Subscribe to ODNI news via emailSubscribe via RSStumblr offtwitter off 2Like ODNI on FacebookView ODNI photos on FlickrVisit ODNI’s YouTube Channelscribd off

DNI

Ref Book - Presidential Memorandum: National Insider Threat Policy & Minimum Standards for Insider Threat Program

Thursday, October 27, 2016

PM: NITP & Minimum Standards for ITP

> Back to the Table of Contents <

PRESIDENTIAL MEMORANDUM:
NATIONAL INSIDER THREAT POLICY AND MINIMUM STANDARDS
FOR EXECUTIVE BRANCH INSIDER THREAT PROGRAMS

MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

SUBJECT: National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs

This Presidential Memorandum transmits the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (Minimum Standards) to provide direction and guidance to promote the development of effective insider threat programs within departments and agencies to deter, detect, and mitigate actions by employees who may represent a threat to national security. These threats encompass potential espionage, violent acts against the Government or the Nation, and unauthorized disclosure of classified information, including the vast amounts of classified data available on interconnected United States Government computer networks and systems.

The Minimum Standards provide departments and agencies with the minimum elements necessary to establish effective insider threat programs. These elements include the capability to gather, integrate, and centrally analyze and respond to key threat-related information; monitor employee use of classified networks; provide the workforce with insider threat awareness training; and protect the civil liberties and privacy of all personnel.

The resulting insider threat capabilities will strengthen the protection of classified information across the executive branch and reinforce our defenses against both adversaries and insiders who misuse their access and endanger our national security.

BARACK OBAMA
November 21, 2012

NATIONAL INSIDER THREAT POLICY

The National Insider Threat Policy aims to strengthen the protection and safeguarding of classified information by: establishing common expectations; institutionalizing executive branch best practices; and enabling flexible implementation across the executive branch.

A. Policy

Executive Order 13587 directs United States Government executive branch departments and agencies (departments and agencies) to establish, implement, monitor, and report on the effectiveness of insider threat programs to protect classified national security information (as defined in Executive Order 13526; hereinafter classified information), and requires the development of an executive branch program for the deterrence, detection, and mitigation of insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure. Executive Order 12968 promulgates classified information access eligibility policy and establishes a uniform Federal personnel security program for employees considered for initial or continued access to classified information. Consistent with Executive Orders 13587 and 12968, this policy is applicable to all executive branch departments and agencies with access to classified information, or that operate or access classified computer networks; all employees with access to classified information, including classified computer networks (and including contractors and others who access classified information, or operate or access classified computer networks controlled by the federal government); and all classified information on those networks.

This policy leverages existing federal laws, statutes, authorities, policies, programs, systems, architectures and resources in order to counter the threat of those insiders who may use their authorized access to compromise classified information. Insider threat programs shall employ risk management principles, tailored to meet the distinct needs, mission, and systems of individual agencies, and shall include appropriate protections for privacy, civil rights, and civil liberties.

B. General Responsibilities of Departments and Agencies

  1. Within 180 days of the effective date of this policy, establish a program for deterring, detecting, and mitigating insider threat; leveraging counterintelligence (CI), security, information assurance, and other relevant functions and resources to identify and counter the insider threat.
  2. Establish an integrated capability to monitor and audit information for insider threat detection and mitigation. Critical program requirements include but are not limited to: (1) monitoring user activity on classified computer networks controlled by the Federal Government; (2) evaluation of personnel security information; (3) employee awareness training of the insider threat and employees' reporting responsibilities; and (4) gathering information for a centralized analysis, reporting, and response capability.
  3. Develop and implement sharing policies and procedures whereby the organization's insider threat program accesses, shares, and integrates information and data derived from offices across the organization, including CI, security, information assurance, and human resources offices.
  4. Designate a senior official(s) with authority to provide management, accountability, and oversight of the organization's insider threat program and make resource recommendations to the appropriate agency official.
  5. Consult with records management, legal counsel, and civil liberties and privacy officials to ensure any legal, privacy, civil rights, civil liberties issues (including use of personally identifiable information) are appropriately addressed.
  6. Promulgate additional department and agency guidance, if needed, to reflect unique mission requirements, but not inhibit meeting the minimum standards issued by the Insider Threat Task Force (ITTF) pursuant to this policy.
  7. Perform self-assessments of compliance with insider threat policies and standards; the results of which shall be reported to the Senior Information Sharing and Safeguarding Steering Committee (hereinafter Steering Committee).
  8. Enable independent assessments, in accordance with Section 2.1(d) of Executive Order 13587, of compliance with established insider threat policy and standards by providing information and access to personnel of the ITTF.

C. Insider Threat Task Force roles and responsibilities

The JTIF, established under Executive Order 13587, is the principal interagency task force responsible for developing an executive branch insider threat detection and prevention program to be implemented by all departments and agencies covered by this policy. This program shall include development of policies, objectives, and priorities for establishing and integrating security, counterintelligence, user audits and monitoring, and other safeguarding capabilities and practices within departments and agencies.

The ITIF shall:

  1. In coordination with appropriate agencies, develop and issue minimum standards and guidance for implementing insider threat program capabilities throughout the executive branch. These standards shall include, but are not limited to, the following:
    • Monitoring of user activity on United States Government networks. This refers to audit data collection strategies for insider threat detection, leveraging hardware and/or software with triggers deployed on classified networks to detect, monitor, and analyze anomalous user behavior for indicators of misuse.
    • Continued evaluation of personnel security information whereby information is gathered from, including but not limited to, an individual's security background investigation, clearance adjudication, foreign travel reporting, foreign contact reporting, financial disclosure, polygraph examination results (where applicable) or other personnel actions, and made available to authorized insider threat program personnel to assess, in conjunction with anomalous user behavior data, and/or any other insider threat concern or allegation.
    • Employee awareness training of the insider threat, the inherent risk posed to classified information by malicious insiders and, specifically, recognition of insider threat behaviors; developing a reporting structure to ensure all employees and contractors report suspected insider threat activity consistently and securely; informing employees, subject to monitoring, of the policies and processes in place to protect their privacy, civil rights, and civil liberties rights against unnecessary monitoring (to include retaliation against whistleblowers); and, ensuring employee awareness of their responsibility to report, as well as how and to whom to report, suspected insider threat activity.
    • Analysis, Reporting and Response: gathering and integrating available information to conduct a preliminary review of any potential insider threat issues; and, where it appears a potential threat may exist, taking action by referring the matter as appropriate to CI, security, information assurance, the Office of Inspector General, or to the proper law enforcement authority.
  2. Review and update ITTF standards and guidance, as appropriate.
  3. Provide continual assistance to departments and agencies to establish and/or improve insider threat detection and prevention programs. The nature of assistance will involve a collaborative process wherein subject matter expert(s) provide expertise, guidance, and advice through various forums including on site visits.
  4. Conduct independent assessments at individual organizations, as directed by the Steering Committee and in coordination with Executive Agent for Safeguarding (EA/S) and the Classified Information Sharing and Safeguarding Office (CISSO) established by Executive Order 13587, to determine the level of organizational compliance with this policy and minimum insider threat standards.
  5. Use the results of relevant insider threat data sources to include, but not limited to, the agency's Key Information Sharing and Safeguarding Indicators self-assessments, applicable portions of the Office of the National Counterintelligence Executive Mission Reviews and Program Assessments, and the results of assistance visits and independent assessments to determine the adequacy of insider threat programs at individual agencies, and Government-wide.
  6. Coordinate with the Information Security Oversight Office (ISOO), EA/S, and the CISSO to report results of independent assessments to the Steering Committee for use in the annual reports submitted to the President assessing the executive branch's effectiveness in implementing insider threat programs, and to inform related program and budget recommendations.
  7. Refer to the Steering Committee for resolution any unresolved issues delaying the timely development and issuance of minimum standards.
  8. Provide strategic analysis of new and continuing insider threat challenges facing the United States Government.

D. Definitions

Classified information: Information that has been determined pursuant to Executive Order 13526, or any successor order, Executive Order 12951, or any successor order, or the Atomic Energy Act of 1954 (42 U.S.C. 2011), to require protection against unauthorized disclosure and that is marked to indicate its classified status when in documentary form.

Counterintelligence: Information gathered and activities conducted to identify, deceive, exploit, disrupt or protect against espionage, or other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities. (Executive Order 12333, as amended)

Departments and agencies: Any "Executive agency," as defined in 5 U.S.C. 105; any "Military department" as defined in 5 U.S.C. 102; any "independent establishment," as defined in 5 U.S.C. 104(1).

Employee: For purposes of this policy, "employee" has the meaning provided in section 1.1(e) of Executive Order 12968; specifically: a person, other than the President and Vice President, employed by, detailed or assigned to, a department or agency, including members of the Armed Forces; an expert or consultant to a department or agency; an industrial or commercial contractor, licensee, certificate holder, or grantee of a department or agency, including all subcontractors; a personal services contractor; or any other category of person who acts for or on behalf of a department or agency as determined by the appropriate department or agency head.

Insider: Any person with authorized access to any United States Government resource to include personnel, facilities, information, equipment, networks or systems.

Insider Threat: The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities.

Key Information Sharing and Safeguarding Indicators: The Steering Committee developed these key performance indicators to serve as the basis for addressing reporting requirements directed by the President, and to assist in tracking progress and identifying areas for attention or additional funding to continue and strengthen the sharing and safeguarding of classified information on computer networks.

E. General Provisions

Nothing in this policy shall be construed to supersede or change the requirements of the National Security Act of 1947, as amended; the Atomic Energy Act of 1954, as amended; the Intelligence Reform and Terrorism Prevention Act of 2004; Executive Order 12333, as amended (2008); Executive Order 13467, (2008); Executive Order 13526, (2009); Executive Order 12829, as amended, (1993); Executive Order 13549 (2010); and Executive Order 12968, (1995) and their successor orders or directives.

MINIMUM STANDARDS FOR EXECUTIVE BRANCH INSIDER THREAT PROGRAMS

A. AUTHORITY: Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information; Executive Order 12968, Access to Classified Information; National Policy on Insider Threat.


B. PURPOSE

  1. Executive Order 13587 establishes the Insider Threat Task Force, co-chaired by the Director of National Intelligence and the Attorney General, and requires, in coordination with appropriate agencies, the development of minimum standards and guidance for implementation of a government-wide insider threat policy. This policy provides those minimum requirements and guidance for executive branch insider threat detection and prevention programs.
  2. Insider threat programs are intended to: deter cleared employees from becoming insider threats; detect insiders who pose a risk to classified information; and mitigate the risks through administrative, investigative or other response actions as outlined in Section E.2.
  3. The standards herein shall serve as minimum requirements for all applicable executive branch agencies. Nothing in this document shall be construed to supersede existing or future Intelligence Community or Department of Defense policy, which may impose more stringent requirements beyond these minimum standards for insider threat programs. Agencies may establish additional standards, provided that they are not inconsistent with the requirements contained herein.
  4. Agency heads are ultimately responsible for the establishment and operations of their respective insider threat programs. Designated senior official(s), as described in Section D, shall be responsible for implementing the minimum standards contained herein.

C. APPLICABILITY: These standards shall apply to any “executive agency,” as defined in 5 U.S.C. §105; any “military department” as defined in 5 U.S.C. §102; any “independent Establishment” as defined in 5 U.S.C. §104(1); any intelligence community element as defined in Executive Order 12333.

D. DESIGNATION OF SENIOR OFFICIAL(S): Each agency head shall designate a senior official or officials, who shall be principally responsible for establishing a process to gather, integrate, and centrally analyze, and respond to Counterintelligence (CI), Security, Information Assurance (IA), Human Resources (HR), Law Enforcement (LE), and other relevant information indicative of a potential insider threat. Senior Official(s) shall:

  1. Provide management and oversight of the insider threat program and provide resource recommendations to the agency head.
  2. Develop and promulgate a comprehensive agency insider threat policy to be approved by the agency head within 180 days of the effective date of the National Insider Threat Policy. Agency policies shall include internal guidelines and procedures for the implementation of the standards contained herein.
  3. Submit to the agency head an implementation plan for establishing an insider threat program and annually thereafter a report regarding progress and/or status within that agency. At a minimum, the annual reports shall document annual accomplishments, resources allocated, insider threat risks to the agency, recommendations and goals for program improvement, and major impediments or challenges.
  4. Ensure the agency's insider threat program is developed and implemented in consultation with that agency's Office of General Counsel and civil liberties and privacy officials so that all insider threat program activities to include training are conducted in accordance with applicable laws, whistleblower protections, and civil liberties and privacy policies.
  5. Establish oversight mechanisms or procedures to ensure proper handling and use of records and data described below, and ensure that access to such records and data is restricted to insider threat personnel who require the information to perform their authorized functions.
  6. Ensure the establishment of guidelines and procedures for the retention of records and documents necessary to complete assessments required by Executive Order 13587.
  7. Facilitate oversight reviews by cleared officials designated by the agency head to ensure compliance with insider threat policy guidelines, as well as applicable legal, privacy and civil liberty protections.

E. INFORMATION INTEGRATION, ANALYSIS AND RESPONSE: Agency heads shall:

1. Build and maintain an insider threat analytic and response capability to manually and/or electronically gather, integrate, review, assess, and respond to information derived from CI, Security, IA, HR, LE, the monitoring of user activity, and other sources as necessary and appropriate.

2. Establish procedures for insider threat response action(s), such as inquiries, to clarify or resolve insider threat matters while ensuring that such response action(s) are centrally managed by the insider threat program within the agency or one of its subordinate entities.

3. Develop guidelines and procedures for documenting each insider threat matter reported and response action(s) taken, and ensure the timely resolution of each matter.

F. INSIDER THREAT PROGRAM PERSONNEL: Agency heads shall ensure personnel assigned to the insider threat program are fully trained in:

1. Counterintelligence and security fundamentals to include applicable legal issues;

2. Agency procedures for conducting insider threat response action(s);

3. Applicable laws and regulations regarding the gathering, integration, retention, safeguarding, and use of records and data, including the consequences of misuse of such information;

4. Applicable civil liberties and privacy laws, regulations, and policies; and

5. Investigative referral requirements of Section 811 of the Intelligence Authorization Act for FY 1995, as well as other policy or statutory requirements that require referrals to an internal entity, such as a security office or Office of Inspector General, or external investigative entities such as the Federal Bureau of Investigation, the Department of Justice, or military investigative services.

G. ACCESS TO INFORMATION: Agency heads shall:

  1. Direct CI, Security, IA, HR, and other relevant organizational components to securely provide insider threat program personnel regular, timely, and, if possible, electronic access to the information necessary to identify, analyze, and resolve insider threat matters. Such access and information includes, but is not limited to, the following:
    1. Counterintelligence and Security. All relevant databases and files to include, but not limited to, personnel security files, polygraph examination reports, facility access records, security violation files, travel records, foreign contact reports, and financial disclosure filings.
    2. Information Assurance. All relevant unclassified and classified network information generated by IA elements to include, but not limited to, personnel usernames and aliases, levels of network access, audit data, unauthorized use of removable media, print logs, and other data needed for clarification or resolution of an insider threat concern.
    3. Human Resources. All relevant HR databases and files to include, but not limited to, personnel files, payroll and voucher files, outside work and activities requests disciplinary files, and personal contact records, as may be necessary for resolving or clarifying insider threat matters.
  2. Establish procedures for access requests by the insider threat program involving particularly sensitive or protected information, such as information held by special access, law enforcement, inspector general, or other investigative sources or programs, which may require that access be obtained upon request of the Senior Official(s).
  3. Establish reporting guidelines for CI, Security, IA, HR, and other relevant organizational components to refer relevant insider threat information directly to the insider threat program.
  4. Ensure insider threat programs have timely access, as otherwise permitted, to available United States Government intelligence and counterintelligence reporting information and analytic products pertaining to adversarial threats.

H. MONITORING USER ACTIVITY ON NETWORKS: Agency heads shall ensure insider threat programs include:

  1. Either internally or via agreement with external agencies, the technical capability, subject to appropriate approvals, to monitor user activity on all classified networks in order to detect activity indicative of insider threat behavior. When necessary, Service Level Agreements (SLAs) shall be executed with all other agencies that operate or provide classified network connectivity or systems. SLAs shall outline the capabilities the provider will employ to identify suspicious user behavior and how that information shall be reported to the subscriber's insider threat personnel.
  2. Policies and procedures for properly protecting, interpreting, storing, and limiting access to user activity monitoring methods and results to authorized personnel.
  3. Agreements signed by all cleared employees acknowledging that their activity on any agency classified or unclassified network, to include portable electronic devices, is subject to monitoring and could be used against them in a criminal, security, or administrative proceeding. Agreement language shall be approved by the Senior Official(s) in consultation with legal counsel.
  4. Classified and unclassified network banners informing users that their activity on the network is being monitored for lawful United States Government-authorized purposes and can result in criminal or administrative actions against the user. Banner language shall be approved by the Senior Official(s) in consultation with legal counsel.

I. EMPLOYEE TRAINING AND AWARENESS: Agency heads shall ensure insider threat programs:

  1. Provide insider threat awareness training, either in-person or computer-based, to all cleared employees within 30 days of initial employment, entry-on-duty (EOD), or following the granting of access to classified information, and annually thereafter. Training shall address current and potential threats in the work and personal environment, and shall include, at a minimum, the following topics:
    1. The importance of detecting potential insider threats by cleared employees and reporting suspected activity to insider threat personnel or other designated officials;
    2. Methodologies of adversaries to recruit trusted insiders and collect classified information;
    3. Indicators of insider threat behavior and procedures to report such behavior; and
    4. Counterintelligence and security reporting requirements, as applicable.
  2. Verify that all cleared employees have completed the required insider threat awareness training contained in these standards.
  3. Establish and promote an internal network site accessible to all cleared employees to provide insider threat reference material, including indicators of insider threat behavior, applicable reporting requirements and procedures, and provide a secure electronic means of reporting matters to the insider threat program.

J. DEFINITIONS

“Agency Head” means the head of any: “executive agency,” as defined in 5 U.S.C. § 105; “military department” as defined in 5 U.S.C. § 102; “independent establishment” as defined in 5 U.S.C. § 104; intelligence community element as defined in Executive Order 12333; and any other entity within the executive branch that comes into the possession of classified information.

“Classified Information” means information that has been determined pursuant to Executive Order 13526, or the Atomic Energy Act of 1954 (42 U.S.C. §2162), to require protection against unauthorized disclosure and that it is marked to indicate its classified status when in documentary form.

“Cleared Employee” means a person who has been granted access to classified information, other than the President and Vice President, employed by, or detailed or assigned to, a department or agency, including members of the Armed Forces; an expert or consultant to a department or agency; an industrial or commercial contractor, licensee, certificate holder, or grantee of a department or agency including all subcontractors; a personal services contractor; or any other category of person who acts for or on behalf of a department or agency as determined by the appropriate department or agency head.

“Insider Threat” means the threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the security of United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities.

“Insider Threat Response Action(s)” means activities to ascertain whether certain matters or information indicates the presence of an insider threat, as well as activities to mitigate the threat. Such an inquiry or investigation can be conducted under the auspices of CI, Security, LE, or IG elements depending on statutory authority and internal policies governing the conduct of such in each agency.

“Subordinate Entity” means an office, command, or similar organization, subordinate to the agency, which manages its own insider threat program.

> Back to the Table of Contents <

Ref Book - Committee on Foreign Investment in the U.S.

Monday, October 24, 2016

Committee on Foreign Investment in the U.S.

