Cybersecurity and Information Sharing: Comparison of H.R. 1560 (PCNA and NCPAA) and S. 754 (CISA)

AG

Attorney General

CI

Critical Infrastructure

CPO

Chief Privacy Officer

CRADA

Cooperative research and development agreement

CTIIC

Cyber Threat Intelligence Integration Center

DHS

Department of Homeland Security

DNI

Director of National Intelligence

DOD

Department of Defense

DOJ

Department of Justice

FIPPs

Fair Information Practice Principles

FISMA

Federal Information Security Modernization Act (44 U.S.C. Chapter 34, subchapter II)

GAO

Government Accountability Office

HHS

Health and Human Services

HSA

Homeland Security Act

HSC

House Committee on Homeland Security

HSGAC

Senate Homeland Security and Governmental Affairs Committee

IC

Intelligence community

ICS

Industrial control system

ICS-CERT

Industrial Control System Cyber Emergency Response Team

IG

Inspector General

ISAC

Information sharing and analysis center

ISAO

Information sharing and analysis organization

MOU

Memorandum of understanding

NCCIC

National Cybersecurity and Communications Integration Center

NCPAA

National Cybersecurity Protection Advancement Act of 2015

NICE

National Initiative for Cybersecurity Education

NIST

National Institute of Standards and Technology

NSS

National Security System(s)

ODNI

Office of the Director of National Intelligence

OMB

Office of Management and Budget

OPM

Office of Personnel Management

PCLOB

Privacy and Civil Liberties Oversight Board

PCNA

Protecting Cyber Networks Act

R&D

Research and development

SSA

Sector-specific agency

Secretary

Secretary of Homeland Security

US-CERT

United States Computer Emergency Readiness Team

U/S-CIP

DHS Under Secretary for Cybersecurity and Infrastructure Protection

NCPAA

PCNA

CISA

"To amend the Homeland Security Act of 2002 to enhance multi-directional sharing of information related to cyber­security risks and strengthen privacy and civil liberties protections, and for other purposes."

"To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes." [Note: These two official titles have been concatenated in the engrossed version of H.R. 1560.]

[Identical to PCNA]

Sec. 1. Table of Contents

Title I. Cybersecurity Information Sharing

Sec. 201. Short Title

Sec. 101. Short Title

Sec. 101. Short Title

National Cybersecurity Protection Advancement Act of 2015

Protecting Cyber Networks Act

Cybersecurity Information Sharing Act of 2015

Sec. 202. National Cybersecurity and Communications Integration Center

Amends Sec. 226 of the HSA (6 U.S.C. 148). [Note: This section, added by P.L. 113-282, established the National Cybersecurity and Communications Integration Center and is referred to in the bill as the "second section 226" to distinguish it from an identically numbered section added by P.L. 113-277.]

——

[Note: Sec. 203(a) redesignates "second section 226" of the HSA as Sec. 227 and renumbers Sec. 227 and 228 (see p. 52).]

(a) In General

Sec. 110. Definitions

Sec. 102. Definitions

Amends existing definitions in 6 U.S.C. 148(a):

Defines terms in this title:

Defines terms in this title:

Cybersecurity Risk: Excludes actions solely involving violations of consumer terms of service or licensing agreements from the definition.

——

——

Incident: Replaces the phrase "or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies" with "or actually or imminently jeopardizes, without lawful authority, an information system."

——

——

Adds the following definitions:

Agency: As in 44 U.S.C. 3502.

[Identical to PCNA]

——

——

Antitrust Laws: As in 15 U.S.C. 12, 15 U.S.C. 45 as it "applies to unfair methods of competition," and state laws with the same intent and effect.

——

Appropriate Federal Entities: Departments of Commerce, Defense, Energy, Homeland Security, Justice, and the Treasury; and Office of the ODNI.

[Identical to PCNA]

——

Cybersecurity Threat: An action unprotected by the 1^st Amendment to the Constitution that involves an information system and may result in unauthorized efforts to adversely impact the security, integrity, confidentiality, or availability of the system or its contents, but not including actions solely involving violations of consumer terms of service or licensing agreements.

[Similar to PCNA]

Cyber Threat Indicator:
Technical information necessary to describe or identify

Cyber Threat Indicator:
Information or a physical object necessary to describe or identify

Cyber Threat Indicator:
Information necessary to describe or identify

- a method for "probing, monitoring, maintaining, or establishing network awareness" [defined below] of an information system to discern its technical vulnerabilities, if the method is known or reasonably suspected of association with a known or suspected cybersecurity risk, including

- malicious reconnaissance [Note: Definition of this term below includes a method, associated with a known or suspected cybersecurity threat, for probing or monitoring an information system to discern its vulnerabilities], including

[Identical to PCNA]

communications that reasonably appear to have "the purpose of gathering technical information related to a cybersecurity risk,"

anomalous patterns of communications that appear to have "the purpose of gathering technical information related to a cybersecurity threat or security vulnerability,"

[Identical to PCNA]

- a method for defeating a security control or technical control,

- a method of defeating a security control or exploiting a security vulnerability,

[Identical to PCNA]

- "a technical vulnerability including anomalous technical behavior that may become a vulnerability,"

- a security vulnerability or anomalous activity indicating the existence of one,

[Identical to PCNA]

- a method of causing a legitimate user of an information system or its contents to
"inadvertently enable the defeat of a technical or operational control,"

- a method of causing a legitimate user of an information system or its contents to
unwittingly enable defeat of a security control or exploitation of a security vulnerability,

[Identical to PCNA]

- a method for unauthorized remote identification, access, or use of an information system or its contents, if the method is known or reasonably suspected of association with a known or suspected cybersecurity risk, or

- "malicious cyber command and control," [Note: Definition of this term below includes remote identification, access, or use of an information system or its contents.]

[Identical to PCNA]

- actual or potential harm from an incident, including exfiltration of information; or

[Identical to NCPAA]

[Identical to NCPAA]

- any other cybersecurity risk attribute that cannot be used to identify specific persons believed to be unrelated to the risk, and

- any other cybersecurity threat attribute the

[Identical to PCNA]

disclosure of which is not prohibited by law.

disclosure of which is not prohibited by law.

[Identical to PCNA]

- any combination of the above.

——

- "any combination thereof."

Cybersecurity Purpose:
Protecting
an information system or its contents from a cybersecurity risk or incident or identifying a risk or incident source.

Cybersecurity Purpose:
Protecting (including by using defensive measures)
an information system or its contents from a cybersecurity threat or security vulnerability or identifying a threat source.

Cybersecurity Purpose:
Protecting
an information system or its contents from a cybersecurity threat or security vulnerability.

Defensive Measure:
An "action, device, procedure, signature, technique, or other measure applied to an information system" or its contents that "detects, prevents or mitigates a known or suspected cybersecurity risk or incident" or attributes that could help defeat security controls,

Defensive Measure:
An "action, device, procedure, technique, or other measure" executed on an information system or its contents that "prevents or mitigates a known or suspected cybersecurity threat or security vulnerability."

Defensive Measure:
An "action, device, procedure, signature, technique, or other measure" applied to an information system that "detects, prevents or mitigates a known or suspected cybersecurity threat or security vulnerability."

but not including "a measure that destroys, renders unusable, or substantially harms an information system" or its contents not operated by that nonfederal entity, except a state, local, or tribal government, or by another nonfederal or federal entity that consented to such actions.

[No Corresponding Provision; however, the authority to operate defensive measures in Sec. 103(b) includes a similar restriction; see p. 30];

but not including "a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system" or its contents not operated by that private entity, or by another [nonfederal] or federal entity that consented to such actions.

——

Federal Entity: A U.S. department or agency, or any component thereof.

[Identical to PCNA]

[Note: No corresponding provision, but Information System is already defined in 6 U.S.C. 148 as 44 U.S.C. 3502.]

Information System: As in 44 U.S.C. 3502.

[Identical to PCNA]

——

Local Government: A political subdivision of a state.

[Identical to PCNA]

[Note: No corresponding provision, but the definition of Cyber Threat Indicator includes a method for unauthorized remote identification, access, or use of an information system or its contents, provided that the method is known or reasonably suspected of association with a known or suspected cybersecurity risk.]

Malicious Cyber Command and Control: "A method for unauthorized remote identification of, access to, or use of an information system" or its contents.

[Identical to PCNA]

——

Malicious Reconnaissance: A method, associated with a known or suspected cybersecurity threat, for probing or monitoring an information system to discern its vulnerabilities.

[Identical to PCNA]

Network Awareness:
Scanning, identifying, acquiring, monitoring, logging, or analyzing the contents of an information system.

Monitor:
Scanning, identifying, acquiring, or otherwise possessing the contents of an information system.

[Identical to PCNA]

[Note: Nonfederal government agencies are not expressly defined in the bill but are covered in specific provisions]

Non-Federal Entity:
A private entity or nonfederal government or agency thereof (including personnel), but not including foreign powers as defined in 50 U.S.C. 1801.

Entity:
A private entity or nonfederal government or agency thereof, but not including foreign powers as defined in 50 U.S.C. 1801.

Private Entity:
A nonfederal entity that is an individual, nonfederal government utility or "an entity performing utility services," or

Private Entity:
A person, nonfederal government utility, or

Private Entity:
A person, nonfederal government utility, or

private group, organization, proprietorship, partnership, trust, cooperative, corporation, or other commercial or nonprofit entity,

[Identical to NCPAA]

[Identical to NCPAA]

including personnel.

including personnel, but

[Identical to PCNA]

——

not including a foreign power as defined in 50 U.S.C. 1801.

[Identical to PCNA]

——

Real Time: Automated, machine-to-machine system processing of cyber threat indicators where the occurrence and "reporting or recording" of an event are "as simultaneous as technologically and operationally practicable."

——

Security Control: The management, operational, and technical controls used to protect an information system and the information stored on, processed by, or transiting it against unauthorized attempts to adversely affect their confidentiality, integrity, or availability.

Security Control: The management, operational, and technical controls used to protect an information system and its information against unauthorized attempts to adversely impact their security, confidentiality, integrity, or availability.

Security Control: The management, operational, and technical controls used to protect an information system and its information against unauthorized attempts to adversely affect their confidentiality, integrity, or availability.

——

Security Vulnerability: "Any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control."

[Identical to PCNA]

Sharing: "Providing, receiving, and disseminating."

——

——

——

Tribal: As in 25 U.S.C. 450b.

[Identical to PCNA]

(b) Amendment

Adds tribal governments, private entities, and ISACs as appropriate members of the NCCIC in DHS.

——

——

Sec. 203. Information Sharing Structure and Processes

Sec. 102. Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government With Non-federal Entities

Sec. 103. Sharing of Information by the Federal Government

(a) In General

(a) In General

Amends Sec. 226 of the HSA.

Amends Title I of the National Security Act of 1947 by adding a new section.

——

'Sec. 111. Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government With Non-Federal Entities'

'(a) Sharing by the Federal Government'

(1) revises the functions of the NCCIC by specifying that it is the "lead" federal civilian interface for information sharing, adding "cyber threat indicators" and "defensive measures" to the subjects it addresses, and expanding its functions to include

'(1)' requires the DNI, in consultation with the heads of appropriate federal entities, to develop and promulgate procedures consistent with protection of classified information, intelligence sources and methods, and privacy and civil liberties, for

Requires the DNI, the Secretaries of Homeland Security and Defense, and the AG, in consultation with the heads of appropriate federal entities, to develop and promulgate procedures consistent with protection of classified information, intelligence sources and methods, and privacy and civil liberties, for

[Note: See also Sec. 105(c), p. 26, requiring DHS to implement the process for sharing electronic threat indicators and defensive measures with the federal government.]

- providing information and recommendations on information sharing,

——

——

- in consultation with other appropriate agencies, collaborating with international partners, including on enhancing "the security and resilience of the global cybersecurity ecosystem," and

——

——

- sharing "cyber threat indicators, defensive measures," and information on cybersecurity risks and incidents with federal and nonfederal entities, including across critical-infrastructure (CI) sectors and with fusion centers.
[Note: See also the provisions on the CTIIC in PCNA, p. 27.]

timely sharing of classified cyber threat indicators and declassified indicators with relevant nonfederal entities, and sharing of information about imminent or ongoing cybersecurity threats to such entities to prevent and mitigate adverse impacts.

timely sharing of (1) classified cyber threat indicators and (2) declassified indicators and information with relevant entities, (4) sharing of information about cybersecurity threats to such entities to prevent and mitigate adverse impacts, and (3) sharing with relevant entities, or the public as appropriate, of unclassified indicators.

——

——

(5) periodic sharing of best practices based on federal information, with attention to challenges faced by small businesses.

- notify the Secretary, the HSC, and the HSGAC of significant violations of privacy and civil liberties protections under 'Sec. 226(i)(6),'

——

——

'(2) Development of Procedures'

(b) Development of Procedures

——

Requires that procedures for sharing developed by the DNI include methods to notify

(1) requires that procedures for sharing developed by the DNI include methods for timely notifying of

- promptly notifying nonfederal entities that have shared information known to be in error or in contravention to section requirements,

nonfederal entities that have received information from a federal entity under the title and known to be in error or in contravention to title requirements or other federal law or policy.

