disclosure.
Stipulates that the NCCIC must work with the DHS
—— ——
CPO to ensure that the NCCIC fol ows privacy and
civil liberties policies and procedures under ‘Sec.
226(i)(6)’;
(4) adds new subsections to Sec. 226 of the HSA:
——
——
‘(g) Rapid Automated Sharing’
‘(1)’ requires the DHS U/S-CIP to develop capabilities,
‘Sec. 111(a)(2)’ requires that the procedures ensure
(1) [Identical to PCNA]
in coordination with stakeholders and based as
the capability of real-time sharing consistent with
appropriate on existing standards and approaches in
protection of classified information.
the information technology industry, that support and
[Note: ‘Sec. 111(b)(2)’ requires procedures to ensure
advance automated and timely sharing of threat
such sharing—see p. 23.]
indicators and defensive measures to and from the
NCCIC and with SSAs for each CI sector in
accordance with ‘Sec. 226(h).’.
‘(2)’ requires the U/S-CIP to report to Congress twice
—— ——
per year on the status and progress of that capability
until it is fully implemented.
‘(h) Sector Specific Agencies’
Requires the Secretary to col aborate with relevant CI
—— ——
sectors and heads of appropriate federal agencies to
recognize each CI SSA designated as of March 25,
2015, in the DHS National Infrastructure Protection
Plan. Designates the Secretary as SSA head for each
sector for which DHS is the SSA. Requires the
CRS - 21
NCPAA—Title II
PCNA—Title I
CISA
Secretary to coordinate with relevant SSAs to
- support CI sector security and resilience activities,
- provide knowledge, expertise, and assistance on
request, and
- support timely sharing of threat indicators and
defensive measures with the NCCIC.
‘(b)
Definitions’
——
Defines the fol owing terms by reference to Sec. 110 of
——
the title: Appropriate Federal Entities, Cyber Threat
Indicator, Defensive Measure, Federal Entity, and Non-
Federal Entity.
(b) Submittal to Congress
——
Requires that the procedures developed by the DNI be
Requires that the procedures developed by the DNI be
submitted to Congress within 90 days of enactment of
submitted to Congress within 60 days of enactment of
the title.
the bill.
(c) Table of Contents Amendment
——
Revises the table of contents of the National Security
——
Act of 1947 to reflect the addition of ‘Sec. 111.’
Sec. 104. Sharing of Cyber Threat Indicators
Sec. 5. Sharing of Cyber Threat Indicators and
and Defensive Measures with Appropriate
Defensive Measures with the Federal
Federal Entities Other Than the Department of
Government
Defense or the National Security Agency
(a) Requirement for Policies and Procedures
(a) Requirement for Policies and Procedures
(1) Adds new subsections to ‘Sec. 111’ of the National
——
Security Act of 1947
‘(i) Voluntary Information Sharing Procedures’
‘(b) Policies and Procedures for Sharing with
the Appropriate Federal Entities Other Than
the Department of Defense or the National
Security Agency’
‘(1)’ permits voluntary information-sharing
‘(1)’ requires the President to develop and submit to
(1) requires the AG, in coordination with heads of
relationships for cybersecurity purposes between the
Congress policies and procedures for federal receipt of
appropriate agencies, to develop and submit to
NCCIC and nonfederal entities but prohibits requiring
cyber threat indicators and defensive measures.
Congress policies and procedures for federal receipt of
such an agreement.
CRS - 22
NCPAA—Title II
PCNA—Title I
CISA
Permits the NCCIC, at the sole and unreviewable
cyber threat indicators and defensive measures.
discretion of the Secretary, acting through the U/S-CIP,
to terminate an agreement for repeated, intentional
violation of the terms of ‘(i).’
Permits the Secretary, solely and unreviewably and
acting through the U/S-CIP, to deny an agreement for
national security reasons.
‘(2)’ permits the relationship to be established through
—— ——
a standard agreement for nonfederal entities not
requiring specific terms.
Stipulates negotiated agreements with DHS upon
request of a nonfederal entity where NCCIC has
determined that they are appropriate, and at the sole
and unreviewable discretion of the Secretary, acting
through the U/S-CIP.
Stipulates that any agreement in effect prior to
—— ——
enactment of the title will be deemed in compliance
with requirements in ‘(i).’ Requires that those
agreements include “relevant privacy protections as in
effect” under the CRADA for Cybersecurity
Information Sharing and Collaboration, as of December
31st 2014.” Also stipulates that an agreement is not
required for an entity to be in compliance with ‘(i).’
——
‘(2)’ requires that the policies and procedures be
(3) requires that, consistent with the privacy and civil
developed in accordance with the privacy and civil
liberties guidelines under Sec. (b), the policies and
liberties guidelines under Sec. 104(b) of the title, and
procedures ensure
ensure
——
- real-time sharing of indicators from nonfederal
- automated sharing of indicators from any entity with
entities with appropriate federal entities except DOD,
the federal government through the real-time process
under (c),
——
- receipt without delay except for good cause, and
- real-time receipt without delay, with
——
- provision to all relevant federal entities,
- provision permitted to other federal entities, and
——
——
- if not through the process under (c), sharing “as
quickly as operational y practicable,” without
unnecessary delay, and also ensure
CRS - 23
NCPAA—Title II
PCNA—Title I
CISA
——
- audit capability, and
- audit capability, and
——
- appropriate sanctions for federal personnel who
- appropriate sanctions for federal personnel who
knowingly and willfully use shared information other
knowingly and willfully conduct activities under the bill
than in accordance with the title.
in an unauthorized manner.
—— ——
——
(2) requires that an interim version of the policies and
(1) requires that an interim version of the policies and
procedures be submitted to Congress within 90 days
procedures be submitted to Congress within 60 days
of enactment of the title, and the final version within
of enactment of the title, and the final version within
180 days.
180 days.
—— ——
(4) requires the AG to develop public guidelines on
matters appropriate to assist and promote sharing of
threat indicators with federal entities, including
identification of kinds of information constituting
- indicators unlikely to include personal information,
- information protected under privacy laws that is
unlikely to be directly related to a threat.
—— ——
(c) Capability and Process Within the
Department of Homeland Security
—— ——
(1) requires the Secretary to develop and implement,
within 90 days of enactment, a capability and process
within DHS that will
——
——
- accept indicators and defensive measures in real time
from any entity, and upon certification under (2),
——
——
- be the process for federal receipt of indicators and
defensive measures from private entities through
electronic means, except for previously shared
indicators and communications about cybersecurity
threats by a regulated entity with its federal regulatory
authority,
——
——
- ensure automated receipt by federal entities of
indicators shared in real time with DHS,
——
——
- comply with section policies, procedures, and
guidelines,
CRS - 24
NCPAA—Title II
PCNA—Title I
CISA
——
——
- not limit or prohibit otherwise lawful disclosures,
including reporting of criminal activity, participating in a
federal investigation, and providing indicators or
measures under a statutory or contractual
requirement.
—— ——
(2) requires the Secretary, in consultation with the
heads of appropriate federal agencies, to certify to
Congress at least 10 days before implementation
whether the capability and process operates as the
process for receipt of indicators and measures from
any entity in accordance with section policies,
procedures, and guidelines.
—— ——
(3) requires the Secretary to ensure public notice of
and access to the process so that entities may share
indicators and measures through it and federal entities
receive them in real time.
—— ——
(4) requires the process under (1) to ensure timely
receipt by federal entities of shared indicators and
measures.
—— ——
(5) requires an unclassified report, which may include a
classified annex, to Congress by the Secretary within
60 days of enactment on development and
implementation of requirements in (1) and (3).
(c) National Cyber Threat Intelligence
Integration Center
——
(1) Adds a new section to the National Security Act of
——
1947.
‘Sec. 119B. Cyber Threat Intelligence
Integration Center’
‘(a)
Establishment’
——
Establishes the CTIIC within the ODNI.
——
CRS - 25
NCPAA—Title II
PCNA—Title I
CISA
‘(b)
Director’
——
Creates a director for the CTIIC, to be appointed by
——
the DNI.