> Back to the Table of Contents <

AUTHORITY TO REVIEW CERTAIN MERGERS, ACQUISITIONS, AND TAKEOVERS

50 U.S.C. § 4565:

(a) DEFINITIONS.—For purposes of this section, the following definitions shall apply:

  1. Committee; chairperson.—The terms "Committee" and "chairperson" mean the Committee on Foreign Investment in the United States and the chairperson thereof, respectively.
  2. Control.—The term "control" has the meaning given to such term in regulations which the Committee shall prescribe.
  3. Covered transaction.—The term "covered transaction" means any merger, acquisition, or takeover that is proposed or pending after August 23, 1988, by or with any foreign person which could result in foreign control of any person engaged in interstate commerce in the United States.
  4. Foreign government-controlled transaction.—The term "foreign government-controlled transaction" means any covered transaction that could result in the control of any person engaged in interstate commerce in the United States by a foreign government or an entity controlled by or acting on behalf of a foreign government.
  5. Clarification.—The term "national security" shall be construed so as to include those issues relating to "homeland security", including its application to critical infrastructure.
  6. Critical infrastructure.—The term "critical infrastructure" means, subject to rules issued under this section, systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security.
  7. Critical technologies.—The term "critical technologies" means critical technology, critical components, or critical technology items essential to national defense, identified pursuant to this section, subject to regulations issued at the direction of the President, in accordance with subsection (h).
  8. Lead agency.—The term "lead agency" means the agency, or agencies, designated as the lead agency or agencies pursuant to subsection (k)(5) for the review of a transaction.
(b) NATIONAL SECURITY REVIEWS AND INVESTIGATIONS.—

  1. National security reviews.—
    1. In general.—Upon receiving written notification under subparagraph (C) of any covered transaction, or pursuant to a unilateral notification initiated under subparagraph (D) with respect to any covered transaction, the President, acting through the Committee—
      1. shall review the covered transaction to determine the effects of the transaction on the national security of the United States; and
      2. shall consider the factors specified in subsection (f) for such purpose, as appropriate.
    2. Control by foreign government.—If the Committee determines that the covered transaction is a foreign government-controlled transaction, the Committee shall conduct an investigation of the transaction under paragraph (2).
    3. Written notice.—
      1. In general.—Any party or parties to any covered transaction may initiate a review of the transaction under this paragraph by submitting a written notice of the transaction to the Chairperson of the Committee.
      2. Withdrawal of notice.—No covered transaction for which a notice was submitted under clause (i) may be withdrawn from review, unless a written request for such withdrawal is submitted to the Committee by any party to the transaction and approved by the Committee.
      3. Continuing discussions.—A request for withdrawal under clause (ii) shall not be construed to preclude any party to the covered transaction from continuing informal discussions with the Committee or any member thereof regarding possible resubmission for review pursuant to this paragraph.
    4. Unilateral initiation of review.—Subject to subparagraph (F), the President or the Committee may initiate a review under subparagraph (A) of—
      1. any covered transaction;
      2. any covered transaction that has previously been reviewed or investigated under this section, if any party to the transaction submitted false or misleading material information to the Committee in connection with the review or investigation or omitted material information, including material documents, from information submitted to the Committee; or
      3. any covered transaction that has previously been reviewed or investigated under this section, if—
        1. any party to the transaction or the entity resulting from consummation of the transaction intentionally materially breaches a mitigation agreement or condition described in subsection (l)(1)(A);
        2. such breach is certified to the Committee by the lead department or agency monitoring and enforcing such agreement or condition as an intentional material breach; and
        3. the Committee determines that there are no other remedies or enforcement tools available to address such breach.
    5. Timing.—Any review under this paragraph shall be completed before the end of the 30-day period beginning on the date of the acceptance of written notice under subparagraph (C) by the chairperson, or beginning on the date of the initiation of the review in accordance with subparagraph (D), as applicable.
    6. Limit on delegation of certain authority.—The authority of the Committee to initiate a review under subparagraph (D) may not be delegated to any person, other than the Deputy Secretary or an appropriate Under Secretary of the department or agency represented on the Committee.
  2. National security investigations.—
    1. In general.—In each case described in subparagraph (B), the Committee shall immediately conduct an investigation of the effects of a covered transaction on the national security of the United States, and take any necessary actions in connection with the transaction to protect the national security of the United States.
    2. Applicability.—Subparagraph (A) shall apply in each case in which-
      1. a review of a covered transaction under paragraph (1) results in a determination that—
        1. the transaction threatens to impair the national security of the United States and that threat has not been mitigated during or prior to the review of a covered transaction under paragraph (1);
        2. the transaction is a foreign government-controlled transaction; or
        3. the transaction would result in control of any critical infrastructure of or within the United States by or on behalf of any foreign person, if the Committee determines that the transaction could impair national security, and that such impairment to national security has not been mitigated by assurances provided or renewed with the approval of the Committee, as described in subsection (l), during the review period under paragraph (1); or
      2. the lead agency recommends, and the Committee concurs, that an investigation be undertaken.
    3. Timing.—Any investigation under subparagraph (A) shall be completed before the end of the 45-day period beginning on the date on which the investigation commenced.
    4. Exception.—
      1. In general.—Notwithstanding subparagraph (B)(i), an investigation of a foreign government-controlled transaction described in subclause (II) of subparagraph (B)(i) or a transaction involving critical infrastructure described in subclause (III) of subparagraph (B)(i) shall not be required under this paragraph, if the Secretary of the Treasury and the head of the lead agency jointly determine, on the basis of the review of the transaction under paragraph (1), that the transaction will not impair the national security of the United States.
      2. Nondelegation.—The authority of the Secretary or the head of an agency referred to in clause (i) may not be delegated to any person, other than the Deputy Secretary of the Treasury or the deputy head (or the equivalent thereof) of the lead agency, respectively.
    5. Guidance on certain transactions with national security implications.—The Chairperson shall, not later than 180 days after the effective date of the Foreign Investment and National Security Act of 2007, publish in the Federal Register guidance on the types of transactions that the Committee has reviewed and that have presented national security considerations, including transactions that may constitute covered transactions that would result in control of critical infrastructure relating to United States national security by a foreign government or an entity controlled by or acting on behalf of a foreign government.
  3. Certifications to Congress.—
    1. Certified notice at completion of review.—Upon completion of a review under subsection (b) that concludes action under this section, the chairperson and the head of the lead agency shall transmit a certified notice to the members of Congress specified in subparagraph (C)(iii).
    2. Certified report at completion of investigation.—As soon as is practicable after completion of an investigation under subsection (b) that concludes action under this section, the chairperson and the head of the lead agency shall transmit to the members of Congress specified in subparagraph (C)(iii) a certified written report (consistent with the requirements of subsection (c)) on the results of the investigation, unless the matter under investigation has been sent to the President for decision.
    3. Certification procedures.—
      1. In general.—Each certified notice and report required under subparagraphs (A) and (B), respectively, shall be submitted to the members of Congress specified in clause (iii), and shall include—
        1. a description of the actions taken by the Committee with respect to the transaction; and
        2. identification of the determinative factors considered under subsection (f).
      2. Content of certification.—Each certified notice and report required under subparagraphs (A) and (B), respectively, shall be signed by the chairperson and the head of the lead agency, and shall state that, in the determination of the Committee, there are no unresolved national security concerns with the transaction that is the subject of the notice or report.
      3. Members of Congress.—Each certified notice and report required under subparagraphs (A) and (B), respectively, shall be transmitted—
        1. to the Majority Leader and the Minority Leader of the Senate;
        2. to the chair and ranking member of the Committee on Banking, Housing, and Urban Affairs of the Senate and of any committee of the Senate having oversight over the lead agency;\
        3. to the Speaker and the Minority Leader of the House of Representatives;
        4. to the chair and ranking member of the Committee on Financial Services of the House of Representatives and of any committee of the House of Representatives having oversight over the lead agency; and
        5. with respect to covered transactions involving critical infrastructure, to the members of the Senate from the State in which the principal place of business of the acquired United States person is located, and the member from the Congressional District in which such principal place of business is located.
      4. Signatures; limit on delegation.—
        1. In general.—Each certified notice and report required under subparagraphs (A) and (B), respectively, shall be signed by the chairperson and the head of the lead agency, which signature requirement may only be delegated in accordance with subclause (II).
        2. Limitation on delegation of certifications.—The chairperson and the head of the lead agency may delegate the signature requirement under subclause (I)—
          • (aa) only to an appropriate employee of the Department of the Treasury (in the case of the Secretary of the Treasury) or to an appropriate employee of the lead agency (in the case of the lead agency) who was appointed by the President, by and with the advice and consent of the Senate, with respect to any notice provided under paragraph (1) following the completion of a review under this section; or
          • (bb) only to a Deputy Secretary of the Treasury (in the case of the Secretary of the Treasury) or a person serving in the Deputy position or the equivalent thereof at the lead agency (in the case of the lead agency), with respect to any report provided under subparagraph (B) following an investigation under this section.
  4. Analysis by Director of National Intelligence.—
    1. In general.—The Director of National Intelligence shall expeditiously carry out a thorough analysis of any threat to the national security of the United States posed by any covered transaction. The Director of National Intelligence shall also seek and incorporate the views of all affected or appropriate intelligence agencies with respect to the transaction.
    2. Timing.—The analysis required under subparagraph (A) shall be provided by the Director of National Intelligence to the Committee not later than 20 days after the date on which notice of the transaction is accepted by the Committee under paragraph (1)(C), but such analysis may be supplemented or amended, as the Director considers necessary or appropriate, or upon a request for additional information by the Committee. The Director may begin the analysis at any time prior to acceptance of the notice, in accordance with otherwise applicable law.
    3. Interaction with intelligence community.—The Director of National Intelligence shall ensure that the intelligence community remains engaged in the collection, analysis, and dissemination to the Committee of any additional relevant information that may become available during the course of any investigation conducted under subsection (b) with respect to a transaction.
    4. Independent role of Director.—The Director of National Intelligence shall be a nonvoting, ex officio member of the Committee, and shall be provided with all notices received by the Committee under paragraph (1)(C) regarding covered transactions, but shall serve no policy role on the Committee, other than to provide analysis under subparagraphs (A) and (C) in connection with a covered transaction.
  5. Submission of additional information.—No provision of this subsection shall be construed as prohibiting any party to a covered transaction from submitting additional information concerning the transaction, including any proposed restructuring of the transaction or any modifications to any agreements in connection with the transaction, while any review or investigation of the transaction is ongoing.
  6. Notice of results to parties.—The Committee shall notify the parties to a covered transaction of the results of a review or investigation under this section, promptly upon completion of all action under this section.
  7. Regulations.—Regulations prescribed under this section shall include standard procedures for—
    1. submitting any notice of a covered transaction to the Committee;
    2. submitting a request to withdraw a covered transaction from review;
    3. resubmitting a notice of a covered transaction that was previously withdrawn from review; and
    4. providing notice of the results of a review or investigation to the parties to the covered transaction, upon completion of all action under this section.

(c) CONFIDENTIALITY OF INFORMATION.—Any information or documentary material filed with the President or the President's designee pursuant to this section shall be exempt from disclosure under section 552 of title 5 and no such information or documentary material may be made public, except as may be relevant to any administrative or judicial action or proceeding. Nothing in this subsection shall be construed to prevent disclosure to either House of Congress or to any duly authorized committee or subcommittee of the Congress.

(d) ACTION BY THE PRESIDENT.—

  1. In general.—Subject to paragraph (4), the President may take such action for such time as the President considers appropriate to suspend or prohibit any covered transaction that threatens to impair the national security of the United States.
  2. Announcement by the President.—The President shall announce the decision on whether or not to take action pursuant to paragraph (1) not later than 15 days after the date on which an investigation described in subsection (b) is completed.
  3. Enforcement.—The President may direct the Attorney General of the United States to seek appropriate relief, including divestment relief, in the district courts of the United States, in order to implement and enforce this subsection.
  4. Findings of the President.—The President may exercise the authority conferred by paragraph (1), only if the President finds that—
    1. there is credible evidence that leads the President to believe that the foreign interest exercising control might take action that threatens to impair the national security; and
    2. provisions of law, other than this section and the International Emergency Economic Powers Act [50 U.S.C. 1701 et seq.], do not, in the judgment of the President, provide adequate and appropriate authority for the President to protect the national security in the matter before the President.
  5. Factors to be considered.—For purposes of determining whether to take action under paragraph (1), the President shall consider, among other factors each of the factors described in subsection (f), as appropriate.

(e) ACTIONS AND FINDINGS NONREVIEWABLE.—The actions of the President under paragraph (1) of subsection (d) and the findings of the President under paragraph (4) of subsection (d) shall not be subject to judicial review.

(f) FACTORS TO BE CONSIDERED.—For purposes of this section, the President or the President's designee may, taking into account the requirements of national security, consider—

  1. domestic production needed for projected national defense requirements,
  2. the capability and capacity of domestic industries to meet national defense requirements, including the availability of human resources, products, technology, materials, and other supplies and services,
  3. the control of domestic industries and commercial activity by foreign citizens as it affects the capability and capacity of the United States to meet the requirements of national security,
  4. the potential effects of the proposed or pending transaction on sales of military goods, equipment, or technology to any country—
    1. identified by the Secretary of State—
      1. under section 4605(j) of this title, as a country that supports terrorism;
      2. under section 4605(l) of this title, as a country of concern regarding missile proliferation; or
      3. under section 4605(m) of this title, as a country of concern regarding the proliferation of chemical and biological weapons;
    2. identified by the Secretary of Defense as posing a potential regional military threat to the interests of the United States; or
    3. listed under section 2139a(c) of title 42 on the "Nuclear Non-Proliferation-Special Country List" (15 C.F.R. Part 778, Supplement No. 4) or any successor list;
  5. the potential effects of the proposed or pending transaction on United States international technological leadership in areas affecting United States national security;
  6. the potential national security-related effects on United States critical infrastructure, including major energy assets;
  7. the potential national security-related effects on United States critical technologies;
  8. whether the covered transaction is a foreign government-controlled transaction, as determined under subsection (b)(1)(B);
  9. as appropriate, and particularly with respect to transactions requiring an investigation under subsection (b)(1)(B), a review of the current assessment of—
    1. the adherence of the subject country to nonproliferation control regimes, including treaties and multilateral supply guidelines, which shall draw on, but not be limited to, the annual report on "Adherence to and Compliance with Arms Control, Nonproliferation and Disarmament Agreements and Commitments" required by section 2593a of title 22;
    2. the relationship of such country with the United States, specifically on its record on cooperating in counter-terrorism efforts, which shall draw on, but not be limited to, the report of the President to Congress under section 7120 of the Intelligence Reform and Terrorism Prevention Act of 2004; and
    3. the potential for transshipment or diversion of technologies with military applications, including an analysis of national export control laws and regulations;
  10. the long-term projection of United States requirements for sources of energy and other critical resources and material; and
  11. such other factors as the President or the Committee may determine to be appropriate, generally or in connection with a specific review or investigation.

(g) ADDITIONAL INFORMATION TO CONGRESS; CONFIDENTIALITY.—

  1. Briefing requirement on request.—The Committee shall, upon request from any Member of Congress specified in subsection (b)(3)(C)(iii), promptly provide briefings on a covered transaction for which all action has concluded under this section, or on compliance with a mitigation agreement or condition imposed with respect to such transaction, on a classified basis, if deemed necessary by the sensitivity of the information. Briefings under this paragraph may be provided to the congressional staff of such a Member of Congress having appropriate security clearance.
  2. Application of confidentiality provisions.—
    1. In general.—The disclosure of information under this subsection shall be consistent with the requirements of subsection (c). Members of Congress and staff of either House of Congress or any committee of Congress, shall be subject to the same limitations on disclosure of information as are applicable under subsection (c).
    2. Proprietary information.—Proprietary information which can be associated with a particular party to a covered transaction shall be furnished in accordance with subparagraph (A) only to a committee of Congress, and only when the committee provides assurances of confidentiality, unless such party otherwise consents in writing to such disclosure.

(h) REGULATIONS.—

  1. In general.—The President shall direct, subject to notice and comment, the issuance of regulations to carry out this section.
  2. Effective date.—Regulations issued under this section shall become effective not later than 180 days after the effective date of the Foreign Investment and National Security Act of 2007.
  3. Content.—Regulations issued under this subsection shall-
    1. provide for the imposition of civil penalties for any violation of this section, including any mitigation agreement entered into or conditions imposed pursuant to subsection (l);
    2. to the extent possible—
      1. minimize paperwork burdens; and
      2. coordinate reporting requirements under this section with reporting requirements under any other provision of Federal law; and
    3. provide for an appropriate role for the Secretary of Labor with respect to mitigation agreements.
      1. EFFECT ON OTHER LAW.—No provision of this section shall be construed as altering or affecting any other authority, process, regulation, investigation, enforcement measure, or review provided by or established under any other provision of Federal law, including the International Emergency Economic Powers Act [50 U.S.C. 1701 et seq.], or any other authority of the President or the Congress under the Constitution of the United States.

(j) TECHNOLOGY RISK ASSESSMENTS.—In any case in which an assessment of the risk of diversion of defense critical technology is performed by a designee of the President, a copy of such assessment shall be provided to any other designee of the President responsible for reviewing or investigating a merger, acquisition, or takeover under this section.

(k) COMMITTEE ON FOREIGN INVESTMENT IN THE UNITED STATES

  1. Establishment.—The Committee on Foreign Investment in the United States, established pursuant to Executive Order No. 11858, shall be a multi agency committee to carry out this section and such other assignments as the President may designate.
  2. Membership.—The Committee shall be comprised of the following members or the designee of any such member:
    1. The Secretary of the Treasury.
    2. The Secretary of Homeland Security.
    3. The Secretary of Commerce.
    4. The Secretary of Defense.
    5. The Secretary of State.
    6. The Attorney General of the United States.
    7. The Secretary of Energy.
    8. The Secretary of Labor (nonvoting, ex officio).
    9. The Director of National Intelligence (nonvoting, ex officio).
    10. The heads of any other executive department, agency, or office, as the President determines appropriate, generally or on a case-by-case basis.
  3. Chairperson.—The Secretary of the Treasury shall serve as the chairperson of the Committee.
  4. Assistant Secretary for the Department of the Treasury.—There shall be established an additional position of Assistant Secretary of the Treasury, who shall be appointed by the President, by and with the advice and consent of the Senate. The Assistant Secretary appointed under this paragraph shall report directly to the Undersecretary of the Treasury for International Affairs. The duties of the Assistant Secretary shall include duties related to the Committee on Foreign Investment in the United States, as delegated by the Secretary of the Treasury under this section.
  5. Designation of lead agency.—The Secretary of the Treasury shall designate, as appropriate, a member or members of the Committee to be the lead agency or agencies on behalf of the Committee—
    1. for each covered transaction, and for negotiating any mitigation agreements or other conditions necessary to protect national security; and
    2. for all matters related to the monitoring of the completed transaction, to ensure compliance with such agreements or conditions and with this section.
  6. Other members.—The chairperson shall consult with the heads of such other Federal departments, agencies, and independent establishments in any review or investigation under subsection (a), as the chairperson determines to be appropriate, on the basis of the facts and circumstances of the covered transaction under review or investigation (or the designee of any such department or agency head).
  7. Meetings.—The Committee shall meet upon the direction of the President or upon the call of the chairperson, without regard to section 552b of title 5 (if otherwise applicable).

(l)MITIGATION, TRACKING, AND POSTCONSUMMATION MONITORING AND ENFORCEMENT.—

  1. (1) Mitigation.—
    1. In general.—The Committee or a lead agency may, on behalf of the Committee, negotiate, enter into or impose, and enforce any agreement or condition with any party to the covered transaction in order to mitigate any threat to the national security of the United States that arises as a result of the covered transaction.
    2. Risk-based analysis required.—Any agreement entered into or condition imposed under subparagraph (A) shall be based on a risk-based analysis, conducted by the Committee, of the threat to national security of the covered transaction.
  2. Tracking authority for withdrawn notices.—
    1. In general.—If any written notice of a covered transaction that was submitted to the Committee under this section is withdrawn before any review or investigation by the Committee under subsection (b) is completed, the Committee shall establish, as appropriate—
      1. interim protections to address specific concerns with such transaction that have been raised in connection with any such review or investigation pending any resubmission of any written notice under this section with respect to such transaction and further action by the President under this section;
      2. specific time frames for resubmitting any such written notice; and
      3. a process for tracking any actions that may be taken by any party to the transaction, in connection with the transaction, before the notice referred to in clause (ii) is resubmitted.
    2. Designation of agency.—The lead agency, other than any entity of the intelligence community (as defined in the National Security Act of 1947 [50 U.S.C. 3001 et seq.]), shall, on behalf of the Committee, ensure that the requirements of subparagraph (A) with respect to any covered transaction that is subject to such subparagraph are met.
  3. Negotiation, modification, monitoring, and enforcement.—
    1. Designation of lead agency.—The lead agency shall negotiate, modify, monitor, and enforce, on behalf of the Committee, any agreement entered into or condition imposed under paragraph (1) with respect to a covered transaction, based on the expertise with and knowledge of the issues related to such transaction on the part of the designated department or agency. Nothing in this paragraph shall prohibit other departments or agencies in assisting the lead agency in carrying out the purposes of this paragraph.
    2. Reporting by designated agency.—
      1. Modification reports.—The lead agency in connection with any agreement entered into or condition imposed with respect to a covered transaction shall—
        1. provide periodic reports to the Committee on any material modification to any such agreement or condition imposed with respect to the transaction; and
        2. ensure that any material modification to any such agreement or condition is reported to the Director of National Intelligence, the Attorney General of the United States, and any other Federal department or agency that may have a material interest in such modification.
      2. Compliance.—The Committee shall develop and agree upon methods for evaluating compliance with any agreement entered into or condition imposed with respect to a covered transaction that will allow the Committee to adequately assure compliance, without—
        1. unnecessarily diverting Committee resources from assessing any new covered transaction for which a written notice has been filed pursuant to subsection (b)(1)(C), and if necessary, reaching a mitigation agreement with or imposing a condition on a party to such covered transaction or any covered transaction for which a review has been reopened for any reason; or
        2. placing unnecessary burdens on a party to a covered transaction.

(m) ANNUAL REPORT TO CONGRESS.—

  1. In general.—The chairperson shall transmit a report to the chairman and ranking member of the committee of jurisdiction in the Senate and the House of Representatives, before July 31 of each year on all of the reviews and investigations of covered transactions completed under subsection (b) during the 12-month period covered by the report.
  2. Contents of report relating to covered transactions.—The annual report under paragraph (1) shall contain the following information, with respect to each covered transaction, for the reporting period:
    1. A list of all notices filed and all reviews or investigations completed during the period, with basic information on each party to the transaction, the nature of the business activities or products of all pertinent persons, along with information about any withdrawal from the process, and any decision or action by the President under this section.
    2. Specific, cumulative, and, as appropriate, trend information on the numbers of filings, investigations, withdrawals, and decisions or actions by the President under this section.
    3. Cumulative and, as appropriate, trend information on the business sectors involved in the filings which have been made, and the countries from which the investments have originated.
    4. Information on whether companies that withdrew notices to the Committee in accordance with subsection (b)(1)(C)(ii) have later refiled such notices, or, alternatively, abandoned the transaction.
    5. The types of security arrangements and conditions the Committee has used to mitigate national security concerns about a transaction, including a discussion of the methods that the Committee and any lead agency are using to determine compliance with such arrangements or conditions.
    6. A detailed discussion of all perceived adverse effects of covered transactions on the national security or critical infrastructure of the United States that the Committee will take into account in its deliberations during the period before delivery of the next report, to the extent possible.
  3. Contents of report relating to critical technologies.—
    1. In general.—In order to assist Congress in its oversight responsibilities with respect to this section, the President and such agencies as the President shall designate shall include in the annual report submitted under paragraph (1) —
      1. an evaluation of whether there is credible evidence of a coordinated strategy by 1 or more countries or companies to acquire United States companies involved in research, development, or production of critical technologies for which the United States is a leading producer; and
      2. an evaluation of whether there are industrial espionage activities directed or directly assisted by foreign governments against private United States companies aimed at obtaining commercial secrets related to critical technologies.
    2. Release of unclassified study.—All appropriate portions of the annual report under paragraph (1) may be classified. An unclassified version of the report, as appropriate, consistent with safeguarding national security and privacy, shall be made available to the public.