[nonfederal] entities that have received information from a federal entity under the bill and known to be in error or in contravention to requirements in the bill or other federal law or policy, and

U.S. persons whose personal information was shared by a federal entity in violation of the bill.

- participating in DHS-run exercises, and

——

——

——

Requires that the procedures incorporate existing information-sharing mechanisms of federal and nonfederal entities, including ISACs, as much as possible, and

[Identical to PCNA]

——

include methods to promote efficient granting of security clearances to appropriate representatives of nonfederal entities.

——

——

——

(2) requires that the procedures be developed in coordination with appropriate federal entities, including the Small Business Administration and the National Laboratories, to ensure implementation of timely sharing of indicators. [Note: See also PCNA, Sec. 103(f) on small business, p. 22.]

(2) expands NCCIC membership to include the following [Note: all are existing entities]:

——

——

- an entity that collaborates with state and local governments on risks and incidents and has a voluntary information sharing relationship with the NCCIC,

——

——

- the US-CERT for collaboratively addressing, responding to, providing technical assistance upon request on, and coordinating information about and timely sharing of threat indicators, defensive measures, analysis, or information about cybersecurity risks and incidents,

——

——

- the ICS-CERT to coordinate with ICS owners and operators, provide training on ICS cybersecurity, timely share information about indicators, defensive measures, or cybersecurity risks and incidents of ICS, and remain current on ICS technology advances and best practices,

——

——

- the "National Coordinating Center for Communications to coordinate the protection, response, and recovery of emergency communications," and

——

——

- "an entity that coordinates with small and medium-sized businesses."

——

——

(3) adds "cyber threat indicators" and "defensive measures" to the subjects covered in the principles of operation of the NCCIC,

——

——

Sec. 103. Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats

(f) Small Business Participation

Requires that information be shared as appropriate with small and medium-sized businesses and that the NCCIC make self-assessment tools available to them,

Requires the Small Business Administration to assist small businesses and financial institutions in monitoring, defensive measures, and sharing information under the section.

——

——

Requires a report with recommendations by the administrator to the President within one year of enactment on sharing by those institutions and use of shared information for network defense.
Requires federal outreach to those institutions to encourage them to exercise the authorities provided under the section.

——

Specifies that information be guarded against disclosure.

——

——

Stipulates that the NCCIC must work with the DHS CPO to ensure that the NCCIC follows privacy and civil liberties policies and procedures under 'Sec. 226(i)(6)';

——

——

(4) adds new subsections to Sec. 226 of the HSA:

——

——

'(g) Rapid Automated Sharing'

'(1)' requires the DHS U/S-CIP to develop capabilities, in coordination with stakeholders and based as appropriate on existing standards and approaches in the information technology industry, that support and advance automated and timely sharing of threat indicators and defensive measures to and from the NCCIC and with SSAs for each CI sector in accordance with 'Sec. 226(h).'.

'Sec. 111(a)(2)' requires that the procedures ensure the capability of real-time sharing consistent with protection of classified information.
[Note: 'Sec. 111(b)(2)' requires procedures to ensure such sharing—see p. 25.]

(1) [Identical to PCNA]

'(2)' requires the U/S-CIP to report to Congress twice per year on the status and progress of that capability until it is fully implemented.

——

——

'(h) Sector Specific Agencies'

Requires the Secretary to collaborate with relevant CI sectors and heads of appropriate federal agencies to recognize each CI SSA designated as of March 25, 2015, in the DHS National Infrastructure Protection Plan. Designates the Secretary as SSA head for each sector for which DHS is the SSA. Requires the Secretary to coordinate with relevant SSAs to
- support CI sector security and resilience activities,
- provide knowledge, expertise, and assistance on request, and
- support timely sharing of threat indicators and defensive measures with the NCCIC.

——

——

'(b) Definitions'

——

Defines the following terms by reference to Sec. 110 of the title: Appropriate Federal Entities, Cyber Threat Indicator, Defensive Measure, Federal Entity, and Non-Federal Entity.

——

(b) Submittal to Congress

——

Requires that the procedures developed by the DNI be submitted to Congress within 90 days of enactment of the title.

(c) Requires that the procedures developed by the DNI be submitted to Congress within 60 days of enactment of the bill.

(c) Table of Contents Amendment

——

Revises the table of contents of the National Security Act of 1947 to reflect the addition of 'Sec. 111.'

——

Sec. 104. Sharing of Cyber Threat Indicators and Defensive Measures with Appropriate Federal Entities Other Than the Department of Defense or the National Security Agency

Sec. 105. Sharing of Cyber Threat Indicators and Defensive Measures with the Federal Government

(a) Requirement for Policies and Procedures

(a) Requirement for Policies and Procedures

——

(1) Adds new subsections to 'Sec. 111' of the National Security Act of 1947

——

'(i) Voluntary Information Sharing Procedures'

'(b) Policies and Procedures for Sharing with the Appropriate Federal Entities Other Than the Department of Defense or the National Security Agency'

'(1)' permits voluntary information-sharing relationships for cybersecurity purposes between the NCCIC and nonfederal entities but prohibits requiring such an agreement.
Permits the NCCIC, at the sole and unreviewable discretion of the Secretary, acting through the U/S-CIP, to terminate an agreement for repeated, intentional violation of the terms of '(i).'
Permits the Secretary, solely and unreviewably and acting through the U/S-CIP, to deny an agreement for national security reasons.

'(1)' requires the President to develop and submit to Congress policies and procedures for federal receipt of cyber threat indicators and defensive measures.

(1) requires the AG and the Secretary, in coordination with heads of appropriate agencies, to develop and submit to Congress policies and procedures for federal receipt of cyber threat indicators and defensive measures.

'(2)' permits the relationship to be established through a standard agreement for nonfederal entities not requiring specific terms.
Stipulates negotiated agreements with DHS upon request of a nonfederal entity where NCCIC has determined that they are appropriate, and at the sole and unreviewable discretion of the Secretary, acting through the U/S-CIP.

——

——

Stipulates that any agreement in effect prior to enactment of the title will be deemed in compliance with requirements in '(i).' Requires that those agreements include "relevant privacy protections as in effect" under the CRADA for Cybersecurity Information Sharing and Collaboration, as of December 31^st 2014." Also stipulates that an agreement is not required for an entity to be in compliance with '(i).'

——

——

——

'(2)' requires that the policies and procedures be developed in accordance with the privacy and civil liberties guidelines under Sec. 104(b) of the title, and ensure

(3) requires that, consistent with the privacy and civil liberties guidelines under Sec. (b), the policies and procedures ensure

——

- real-time sharing of indicators from nonfederal entities with appropriate federal entities except DOD,

- automated sharing of indicators from any [nonfederal] entity with the federal government through the real-time process under (c),

——

- receipt without delay, modification, or other action except for good cause that could impede receipt, and

- real-time receipt. subject only to delay, modification, or other action that could impede receipt

——

——

due to process controls unanimously agreed upon by appropriate agency heads, carried out before retention or use of the indicators or defensive measures, and uniformly applied to federal entities, with

——

- provision to all relevant federal entities,

- provision permitted to other federal entities, and

——

——

- if not through the process under (c), sharing "as quickly as operationally practicable," without unnecessary delay, and also ensure

——

- audit capability, and

- audit capabilities, and

——

- appropriate sanctions for federal personnel who knowingly and willfully use shared information other than in accordance with the title.

- appropriate sanctions for federal personnel who knowingly and willfully conduct activities under the bill in an unauthorized manner.

——

(2) requires that an interim version of the policies and procedures be submitted to Congress within 90 days of enactment of the title, and the final version within 180 days.

(1) requires that an interim version of the policies and procedures be submitted to Congress within 60 days of enactment of the title, and (2) the final version within 180 days.

——

——

(4) requires the AG and Secretary to develop public guidelines on matters appropriate to assist and promote sharing of threat indicators with federal entities, including identification of kinds of information constituting
- indicators unlikely to include personal or identifying information,
- information protected under privacy laws that is unlikely to be directly related to a threat.

——

——

(c) Capability and Process Within the Department of Homeland Security

[Note: See also Sec. 203, p. 19, specifying the DHS NCCIC as the lead federal civilian interface for information sharing.]

——

(1) requires the Secretary to develop and implement, within 90 days of enactment, a capability and process within DHS that will

——

——

- accept indicators and defensive measures in real time from any entity, and upon certification under (2),

——

——

- be the process for federal receipt of indicators and defensive measures from private entities through electronic means, except for communications about indicators previously shared consistent with Sec. 104 between federal and private entities to describe threats or develop defensive measures, and for communications about cybersecurity threats by a regulated entity with its federal regulatory authority,

——

——

- ensure automated receipt by federal entities of indicators shared in real time with DHS,

——

——

- comply with section policies, procedures, and guidelines,

——

——

- not limit or prohibit otherwise lawful disclosures, including reporting of criminal activity, participating in a federal investigation, and providing indicators or measures under a statutory or contractual requirement.

——

——

(2) requires the Secretary, in consultation with the heads of appropriate federal agencies, to certify to Congress at least 10 days before implementation whether the capability and process operates as the process for receipt of indicators and measures from any entity in accordance with section policies, procedures, and guidelines.

——

——

(3) requires the Secretary to ensure public notice of and access to the process so that entities may share indicators and measures through it and federal entities receive them in real time.

——

——

(4) requires the process under (1) to ensure timely receipt by federal entities of shared indicators and measures.

——

——

(5) requires an unclassified report, which may include a classified annex, to Congress by the Secretary within 60 days of enactment on development and implementation of requirements in (1) and (3).

(c) National Cyber Threat Intelligence Integration Center

——

(1) Adds a new section to the National Security Act of 1947.

——

'Sec. 119B. Cyber Threat Intelligence Integration Center'

'(a) Establishment'

——

Establishes the CTIIC within the ODNI.

——

'(b) Director'

——

Creates a director for the CTIIC, to be appointed by the DNI.

——

'(c) Primary Missions'

——

Specifies the missions of the CTIIC with respect to cyberthreat intelligence as
- serving as the primary federal organization for analyzing and integrating it,
- ensuring full access and support of appropriate agencies to activities and analysis,
- disseminating analysis to the President, appropriate agencies, and Congress,
- coordinating agency activities, and
- conducting strategic federal planning.

——

'(d) Limitations'

——

Requires that the CTIIC
- have no more than 50 permanent positions,
- may not augment staff above that limit in carrying out its primary missions, and
- be located in a building owned and operated by an element of the IC,

——

——

(4) revises the table of contents of the National Security Act of 1947.

——

'(3) Information Sharing Authorization'

Sec. 103(c) Authorization for Sharing or Receiving Cyber Threat Indicators or Defensive Measures

Sec. 104(c) Authorization for Sharing or Receiving Cyber Threat Indicators or Defensive Measures

Permits nonfederal entities to share, for cybersecurity purposes, cyber threat indicators, and defensive measures, from their own information systems or those of other entities upon written consent,

(1) permits nonfederal entities to share, for cybersecurity purposes and consistent with privacy requirements under (d)(2) and protection of classified information, lawfully obtained cyber threat indicators or defensive measures

(1) permits entities to share, "for a cybersecurity purpose and consistent with protection of classified information", cyber threat indicators or defensive measures

with other nonfederal entities or the NCCIC,

with other nonfederal entities or appropriate federal entities except DOD,

with any [nonfederal] entity or the federal government,

notwithstanding any other provision of law,

notwithstanding any other provision of law,

notwithstanding any other provision of law,

except that nonfederal recipients must comply with lawful restrictions on sharing and use imposed by the source.

(2) [Similar to NCPAA]

(2) [Similar to NCPAA]

(d) Protection and Use of Information

(d) Protection and Use of Information

Requires reasonable efforts by nonfederal and federal entities, prior to sharing, to

(2) requires reasonable efforts by nonfederal entities, before sharing a threat indicator, to

(2) requires entities, before sharing a threat indicator, to

safeguard personally identifying information from unintended disclosure or unauthorized access or acquisition and

——

——

remove or exclude such information where it is reasonably believed when it is shared to be unrelated to a cybersecurity risk or incident.

remove information reasonably believed to be personal or identifying of a specific person not directly related to a cybersecurity threat, or
implement a technical capability for removing such information.

remove information known to be personal or that identifies a specific person not directly related to a cybersecurity threat, or
implement and use a technical capability for removing such information.

Sec. 109. Construction and Preemption

Sec. 108. Construction and Preemption

(f) Information Sharing Relationships

(f) Information Sharing Relationships

Stipulates that nothing in '(3)'

Stipulates that nothing in the title

Stipulates that nothing in the bill

- limits or modifies an existing information sharing relationship or prohibits or requires a new one,

- (1) limits or modifies an existing information sharing relationship or (2) prohibits or requires a new one.

[Similar to PCNA] or

——

——

requires use of the DHS sharing process under Sec. 105(c) [p. 26].