‘(c) Primary Missions’
——
Specifies the missions of the CTIIC with respect to
——
cyberthreat intelligence as
- serving as the primary federal organization for
analyzing and integrating it,
- ensuring full access and support of appropriate
agencies to activities and analysis,
- disseminating analysis to the President, appropriate
agencies, and Congress,
- coordinating agency activities, and
- conducting strategic federal planning.
‘(d)
Limitations’
——
Requires that the CTIIC
——
- have no more than 50 permanent positions,
- may not augment staff above that limit in carrying out
its primary missions, and
- be located in a building owned and operated by an
element of the IC,
——
(4) revises the table of contents of the National
——
Security Act of 1947.
‘(3) Information Sharing Authorization’
Sec. 103(c) Authorization for Sharing or
Sec. 4(c) Authorization for Sharing or Receiving
Receiving Cyber Threat Indicators or Defensive
Cyber Threat Indicators or Defensive Measures
Measures
Permits nonfederal entities to share, for cybersecurity
(1) permits nonfederal entities to share, for
(1) permits entities to share, for purposes permitted
purposes, cyber threat indicators, and defensive
cybersecurity purposes and consistent with privacy
under the act and consistent with protection of
measures, from their own information systems or
requirements under (d)(2) and protection of classified
classified information, cyber threat indicators or
those of other entities upon written consent,
information, lawfully obtained cyber threat indicators
defensive measures
or defensive measures
with other nonfederal entities or the NCCIC,
with other nonfederal entities or appropriate federal
with any entity or the federal government.
entities except DOD,
CRS - 26
NCPAA—Title II
PCNA—Title I
CISA
notwithstanding any other provision of law, except that
(1,2) [Similar to NCPAA].
(2) requires recipients to comply with lawful
recipients must comply with lawful restrictions on
restrictions on sharing and use imposed by the source.
sharing and use imposed by the source.
(d) Protection and Use of Information
(d) Protection and Use of Information
Requires reasonable efforts by nonfederal and federal
(2) requires reasonable efforts by nonfederal entities,
(2) requires entities, before sharing a threat indicator,
entities, prior to sharing, to
before sharing a threat indicator, to
to
safeguard personally identifying information from
—— ——
unintended disclosure or unauthorized access or
acquisition and
remove or exclude such information where it is
remove information reasonably believed to be personal
remove information known to be personal or
reasonably believed when it is shared to be unrelated
or personally identifying of a specific person not
personally identifying of a specific person not directly
to a cybersecurity risk or incident.
directly related to a cybersecurity threat, or
related to a cybersecurity threat, or
implement a technical capability for removing such
implement and use a technical capability for removing
information.
such information.
Sec. 109. Construction and Preemption
Sec. 8. Construction and Preemption
(f) Information Sharing Relationships
(f) Information Sharing Relationships
Stipulates that nothing in ‘(3)’
Stipulates that nothing in the title
Stipulates that nothing in the bill
- limits or modifies an existing information sharing
- (1) limits or modifies an existing information sharing
[Similar to PCNA], or
relationship or prohibits or requires a new one,
relationship or (2) prohibits or requires a new one.
——
——
requires use of the DHS sharing process under Sec.
5(c) [p. 24].
——
Sec. 103(c)(3) stipulates that nothing in (c) Sec.
4(c)(3)
stipulates that nothing in (c)
——
- authorizes information sharing other than as provided
[Identical to PCNA]
in (c),
——
- permits unauthorized sharing of classified information,
——
- authorizes federal surveillance of any person,
- prohibits a federal entity, at the request of a
nonfederal entity, from technical discussion of threat
indicators and defensive measures and assistance with
vulnerabilities and threat mitigation,
- prohibits otherwise lawful sharing by a nonfederal
CRS - 27
NCPAA—Title II
PCNA—Title I
CISA
entity of indicators or defensive measures with DOD,
or
- limits otherwise lawful activity, or
[Similar to NCPAA]
[Identical to PCNA]
- impacts or modifies existing procedures for reporting
—— ——
criminal activity to appropriate law enforcement
authorities, or participating in an investigation.
Requires the U/S-CIP to coordinate with stakeholders
—— ——
to develop and implement policies and procedures to
coordinate disclosures of vulnerabilities as practicable
and consistent with relevant international industry
standards.
‘(4) Network Awareness Authorization’
(a) Authorization for Private-Sector Defensive
(a) Authorization for Monitoring
Monitoring
permits nonfederal, nongovernment entities,
(1) permits private entities, notwithstanding any other
[Similar to PCNA],
notwithstanding any other provision of law, to conduct
provision of law, to
network awareness, for cybersecurity purposes and to
monitor, for cybersecurity purposes,
protect rights or property, of
- its own information systems,
[Similar to NCPAA],
[Identical to NCPAA],
- with written consent, information systems of a
[Similar to NCPAA], or
[Similar to NCPAA], or
nonfederal or federal entity, or
- the contents of such systems.
[Similar to NCPAA].
[Identical to PCNA].
Stipulates that nothing in ‘(4)’
(2) Stipulates that nothing in (a)
[Identical to NCPAA],
- authorizes network awareness other than as provided
- authorizes monitoring other than as provided in the
in the section, or
title,
- limits otherwise lawful activity,
[Similar to NCPAA],
[Similar to PCNA].
——
- authorizes federal surveillance of any person.
——
‘(5) Defensive Measure Authorization’
(b) Authorization for Operation of Defensive
(b) Authorization for Operation of Defensive
Measures
Measures
permits nonfederal, nongovernment entities to operate
(1) permits private entities to operate defensive
(1) permits private entities to operate defensive
defensive measures, for cybersecurity purposes and to
measures, for a cybersecurity purpose and to protect
measures, for cybersecurity purposes and to protect
protect rights or property, that are applied to
rights or property, that are operated on
rights or property, that are applied to
CRS - 28
NCPAA—Title II
PCNA—Title I
CISA
- its own information systems,
[Similar to NCPAA], or
[Similar to NCPAA]
- with written consent, information systems of a
- with written authorization, information systems of a
- with written consent, information systems of another
nonfederal or federal entity, or
nonfederal or federal entity, or
entity, or
a federal entity with written consent of an authorized
representative
- the contents of such systems,
——
——
notwithstanding any other provision of law, except that
(1) notwithstanding any other provision of law, except
(1) notwithstanding any other provision of law, except
measures may not be used except as authorized in the
(3) that measures may not be used except as
(2) [Identical to PCNA].
section, and ‘(5)’ does not limit otherwise lawful
authorized in (b), and (b) does not limit otherwise
activity.
lawful activity.
[No Corresponding Provision; however, the definition
(2) stipulates that (1) does not authorize operation of
[No Corresponding Provision; however, the definition
of defensive measure in Sec. 202(a) includes a similar
defensive measures that destroy, render whol y or
of defensive measure in Sec. 2 includes a similar
restriction; see p. 16.]
partly unusable or inaccessible, or substantial y harm an
restriction; see p. 16.]
information system or its contents not owned by
either the private entity operating the measure or a
nonfederal or federal entity that provided written
authorization to that private entity.
(e) No Right or Benefit
(f) No Right or Benefit
——
Stipulates that sharing of indicators with a nonfederal
Stipulates that sharing of indicators with an entity
entity creates no right or benefit to similar information
creates no right or benefit to similar information by
by any nonfederal entity.
any entity. [Note: Definition of entity in CISA is similar
to definition of nonfederal entity in PCNA; see p. 17.]
‘(6) Privacy and Civil Liberties Protections’
Sec. 104(b) Privacy and Civil Liberties
Sec. 5(b) Privacy and Civil Liberties
Requires the U/S-CIP,
(1) requires the AG,
(1) requires the AG,
in coordination with the DHS CPO and Chief Civil
in consultation with appropriate federal agency heads
in coordination with appropriate federal entity heads
Rights and Civil Liberties Officer,
and agency privacy and civil liberties officers,
and in consultation with agency privacy and civil
liberties officers,
to establish and review annually policies and
to develop and review periodical y guidelines on
to develop interim guidelines on privacy and civil
procedures on information shared with the NCCIC
privacy and civil liberties to govern federal handling of
liberties to govern federal handling of cyber threat
under the section.
cyber threat indicators obtained through the title’s
indicators obtained through the bill’s provisions;
provisions.