(n) CERTIFICATION OF NOTICES AND ASSURANCES.—Each notice, and any followup information, submitted under this section and regulations prescribed under this section to the President or the Committee by a party to a covered transaction, and any information submitted by any such party in connection with any action for which a report is required pursuant to paragraph (3)(B) of subsection (l), with respect to the implementation of any mitigation agreement or condition described in paragraph (1)(A) of subsection (l), or any material change in circumstances, shall be accompanied by a written statement by the chief executive officer or the designee of the person required to submit such notice or information certifying that, to the best of the knowledge and belief of that person—

  1. the notice or information submitted fully complies with the requirements of this section or such regulation, agreement, or condition; and
  2. the notice or information is accurate and complete in all material respects.

PROHIBITION ON PURCHASE OF UNITED STATES DEFENSE CONTRACTORS BY ENTITIES CONTROLLED BY FOREIGN GOVERNMENTS

50 U.S.C. § 4566:

(a) IN GENERAL.—No entity controlled by a foreign government may merge with, acquire, or take over a company engaged in interstate commerce in the United States that—

  1. is performing a Department of Defense contract, or a Department of Energy contract under a national security program, that cannot be performed satisfactorily unless that company is given access to information in a proscribed category of information; or
  2. during the previous fiscal year, was awarded—
    1. Department of Defense prime contracts in an aggregate amount in excess of $500,000,000; or
    2. Department of Energy prime contracts under national security programs in an aggregate amount in excess of $500,000,000.

(b) INAPPLICABILITY TO CERTAIN CASES.—The limitation in subsection (a) shall not apply if a merger, acquisition, or takeover is not suspended or prohibited pursuant to section 4565 of this title.

(c) DEFINITIONS.—In this section:

  1. The term "entity controlled by a foreign government" includes—
    1. any domestic or foreign organization or corporation that is effectively owned or controlled by a foreign government; and
    2. any individual acting on behalf of a foreign government, as determined by the President.
  2. The term "proscribed category of information" means a category of information that—
    1. with respect to Department of Defense contracts—
      1. includes special access information;
      2. is determined by the Secretary of Defense to include information the disclosure of which to an entity controlled by a foreign government is not in the national security interests of the United States; and
      3. is defined in regulations prescribed by the Secretary of Defense for the purposes of this section; and
    2. with respect to Department of Energy contracts—
      1. is determined by the Secretary of Energy to include information described in subparagraph (A)(ii); and
      2. is defined in regulations prescribed by the Secretary of Energy for the purposes of this section.

> Back to the Table of Contents <

Ref Book - Cybersecurity Act of 2015

Tuesday, October 18, 2016

Cybersecurity Act of 2015

> Back to the Table of Contents <

 Division N of the Consolidated Appropriations Act of 2016.

(Public Law 114-113 of December 18, 2015; 129 STAT. 2242)

SEC. 1. SHORT TITLE; TABLE OF CONTENTS.

(a) Short Title. —This division may be cited as the “Cybersecurity Act of 2015”.

(b) Table of Contents. —The table of contents for this division is as follows:

Sec. 1. Short title; table of contents.

TITLE I—CYBERSECURITY INFORMATION SHARING


Sec. 101. Short title.
Sec. 102. Definitions.
Sec. 103. Sharing of information by the Federal Government.
Sec. 104. Authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats.
Sec. 105. Sharing of cyber threat indicators and defensive measures with the Federal Government.
Sec. 106. Protection from liability.
Sec. 107. Oversight of Government activities.
Sec. 108. Construction and preemption.
Sec. 109. Report on cybersecurity threats.
Sec. 110. Exception to limitation on authority of Secretary of Defense to disseminate certain information.
Sec. 111. Effective period.

TITLE II—NATIONAL CYBERSECURITY ADVANCEMENT

SUBTITLE A—NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER


Sec. 201. Short title.
Sec. 202. Definitions.
Sec. 203. Information sharing structure and processes.
Sec. 204. Information sharing and analysis organizations.
Sec. 205. National response framework.
Sec. 206. Report on reducing cybersecurity risks in DHS data centers.
Sec. 207. Assessment.
Sec. 208. Multiple simultaneous cyber incidents at critical infrastructure.
Sec. 209. Report on cybersecurity vulnerabilities of United States ports.
Sec. 210. Prohibition on new regulatory authority.
Sec. 211. Termination of reporting requirements.

SUBTITLE B—FEDERAL CYBERSECURITY ENHANCEMENT


Sec. 221. Short title.
Sec. 222. Definitions.
Sec. 223. Improved Federal network security.
Sec. 224. Advanced internal defenses.
Sec. 225. Federal cybersecurity requirements.
Sec. 226. Assessment; reports.
Sec. 227. Termination.
Sec. 228. Identification of information systems relating to national security.
Sec. 229. Direction to agencies.

TITLE III—FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT


Sec. 301. Short title.
Sec. 302. Definitions.
Sec. 303. National cybersecurity workforce measurement initiative.
Sec. 304. Identification of cyber-related work roles of critical need.
Sec. 305. Government Accountability Office status reports.

TITLE IV—OTHER CYBER MATTERS

Sec. 401. Study on mobile device security.
Sec. 402. Department of State international cyberspace policy strategy.
Sec. 403. Apprehension and prosecution of international cyber criminals.
Sec. 404. Enhancement of emergency services.
Sec. 405. Improving cybersecurity in the health care industry.
Sec. 406. Federal computer security.
Sec. 407. Stopping the fraudulent sale of financial information of people of the United States.

TITLE I—CYBERSECURITY INFORMATION SHARING

SEC. 101. SHORT TITLE.

This title may be cited as the “Cybersecurity Information Sharing Act of 2015”.

SEC. 102. DEFINITIONS.

In this title:
  1. AGENCY.—The term “agency” has the meaning given the term in section 3502 of title 44, United States Code.
  2. ANTITRUST LAWS.—The term “antitrust laws”—
    1. has the meaning given the term in the first section of the Clayton Act (15 U.S.C. 12);
    2. includes section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent that section 5 of that Act applies to unfair methods of competition; and
    3. includes any State antitrust law, but only to the extent that such law is consistent with the law referred to in subparagraph (A) or the law referred to in subparagraph (B).
  3. APPROPRIATE FEDERAL ENTITIES.—The term “appropriate Federal entities” means the following:
    1. The Department of Commerce.
    2. The Department of Defense.
    3. The Department of Energy.
    4. The Department of Homeland Security.
    5. The Department of Justice.
    6. The Department of the Treasury.
    7. The Office of the Director of National Intelligence.
  4.  CYBERSECURITY PURPOSE.—The term “cybersecurity purpose” means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.

  5. CYBERSECURITY THREAT.—
    1. IN GENERAL.—Except as provided in subparagraph (B), the term “cybersecurity threat” means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.
    2. EXCLUSION.—The term “cybersecurity threat” does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.
  6. CYBER THREAT INDICATOR.—The term “cyber threat indicator” means information that is necessary to describe or identify—
    1. malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
    2. a method of defeating a security control or exploitation of a security vulnerability;
    3. a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
    4. a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
    5. malicious cyber command and control;
    6. the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
    7. any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
    8. any combination thereof.
  7. DEFENSIVE MEASURE.—
    1. IN GENERAL.—Except as provided in subparagraph (B), the term “defensive measure” means an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.
    2. EXCLUSION.—The term “defensive measure” does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system not owned by—
      1. the private entity operating the measure; or
      2. another entity or Federal entity that is authorized to provide consent and has provided consent to that private entity for operation of such measure.
  8. FEDERAL ENTITY.—The term “Federal entity” means a department or agency of the United States or any component of such department or agency.
  9. INFORMATION SYSTEM.—The term “information system”—
    1. has the meaning given the term in section 3502 of title 44, United States Code; and
    2. includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.
  10. LOCAL GOVERNMENT.—The term “local government” means any borough, city, county, parish, town, township, village, or other political subdivision of a State.
  11. MALICIOUS CYBER COMMAND AND CONTROL.—The term “malicious cyber command and control” means a method for unauthorized remote identification of, access to, or use of, an information system or information that is stored on, processed by, or transiting an information system.
  12. MALICIOUS RECONNAISSANCE.—The term “malicious reconnaissance” means a method for actively probing or passively monitoring an information system for the purpose of discerning security vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
  13. MONITOR.—The term “monitor” means to acquire, identify, or scan, or to possess, information that is stored on, processed by, or transiting an information system.
  14. NON-FEDERAL ENTITY.—
    1. IN GENERAL.—Except as otherwise provided in this paragraph, the term “non-Federal entity” means any private entity, non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof).
    2. INCLUSIONS.—The term “non-Federal entity” includes a government agency or department of the District of Columbia, the Commonwealth of Puerto Rico, the United States Virgin Islands, Guam, American Samoa, the Northern Mariana Islands, and any other territory or possession of the United States.
    3. EXCLUSION.—The term “non-Federal entity” does not include a foreign power as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
  15. PRIVATE ENTITY.—
    1. IN GENERAL.—Except as otherwise provided in this paragraph, the term “private entity” means any person or private group, organization, proprietorship, partnership, trust, cooperative, corporation, or other commercial or nonprofit entity, including an officer, employee, or agent thereof.
    2. INCLUSION.—The term “private entity” includes a State, tribal, or local government performing utility services, such as electric, natural gas, or water services.
    3. EXCLUSION.—The term “private entity” does not include a foreign power as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
  16. SECURITY CONTROL.—The term “security control” means the management, operational, and technical controls used to protect against an unauthorized effort to adversely affect the confidentiality, integrity, and availability of an information system or its information.
  17. SECURITY VULNERABILITY.—The term “security vulnerability” means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.
  18. TRIBAL.—The term “tribal” has the meaning given the term “Indian tribe” in section 4 of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 450b).

SEC. 103. SHARING OF INFORMATION BY THE FEDERAL GOVERNMENT.

(a) IN GENERAL.—Consistent with the protection of classified information, intelligence sources and methods, and privacy and civil liberties, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General, in consultation with the heads of the appropriate Federal entities, shall jointly develop and issue procedures to facilitate and promote—

  1. the timely sharing of classified cyber threat indicators and defensive measures in the possession of the Federal Government with representatives of relevant Federal entities and non-Federal entities that have appropriate security clearances;
  2. the timely sharing with relevant Federal entities and non-Federal entities of cyber threat indicators, defensive measures, and information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government that may be declassified and shared at an unclassified level;
  3. the timely sharing with relevant Federal entities and non-Federal entities, or the public if appropriate, of unclassified, including controlled unclassified, cyber threat indicators and defensive measures in the possession of the Federal Government;
  4.  the timely sharing with Federal entities and non-Federal entities, if appropriate, of information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government about cybersecurity threats to such entities to prevent or mitigate adverse effects from such cybersecurity threats; and
  5. the periodic sharing, through publication and targeted outreach, of cybersecurity best practices that are developed based on ongoing analyses of cyber threat indicators, defensive measures, and information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government, with attention to accessibility and implementation challenges faced by small business concerns (as defined in section 3 of the Small Business Act (15 U.S.C. 632)).

(b) DEVELOPMENT OF PROCEDURES.—

  1. IN GENERAL.—The procedures developed under subsection (a) shall—
    1. ensure the Federal Government has and maintains the capability to share cyber threat indicators and defensive measures in real time consistent with the protection of classified information;
    2. incorporate, to the greatest extent practicable, existing processes and existing roles and responsibilities of Federal entities and non-Federal entities for information sharing by the Federal Government, including sector specific information sharing and analysis centers;
    3. include procedures for notifying, in a timely manner, Federal entities and non-Federal entities that have received a cyber threat indicator or defensive measure from a Federal entity under this title that is known or determined to be in error or in contravention of the requirements of this title or another provision of Federal law or policy of such error or contravention;
    4. include requirements for Federal entities sharing cyber threat indicators or defensive measures to implement and utilize security controls to protect against unauthorized access to or acquisition of such cyber threat indicators or defensive measures;
    5. include procedures that require a Federal entity, prior to the sharing of a cyber threat indicator—
      1. to review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that such Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
      2. to implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual; and
    6. include procedures for notifying, in a timely manner, any United States person whose personal information is known or determined to have been shared by a Federal entity in violation of this title.
  2. CONSULTATION.—In developing the procedures required under this section, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General shall consult with appropriate Federal entities, including the Small Business Administration and the National Laboratories (as defined in section 2 of the Energy Policy Act of 2005 (42 U.S.C. 15801)), to ensure that effective protocols are implemented that will facilitate and promote the sharing of cyber threat indicators by the Federal Government in a timely manner.

(c) SUBMITTAL TO CONGRESS.—Not later than 60 days after the date of the enactment of this Act, the Director of National Intelligence, in consultation with the heads of the appropriate Federal entities, shall submit to Congress the procedures required by subsection (a).

SEC. 104. AUTHORIZATIONS FOR PREVENTING, DETECTING, ANALYZING, AND MITIGATING CYBERSECURITY THREATS.


(a) AUTHORIZATION FOR MONITORING.—

  1. IN GENERAL.—Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, monitor—
    1. an information system of such private entity;
    2. an information system of another non-Federal entity, upon the authorization and written consent of such other entity;
    3. an information system of a Federal entity, upon the authorization and written consent of an authorized representative of the Federal entity; and (D) information that is stored on, processed by, or transiting an information system monitored by the private entity under this paragraph.
  2. CONSTRUCTION.—Nothing in this subsection shall be construed—
    1.  to authorize the monitoring of an information system, or the use of any information obtained through such monitoring, other than as provided in this title; or
    2. to limit otherwise lawful activity.\

(b) AUTHORIZATION FOR OPERATION OF DEFENSIVE MEASURES.—

  1. IN GENERAL.—Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, operate a defensive measure that is applied to—
    1. an information system of such private entity in order to protect the rights or property of the private entity;
    2. an information system of another non-Federal entity upon written consent of such entity for operation of such defensive measure to protect the rights or property of such entity; and
    3. an information system of a Federal entity upon written consent of an authorized representative of such Federal entity for operation of such defensive measure to protect the rights or property of the Federal Government.
  2. CONSTRUCTION.—Nothing in this subsection shall be construed—
    1. to authorize the use of a defensive measure other than as provided in this subsection; or
    2. to limit otherwise lawful activity.

(c) AUTHORIZATION FOR SHARING OR RECEIVING CYBER THREAT INDICATORS OR DEFENSIVE MEASURES.—

  1. IN GENERAL.—Except as provided in paragraph (2) and notwithstanding any other provision of law, a non-Federal entity may, for a cybersecurity purpose and consistent with the protection of classified information, share with, or receive from, any other non-Federal entity or the Federal Government a cyber threat indicator or defensive measure.
  2. LAWFUL RESTRICTION.—A non-Federal entity receiving a cyber threat indicator or defensive measure from another non-Federal entity or a Federal entity shall comply with otherwise lawful restrictions placed on the sharing or use of such cyber threat indicator or defensive measure by the sharing non-Federal entity or Federal entity.
  3. CONSTRUCTION.—Nothing in this subsection shall be construed—
    1. to authorize the sharing or receiving of a cyber threat indicator or defensive measure other than as provided in this subsection; or to limit otherwise lawful activity.

(d) PROTECTION AND USE OF INFORMATION.—

  1. SECURITY OF INFORMATION.—A non-Federal entity monitoring an information system, operating a defensive measure, or providing or receiving a cyber threat indicator or defensive measure under this section shall implement and utilize a security control to protect against unauthorized access to or acquisition of such cyber threat indicator or defensive measure.
  2. REMOVAL OF CERTAIN PERSONAL INFORMATION.—A non-Federal entity sharing a cyber threat indicator pursuant to this title shall, prior to such sharing—
    1. review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
    2. implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.
  3. USE OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES BY NON-FEDERAL ENTITIES.—
    1. IN GENERAL.—Consistent with this title, a cyber threat indicator or defensive measure shared or received under this section may, for cybersecurity purposes—
      1. be used by a non-Federal entity to monitor or operate a defensive measure that is applied to—
        1. an information system of the non-Federal entity; or
        2. an information system of another non-Federal entity or a Federal entity upon the written consent of that other non-Federal entity or that Federal entity; and
      2. be otherwise used, retained, and further shared by a non-Federal entity subject to—
        1. an otherwise lawful restriction placed by the sharing non-Federal entity or Federal entity on such cyber threat indicator or defensive measure; or
        2. an otherwise applicable provision of law.
    2. CONSTRUCTION.—Nothing in this paragraph shall be construed to authorize the use of a cyber threat indicator or defensive measure other than as provided in this section.
  4. USE OF CYBER THREAT INDICATORS BY STATE, TRIBAL, OR LOCAL GOVERNMENT.—
    1. LAW ENFORCEMENT USE.—A State, tribal, or local government that receives a cyber threat indicator or defensive measure under this title may use such cyber threat indicator or defensive measure for the purposes described in section 105(d)(5)(A).
    2. EXEMPTION FROM DISCLOSURE.—A cyber threat indicator or defensive measure shared by or with a State, tribal, or local government, including a component of a State, tribal, or local government that is a private entity, under this section shall be—
      1. deemed voluntarily shared information; and
      2. exempt from disclosure under any provision of State, tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records.
    3. STATE, TRIBAL, AND LOCAL REGULATORY AUTHORITY.—
      1. IN GENERAL.—Except as provided in clause (ii), a cyber threat indicator or defensive measure shared with a State, tribal, or local government under this title shall not be used by any State, tribal, or local government to regulate, including an enforcement action, the lawful activity of any non-Federal entity or any activity taken by a non-Federal entity pursuant to mandatory standards, including an activity relating to monitoring, operating a defensive measure, or sharing of a cyber threat indicator.
      2. REGULATORY AUTHORITY SPECIFICALLY RELATING TO PREVENTION OR MITIGATION OF CYBERSECURITY THREATS.—A cyber threat indicator or defensive measure shared as described in clause (i) may, consistent with a State, tribal, or local government regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of a regulation relating to such information systems.

(e) ANTITRUST EXEMPTION.—

  1. IN GENERAL.—Except as provided in section 108(e), it shall not be considered a violation of any provision of antitrust laws for 2 or more private entities to exchange or provide a cyber threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat, for cybersecurity purposes under this title.
  2. APPLICABILITY.—Paragraph (1) shall apply only to information that is exchanged or assistance provided in order to assist with—
    1. facilitating the prevention, investigation, or mitigation of a cybersecurity threat to an information system or information that is stored on, processed by, or transiting an information system; or
    2. communicating or disclosing a cyber threat indicator to help prevent, investigate, or mitigate the effect of a cybersecurity threat to an information system or information that is stored on, processed by, or transiting an information system.
(f) NO RIGHT OR BENEFIT.—The sharing of a cyber threat indicator or defensive measure with a non-Federal entity under this title shall not create a right or benefit to similar information by such non-Federal entity or any other non-Federal entity.

SEC. 105. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES WITH THE FEDERAL GOVERNMENT.


(a) REQUIREMENT FOR POLICIES AND PROCEDURES.—

  1. INTERIM POLICIES AND PROCEDURES.—Not later than 60 days after the date of the enactment of this Act, the Attorney General and the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, jointly develop and submit to Congress interim policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government.
  2. FINAL POLICIES AND PROCEDURES.—Not later than 180 days after the date of the enactment of this Act, the Attorney General and the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, jointly issue and make publicly available final policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government.
  3. REQUIREMENTS CONCERNING POLICIES AND PROCEDURES.—Consistent with the guidelines required by subsection (b), the policies and procedures developed or issued under this subsection shall—
    1. ensure that cyber threat indicators shared with the Federal Government by any non-Federal entity pursuant to section 104(c) through the real-time process described in subsection (c) of this section—
      1. are shared in an automated manner with all of the appropriate Federal entities;
      2. are only subject to a delay, modification, or other action due to controls established for such real-time process that could impede real-time receipt by all of the appropriate Federal entities when the delay, modification, or other action is due to controls—
        1. agreed upon unanimously by all of the heads of the appropriate Federal entities;
        2. carried out before any of the appropriate Federal entities retains or uses the cyber threat indicators or defensive measures; and
        3. uniformly applied such that each of the appropriate Federal entities is subject to the same delay, modification, or other action; and
      3. may be provided to other Federal entities;
    2. ensure that cyber threat indicators shared with the Federal Government by any non-Federal entity pursuant to section 104 in a manner other than the real-time process described in subsection (c) of this section—
      1. are shared as quickly as operationally practicable with all of the appropriate Federal entities;
      2. are not subject to any unnecessary delay, interference, or any other action that could impede receipt by all of the appropriate Federal entities; and
      3. may be provided to other Federal entities; and
    3. ensure there are—
      1. audit capabilities; and
      2. appropriate sanctions in place for officers, employees, or agents of a Federal entity who knowingly and willfully conduct activities under this title in an unauthorized manner.
  4. GUIDELINES FOR ENTITIES SHARING CYBER THREAT INDICATORS WITH FEDERAL GOVERNMENT.—
    1. IN GENERAL.—Not later than 60 days after the date of the enactment of this Act, the Attorney General and the Secretary of Homeland Security shall jointly develop and make publicly available guidance to assist entities and promote sharing of cyber threat indicators with Federal entities under this title.
    2. CONTENTS.—The guidelines developed and made publicly available under subparagraph (A) shall include guidance on the following:
      1. Identification of types of information that would qualify as a cyber threat indicator under this title that would be unlikely to include information that—
        1. is not directly related to a cybersecurity threat; and
        2. is personal information of a specific individual or information that identifies a specific individual.
      2. Identification of types of information protected under otherwise applicable privacy laws that are unlikely to be directly related to a cybersecurity threat.
      3. Such other matters as the Attorney General and the Secretary of Homeland Security consider appropriate for entities sharing cyber threat indicators with Federal entities under this title.