——

Sec. 103(c)(3) stipulates that nothing in (c)

Sec. 104(c)(3) stipulates that nothing in (c)

——

- authorizes information sharing other than as provided in (c),

[Identical to PCNA]

——

- permits unauthorized sharing of classified information,
- authorizes federal surveillance of any person,
- prohibits a federal entity, at the request of a nonfederal entity, from technical discussion of threat indicators and defensive measures and assistance with vulnerabilities and threat mitigation,
- prohibits otherwise lawful sharing by a nonfederal entity of indicators or defensive measures with DOD, or

——

- limits otherwise lawful activity, or

[Similar to NCPAA]

[Identical to PCNA]

- impacts or modifies existing procedures for reporting criminal activity to appropriate law enforcement authorities, or participating in an investigation.

——

——

Requires the U/S-CIP to coordinate with stakeholders to develop and implement policies and procedures to coordinate disclosures of vulnerabilities as practicable and consistent with relevant international industry standards.

——

——

'(4) Network Awareness Authorization'

(a) Authorization for Private-Sector Defensive Monitoring

(a) Authorization for Monitoring

permits nonfederal, nongovernment entities, notwithstanding any other provision of law, to conduct network awareness, for cybersecurity purposes and to protect rights or property, of

(1) permits private entities, notwithstanding any other provision of law, to
monitor, for cybersecurity purposes,

[Similar to PCNA]

- its own information systems,

[Similar to NCPAA]

[Identical to PCNA]

- with written consent, information systems of a nonfederal or federal entity, or

[Similar to NCPAA] or

[Similar to NCPAA] or

- the contents of such systems.

[Similar to NCPAA]

[Identical to PCNA]

Stipulates that nothing in '(4)'
- authorizes network awareness other than as provided in the section, or

(2) Stipulates that nothing in (a)
- authorizes monitoring other than as provided in the title,

[Identical to NCPAA]

- limits otherwise lawful activity,

[Similar to NCPAA]

[Similar to PCNA]

——

- authorizes federal surveillance of any person.

——

'(5) Defensive Measure Authorization'

(b) Authorization for Operation of Defensive Measures

(b) Authorization for Operation of Defensive Measures

permits nonfederal, nongovernment entities to operate defensive measures, for cybersecurity purposes and to protect rights or property, that are applied to

(1) permits private entities to operate defensive measures, for a cybersecurity purpose and to protect rights or property, that are operated on

(1) permits private entities to operate defensive measures, for cybersecurity purposes and to protect rights or property, that are applied to

- its own information systems,

[Similar to NCPAA] or

[Similar to NCPAA]

- with written consent, information systems of a nonfederal or federal entity, or

- with written authorization, information systems of a nonfederal or federal entity, or

- with written consent, information systems of another [nonfederal] entity, or
a federal entity with written consent of an authorized representative

- the contents of such systems,

——

——

notwithstanding any other provision of law, except that measures may not be used except as authorized in the section, and '(5)' does not limit otherwise lawful activity.

(1) notwithstanding any other provision of law, except
(3) that measures may not be used except as authorized in (b), and (b) does not limit otherwise lawful activity.

(1) notwithstanding any other provision of law, except
(2) [Identical to PCNA]

[No Corresponding Provision; however, the definition of defensive measure in Sec. 202(a) includes a similar restriction; see p. 17.]

(2) stipulates that (1) does not authorize operation of defensive measures that destroy, render wholly or partly unusable or inaccessible, or substantially harm an information system or its contents not owned by either the private entity operating the measure or a nonfederal or federal entity that provided written authorization to that private entity.

[No Corresponding Provision; however, the definition of defensive measure in Sec. 2 includes a similar restriction; see p. 17.]

(e) No Right or Benefit

(f) No Right or Benefit

——

Stipulates that sharing of indicators with a nonfederal entity creates no right or benefit to similar information by any nonfederal entity.

Stipulates that sharing of indicators with a [nonfederal] entity creates no right or benefit to similar information by any [nonfederal] entity.

'(6) Privacy and Civil Liberties Protections'

Sec. 104(b) Privacy and Civil Liberties

Sec. 105(b) Privacy and Civil Liberties

Requires the U/S-CIP,

(1) requires the AG,

(1) requires the AG,

in coordination with the DHS CPO and Chief Civil Rights and Civil Liberties Officer,

in consultation with appropriate federal agency heads and agency privacy and civil liberties officers,

in coordination with appropriate federal entity heads and in consultation with agency privacy and civil liberties officers,

to establish and review annually policies and procedures on information shared with the NCCIC under the section.

to develop and review periodically guidelines on privacy and civil liberties to govern federal handling of cyber threat indicators obtained through the title's provisions.

to develop interim guidelines on privacy and civil liberties to govern federal handling of cyber threat indicators obtained through the bill's provisions;

[Note: No requirement for interim policies and procedures]

[Note: No distinction between requirements for interim and final versions of the guidelines]

(2) in coordination with appropriate federal entity heads and in consultation with agency privacy and civil liberties officers and relevant private entities with industry expertise,
to promulgate, and review at least biennially, in coordination with appropriate agency heads and consultation with agency privacy and civil liberties officers and relevant private entities, final guidelines on privacy and civil liberties to govern federal handling of cyber threat indicators obtained through the bill's provisions

Requires that they apply only to DHS, consistent with the need for timely protection of information systems from and mitigation of cybersecurity risks and incidents, the policies and procedures

(2) requires that, consistent with the need for protection of information systems and threat mitigation, the guidelines

(3) [Similar to PCNA]

- be consistent with DHS FIPPs,

- be consistent with FIPPs in the White House National Strategy for Trusted Identities in Cyberspace [Note: The two versions of the principles are identical, except that the DHS version applies the principles to DHS whereas the White House document applies them to "organizations"],

(a)(3) requires that, consistent with the bill, applicable provisions of law and the FIPPs in the White House National Strategy for Trusted Identities in Cyberspace govern federal retention, use, and dissemination of information shared with the federal government under the bill;

- "reasonably limit, to the extent practicable, receipt, retention, use, and disclosure of cybersecurity threat indicators and defensive measures associated with specific persons" not needed for timely protection of systems and networks,

- limit receipt, retention, use, and dissemination of cybersecurity threat indicators containing personal information of or identifying specific persons,

(b)(3) - limit receipt, retention, use, and dissemination of cybersecurity threat indicators containing information that is personal or that identifies specific persons,

——

including by establishing processes for prompt destruction of information known not to be directly related to uses for cybersecurity purposes, setting limitations on retention of indicators, and notifying recipients that indicators may be used only for cybersecurity purposes, and,

including by establishing processes for timely destruction of information known not to be directly related to uses under the title, and setting limitations on retention of indicators, and requiring that recipients be informed that indicators may be used only for purposes authorized under the bill,

- minimize impacts on privacy and civil liberties,

- limit impacts on privacy and civil liberties of federal activities under the title, including

- limit impacts on privacy and civil liberties of federal activities under the bill,

- provide data integrity through prompt removal and destruction of obsolete or erroneous personal information unrelated to the information shared and retained by the NCCIC in accordance with this section,

guidelines for removal of personal and personally identifying information handled by federal entities under the title,

——

- include requirements to safeguard from unauthorized access or acquisition cyber threat indicators and defensive measures retained by the NCCIC,

- include requirements to safeguard from unauthorized access or acquisition cyber threat indicators

[Identical to PCNA]

identifying specific persons, including proprietary or business-sensitive information,

containing personal information of or identifying specific persons,

containing information that is personal or that identifies specific persons,

- protect the confidentiality of cyber threat indicators and defensive measures associated with specific persons, to the greatest extent practicable,

——

- protect the confidentiality of cyber threat indicators containing information that is personal or that identifies specific persons, to the greatest extent practicable,

- ensure that relevant constitutional, legal, and privacy protections are observed.

- be consistent with other applicable provisions of law,

[See (a)(3), p. 31, stating that applicable provisions of law will govern information sharing activities, consistent with the bill],

——

- include procedures to notify entities if a federal entity receiving information knows that it is not a cyber threat indicator,

[Similar to PCNA]

——

- include steps to ensure that dissemination of indicators is consistent with the protection of classified and other sensitive national security information.

[Similar to PCNA]

Stipulates that the U/S-CIP may consult with NIST in developing the policies and procedures.

——

——

Requires the DHS CPO and the Officer for Civil Rights and Civil Liberties, in consultation with the PCLOB, to submit to appropriate congressional committees

(3) requires the AG to submit to Congress

Requires the AG to submit to Congress

the policies and procedures within 180 days of enactment and annually thereafter.

interim guidelines within 90 days of enactment and final guidelines within 180 days.

(1) interim guidelines within 60 days of enactment and (2) final guidelines within 180 days.

Requires the U/S-CIP, in consultation with the PCLOB and the DHS CPO and Chief Civil Rights and Civil Liberties Officer, to ensure public notice of and access to the policies and procedures.

——

(1) requires the AG to make the interim guidelines available to the public. [Note: There is no similar requirement for the final guidelines.]

Requires the DHS CPO to
- monitor implementation of the policies and procedures,
- submit to Congress an annual review on their effectiveness,
- work with the U/S-CIP to carry out provisions in '(c)' on notification about violations of privacy and civil liberties policies and procedures and about information that is erroneous or in contravention of section requirements,
- regularly review and update impact assessments as appropriate to ensure that all relevant protections are followed, and

——

——

- ensure appropriate sanctions for DHS personnel who knowingly and willfully conduct unauthorized activities under the section.

(2) requires that the AG's guidelines include appropriate sanctions for federal activities in contravention of them. [Note: The provision does not specify whether these sanctions are limited to violation of requirements for safeguarding information or the guidelines as a whole.]

(b)(3) [Identical to PCNA]

Sec. 107. Oversight of Government Activities

Sec. 107. Oversight of Government Activities

(b) Reports on Privacy and Civil Liberties.

(b) Reports on Privacy and Civil Liberties.

Requires the DHS IG, in consultation with the PCLOB and IGs of other agencies receiving shared indicators or defensive measures from the NCCIC, to submit a report to HSC and HSGAC within two years of enactment and periodically thereafter reviewing such information, including

(2) requires the IGs of DHS, the IC, DOJ, and DOD, in consultation with the IG Council, to jointly submit a report to Congress within two years of enactment and biennially thereafter, on

(2) requires the IGs of DHS, the IC, DOJ, DOD, and the Department of Energy, in consultation with the IG Council, to jointly submit a biennial report to Congress on

- receipt, use, and dissemination of cybersecurity indicators and defensive measures shared with federal entities under the section,

- receipt, use, and dissemination of cybersecurity indicators and defensive measures shared with federal entities under the title,

[Similar to PCNA]

- information on NCCIC use of such information for purposes other than cybersecurity,

——

——

- types of information shared with the NCCIC,

- types of indicators shared with federal entities,

[Identical to PCNA]

- actions taken by NCCIC based on shared information;

- actions taken by federal entities as a result of receiving shared indicators,

[Identical to PCNA]

- metrics to determine impacts of sharing on privacy and civil liberties,

——

——

- a list of federal agencies receiving the information,

- a list of federal entities receiving the indicators,

[Identical to PCNA] and

- review of sharing of information within the federal government to identify inappropriate stovepiping of shared information, and

- review of sharing of indicators among federal entities to identify inappropriate barriers to sharing information,

[Identical to PCNA]

——

- procedures for sharing information and removal of personal and identifying information, and incidents involving improper treatment of it, and

——

- recommendations for improvements or modifications to sharing under the section.

- recommendations for improvements or modifications to authorities under the title.

(3) permits inclusion of recommendations for improvements or modifications to authorities under the bill.

——

Requires that the reports be submitted in unclassified form but permits a classified annex.

(4) [Similar to PCNA]

——

Requires public availability of unclassified parts of the reports.

——

——

(1) adds a new paragraph to Sec. 1061(e) of the Intelligence Reform and Terrorism Prevention Act of 2004:

——

Requires the DHS CPO and Chief Civil Rights and Civil Liberties Officer, in consultation with the PCLOB, the DHS IG, and senior privacy and civil liberties officers of each federal agency receiving indicators or defensive measures shared with the NCCIC, to

'(3)' requires the PCLOB to

(1) [Similar to PCNA]

submit a biennial report to Congress

submit a biennial report to Congress and the President

[Similar to PCNA]

assessing impacts on privacy and civil liberties of federal activities under '(6)', including

assessing impacts of activities under the title on and sufficiency of policies, procedures, and guidelines in addressing concerns about privacy and civil liberties, including

assessing effects of the types of activities under on the bill on and sufficiency of policies, procedures, and guidelines in addressing concerns about privacy and civil liberties.

recommendations to minimize or mitigate such impacts.

recommendations for improvements or modifications to authorities under the title.

(3) permits inclusion of recommendations for improvements or modifications to authorities under the bill,

Requires that the two reports be submitted in unclassified form but permits a classified annex.

Requires that the reports be submitted in unclassified form but permits a classified annex.

(4) [Similar to PCNA]

——

Requires public availability of unclassified parts of the reports.