[Note: No separate provisions for interim and final
[Note: No separate provisions for interim and final
(2) in coordination with appropriate federal entity
CRS - 29
NCPAA—Title II
PCNA—Title I
CISA
guidelines]
guidelines]
heads and in consultation with agency privacy and civil
liberties officers and relevant private entities with
industry expertise,
to promulgate, and review periodically in coordination
with appropriate agency heads and consultation with
agency privacy and civil liberties officers and relevant
private entities, final guidelines on privacy and civil
liberties to govern federal handling of cyber threat
indicators obtained through the bill’s provisions
Requires that they apply only to DHS, consistent with
(2) requires that, consistent with the need for
(3) [Similar to PCNA]
the need for timely protection of information systems
protection of information systems and threat
from and mitigation of cybersecurity risks and
mitigation, the guidelines
incidents, the policies and procedures
- be consistent with DHS FIPPs,
- be consistent with FIPPs in the White House National
(a)(3) requires that, consistent with the bill, applicable
Strategy for Trusted Identities in Cyberspace [Note:
provisions of law and the FIPPs in the White House
The two versions of the principles are identical, except
National Strategy for Trusted Identities in Cyberspace
that the DHS version applies the principles to DHS
govern federal retention, use, and dissemination of
whereas the White House document applies them to
information shared with the federal government under
“organizations”],
the bill;
- “reasonably limit, to the extent practicable, receipt,
- limit receipt, retention, use, and dissemination of
(b)(3) [Similar to PCNA],
retention, use, and disclosure of cybersecurity threat
cybersecurity threat indicators containing personal
indicators and defensive measures associated with
information of or identifying specific persons,
specific persons” not needed for timely protection of
systems and networks,
——
including by establishing processes for prompt
including by establishing processes for timely
destruction of information known not to be directly
destruction of information known not to be directly
related to uses for cybersecurity purposes, setting
related to uses under the title, and setting limitations
limitations on retention of indicators, and notifying
on retention of indicators, and requiring that recipients
recipients that indicators may be used only for
be informed that indicators may be used only for
cybersecurity purposes, and,
purposes authorized under the bill,
- minimize impacts on privacy and civil liberties,
- limit impacts on privacy and civil liberties of federal
- limit impacts on privacy and civil liberties of federal
activities under the title, including
activities under the bill,
- provide data integrity through prompt removal and
guidelines for removal of personal and personally
——
destruction of obsolete or erroneous personal
identifying information handled by federal entities
information unrelated to the information shared and
under the title,
CRS - 30
NCPAA—Title II
PCNA—Title I
CISA
retained by the NCCIC in accordance with this
section,
- include requirements to safeguard from unauthorized
- include requirements to safeguard from unauthorized
[Identical to PCNA]
access or acquisition cyber threat indicators and
access or acquisition cyber threat indicators
defensive measures retained by the NCCIC,
identifying specific persons, including proprietary or
containing personal information of or identifying
[Identical to PCNA]
business-sensitive information,
specific persons,
- protect the confidentiality of cyber threat indicators
——
- protect the confidentiality of cyber threat indicators
and defensive measures associated with specific
containing personal information of or identifying
persons, to the greatest extent practicable,
specific persons, to the greatest extent practicable,
- ensure that relevant constitutional, legal, and privacy
- be consistent with other applicable provisions of law,
[See (a)(3), p. 30, stating that applicable provisions of
protections are observed.
law wil govern information sharing activities,
consistent with the bill],
——
- include procedures to notify entities if a federal entity
[Similar to PCNA],
receiving information knows that it is not a cyber
threat indicator,
——
- include steps to ensure that dissemination of
[Similar to PCNA].
indicators is consistent with the protection of classified
and other sensitive national security information.
Stipulates that the U/S-CIP may consult with NIST in
—— ——
developing the policies and procedures.
Requires the DHS CPO and the Officer for Civil Rights
(3) requires the AG to submit to Congress
Requires the AG to submit to Congress
and Civil Liberties, in consultation with the PCLOB, to
submit to appropriate congressional committees
the policies and procedures within 180 days of
interim guidelines within 90 days of enactment and final
(1) interim guidelines within 60 days of enactment and
enactment and annually thereafter.
guidelines within 180 days.
(2) final guidelines within 180 days.
Requires the U/S-CIP, in consultation with the PCLOB
——
(1) requires the AG to make the interim guidelines
and the DHS CPO and Chief Civil Rights and Civil
available to the public. [Note: There is no similar
Liberties Officer, to ensure public notice of and access
requirement for the final guidelines.]
to the policies and procedures.
Requires the DHS CPO to
—— ——
- monitor implementation of the policies and
procedures,
CRS - 31
NCPAA—Title II
PCNA—Title I
CISA
- submit to Congress an annual review on their
effectiveness,
- work with the U/S-CIP to carry out provisions in ‘(c)’
on notification about violations of privacy and civil
liberties policies and procedures and about information
that is erroneous or in contravention of section
requirements,
- regularly review and update impact assessments as
appropriate to ensure that all relevant protections are
followed, and
- ensure appropriate sanctions for DHS personnel who
(2) requires that the AG’s guidelines include
(b)(3) [Identical to PCNA]
knowingly and willfully conduct unauthorized activities
appropriate sanctions for federal activities in
under the section.
contravention of them. [Note: The provision does not
specify whether these sanctions are limited to violation
of requirements for safeguarding information or the
guidelines as a whole.]
Sec. 107. Oversight of Government Activities
Sec. 7. Oversight of Government Activities
(b) Reports on Privacy and Civil Liberties.
(b) Reports on Privacy and Civil Liberties.
Requires the DHS IG, in consultation with the PCLOB
(2) requires the IGs of DHS, the IC, DOJ, and DOD,
(2) requires the IGs of DHS, the IC, DOJ, DOD, and
and IGs of other agencies receiving shared indicators
in consultation with the IG Council, to jointly submit a
the Department of Energy, in consultation with the IG
or defensive measures from the NCCIC, to submit a
report to Congress within two years of enactment and
Council, to jointly submit a biennial report to Congress
report to HSC and HSGAC within two years of
biennial y thereafter, on
on
enactment and periodically thereafter reviewing such
information, including
- receipt, use, and dissemination of cybersecurity
- receipt, use, and dissemination of cybersecurity
[Similar to PCNA],
indicators and defensive measures shared with federal
indicators and defensive measures shared with federal
entities under the section,
entities under the title,
- information on NCCIC use of such information for
—— ——
purposes other than cybersecurity,
- types of information shared with the NCCIC,
- types of indicators shared with federal entities,
[Identical to PCNA],
- actions taken by NCCIC based on shared
- actions taken by federal entities as a result of
[Identical to PCNA],
information;
receiving shared indicators,
- metrics to determine impacts of sharing on privacy
——
——
CRS - 32
NCPAA—Title II
PCNA—Title I
CISA
and civil liberties,
- a list of federal agencies receiving the information,
- a list of federal entities receiving the indicators,
[Identical to PCNA], and
- review of sharing of information within the federal
- review of sharing of indicators among federal entities
[Identical to PCNA].
government to identify inappropriate stovepiping of
to identify inappropriate barriers to sharing
shared information, and
information,
——
- procedures for sharing information and removal of
——
personal and identifying information, and incidents
involving improper treatment of it, and
- recommendations for improvements or modifications
- recommendations for improvements or modifications
(3) permits inclusion of recommendations for
to sharing under the section.
to authorities under the title.
improvements or modifications to authorities under
the bill.
——
Requires that the reports be submitted in unclassified
(4) [Similar to PCNA].
form but permits a classified annex.
——
Requires public availability of unclassified parts of the
——
reports.