(b) PRIVACY AND CIVIL LIBERTIES.—

  1. INTERIM GUIDELINES.—Not later than 60 days after the date of the enactment of this Act, the Attorney General and the Secretary of Homeland Security shall, in consultation with heads of the appropriate Federal entities and in consultation with officers designated under section 1062 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee–1), jointly develop, submit to Congress, and make available to the public interim guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this title.
  2. FINAL GUIDELINES.—
    1. IN GENERAL.—Not later than 180 days after the date of the enactment of this Act, the Attorney General and the Secretary of Homeland Security shall, in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 1062 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee–1) and such private entities with industry expertise as the Attorney General and the Secretary consider relevant, jointly issue and make publicly available final guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this title.
    2. PERIODIC REVIEW.—The Attorney General and the Secretary of Homeland Security shall, in coordination with heads of the appropriate Federal entities and in consultation with officers and private entities described in subparagraph (A), periodically, but not less frequently than once every 2 years, jointly review the guidelines issued under subparagraph (A).
  3. CONTENT.—The guidelines required by paragraphs (1) and (2) shall, consistent with the need to protect information systems from cybersecurity threats and mitigate cybersecurity threats—
    1. limit the effect on privacy and civil liberties of activities by the Federal Government under this title;
    2. (B) limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals, including by establishing—
      1. a process for the timely destruction of such information that is known not to be directly related to uses authorized under this title; and
      2. specific limitations on the length of any period in which a cyber threat indicator may be retained;
    3. include requirements to safeguard cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals from unauthorized access or acquisition, including appropriate sanctions for activities by officers, employees, or agents of the Federal Government in contravention of such guidelines;
    4. consistent with this title, any other applicable provisions of law, and the fair information practice principles set forth in appendix A of the document entitled “National Strategy for Trusted Identities in Cyberspace” and published by the President in April 2011, govern the retention, use, and dissemination by the Federal Government of cyber threat indicators shared with the Federal Government under this title, including the extent, if any, to which such cyber threat indicators may be used by the Federal Government;
    5. include procedures for notifying entities and Federal entities if information received pursuant to this section is known or determined by a Federal entity receiving such information not to constitute a cyber threat indicator;
    6. protect the confidentiality of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals to the greatest extent practicable and require recipients to be informed that such indicators may only be used for purposes authorized under this title; and
    7. include steps that may be needed so that dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information.

(c) CAPABILITY AND PROCESS WITHIN THE DEPARTMENT OF HOMELAND SECURITY.—

  1. IN GENERAL.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security, in coordination with the heads of the appropriate Federal entities, shall develop and implement a capability and process within the Department of Homeland Security that—
    1.  shall accept from any non-Federal entity in real time cyber threat indicators and defensive measures, pursuant to this section;
    2. shall, upon submittal of the certification under paragraph (2) that such capability and process fully and effectively operates as described in such paragraph, be the process by which the Federal Government receives cyber threat indicators and defensive measures under this title that are shared by a non-Federal entity with the Federal Government through electronic mail or media, an interactive form on an Internet website, or a real time, automated process between information systems except—
      1. consistent with section 104, communications between a Federal entity and a non-Federal entity regarding a previously shared cyber threat indicator to describe the relevant cybersecurity threat or develop a defensive measure based on such cyber threat indicator; and
      2. communications by a regulated non-Federal entity with such entity's Federal regulatory authority regarding a cybersecurity threat;
    3. ensures that all of the appropriate Federal entities receive in an automated manner such cyber threat indicators and defensive measures shared through the real-time process within the Department of Homeland Security;
    4. is in compliance with the policies, procedures, and guidelines required by this section; and
    5. does not limit or prohibit otherwise lawful disclosures of communications, records, or other information, including—
      1. reporting of known or suspected criminal activity, by a non-Federal entity to any other non-Federal entity or a Federal entity, including cyber threat indicators or defensive measures shared with a Federal entity in furtherance of opening a Federal law enforcement investigation;
      2. voluntary or legally compelled participation in a Federal investigation; and
      3. providing cyber threat indicators or defensive measures as part of a statutory or authorized contractual requirement.
  2. CERTIFICATION AND DESIGNATION.—
    1. CERTIFICATION OF CAPABILITY AND PROCESS.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, submit to Congress a certification as to whether the capability and process required by paragraph (1) fully and effectively operates—
      1. as the process by which the Federal Government receives from any non-Federal entity a cyber threat indicator or defensive measure under this title; and
      2. in accordance with the interim policies, procedures, and guidelines developed under this title.
    2. DESIGNATION.—
      1. IN GENERAL.—At any time after certification is submitted under subparagraph (A), the President may designate an appropriate Federal entity, other than the Department of Defense (including the National Security Agency), to develop and implement a capability and process as described in paragraph (1) in addition to the capability and process developed under such paragraph by the Secretary of Homeland Security, if, not fewer than 30 days before making such designation, the President submits to Congress a certification and explanation that
        1. such designation is necessary to ensure that full, effective, and secure operation of a capability and process for the Federal Government to receive from any non-Federal entity cyber threat indicators or defensive measures under this title;
        2. the designated appropriate Federal entity will receive and share cyber threat indicators and defensive measures in accordance with the policies, procedures, and guidelines developed under this title, including subsection (a)(3)(A); and
        3. such designation is consistent with the mission of such appropriate Federal entity and improves the ability of the Federal Government to receive, share, and use cyber threat indicators and defensive measures as authorized under this title.
      2. APPLICATION TO ADDITIONAL CAPABILITY AND PROCESS.—If the President designates an appropriate Federal entity to develop and implement a capability and process under clause (i), the provisions of this title that apply to the capability and process required by paragraph (1) shall also be construed to apply to the capability and process developed and implemented under clause (i).
  3. PUBLIC NOTICE AND ACCESS.—The Secretary of Homeland Security shall ensure there is public notice of, and access to, the capability and process developed and implemented under paragraph (1) so that—
    1. any non-Federal entity may share cyber threat indicators and defensive measures through such process with the Federal Government; and
    2. all of the appropriate Federal entities receive such cyber threat indicators and defensive measures in real time with receipt through the process within the Department of Homeland Security consistent with the policies and procedures issued under subsection (a).
  4. OTHER FEDERAL ENTITIES.—The process developed and implemented under paragraph (1) shall ensure that other Federal entities receive in a timely manner any cyber threat indicators and defensive measures shared with the Federal Government through such process.

(d) INFORMATION SHARED WITH OR PROVIDED TO THE FEDERAL GOVERNMENT.—

  1. NO WAIVER OF PRIVILEGE OR PROTECTION.—The provision of cyber threat indicators and defensive measures to the Federal Government under this title shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection.
  2. PROPRIETARY INFORMATION.—Consistent with section 104(c)(2) and any other applicable provision of law, a cyber threat indicator or defensive measure provided by a non-Federal entity to the Federal Government under this title shall be considered the commercial, financial, and proprietary information of such non-Federal entity when so designated by the originating non-Federal entity or a third party acting in accordance with the written authorization of the originating non-Federal entity.
  3. EXEMPTION FROM DISCLOSURE.—A cyber threat indicator or defensive measure shared with the Federal Government under this title shall be—
    1. deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, and any State, tribal, or local provision of law requiring disclosure of information or records; and
    2. withheld, without discretion, from the public under section 552(b)(3)(B) of title 5, United States Code, and any State, tribal, or local provision of law requiring disclosure of information or records.
  4. EX PARTE COMMUNICATIONS.—The provision of a cyber threat indicator or defensive measure to the Federal Government under this title shall not be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official.
  5. DISCLOSURE, RETENTION, AND USE.—
    1. AUTHORIZED ACTIVITIES.—Cyber threat indicators and defensive measures provided to the Federal Government under this title may be disclosed to, retained by, and used by, consistent with otherwise applicable provisions of Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal Government solely for—
      1.  a cybersecurity purpose;
      2. the purpose of identifying—
        1. a cybersecurity threat, including the source of such cybersecurity threat; or
        2. a security vulnerability;
      3. the purpose of responding to, or otherwise preventing or mitigating, a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or a use of a weapon of mass destruction;
      4. the purpose of responding to, investigating, prosecuting, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety; or
      5. the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a threat described in clause (iii) or any of the offenses listed in—
        1. sections 1028 through 1030 of title 18, United States Code (relating to fraud and identity theft);
        2. chapter 37 of such title (relating to espionage and censorship); and
        3. chapter 90 of such title (relating to protection of trade secrets).
    2. PROHIBITED ACTIVITIES.—Cyber threat indicators and defensive measures provided to the Federal Government under this title shall not be disclosed to, retained by, or used by any Federal agency or department for any use not permitted under subparagraph (A).
    3. PRIVACY AND CIVIL LIBERTIES.—Cyber threat indicators and defensive measures provided to the Federal Government under this title shall be retained, used, and disseminated by the Federal Government—
      1. in accordance with the policies, procedures, and guidelines required by subsections (a) and (b);
      2. in a manner that protects from unauthorized use or disclosure any cyber threat indicators that may contain—
        1. personal information of a specific individual; or
        2. information that identifies a specific individual; and
      3. in a manner that protects the confidentiality of cyber threat indicators containing—
        1. personal information of a specific individual; or
        2. information that identifies a specific individual.
    4. FEDERAL REGULATORY AUTHORITY.—
      1. IN GENERAL.—Except as provided in clause (ii), cyber threat indicators and defensive measures provided to the Federal Government under this title shall not be used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any non-Federal entity or any activities taken by a non-Federal entity pursuant to mandatory standards, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators.
      2. EXCEPTIONS.—
        1. REGULATORY AUTHORITY SPECIFICALLY RELATING TO PREVENTION OR MITIGATION OF CYBERSECURITY THREATS.—Cyber threat indicators and defensive measures provided to the Federal Government under this title may, consistent with Federal or State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems.
        2. PROCEDURES DEVELOPED AND IMPLEMENTED UNDER THIS TITLE.—Clause (i) shall not apply to procedures developed and implemented under this title.


SEC. 106. PROTECTION FROM LIABILITY.

(a) MONITORING OF INFORMATION SYSTEMS.—No cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the monitoring of an information system and information under section 104(a) that is conducted in accordance with this title.

(b) SHARING OR RECEIPT OF CYBER THREAT INDICATORS.—No cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the sharing or receipt of a cyber threat indicator or defensive measure under section 104(c) if—

  1. such sharing or receipt is conducted in accordance with this title; and
  2. in a case in which a cyber threat indicator or defensive measure is shared with the Federal Government, the cyber threat indicator or defensive measure is shared in a manner that is consistent with section 105(c)(1)(B) and the sharing or receipt, as the case may be, occurs after the earlier of—
    1. the date on which the interim policies and procedures are submitted to Congress under section 105(a)(1) and guidelines are submitted to Congress under section 105(b)(1); or
    2. the date that is 60 days after the date of the enactment of this Act.

(c) CONSTRUCTION.—Nothing in this title shall be construed—

  1. to create—
    1. a duty to share a cyber threat indicator or defensive measure; or
    2. a duty to warn or act based on the receipt of a cyber threat indicator or defensive measure; or
  2. to undermine or limit the availability of otherwise applicable common law or statutory defenses.

SEC. 107. OVERSIGHT OF GOVERNMENT ACTIVITIES.

(a) REPORT ON IMPLEMENTATION.—

  1. IN GENERAL.—Not later than 1 year after the date of the enactment of this title, the heads of the appropriate Federal entities shall jointly submit to Congress a detailed report concerning the implementation of this title.
  2. CONTENTS.—The report required by paragraph (1) may include such recommendations as the heads of the appropriate Federal entities may have for improvements or modifications to the authorities, policies, procedures, and guidelines under this title and shall include the following:
    1. An evaluation of the effectiveness of real-time information sharing through the capability and process developed under section 105(c), including any impediments to such real-time sharing.
    2. An assessment of whether cyber threat indicators or defensive measures have been properly classified and an accounting of the number of security clearances authorized by the Federal Government for the purpose of sharing cyber threat indicators or defensive measures with the private sector.
    3. The number of cyber threat indicators or defensive measures received through the capability and process developed under section 105(c).
    4. A list of Federal entities that have received cyber threat indicators or defensive measures under this title.

(b) BIENNIAL REPORT ON COMPLIANCE.—

  1. IN GENERAL.—Not later than 2 years after the date of the enactment of this Act and not less frequently than once every 2 years thereafter, the inspectors general of the appropriate Federal entities, in consultation with the Inspector General of the Intelligence Community and the Council of Inspectors General on Financial Oversight, shall jointly submit to Congress an interagency report on the actions of the executive branch of the Federal Government to carry out this title during the most recent 2-year period.
  2. CONTENTS.—Each report submitted under paragraph (1) shall include, for the period covered by the report, the following:
    1. An assessment of the sufficiency of the policies, procedures, and guidelines relating to the sharing of cyber threat indicators within the Federal Government, including those policies, procedures, and guidelines relating to the removal of information not directly related to a cybersecurity threat that is personal information of a specific individual or information that identifies a specific individual.
    2. An assessment of whether cyber threat indicators or defensive measures have been properly classified and an accounting of the number of security clearances authorized by the Federal Government for the purpose of sharing cyber threat indicators or defensive measures with the private sector.
    3. A review of the actions taken by the Federal Government based on cyber threat indicators or defensive measures shared with the Federal Government under this title, including a review of the following:
      1. The appropriateness of subsequent uses and disseminations of cyber threat indicators or defensive measures.
      2. Whether cyber threat indicators or defensive measures were shared in a timely and adequate manner with appropriate entities, or, if appropriate, were made publicly available.
    4. An assessment of the cyber threat indicators or defensive measures shared with the appropriate Federal entities under this title, including the following:
      1. The number of cyber threat indicators or defensive measures shared through the capability and process developed under section 105(c).
      2. An assessment of any information not directly related to a cybersecurity threat that is personal information of a specific individual or information identifying a specific individual and was shared by a non-Federal government entity with the Federal government in contravention of this title, or was shared within the Federal Government in contravention of the guidelines required by this title, including a description of any significant violation of this title.
      3. The number of times, according to the Attorney General, that information shared under this title was used by a Federal entity to prosecute an offense listed in section 105(d)(5)(A).
      4. A quantitative and qualitative assessment of the effect of the sharing of cyber threat indicators or defensive measures with the Federal Government on privacy and civil liberties of specific individuals, including the number of notices that were issued with respect to a failure to remove information not directly related to a cybersecurity threat that was personal information of a specific individual or information that identified a specific individual in accordance with the procedures required by section 105(b)(3)(E).
      5. The adequacy of any steps taken by the Federal Government to reduce any adverse effect from activities carried out under this title on the privacy and civil liberties of United States persons.
    5. An assessment of the sharing of cyber threat indicators or defensive measures among Federal entities to identify inappropriate barriers to sharing information.
  3. RECOMMENDATIONS.—Each report submitted under this subsection may include such recommendations as the inspectors general may have for improvements or modifications to the authorities and processes under this title.

(c) INDEPENDENT REPORT ON REMOVAL OF PERSONAL INFORMATION.—Not later than 3 years after the date of the enactment of this Act, the Comptroller General of the United States shall submit to Congress a report on the actions taken by the Federal Government to remove personal information from cyber threat indicators or defensive measures pursuant to this title. Such report shall include an assessment of the sufficiency of the policies, procedures, and guidelines established under this title in addressing concerns relating to privacy and civil liberties.

(d) FORM OF REPORTS.—Each report required under this section shall be submitted in an unclassified form, but may include a classified annex.

(e) PUBLIC AVAILABILITY OF REPORTS.—The unclassified portions of the reports required under this section shall be made available to the public.

SEC. 108. CONSTRUCTION AND PREEMPTION

(a) OTHERWISE LAWFUL DISCLOSURES.—Nothing in this title shall be construed—

  1. to limit or prohibit otherwise lawful disclosures of communications, records, or other information, including reporting of known or suspected criminal activity, by a non-Federal entity to any other non-Federal entity or the Federal Government under this title; or
  2.  to limit or prohibit otherwise lawful use of such disclosures by any Federal entity, even when such otherwise lawful disclosures duplicate or replicate disclosures made under this title.
(b) WHISTLE BLOWER PROTECTIONS.—Nothing in this title shall be construed to prohibit or limit the disclosure of information protected under section 2302(b)(8) of title 5, United States Code (governing disclosures of illegality, waste, fraud, abuse, or public health or safety threats), section 7211 of title 5, United States Code (governing disclosures to Congress), section 1034 of title 10, United States Code (governing disclosure to Congress by members of the military), section 1104 of the National Security Act of 1947 (50 U.S.C. 3234) (governing disclosure by employees of elements of the intelligence community), or any similar provision of Federal or State law.

(c) PROTECTION OF SOURCES AND METHODS.—Nothing in this title shall be construed—

  1. as creating any immunity against, or otherwise affecting, any action brought by the Federal Government, or any agency or department thereof, to enforce any law, executive order, or procedure governing the appropriate handling, disclosure, or use of classified information;
  2. to affect the conduct of authorized law enforcement or intelligence activities; or
  3. to modify the authority of a department or agency of the Federal Government to protect classified information and sources and methods and the national security of the United States.

(d) RELATIONSHIP TO OTHER LAWS.—Nothing in this title shall be construed to affect any requirement under any other provision of law for a non-Federal entity to provide information to the Federal Government.

(e) PROHIBITED CONDUCT.—Nothing in this title shall be construed to permit price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.

(f) INFORMATION SHARING RELATIONSHIPS.—Nothing in this title shall be construed—

  1. to limit or modify an existing information sharing relationship;
  2. to prohibit a new information sharing relationship;
  3. to require a new information sharing relationship between any non-Federal entity and a Federal entity or another non-Federal entity; or
  4. to require the use of the capability and process within the Department of Homeland Security developed under section 105(c).

(g) PRESERVATION OF CONTRACTUAL OBLIGATIONS AND RIGHTS.—Nothing in this title shall be construed—

  1. to amend, repeal, or supersede any current or future contractual agreement, terms of service agreement, or other contractual relationship between any non-Federal entities, or between any non-Federal entity and a Federal entity; or
  2. to abrogate trade secret or intellectual property rights of any non-Federal entity or Federal entity.

(h) ANTI-TASKING RESTRICTION.—Nothing in this title shall be construed to permit a Federal entity—

  1. to require a non-Federal entity to provide information to a Federal entity or another non-Federal entity;
  2. to condition the sharing of cyber threat indicators with a non-Federal entity on such entity's provision of cyber threat indicators to a Federal entity or another non-Federal entity; or
  3. to condition the award of any Federal grant, contract, or purchase on the provision of a cyber threat indicator to a Federal entity or another non-Federal entity.

(i) NO LIABILITY FOR NON-PARTICIPATION.—Nothing in this title shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized in this title.

(j) USE AND RETENTION OF INFORMATION.—Nothing in this title shall be construed to authorize, or to modify any existing authority of, a department or agency of the Federal Government to retain or use any information shared under this title for any use other than permitted in this title.

(k) FEDERAL PREEMPTION.—

  1. IN GENERAL.—This title supersedes any statute or other provision of law of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under this title.
  2. STATE LAW ENFORCEMENT.—Nothing in this title shall be construed to supersede any statute or other provision of law of a State or political subdivision of a State concerning the use of authorized law enforcement practices and procedures.

(l) REGULATORY AUTHORITY.—Nothing in this title shall be construed—

  1. to authorize the promulgation of any regulations not specifically authorized to be issued under this title;
  2. to establish or limit any regulatory authority not specifically established or limited under this title; or
  3. to authorize regulatory actions that would duplicate or conflict with regulatory requirements, mandatory standards, or related processes under another provision of Federal law.

(m) AUTHORITY OF SECRETARY OF DEFENSE TO RESPOND TO MALICIOUS CYBER ACTIVITY CARRIED OUT BY FOREIGN POWERS.—Nothing in this title shall be construed to limit the authority of the Secretary of Defense under section 130g of title 10, United States Code.

(n) CRIMINAL PROSECUTION.—Nothing in this title shall be construed to prevent the disclosure of a cyber threat indicator or defensive measure shared under this title in a case of criminal prosecution, when an applicable provision of Federal, State, tribal, or local law requires disclosure in such case.

SEC. 109. REPORT ON CYBERSECURITY THREATS.

(a) REPORT REQUIRED.—Not later than 180 days after the date of the enactment of this Act, the Director of National Intelligence, in coordination with the heads of other appropriate elements of the intelligence community, shall submit to the Select Committee on Intelligence of the Senate and the Permanent Select Committee on Intelligence of the House of Representatives a report on cybersecurity threats, including cyber attacks, theft, and data breaches.

(b) CONTENTS.—The report required by subsection (a) shall include the following:

  1. An assessment of the current intelligence sharing and cooperation relationships of the United States with other countries regarding cybersecurity threats, including cyber attacks, theft, and data breaches, directed against the United States and which threaten the United States national security interests and economy and intellectual property, specifically identifying the relative utility of such relationships, which elements of the intelligence community participate in such relationships, and whether and how such relationships could be improved.
  2. A list and an assessment of the countries and nonstate actors that are the primary threats of carrying out a cybersecurity threat, including a cyber attack, theft, or data breach, against the United States and which threaten the United States national security, economy, and intellectual property.
  3. A description of the extent to which the capabilities of the United States Government to respond to or prevent cybersecurity threats, including cyber attacks, theft, or data breaches, directed against the United States private sector are degraded by a delay in the prompt notification by private entities of such threats or cyber attacks, theft, and data breaches.
  4. An assessment of additional technologies or capabilities that would enhance the ability of the United States to prevent and to respond to cybersecurity threats, including cyber attacks, theft, and data breaches.
  5. An assessment of any technologies or practices utilized by the private sector that could be rapidly fielded to assist the intelligence community in preventing and responding to cybersecurity threats.

