112TH CONGRESS 1ST SESSION

H. R. 3674

To amend the Homeland Security Act of 2002 to make certain improvements in the laws relating to cybersecurity, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES
DECEMBER 15, 2011

Mr. DANIEL E. LUNGREN of California (for himself, Mr. KING of New York, Mr. MCCAUL, Mr. BILIRAKIS, Mrs. MILLER of Michigan, Mr. WALBERG, Mr. MARINO, Mr. LONG, Mr. TURNER of New York, Mr. STIVERS, and Mr. LANGEVIN) introduced the following bill; which was referred to the Committee on Homeland Security, and in addition to the Committees on Oversight and Government Reform, Science, Space, and Technology, the Judiciary, and Select Intelligence (Permanent Select), for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL
To amend the Homeland Security Act of 2002 to make certain improvements in the laws relating to cybersecurity, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ‘‘Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011’’ or the ‘‘PRECISE Act of 2011’’.
VerDate Mar 15 2010 02:08 Dec 21, 2011 Jkt 019200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\H3674.IH H3674

SEC. 2. DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY ACTIVITIES.

(a) IN GENERAL.—Subtitle C of title II of the Homeland Security Act of 2002 is amended by adding at the end the following new sections:

‘‘SEC. 226. NATIONAL CYBERSECURITY AUTHORITY.

‘‘(a) IN GENERAL.—To protect Federal systems and critical infrastructure information systems and to prepare the Nation to respond to, recover from, and mitigate against acts of terrorism and other incidents involving such systems and infrastructure, the Secretary shall—

‘‘(1) develop and conduct risk assessments for Federal systems and, upon request and subject to the availability of resources, critical infrastructure information systems in consultation with the heads of other agencies or governmental and private entities that own and operate such systems, that may include threat, vulnerability, and impact assessments and penetration testing, or other comprehensive assessments techniques;

‘‘(2) foster the development, in conjunction with other governmental entities and the private sector, of essential information security technologies and capabilities for protecting Federal systems and critical infrastructure information systems, including comprehensive protective capabilities and other technological solutions;

‘‘(3) acquire, integrate, and facilitate the adoption of new cybersecurity technologies and practices in a technologically and vendor-neutral manner to keep pace with emerging terrorist and other cybersecurity threats and developments, including through research and development, technical service agreements, and making such technologies available to governmental and private entities that own or operate critical infrastructure information systems, as necessary to accomplish the purpose of this section;

‘‘(4) maintain the capability to serve as a focal point with the Federal Government for cybersecurity, responsible for—

‘‘(A) the coordination of the protection of Federal systems and critical infrastructure information systems;

‘‘(B) the coordination of national cyber incident response;

‘‘(C) facilitating information sharing, interactions, and collaborations among and between Federal agencies, State and local governments, the private sector, academia, and international partners;

‘‘(D) working with appropriate Federal agencies, State and local governments, the private sector, academia, and international partners to prevent and respond to terrorist and other cybersecurity threats and incidents involving Federal systems and critical infrastructure information systems pursuant to the national cyber incident response plan and supporting plans developed in accordance with paragraph (8);

‘‘(E) the dissemination of timely and actionable terrorist and other cybersecurity threat, vulnerability, mitigation, and warning information, including alerts, advisories, indicators, signatures, and mitigation and response measures, to improve the security and protection of Federal systems and critical infrastructure information systems;

‘‘(F) the integration of information from Federal Government and non-federal network operation centers and security operations centers;

‘‘(G) the compilation and analysis of information about risks and incidents regarding terrorism or other causes that threaten Federal systems and critical infrastructure information systems;

‘‘(H) the provision of incident prediction, detection, analysis, mitigation, and response information and remote or on-site technical assistance to heads of Federal agencies and, upon request, governmental and private entities that own or operate critical infrastructure; and

‘‘(I) acting as the Federal Government representative with the organization or organizations designated under section 241;

‘‘(5) assist in national efforts to mitigate communications and information technology supply chain vulnerabilities to enhance the security and the resiliency of Federal systems and critical infrastructure information systems;

‘‘(6) develop and lead a nationwide awareness and outreach effort to educate the public about—

‘‘(A) the importance of cybersecurity and cyber ethics;

‘‘(B) ways to promote cybersecurity best practices at home and in the workplace; and

‘‘(C) training opportunities to support the development of an effective national cybersecurity workforce and educational paths to cybersecurity professions;

‘‘(7) establish, in coordination with the Director of the National Institute of Standards and Technology and the heads of other appropriate agencies, benchmarks and guidelines for making critical infrastructure information systems more secure at a fundamental level, including through automation, interoperability, and privacy-enhancing authentication;

‘‘(8) develop a national cybersecurity incident response plan and supporting cyber incident response and restoration plans, in consultation with the heads of other relevant Federal agencies, owners and operators of critical infrastructure, sector coordinating councils, State and local governments, and relevant non-governmental organizations and based on applicable law that describe the specific roles and responsibilities of governmental and private entities during cyber incidents to ensure essential government operations continue;

‘‘(9) develop and conduct exercises, simulations, and other activities designed to support the national response to terrorism and other cybersecurity threats and incidents and evaluate the national cyber incident response plan and supporting plans developed in accordance with paragraph (8);

‘‘(10) ensure that the technology and tools used to accomplish the requirements of this section are scientifically and operationally validated; and

‘‘(11) take such other lawful action as may be necessary and appropriate to accomplish the requirements of this section.