——
(1) adds a new paragraph to Sec. 1061(e) of the
——
Intelligence Reform and Terrorism Prevention Act of
2004:
Requires the DHS CPO and Chief Civil Rights and Civil
‘(3)’ requires the PCLOB to
(1) [Similar to PCNA]
Liberties Officer, in consultation with the PCLOB, the
DHS IG, and senior privacy and civil liberties officers of
each federal agency receiving indicators or defensive
measures shared with the NCCIC, to
submit a biennial report to Congress
submit a biennial report to Congress and the President
[Similar to PCNA]
assessing impacts on privacy and civil liberties of federal
assessing impacts of activities under the title on and
assessing effects of the types of activities under on the
activities under ‘(6)’, including
sufficiency of policies, procedures, and guidelines in
bill on and sufficiency of policies, procedures, and
addressing concerns about privacy and civil liberties,
guidelines in addressing concerns about privacy and
including
civil liberties.
recommendations to minimize or mitigate such
recommendations for improvements or modifications
(3) permits inclusion of recommendations for
impacts.
to authorities under the title.
improvements or modifications to authorities under
the bill,
——
Requires that the reports be submitted in unclassified
(4) [Similar to PCNA].
CRS - 33
NCPAA—Title II
PCNA—Title I
CISA
form but permits a classified annex.
——
Requires public availability of unclassified parts of the
——
reports.
(a) Biennial Report on Implementation
(a) Biennial Report on Implementation
——
(1) Adds to ‘Sec. 111’ of the National Security Act
——
‘(c) Biennial Report on Implementation’
——
‘(1)’ requires the DNI to submit a report to Congress
(1) requires joint reports to Congress from
on implementation of the title, (2) within one year of
- the heads of appropriate federal agencies and
enactment and ‘(1)’ at least biennially thereafter,
- the IGs of DHS, the IC, DOJ, DOD, and the
‘(2)’ including
Department of Energy, in consultation with the IG
Council on implementation of the bill, within one year
of enactment and at least biennially thereafter,
including
——
- review of types of indicators shared with the federal
[Similar to PCNA],
government,
——
- the degree to which such information may impact
[Identical to PCNA],
privacy and civil liberties of specific persons, along with
quantitative and qualitative assessment of such impacts
and adequacy of federal efforts to reduce them,
——
- assessment of sufficiency of policies, procedures, and
- assessment of sufficiency of policies, procedures, and
guidelines to ensure effective and responsible sharing
guidelines to ensure effective and responsible sharing
under Sec. 4 [sic] of PCNA,
under Sec. 5,
——
- effectiveness of real-time sharing under Sec. 5(c).
——
- sufficiency of procedures under Sec. 3 [sic] for timely
- sufficiency of procedures under Sec. 3 for timely
sharing [Note: References ‘Sec. 111(a)(1)’ as added by
sharing,
the title; see p. 19],
——
- appropriateness of classification of indicators and
[Similar to PCNA],
accounting of security clearances authorized,
——
- federal actions taken based on shared indicators,
[Similar to PCNA],
including appropriateness of subsequent use or
dissemination under the title,
CRS - 34
NCPAA—Title II
PCNA—Title I
CISA
——
- description of any significant federal violations of the
- description of any significant federal violations of the
requirements of the title, including assessments of all
requirements of the title,
reports of federal personnel misusing information
provided under the title and all disciplinary actions
taken, and
——
- a summary of the number and types of nonfederal
[Similar to PCNA],
entities receiving classified indicators from the federal
government and evaluation of risks and benefits of such
sharing.
——
- assessment of personal or personally identifying
information not directly related to a threat that was
shared by a nonfederal entity with the federal
government in contravention to Sec. 3(d)(2) or within
——
the government in contravention of Sec. 4(b)
guidelines. [Note: Intended reference to Sec. 103 and
104 respectively.]
——
‘(3)’ permits reports to include recommendations for
[Similar to PCNA].
improvements or modifications to authorities and
processes under the title.
——
‘(4)’ requires that the reports be submitted in
[Similar to PCNA].
unclassified form but permits a classified annex.
——
‘(5)’ requires public availability of unclassified parts of
the reports.
——
‘(7) Uses and Protection of Information’
Sec. 103. Authorizations for Preventing,
Sec. 4. Authorizations for Preventing,
Detecting, Analyzing, and Mitigating
Detecting, Analyzing, and Mitigating
Cybersecurity Threats
Cybersecurity Threats
(d) Protection and Use of Information
(d) Protection and Use of Information
[Nonfederal Entities]
Permits a nonfederal, nongovernment entity that
(3) permits a nonfederal entity [Note: including
(3) permits an entity [Note: including government
shares indicators or defensive measures with the
government entities], for a cybersecurity purpose, to
entities], for cybersecurity purposes, to
NCCIC to
use, retain, or disclose indicators and defensive
use indicators or defensive measure shared or received
use indicators or defensive measure shared or received
measures, solely for cybersecurity purposes.
under (d) to monitor or operate a defensive measure
under (d) to monitor or operate a defensive measure
CRS - 35
NCPAA—Title II
PCNA—Title I
CISA
on its own information systems or those of other
on its own information systems or those of other
nonfederal or federal entities upon written
entities upon written consent from them, with
authorization from them, with
Requires reasonable efforts prior to sharing to
[See (2), p. 27, describing requirements for removal of
[See (2), p. 27, describing requirements for removal of
safeguard personally identifying information from
personal information].
personal information].
unintended disclosure and unauthorized access or
acquisition, and remove or exclude such information
where it is reasonably believed when shared to be
unrelated to a cybersecurity risk or incident.
Requires compliance with appropriate restrictions on
further use, retention, or sharing subject to lawful
[Similar to PCNA].
subsequent disclosure or retention placed by a federal
restrictions by the sharing entity or otherwise
or nonfederal entity on indicators or defensive
applicable provisions of law.
measures disclosed to other entities.
Stipulates that the information shall be deemed
—— ——
voluntarily shared.
Requires implementation and utilization of security
(1) requires implementation of appropriate security
(1) Requires implementation and utilization of security
controls to protect against unauthorized access or
controls to protect against unauthorized access or
controls to protect against unauthorized access or
acquisition.
acquisition. [Note: Also applies to nonfederal
acquisition. [Note: Also applies to nonfederal
government entities.]
government entities.]
Prohibits use of such information to gain an unfair
——
Prohibits use of such information other than as
competitive advantage.
authorized in (d).
[Federal Entities]
Sec. 104(d) Information Shared with or
Provided to the Federal Government
Permits federal entities receiving indicators or
(5) permits federal entities or personnel receiving
[Similar to PCNA]
defensive measures from the NCCIC or otherwise
indicators or defensive measures under the title to,
under the section to use, retain, or further disclose it
consistent with otherwise applicable provisions of
solely for
federal law, use, retain, or disclose it solely for
cybersecurity purposes.
a cybersecurity purpose,
[Identical to PCNA]
——
——
identifying a cybersecurity threat,
- including a source or vulnerability,
- use of an information system by a foreign adversary
of terrorist,
CRS - 36
NCPAA—Title II
PCNA—Title I
CISA
[Note: Sec. 216 (see p. 52) permits use of information
responding to, investigating, prosecuting, or otherwise
responding to or otherwise preventing or mitigating
obtained from federal systems for investigating,
preventing or mitigating
prosecuting, disrupting, or otherwise responding to
imminent threats of death or serious bodily harm
threats of death or serious bodily harm or offenses
imminent threats of death or serious bodily harm or
arising out of such threats,
——
——
“serious economic harm, including a terrorist act or a
use of a weapon of mass destruction,”
serious threats to minors, including sexual exploitation
serious threats to minors, including sexual exploitation
[Similar to PCNA],
or threats to physical safety, and
and threats to physical safety, and
violations of 18 U.S.C. 1030 [computer fraud], or
- preventing, investigating, disrupting, or prosecuting
[Similar to PCNA] or
offenses listed in 18 U.S.C. 1028-30, 3559(c)(2)(F), and
Ch. 37 and 90 [computer fraud and identity theft,
espionage and censorship, protection of trade secrets,
and serious violent felonies].
——
——
threats of death or serious bodily or economic harm,
attempts or conspiracy to commit the above offenses.]
——
——
Prohibits federal disclosure, retention, or use for any
[Similar to PCNA].
——
purpose not permitted under (5).