(c) FORM OF REPORT.—The report required by subsection (a) shall be made available in classified and unclassified forms.

(d) INTELLIGENCE COMMUNITY DEFINED.—In this section, the term “intelligence community” has the meaning given that term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).

SEC. 110. EXCEPTION TO LIMITATION ON AUTHORITY OF SECRETARY OF DEFENSE TO DISSEMINATE CERTAIN INFORMATION.



Notwithstanding subsection (c)(3) of section 393 of title 10, United States Code, the Secretary of Defense may authorize the sharing of cyber threat indicators and defensive measures pursuant to the policies, procedures, and guidelines developed or issued under this title.

SEC. 111. EFFECTIVE PERIOD.

(a) IN GENERAL.—Except as provided in subsection (b), this title and the amendments made by this title shall be effective during the period beginning on the date of the enactment of this Act and ending on September 30, 2025.

(b) EXCEPTION.—With respect to any action authorized by this title or information obtained pursuant to an action authorized by this title, which occurred before the date on which the provisions referred to in subsection (a) cease to have effect, the provisions of this title shall continue in effect.

TITLE II—  National Cybersecurity And Communications Integration Center
Subtitle A—National Cybersecurity And Communications Integration Center

SEC. 201. SHORT TITLE.

This subtitle may be cited as the “National Cybersecurity Protection Advancement Act of 2015”.

SEC. 202. DEFINITIONS.

In this subtitle:

  1. APPROPRIATE CONGRESSIONAL COMMITTEES.—The term “appropriate congressional committees” means—
    1. the Committee on Homeland Security and Governmental Affairs of the Senate; and
    2. the Committee on Homeland Security of the House of Representatives.
  2. CYBERSECURITY RISK; INCIDENT.—The terms “cybersecurity risk” and “incident” have the meanings given those terms in section 227 of the Homeland Security Act of 2002, as so redesignated by section 223(a)(3) of this division.
  3. CYBER THREAT INDICATOR; DEFENSIVE MEASURE.—The terms “cyber threat indicator” and “defensive measure” have the meanings given those terms in section 102.
  4. DEPARTMENT.—The term “Department” means the Department of Homeland Security.
  5. SECRETARY.—The term “Secretary” means the Secretary of Homeland Security.

SEC. 203. INFORMATION SHARING STRUCTURE AND PROCESSES.

Section 227 of the Homeland Security Act of 2002, as so redesignated by section 223(a)(3) of this division, is amended—

  1. in subsection (a)—
    1. by redesignating paragraphs (3) and (4) as paragraphs (4) and (5), respectively;
    2. by striking paragraphs (1) and (2) and inserting the following:
      • “(1) the term ‘cybersecurity risk’—
      • “(A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and
      • “(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;
      • “(2) the terms ‘cyber threat indicator’ and ‘defensive measure’ have the meanings given those terms in section 102 of the Cybersecurity Act of 2015;
      • “(3) the term ‘incident’ means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system;”;
    3. in paragraph (4), as so redesignated, by striking “and” at the end;
    4. in paragraph (5), as so redesignated, by striking the period at the end and inserting “; and”; and
    5. by adding at the end the following:
      • “(6) the term ‘sharing’ (including all conjugations thereof) means providing, receiving, and disseminating (including all conjugations of each of such terms).”;
  2. in subsection (c)—
    1. in paragraph (1)—
      1. by inserting “, including the implementation of title I of the Cybersecurity Act of 2015” before the semicolon at the end; and
      2. by inserting “cyber threat indicators, defensive measures,” before “cybersecurity risks”;
    2. in paragraph (3), by striking “cybersecurity risks” and inserting “cyber threat indicators, defensive measures, cybersecurity risks,”;
    3. in paragraph (5)(A), by striking “cybersecurity risks” and inserting “cyber threat indicators, defensive measures, cybersecurity risks,”;
    4. in paragraph (6)—
      1. by striking “cybersecurity risks” and inserting “cyber threat indicators, defensive measures, cybersecurity risks,”; and
      2. by striking “and” at the end;
    5. in paragraph (7)—
      1. in subparagraph (A), by striking “and” at the end;
      2. in subparagraph (B), by striking the period at the end and inserting “; and”; and
      3. by adding at the end the following:
      • “(C) sharing cyber threat indicators and defensive measures;”; and
    6. (F) by adding at the end the following:
      • “(8) engaging with international partners, in consultation with other appropriate agencies, to—
        1. collaborate on cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents; and
        2. enhance the security and resilience of global cybersecurity;
      • “(9) sharing cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities, including across sectors of critical infrastructure and with State and major urban area fusion centers, as appropriate;
      • “(10) participating, as appropriate, in national exercises run by the Department; and
      • “(11) in coordination with the Office of Emergency Communications of the Department, assessing and evaluating consequence, vulnerability, and threat information regarding cyber incidents to public safety communications to help facilitate continuous improvements to the security and resiliency of such communications.”;
  3. (3) in subsection (d)(1)—
    1. in subparagraph (B)—
      1. in clause (i), by striking “and local” and inserting “, local, and tribal”;
      2. in clause (ii), by striking “; and” and inserting “, including information sharing and analysis centers;”;
      3. in clause (iii), by adding “and” at the end; and
      4. by adding at the end the following:
      5. “(iv) private entities;”.
    2. in subparagraph (D), by striking “and” at the end;
    3. by redesignating subparagraph (E) as subparagraph (F); and
    4. by inserting after subparagraph (D) the following:
      • “(E) an entity that collaborates with State and local governments on cybersecurity risks and incidents, and has entered into a voluntary information sharing relationship with the Center; and”;
  4. in subsection (e)—
    1. in paragraph (1)—
      1. in subparagraph (A), by inserting “cyber threat indicators, defensive measures, and” before “information”;
      2. in subparagraph (B), by inserting “cyber threat indicators, defensive measures, and” before “information related”;
      3. in subparagraph (F)—
        1. by striking “cybersecurity risks” and inserting “cyber threat indicators, defensive measures, cybersecurity risks,”; and
        2.  by striking “and” at the end;
      4. in subparagraph (G), by striking “cybersecurity risks and incidents” and inserting “cyber threat indicators, defensive measures, cybersecurity risks, and incidents; and”; and
      5. by adding at the end the following: “(H) the Center designates an agency contact for non-Federal entities;”;
    2. in paragraph (2)—
      1. by striking “cybersecurity risks” and inserting “cyber threat indicators, defensive measures, cybersecurity risks,”; and
      2. by inserting “or disclosure” after “access”; and
    3. in paragraph (3), by inserting before the period at the end the following: “, including by working with the Privacy Officer appointed under section 222 to ensure that the Center follows the policies and procedures specified in subsections (b) and (d)(5)(C) of section 105 of the Cybersecurity Act of 2015”; and
  5. by adding at the end the following:
    • “(g) AUTOMATED INFORMATION SHARING.—
      1. IN GENERAL.—The Under Secretary appointed under section 103(a)(1)(H), in coordination with industry and other stakeholders, shall develop capabilities making use of existing information technology industry standards and best practices, as appropriate, that support and rapidly advance the development, adoption, and implementation of automated mechanisms for the sharing of cyber threat indicators and defensive measures in accordance with title I of the Cybersecurity Act of 2015.
      2. ANNUAL REPORT.—The Under Secretary appointed under section 103(a)(1)(H) shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives an annual report on the status and progress of the development of the capabilities described in paragraph (1). Such reports shall be required until such capabilities are fully implemented.
    • “(h) VOLUNTARY INFORMATION SHARING PROCEDURES.—
      1. PROCEDURES.—
        1. IN GENERAL.—The Center may enter into a voluntary information sharing relationship with any consenting non-Federal entity for the sharing of cyber threat indicators and defensive measures for cybersecurity purposes in accordance with this section. Nothing in this subsection may be construed to require any non-Federal entity to enter into any such information sharing relationship with the Center or any other entity. The Center may terminate a voluntary information sharing relationship under this subsection, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), for any reason, including if the Center determines that the non-Federal entity with which the Center has entered into such a relationship has violated the terms of this subsection.
        2. NATIONAL SECURITY.—The Secretary may decline to enter into a voluntary information sharing relationship under this subsection, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), for any reason, including if the Secretary determines that such is appropriate for national security.
      2. VOLUNTARY INFORMATION SHARING RELATIONSHIPS.—A voluntary information sharing relationship under this subsection may be characterized as an agreement described in this paragraph.
        1. STANDARD AGREEMENT.—For the use of a non-Federal entity, the Center shall make available a standard agreement, consistent with this section, on the Department's website.
        2. NEGOTIATED AGREEMENT.—At the request of a non-Federal entity, and if determined appropriate by the Center, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), the Department shall negotiate a non-standard agreement, consistent with this section.
        3. EXISTING AGREEMENTS.—An agreement between the Center and a non-Federal entity that is entered into before the date of enactment of this subsection, or such an agreement that is in effect before such date, shall be deemed in compliance with the requirements of this subsection, notwithstanding any other provision or requirement of this subsection. An agreement under this subsection shall include the relevant privacy protections as in effect under the Cooperative Research and Development Agreement for Cybersecurity Information Sharing and Collaboration, as of December 31, 2014. Nothing in this subsection may be construed to require a non-Federal entity to enter into either a standard or negotiated agreement to be in compliance with this subsection.
    • “(i) DIRECT REPORTING.—The Secretary shall develop policies and procedures for direct reporting to the Secretary by the Director of the Center regarding significant cybersecurity risks and incidents.
    • “(j) REPORTS ON INTERNATIONAL COOPERATION.—Not later than 180 days after the date of enactment of this subsection, and periodically thereafter, the Secretary of Homeland Security shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the range of efforts underway to bolster cybersecurity collaboration with relevant international partners in accordance with subsection (c)(8).
    • “(k) OUTREACH.—Not later than 60 days after the date of enactment of this subsection, the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), shall—
      1. disseminate to the public information about how to voluntarily share cyber threat indicators and defensive measures with the Center; and
      2. enhance outreach to critical infrastructure owners and operators for purposes of such sharing.
    • “(l) COORDINATED VULNERABILITY DISCLOSURE.—The Secretary, in coordination with industry and other stakeholders, may develop and adhere to Department policies and procedures for coordinating vulnerability disclosures.”

SEC. 204. INFORMATION SHARING AND ANALYSIS ORGANIZATIONS.


Section 212 of the Homeland Security Act of 2002 (6 U.S.C. 131) is amended—

  1. in paragraph (5)—
    1.  in subparagraph (A)—
      1. by inserting “, including information related to cybersecurity risks and incidents,” after “critical infrastructure information”; and
      2. by inserting “, including cybersecurity risks and incidents,” after “related to critical infrastructure”;
    2. in subparagraph (B)—
      1. by inserting “, including cybersecurity risks and incidents,” after “critical infrastructure information”; and
      2. by inserting “, including cybersecurity risks and incidents,” after “related to critical infrastructure”; and
    3. in subparagraph (C), by inserting “, including cybersecurity risks and incidents,” after “critical infrastructure information”; and
  2. by adding at the end the following: “(8) CYBERSECURITY RISK; INCIDENT.—The terms ‘cybersecurity risk’ and ‘incident’ have the meanings given those terms in section 227.”.

SEC. 205. NATIONAL RESPONSE FRAMEWORK.

Section 228 of the Homeland Security Act of 2002, as added by section 223(a)(4) of this division, is amended by adding at the end the following:

  • “(d) NATIONAL RESPONSE FRAMEWORK.—The Secretary, in coordination with the heads of other appropriate Federal departments and agencies, and in accordance with the National Cybersecurity Incident Response Plan required under subsection (c), shall regularly update, maintain, and exercise the Cyber Incident Annex to the National Response Framework of the Department.”.

SEC. 206. REPORT ON REDUCING CYBERSECURITY RISKS IN DHS DATA CENTERS.

Not later than 1 year after the date of the enactment of this Act, the Secretary shall submit to the appropriate congressional committees a report on the feasibility of the Department creating an environment for the reduction in cybersecurity risks in Department data centers, including by increasing compartmentalization between systems, and providing a mix of security controls between such compartments.

SEC. 207. ASSESSMENT.

Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall submit to the appropriate congressional committees a report that includes—

  1. an assessment of the implementation by the Secretary of this title and the amendments made by this title; and
  2. to the extent practicable, findings regarding increases in the sharing of cyber threat indicators, defensive measures, and information relating to cybersecurity risks and incidents at the center established under section 227 of the Homeland Security Act of 2002, as redesignated by section 223(a) of this division, and throughout the United States.

SEC. 208. MULTIPLE SIMULTANEOUS CYBER INCIDENTS AT CRITICAL INFRASTRUCTURE.

Not later than 1 year after the date of enactment of this Act, the Under Secretary appointed under section 103(a)(1)(H) of the Homeland Security Act of 2002 (6 U.S.C. 113(a)(1)(H)) shall provide information to the appropriate congressional committees on the feasibility of producing a risk-informed plan to address the risk of multiple simultaneous cyber incidents affecting critical infrastructure, including cyber incidents that may have a cascading effect on other critical infrastructure.

SEC. 209. REPORT ON CYBERSECURITY VULNERABILITIES OF UNITED STATES PORTS.

Not later than 180 days after the date of enactment of this Act, the Secretary shall submit to the appropriate congressional committees, the Committee on Commerce, Science and Transportation of the Senate, and the Committee on Transportation and Infrastructure of the House of Representatives a report on cybersecurity vulnerabilities for the 10 United States ports that the Secretary determines are at greatest risk of a cybersecurity incident and provide recommendations to mitigate such vulnerabilities.

SEC. 210. PROHIBITION ON NEW REGULATORY AUTHORITY.

Nothing in this subtitle or the amendments made by this subtitle may be construed to grant the Secretary any authority to promulgate regulations or set standards relating to the cybersecurity of non-Federal entities, not including State, local, and tribal governments, that was not in effect on the day before the date of enactment of this Act.

SEC. 211. TERMINATION OF REPORTING REQUIREMENTS.

Any reporting requirements in this subtitle shall terminate on the date that is 7 years after the date of enactment of this Act.

Subtitle B—Federal Cybersecurity Enhancement

SEC. 221. SHORT TITLE.

This subtitle may be cited as the “Federal Cybersecurity Enhancement Act of 2015”.

SEC. 222. DEFINITIONS.

In this subtitle:

  1. AGENCY.—The term “agency” has the meaning given the term in section 3502 of title 44, United States Code.
  2. AGENCY INFORMATION SYSTEM.—The term “agency information system” has the meaning given the term in section 228 of the Homeland Security Act of 2002, as added by section 223(a)(4) of this division.
  3. APPROPRIATE CONGRESSIONAL COMMITTEES.—The term “appropriate congressional committees” means—
    1. the Committee on Homeland Security and Governmental Affairs of the Senate; and
    2. the Committee on Homeland Security of the House of Representatives.
  4. CYBERSECURITY RISK; INFORMATION SYSTEM.—The terms “cybersecurity risk” and “information system” have the meanings given those terms in section 227 of the Homeland Security Act of 2002, as so redesignated by section 223(a)(3) of this division.
  5. DIRECTOR.—The term “Director” means the Director of the Office of Management and Budget.
  6. INTELLIGENCE COMMUNITY.—The term “intelligence community” has the meaning given the term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)).
  7. NATIONAL SECURITY SYSTEM.—The term “national security system” has the meaning given the term in section 11103 of title 40, United States Code.
  8. SECRETARY.—The term “Secretary” means the Secretary of Homeland Security.

SEC. 223. IMPROVED FEDERAL NETWORK SECURITY.

(a) IN GENERAL.—Subtitle C of title II of the Homeland Security Act of 2002 (6 U.S.C. 141 et seq.) is amended—

  1. by redesignating section 228 as section 229;
  2. by redesignating section 227 as subsection (c) of section 228, as added by paragraph (4), and adjusting the margins accordingly;
  3. by redesignating the second section designated as section 226 (relating to the national cybersecurity and communications integration center) as section 227;
  4. by inserting after section 227, as so redesignated, the following:
    • “SEC. 228 CYBERSECURITY PLANS.“
      1. DEFINITIONS.—In this section—
        1. the term ‘agency information system’ means an information system used or operated by an agency or by another entity on behalf of an agency;
        2. the terms ‘cybersecurity risk’ and ‘information system’ have the meanings given those terms in section 227;
        3. the term ‘intelligence community’ has the meaning given the term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)); and
        4. the term ‘national security system’ has the meaning given the term in section 11103 of title 40, United States Code.
      2. INTRUSION ASSESSMENT PLAN.—
        1. REQUIREMENT.—The Secretary, in coordination with the Director of the Office of Management and Budget, shall—
          1. develop and implement an intrusion assessment plan to proactively detect, identify, and remove intruders in agency information systems on a routine basis; and
          2. update such plan as necessary.
        2. EXCEPTION.—The intrusion assessment plan required under paragraph (1) shall not apply to the Department of Defense, a national security system, or an element of the intelligence community.
  5. in section 228(c), as so redesignated, by striking “section 226” and inserting “section 227”; and
  6. by inserting after section 229, as so redesignated, the following:
    • “SEC. 230 FEDERAL INTRUSION DETECTION AND PREVENTION SYSTEM.
      1. DEFINITIONS.—In this section—
        1. the term ‘agency’ has the meaning given the term in section 3502 of title 44, United States Code;
        2. the term ‘agency information’ means information collected or maintained by or on behalf of an agency;
        3. the term ‘agency information system’ has the meaning given the term in section 228; and
        4. the terms ‘cybersecurity risk’ and ‘information system’ have the meanings given those terms in section 227.
      2. REQUIREMENT.—
        1. IN GENERAL.—Not later than 1 year after the date of enactment of this section, the Secretary shall deploy, operate, and maintain, to make available for use by any agency, with or without reimbursement—
          1. a capability to detect cybersecurity risks in network traffic transiting or traveling to or from an agency information system; and
          2. a capability to prevent network traffic associated with such cybersecurity risks from transiting or traveling to or from an agency information system or modify such network traffic to remove the cybersecurity risk.
        2. REGULAR IMPROVEMENT.—The Secretary shall regularly deploy new technologies and modify existing technologies to the intrusion detection and prevention capabilities described in paragraph (1) as appropriate to improve the intrusion detection and prevention capabilities.
      3. ACTIVITIES.—In carrying out subsection (b), the Secretary—
        1. may access, and the head of an agency may disclose to the Secretary or a private entity providing assistance to the Secretary under paragraph (2), information transiting or traveling to or from an agency information system, regardless of the location from which the Secretary or a private entity providing assistance to the Secretary under paragraph (2) accesses such information, notwithstanding any other provision of law that would otherwise restrict or prevent the head of an agency from disclosing such information to the Secretary or a private entity providing assistance to the Secretary under paragraph (2);
        2. may enter into contracts or other agreements with, or otherwise request and obtain the assistance of, private entities to deploy, operate, and maintain technologies in accordance with subsection (b);
        3. may retain, use, and disclose information obtained through the conduct of activities authorized under this section only to protect information and information systems from cybersecurity risks;
        4. shall regularly assess through operational test and evaluation in real world or simulated environments available advanced protective technologies to improve detection and prevention capabilities, including commercial and noncommercial technologies and detection technologies beyond signature-based detection, and acquire, test, and deploy such technologies when appropriate;
        5. shall establish a pilot through which the Secretary may acquire, test, and deploy, as rapidly as possible, technologies described in paragraph (4); and
        6. shall periodically update the privacy impact assessment required under section 208(b) of the E-Government Act of 2002 (44 U.S.C. 3501 note).
      4. PRINCIPLES.—In carrying out subsection (b), the Secretary shall ensure that—
        1. activities carried out under this section are reasonably necessary for the purpose of protecting agency information and agency information systems from a cybersecurity risk;
        2. information accessed by the Secretary will be retained no longer than reasonably necessary for the purpose of protecting agency information and agency information systems from a cybersecurity risk;
        3. notice has been provided to users of an agency information system concerning access to communications of users of the agency information system for the purpose of protecting agency information and the agency information system; and
        4. the activities are implemented pursuant to policies and procedures governing the operation of the intrusion detection and prevention capabilities.
      5. PRIVATE ENTITIES.—
        1. CONDITIONS.—A private entity described in subsection (c)(2) may not—
          1. disclose any network traffic transiting or traveling to or from an agency information system to any entity other than the Department or the agency that disclosed the information under subsection (c)(1), including personal information of a specific individual or information that identifies a specific individual not directly related to a cybersecurity risk; or
          2. use any network traffic transiting or traveling to or from an agency information system to which the private entity gains access in accordance with this section for any purpose other than to protect agency information and agency information systems against cybersecurity risks or to administer a contract or other agreement entered into pursuant to subsection (c)(2) or as part of another contract with the Secretary.
        2. LIMITATION ON LIABILITY.—No cause of action shall lie in any court against a private entity for assistance provided to the Secretary in accordance with this section and any contract or agreement entered into pursuant to subsection (c)(2).
        3. RULE OF CONSTRUCTION.—Nothing in paragraph (2) shall be construed to authorize an Internet service provider to break a user agreement with a customer without the consent of the customer.
      6. PRIVACY OFFICER REVIEW.—Not later than 1 year after the date of enactment of this section, the Privacy Officer appointed under section 222, in consultation with the Attorney General, shall review the policies and guidelines for the program carried out under this section to ensure that the policies and guidelines are consistent with applicable privacy laws, including those governing the acquisition, interception, retention, use, and disclosure of communications.”.