‘‘(b) COORDINATION.—

‘‘(1) COORDINATION WITH OTHER ENTITIES.—In carrying out the cybersecurity activities under this section, the Secretary shall coordinate, as appropriate, with—

‘‘(A) the head of any relevant agency or entity;

‘‘(B) representatives of State and local governments;

‘‘(C) the private sector, including owners and operators of critical infrastructure;

‘‘(D) suppliers of technology for critical infrastructure;

‘‘(E) academia; and

‘‘(F) international organizations and foreign partners.

‘‘(2) COORDINATION OF AGENCY ACTIVITIES.—The Secretary shall coordinate the activities undertaken by agencies to protect Federal systems and critical infrastructure information systems and prepare the Nation to predict, anticipate, recognize, respond to, recover from, and mitigate against risk of acts of terrorism and other incidents involving such systems and infrastructure.

‘‘(3) LEAD CYBERSECURITY OFFICIAL.—The Secretary shall designate a lead cybersecurity official to provide leadership to the cybersecurity activities of the Department and to ensure that the Department’s cybersecurity activities under this subtitle are coordinated with all other infrastructure protection and cyber-related programs and activities of the Department, including those of any intelligence or law enforcement components or entities within the Department.

‘‘(4) REPORTS TO CONGRESS.—The lead cybersecurity official shall make regular reports to the appropriate committees of Congress on the coordination of cyber-related programs across the Department.

‘‘(c) STRATEGY.—In carrying out the cybersecurity functions of the Department, the Secretary shall develop and maintain a strategy that—

‘‘(1) articulates the actions necessary to assure the readiness, reliability, continuity, integrity, and resilience of Federal systems and critical infrastructure information systems;

‘‘(2) is informed by the need to maintain economic prosperity and facilitate market leadership for the United States information and communications industry; and

‘‘(3) protects privacy rights and preserves civil liberties of United States persons.

‘‘(d) ACCESS TO INFORMATION.—The Secretary shall ensure that the organization or organizations designated under section 241 have full and timely access to properly anonymized cyber incident information originating within the Federal civilian networks to populate the common operating picture described in section 242.

‘‘(e) NO RIGHT OR BENEFIT.—The provision of assistance or information to governmental or private entities that own or operate critical infrastructure information systems under this section shall be at the discretion of the Secretary and subject to the availability of resources. The provision of certain assistance or information to one governmental or private entity pursuant to this section shall not create a right or benefit, substantive or procedural, to similar assistance or information for any other governmental or private entity.

‘‘(f) SAVINGS CLAUSE.—Nothing in this subtitle shall be interpreted to alter or amend the law enforcement or intelligence authorities of any agency.

‘‘(g) DEFINITIONS.—In this section:

‘‘(1) The term ‘Federal systems’ means all information systems owned, operated, leased, or otherwise controlled by an agency, or on behalf of an agency, except for national security systems or those information systems under the control of the Department of Defense.

‘‘(2) The term ‘critical infrastructure information systems’ means any physical or virtual information system that controls, processes, transmits, receives, or stores electronic information in any form, including data, voice, or video, that is—

‘‘(A) vital to the functioning of critical infrastructure as defined in section 5195c(e) of title 42; or

‘‘(B) owned or operated by or on behalf of a State or local government entity that is necessary to ensure essential government operations continue.

‘‘SEC. 227. IDENTIFICATION OF SECTOR SPECIFIC CYBERSECURITY RISKS.

‘‘(a) IN GENERAL.—The Secretary shall, on a continuous and sector-by-sector basis, identify and evaluate cybersecurity risks to critical infrastructure. In carrying out this subsection, the Secretary shall coordinate, as appropriate, with the following:

‘‘(1) The head of the sector specific agency with responsibility for critical infrastructure.

‘‘(2) The head of any agency with responsibilities for regulating the critical infrastructure.

‘‘(3) The owners and operators of critical infrastructure and any private sector entity determined appropriate by the Secretary.

‘‘(b) EVALUATION OF RISKS.—The Secretary, in coordination with the individuals and entities referred to in subsection (a), shall evaluate the cybersecurity risks identified under subsection (a) by taking into account each of the following:

‘‘(1) The actual or assessed threat, including a consideration of adversary capabilities and intent, preparedness, target attractiveness, and deterrence capabilities.