——

(a) Biennial Report on Implementation

(a) Biennial Report on Implementation

——

(1) Adds to 'Sec. 111' of the National Security Act

——

'(c) Biennial Report on Implementation'

——

'(1)' requires the DNI to submit a report to Congress on implementation of the title, (2) within one year of enactment and '(1)' at least biennially thereafter,
'(2)' including

(1) requires joint reports to Congress from
- the heads of appropriate federal agencies and
- the IGs of DHS, the IC, DOJ, DOD, and the Department of Energy, in consultation with the IG Council on implementation of the bill, within one year of enactment, covering the most recent one-year period, and at least biennially thereafter, covering the most recent two-year period, including

——

- review of types of indicators shared with the federal government, including

- review of types of indicators shared with the appropriate federal entities, including

——

——

the number of indicators received through the methods in Sec. 105(c),

——

——

the number of times shared information was used by a federal entity to prosecute an offense consistent with Sec. 105(d)(5),

——

the degree to which such information may impact privacy and civil liberties of specific persons, along with quantitative and qualitative assessment of such impacts and adequacy of federal efforts to reduce them,

the degree to which such information may affect privacy and civil liberties of specific persons, along with quantitative and qualitative assessment of such effects and adequacy of federal efforts to reduce them, and including the number of notices issued with respect to failures to remove information that is personal or that identifies specific persons not directly related to a threat in accordance with Sec. 105(b)(3) procedures,

——

- assessment of sufficiency of policies, procedures, and guidelines to ensure effective and responsible sharing under Sec. 4 [sic] of PCNA,

- assessment of sufficiency of policies, procedures, and guidelines to ensure effective and responsible sharing under Sec. 105,

——

——

- effectiveness of real-time sharing under Sec. 105(c).

——

- sufficiency of procedures under Sec. 3 [sic] for timely sharing [Note: References 'Sec. 111(a)(1)' as added by the title; see p. 20],

- sufficiency of procedures under Sec. 103 for timely sharing,

——

- appropriateness of classification of indicators and accounting of security clearances authorized,

[Similar to PCNA]

——

- federal actions taken based on shared indicators, including appropriateness of subsequent use or dissemination under the title,

[Similar to PCNA]

——

- description of any significant federal violations of the requirements of the title, including assessments of all reports of federal personnel misusing information provided under the title and all disciplinary actions taken, and

- description of any significant federal violations of the requirements of the title,

——

- a summary of the number and types of nonfederal entities receiving classified indicators from the federal government and evaluation of risks and benefits of such sharing.

[Similar to PCNA]

——

- assessment of personal or personally identifying information not directly related to a threat that was shared by a nonfederal entity with the federal government in contravention to Sec. 3(d)(2) or within the government in contravention of Sec. 4(b) guidelines. [Note: Intended reference to Sec. 103 and 104 respectively.]

——

——

'(3)' permits reports to include recommendations for improvements or modifications to authorities and processes under the title.

[Similar to PCNA]

——

'(4)' requires that the reports be submitted in unclassified form but permits a classified annex.

[Similar to PCNA]

——

'(5)' requires public availability of unclassified parts of the reports.

——

'(7) Uses and Protection of Information'

Sec. 103. Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats

Sec. 104. Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats

(d) Protection and Use of Information

(d) Protection and Use of Information

[Nonfederal Entities]

Permits a nonfederal, nongovernment entity that shares indicators or defensive measures with the NCCIC to

(3) permits a nonfederal entity [Note: including government entities], for a cybersecurity purpose, to

(3) permits a [nonfederal] entity [Note: including government entities], for cybersecurity purposes, to

use, retain, or disclose indicators and defensive measures, solely for cybersecurity purposes.

use an "indicator or defensive measure shared or received under this section to monitor or operate a defensive measure on" its own information systems or those of other nonfederal or federal entities upon written authorization from them, with

use indicators or defensive measure shared or received under this section to monitor or operate a defensive measure that is applied to its own information systems or those of other entities upon written consent from them, with

Requires reasonable efforts prior to sharing to safeguard personally identifying information from unintended disclosure and unauthorized access or acquisition, and remove or exclude such information where it is reasonably believed when shared to be unrelated to a cybersecurity risk or incident.

[See (2), p. 28, describing requirements for removal of personal information.]

[See (2), p. 28, describing requirements for removal of personal information.]

Requires compliance with appropriate restrictions on subsequent disclosure or retention placed by a federal or nonfederal entity on indicators or defensive measures disclosed to other entities.

further use, retention, or sharing subject to lawful restrictions by the sharing entity or otherwise applicable provisions of law.

[Similar to PCNA]

Stipulates that the information shall be deemed voluntarily shared.

——

——

Requires implementation and utilization of security controls to protect against unauthorized access or acquisition.

(1) requires implementation of appropriate security controls to protect against unauthorized access or acquisition. [Note: Also applies to nonfederal government entities.]

(1) Requires implementation and utilization of security controls to protect against unauthorized access or acquisition. [Note: Also applies to nonfederal government entities.]

Prohibits use of such information to gain an unfair competitive advantage.

——

(3) Prohibits use of such information other than as authorized in (d).

[Federal Entities]

Sec. 104(d) Information Shared with or Provided to the Federal Government

Sec. 105(d) Information Shared with or Provided to the Federal Government

Permits federal entities receiving indicators or defensive measures from the NCCIC or otherwise under the section to use, retain, or further disclose it solely for

(5) permits federal entities or personnel receiving indicators or defensive measures under the title to, consistent with otherwise applicable provisions of federal law, use, retain, or disclose it solely for

(5) [Similar to PCNA]

cybersecurity purposes.

a cybersecurity purpose,

[Identical to PCNA]

——

——

identifying a cybersecurity threat,
- including a source or vulnerability,
- use of an information system by a foreign adversary of terrorist,

[Note: Sec. 216 (see p. 54) permits use of information obtained from federal systems for investigating, prosecuting, disrupting, or otherwise responding to

"responding to, investigating, prosecuting, or otherwise preventing or mitigating"

"responding to or otherwise preventing or mitigating"

imminent threats of death or serious bodily harm

threats of death or serious bodily harm or offenses arising out of such threats,

imminent threats of death or serious bodily harm or

——

——

"serious economic harm, including a terrorist act or a use of a weapon of mass destruction,"

serious threats to minors, including sexual exploitation or threats to physical safety, and

"a serious threat to a minor, including sexual exploitation and threats to physical safety," and

[Identical to PCNA]

violations of 18 U.S.C. 1030 [computer fraud], or

- preventing, investigating, disrupting, or prosecuting offenses listed in 18 U.S.C. 1028-30, 3559(c)(2)(F), and Ch. 37 and 90 [computer fraud and identity theft, espionage and censorship, protection of trade secrets, and serious violent felonies].

[Similar to PCNA] or

——

——

attempts or conspiracy to commit the above offenses.]

——

——

——

Prohibits federal disclosure, retention, or use for any purpose not permitted under (5).

[Similar to PCNA]

Requires reasonable efforts prior to sharing to safeguard personally identifying information from unintended disclosure and unauthorized access or acquisition, and remove or exclude such information where it is reasonably believed when shared to be unrelated to a cybersecurity risk or incident.

Stipulates that the policies, procedures, and guidelines in (a) [on provision of information to the federal government] and (b) [on privacy and civil liberties] of the title apply to such information.

Stipulates that the policies, procedures, and guidelines in (a) and (b) apply to such information, that confidentiality of information in indicators that is personal or that identifies specific persons must be protected and the information protected from unauthorized use or disclosure.

——

'Sec. 111(a)(2)' requires that procedures for sharing developed include methods for federal entities to assess, prior to sharing, whether an indicator contains information known to be personal or identifying of a specific person and to remove such information, or to implement a technical capability to remove or exclude such information.

Sec. 103(b)(1) requires that procedures for sharing developed include methods for federal entities to assess, prior to sharing, whether an indicator contains information known to be personal or that identifies a specific person and to remove such information, or to implement and utilize a technical capability to remove such information.

Requires implementation and utilization of security controls to protect against unauthorized access or acquisition.

'Sec. 111(a)(2)' requires that procedures for sharing developed by the DNI include requirements for federal entities to implement security controls to protect against unauthorized access to or acquisition of shared information.

Requires that procedures for sharing developed by the DNI include requirements for federal entities to implement and utilize security controls to protect against unauthorized access to or acquisition of shared information.

Sec. 109(a) Prohibition of Surveillance

Prohibits use in surveillance or collection activities to track an individual's personally identifiable information except as authorized in the section.

Stipulates that the title does not authorize DOD or any element of the IC to target a person for surveillance.

——

Stipulates that the indicators and defensive measures shared from a federal or nonfederal entity under the section shall be deemed to have been voluntarily shared.

Sec. 104(d)(3) stipulates that an indicator or defensive measure provided to the federal government under the bill shall be deemed voluntarily shared information.

Sec. 105(d)(3) stipulates that indicators and defensive measure provided to the federal government under the title shall be deemed voluntarily shared information.

Stipulates that the information is exempt from disclosure under 5 U.S.C. 552 [the Freedom of Information Act (FOIA)] or nonfederal disclosure laws and withheld, without discretion, from the public under 5 U.S.C. 552(3)(B).

Stipulates that the information is exempt from disclosure under FOIA or nonfederal disclosure laws and withheld, without discretion, from the public under 5 U.S.C. 552(3)(B),

[Similar to PCNA]

——

except for information requiring disclosure in criminal prosecutions.

——

Prohibits federal use for regulatory purposes.

[Note: No specific corresponding prohibition, but Sec. 104(d)(5) above prohibits federal disclosure, retention, or use for any purpose other than those specified in the paragraph.]

(5) prohibits federal or nonfederal use to regulate lawful activities of an entity, including enforcement actions and activities relating to monitoring, defense, or sharing of indicators, except to inform development or implementation of authorized regulations relating to prevention or mitigation of threats to information systems and to procedures under the title.

Specifies that there is no waiver of applicable privilege or protection under law, including trade-secret protection;

(1) [Similar to NCPAA]

(1) [Similar to NCPAA]

Requires that the information be considered the commercial, financial, and proprietary information of the nonfederal entity when so designated by it.

(2) requires that, consistent with the title, the information be considered the commercial, financial, and proprietary information of the originating nonfederal source, when so designated by such source or nonfederal entity acting with written authorization from it.

(2) requires that, consistent with Sec. 104(c)(2), the information be considered the commercial, financial, and proprietary information of the [nonfederal] entity providing it, when so designated by the originating [nonfederal] entity or third party acting with written authorization from it.

Stipulates that the information is not subject to judicial doctrine or rules of federal entities on ex-parte communications.

(4) [Similar to NCPAA]

(4) [Similar to NCPAA]

[Nonfederal Government Entities]

[Note: See also Nonfederal Entities, p. 37.]

[Note: See also Nonfederal Entities, p. 37.]

Permits state, local, and tribal government to

Sec. 103(d)(4) permits state, local, and tribal government entities

Sec. 104(d)(4) permits state, local, and tribal government entities, with prior written consent of sharing entity or oral consent in exigent circumstances,

use, retain, or further disclose indicators or defensive measures shared under the section solely for.

to use shared cyber threat indicators for [Note: Purposes below are included by reference to specified provisions in Sec. 104(d)(5)]

to use shared cyber threat indicators for [Note: included by reference to specified provisions in Sec. 105(d)(5)]

cybersecurity purposes.

a cybersecurity purpose,

——

"responding to, investigating, prosecuting, or otherwise preventing or mitigating"

"responding to, or otherwise preventing or mitigating"

——

"a threat of death or serious bodily harm or an offense arising out of such a threat," or

"an imminent threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction," or

——

"a serious threat to a minor, including sexual exploitation and threats to physical safety."

——

——

——

"preventing, investigating, disrupting, or prosecuting" offenses relating to fraud and identity theft, espionage and censorship, and protection of trade secrets. [Note: The bill cites provisions in title 18 of the U.S. Code.]

Requires reasonable efforts prior to sharing to safeguard personally identifying information from unintended disclosure and unauthorized access or acquisition, and remove or exclude such information where it is reasonably believed when shared to be unrelated to a cybersecurity risk or incident.

[See (2), p. 28, describing requirements for removal of personal information.]

[Similar to PCNA]

Stipulates that the information be considered "commercial, financial, and proprietary" if so designated by the provider.

[Note: Sec. 103(d)(3) stipulates that further use, retention, or sharing of information received by a nonfederal entity is subject to lawful restrictions by the sharing entity or otherwise applicable provisions of law. See Nonfederal Entities, p. 37.]

[Similar to PCNA]

Stipulates that the indicators and defensive measures shall be deemed voluntarily shared.

Stipulates that such shared indicators or defensive measures be deemed voluntarily shared and exempt from disclosure, and

Stipulates that such shared indicators be deemed voluntarily shared and exempt from disclosure, and

Requires implementation and utilization of security controls to protect against unauthorized access or acquisition.

(1) requires implementation of appropriate security controls to protect against unauthorized access or acquisition. [Note: Also applies to nonfederal nongovernment entities.]

(1) Requires implementation and utilization of security controls to protect against unauthorized access or acquisition. [Note: Also applies to nonfederal nongovernment entities.]