(b) AGENCY RESPONSIBILITIES.—

  1. IN GENERAL.—Except as provided in paragraph (2)—
    1. not later than 1 year after the date of enactment of this Act or 2 months after the date on which the Secretary makes available the intrusion detection and prevention capabilities under section 230(b)(1) of the Homeland Security Act of 2002, as added by subsection (a), whichever is later, the head of each agency shall apply and continue to utilize the capabilities to all information traveling between an agency information system and any information system other than an agency information system; and
    2. not later than 6 months after the date on which the Secretary makes available improvements to the intrusion detection and prevention capabilities pursuant to section 230(b)(2) of the Homeland Security Act of 2002, as added by subsection (a), the head of each agency shall apply and continue to utilize the improved intrusion detection and prevention capabilities.
  2. EXCEPTION.—The requirements under paragraph (1) shall not apply to the Department of Defense, a national security system, or an element of the intelligence community.
  3. DEFINITION.—Notwithstanding section 222, in this subsection, the term “agency information system” means an information system owned or operated by an agency.
  4. RULE OF CONSTRUCTION.—Nothing in this subsection shall be construed to limit an agency from applying the intrusion detection and prevention capabilities to an information system other than an agency information system under section 230(b)(1) of the Homeland Security Act of 2002, as added by subsection (a), at the discretion of the head of the agency or as provided in relevant policies, directives, and guidelines.

(c) TABLE OF CONTENTS AMENDMENT.—The table of contents in section 1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 note) is amended by striking the items relating to the first section designated as section 226, the second section designated as section 226 (relating to the national cybersecurity and communications integration center), section 227, and section 228 and inserting the following:

“Sec. 226. Cybersecurity recruitment and retention.
“Sec. 227. National cybersecurity and communications integration center.
“Sec. 228. Cybersecurity plans.
“Sec. 229. Clearances.
“Sec. 230. Federal intrusion detection and prevention system.”.

SEC. 224. ADVANCED INTERNAL DEFENSES.

(a) ADVANCED NETWORK SECURITY TOOLS.—

  1. IN GENERAL.—The Secretary shall include, in the efforts of the Department to continuously diagnose and mitigate cybersecurity risks, advanced network security tools to improve visibility of network activity, including through the use of commercial and free or open source tools, and to detect and mitigate intrusions and anomalous activity.
  2. DEVELOPMENT OF PLAN.—The Director shall develop and the Secretary shall implement a plan to ensure that each agency utilizes advanced network security tools, including those described in paragraph (1), to detect and mitigate intrusions and anomalous activity.

(b) PRIORITIZING ADVANCED SECURITY TOOLS.—The Director and the Secretary, in consultation with appropriate agencies, shall—

  1. review and update Government-wide policies and programs to ensure appropriate prioritization and use of network security monitoring tools within agency networks; and
  2. brief appropriate congressional committees on such prioritization and use.

(c) IMPROVED METRICS.—The Secretary, in collaboration with the Director, shall review and update the metrics used to measure security under section 3554 of title 44, United States Code, to include measures of intrusion and incident detection and response times.

(d) TRANSPARENCY AND ACCOUNTABILITY.—The Director, in consultation with the Secretary, shall increase transparency to the public on agency cybersecurity posture, including by increasing the number of metrics available on Federal Government performance websites and, to the greatest extent practicable, displaying metrics for department components, small agencies, and micro-agencies.

(e) MAINTENANCE OF TECHNOLOGIES.—Section 3553(b)(6)(B) of title 44, United States Code, is amended by inserting “, operating, and maintaining” after “deploying”.

(f) EXCEPTION.—The requirements under this section shall not apply to the Department of Defense, a national security system, or an element of the intelligence community.

SEC. 225. FEDERAL CYBERSECURITY REQUIREMENTS.

(a) IMPLEMENTATION OF FEDERAL CYBERSECURITY STANDARDS.—Consistent with section 3553 of title 44, United States Code, the Secretary, in consultation with the Director, shall exercise the authority to issue binding operational directives to assist the Director in ensuring timely agency adoption of and compliance with policies and standards promulgated under section 11331 of title 40, United States Code, for securing agency information systems.

(b) CYBERSECURITY REQUIREMENTS AT AGENCIES.—

  1. IN GENERAL.—Consistent with policies, standards, guidelines, and directives on information security under subchapter II of chapter 35 of title 44, United States Code, and the standards and guidelines promulgated under section 11331 of title 40, United States Code, and except as provided in paragraph (2), not later than 1 year after the date of the enactment of this Act, the head of each agency shall—
    1. identify sensitive and mission critical data stored by the agency consistent with the inventory required under the first subsection (c) (relating to the inventory of major information systems) and the second subsection (c) (relating to the inventory of information systems) of section 3505 of title 44, United States Code;
    2. assess access controls to the data described in subparagraph (A), the need for readily accessible storage of the data, and individuals' need to access the data;
    3. encrypt or otherwise render indecipherable to unauthorized users the data described in subparagraph (A) that is stored on or transiting agency information systems;
    4. implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication, as developed by the Administrator of General Services in collaboration with the Secretary; and
    5. implement identity management consistent with section 504 of the Cybersecurity Enhancement Act of 2014 (Public Law 113–274; 15 U.S.C. 7464), including multi-factor authentication, for—
      1. remote access to an agency information system; and
      2. each user account with elevated privileges on an agency information system.
  2. EXCEPTION.—The requirements under paragraph (1) shall not apply to an agency information system for which—
    1. the head of the agency has personally certified to the Director with particularity that—
      1. operational requirements articulated in the certification and related to the agency information system would make it excessively burdensome to implement the cybersecurity requirement;
      2. the cybersecurity requirement is not necessary to secure the agency information system or agency information stored on or transiting it; and
      3. the agency has taken all necessary steps to secure the agency information system and agency information stored on or transiting it; and (B) the head of the agency or the designee of the head of the agency has submitted the certification described in subparagraph (A) to the appropriate congressional committees and the agency's authorizing committees.
  3. CONSTRUCTION.—Nothing in this section shall be construed to alter the authority of the Secretary, the Director, or the Director of the National Institute of Standards and Technology in implementing subchapter II of chapter 35 of title 44, United States Code. Nothing in this section shall be construed to affect the National Institute of Standards and Technology standards process or the requirement under section 3553(a)(4) of such title or to discourage continued improvements and advancements in the technology, standards, policies, and guidelines used to promote Federal information security.

(c) EXCEPTION.—The requirements under this section shall not apply to the Department of Defense, a national security system, or an element of the intelligence community.

SEC. 226. ASSESSMENT; REPORTS.

(a) DEFINITIONS.—In this section:

  1. AGENCY INFORMATION.—The term “agency information” has the meaning given the term in section 230 of the Homeland Security Act of 2002, as added by section 223(a)(6) of this division.
  2. CYBER THREAT INDICATOR; DEFENSIVE MEASURE.—The terms “cyber threat indicator” and “defensive measure” have the meanings given those terms in section 102.
  3. INTRUSION ASSESSMENTS.—The term “intrusion assessments” means actions taken under the intrusion assessment plan to identify and remove intruders in agency information systems.
  4. INTRUSION ASSESSMENT PLAN.—The term “intrusion assessment plan” means the plan required under section 228(b)(1) of the Homeland Security Act of 2002, as added by section 223(a)(4) of this division.
  5. INTRUSION DETECTION AND PREVENTION CAPABILITIES.—The term “intrusion detection and prevention capabilities” means the capabilities required under section 230(b) of the Homeland Security Act of 2002, as added by section 223(a)(6) of this division.

(b) THIRD-PARTY ASSESSMENT.—Not later than 3 years after the date of enactment of this Act, the Comptroller General of the United States shall conduct a study and publish a report on the effectiveness of the approach and strategy of the Federal Government to securing agency information systems, including the intrusion detection and prevention capabilities and the intrusion assessment plan.

(c) REPORTS TO CONGRESS.—

  1. INTRUSION DETECTION AND PREVENTION CAPABILITIES.—
    1. SECRETARY OF HOMELAND SECURITY REPORT.—Not later than 6 months after the date of enactment of this Act, and annually thereafter, the Secretary shall submit to the appropriate congressional committees a report on the status of implementation of the intrusion detection and prevention capabilities, including—
      1. a description of privacy controls;
      2. a description of the technologies and capabilities utilized to detect cybersecurity risks in network traffic, including the extent to which those technologies and capabilities include existing commercial and noncommercial technologies;
      3. a description of the technologies and capabilities utilized to prevent network traffic associated with cybersecurity risks from transiting or traveling to or from agency information systems, including the extent to which those technologies and capabilities include existing commercial and noncommercial technologies;
      4. a list of the types of indicators or other identifiers or techniques used to detect cybersecurity risks in network traffic transiting or traveling to or from agency information systems on each iteration of the intrusion detection and prevention capabilities and the number of each such type of indicator, identifier, and technique;
      5. the number of instances in which the intrusion detection and prevention capabilities detected a cybersecurity risk in network traffic transiting or traveling to or from agency information systems and the number of times the intrusion detection and prevention capabilities blocked network traffic associated with cybersecurity risk; and
      6. a description of the pilot established under section 230(c)(5) of the Homeland Security Act of 2002, as added by section 223(a)(6) of this division, including the number of new technologies tested and the number of participating agencies.
    2. OMB REPORT.—Not later than 18 months after the date of enactment of this Act, and annually thereafter, the Director shall submit to Congress, as part of the report required under section 3553(c) of title 44, United States Code, an analysis of agency application of the intrusion detection and prevention capabilities, including—
      1. a list of each agency and the degree to which each agency has applied the intrusion detection and prevention capabilities to an agency information system; and
      2. a list by agency of—
        1. the number of instances in which the intrusion detection and prevention capabilities detected a cybersecurity risk in network traffic transiting or traveling to or from an agency information system and the types of indicators, identifiers, and techniques used to detect such cybersecurity risks; and
        2.  the number of instances in which the intrusion detection and prevention capabilities prevented network traffic associated with a cybersecurity risk from transiting or traveling to or from an agency information system and the types of indicators, identifiers, and techniques used to detect such agency information systems.
    3. CHIEF INFORMATION OFFICER.—Not earlier than 18 months after the date of enactment of this Act and not later than 2 years after the date of enactment of this Act, the Federal Chief Information Officer shall review and submit to the appropriate congressional committees a report assessing the intrusion detection and intrusion prevention capabilities, including—
      1. the effectiveness of the system in detecting, disrupting, and preventing cyber-threat actors, including advanced persistent threats, from accessing agency information and agency information systems;
      2. whether the intrusion detection and prevention capabilities, continuous diagnostics and mitigation, and other systems deployed under subtitle D of title II of the Homeland Security Act of 2002 (6 U.S.C. 231 et seq.) are effective in securing Federal information systems;
      3. the costs and benefits of the intrusion detection and prevention capabilities, including as compared to commercial technologies and tools and including the value of classified cyber threat indicators; and
      4. the capability of agencies to protect sensitive cyber threat indicators and defensive measures if they were shared through unclassified mechanisms for use in commercial technologies and tools.
  2. OMB REPORT ON DEVELOPMENT AND IMPLEMENTATION OF INTRUSION ASSESSMENT PLAN, ADVANCED INTERNAL DEFENSES, AND FEDERAL CYBERSECURITY REQUIREMENTS.—The Director shall—
    1. not later than 6 months after the date of enactment of this Act, and 30 days after any update thereto, submit the intrusion assessment plan to the appropriate congressional committees;
    2. not later than 1 year after the date of enactment of this Act, and annually thereafter, submit to Congress, as part of the report required under section 3553(c) of title 44, United States Code—
      1. a description of the implementation of the intrusion assessment plan;
      2. the findings of the intrusion assessments conducted pursuant to the intrusion assessment plan;
      3. a description of the advanced network security tools included in the efforts to continuously diagnose and mitigate cybersecurity risks pursuant to section 224(a)(1); and
      4. a list by agency of compliance with the requirements of section 225(b); and
    3. not later than 1 year after the date of enactment of this Act, submit to the appropriate congressional committees—
      1. a copy of the plan developed pursuant to section 224(a)(2); and
      2. the improved metrics developed pursuant to section 224(c).

(d) FORM.—Each report required under this section shall be submitted in unclassified form, but may include a classified annex.

SEC. 227. TERMINATION.

(a) IN GENERAL.—The authority provided under section 230 of the Homeland Security Act of 2002, as added by section 223(a)(6) of this division, and the reporting requirements under section 226(c) of this division shall terminate on the date that is 7 years after the date of enactment of this Act.

(b) RULE OF CONSTRUCTION.—Nothing in subsection (a) shall be construed to affect the limitation of liability of a private entity for assistance provided to the Secretary under section 230(d)(2) of the Homeland Security Act of 2002, as added by section 223(a)(6) of this division, if such assistance was rendered before the termination date under subsection (a) or otherwise during a period in which the assistance was authorized.

SEC. 228. IDENTIFICATION OF INFORMATION SYSTEMS RELATING TO NATIONAL SECURITY.

(a) IN GENERAL.—Except as provided in subsection (c), not later than 180 days after the date of enactment of this Act—

  1. the Director of National Intelligence and the Director of the Office of Management and Budget, in coordination with the heads of other agencies, shall—
    1. identify all unclassified information systems that provide access to information that may provide an adversary with the ability to derive information that would otherwise be considered classified;
    2. assess the risks that would result from the breach of each unclassified information system identified in subparagraph (A); and
    3. assess the cost and impact on the mission carried out by each agency that owns an unclassified information system identified in subparagraph (A) if the system were to be subsequently designated as a national security system; and
  2. the Director of National Intelligence and the Director of the Office of Management and Budget shall submit to the appropriate congressional committees, the Select Committee on Intelligence of the Senate, and the Permanent Select Committee on Intelligence of the House of Representatives a report that includes the findings under paragraph (1).

(b) FORM.—The report submitted under subsection (a)(2) shall be in unclassified form, and shall include a classified annex.

(c) EXCEPTION.—The requirements under subsection (a)(1) shall not apply to the Department of Defense, a national security system, or an element of the intelligence community.

(d) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to designate an information system as a national security system.

SEC. 229. DIRECTION TO AGENCIES.

(a) IN GENERAL.—Section 3553 of title 44, United States Code, is amended by adding at the end the following:

  • “(h) DIRECTION TO AGENCIES.—
    1. AUTHORITY.—
      1. IN GENERAL.—Subject to subparagraph (B), in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, the Secretary may issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.
      2. EXCEPTION.—The authorities of the Secretary under this subsection shall not apply to a system described subsection (d) or to a system described in paragraph (2) or (3) of subsection (e).
    2. PROCEDURES FOR USE OF AUTHORITY.—The Secretary shall—
      1. in coordination with the Director, and in consultation with Federal contractors as appropriate, establish procedures governing the circumstances under which a directive may be issued under this subsection, which shall include—
        1. thresholds and other criteria;
        2. privacy and civil liberties protections; and
        3. providing notice to potentially affected third parties;
      1. specify the reasons for the required action and the duration of the directive;
      2. minimize the impact of a directive under this subsection by—
        1. adopting the least intrusive means possible under the circumstances to secure the agency information systems; and 
        2. limiting directives to the shortest period practicable;
      3. notify the Director and the head of any affected agency immediately upon the issuance of a directive under this subsection;
      4. consult with the Director of the National Institute of Standards and Technology regarding any directive under this subsection that implements standards and guidelines developed by the National Institute of Standards and Technology;
      5. ensure that directives issued under this subsection do not conflict with the standards and guidelines issued under section 11331 of title 40;
      6. consider any applicable standards or guidelines developed by the National Institute of Standards and Technology issued by the Secretary of Commerce under section 11331 of title 40; and
      7. not later than February 1 of each year, submit to the appropriate congressional committees a report regarding the specific actions the Secretary has taken pursuant to paragraph (1)(A).
    3. IMMINENT THREATS.—
      1. IN GENERAL.—Notwithstanding section 3554, the Secretary may authorize the use under this subsection of the intrusion detection and prevention capabilities established under section 230(b)(1) of the Homeland Security Act of 2002 for the purpose of ensuring the security of agency information systems, if—
        1. the Secretary determines there is an imminent threat to agency information systems;
        2. the Secretary determines a directive under subsection (b)(2)(C) or paragraph (1)(A) is not reasonably likely to result in a timely response to the threat;
        3. the Secretary determines the risk posed by the imminent threat outweighs any adverse consequences reasonably expected to result from the use of the intrusion detection and prevention capabilities under the control of the Secretary;
        4. the Secretary provides prior notice to the Director, and the head and chief information officer (or equivalent official) of each agency to which specific actions will be taken pursuant to this paragraph, and notifies the appropriate congressional committees and authorizing committees of each such agency within 7 days of taking an action under this paragraph of—
          1. any action taken under this paragraph; and
          2. the reasons for and duration and nature of the action;
        5. the action of the Secretary is consistent with applicable law; and
        6. the Secretary authorizes the use of the intrusion detection and prevention capabilities in accordance with the advance procedures established under subparagraph (C).
      2. LIMITATION ON DELEGATION.—The authority under this paragraph may not be delegated by the Secretary.
      3. ADVANCE PROCEDURES.—The Secretary shall, in coordination with the Director, and in consultation with the heads of Federal agencies, establish procedures governing the circumstances under which the Secretary may authorize the use of the intrusion detection and prevention capabilities under subparagraph (A). The Secretary shall submit the procedures to Congress.
    4. LIMITATION.—The Secretary may direct or authorize lawful action or the use of the intrusion detection and prevention capabilities under this subsection only to—
      1. protect agency information from unauthorized access, use, disclosure, disruption, modification, or destruction; or
      2. require the remediation of or protect against identified information security risks with respect to—
        1. information collected or maintained by or on behalf of an agency; or
        2. that portion of an information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
  • “(i) ANNUAL REPORT TO CONGRESS.—Not later than February 1 of each year, the Director and the Secretary shall submit to the appropriate congressional committees a report regarding the specific actions the Director and the Secretary have taken pursuant to subsection (a)(5), including any actions taken pursuant to section 11303(b)(5) of title 40.
  • “(j) APPROPRIATE CONGRESSIONAL COMMITTEES DEFINED.—In this section, the term ‘appropriate congressional committees’ means—
    1. the Committee on Appropriations and the Committee on Homeland Security and Governmental Affairs of the Senate; and
    2. the Committee on Appropriations, the Committee on Homeland Security, the Committee on Oversight and Government Reform, and the Committee on Science, Space, and Technology of the House of Representatives.”.

(b) CONFORMING AMENDMENT.—Section 3554(a)(1)(B) of title 44, United States Code, is amended—

  1. in clause (iii), by striking “and” at the end; and
  2. by adding at the end the following: “(v) emergency directives issued by the Secretary under section 3553(h); and”.

TITLE III—FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT

SEC. 301. SHORT TITLE.

This title may be cited as the “Federal Cybersecurity Workforce Assessment Act of 2015”.

SEC. 302. DEFINITIONS.

In this title:

  1. (1) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term “appropriate congressional committees” means—
    1. the Committee on Armed Services of the Senate;
    2. the Committee on Homeland Security and Governmental Affairs of the Senate;
    3. the Select Committee on Intelligence of the Senate;
    4. the Committee on Commerce, Science, and Transportation of the Senate;
    5. the Committee on Armed Services of the House of Representatives;
    6.  the Committee on Homeland Security of the House of Representatives;
    7. the Committee on Oversight and Government Reform of the House of Representatives; and
    8. the Permanent Select Committee on Intelligence of the House of Representatives.
  2. DIRECTOR.—The term “Director” means the Director of the Office of Personnel Management.
  3. NATIONAL INITIATIVE FOR CYBERSECURITY EDUCATION.—The term “National Initiative for Cybersecurity Education” means the initiative under the national cybersecurity awareness and education program, as authorized under section 401 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451).
  4. WORK ROLES.—The term “work roles” means a specialized set of tasks and functions requiring specific knowledge, skills, and abilities.

SEC. 303. NATIONAL CYBERSECURITY WORKFORCE MEASUREMENT INITIATIVE.

(a) IN GENERAL.—The head of each Federal agency shall—

  1. identify all positions within the agency that require the performance of cybersecurity or other cyber-related functions; and
  2. assign the corresponding employment code under the National Initiative for Cybersecurity Education in accordance with subsection (b).

(b) EMPLOYMENT CODES.—

  1. PROCEDURES.—
    1. CODING STRUCTURE.—Not later than 180 days after the date of the enactment of this Act, the Director, in coordination with the National Institute of Standards and Technology, shall develop a coding structure under the National Initiative for Cybersecurity Education.
    2. IDENTIFICATION OF CIVILIAN CYBER PERSONNEL.—Not later than 9 months after the date of enactment of this Act, the Director, in coordination with the Secretary of Homeland Security, the Director of the National Institute of Standards and Technology, and the Director of National Intelligence, shall establish procedures to implement the National Initiative for Cybersecurity Education coding structure to identify all Federal civilian positions that require the performance of information technology, cybersecurity, or other cyber-related functions.
    3. IDENTIFICATION OF NONCIVILIAN CYBER PERSONNEL.—Not later than 18 months after the date of enactment of this Act, the Secretary of Defense shall establish procedures to implement the National Initiative for Cybersecurity Education's coding structure to identify all Federal noncivilian positions that require the performance of information technology, cybersecurity, or other cyber-related functions.
    4. BASELINE ASSESSMENT OF EXISTING CYBERSECURITY WORKFORCE.—Not later than 3 months after the date on which the procedures are developed under subparagraphs (B) and (C), respectively, the head of each Federal agency shall submit to the appropriate congressional committees of jurisdiction a report that identifies—
      1. the percentage of personnel with information technology, cybersecurity, or other cyber-related job functions who currently hold the appropriate industry-recognized certifications as identified under the National Initiative for Cybersecurity Education;
      2. the level of preparedness of other civilian and noncivilian cyber personnel without existing credentials to take certification exams; and
      3. a strategy for mitigating any gaps identified in clause (i) or (ii) with the appropriate training and certification for existing personnel.
    5. PROCEDURES FOR ASSIGNING CODES.—Not later than 3 months after the date on which the procedures are developed under subparagraphs (B) and (C), respectively, the head of each Federal agency shall establish procedures—
      1. to identify all encumbered and vacant positions with information technology, cybersecurity, or other cyber-related functions (as defined in the National Initiative for Cybersecurity Education's coding structure); and
      2. to assign the appropriate employment code to each such position, using agreed standards and definitions.
  2. CODE ASSIGNMENTS.—Not later than 1 year after the date after the procedures are established under paragraph (1)(E), the head of each Federal agency shall complete assignment of the appropriate employment code to each position within the agency with information technology, cybersecurity, or other cyber-related functions.