‘‘(2) The extent and likelihood of death, injury, or serious adverse effects to human health and safety caused by a disruption, destruction or unauthorized use of critical infrastructure.

‘‘(3) The threat to national security caused by the disruption, destruction, or unauthorized use of critical infrastructure.

‘‘(4) The harm to the economy that would result from the disruption, destruction, or unauthorized use of critical infrastructure.

‘‘(5) Other risk-based security factors that the Secretary, in consultation with the head of the sector specific agency with responsibility for critical infrastructure and the head of any Federal agency that is not a sector specific agency with responsibilities for regulating critical infrastructure, and in consultation with any private sector entity determined appropriate by the Secretary to protect public health and safety, critical infrastructure, or national and economic security.

‘‘(c) AVAILABILITY OF IDENTIFIED RISKS.—The Secretary shall ensure that the risks identified and evaluated under this section for each sector and subsector are made available to the owners and operators of critical infrastructure within each sector and subsector.

‘‘(d) COLLECTION OF RISK-BASED PERFORMANCE STANDARDS.—

‘‘(1) REVIEW AND ESTABLISHMENT.—The Secretary, in coordination with the heads of other appropriate agencies, shall review existing internationally recognized consensus-developed risk-based performance standards, including such standards developed by the National Institute of Standards and Technology, for inclusion in a common collection. Such collection shall include, for each such risk-based performance standard, an analysis of each of the following:

‘‘(A) How well the performance standard addresses the identified risks.

‘‘(B) How cost-effective the standard implementation of the performance standard can be.

‘‘(2) USE OF COLLECTION.—The Secretary, in conjunction with the heads of other appropriate agencies, shall develop market-based incentives designed to encourage the use of the collection established under paragraph (1).

‘‘(3) INCLUSION IN REGULATORY REGIMES.—The heads of sector specific agencies with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector specific agency with responsibilities for regulating covered critical infrastructure, in consultation with the Secretary and with any private sector entity determined appropriate by the Secretary, shall propose through notice and comment rulemaking to include the most effective and cost-efficient risk-based performance standards identified in the collection established under paragraph (1) in the regulatory regimes applicable to covered critical infrastructure.

‘‘(e) MITIGATION OF RISKS.—If the Secretary determines that no existing internationally-recognized risk-based performance standard mitigates a risk identified under subsection (a), the Secretary shall—

‘‘(1) work with owners and operators of critical infrastructure and suppliers of technology to appropriately mitigate the identified risk, including determining appropriate market-based incentives for development and implementation of the identified mitigation; and

‘‘(2) engage with the National Institute of Standards and Technology and appropriate international consensus bodies that develop and strengthen standards and practices to address the identified risk.

‘‘(f) COVERED CRITICAL INFRASTRUCTURE DEFINED.—In this section, the term ‘covered critical infrastructure’ means any facility or function that, by way of cyber vulnerability, the destruction or disruption of or unauthorized access to could result in—

‘‘(1) a significant loss of life;

‘‘(2) a major economic disruption, including—

‘‘(A) the immediate failure of, or loss of confidence in, a major financial market; or

‘‘(B) the sustained disruption of financial systems that would lead to long term catastrophic economic damage to the United States;

‘‘(3) mass evacuations of a major population center for an extended length of time; or

‘‘(4) severe degradation of national security or national security capabilities, including intelligence and defense functions, but excluding military facilities.

‘‘(g) REDRESS.—

‘‘(1) IN GENERAL.—Subject to paragraphs (2) and (3), the Secretary shall develop a mechanism, consistent with subchapter II of chapter 5 of title 5, United States Code, for an owner or operator notified under subsection (f) to appeal the identification of a facility or function as covered critical infrastructure under this section.

‘‘(2) APPEAL TO FEDERAL COURT.—A civil action seeking judicial review of a final agency action taken under the mechanism developed under paragraph (1) shall be filed in the United States District Court for the District of Columbia.

‘‘(3) COMPLIANCE.—The owner or operator of a facility or function identified as covered critical infrastructure shall comply with any requirement of this subtitle relating to covered critical infrastructure until such time as the facility or function is no longer identified as covered critical infrastructure, based on—

‘‘(A) an appeal under paragraph (1);

‘‘(B) a determination of the Secretary unrelated to an appeal; or

‘‘(C) a final judgment entered in a civil action seeking judicial review brought in accordance with paragraph (2).

‘‘SEC. 228. INFORMATION SHARING.

‘‘(a) CYBERSECURITY INFORMATION.—The Secretary shall be responsible for making all cyber threat information, provided pursuant to section 202 of this title, available to appropriate owners and operators of critical infrastructure on a timely basis consistent with the responsibilities of the Secretary to provide information related to threats to critical infrastructures to the organization designated under section 241.