Exempts the information from disclosure under nonfederal disclosure laws or regulations.

Exempts the information from disclosure under nonfederal disclosure laws or regulations, except as required in criminal prosecutions.

(4) Exempts the information from disclosure under nonfederal disclosure laws or regulations.

Prohibits use for regulation of lawful activities of nonfederal entities.

——

Prohibits use to regulate lawful activities of a [nonfederal] entity, including enforcement actions and activities relating to monitoring, defense, or sharing of indicators, except to inform development or implementation of authorized regulations relating to prevention or mitigation of threats to information systems.

'(8) Liability Exemptions'

Sec. 106. Protection from Liability

Sec. 106. Protection from Liability

(a) Monitoring of Information Systems

(a) Monitoring of Information Systems

States that "no cause of action shall lie or be maintained in any court" against nonfederal, nongovernment entities for conducting network awareness under '(4)' in accordance with the section or

States that "no cause of action shall lie or be maintained in any court" against private entities for monitoring information systems under Sec. 103(a) conducted in accordance with the title or

[Similar to PCNA, but refers to Sec. 104(a)]

(b) Sharing or Receipt of Cyber Threat Indicators

(b) Sharing or Receipt of Cyber Threat Indicators

for sharing indicators or defensive measures under '(3),' or a good-faith failure to act if sharing is done in accordance with the section.

for information sharing under Sec. 103(c) in accordance with the title or a good-faith failure to act if sharing is done in accordance with the title.

for information sharing under Sec. 104(c) in accordance with the title if sharing is done in accordance with the bill and, for sharing with the federal government after the earlier of submission of interim procedures under Sec. 105(a)(1) and guidelines under Sec. 105(b)(1) or 60 days after enactment, it uses the DHS process under Sec. 105(c)(1).

(c) Willful Misconduct

(c) Construction

Stipulates that nothing in the section

(1) Stipulates that nothing in the section

Stipulates that nothing in the section

- requires dismissal of a cause of action against a nonfederal, nongovernment entity that engages in willful misconduct in the course of activities under the section.

requires dismissal of a cause of action against a nonfederal entity that engages in willful misconduct in the course of activities under the title, or

- requires dismissal of a cause of action against a [nonfederal] entity that engages in gross negligence or willful misconduct in the course of activities under the title, or

- undermines or limits availability of otherwise applicable common law or statutory defenses.

[Identical to NCPAA]

[Identical to NCPAA]

Establishes the burden of proof as clear and convincing evidence from the plaintiff of injury-causing willful misconduct,

(2) [Similar to NCPAA]

——

Defines willful misconduct as an act or omission taken intentionally to achieve a wrongful purpose, knowingly without justification, and in disregard of risk of highly probable harm that outweighs any benefit.

(3) [Similar to NCPAA]

——

'(9) Federal Government Liability for Violations of Restrictions on the Use and Protection of Voluntarily Shared Information'

Sec. 105. Federal Government Liability for Violations of Privacy or Civil Liberties

(a) In General

Makes the federal government liable to injured persons for intentional or willful violation of restrictions on federal disclosure and use under 'Sec. 226', with minimum damages of $1,000 plus

Makes the federal government liable to injured persons for intentional or willful violation of privacy and civil liberties guidelines under Sec. 104(b), with minimum damages of $1,000 plus

——

reasonable attorney fees as determined by the court and other reasonable litigation costs in any case under (a) where "the complainant has substantially prevailed."

[Identical to NCPAA]

——

(b) Venue

Stipulates the federal district courts where the case may be brought as the one in which the complainant resides or the principal place of business is located, the District of Columbia, or

[Identical to NCPAA]

——

where the federal department or agency that disclosed the information is located.

where the federal department or agency that violated the guidelines is located.

——

(c) Statute of Limitations

Sets the statute of limitations under '(i)' at two years from the date on which the cause of action arises.

Sets the statute of limitations under Sec. 105 at two years from the date on which the cause of action arises.

——

(d) Exclusive Cause of Action.

Sets action under '(i)' as the exclusive remedy for violation of restrictions under '(i)(3),' '(i)(6),' or '(i)(7)(B)'.

Sets action under (d) as the exclusive remedy for federal violations under the title.

——

'(10) Anti-Trust Exemption'

Sec. 104(e) Antitrust Exemption

Exempts nonfederal entities from violation of antitrust laws for sharing indicators or defensive measures or providing assistance for cybersecurity purposes, provided that the action is taken to assist with preventing, investigating, or mitigating a cybersecurity risk or incident.

——

Exempts any two or more private entities from violation of antitrust laws, except as provided in Sec. 108(e) [p.45] for exchanging or providing indicators or assistance for cybersecurity purposes to help prevent, investigate, or mitigate a cybersecurity risk or incident.

'(11) Construction and Preemption'

Sec. 109(b) Otherwise Lawful Disclosures

Sec. 108(a) Otherwise Lawful Disclosures

Nothing in the section may be construed to

Nothing in the title or the amendments made by it shall be construed to

Nothing in the title shall be construed to

- limit or prohibit otherwise lawful disclosures or participation in an investigation by a nonfederal entity of information to any other federal or nonfederal entity,

- limit or prohibit otherwise lawful disclosures by a nonfederal entity of information to any other federal or nonfederal entity, or

- limit or prohibit otherwise lawful disclosures by a [nonfederal] entity of information to any federal or other entity, or

——

any otherwise lawful use by a federal entity, whether or not the disclosures duplicate those made under the title,

any otherwise lawful use by a federal entity, even when the disclosures duplicate those made under the title,

(c) Whistle Blower Protections

(b) Whistle Blower Protections

- prohibit or limit disclosures protected under 5 U.S.C. 2302(b)(8), 5 U.S.C. 7211, 10 U.S.C. 1034, 50 U.S.C. 3234, or similar provisions of federal or state law,

- prohibit or limit disclosures protected under 5 U.S.C. 2302(b)(8), 5 U.S.C. 7211, 10 U.S.C. 1034, or similar provisions of federal or state law,

- prohibit or limit disclosures protected under 5 U.S.C. 2302(b)(8), 5 U.S.C. 7211, 10 U.S.C. 1034, 50 U.S.C. 3234, or similar provisions of federal or state law,

(d) Protection of Sources and Methods

(c) Protection of Sources and Methods

——

- affect federal enforcement actions on classified information or conduct of authorized law-enforcement or intelligence activities, or modify the authority of the President or federal entities to protect and control dissemination of classified information, intelligence sources and methods, and U.S. national security,

- affect federal enforcement actions on classified information or conduct of authorized law-enforcement or intelligence activities, or modify the authority of federal entities to protect classified information, sources and methods, and U.S. national security,

(e) Relationship to Other Laws

- affect any requirements under other provisions of law for nonfederal entities providing information to federal entities,

[Similar to NCPAA]

[Similar to NCPAA]

(g) Preservation of Contractual Obligations and Rights

(g) Preservation of Contractual Obligations and Rights

- change contractual relationships between nonfederal entities or them and federal entities or abrogate trade-secret or intellectual property rights,

[Similar to NCPAA]

[Similar to NCPAA]

(h) Anti-Tasking Restriction

(h) Anti-Tasking Restriction

- permit the federal government to require nonfederal entities to provide it with information, or to condition

- permit the federal government to require nonfederal entities to provide it with information, or to condition

- permit a federal entity to require nonfederal entities to provide it or another entity with information, or to condition

sharing of indicators or defensive measures on provision by such entities of indicators or defensive measures, or

sharing of indicators on provision of indicators, or

sharing of indicators on provision of indicators to a federal or other entity, or

award of grants, contracts, or purchases on such provision,

award of grants, contracts, or purchases on such provision,

award of grants, contracts, or purchases on such provision,

(i) No Liability for Non-Participation

(i) No Liability for Non-Participation

- create liabilities for any nonfederal entities that choose not to engage in the voluntary activities authorized in the section,

- create liabilities for any nonfederal entities that choose not to engage in a voluntary activity authorized in the title, or

- create liabilities for any nonfederal entities that choose not to engage in the voluntary activities authorized in the title,

(j) Use and Retention of Information

(j) Use and Retention of Information

- authorize or modify existing federal authority to retain and use information shared under the title for uses other than those permitted under the section,

- authorize or modify existing federal authority to retain and use information shared under the title for uses other than those permitted under the title.

- authorize or modify existing federal authority to retain and use information shared under the title for uses other than those permitted under the title,

- restrict or condition sharing for cybersecurity purposes among nonfederal entities or require sharing by them with the NCCIC, or

——

——

(e) Prohibited Conduct

- "permit price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, or exchanges of price or cost information, customer lists, or information regarding future competitive planning."

——

- "permit price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning," or

(m) Authority of Secretary of Defense to Respond to Cyber Attacks

——

——

- "limit the authority of the Secretary of Defense to develop, prepare, coordinate, or, when authorized by the President to do so, conduct a military cyber operation in response to a malicious cyber activity carried out against the United States or a United States person by a foreign government or an organization sponsored by a foreign government or a terrorist organization."

(k) Federal Preemption

(k) Federal Preemption

Specifies that the section supersedes state and local laws relating to its provisions

(1) Specifies that the title supersedes state and local laws relating to its provisions.

(1) Specifies that the title supersedes state and local laws relating to its provisions.

——

(2) Stipulates that the title does not supersede state and local laws on use of authorized law enforcement practices and procedures.

[Similar to PCNA]

——

(3) Stipulates that, except with respect to exemption from disclosure under Sec. 103(b)(4), the title does not supersede state and local law on private entities performing utility services except to the extent that they restrict activities under the title.

——

Requires the Secretary to develop policies and procedures for direct reporting by the NCCIC Director of significant risks and incidents.

——

——

Requires the Secretary to build on existing mechanisms to promote public awareness about the importance of securing information systems.

——

——

Requires a report from the Secretary within 180 days of enactment to HSC and HSGAC on efforts to bolster collaboration on cybersecurity with international partners.

——

——

Requires the Secretary, within 60 days of enactment, to publicly disseminate information about ways of sharing information with the NCCIC, including enhanced outreach to CI owners and operators.

——

——

Sec. 204. Information Sharing and Analysis Organizations

Amends Sec. 212 of the HSA to

——

——

(1) broaden the functions of ISAOs to include cybersecurity risk and incident information beyond that relating to critical infrastructure, and

——

——

(2) add by reference the definitions of cybersecurity risk and incident in 6 U.S.C. 148(a).

——

——

Sec. 207. Security and Resiliency of Public Safety Communications; Cybersecurity Awareness Campaign

Sec. 404. Enhancement of Emergency Services

(a) In General

Adds two new sections to the HSA:

——

——

(a) Collection of Data

Requires the Secretary, acting through the NCCIC and in coordination with appropriate federal entities and the Director for Emergency Communications, to establish, within 90 days of enactment, a process for reporting of data by a Statewide Interoperability Coordinator on cybersecurity risks or incidents involving systems or networks used by state emergency response providers as defined in 6 U.S.C. 101.

'Sec. 230. Security and Resiliency of Public Safety Communications'

(b) Analysis of Data

Requires the NCCIC to coordinate with the DHS Office of Emergency Communications to assess information on cybersecurity incidents involving public safety communications to facilitate continuous improvement in those communications.

——

Requires the Secretary, acting through the NCCIC and in coordination with appropriate entities and the Director for Emergency Communications and in consultation with the NIST Director, to conduct, within one year of enactment, integration and analysis of the data reported in (a) to develop information and recommendations on security and resilience measures for systems and networks used by state emergency response providers.

(c) Best Practices

——

——

(1) requires the NIST Director to use the results under (b) and other relevant information to facilitate and support development of methods to reduce cybersecurity risks to emergency response providers using the process described in 15 U.S.C. 272(e) [relating to public/private collaboration in reducing such risks].

——

——

(2) requires a publicly available report to Congress on those methods from the NIST Director.

'Sec. 231. Cybersecurity Awareness Campaign'

'(a) In General'

Requires the U/S-CIP to develop and implement an awareness campaign on risks and best practices for mitigation and response, including at a minimum public service announcements and information on best practices that are vendor- and technology-neutral.

——

——

'(b) Consultation'

Requires consultation with a wide range of stakeholders.

——

——

'Sec. 232. National Cybersecurity Preparedness Consortium'

'(a) In General'

Authorizes the Secretary to establish the National Cybersecurity Preparedness Consortium to

——

——

'(b) Functions'

- provide cybersecurity training to state and local first responders and officials,
- establish a training curriculum for them using the DHS Community Cyber Security Maturity Model,
- provide technical assistance for improving capabilities,
- conduct training and simulation exercises,
- coordinate with the NCCIC to help states and communities develop information sharing programs, and
- coordinate with the National Domestic Preparedness Consortium to incorporate cybersecurity into emergency management functions.

——

——

'(c) Members'

Stipulates that members be academic, nonprofit, and government partners with prior experience conducting cybersecurity training and exercises in support of homeland security.

——

——

(b) Clerical Amendment

Amends the table of contents of the act to include the new sections.