(c) PROGRESS REPORT.—Not later than 180 days after the date of enactment of this Act, the Director shall submit a progress report on the implementation of this section to the appropriate congressional committees.

SEC. 304. IDENTIFICATION OF CYBER-RELATED WORK ROLES OF CRITICAL NEED.

(a) IN GENERAL.—Beginning not later than 1 year after the date on which the employment codes are assigned to employees pursuant to section 303(b)(2), and annually thereafter through 2022, the head of each Federal agency, in consultation with the Director, the Director of the National Institute of Standards and Technology, and the Secretary of Homeland Security, shall—

  1. identify information technology, cybersecurity, or other cyber-related work roles of critical need in the agency's workforce; and
  2. submit a report to the Director that—
    1. describes the information technology, cybersecurity, or other cyber-related roles identified under paragraph (1); and
    2. substantiates the critical need designations.

(b) GUIDANCE.—The Director shall provide Federal agencies with timely guidance for identifying information technology, cybersecurity, or other cyber-related roles of critical need, including—

  1. current information technology, cybersecurity, and other cyber-related roles with acute skill shortages; and
  2. information technology, cybersecurity, or other cyber-related roles with emerging skill shortages.

(c) CYBERSECURITY NEEDS REPORT.—Not later than 2 years after the date of the enactment of this Act, the Director, in consultation with the Secretary of Homeland Security, shall—

  1. identify critical needs for information technology, cybersecurity, or other cyber-related workforce across all Federal agencies; and
  2. submit a progress report on the implementation of this section to the appropriate congressional committees.

SEC. 305. GOVERNMENT ACCOUNTABILITY OFFICE STATUS REPORTS.

The Comptroller General of the United States shall—
(1) analyze and monitor the implementation of sections 303 and 304; and
(2) not later than 3 years after the date of the enactment of this Act, submit a report to the appropriate congressional committees that describes the status of such implementation.

TITLE IV—OTHER CYBER MATTERS

SEC. 401. STUDY ON MOBILE DEVICE SECURITY.

(a) IN GENERAL.—Not later than 1 year after the date of the enactment of this Act, the Secretary of Homeland Security, in consultation with the Director of the National Institute of Standards and Technology, shall—

  1. complete a study on threats relating to the security of the mobile devices of the Federal Government; and
  2. submit an unclassified report to Congress, with a classified annex if necessary, that contains the findings of such study, the recommendations developed under paragraph (3) of subsection (b), the deficiencies, if any, identified under (4) of such subsection, and the plan developed under paragraph (5) of such subsection.

(b) MATTERS STUDIED.—In carrying out the study under subsection (a)(1), the Secretary, in consultation with the Director of the National Institute of Standards and Technology, shall—

  1. assess the evolution of mobile security techniques from a desktop-centric approach, and whether such techniques are adequate to meet current mobile security challenges;
  2. assess the effect such threats may have on the cybersecurity of the information systems and networks of the Federal Government (except for national security systems or the information systems and networks of the Department of Defense and the intelligence community);
  3. develop recommendations for addressing such threats based on industry standards and best practices;
  4. identify any deficiencies in the current authorities of the Secretary that may inhibit the ability of the Secretary to address mobile device security throughout the Federal Government (except for national security systems and the information systems and networks of the Department of Defense and intelligence community); and
  5. develop a plan for accelerated adoption of secure mobile device technology by the Department of Homeland Security.

(c) INTELLIGENCE COMMUNITY DEFINED.—In this section, the term “intelligence community” has the meaning given such term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).

SEC. 402. DEPARTMENT OF STATE INTERNATIONAL CYBERSPACE POLICY STRATEGY.

(a) IN GENERAL.—Not later than 90 days after the date of the enactment of this Act, the Secretary of State shall produce a comprehensive strategy relating to United States international policy with regard to cyberspace.

(b) ELEMENTS.—The strategy required by subsection (a) shall include the following:

  1. A review of actions and activities undertaken by the Secretary of State to date to support the goal of the President's International Strategy for Cyberspace, released in May 2011, to “work internationally to promote an open, interoperable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation.”.
  2. A plan of action to guide the diplomacy of the Secretary of State, with regard to foreign countries, including conducting bilateral and multilateral activities to develop the norms of responsible international behavior in cyberspace, and status review of existing discussions in multilateral fora to obtain agreements on international norms in cyberspace.
  3. A review of the alternative concepts with regard to international norms in cyberspace offered by foreign countries that are prominent actors, including China, Russia, Brazil, and India.
  4. A detailed description of threats to United States national security in cyberspace from foreign countries, state-sponsored actors, and private actors to Federal and private sector infrastructure of the United States, intellectual property in the United States, and the privacy of citizens of the United States.
  5. A review of policy tools available to the President to deter foreign countries, state-sponsored actors, and private actors, including those outlined in Executive Order 13694, released on April 1, 2015.
  6. A review of resources required by the Secretary, including the Office of the Coordinator for Cyber Issues, to conduct activities to build responsible norms of international cyber behavior.

(c) CONSULTATION.—In preparing the strategy required by subsection (a), the Secretary of State shall consult, as appropriate, with other agencies and departments of the United States and the private sector and nongovernmental organizations in the United States with recognized credentials and expertise in foreign policy, national security, and cybersecurity.

(d) FORM OF STRATEGY.—The strategy required by subsection (a) shall be in unclassified form, but may include a classified annex.

(e) AVAILABILITY OF INFORMATION.—The Secretary of State shall—

  1. make the strategy required in subsection (a) available the public; and
  2. brief the Committee on Foreign Relations of the Senate and the Committee on Foreign Affairs of the House of Representatives on the strategy, including any material contained in a classified annex.

SEC. 403. APPREHENSION AND PROSECUTION OF INTERNATIONAL CYBER CRIMINALS.

(a) INTERNATIONAL CYBER CRIMINAL DEFINED.—In this section, the term “international cyber criminal” means an individual—

  1. who is believed to have committed a cybercrime or intellectual property crime against the interests of the United States or the citizens of the United States; and
  2. for whom—
    1. an arrest warrant has been issued by a judge in the United States; or
    2. an international wanted notice (commonly referred to as a “Red Notice”) has been circulated by Interpol.

(b) CONSULTATIONS FOR NONCOOPERATION.—The Secretary of State, or designee, shall consult with the appropriate government official of each country from which extradition is not likely due to the lack of an extradition treaty with the United States or other reasons, in which one or more international cyber criminals are physically present, to determine what actions the government of such country has taken—

  1. to apprehend and prosecute such criminals; and
  2. to prevent such criminals from carrying out cybercrimes or intellectual property crimes against the interests of the United States or its citizens.

(c) ANNUAL REPORT.—

  1. IN GENERAL.—The Secretary of State shall submit to the appropriate congressional committees an annual report that includes—
    1. the number of international cyber criminals located in other countries, disaggregated by country, and indicating from which countries extradition is not likely due to the lack of an extradition treaty with the United States or other reasons;
    2. the nature and number of significant discussions by an official of the Department of State on ways to thwart or prosecute international cyber criminals with an official of another country, including the name of each such country; and
    3. for each international cyber criminal who was extradited to the United States during the most recently completed calendar year—
      1. his or her name;
      2. the crimes for which he or she was charged;
      3. his or her previous country of residence; and
      4. (the country from which he or she was extradited into the United States.
  2. FORM.—The report required by this subsection shall be in unclassified form to the maximum extent possible, but may include a classified annex.
  3. APPROPRIATE CONGRESSIONAL COMMITTEES.—For purposes of this subsection, the term “appropriate congressional committees” means—
    1. the Committee on Foreign Relations, the Committee on Appropriations, the Committee on Homeland Security and Governmental Affairs, the Committee on Banking, Housing, and Urban Affairs, the Select Committee on Intelligence, and the Committee on the Judiciary of the Senate; and
    2. the Committee on Foreign Affairs, the Committee on Appropriations, the Committee on Homeland Security, the Committee on Financial Services, the Permanent Select Committee on Intelligence, and the Committee on the Judiciary of the House of Representatives.

SEC. 404. ENHANCEMENT OF EMERGENCY SERVICES.

(a) COLLECTION OF DATA.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security, acting through the center established under section 227 of the Homeland Security Act of 2002, as redesignated by section 223(a)(3) of this division, in coordination with appropriate Federal entities and the Director for Emergency Communications, shall establish a process by which a Statewide Interoperability Coordinator may report data on any cybersecurity risk or incident involving any information system or network used by emergency response providers (as defined in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101)) within the State.

(b) ANALYSIS OF DATA.—Not later than 1 year after the date of the enactment of this Act, the Secretary of Homeland Security, acting through the Director of the National Cybersecurity and Communications Integration Center, in coordination with appropriate entities and the Director for Emergency Communications, and in consultation with the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology, shall conduct integration and analysis of the data reported under subsection (a) to develop information and recommendations on security and resilience measures for any information system or network used by State emergency response providers.

(c) BEST PRACTICES.—

  1. IN GENERAL.—Using the results of the integration and analysis conducted under subsection (b), and any other relevant information, the Director of the National Institute of Standards and Technology shall, on an ongoing basis, facilitate and support the development of methods for reducing cybersecurity risks to emergency response providers using the process described in section 2(e) of the National Institute of Standards and Technology Act (15 U.S.C. 272(e)).
  2. REPORT.—The Director of the National Institute of Standards and Technology shall submit to Congress a report on the result of the activities of the Director under paragraph (1), including any methods developed by the Director under such paragraph, and shall make such report publicly available on the website of the National Institute of Standards and Technology.

(d) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to—

  1. require a State to report data under subsection (a); or
  2. require a non-Federal entity (as defined in section 102) to—
    1. adopt a recommended measure developed under subsection (b); or
    2. follow the result of the activities carried out under subsection (c), including any methods developed under such subsection.

SEC. 405. IMPROVING CYBERSECURITY IN THE HEALTH CARE INDUSTRY.

(a) DEFINITIONS.—In this section:

  1. APPROPRIATE CONGRESSIONAL COMMITTEES.—The term “appropriate congressional committees” means—
    1. the Committee on Health, Education, Labor, and Pensions, the Committee on Homeland Security and Governmental Affairs, and the Select Committee on Intelligence of the Senate; and
    2. the Committee on Energy and Commerce, the Committee on Homeland Security, and the Permanent Select Committee on Intelligence of the House of Representatives.
  2. BUSINESS ASSOCIATE.—The term “business associate” has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations (as in effect on the day before the date of the enactment of this Act).
  3. COVERED ENTITY.—The term “covered entity” has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations (as in effect on the day before the date of the enactment of this Act).
  4. CYBERSECURITY THREAT; CYBER THREAT INDICATOR; DEFENSIVE MEASURE; FEDERAL ENTITY; NON-FEDERAL ENTITY; PRIVATE ENTITY.—The terms “cybersecurity threat”, “cyber threat indicator”, “defensive measure”, “Federal entity”, “non-Federal entity”, and “private entity” have the meanings given such terms in section 102 of this division.
  5. HEALTH CARE CLEARINGHOUSE; HEALTH CARE PROVIDER; HEALTH PLAN.—The terms “health care clearinghouse”, “health care provider”, and “health plan” have the meanings given such terms in section 160.103 of title 45, Code of Federal Regulations (as in effect on the day before the date of the enactment of this Act).
  6. HEALTH CARE INDUSTRY STAKEHOLDER.—The term “health care industry stakeholder” means any—
    1. health plan, health care clearinghouse, or health care provider;
    2. advocate for patients or consumers;
    3. pharmacist;
    4. developer or vendor of health information technology;
    5. laboratory;
    6. pharmaceutical or medical device manufacturer; or
    7. additional stakeholder the Secretary determines necessary for purposes of subsection (b)(1), (c)(1), (c)(3), or (d)(1).
  7. SECRETARY.—The term “Secretary” means the Secretary of Health and Human Services.

(b) REPORT.—

  1. IN GENERAL.—Not later than 1 year after the date of enactment of this Act, the Secretary shall submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives a report on the preparedness of the Department of Health and Human Services and health care industry stakeholders in responding to cybersecurity threats.
  2. CONTENTS OF REPORT.—With respect to the internal response of the Department of Health and Human Services to emerging cybersecurity threats, the report under paragraph (1) shall include—
    1. a clear statement of the official within the Department of Health and Human Services to be responsible for leading and coordinating efforts of the Department regarding cybersecurity threats in the health care industry; and
    2. a plan from each relevant operating division and subdivision of the Department of Health and Human Services on how such division or subdivision will address cybersecurity threats in thehealth care industry, including a clear delineation of how each such division or subdivision will divide responsibility among the personnel of such division or subdivision and communicate with other such divisions and subdivisions regarding efforts to address such threats.

(c) HEALTH CARE INDUSTRY CYBERSECURITY TASK FORCE.—

  1. IN GENERAL.—Not later than 90 days after the date of the enactment of this Act, the Secretary, in consultation with the Director of the National Institute of Standards and Technology and the Secretary of Homeland Security, shall convene health care industry stakeholders, cybersecurity experts, and any Federal agencies or entities the Secretary determines appropriate to establish a task force to—
    1. analyze how industries, other than the health care industry, have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries;
    2. analyze challenges and barriers private entities (excluding any State, tribal, or local government) in the health care industry face securing themselves against cyber attacks;
    3. review challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record;
    4. provide the Secretary with information to disseminate to health care industry stakeholders of all sizes for purposes of improving their preparedness for, and response to, cybersecurity threats affecting the health care industry;
    5. establish a plan for implementing title I of this division, so that the Federal Government and health care industry stakeholders may in real time, share actionable cyber threat indicators and defensive measures; and
    6. report to the appropriate congressional committees on the findings and recommendations of the task force regarding carrying out subparagraphs (A) through (E).
  2. TERMINATION.—The task force established under this subsection shall terminate on the date that is 1 year after the date on which such task force is established.
  3. DISSEMINATION.—Not later than 60 days after the termination of the task force established under this subsection, the Secretary shall disseminate the information described in paragraph (1)(D) to health care industry stakeholders in accordance with such paragraph.

(d) ALIGNING HEALTH CARE INDUSTRY SECURITY APPROACHES.—

  1. IN GENERAL.—The Secretary shall establish, through a collaborative process with the Secretary of Homeland Security, health care industry stakeholders, the Director of the National Institute of Standards and Technology, and any Federal entity or non-Federal entity the Secretary determines appropriate, a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes that—
    1. serve as a resource for cost-effectively reducing cybersecurity risks for a range of health care organizations;
    2. support voluntary adoption and implementation efforts to improve safeguards to address cybersecurity threats;
    3. are consistent with—
      1. the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act (15 U.S.C. 272(c)(15));
      2. the security and privacy regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note); and
      3. the provisions of the Health Information Technology for Economic and Clinical Health Act (title XIII of division A, and title IV of division B, of Public Law 111–5), and the amendments made by such Act; and
    4. are updated on a regular basis and applicable to a range of health care organizations.
  2. LIMITATION.—Nothing in this subsection shall be interpreted as granting the Secretary authority to—
    1. provide for audits to ensure that health care organizations are in compliance with this subsection; or
    2. mandate, direct, or condition the award of any Federal grant, contract, or purchase, on compliance with this subsection.
  3. NO LIABILITY FOR NONPARTICIPATION.—Nothing in this section shall be construed to subject a health care industry stakeholder to liability for choosing not to engage in the voluntary activities authorized or guidelines developed under this subsection.

(e) INCORPORATING ONGOING ACTIVITIES.—In carrying out the activities under this section, the Secretary may incorporate activities that are ongoing as of the day before the date of enactment of this Act and that are consistent with the objectives of this section.

(f) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to limit the antitrust exemption under section 104(e) or the protection from liability under section 106.

SEC. 406. FEDERAL COMPUTER SECURITY.

(a) DEFINITIONS.—In this section:

  1. COVERED SYSTEM.—The term “covered system” shall mean a national security system as defined in section 11103 of title 40, United States Code, or a Federal computer system that provides access to personally identifiable information.
  2. COVERED AGENCY.—The term “covered agency” means an agency that operates a covered system.
  3. LOGICAL ACCESS CONTROL.—The term “logical access control” means a process of granting or denying specific requests to obtain and use information and related information processing services.
  4. MULTI-FACTOR AUTHENTICATION.—The term “multi-factor authentication” means the use of not fewer than 2 authentication factors, such as the following:
    1. Something that is known to the user, such as a password or personal identification number.
    2. An access device that is provided to the user, such as a cryptographic identification device or token.
    3. A unique biometric characteristic of the user.
  5. PRIVILEGED USER.—The term “privileged user” means a user who has access to system control, monitoring, or administrative functions.

(b) INSPECTOR GENERAL REPORTS ON COVERED SYSTEMS.—

  1. IN GENERAL.—Not later than 240 days after the date of enactment of this Act, the Inspector General of each covered agency shall submit to the appropriate committees of jurisdiction in the Senate and the House of Representatives a report, which shall include information collected from the covered agency for the contents described in paragraph (2) regarding the Federal computer systems of the covered agency.
  2. CONTENTS.—The report submitted by each Inspector General of a covered agency under paragraph (1) shall include, with respect to the covered agency, the following:
    1. A description of the logical access policies and practices used by the covered agency to access a covered system, including whether appropriate standards were followed.
    2. A description and list of the logical access controls and multi-factor authentication used by the covered agency to govern access to covered systems by privileged users.
    3. If the covered agency does not use logical access controls or multi-factor authentication to access a covered system, a description of the reasons for not using such logical access controls or multi-factor authentication.
    4. A description of the following information security management practices used by the covered agency regarding covered systems:
      1. The policies and procedures followed to conduct inventories of the software present on the covered systems of the covered agency and the licenses associated with such software.
      2. What capabilities the covered agency utilizes to monitor and detect exfiltration and other threats, including—
        1. data loss prevention capabilities;
        2. forensics and visibility capabilities; or
        3. digital rights management capabilities.
      3. A description of how the covered agency is using the capabilities described in clause (ii).
      4. If the covered agency is not utilizing capabilities described in clause (ii), a description of the reasons for not utilizing such capabilities.
    5. A description of the policies and procedures of the covered agency with respect to ensuring that entities, including contractors, that provide services to the covered agency are implementing the information security management practices described in subparagraph (D).
  3. EXISTING REVIEW.—The reports required under this subsection may be based in whole or in part on an audit, evaluation, or report relating to programs or practices of the covered agency, and may be submitted as part of another report, including the report required under section 3555 of title 44, United States Code.
  4. CLASSIFIED INFORMATION.—Reports submitted under this subsection shall be in unclassified form, but may include a classified annex.

SEC. 407. STOPPING THE FRAUDULENT SALE OF FINANCIAL INFORMATION OF PEOPLE OF THE UNITED STATES.

Section 1029(h) of title 18, United States Code, is amended by striking “title if—” and all that follows through “therefrom.” and inserting “title if the offense involves an access device issued, owned, managed, or controlled by a financial institution, account issuer, credit card system member, or other entity organized under the laws of the United States, or any State, the District of Columbia, or other territory of the United States.”.


> Back to the Table of Contents <

Ref Book - Title 10 Chapter 83

Thursday, October 13, 2016

Title 10, Chapter 83, Civilian Defense Intel Employees

> Back to the Table of Contents <

Subchapter I – Defense-Wide Intelligence Personnel Policy

CIVILIAN INTELLIGENCE PERSONNEL: GENERAL AUTHORITY TO ESTABLISH EXCEPTED POSITIONS, APPOINT PERSONNEL, AND FIX RATES OF PAY

SEC. 1601.

(a) GENERAL AUTHORITY.—The Secretary of Defense may—

  1. establish, as positions in the excepted service, such defense intelligence positions in the Department of Defense as the Secretary determines necessary to carry out the intelligence functions of the Department, including—
    1. Intelligence Senior Level positions designated under section 1607 of this title; and
    2. positions in the Defense Intelligence Senior Executive Service;
  2. appoint individuals to those positions (after taking into consideration the availability of preference eligibles for appointment to those positions); and
  3. fix the compensation of such individuals for service in those positions.

(b) CONSTRUCTION WITH OTHER LAWS.—The authority of the Secretary of Defense under subsection (a) applies without regard to the provisions of any other law relating to the appointment, number, classification, or compensation of employees. 

BASIC PAY

SEC. 1602.

(a) AUTHORITY TO FIX RATES OF BASIC PAY.—The Secretary of Defense (subject to the provisions of this section) shall fix the rates of basic pay for positions established under section 1601 of this title in relation to the rates of pay provided for comparable positions in the Department of Defense and subject to the same limitations on maximum rates of pay established for employees of the Department of Defense by law or regulation.