Requires reasonable efforts prior to sharing to
Stipulates that the policies, procedures, and guidelines
Stipulates that the policies, procedures, and guidelines
safeguard personally identifying information from
in (a) [on provision of information to the federal
in (a) and (b) apply to such information, that
unintended disclosure and unauthorized access or
government] and (b) [on privacy and civil liberties] of
confidentiality of personal or personally identifying
acquisition, and remove or exclude such information
the title apply to such information.
information in indicators must be protected and the
where it is reasonably believed when shared to be
information protected from unauthorized use or
unrelated to a cybersecurity risk or incident.
disclosure.
——
‘Sec. 111(a)(2)’ requires that procedures for sharing
Sec. 3(b)(1) requires that procedures for sharing
developed include methods for federal entities to
developed include methods for federal entities to
assess, prior to sharing, whether an indicator contains
assess, prior to sharing, whether an indicator contains
information known to be personal or personal y
information known to be personal or personal y
identifying of a specific person and to remove such
identifying of a specific person and to remove such
information, or to implement a technical capability to
information, or to implement and utilize a technical
remove or exclude such information.
capability to remove such information.
Stipulates that the indicators and defensive measures
Sec. 104(d)(3) stipulates that the information shall be
Sec. 5(d)(3) [Similar to PCNA].
shall be deemed voluntarily shared.
deemed voluntarily shared.
CRS - 37
NCPAA—Title II
PCNA—Title I
CISA
Requires implementation and utilization of security
‘Sec. 111(a)(2)’ requires that procedures for sharing
Sec. 3(b)(1) requires that procedures for sharing
controls to protect against unauthorized access or
developed by the DNI include requirements for federal
developed by the DNI include requirements for federal
acquisition.
entities to implement security controls to protect
entities to implement and utilize security controls to
against unauthorized access to or acquisition of shared
protect against unauthorized access to or acquisition of
information.
shared information.
Sec. 109(a) Prohibition of Surveillance
Prohibits use in surveillance or collection activities to
Stipulates that the title does not authorize DOD or
——
track an individual’s personally identifiable information
any element of the IC to target a person for
except as authorized in the section.
surveillance.
Stipulates that the information is exempt from
Sec. 104(d)(3) [Similar to NCPAA], and
Sec. 5(d)(3) [Similar to PCNA]. and
disclosure under 5 U.S.C. 552 [the Freedom of
Information Act (FOIA)] or nonfederal disclosure laws
and withheld, without discretion, from the public under
5 U.S.C. 552(3)(B).
——
under nonfederal disclosure laws,
[Similar to PCNA]
except for those requiring disclosure in criminal
——
prosecutions.
——
Prohibits federal use for regulatory purposes.
[Note: No specific corresponding prohibition, but Sec.
(5) prohibits federal or nonfederal use to regulate
104(d)(5) above prohibits federal disclosure, retention,
lawful activities of an entity, including those relating to
or use for any purpose other than those specified in
monitoring, defense, or sharing of indicators, except to
the paragraph.]
inform development or implementation of authorized
regulations relating to prevention or mitigation of
threats to information systems and to procedures
under the bill.
Specifies that there is no waiver of applicable privilege
(1) [Similar to NCPAA].
(1) [Similar to NCPAA].
or protection under law, including trade-secret
protection;
Requires that the information be considered the
(2) requires that, consistent with the title, the
(2) requires that, consistent with Sec. 4(c)(2), the
commercial, financial, and proprietary information of
information be considered the commercial, financial,
information be considered the commercial, financial,
the nonfederal entity when so designated by it.
and proprietary information of the originating
and proprietary information of the entity providing it,
nonfederal source, when so designated by such source
when so designated by the originating entity or third
or nonfederal entity acting with written authorization
party acting with written authorization from it.
from it.
CRS - 38
NCPAA—Title II
PCNA—Title I
CISA
Stipulates that the information is not subject to judicial
(4) [Similar to NCPAA]
(4) [Similar to NCPAA]
doctrine or rules of federal entities on ex-parte
communications.
[Nonfederal Government Entities]
[Note: See also Nonfederal Entities, p. 35.]
[Note: See also Nonfederal Entities, p. 35.]
Permits state, local, and tribal government to
Sec. 103(d)(4) permits state, local, and tribal
Sec. 4(d)(4) permits state, local, and tribal
government entities
government entities, with prior written consent of
sharing entity or oral consent in exigent circumstances,
use, retain, or further disclose indicators or defensive
to use shared cyber threat indicators for cybersecurity
to use shared cyber threat indicators for
measures shared under the section solely for
purposes,
cybersecurity purposes.
——
responding to, prosecuting, or otherwise preventing or
investigating, prosecuting, or preventing
mitigating
——
threats of death or serious bodily harm or offenses
offenses relating to serious violent felonies, fraud and
arising out of such threats, or
identity theft, espionage and censorship, and protection
responding to serious threats to minors, including
of trade secrets.
sexual exploitation and threats to physical safety.
Requires reasonable efforts prior to sharing to
[See (2), p. 27, describing requirements for removal of
[Similar to PCNA].
safeguard personally identifying information from
personal information.]
unintended disclosure and unauthorized access or
acquisition, and remove or exclude such information
where it is reasonably believed when shared to be
unrelated to a cybersecurity risk or incident.
Stipulates that the information be considered
[Note: Sec. 103(d)(3) stipulates that further use,
[Similar to PCNA].
“commercial, financial, and proprietary” if so
retention, or sharing of information received by a
designated by the provider.
nonfederal entity is subject to lawful restrictions by the
sharing entity or otherwise applicable provisions of law.
See Nonfederal Entities, p. 35.]
Stipulates that the indicators and defensive measures
Stipulates that such shared indicators or defensive
Stipulates that such shared indicators be deemed
shall be deemed voluntarily shared.
measures be deemed voluntarily shared and exempt
voluntarily shared and exempt from disclosure, and
from disclosure, and
Requires implementation and utilization of security
(1) requires implementation of appropriate security
(1) Requires implementation and utilization of security
controls to protect against unauthorized access or
controls to protect against unauthorized access or
controls to protect against unauthorized access or
acquisition.
acquisition. [Note: Also applies to nonfederal
acquisition. [Note: Also applies to nonfederal
CRS - 39
NCPAA—Title II
PCNA—Title I
CISA
nongovernment entities.]
nongovernment entities.]
Exempts the information from disclosure under
Exempts the information from disclosure under
Exempts the information from disclosure under
nonfederal disclosure laws or regulations.
nonfederal disclosure laws or regulations, except as
nonfederal disclosure laws or regulations.
required in criminal prosecutions.
Prohibits use for regulation of lawful activities of
——
Prohibits use to regulate lawful activities of an entity,
nonfederal entities.
including those relating to monitoring, defense, or
sharing of indicators, except to inform development or
implementation of authorized regulations relating to
prevention or mitigation of threats to information
systems.
‘(8) Liability Exemptions’
Sec. 106. Protection from Liability
Sec. 6. Protection from Liability
(a) Monitoring of Information Systems
(a) Monitoring of Information Systems
States that “no cause of action shall lie or be
States that “no cause of action shall lie or be
[Similar to PCNA, but refers to Sec. 4(a)]
maintained in any court” against nonfederal,
maintained in any court” against private entities for
nongovernment entities for conducting network
monitoring information systems under Sec. 103(a)
awareness under ‘(4)’ in accordance with the section
conducted in accordance with the title or
or
(b) Sharing or Receipt of Cyber Threat
(b) Sharing or Receipt of Cyber Threat
Indicators
Indicators
for sharing indicators or defensive measures under
for information sharing under Sec. 103(c) in
for information sharing under Sec. 4(c) in accordance
‘(3),’ or a good-faith failure to act if sharing is done in
accordance with the title or a good-faith failure to act if
with the title if sharing is done in accordance with the
accordance with the section.
sharing is done in accordance with the title.
bill and, for sharing with the federal government after
the earlier of submission of interim procedures under
Sec. 5(a)(1) or 60 days after enactment, it uses the
DHS process under Sec. 5(c)(1).