‘‘(b) INFORMATION SHARING.—The Secretary shall, to the maximum extent possible, consistent with rules for the handling of classified and sensitive but unclassified information, share relevant information regarding cybersecurity threats and vulnerabilities, and any proposed actions to mitigate them, with all Federal agencies, appropriate State or local government representatives, and appropriate critical infrastructure information systems owners and operators, including by expediting necessary security clearances for designated points of contact for critical infrastructure information systems.

‘‘(c) PROTECTION OF INFORMATION.—The Secretary shall designate, as appropriate, information received from Federal agencies and from critical infrastructure information systems owners and operators and information provided to Federal agencies or critical infrastructure information systems owners and operators pursuant to this section as sensitive security information and shall require and enforce sensitive security information requirements for handling, storage, and dissemination of any such information, including proper protections for personally identifiable information.

‘‘SEC. 229. CYBERSECURITY RESEARCH AND DEVELOPMENT.

‘‘(a) IN GENERAL.—The Under Secretary for Science and Technology shall support research, development, testing, evaluation, and transition of cybersecurity technology, including fundamental, long-term research to improve the ability of the United States to prevent, protect against, detect, respond to, and recover from acts of terrorism and cyber attacks, with an emphasis on research and development relevant to attacks that would cause a debilitating impact on national security, national economic security, or national public health and safety.

‘‘(b) ACTIVITIES.—The research and development testing, evaluation, and transition supported under subsection (a) shall include work to—

‘‘(1) advance the development and accelerate the deployment of more secure versions of fundamental Internet protocols and architectures, including for the domain name system and routing protocols;

‘‘(2) improve, create, and advance the research and development of techniques and technologies for proactive detection and identification of threats, attacks, and acts of terrorism before they occur;

‘‘(3) advance technologies for detecting attacks or intrusions, including real-time monitoring and real-time analytic technologies;

‘‘(4) improve and create mitigation and recovery methodologies, including techniques and policies for real-time containment of attacks and development of resilient networks and systems;

‘‘(5) develop and support infrastructure and tools to support cybersecurity research and development efforts, including modeling, test beds, and data sets for assessment of new cybersecurity technologies;

‘‘(6) assist in the development and support of technologies to reduce vulnerabilities in process control systems;

‘‘(7) develop and support cyber forensics and attack attribution;

‘‘(8) test, evaluate, and facilitate the transfer of technologies associated with the engineering of less vulnerable software and securing the information technology software development lifecycle; and

‘‘(9) ensure new cybersecurity technologies are scientifically and operationally validated.

‘‘(c) COORDINATION.—In carrying out this section, the Under Secretary shall coordinate activities with—

‘‘(1) the Under Secretary for National Protection and Programs Directorate; and

‘‘(2) the heads of other relevant Federal departments and agencies, including the National Science Foundation, the Defense Advanced Research Projects Agency, the Information Assurance Directorate of the National Security Agency, the National Institute of Standards and Technology, the Department of Commerce, academic institutions, and other appropriate working groups established by the President to identify unmet needs and cooperatively support activities, as appropriate.

‘‘SEC. 230. PERSONNEL AUTHORITIES RELATED TO THE OFFICE OF CYBERSECURITY AND COMMUNICATIONS.

‘‘(a) IN GENERAL.—In order to assure that the Department has the necessary resources to carry out the mission of securing Federal systems and critical infrastructure information systems, the Secretary may, as necessary, convert competitive service positions, and the incumbents of such positions, within the Office of Cybersecurity and Communications to excepted service, or may establish new positions within the Office of Cybersecurity and Communications in the excepted service, to the extent that the Secretary determines such positions are necessary to carry out the cybersecurity functions of the Department.

‘‘(b) COMPENSATION.—The Secretary may—

‘‘(1) fix the compensation of individuals who serve in positions referred to in subsection (a) in relation to the rates of pay provided for comparable positions in the Department and subject to the same limitations on maximum rates of pay established for employees of the Department by law or regulations; and

‘‘(2) provide additional forms of compensation, including benefits, incentives, and allowances, that are consistent with and not in excess of the level authorized for comparable positions authorized under title 5, United States Code.

‘‘(c) RETENTION BONUSES.—Notwithstanding any other provision of law, the Secretary may pay a retention bonus to any employee appointed under this section, if the Secretary determines that the bonus is needed to retain essential personnel. Before announcing the payment of a bonus under this subsection, the Secretary shall submit a written explanation of such determination to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate.