——

——

Sec. 108. Report on Cybersecurity Threats

Sec. 109. Report on Cybersecurity Threats

(a) Report Required

(a) Report Required

——

Requires the DNI, in consultation with heads of other appropriate elements of the IC, to submit within 180 days of enactment a report to the House and Senate Intelligence Committees on cybersecurity threats to the U.S. national security and economy, including attacks, theft, and data breaches.

Requires the DNI, in coordination with heads of other appropriate elements of the IC, to submit within 180 days of enactment a report to the House and Senate Intelligence Committees on cybersecurity threats, including attacks, theft, and data breaches.

(b) Contents

(b) Contents

——

Requires that the report include

Requires that the report include

——

(1) assessments of current U.S. intelligence sharing and cooperation relationships with other countries on such threats directed against the United States and threatening U.S. national security interests, the economy, and intellectual property, identifying the utility of relationships, participation by elements of the IC, and possible improvements,

(1) assessments of current U.S. intelligence sharing and cooperation relationships with other countries on such threats directed against the United States and threatening U.S. national security interests, the economy, and intellectual property, specifically identifying the utility of relationships, participation by elements of the IC, and possible improvements,

——

(2) a list and assessment of countries and nonstate actors constituting the primary sources of such threats,

(2) [Similar to PCNA]

——

(3) description of how much U.S. capabilities to respond to or prevent such threats to the U.S. private sector are degraded by delays in notification of the threats,

(3) [Similar to PCNA]

——

(4) assessment of additional technologies or capabilities that would enhance the U.S. ability to prevent and respond to such threats, and

(4) [Similar to PCNA]

——

(5) assessment of private-sector technologies or practices that could be rapidly fielded to assist the IC in preventing and responding to such threats.

(5) [Identical to PCNA]

(c) Form of Report

(d) Form of Report

——

Requires that the report be unclassified but permits a classified annex.

Requires that the report be made available in unclassified and classified forms.

(d) Public Availability of Report

——

Requires that the unclassified portion of the report be publicly available.

——

(c) Additional Report

——

——

Requires that the DNI submit a report to the House Foreign Affairs and Senate Foreign Relations Committees with the information in (b)(2) at the time the report required in (a) is submitted.

(e) Intelligence Community Defined

(e) Intelligence Community Defined

——

Defines intelligence community as in 50 U.S.C. 3003.

[Identical to PCNA]

Sec. 210. Assessment

Requires the Comptroller General, within two years of enactment, to submit a report to HSC and HSGAC assessing implementation of the title and, as practicable, findings on increased sharing at NCCIC and throughout the United States.

——

——

Sec. 213. Prohibition on New Regulatory Authority

Sec. 109(l) Regulatory Authority

Sec. 108(l) Regulatory Authority

Stipulates that the title does not grant DHS new authority to promulgate regulations or set standards relating to cybersecurity for nonfederal, nongovernmental entities.

Stipulates that the title does not authorize
(1) promulgation of regulations or
(2) establishment of regulatory authority not specified by the title, or
(3) duplicative or conflicting regulatory actions.

Stipulates that the title does not authorize
(1) promulgation of regulations or
(2) establishment or limitation of regulatory authority not specified by the bill, or
(3) duplicative or conflicting regulatory actions.

Sec. 214 Sunset

Ends all requirements for reports in the title seven years after enactment.

——

——

Sec. 215. Prohibition on New Funding

Stipulates that the title does not authorize additional funds for implementation and must be carried out using available amounts.

——

——

Sec. 216. Protection of Federal Information Systems

Title II—Federal Cybersecurity Enhancement

Sec. 201. Short Title

——

——

Federal Cybersecurity Enhancement Act of 2015

Sec. 202. Definitions

——

——

Defines, in the title,

——

——

Agency: As in 44 U.S.C. 3502.

——

——

Agency information system: As in Sec. 228 of the HSA as added by Sec. 203(a).

——

——

Appropriate Congressional Committees: The Senate Homeland Security and Governmental Affairs Committee and the House Committee on Homeland Security.

——

——

Cybersecurity Risk: As in 6 U.S.C. 148(a).

——

——

Director: The OMB Director.

——

——

Information System: As in 44 U.S.C. 3502.

——

——

Intelligence Community: As in 50 U.S.C. 3003.

——

——

National Security System: As in 40 U.S.C. 11103.

——

——

Secretary: The Secretary of Homeland Security.

——

——

Sec. 203. Improved Federal Network Security

(a) In General

(a) In General

Adds a new section to the HSA.

——

Amends the HSA by
(1) renumbering Sec. 228 [on clearances] as Sec. 229,
(4) adding a new Sec. 228,
(2) renumbering Sec. 227 [on cyber incident response plans] as Sec. 228(c),
(3) renumbering "second section 226" [on the NCCIC, see p. 19] as Sec. 227,
(5) amending the reference to Sec. 226 in Sec. 228(c) to read "Sec. 227," and
(6) adding a new Sec. 230.

'Sec. 228. Cybersecurity plans'

'(a) Definitions'

——

——

Defines, in the section,

——

——

Agency Information System: "An information system used or operated by an agency or by another entity on behalf of an agency."

——

——

Cybersecurity Risk, Information System, Intelligence Community, and National Security System: As in Sec. 202:

'(b) Intrusion Assessment Plan'

——

——

'(1)' requires the Secretary to develop and implement, in coordination with the OMB Director, a plan to identify and remove intruders from agency information systems.

——

——

'(2)' stipulates that the plan does not apply to DOD, NSS, or the IC.

'Sec. 233. Available Protection of Federal Information Systems'

'Sec. 230. Federal Intrusion Detection and Prevention System'

'(a) Definitions'

——

——

Defines, in the section,

——

——

Agency Information: "Information collected or maintained by or on behalf of an agency."

——

——

Agency, Agency Information System, Cybersecurity Risk, and Information System: As in Sec. 202.

'(b) Requirement'

'(a) In General'

'(1) In General'

Requires the Secretary to deploy and operate, to make available to agencies with or without reimbursement, capabilities,

——

'(1)' Requires the Secretary to deploy, operate, and maintain, to make available to agencies with or without reimbursement, capabilities,

including technologies for continuous diagnostics, detection, prevention, and mitigation, for protecting federal information systems and their contents from cybersecurity risks.

- to detect cybersecurity risks in network traffic to and from agency systems, and
- to stop such traffic or remove the risks.

——

——

'(2)' Requires the Secretary to regularly modify technologies and employ new ones to improve capabilities.

'(b) Activities'

'(c) Activities'

Authorizes the Secretary to

——

Authorizes the Secretary to

'(1)' access information traveling to or from or stored on an agency system regardless of location, and permits agency heads to disclose such information to the Secretary or a private entity assisting the Secretary, notwithstanding any other provision of law that would otherwise restrict such disclosure,

——

'(1)' access information traveling to or from an agency system regardless of location, and permits agency heads to disclose such information to the Secretary or a private entity assisting the Secretary, notwithstanding any other provision of law that would otherwise restrict such disclosure,

'(2)' obtain assistance through agreements or otherwise from private entities for implementing technologies under '(a),'

——

'(2)' [Similar to NCPAA]

'(3)' use, retain, and disclose information obtained under this section only to protect federal systems and their contents,

——

'(3)' [Similar to NCPAA]

or with approval of the AG, to respond to
violations of 18 U.S.C. 1030 [on computer fraud and related activities],
threats of death or serious bodily harm,
serious threats to minors, including sexual exploitation and threats to physical safety, or
attempts or conspiracy to commit such offenses.

[Note: Sec. 104(d)(5) has related provisions for information shared with the federal government (see p. 38).]

[Note: Sec. 105(d)(5) has related provisions for information shared with the federal government (see p. 3838).]

——

——

Requires the Secretary to

——

——

'(4)' regularly test, and utilize when appropriate, commercial and noncommercial technologies to improve capabilities,

——

——

'(5)' establish a pilot for acquiring, testing, and deploying such technologies,

——

——

'(6)' periodically update privacy impact assessments required under 44 U.S.C. 3501 note, and

——

——

'(7)' ensure that
- activities under the section are reasonably necessary to protect systems and their information,
- information accessed by the Secretary is retained no longer than reasonably necessary for such protection,
- notice is provided to users about access to communications for purposes of such protection, and
- operation of the intrusion detection and prevention capabilities is implemented pursuant to governing policies and procedures.

'(d) Private Entities'

'(c) Conditions'

'(1) Conditions'

Requires that the agreements under '(b)(2)' bar

——

Prohibits a private entity described in (2) from

- disclosure of identifying information reasonably believed to be unrelated to a cybersecurity risk except to DHS or the disclosing agency, and

——

- disclosure of network traffic from an agency system without consent from the disclosing agency, and

- use of information accessed under the section by a private entity for any purpose other than protecting agency information systems and their contents or administration of the agreement.

——

- use of network traffic accessed under the section by a private entity for any purpose other than protecting agency information systems and their contents or administration of the agreement under '(c)(2)' or as part of another contract with the Secretary.

'(d) Limitation'

'(2) Limitation on Liability'

States that no cause of action shall lie against a private entity for assistance provided in accordance with this section and an agreement under '(b)(2).'

——

States that no cause of action shall lie against a private entity for assistance provided in accordance with this section and an agreement pursuant to '(b)(2).'

'(3) Rule of Construction'

——

——

Stipulates that '(2)' does not authorize an Internet service provider to break a user agreement without the customer's consent.

'(e) Attorney General Review'

——

——

Requires the AG to review policies and procedures for the program under this section to ensure consistency with applicable communications law.

(b) Prioritizing Advanced Security Tools

——

——

Requires the OMB Director and the Secretary, in consultation with appropriate agencies, to (1) review and update and (2) brief HSGAC and HSC on government-wide policies and programs to ensure appropriate prioritization and use of monitoring tools within agency networks.

(c) Agency Responsibilities

——

——

(1) Requires the head of each federal agency to begin using the capabilities under 'Sec. 230(b)(1)' between agency systems an any other systems by the later of one year after enactment or two months after the Secretary makes the capabilities available, (2) except for DOD, NSS, and the IC.

——

——

(3) defines, for (c) only, Agency Information System to mean "an information system owned or operated by an agency." [Note: this definition excludes systems operated on behalf of an agency; see p. 52.]

——

——

(4) stipulates that (c) does not limit agencies from applying capabilities under 'Sec. 230(b)(1)' at the discretion of agency heads or as provided in relevant policies, directives, and guidelines.

(b) Clerical Amendment

(d) Table of Contents Amendment

Amends the table of contents of the HSA to include the new section.

——

Amends the table of contents of the HSA to include the changes made by this section.

Sec. 207. Termination

(a) In General

——

——

Terminates authorities provided under 'Sec. 230' seven years after enactment.

(b) Rule of Construction

——

——

Stipulates that (a) does not affect limitations on liability for private entities under 'Sec. 230(d)(2)' for assistance rendered before the termination date in (a) or as otherwise authorized.

Title IV. Other Cyber Matters

Sec. 217. Sunset

Sec. 112. Sunset

Sec. 409. Effective Period

(a) In General

Terminates the provisions in the title seven years after enactment.

[Identical to NCPAA]

Terminates the provisions in the bill ten years after enactment, except that

(b) Exception

——

——

actions shall continue in effect if authorized and occurring under the bill or information obtained pursuant to it before the termination date.

Sec. 220. GAO Report on Impact Privacy and Civil Liberties

Sec. 111. Comptroller General Report on Removal of Personal Identifying Information

(a) Report

Requires a GAO report to HSC and HSGAC within five years of enactment assessing the impacts of NCCIC activities on privacy and civil liberties.

Requires a GAO report to Congress within three years of enactment on federal actions to remove personal information from threat indicators pursuant to Sec. 104(b).

——

(b) Form

——

Requires that the report be unclassified but permits a classified annex.

——

Sec. 110. Conforming Amendment

——

——

Amends Sec. 941(c)(3) of the FY2013 National Defense Authorization Act (10 U.S.C. 2224 note) to permit sharing by the Secretary of Defense of threat indicators and defensive measures consistent with the procedures promulgated by the AG and the Secretary under Sec. 105 of the bill.

Cybersecurity of Federal Agencies and Information Systems

NCPAA: Sec. 205. Streamlining of Department of Homeland Security Cybersecurity and Infrastructure Protection Organization

(a) Cybersecurity and Infrastructure Protection Directorate

Renames the DHS National Protection and Programs Directorate as the Cybersecurity and Infrastructure Protection. [Sic.]

(b) Senior Leadership of the Cybersecurity and Infrastructure Protection Directorate

Provides a specific title for the undersecretary in charge of critical infrastructure protection as U/S-CIP. Also adds two deputy undersecretaries, one for cybersecurity and the other for infrastructure protection. Does not require new appointments for current officeholders and specifies that appointment of the undersecretaries does not require Senate confirmation.

(c) Report

Requires a report to HSC and HSGAC from the U/S-CIP within 90 days of enactment on the feasibility of becoming an operational component of DHS. If that is determined to be the best option for mission fulfillment, requires submission of a legislative proposal and implementation plan. Also requires that the report include plans for more effective execution of the cybersecurity mission, including expediting of information sharing agreements.