(c) Willful Misconduct
(c) Construction
Stipulates that nothing in the section
(1) Stipulates that nothing in the section
Stipulates that nothing in the section
- requires dismissal of a cause of action against a
- requires dismissal of a cause of action against a
- requires dismissal of a cause of action against an
nonfederal, nongovernment entity that engages in
nonfederal entity that engages in willful misconduct in
entity that engages in gross negligence or willful
willful misconduct in the course of activities under the
the course of activities under the title, or
misconduct in the course of activities under the bill, or
section.
- undermines or limits availability of otherwise
[Identical to NCPAA]
[Identical to NCPAA]
CRS - 40
NCPAA—Title II
PCNA—Title I
CISA
applicable common law or statutory defenses.
Establishes the burden of proof as clear and convincing
(2) [Similar to NCPAA]
——
evidence from the plaintiff of injury-causing willful
misconduct,
Defines willful misconduct as an act or omission taken
(3) [Similar to NCPAA].
——
intentional y to achieve a wrongful purpose, knowingly
without justification, and in disregard of risk of highly
probable harm that outweighs any benefit.
‘(9) Federal Government Liability for Violations
Sec. 105. Federal Government Liability for
of Restrictions on the Use and Protection of
Violations of Privacy or Civil Liberties
Voluntarily Shared Information’
(a) In General
Makes the federal government liable to injured persons
Makes the federal government liable to injured persons
——
for intentional or willful violation of restrictions on
for intentional or willful violation of privacy and civil
federal disclosure and use under ‘Sec. 226’, with
liberties guidelines under Sec. 104(b), with minimum
minimum damages of $1,000 plus
damages of $1,000 plus
reasonable attorney fees as determined by the court
[Identical to NCPAA]
——
and other reasonable litigation costs in any case under
(a) where “the complainant has substantially prevailed.”
(b) Venue
Stipulates the federal district courts where the case
[Identical to NCPAA]
——
may be brought as the one in which the complainant
resides or the principal place of business is located, the
District of Columbia, or
where the federal department or agency that disclosed
where the federal department or agency that violated
——
the information is located.
the guidelines is located.
(c) Statute of Limitations
Sets the statute of limitations under ‘(i)’ at two years
Sets the statute of limitations under Sec. 105 at two
——
from the date on which the cause of action arises.
years from the date on which the cause of action
arises.
CRS - 41
NCPAA—Title II
PCNA—Title I
CISA
(d) Exclusive Cause of Action.
Sets action under ‘(i)’ as the exclusive remedy for
Sets action under (d) as the exclusive remedy for
——
violation of restrictions under ‘(i)(3),’ ‘(i)(6),’ or
federal violations under the title.
‘(i)(7)(B)’.
‘(10) Anti-Trust Exemption’
Sec. 4(c) Antitrust Exemption
Exempts nonfederal entities from violation of antitrust
——
Exempts any two or more private entities from
laws for sharing indicators or defensive measures or
violation of antitrust laws, except as provided in Sec.
providing assistance for cybersecurity purposes,
8(e) [p. 43] for exchanging or providing indicators or
provided that the action is taken to assist with
assistance for cybersecurity purposes to help prevent,
preventing, investigating, or mitigating a cybersecurity
investigate, or mitigate a cybersecurity risk or incident.
risk or incident.
‘(11) Construction and Preemption’
Sec. 109(b) Otherwise Lawful Disclosures
Sec. 8(a) Otherwise Lawful Disclosures
Stipulates that the section does not limit or prohibit
Stipulates that the title does not limit or prohibit
Stipulates that the bill does not limit or prohibit
otherwise lawful disclosures or participation in an
otherwise lawful disclosures by a nonfederal entity of
otherwise lawful disclosures by an entity of information
investigation by a nonfederal entity of information to
information to any other federal or nonfederal entity,
to any federal or other entity, or
any other federal or nonfederal entity.
or
——
any otherwise lawful use by a federal entity, whether
any otherwise lawful use by a federal entity, even when
or not the disclosures duplicate those made under the
the disclosures duplicate those made under the bill.
title.
(c) Whistle Blower Protections
(b) Whistle Blower Protections
Stipulates that the section does not prohibit or limit
Stipulates that the title does not prohibit or limit
Stipulates that the bill does not prohibit or limit
disclosures protected under 5 U.S.C. 2302(b)(8), 5
disclosures protected under 5 U.S.C. 2302(b)(8), 5
disclosures protected under 5 U.S.C. 2302(b)(8), 5
U.S.C. 7211, 10 U.S.C. 1034, 50 U.S.C. 3234, or similar
U.S.C. 7211, 10 U.S.C. 1034, or similar provisions of
U.S.C. 7211, 10 U.S.C. 1034, 50 U.S.C. 3234, or similar
provisions of federal or state law.
federal or state law.
provisions of federal or state law.
(e) Relationship to Other Laws
Stipulates that the section does not affect any
Stipulates that the title does not affect any
Stipulates that the bill does not affect any requirements
requirements under other provisions of law for
requirements under other provisions of law for
under other provisions of law for entities providing
nonfederal entities providing information to federal
nonfederal entities providing information to federal
information to federal entities.
entities.
entities.
(g) Preservation of Contractual Obligations and
(g) Preservation of Contractual Obligations and
Rights
Rights
Stipulates that the section does not change contractual
Stipulates that the title does not change contractual
Stipulates that the bill does not change contractual
CRS - 42
NCPAA—Title II
PCNA—Title I
CISA
relationships between nonfederal entities or them and
relationships between nonfederal entities or them and
relationships between entities or them and federal
federal entities or abrogate trade-secret or intellectual
federal entities, or abrogate trade-secret or intellectual
entities, or abrogate trade-secret or intellectual
property rights.
property rights.
property rights.
(h) Anti-Tasking Restriction
(h) Anti-Tasking Restriction
Stipulates that the section does not permit the federal
Stipulates that the title does not permit the federal
Stipulates that the bill does not permit the federal
government to require nonfederal entities to provide it
government to require nonfederal entities to provide it
government to require nonfederal entities to provide it
with information, or
with information, or
with information, or
condition sharing of indicators or defensive measures
condition sharing of indicators on provision of
[Similar to PCNA]
on provision by such entities of indicators or defensive
indicators, or
measures, or
condition award of grants, contracts, or purchases on
condition award of grants, contracts, or purchases on
[Identical to PCNA]
such provision.
such provision.
(i) No Liability for Non-Participation
(i) No Liability for Non-Participation
Stipulates that the section does not create liabilities for
Stipulates that the title does not create liabilities for
Stipulates that the bill does not create liabilities for any
any nonfederal entities that choose not to engage in
any nonfederal entities that choose not to engage in a
nonfederal entities that choose not to engage in the
the voluntary activities authorized in the section.
voluntary activity authorized in the title.
voluntary activities authorized in the bill.
(j) Use and Retention of Information
(j) Use and Retention of Information
Stipulates that the section does not authorize or
Stipulates that the title does not authorize or modify
Stipulates that the bill does not authorize or modify
modify existing federal authority to retain and use
existing federal authority to retain and use information
existing federal authority to retain and use information
information shared under the title for uses other than
shared under the title for uses other than those
shared under the title for uses other than those
those permitted under the section.
permitted under the title.
permitted under the bill.
Stipulates that the section does not restrict or
—— ——
condition sharing for cybersecurity purposes among
nonfederal entities or require sharing by them with the
NCCIC.
(e) Prohibited Conduct
Stipulates that nothing in the bill “shall be construed to
——
Stipulates that nothing in the bill “may be construed to
permit price-fixing, al ocating a market between
permit price-fixing, allocating a market between
competitors, monopolizing or attempting to
competitors, monopolizing or attempting to
monopolize a market, boycotting, or exchanges of
monopolize a market, or exchanges of price or cost
price or cost information, customer lists, or
information, customer lists, or information regarding
information regarding future competitive planning.”
future competitive planning.”
CRS - 43
NCPAA—Title II
PCNA—Title I
CISA
(k) Federal Preemption
(k) Federal Preemption
Specifies that the section supersedes state and local
(1) Specifies that the title supersedes state and local
(1) Specifies that the bill supersedes state and local
laws relating to its provisions
laws relating to its provisions.
laws relating to its provisions.