‘‘(d) ANNUAL REPORT.—Not later than one year after the date of the enactment of this section, and annually thereafter, the Secretary shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Government Affairs of the Senate a detailed report that includes, for the period covered by the report—

‘‘(1) a discussion the Secretary’s use of the flexible authority authorized under this section to recruit and retain qualified employees;

‘‘(2) metrics on relevant personnel actions, including—

‘‘(A) the number of qualified employees hired by occupation and grade, level, or pay band;

‘‘(B) the total number of veterans hired;

‘‘(C) the number of separations of qualified employees;

‘‘(D) the number of retirements of qualified employees; and

‘‘(E) the number and amounts of recruitment, relocation, and retention incentives paid to qualified employees by occupation and grade, level, or pay band; and

‘‘(3) long-term and short-term strategic goals to address critical skills deficiencies, including an analysis of the numbers of and reasons for attrition of employees and barriers to recruiting and hiring individuals qualified in cybersecurity.’’.

(b) CLERICAL AMENDMENT.—The table of contents in section 2(b) of such Act is amended by inserting after the item relating to section 225 the following new items:

‘‘Sec. 226. National cybersecurity authority.
‘‘Sec. 227. Identification of sector specific cybersecurity risks.
‘‘Sec. 228. Information sharing.
‘‘Sec. 229. Cybersecurity research and development.
‘‘Sec. 230. Personnel authorities related to the Office of Cybersecurity and Communications.’’.

(c) PLAN FOR EXECUTION OF AUTHORITIES.—Not later than 120 days after the date of the enactment of this Act, the Secretary of Homeland Security shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report containing a plan for the execution of the authorities contained in the amendment made by subsection (a).

SEC. 3. NATIONAL INFORMATION SHARING ORGANIZATION.

(a) NATIONAL INFORMATION SHARING ORGANIZATION.—

(1) IN GENERAL.—Title II of the Homeland Security Act of 2002, as amended by section 2, is further amended by adding at the end the following:

‘‘Subtitle E—National Information Sharing Organization

‘‘SEC. 241. ESTABLISHMENT OF NATIONAL INFORMATION SHARING ORGANIZATION.

‘‘(a) ESTABLISHMENT.—There is established a not-for-profit organization for sharing cyber threat information and exchanging technical assistance, advice, and support and developing and disseminating necessary information security technology. Such organization shall be designated as the ‘National Information Sharing Organization’.

‘‘(b) PURPOSE.—The National Information Sharing Organization shall serve as a national clearinghouse for the exchange of cyber threat information so that the owners and operators of networks or systems in the private sector, educational institutions, State, tribal, and local governments, entities operating critical infrastructure, and the Federal Government have access to timely and actionable information in order to protect their networks or systems as effectively as possible.

‘‘(c) DESIGNATION.—Not later than 120 days after the date of the enactment of this subtitle, the board of directors established in section 243 shall designate the appropriate organization or organizations as the National Information Sharing Organization.

‘‘(d) CRITERIA FOR DESIGNATION.—The board of directors shall select the organization or organizations to function as the National Information Sharing Organization by taking into consideration the following criteria and other criteria found appropriate by the board:

‘‘(1) Whether the organization or organizations have received recognition from the Secretary of Homeland Security for its cyber capabilities.

‘‘(2) Whether the organization or organizations have demonstrated the ability to address cyber-related issues in a trusted and cooperative environment maximizing public-private partnerships.

‘‘(3) Whether the organization or organizations have demonstrated the capability to deploy cybersecurity services for the detection, prevention, and mitigation of cyber-related issues.

‘‘(4) Whether the organization or organizations have an operational center that is open 24 hours a day, seven days a week, and is capable of determining, analyzing, and responding to cyber events.

and support related to the security of public. including personally identifiable information. best practices. 2011 Jkt 019200 PO 00000 Frm 00026 Fmt 6652 Sfmt 6201 E:\BILLS\H3674. including by— ‘‘(A) ensuring that the information exchanged shall be stripped of all information identifying the submitter and of any unnecessary personally identifiable information and shall be available to members of the National Information Sharing Organization. State. including Federal. and ‘‘(B) sharing timely and actionable threat and vulnerability information originating 24 25 through intelligence collection with appro- •HR 3674 IH VerDate Mar 15 2010 02:08 Dec 21. sensitive information.IH H3674 . 242. in transit and at rest. private. ‘‘(6) Whether the organization or organizations have experience implementing privacy protections to safeguard. ‘‘The National Information Sharing Organization 10 shall— 11 12 13 14 15 16 17 18 19 20 21 22 23 jbell on DSK7SPTVN1PROD with BILLS ‘‘(1) facilitate the exchange of information. and critical infrastructure information networks. MISSION AND ACTIVITIES. and local government agencies. ‘‘SEC. technical assistance.26 1 2 3 4 5 6 7 8 9 ‘‘(5) Whether the organization or organizations have a proven relationship with the private sector critical infrastructure sectors.