NCPAA: Sec. 209. Report on Reducing Cybersecurity Risks in DHS Data Centers

Requires a report to HSC and HSGAC within one year of enactment on the feasibility of creating an environment within DHS for reduction in cybersecurity risks in data centers, including but not limited to increased compartmentalization of systems with a mix of security controls among compartments.

CISA: Sec. 204. Advanced Internal Defenses

(a) Advanced Network Security Tools

(1) requires the Secretary to include advanced—including commercial, free, and open-source—tools in the Continuous Diagnostics and Mitigation Program.

(2) requires the OMB Director to develop and implement a plan to ensure that agencies use advanced network tools to detect and mitigate intrusions and anomalous activity.

(b) Improved Metrics

Requires the Secretary to collaborate with the OMB Director to review and update metrics used to measure security under 44 U.S.C. 3554 [FISMA] to include "measures of intrusion and incident detection and response times."

(c) Transparency and Accountability

Requires the Director, in consultation with the Secretary to increase public transparency on agency cybersecurity posture, including displaying metrics on federal websites for as many agencies and department components as practicable.

(d) Maintenance of Technologies

Revises 44 U.S.C. 3553(b)(6)(B) [FISMA] to require the Secretary to operate and maintain, as well as deploy, continuous diagnostics and mitigation tools to agencies upon request.

(e) Exception

Stipulates that the section requirements do not apply to DOD, NSS, or the IC.

CISA: Sec. 205. Federal Cybersecurity Requirements

(a) Implementation of Federal Cybersecurity Standards

Requires the Secretary, in consultation with the OMB Director, to issue binding operational directives, consistent with 44 U.S.C. 3553, to assist the Director in ensuring timely agency adoption of and compliance with standards and policies promulgated under 40 U.S.C. 11331.

(b) Cybersecurity Requirements at Agencies

(1) requires the head of each agency, within one year of enactment and consistent with FISMA and 40 U.S.C. 11331, to
- identify sensitive and mission-critical agency data consistent with the inventories required under 44 U.S.C. 3505,
- assess access controls to such data as well as the need for readily accessible storage and for individuals to access the data,
- render such data indecipherable to unauthorized users,
- implement a single sign-on trusted identity platform, developed by the Administrator of General Services in collaboration with the Secretary, for individuals accessing agency public websites that require user authentication, and
- implement identity management consistent with 15 U.S.C. 7464, including multi-factor authentication, for remote access to and each user account with elevated privileges on an agency system, except

(2) systems for which the agency head has personally certified to the OMB Director that
- operational requirements related to the system and articulated in the certification would make implementation excessively burdensome,
- the requirements are unnecessary for securing the system and its contents,
- the agency has taken all steps needed to secure the system and its contents, and
- the agency head or designee has submitted the certification to HSGAC and HSC and the agency authorizing committees.

(3) stipulates that the section does not
- alter the authority of the Secretary or the Directors of OMB or NIST in implementing FISMA, or
- affect NIST processes or requirements for coordination of the development of standards and guidelines in 44 U.S.C. 3553(a)(4), or discourage continuous improvement and advances in technology, standards, policies, and guidelines promoting federal information security. technology, standards, policies, and guidelines used to promote Federal information security.

(c) Exception

Stipulates that the section requirements do not apply to DOD, NSS, or the IC.

CISA: Sec. 206. Assessment; Reports

(a) Definitions

Defines, in the section,

Intrusion Assessment Plan: The plan required under 'Sec. 228(b)(1)' of HSA [see p. 52].

Intrusion Assessments: Actions taken under the plan to identify and remove intruders in agency systems.

Intrusion Detection and Prevention Capabilities: Those required in 'Sec. 230(b)' of the HSA [see p. 53].

(b) Third Party Assessment

Requires a GAO study within three years of enactment on the effectiveness of efforts to secure agency systems, including the intrusion plan and capabilities for detection and prevention.

(c) Reports to Congress

(1) Requires the Secretary, within six months of enactment and annually thereafter, to submit reports to HSGAC and HSC on implementation of intrusion detection and prevention capabilities, including
- descriptions of privacy controls and

- technologies, including commercial and noncommercial, and capabilities used to detect risks in network traffic and to prevent traffic associated with risks from moving to or from agency systems,

-for each iteration of the capabilities, types and numbers of identifiers and techniques used to detect risks in network traffic,

- instances where the capabilities detected risks and blocked associated traffic,

- description of the pilot required under Sec. 230(c)(5) [see p. 54], including the numbers of new technologies tested and participating agencies.

Requires the OMB Director, within 18 months of enactment, to include, in the annual FISMA report to Congress (44 U.S.C. 3553(c)), analysis of agency application of the capabilities, with

- the degree to which each agency has applied the capabilities to its systems,

- a list by agency of the number of instances where the capabilities detected a risk in network traffic, the indicators, identifiers, and techniques used for detection, and the number of instances where such traffic was blocked.

(2) requires the OMB Director to submit the intrusion assessment plan to HSGAC and HSC within six months of enactment and with 30 days of each subsequent update, and

within one year of enactment, to include in the annual FISMA report to Congress

- a description of implementation of the plan,

- findings of assessments conducted pursuant to it,

- advanced tools in the Continuous Diagnostics and Mitigation Program in Sec., 204(a)(1),

- results of the Secretary's assessment of best federal cybersecurity practices pursuant to Sec. 205(a) [Note: That provision refers to standards and policies but not best practices], and

- a list by agency of compliance with Sec. 205(b) requirements.

Requires the Director, within one year of enactment, to submit to HSGAC and HSC a copy of the plan required by Sec. 204(a)(2) and the metrics required by Sec. 204(b).

Sec. 207(a) [see p. 56] terminates the reporting requirements under Sec. 206(c) seven years after enactment.

CISA: Sec. 208. Identification of Information Systems Relating to National Security

(a) In General

Requires, within 180 days of enactment, (1) the DNI and the OMB Director, in coordination with other agency heads, to

- identify unclassified systems that may give an adversary the ability to derive information that would be considered classified,

- assess the risks from breaches of those systems and the costs and mission impacts to agencies from designating such systems as NSS, and

- to report those findings to HSGAC, HSC, and the House and Senate Intelligence Committees.

(b) Form

Requires that the report be unclassified but permits a classified annex.

(c) Exception

Stipulates that the section requirements do not apply to DOD, NSS, or the IC.

(d) Rule of Construction

Stipulates that the section does not designate any system as NSS.

CISA: Sec. 209. Direction to Agencies

(a) In General

Adds a new subsection to 44 U.S.C. 3553 [FISMA]:

'(h) Direction to Agencies'

'(1)' Except for systems described in 44 U.S.C. 3553(d) or (e) [NSS and mission-critical systems of DOD and the IC], permits the Secretary, in response to a substantial known or reasonably suspected threat to agency information security, to issue an emergency directive to the agency head to take lawful actions to protect the system or mitigate the threat.

'(2)' Requires the Secretary to

- establish, in coordination with the OMB Director, procedures on when such a directive may be issued, including criteria, privacy and civil liberties protections, and notice to potentially affected third parties,

- specify the reasons for and duration of the directive,

- minimize impacts by adopting the least intrusive security measures possible for the shortest practicable period,

- notify the OMB Director and the heads of affected agencies immediately upon issuance of a directive,

- consult with the NIST Director about directives implementing NIST standards and guidelines,

- consider applicable standards and guidelines under 40 U.S.C. 11331 and ensure that directives do not conflict with them, and

- submit annually to the appropriate congressional committees a report on the specific actions taken under '(h)(1).'

'(3)' permits the Secretary, notwithstanding 44 U.S.C. 3554 [on federal agency responsibilities under FISMA], to authorize, without delegation, the capabilities under 'Sec. 230(b)(1)' [see p. 53] to ensure the security of agency systems, consistent with applicable law, if the Secretary

- determines that there is an imminent threat to them, an emergency directive is not likely to result in a timely response, and the risk outweighs adverse consequences of action,

- provides notice prior to action to the OMB Director and the head and CIO of affected agencies, and within seven days to the appropriate congressional committees and the authorizing committees for the agencies, including the actions taken, and the reasons for and duration of them, and

- authorizes the use of the capabilities in accordance with advance procedures developed in coordination with the OMB Director and in consultation with federal agency heads and submitted to Congress.

'(4)' limits the actions of the Secretary to "protect[ing] agency information from unauthorized access, use, disclosure, disruption, modification, or destruction" or requiring remediation of or protection against risks to agency information or parts of systems used or operated by an agency or by another organization on its behalf.

'(i) Annual Report to Congress'

Requires an annual report by the OMB Director to the appropriate congressional committees on actions taken under 44 U.S.C. 3553(a)(5) [on overseeing agency compliance with FISMA requirements] and

'(j)' Appropriate Congressional Committees Defined

Defines, in this section, Appropriate Congressional Committees to mean the House and Senate Committees on Appropriations, HSGAC, HSC, the House Committees on Oversight and Government Reform and on Science, Space, and Technology.

(b) Conforming Amendment

Modifies 44 U.S.C. 3554(a(1)(B) [requiring agencies to comply with FISMA requirements] to include the emergency directives under this section.

CISA: Title III. Federal Cybersecurity Workforce Assessment

CISA: Sec. 301. Short Title

Federal Cybersecurity Workforce Assessment Act of 2015

CISA: Sec. 302. Definitions

Defines, in this title,

Appropriate Congressional Committees: The House and Senate Committees on Armed Services and on Intelligence, HSGAC, HSC, the House Committee on Oversight and Government Reform, and the Senate Committee on Commerce, Science, and Transportation.

Director: The Director of the Office of Personnel Management.

Roles: As in the National Initiative for Cybersecurity Education's Cybersecurity Workforce Framework.

CISA: Sec. 303. National Cybersecurity Workforce Measurement Initiative

(a) In General

Requires each agency head to (1) identify all positions in the agency requiring cybersecurity performance or other "cyber-related" functions, and (2) assign the corresponding employment code in accordance with (b). [Note: "Cyber" is not defined in the bill but generally refers broadly to matters associated with information and communications technology.]

(b) Employment Codes

(1) requires the Secretary of Commerce, acting through NIST, to update the NICE Cybersecurity Workforce Framework to include a corresponding coding structure, within 180 days of enactment.

Requires the establishment of procedures to implement the NICE coding structure to identify all federal positions with cyber-related functions,
- by the OPM Director, in coordination with the NIST Director and the DNI, within nine months of enactment for civilian positions,
- by the Secretary of Defense, within 18 months of enactment for noncivilian positions.

Requires the head of each agency within three months after development of those procedures, to

submit a report to appropriate congressional committees of jurisdiction that identifies
- the percentage of personnel with cyber-related functions currently holding appropriate industry-recognized certifications as identified in the NICE framework,
- the level of preparedness of other cyber personnel to take certification exams, and
- a strategy for mitigating gaps with appropriate training and certification.

establish procedures for
- identifying all encumbered and vacant positions with cyber-related functions as defined by the NICE coding structure, and
- assigning appropriate employment codes to each position, using agreed standards and definitions.

(2) requires agency heads to assign codes to each cyber-related position within one year of establishment of those procedures.

(c) Progress Report

Requires the OPM Director to submit a report on implementation of the section to the appropriate congressional committees within 180 days of enactment.

CISA: Sec. 304. Identification of Cyber-Related Roles of Critical Need

(a) In General

Requires agency heads, beginning within one year after their assignment of employment codes and in consultation with the OPM and NIST Directors and the Secretary of Homeland Security, to identify annually critically needed cyber-related workforce roles and to submit to the OPM Director a report describing and substantiating those needs.

(b) Guidance

Requires the OPM Director to provide agencies timely guidance for identifying those roles of critical need, including cyber-related roles with acute and emerging skill shortages.

(c) Cybersecurity Needs Report

Requires the OPM Director, within two years of enactment and in consultation with the Secretary, to identify critical cyber-related workforce needs across all agencies and submit a report on implementation of the section to the appropriate congressional committees.

Sec. 305. Government Accountability Office Status Reports

Requires GAO to analyze and monitor implementation of Secs. 303 and 304, and submit a report describing the status of implementation within three years of enactment.

CISA: Sec. 401. Study on Mobile Device Security

(a) In General

Requires the Secretary, within one year of enactment and in consultation with the NIST Director, to (1) complete a study on security threats to federal mobile devices and (2) submit an unclassified report to Congress, with a classified annex if necessary on findings, along with recommendations, deficiencies, and the plan described in (b).

(b) Matters Studied

Requires the Secretary, in carrying out the study under (a)(1), to

(1) assess the evolution of mobile security techniques from a desktop approach and whether they are adequate to meet current challenges,

(2) assess the effect that threats to federal mobile devices may have on the cybersecurity of federal systems and networks, except for NSS, DOD, and the IC,

(3) develop recommendations, based on industry standards and best practices, to address the threats,

(4) identify deficiencies in current authorities that might inhibit the ability of the Secretary to address the security of federal mobile devices, except for NSS, DOD, and the IC, and

(5) develop a plan for accelerated adoption of secure mobile technology by DHS.