——
(2) Stipulates that the title does not supersede state
[Similar to PCNA]
and local laws on use of authorized law enforcement
practices and procedures.
——
(3) Stipulates that, except with respect to exemption
——
from disclosure under Sec. 103(b)(4), the title does not
supersede state and local law on private entities
performing utility services except to the extent that
they restrict activities under the title.
Requires the Secretary to develop policies and
—— ——
procedures for direct reporting by the NCCIC
Director of significant risks and incidents.
Requires the Secretary to build on existing mechanisms
—— ——
to promote public awareness about the importance of
securing information systems.
Requires a report from the Secretary within 180 days
—— ——
of enactment to HSC and HSGAC on efforts to bolster
collaboration on cybersecurity with international
partners.
Requires the Secretary, within 60 days of enactment, to
—— ——
publicly disseminate information about ways of sharing
information with the NCCIC, including enhanced
outreach to CI owners and operators.
(d) Protection of Sources and Methods
(c) Protection of Sources and Methods
——
Stipulates that the title does not affect federal
Stipulates that the bill does not affect federal
enforcement actions on classified information or
enforcement actions on classified information or
conduct of authorized law-enforcement or intelligence
conduct of authorized law-enforcement or intelligence
activities, or modify the authority of the President or
activities, or modify the authority of federal entities to
federal entities to protect and control dissemination of
protect classified information, sources and methods,
classified information, intelligence sources and
and U.S. national security.
methods, and U.S. national security.
CRS - 44
NCPAA—Title II
PCNA—Title I
CISA
(m) Authority of Secretary of Defense to
Respond to Cyber Attacks
——
——
Stipulates that the bill does not “limit the authority of
the Secretary of Defense to develop, prepare,
coordinate, or, when authorized by the President to do
so, conduct a military cyber operation in response to a
malicious cyber activity carried out against the United
States or a United States person by a foreign
government or an organization sponsored by a foreign
government or a terrorist organization.”
Sec. 204. Information Sharing and Analysis
Organizations
Amends Sec. 212 of the HSA to
——
——
(1) broaden the functions of ISAOs to include
—— ——
cybersecurity risk and incident information beyond that
relating to critical infrastructure, and
(2) add by reference the definitions of cybersecurity risk
—— ——
and incident in 6 U.S.C. 148(a).
Sec. 205. Streamlining of Department of
Homeland Security Cybersecurity and
Infrastructure Protection Organization
(a) Cybersecurity and Infrastructure Protection
Directorate
Renames the DHS National Protection and Programs
—— ——
Directorate as the Cybersecurity and Infrastructure
Protection. [Sic.]
(b) Senior Leadership of the Cybersecurity and
Infrastructure Protection Directorate
Provides a specific title for the undersecretary in
—— ——
charge of critical infrastructure protection as U/S-CIP.
Also adds two deputy undersecretaries, one for
cybersecurity and the other for infrastructure
protection. Does not require new appointments for
CRS - 45
NCPAA—Title II
PCNA—Title I
CISA
current officeholders and specifies that appointment of
the undersecretaries does not require Senate
confirmation.
(c) Report
Requires a report to HSC and HSGAC from the U/S-
—— ——
CIP within 90 days of enactment on the feasibility of
becoming an operational component of DHS, If that is
determined to be the best option for mission
fulfillment, requires submission of a legislative proposal
and implementation plan. Also requires that the report
include plans for more effective execution of the
cybersecurity mission, including expediting of
information sharing agreements.
Sec. 206. Cyber Incident Response Plans
(a) In General
Amends Sec. 227 of the HSA to change “Plan” to
—— ——
“Plans” in the title, to specify the U/S-CIP as the
responsible official, and to add a new subsection:
‘(b) Updates to the Cyber Incident Annex to the
National Response Framework’
Requires the Secretary, in coordination with other
—— ——
agency heads and in accordance with the National
Cybersecurity Incident Response Plan, to update,
maintain, and exercise regularly the Cyber Incident
Annex to the DHS National Response Framework.
(b) Clerical Amendment
Amends the table of contents of the act to reflect the
—— ——
title change made by (a).
CRS - 46
NCPAA—Title II
PCNA—Title I
CISA
Sec. 207. Security and Resiliency of Public
Safety Communications; Cybersecurity
Awareness Campaign
(a) In General
Adds two new sections to the HSA:
——
——
‘Sec. 230. Security and Resiliency of Public
Safety Communications’
Requires the NCCIC to coordinate with the DHS
—— ——
Office of Emergency Communications to assess
information on cybersecurity incidents involving public
safety communications to facilitate continuous
improvement in those communications.
‘Sec. 231. Cybersecurity Awareness Campaign’
‘(a) In General’
Requires the U/S-CIP to develop and implement an
—— ——
awareness campaign on risks and best practices for
mitigation and response, including at a minimum public
service announcements and information on best
practices that are vendor- and technology-neutral.
‘(b) Consultation’
Requires consultation with a wide range of
—— ——
stakeholders.
‘Sec. 232. National Cybersecurity Preparedness
Consortium’
‘(a) In General’
Authorizes the Secretary to establish the National
—— ——
Cybersecurity Preparedness Consortium to
‘(b) Functions’
- provide cybersecurity training to state and local first
—— ——
responders and officials,
- establish a training curriculum for them using the
CRS - 47
NCPAA—Title II
PCNA—Title I
CISA
DHS Community Cyber Security Maturity Model,
- provide technical assistance for improving capabilities,
- conduct training and simulation exercises,
- coordinate with the NCCIC to help states and
communities develop information sharing programs,
and
- coordinate with the National Domestic Preparedness
Consortium to incorporate cybersecurity into
emergency management functions.
‘(c) Members’
Stipulates that members be academic, nonprofit, and
—— ——
government partners with prior experience conducting
cybersecurity training and exercises in support of
homeland security.
(b) Clerical Amendment
Amends the table of contents of the act to include the
—— ——
new sections.
Sec. 208. Critical Infrastructure Protection
Research and Development
(a) Strategic Plan; Public-Private Consortiums
Adds a new section to the HSA:
——
——
‘Sec. 318. Research and Development Strategy
for Critical Infrastructure Protection’
‘(a) In General’
Requires the Secretary to submit to Congress within
—— ——
180 days of enactment, and biennially thereafter, a
strategic plan to guide federal R&D in technology
relating to both cyber- and physical security for CI.
‘(b) Contents of Plan’
Requires the plan to include
—— ——
- CI risks and technology gaps identified in consultation
with stakeholders and a resulting risk and gap analysis,
CRS - 48
NCPAA—Title II
PCNA—Title I
CISA
- prioritized needs based on that analysis, emphasizing
technologies to address rapidly evolving threats and
technology and including clearly defined roadmaps,
- facilities and capabilities required to meet those
needs,
- current and planned programmatic initiatives to foster
technology advancement and deployment, including
collaborative opportunities, and
- progress on meeting plan requirements.
‘(c) Coordination’
Requires coordination between the DHS Under
—— ——
Secretaries for Science and Technology and for the
National Protection and Programs Directorate. [Note:
Sec. 205 renames the latter position as the U/S-CIP.]
‘(d) Consultation’
Requires the Under Secretary for Science and
—— ——
Technology to consult with CI Sector Coordinating
Councils, heads of other relevant federal agencies, and
state, local, and tribal governments as appropriate.
(b) Clerical Amendment
Amends the table of contents of the act to include the
—— ——
new section.
Sec. 209. Report on Reducing Cybersecurity
Risks in DHS Data Centers
Requires a report to HSC and HSGAC within one year
—— ——
of enactment on the feasibility of creating an
environment within DHS for reduction in cybersecurity
risks in data centers, including but not limited to
increased compartmentalization of systems with a mix
of security controls among compartments.
CRS - 49
NCPAA—Title II
PCNA—Title I
CISA
Sec. 108. Report on Cybersecurity Threats
Sec. 9. Report on Cybersecurity Threats
(a) Report Required
(a) Report Required
——
Requires the DNI, in consultation with heads of other
Requires the DNI, in coordination with heads of other
appropriate elements of the IC, to submit within 180
appropriate elements of the IC, to submit within 180
days of enactment a report to the House and Senate
days of enactment a report to the House and Senate
Intelligence Committees on cybersecurity threats to
Intelligence Committees on cybersecurity threats,
the U.S. national security and economy, including
including attacks, theft, and data breaches.
attacks, theft, and data breaches.