as appropriate. including the Federal Government. ‘‘(2) create a common operating picture by combining agreed upon network and cyber threat warning information to be shared— ‘‘(A) through a secure automated mechanism to be determined by the board. 2011 Jkt 019200 PO 00000 Frm 00027 Fmt 6652 Sfmt 6201 E:\BILLS\H3674. and ‘‘(B) with designated members of the National Information Sharing Organization. and vendor neutrality. ‘‘(3) undertake collaborative research and development projects to improve the level of cybersecurity in critical infrastructure information systems while maintaining impartiality.IH H3674 . ‘‘(4) develop language to be incorporated into the membership agreement regarding the transferability and use of intellectual property developed by the National Information Sharing Organization and its members under this subtitle. 24 25 •HR 3674 IH VerDate Mar 15 2010 02:08 Dec 21.27 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 jbell on DSK7SPTVN1PROD with BILLS priately cleared members of the National Information Sharing Organization. the independence of members of the National Information Sharing Organization. and ‘‘(5) integrate with the Federal Government through the National Cybersecurity and Communications Integration Center and other existing information sharing and analysis centers.

‘‘SEC. 243. BOARD OF DIRECTORS.

‘‘(a) IN GENERAL.—The National Information Sharing Organization shall have a board of directors which shall be responsible for—

‘‘(1) the executive and administrative operation of the National Information Sharing Organization, including matters relating to funding and promotion of the National Information Sharing Organization; and
‘‘(2) ensuring and facilitating compliance by members of the National Information Sharing Organization with the requirements of this subtitle.

‘‘(b) COMPOSITION.—The board shall be composed of the following members:

‘‘(1) One representative from the Department of Homeland Security.
‘‘(2) Four representatives from three different Federal agencies with significant responsibility for cybersecurity.
‘‘(3) Ten representatives from the private sector, including at least one member representing a small business interest and members representing each of the following critical infrastructure sectors and subsectors:
‘‘(A) Banking and finance.
‘‘(B) Communications.
‘‘(C) Defense industrial base.
‘‘(D) Energy, electricity subsector.
‘‘(E) Energy, oil, and natural gas subsector.
‘‘(F) Health care and public health.
‘‘(G) Information technology.
‘‘(4) Two representatives from the privacy and civil liberties community.
‘‘(5) The Chair of the National Council of Information Sharing and Analysis Centers.

‘‘(c) INITIAL APPOINTMENT.—Not later than 30 days after the date of the enactment of this subtitle, the Secretary of Homeland Security, in consultation with the heads of the sector specific agencies of the sectors and subsectors referred to in subsection (b)(3), shall appoint the members of the board described under subsection (b)(3) from individuals identified by the sector coordinating councils of sectors and subsectors referred to in subsection (b)(3).

‘‘(d) TERMS.—

‘‘(1) REPRESENTATIVES OF CERTAIN FEDERAL AGENCIES.—Each member of the board described in subsection (b)(1) and (b)(2) shall be appointed for a term that is not less than one year and not longer than three years from the date of the member’s appointment.
‘‘(2) OTHER REPRESENTATIVES.—The original private sector members of the board described in subsection (b) shall serve an initial term of one year from the date of appointment under subsection (c), at which time the members of the National Information Sharing Organization shall conduct elections in accordance with the procedures established under subsection (e).

‘‘(e) RULES AND PROCEDURES.—Not later than 90 days after the date of the enactment of this Act, the board shall establish rules and procedures for the election and service of members of the board described in paragraphs (3) and (4) of subsection (b).

‘‘(f) LEADERSHIP.—The board shall elect from among its members a chair and vice-chair of the board, who shall serve under such terms and conditions as the board may establish. The chair of the board may not be a Federal employee.

‘‘(g) SUB-BOARDS.—The board shall have the authority to constitute such sub-boards, or other advisory groups or panels, as may be necessary to assist the board in carrying out its functions under this section. The board shall establish an advisory group made up of the members determined appropriate to participate in the common operation picture described in section 242(2) and to determine information sets, sharing procedures, and operational protocols in creating the common operating picture.

‘‘SEC. 244. CHARTER.

‘‘The board shall develop a charter to govern the operations and administration of the National Information Sharing Organization. The charter shall cover each of the following:

‘‘(1) The organizational structure of the National Information Sharing Organization.
‘‘(2) The governance of the National Information Sharing Organization.
‘‘(3) A mission statement of the National Information Sharing Organization.
‘‘(4) Criteria for membership of the National Information Sharing Organization and for termination of such membership.
‘‘(5) A funding model of the National Information Sharing Organization, including costs, if any, for membership.
‘‘(6) Rules for sharing information with members of the National Information Sharing Organization, including the treatment and ownership of intellectual property provided by or to the National Information Sharing Organization, limitations on liability, and consideration of any necessary measures to mitigate anti-trust concerns.
‘‘(7) Technical requirements for participation in the common operating picture and a technical architecture that enables an automated, real-time sharing among members and Federal Government agencies.
‘‘(8) Rules for participating in collaborative research and development projects.
‘‘(9) Protections of privacy and civil liberties to be used by the National Information Sharing Organization and its members, including appropriate measures for public transparency and oversight.
‘‘(10) Security requirements and member obligations for the protection of information from other sources, including private and governmental.
‘‘(11) Procedures for making anonymized cyber incident information available to outside groups for academic research and insurance actuarial purposes.