(c) Intelligence Community Defined

Defines intelligence community as in 50 U.S.C. 3003.

CISA: SEC. 406. Federal Computer Security

(a) Definitions

Defines, in this section,

Covered System: As in 40 U.S.C. 11103 or a federal system providing access to personally identifiable information.

Covered Agency: An agency operating a covered system.

Logical Access Control: "A process of granting or denying specific requests to obtain and use information and related information processing services."

Multi-Factor Logical Access Controls: Two of more of
- information known to a user,
- an access device provided to a user, and
- a unique biometric characteristic of a user.

Privileged User: "A user who, by virtue of function or seniority, has been allocated powers within a covered system, which are significantly greater than those available to a majority of users."

(b) Inspector General Reports on Covered Systems

(1) requires the IG of each covered agency to submit, within 240 days of enactment, a report to the appropriate congressional committees of jurisdiction, including information described in (2).

(2) requires that the report include, for covered systems in the agency, descriptions of
- the logical access standards used by the agency, including an aggregate list and whether the agency is using multi-factor controls,
- the logical access controls for privileged users,
- for agencies not using such controls, the reasons they are not being used,
- data security management practices, including policies and procedures used to conduct software inventories and associated licenses, capabilities used to monitor and detect threats, including data loss prevention and digital rights management, how the agency is using those capabilities, and reasons why not for agencies not using them, and
- policies and procedures to ensure that entities providing services are implementing the data management practices.

(3) permits the reports to be based on other reports, audits, or evaluations, and to be submitted as parts of other reports.

(4) requires that the reports be unclassified but permits a classified annex.

Critical Infrastructure Cybersecurity

NCPAA: Sec. 206. Cyber Incident Response Plans

(a) In General

Amends Sec. 227 of the HSA to change "Plan" to "Plans" in the title, to specify the U/S-CIP as the responsible official, and to add a new subsection:

'(b) Updates to the Cyber Incident Annex to the National Response Framework'

Requires the Secretary, in coordination with other agency heads and in accordance with the National Cybersecurity Incident Response Plan, to update, maintain, and exercise regularly the Cyber Incident Annex to the DHS National Response Framework.

(b) Clerical Amendment

Amends the table of contents of the act to reflect the title change made by (a).

NCPAA: Sec. 208. Critical Infrastructure Protection Research and Development

(a) Strategic Plan; Public-Private Consortiums

Adds a new section to the HSA:

'Sec. 318. Research and Development Strategy for Critical Infrastructure Protection'

'(a) In General'

Requires the Secretary to submit to Congress within 180 days of enactment, and biennially thereafter, a strategic plan to guide federal R&D in technology relating to both cyber- and physical security for CI.

'(b) Contents of Plan'

Requires the plan to include
- CI risks and technology gaps identified in consultation with stakeholders and a resulting risk and gap analysis,
- prioritized needs based on that analysis, emphasizing technologies to address rapidly evolving threats and technology and including clearly defined roadmaps,
- facilities and capabilities required to meet those needs,
- current and planned programmatic initiatives to foster technology advancement and deployment, including collaborative opportunities, and
- progress on meeting plan requirements.

'(c) Coordination'

Requires coordination between the DHS Under Secretaries for Science and Technology and for the National Protection and Programs Directorate. [Note: Sec. 205 renames the latter position as the U/S-CIP.]

'(d) Consultation'

Requires the Under Secretary for Science and Technology to consult with CI Sector Coordinating Councils, heads of other relevant federal agencies, and state, local, and tribal governments as appropriate.

(b) Clerical Amendment

Amends the table of contents of the act to include the new section.

NCPAA: Sec. 211. Consultation

Requires a report from the U/S-CIP on the feasibility of a prioritization plan in the event of simultaneous multi-CI incidents.

NCPAA: Sec. 212. Technical Assistance

Requires the DHS IG to review US-CERT and ICS-CERT operations to assess their capacity for responding to current and potentially increasing requests for technical assistance from nonfederal entities.

NPAA: Sec. 218. Report on Cybersecurity Vulnerabilities of United States Ports

Requires a report with recommendations from the Secretary to HSC, HSGAC, House Committee on Transportation and Infrastructure, and Senate Committee on Commerce, Science, and Transportation within 180 days of enactment on cybersecurity vulnerabilities for the ten ports that the Secretary determines are at greatest risk of an incident.

NPAA: Sec. 219. Report on Cybersecurity and Critical Infrastructure

Authorizes the Secretary to consult with sector-specific entities on a report to HSC and HSGAC on federally funded cybersecurity R&D with private-sector efforts to protect privacy and civil liberties while protecting CI, including promoting R&D for secure and resilient design and construction, enhanced modeling of impacts from incidents or threats, and facilitating incentivization of investments to strengthen cybersecurity and resilience of CI.

CISA: SEC. 405. Improving Cybersecurity in the Health Care Industry

(a) Definitions

Defines, in the section,

Business Associate, Covered Entity Health Care Clearinghouse; Health Care Provider; and Health Plan: As in 45 C.F.R. 160.103.

Health Care Industry Stakeholder: Any of the following—a health plan, health care clearinghouse, health care provider, patient advocate, pharmacist, developer of health information technology, laboratory, pharmaceutical or medical device manufacturer, or other stakeholder as determined necessary by the HHS Secretary for purposes of (d)(1), (d)(3), or (e).

Secretary: The HHS Secretary.

(b) Report

Requires the HHS Secretary, within one year of enactment, to submit to the Senate Committee on Health, Education, Labor, and Pensions and the House Committee on Energy and Commerce a report on the preparedness of the health care industry for responding to cybersecurity threats.

(c) Contents of Report

Requires that the report include, with respect to the internal response of the HHS Department to emerging cybersecurity threats,

(1) identification of the HHS official responsible for leading and coordinating departmental efforts regarding industry threats, and

(2) a plan for each relevant departmental division and subdivision on how they will address such threats, including communication among with other divisions and subdivisions on efforts to address the threats and division of responsibilities among personnel.

(d) Health Care Industry Cybersecurity Task Force

(1) requires the HHS Secretary, within 60 days of enactment and in consultation with the NIST Director and the Secretary of Homeland Security, to convene health care industry stakeholders, cybersecurity experts, and appropriate federal entities as determined by the HHS Secretary to establish a task force to
- analyze how other industries have implemented cybersecurity strategies and safeguards,
- analyze challenges and barriers faced by private entities (but not including state, tribal, or local governments) in the health care industry in securing against cyberattacks,
- review challenges faced by covered entities and business associates in securing networked medical devices and other software and systems connecting to electronic health records,
- provide the HHS Secretary with information to disseminate to stakeholders for improving their preparedness and responses to cybersecurity threats affecting the health care industry, which (3) the Secretary must disseminate with 60 days after termination of the task force,
- (1) establish a plan to create a single federal system for sharing information on actionable intelligence regarding such threats in near real time, with no fee to recipients, and including which entity may be best suited to serve as the central conduit for such sharing, and
- report to Congress on the findings and recommendations of the task force.

(2) terminates the task force one year after enactment.

(4) Stipulates that (d) does not limit the antitrust exemptions under Sec. 104(e) or liability protections under Sec. 106.

(e) Cybersecurity Framework

(1) requires the HHS Secretary to establish, through a collaborative process with the Secretary of Homeland Security, health care industry stakeholders, NIST, and other federal entities the HHS Secretary determines appropriate, a single, national, health-specific cybersecurity framework that
- establishes a common set of voluntary, consensus-based, and industry-led standards and other measures for cost-effectively reducing cybersecurity risks to health care organizations,
- supports voluntary adoption and implementation efforts,
- is consistent with security and privacy regulations under relevant provisions of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act, and
- is updated regularly and applicable to a range of health care organizations.

(2) Stipulates that (e) does not grant the HHS Secretary authority to audit health care organizations for compliance with the voluntary framework or to mandate, direct, or condition awarding of federal grants, contracts, or purchases on such compliance.

(3) stipulates that nothing in the title subjects health care organizations to liability for choosing not to engage in the voluntary activities under (e).

CISA: Sec. 407. Strategy to Protect Critical Infrastructure at Greatest Risk

(a) Definitions

Defines, in this section,

Appropriate Agency: The applicable sector-specific agency or the federal entity that regulates a covered entity.

Appropriate Agency Head: the head of an appropriate agency.

Covered Entity: An entity identified pursuant to Sec. 9(a) of Executive Order 13636, on identifying CI where a cybersecurity incident could result in catastrophic effects.

Appropriate Congressional Committees: The House and Senate Intelligence Committees, HSGAC, HSC, The Senate Committees on Energy and Natural Resources and on Commerce, Science, and Transportation, and the House Energy and Commerce Committee.

Secretary: the Secretary of Homeland Security

(b) Status of Existing Cyber Incident Reporting

(1) requires the Secretary, within 120 days of enactment and in conjunction with the appropriate agency head, to submit to the appropriate congressional committees the extent to which each covered entity reports to DHS or the appropriate agency head in a timely manner significant intrusions of information systems essential to the operation of CI.

(2) permits the report to include a classified annex.

(c) Mitigation Strategy Required for Critical Infrastructure at Greatest Risk

(1) requires the Secretary, within 180 days of enactment and in conjunction with the appropriate agency head, to conduct an assessment and develop a strategy addressing each covered entity to ensure that, to the greatest extent feasible, a cybersecurity incident affecting the entity would not reasonably result in catastrophic effects.

(2) requires the strategy to include
- an assessment of whether each entity should be required to report incidents,
- a description of security gaps identified that must be addressed, and
- additional statutory authority needed to reduce the likelihood of an incident with catastrophic effects.

(3) requires the Secretary to submit the assessment and strategy to the appropriate congressional committees.

(4) permits the assessment and strategy to include classified annexes.

Other Cybersecurity Provisions

CISA: SEC. 402. Department of State International Cyberspace Policy Strategy

(a) In General

Requires the Secretary of State to produce a comprehensive strategy on U.S. international cyberspace policy within 90 days of enactment.

(b) Elements

Requires that the strategy include

(1) a review of the actions and activities of the secretary of state supporting the goal of the president's 2011 International Strategy for Cyberspace,

(2) an action plan to guide diplomacy by the Secretary of State, including activities with foreign countries to develop norms for behavior, and review of existing discussions in multilateral for a to obtain agreements on such norms,

(3) a review of alternative concepts on norms offered by prominent countries, including China, Russia, Brazil, and India,

(4) a detailed description of threats to U.S. national security in cyberspace, including infrastructure, intellectual property, and privacy, from countries and state-sponsored and private actors,

(5) a review of policy tools available to the President to deter such actors, including those in Executive Order 13694, and

(6) a review of the Office of the Coordinator for Cyber Issues and other resources required by the Secretary of State to conduct norm-building activities.

(c) Consultation

Requires the Secretary of State, in preparing the strategy, to consult with other federal agencies, the private sector, and U.S. nongovernmental organizations with recognized foreign policy, national security, and cybersecurity credentials and expertise.

(d) Form of Strategy

Requires that the strategy be unclassified but permits a classified annex.

(e) Availability of Information

Requires the Secretary of State to (1) make the strategy publicly available and (2) brief the Senate Foreign Relations and House Foreign Affairs Committees on it, including any material in a classified annex.

CISA: Sec. 403. Apprehension and Prosecution of International Cyber Criminals

(a) International Cyber Criminal Defined

Defines, in this section,

International Cyber Criminal: An individual (1) who is believed to have committed a cybercrime or intellectual property crime against U.S. interests or citizens, or (2) for whom a U.S. arrest warrant has been issued or an international wanted notice has been circulated by Interpol.

(b) Consultations for Noncooperation

Requires the Secretary of State or designee to consult with appropriate government officials of countries in which international cyber criminals are physically present and from which extradition is not likely, to determine what actions those governments have taken to apprehend and prosecute the criminals and to prevent them from criminal activities against U.S. interests or citizens.

(c) Annual Report

(1) requires the Secretary of State to submit an annual report to (3) the House and Senate Appropriations, Intelligence, and Judiciary Committees, the House Foreign Affairs and Senate Foreign Relations Committees, HSC, HSGAC, the House Banking, Housing, and Urban Affairs Committee, and the Senate Financial Services Committee, including (1)
- the number of international cyber criminals located in other countries, by country, and noting from which ones extradition is not likely,
- the nature and number of significant discussions by State Department officials with officials of other countries, including the names of those countries, on ways to thwart or prosecute such criminals, and
- the names, crimes charged, country of extradition, and country of previous residence for each such criminal extradited to the United States in the previous year, and

(2) requires that the report be unclassified to the maximum extent possible but permits a classified annex.

CISA: Sec. 408. Stopping the Fraudulent Sale of Financial Information of People of the United States

Amends 18 U.S.C. 1029(h) by broadening the entities for which an offense against them is covered to include any organized under laws of the United States, states, the District of Columbia, or U.S. territories, and by deleting the requirement that the offense involve articles used to assist in committing it that are within or pass through U.S. jurisdiction.