(b) PREVAILING RATE SYSTEMS.—The Secretary of Defense may, consistent with section 5341 of title 5, adopt such provisions of that title as provide for prevailing rate systems of basic pay and may apply those provisions to positions for civilian employees in or under which the Department of Defense may employ individuals described by section 5342(a)(2)(A) of that title.

ADDITIONAL COMPENSATION, INCENTIVES, AND ALLOWANCES

SEC. 1603.

(a) ADDITIONAL COMPENSATION BASED ON TITLE 5 AUTHORITIES.—The Secretary of Defense may provide employees in defense intelligence positions compensation (in addition to basic pay), including benefits, incentives, and allowances, consistent with, and not in excess of the level authorized for, comparable positions authorized by title 5.
(b) ALLOWANCES BASED ON LIVING COSTS AND ENVIRONMENT.—
  1. In addition to basic pay, employees in defense intelligence positions who are citizens or nationals of the United States and are stationed outside the continental United States or in Alaska may be paid an allowance, in accordance with regulations prescribed by the Secretary of Defense, while they are so stationed.
  2. An allowance under this subsection shall be based on—
    1. living costs substantially higher than in the District of Columbia;
    2. conditions of environment which (i) differ substantially from conditions of environment in the continental United States, and (ii) warrant an allowance as a recruitment incentive; or
    3. both of the factors specified in subparagraphs (A) and (B).
  3. An allowance under this subsection may not exceed the allowance authorized to be paid by section 5941(a) of title 5 for employees whose rates of basic pay are fixed by statute.
SEC. 1604. [Repealed.]

BENEFITS FOR CERTAIN EMPLOYEES ASSIGNED OUTSIDE THE UNITED STATES

SEC. 1605.

(a)
  1. The Secretary of Defense may provide to civilian personnel described in subsection (d) allowances and benefits comparable to those provided by the Secretary of State to officers and employees of the Foreign Service under paragraphs (2), (3), (4), (5), (6), (7), (8), and (13) of section 901 and sections 705 and 903 of the Foreign Service Act of 1980 (22 U.S.C. 4081(2), (3), (4), (5), (6), (7), (8), and (13), 4025, 4083) and under section 5924(4) of title 5.
  2. The Secretary may also provide to any such civilian personnel special retirement accrual benefits in the same manner provided for certain officers and employees of the Central Intelligence Agency in section 303 of the Central Intelligence Agency Retirement Act (50 U.S.C. 2153) and in section 18 of the Central Intelligence Agency Act of 1949 (50 U.S.C. 3518).
(b) The authority of the Secretary of Defense to make payments under subsection (a) is effective for any fiscal year only to the extent that appropriated funds are available for such purpose.

(c) Regulations prescribed under subsection (a) may not take effect until the Secretary of Defense has submitted such regulations to—
  1. the Committee on Armed Services and the Select Committee on Intelligence of the Senate; and
  2. the Committee on Armed Services and the Permanent Select Committee on Intelligence of the House of Representatives.

(d) Subsection (a) applies to civilian personnel of the Department of Defense who—

  1. are United States nationals;
  2. in the case of employees of the Defense Intelligence Agency, are assigned to duty outside the United States and, in the case of other employees, are assigned to Defense Attaché Offices or Defense Intelligence Agency Liaison Offices outside the United States; and
  3. are designated by the Secretary of Defense for the purposes of subsection (a).

DEFENSE INTELLIGENCE SENIOR EXECUTIVE SERVICE

SEC. 1606.

(a) ESTABLISHMENT.—The Secretary of Defense may establish a Defense Intelligence Senior Executive Service for defense intelligence positions established pursuant to section 1601(a) of this title that are equivalent to Senior Executive Service positions. The number of positions in the Defense Intelligence Senior Executive Service may not exceed 594.

(b) REGULATIONS CONSISTENT WITH TITLE 5 PROVISIONS.—The Secretary of Defense shall prescribe regulations for the Defense Intelligence Senior Executive Service which are consistent with the requirements set forth in sections 3131, 3132(a)(2), 3396(c), 3592, 3595(a), 5384, and 6304 of title 5, subsections (a), (b), and (c) of section 7543 of such title (except that any hearing or appeal to which a member of the Defense Intelligence Senior Executive Service is entitled shall be held or decided pursuant to those regulations), and subchapter II of chapter 43 of such title. To the extent that the Secretary determines it practicable to apply to members of, or applicants for, the Defense Intelligence Senior Executive Service other provisions of title 5 that apply to members of, or applicants for, the Senior Executive Service, the Secretary shall also prescribe regulations to implement those provisions with respect to the Defense Intelligence Senior Executive Service.

(c) AWARD OF RANK TO MEMBERS OF THE DEFENSE INTELLIGENCE SENIOR EXECUTIVE SERVICE.—The President, based on the recommendations of the Secretary of Defense, may award a rank referred to in section 4507 of title 5 to members of the Defense Intelligence Senior Executive Service. The award of such rank shall be made in a manner consistent with the provisions of that section.

(d) PERFORMANCE APPRAISALS.—
  1. The Defense Intelligence Senior Executive Service shall be subject to a performance appraisal system which, as designed and applied, is certified by the Secretary of Defense under section 5307 of title 5 as making meaningful distinctions based on relative performance.
  2. The performance appraisal system applicable to the Defense Intelligence Senior Executive Service under paragraph (1) may be the same performance appraisal system that is established and implemented within the Department of Defense for members of the Senior Executive Service.

INTELLIGENCE SENIOR LEVEL POSITIONS

SEC. 1607.

(a) DESIGNATION OF POSITIONS.—The Secretary of Defense may designate as an Intelligence Senior Level position any defense intelligence position that, as determined by the Secretary—
  1. is classifiable above grade GS–15 of the General Schedule;
  2. does not satisfy functional or program management criteria for being designated a Defense Intelligence Senior Executive Service position; and
  3. has no more than minimal supervisory responsibilities.

(b) REGULATIONS.—Subsection (a) shall be carried out in accordance with regulations prescribed by the Secretary of Defense.

(c) AWARD OF RANK TO EMPLOYEES IN INTELLIGENCE SENIOR LEVEL POSITIONS.—The President, based on the recommendations of the Secretary of Defense, may award a rank referred to in section 4507a of title 5 to employees in Intelligence Senior Level positions designated under subsection (a). The award of   such rank shall be made in a manner consistent with the provisions of that section.

TIME-LIMITED APPOINTMENTS

SEC. 1608.

(a) AUTHORITY FOR TIME-LIMITED APPOINTMENTS.—The Secretary of Defense may by regulation authorize appointing officials to make time-limited appointments to defense intelligence positions specified in the regulations.

(b) REVIEW OF USE OF AUTHORITY.—The Secretary of Defense shall review each time-limited appointment in a defense intelligence position at the end of the first year of the period of the appointment and determine whether the appointment should be continued for the remainder of the period. The continuation of a time-limited appointment after the first year shall be subject to the approval of the Secretary.

(c) CONDITION ON PERMANENT APPOINTMENT TO DEFENSE INTELLIGENCE SENIOR EXECUTIVE SERVICE.—An employee serving in a defense intelligence position pursuant to a time-limited appointment is not eligible for a permanent appointment to a Defense Intelligence Senior Executive Service position (including a position in which the employee is serving) unless the employee is selected for the permanent appointment on a competitive basis.

(d) TIME-LIMITED APPOINTMENT DEFINED.—In this section, the term "time-limited appointment" means an appointment (subject to the condition in subsection (b)) for a period not to exceed two years.

TERMINATION OF DEFENSE INTELLIGENCE EMPLOYEES

SEC.1609.

(a) TERMINATION AUTHORITY.—Notwithstanding any other provision of law, the Secretary of Defense may terminate the employment of any employee in a defense intelligence position if the Secretary—

  1. considers that action to be in the interests of the United States; and
  2. determines that the procedures prescribed in other provisions of law that authorize the termination of the employment of such employee cannot be invoked in a manner consistent with the national security.

(b) FINALITY.—A decision by the Secretary of Defense to terminate the employment of an employee under this section is final and may not be appealed or reviewed outside the Department of Defense.

(c) NOTIFICATION TO CONGRESSIONAL COMMITTEES.—Whenever the Secretary of Defense terminates the employment of an employee under the authority of this section, the Secretary shall promptly notify the congressional oversight committees of such termination.

(d) PRESERVATION OF RIGHT TO SEEK OTHER EMPLOYMENT.—Any termination of employment under this section does not affect the right of the employee involved to seek or accept employment with any other department or agency of the United States if that employee is declared eligible for such employment by the Director of the Office of Personnel Management.

(e) LIMITATION ON DELEGATION.—The authority of the Secretary of Defense under this section may be delegated only to the Deputy Secretary of Defense, the head of an intelligence component of the Department of Defense (with respect to employees of that component), or the Secretary of a military department (with respect to employees of that department). An action to terminate employment of such an employee by any such official may be appealed to the Secretary of Defense.

REDUCTIONS AND OTHER ADJUSTMENTS IN FORCE

SEC. 1610.

(a) IN GENERAL.—The Secretary of Defense shall prescribe regulations for the separation of employees in defense intelligence positions, including members of the Defense Intelligence Senior Executive Service and employees in Intelligence Senior Level positions, during a reduction in force or other adjustment in force. The regulations shall apply to such a reduction in force or other adjustment in force notwithstanding sections 3501(b) and 3502 of title 5.

(b) MATTERS TO BE GIVEN EFFECT.—The regulations shall give effect to the following:

  1. Tenure of employment.
  2. Military preference, subject to sections 3501(a)(3) and 3502(b) of title 5.
  3. The veteran's preference under section 3502(b) of title 5.
  4. Peformance.
  5. Length of service computed in accordance with the second sentence of section 3502(a) of title 5.

(c) REGULATIONS RELATING TO DEFENSE INTELLIGENCE SES.—The regulations relating to removal from the Defense Intelligence Senior Executive Service in a reduction in force or other adjustment in force shall be consistent with section 3595(a) of title 5.

(d) RIGHT OF APPEAL.—

  1. The regulations shall provide a right of appeal regarding a personnel action under the regulations. The appeal shall be determined within the Department of Defense. An appeal determined at the highest level provided in the regulations shall be final and not subject to review outside the Department of Defense. A personnel action covered by the regulations is not subject to any other provision of law that provides appellate rights or procedures.
  2. Notwithstanding paragraph (1), a preference eligible referred to in section 7511(a)(1)(B) of title 5 may elect to have an appeal of a personnel action taken against the preference eligible under the regulation determined by the Merit Systems Protection Board instead of having the appeal determined within the Department of Defense. Section 7701 of title 5 shall apply to any such appeal to the Merit Systems Protection Board.

(e) CONSULTATION WITH OPM.—Regulations under this section shall be prescribed in consultation with the Director of the Office of Personnel Management.


POSTEMPLOYMENT ASSISTANCE: CERTAIN TERMINATED INTELLIGENCE EMPLOYEES

SEC. 1611.

(a) AUTHORITY.—Subject to subsection (c), the Secretary of Defense may, in the case of any individual who is a qualified former intelligence employee, use appropriated funds—

  1. to assist that individual in finding and qualifying for employment other than in a defense intelligence position;
  2. to assist that individual in meeting the expenses of treatment of medical or psychological disabilities of that individual; and
  3. to provide financial support to that individual during periods of unemployment.

(b) QUALIFIED FORMER INTELLIGENCE EMPLOYEES.—For purposes of this section, a qualified former intelligence employee is an individual who was employed as a civilian employee of the Department of Defense in a sensitive defense intelligence position—

  1. who has been found to be ineligible for continued access to information designated as "Sensitive Compartmented Information" and employment in a defense intelligence position; or
  2. whose employment in a defense intelligence position has been terminated.

(c) CONDITIONS.—Assistance may be provided to a qualified former intelligence employee under subsection (a) only if the Secretary determines that such assistance is essential to—

  1. maintain the judgment and emotional stability of the qualified former intelligence employee; and
  2. avoid circumstances that might lead to the unlawful disclosure of classified information to which the qualified former intelligence employee had access.

(d) DURATION OF ASSISTANCE.—Assistance may not be provided under this section in the case of any individual after the end of the five-year period beginning on the date of the termination of the employment of the individual in a defense intelligence position.


MERIT SYSTEM PRINCIPLES AND CIVIL SERVICE PROTECTIONS: APPLICABILITY

SEC. 1612.

(a) APPLICABILITY OF MERIT SYSTEM PRINCIPLES.—Section 2301 of title 5 shall apply to the exercise of authority under this subchapter (other than sections 1605 and 1611).

(b) CIVIL SERVICE PROTECTIONS.—

  1. If, in the case of a position established under authority other than section 1601(a)(1) of this title that is reestablished as an excepted service position under that section, the provisions of law referred to in paragraph (2) applied to the person serving in that position immediately before the position is so reestablished and such provisions of law would not otherwise apply to the person while serving in the position as so reestablished, then such provisions of law shall, subject to paragraph (3), continue to apply to the person with respect to service in that position for as long as the person continues to serve in the position without a break in service.
  2. The provisions of law referred to in paragraph (1) are the following provisions of title 5:
    1. Section 2302, relating to prohibited personnel practices.
    2. Chapter 75, relating to adverse actions.

    1. Notwithstanding any provision of chapter 75 of title 5, an appeal of an adverse action by an individual employee covered by paragraph (1) shall be determined within the Department of Defense if the employee so elects.
    2. The Secretary of Defense shall prescribe the procedures for initiating and determining appeals of adverse actions pursuant to elections made under subparagraph (A).

MISCELLANEOUS PROVISIONS

SEC. 1613.

(a) COLLECTIVE BARGAINING AGREEMENTS.—Nothing in sections 1601 through 1603 and 1606 through 1610 may be construed to impair the continued effectiveness of a collective bargaining agreement with respect to an agency or office that is a successor to an agency or office covered by the agreement before the succession.

(b) NOTICE TO CONGRESS OF REGULATIONS.—The Secretary of Defense shall notify Congress of any regulations prescribed to carry out this subchapter (other than sections 1605 and 1611). Such notice shall be provided by submitting a copy of the regulations to the congressional oversight committees not less than 60 days before such regulations take effect.


DEFINITIONS

SEC. 1614.

In this subchapter:

  1. The term "defense intelligence position" means a civilian position as an intelligence officer or intelligence employee of the Department of Defense.
  2. The term "intelligence component of the Department of Defense" means any of the following:
    1. The National Security Agency.
    2. The Defense Intelligence Agency.
    3. The National Geospatial-Intelligence Agency.
    4. Any other component of the Department of Defense that performs intelligence functions and is designated by the Secretary of Defense as an intelligence component of the Department of Defense.
    5. Any successor to a component specified in, or designated pursuant to, this paragraph.
  3. The term "congressional oversight committees" means—
    1. the Committee on Armed Services and the Select Committee on Intelligence of the Senate; and
    2. the Committee on Armed Services and the Permanent Select Committee on Intelligence of the House of Representatives.
  4. The term "excepted service" has the meaning given such term in section 2103 of title 5.
  5. The term "preference eligible" has the meaning given such term in section 2108(3) of title 5.
  6. The term "Senior Executive Service position" has the meaning given such term in section 3132(a)(2) of title 5.
  7. The term "collective bargaining agreement" has the meaning given such term in section 7103(8) of title 5

Subchapter II—Defense Intelligence Agency Personnel

DEFENSE INTELLIGENCE AGENCY MERIT PAY SYSTEM

SEC. 1621.

The Secretary of Defense may by regulation establish a merit pay system for such employees of the Defense Intelligence Agency as the Secretary considers appropriate. The merit pay system shall be designed to carry out purposes consistent with those set forth in section 5401 of title 5, as in effect on October 31, 1993.

UNIFORM ALLOWANCE: CIVILIAN EMPLOYEES

SEC. 1622.

(a) The Secretary of Defense may pay an allowance under this section to any civilian employee of the Defense Intelligence Agency who—
  1. is assigned to a Defense Attaché Office outside the United States; and
  2. is required by regulation to wear a prescribed uniform in performance of official duties.

(b) Notwithstanding section 5901(a) of title 5, the amount of any such allowance shall be the greater of the following:

  1. The amount provided for employees of the Department of State assigned to positions outside the United States and required by regulation to wear a prescribed uniform in performance of official duties.
  2. The maximum allowance provided under section 1593(b) of this title.

(c) An allowance paid under this section shall be treated in the same manner as is provided in subsection (c) of section 5901 of title 5 for an allowance paid under that section.

FINANCIAL ASSISTANCE TO CERTAIN EMPLOYEES IN ACQUISITION OF CRITICAL SKILLS

SEC. 1623.

(a) The Secretary of Defense shall establish an undergraduate training program with respect to civilian employees of the Defense Intelligence Agency that is similar in purpose, conditions, content, and administration to the program which the Secretary of Defense is authorized to establish under section 16 of the National Security Agency Act of 1959 (50 U.S.C. 3614) for civilian employees of the National Security Agency.

(b) Any payments made by the Secretary to carry out the program required to be established by subsection (a) may be made in any fiscal year only to the extent that appropriated funds are available for that purpose.

> Back to the Table of Contents <

Ref Book - Limitation on Interrogation Techniques

Thursday, October 13, 2016

Limitation on Interrogation Techniques

> Back to the Table of Contents <

(Public Law 114-92, of November 25, 2015; 129 STAT. 979)

SEC. 1045 [42 U.S.C. § 2000dd-2].

(a) LIMITATION ON INTERROGATION TECHNIQUES TO THOSE IN THE ARMY FIELD MANUAL.—

  1. ARMY FIELD MANUAL 2–22.3 DEFINED.—In this subsection, the term ‘‘Army Field Manual 2–22.3’’ means the Army Field Manual 2–22.3 entitled ‘‘Human Intelligence Collector Operations’’ in effect on the date of the enactment of this Act or any similar successor Army Field Manual.
  2. RESTRICTION.—
    1. IN GENERAL.—An individual described in subparagraph (B) shall not be subjected to any interrogation technique or approach, or any treatment related to interrogation, that is not authorized by and listed in the Army Field Manual 2–22.3.
    2. INDIVIDUAL DESCRIBED.—An individual described in this subparagraph is an individual who is—
      1. in the custody or under the effective control of an officer, employee, or other agent of the United States Government; or
      2. detained within a facility owned, operated, or controlled by a department or agency of the United States, in any armed conflict.
    3. IMPLEMENTATION.—Interrogation techniques, approaches, and treatments described in Army Field Manual 2–22.3 shall be implemented strictly in accord with the principles, processes, conditions, and limitations prescribed by Army Field Manual 2–22.3.
    4. AGENCIES OTHER THAN THE DEPARTMENT OF DEFENSE.— If a process required by Army Field Manual 2–22.3, such as a requirement of approval by a specified Department of Defense official, is inapposite to a department or an agency other than the Department of Defense, the head of such department or agency shall ensure that a process that is substantially equivalent to the process prescribed by Army Field Manual 2–22.3 for the Department of Defense is utilized by all officers, employees, or other agents of such department or agency.
    5. INTERROGATION BY FEDERAL LAW ENFORCEMENT.—The limitations in this subsection shall not apply to officers, employees, or agents of the Federal Bureau of Investigation, the Department of Homeland Security, or other Federal law enforcement entities.
    6. UPDATE OF THE ARMY FIELD MANUAL.—
      1. REQUIREMENT TO UPDATE.—
        1. IN GENERAL.—Not sooner than three years after the date of the enactment of this Act, and once every three years thereafter, the Secretary of Defense, in consultation with the Attorney General, the Director of the Federal Bureau of Investigation, and the Director of National Intelligence, shall complete a thorough review of Army Field Manual 2–22.3, and revise Army Field Manual 2–22.3, as necessary to ensure that Army Field Manual 2–22.3 complies with the legal obligations of the United States and the practices for interrogation described therein do not involve the use or threat of force.
        2. AVAILABILITY TO THE PUBLIC.—Army Field Manual 2–22.3 shall remain available to the public and any revisions to the Army Field Manual 2–22.3 adopted by the Secretary of Defense shall be made available to the public 30 days prior to the date the revisions take effect.
      2. REPORT ON BEST PRACTICES OF INTERROGATIONS.—
        1. REQUIREMENT FOR REPORT.—Not later than 120 days after the date of the enactment of this Act, the interagency body established pursuant to Executive Order 13491 (commonly known as the High-Value Detainee Interrogation Group) shall submit to the Secretary of Defense, the Director of National Intelligence, the Attorney General, and other appropriate officials a report on best practices for interrogation that do not involve the use of force.
        2. RECOMMENDATIONS.—The report required by clause (i) may include recommendations for revisions to Army Field Manual 2–22.3 based on the body of research commissioned by the High-Value Detainee Interrogation Group.
        3. AVAILABILITY TO THE PUBLIC.—Not later than 30 days after the report required by clause (i) is submitted such report shall be made available to the public.

(b) INTERNATIONAL COMMITTEE OF THE RED CROSS ACCESS TO DETAINEES.—

  1. REQUIREMENT.—The head of any department or agency of the United States Government shall provide the International Committee of the Red Cross with notification of, and prompt access to, any individual detained in any armed conflict in the custody or under the effective control of an officer, employee, contractor, subcontractor, or other agent of the United States Government or detained within a facility owned, operated, or effectively controlled by a department, agency, contractor, or subcontractor of the United States Government, consistent with Department of Defense regulations and policies.
  2. CONSTRUCTION.—Nothing in this subsection shall be construed—
    1. to create or otherwise imply the authority to detain; or
    2. to limit or otherwise affect any other individual rights or state obligations which may arise under United States law or international agreements to which the United States is a party, including the Geneva Conventions, or to state all of the situations under which notification to and access for the International Committee of the Red Cross is required or allowed.

> Back to the Table of Contents <


You are leaving DNI.gov

You have selected to open
http://www.anotherwebsite.com

If you would like to not see this alert again, please click the
"Do not show me this again" check box below