‘‘SEC. 245. MEMBERSHIP.

‘‘Not later than 90 days after the date of the enactment of this subtitle, the board of directors of the National Information Sharing Organization shall establish criteria procedures for the voluntary membership by State and local government departments, agencies, and entities, private sector businesses and organizations, and academic institutions in the National Information Sharing Organization.

‘‘SEC. 246. FUNDING.

‘‘Annual administrative and operational expenses for the National Information Sharing Organization shall be paid by the members of such Organization, as determined by the board of directors of the Organization.

‘‘SEC. 247. CLASSIFIED INFORMATION.

‘‘Consistent with the protection of sensitive intelligence sources and methods, the Secretary, in conjunction with the Director of National Intelligence, shall facilitate—

‘‘(1) the sharing of classified information in the possession of a Federal agency related to threats to information networks with cleared members of the National Information Sharing Organization, including representatives of the private sector and of public and private sector entities operating critical infrastructure; and
‘‘(2) the declassification and sharing of information in the possession of a Federal agency related to threats to information networks with members of the National Information Sharing Organization.

‘‘SEC. 248. VOLUNTARY INFORMATION SHARING.

‘‘(a) IN GENERAL.—

‘‘(1) CYBERSECURITY PROVIDERS.—Notwithstanding any other provision of law, a cybersecurity provider may, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity.
‘‘(2) PROTECTED ENTITIES.—Notwithstanding any other provision of law, a protected entity may, for cybersecurity purposes—
‘‘(A) share cyber threat information with the National Information Sharing Organization and its membership, including the Federal Government; or
‘‘(B) authorize their cybersecurity provider to share on their behalf with the National Information Sharing Organization and its membership, including the Federal Government.
‘‘(3) SELF-PROTECTED ENTITIES.—Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes—
‘‘(A) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and
‘‘(B) share such cyber threat information with the National Information Sharing Organization and its membership, including the Federal Government.

‘‘(b) USES OF SHARED INFORMATION.—Notwithstanding any other provision of law, information shared with or provided to the National Information Sharing Organization or to a Federal agency or private entity through the National Information Sharing Organization by any member of the National Information Sharing Organization that is not a Federal agency in furtherance of the mission and activities of the National Information Sharing Organization as described in section 242—

‘‘(1) shall be exempt from disclosure under section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act);
‘‘(2) shall not, without the written consent of the person or entity submitting such information, be used directly by any Federal agency, any other Federal, State, tribal, or local authority, or any third party, in any civil action arising under Federal or State law if such information is submitted to the National Information Sharing Organization for the purpose of facilitating the missions of such Organization, as articulated in the mission statement required under section 244;
‘‘(3) shall not, without the written consent of the person or entity submitting such information, be used or disclosed by any officer or employee of the United States for purposes other than the purposes of this title, including any regulatory purpose, except—
‘‘(A) to further an investigation or the prosecution of a cybersecurity related criminal act; or
‘‘(B) to disclose the information to the appropriate congressional committee;
‘‘(4) shall not, if subsequently provided to a State or local government or government agency—
‘‘(A) be made available pursuant to any State or local law requiring disclosure of information or records;
‘‘(B) otherwise be disclosed or distributed to any party by such State or local government or government agency without the written consent of the person or entity submitting such information; or
‘‘(C) be used other than for the purpose of protecting information systems, or in furtherance of an investigation or the prosecution of a criminal act;
‘‘(5) does not constitute a waiver of any applicable privilege or protection provided under law, such as information that is proprietary, business sensitive, relates specifically to the submitting person or entity, or is otherwise not appropriately in the public domain; and
‘‘(6) shall not be the basis for any civil or criminal right of action in Federal or State court for a failure to warn or disclose provided that the information is shared with the Federal Government through the National Information Sharing Organization in accordance with the procedures established under this section.

‘‘(c) LIMITATION.—The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to any communication of information to a Federal agency made pursuant to this title.

‘‘(d) PROCEDURES.—

‘‘(1) IN GENERAL.—Not later than 90 days after the date of the enactment of this subtitle, the board of directors of the National Information Sharing Organization shall establish uniform procedures for the receipt, care, and storage of information that is voluntarily submitted to the Federal Government through the National Information Sharing Organization.
‘‘(2) ELEMENTS.—The procedures established under paragraph (1) shall include procedures for—
‘‘(A) the acknowledgment of receipt by the National Information Sharing Organization of cyber threat information that is voluntarily submitted to the National Information Sharing Organization;
‘‘(B) the maintenance of the identification of such information;
‘‘(C) the care and storage of such information;
‘‘(D) limiting subsequent dissemination of such information to ensure that such information is not used for an unauthorized purpose;
‘‘(E) the protection of the privacy rights and civil liberties of any individuals who are subjects of such information; and
‘‘(F) the protection and maintenance of the confidentiality of such information so as to permit the sharing of such information within the Federal Government and with State, tribal, and local governments, and the issuance of notices and warnings related to the protection of information networks, in such manner as to protect from public disclosure the identity of the submitting person or entity, or information that is proprietary, business sensitive, relates specifically to the submitting person or entity, and is otherwise not appropriately in the public domain.