(b) Contents
——
Requires that the report include
Requires that the report include
——
(1) assessments of current U.S. intelligence sharing and
(1) assessments of current U.S. intelligence sharing and
cooperation relationships with other countries on such
cooperation relationships with other countries on such
threats directed against the United States and
threats directed against the United States and
threatening U.S. national security interests, the
threatening U.S. national security interests, the
economy, and intellectual property, identifying the
economy, and intellectual property, specifically
utility of relationships, participation by elements of the
identifying the utility of relationships, participation by
IC, and possible improvements,
elements of the IC, and possible improvements,
——
(2) a list and assessment of countries and nonstate
(2) [Similar to PCNA],
actors constituting the primary sources of such threats,
——
(3) description of how much U.S. capabilities to
(3) [Similar to PCNA],
respond to or prevent such threats to the U.S. private
sector are degraded by delays in notification of the
threats,
——
(4) assessment of additional technologies or
(4) [Similar to PCNA],
capabilities that would enhance the U.S. ability to
prevent and respond to such threats, and
——
(5) assessment of private-sector technologies or
(5) [Identical to PCNA].
practices that could be rapidly fielded to assist the IC in
preventing and responding to such threats.
(c) Form of Report
——
Requires that the report be unclassified, but may
Requires that the report be made available in
include a classified annex.
unclassified and classified forms.
CRS - 50
NCPAA—Title II
PCNA—Title I
CISA
(d) Public Availability of Report
——
Requires that the unclassified portion of the report be
——
publicly available.
(e) Intelligence Community Defined
(d) Intelligence Community Defined
——
Defines intelligence community as in 50 U.S.C. 3003.
[Identical to PCNA].
Sec. 210. Assessment
Requires the Comptroller General, within two years of
—— ——
enactment, to submit a report to HSC and HSGAC
assessing implementation of the title and, as
practicable, findings on increased sharing at NCCIC
and throughout the United States.
Sec. 211. Consultation
Requires a report from the U/S-CIP on “the feasibility
—— ——
of a prioritization plan in the event of simultaneous
multi-CI incidents.
Sec. 212. Technical Assistance
Requires the DHS IG to review US-CERT and ICS-
—— ——
CERT operations to assess their capacity for
responding to current and potential y increasing
requests for technical assistance from nonfederal
entities.
Sec. 213. Prohibition on New Regulatory
Sec. 109(l) Regulatory Authority
Sec. 8(l) Regulatory Authority
Authority
Stipulates that the title does not grant DHS new
Stipulates that the title does not authorize
Stipulates that the bill does not authorize
authority to promulgate regulations or set standards
(1) promulgation of regulations or
(1) promulgation of regulations or
relating to cybersecurity for nonfederal,
(2) establishment of regulatory authority not specified
(2) establishment or limitation of regulatory authority
nongovernmental entities.
by the title, or
not specified by the bill, or
(3) duplicative or conflicting regulatory actions.
(3) duplicative or conflicting regulatory actions.
Sec. 214 Sunset
Ends all requirements for reports in the title seven
—— ——
years after enactment.
CRS - 51
NCPAA—Title II
PCNA—Title I
CISA
Sec. 215. Prohibition on New Funding
Stipulates that the title does not authorize additional
—— ——
funds for implementation and must be carried out using
available amounts.
Sec. 216. Protection of Federal Information
Systems
(a) In General
Adds a new section to the HSA.
——
——
‘Sec. 233. Available Protection of Federal
Information Systems’
‘(a) In General’
Requires the Secretary to make available to agencies
—— ——
capabilities, including technologies for continuous
diagnostics and mitigation, for protecting federal
information systems and their contents from risks.
‘(b) Activities’
Authorizes the Secretary to
——
——
- access information on a system regardless of location,
—— ——
and permits agency heads to disclose such information
to the Secretary or a private entity assisting the
Secretary, notwithstanding any other provision of law
that would otherwise restrict such disclosure,
- obtain assistance through agreements or otherwise
—— ——
from private entities for implementing technologies
under ‘(a),’
- use, retain, and disclose information obtained under
—— ——
this section only to protect federal systems and their
contents or,
with approval of the AG, to respond to
[Note: Sec. 104(d)(5) has related provisions for
[Note: Sec. 5(d)(5) has related provisions for
violations of 18 U.S.C. 1030 [on computer fraud and
information shared with the federal government (see p.
information shared with the federal government (see p.
related activities],
37).]
37).]
CRS - 52
NCPAA—Title II
PCNA—Title I
CISA
threats of death or serious bodily harm,
serious threats to minors, including sexual exploitation
and threats to physical safety, or
attempts or conspiracy to commit such offenses.
‘(c) Conditions’
Requires that the agreements bar disclosure of
—— ——
identifying information reasonably believed to be
unrelated to a cybersecurity risk except to DHS or the
disclosing agency, or use of information accessed under
the section by a private entity for any purpose other
than protecting federal information systems and their
contents or administration of the agreement.
‘(d) Limitation’
States that no cause of action shal lie against a private
—— ——
entity for assistance provided in accordance with this
section and an agreement under ‘(b).’
(b) Clerical Amendment
Amends the table of contents of the act to include the
—— ——
new section.
Sec. 217. Sunset
Sec. 112. Sunset
Terminates the provisions in the title seven years after
[Identical to NCPAA]
——
enactment.
Sec. 218. Report on Cybersecurity
Vulnerabilities of United States Ports
Requires a report with recommendations from the
—— ——
Secretary to HSC, HSGAC, House Committee on
Transportation and Infrastructure, and Senate
Committee on Commerce, Science, and
Transportation within 180 days of enactment on
cybersecurity vulnerabilities for the ten ports that the
Secretary determines are at greatest risk of an incident.
CRS - 53
NCPAA—Title II
PCNA—Title I
CISA
Sec. 219. Report on Cybersecurity and Critical
Infrastructure
Authorizes the Secretary to consult with sector-
—— ——
specific entities on a report to HSC and HSGAC on
federal y funded cybersecurity R&D with private-sector
efforts to protect privacy and civil liberties while
protecting CI, including promoting R&D for secure and
resilient design and construction, enhanced modeling of
impacts from incidents or threats, and facilitating
incentivization of investments to strengthen
cybersecurity and resilience of CI.
Sec. 220. GAO Report on Impact Privacy and
Sec. 111. Comptroller General Report on
Civil Liberties
Removal of Personal Identifying Information
(a)
Report
Requires a report from the Comptrol er General to
Requires a report from the Comptrol er General to
——
HSC and HSGAC within five years of enactment
Congress within three years of enactment on federal
assessing the impacts of NCCIC activities on privacy
actions to remove personal information from threat
and civil liberties.
indicators pursuant to Sec. 104(b).
(b) Form
——
Requires that the report be unclassified but permits a
——
classified annex.
Sec. 10. Conforming Amendments
(a) Public Information
——
——
Amends 5 U.S.C. 552(b) [on public information] to
specify protection from federal disclosure of
information provided under the bill.
(b) Modification of Limitation on Dissemination
of Certain Information Concerning
Penetrations of Defense Contractor Networks
——
——
Amends Sec. 941(c)(3) of the FY2013 National Defense
Authorization Act (10 U.S.C. 2224 note) to permit
CRS - 54
NCPAA—Title II
PCNA—Title I
CISA
sharing by the Secretary of Defense of threat indicators
and defensive measures consistent with the procedures
promulgated by the AG under Sec. 5 of the bill.
Source: CRS.
Notes: See “Notes on the Table.”
CRS - 55
Cybersecurity and Information Sharing: Comparison of Legislative Proposals
Author Contact Information
Eric A. Fischer
Stephanie M. Logan
Senior Specialist in Science and Technology
Research Assistant
efischer@crs.loc.gov, 7-7071
slogan@crs.loc.gov, 7-0504
Congressional Research Service
56