‘‘(e) INDEPENDENTLY OBTAINED INFORMATION.—Nothing in this section shall be construed to limit or otherwise affect the ability of a Federal agency, a State, tribal, or local government or government agency, or any third party—

‘‘(1) to obtain or disseminate cyber threat information in a manner other than through the National Information Sharing Organization; and
‘‘(2) to use such information in any manner permitted by law.

‘‘(f) DEFINITIONS.—In this section:

‘‘(1) The term ‘cybersecurity provider’ means a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.

‘‘(2) The term ‘cybersecurity purpose’ means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from—
‘‘(A) efforts to degrade, disrupt or destroy such system or network; or
‘‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
‘‘(3) The term ‘cybersecurity system’ means a system designed or employed to ensure the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from—
‘‘(A) efforts to degrade, disrupt or destroy such system or network; or
‘‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
‘‘(4) The term ‘cyber threat information’ means information that is—
‘‘(A) necessary to describe a method of defeating technical controls on a system or network that corresponds to a cyber threat; and
‘‘(B) omits all other information not necessary to describe such threat.
‘‘(5) The term ‘protected entity’ means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.
‘‘(6) The term ‘self-protected entity’ means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.

‘‘SEC. 249. ANNUAL INDEPENDENT AUDITS.

‘‘The board of directors of the National Information Sharing Organization shall commission, on an annual basis, an audit by a qualified, independent auditing firm approved by the Secretary, to review the compliance of the National Information Sharing Organization and its members with the information sharing rules set forth in section 248 and the information sharing rules established by the board pursuant to the National Information Sharing Organization charter required under section 244. Such audit—

‘‘(1) shall identify instances in which information may have been shared in a manner inconsistent with procedures required under section 248 or with the information sharing rules established by the board pursuant to section 244, with the National Information Sharing Organization, with members of the National Information Sharing Organization, or by the National Information Sharing Organization with a National Information Sharing Organization member or other entity or individual;
‘‘(2) shall be provided to the Secretary and to the Committee on Homeland Security of the House of Representatives and to the Homeland Security and Governmental Affairs Committee of the Senate;
‘‘(3) shall be made public, with appropriate redactions to protect the identity of National Information Sharing Organization members; and
‘‘(4) may include a classified annex.

‘‘SEC. 250. PENALTIES.

‘‘(a) IN GENERAL.—It shall be unlawful for any officer, employee, representative, or agent of the United States or of any Federal agency, or any employee or officer of the National Information Sharing Organization, its member entities, and any representatives or agents of the National Information Sharing Organization or its member entities to knowingly publish, divulge, disclose, or make known in any manner or to any extent not authorized by law, any cyber threat information protected from disclosure by this title coming to such officer or employee in the course of the employee’s employment or official duties or by reason of any examination or investigation made by, or return, report, or record made to or filed with, such officer, employee, or agency.

‘‘(b) PENALTY.—Any person who violates subsection (a) shall be fined under title 18, United States Code, imprisoned for not more than one year, or both, and shall be removed from office or employment.

‘‘SEC. 251. AUTHORITY TO ISSUE WARNINGS.

‘‘The Secretary may provide advisories, alerts, and warnings to relevant companies, targeted sectors, other government entities, or the general public regarding potential threats to information networks as appropriate. In issuing such an advisory, alert, or warning, the Secretary shall take appropriate actions to protect from disclosure—

‘‘(1) the source of any voluntarily submitted information that forms the basis for the advisory, alert, or warning; and
‘‘(2) information that is proprietary, business sensitive, relates specifically to the submitting person or entity, or is otherwise not appropriate for disclosure in the public domain.

‘‘SEC. 252. EXEMPTION FROM ANTITRUST PROHIBITIONS.

‘‘The exchange of information by and between private sector members of the National Information Sharing Organization in furtherance of the mission and activities of the National Information Sharing Organization shall not be considered a violation of any provision of the antitrust laws (as such term is defined in the first section of the Clayton Act (15 U.S.C. 12)).

‘‘SEC. 253. LIMITATION.

‘‘For any fiscal year after fiscal year 2015, the amount authorized to be appropriated for the National Information Sharing Organization may not exceed the amount provided by the largest private sector member of the National Information Sharing Organization for that fiscal year.’’.

(2) CLERICAL AMENDMENT.—The table of contents in section 2(b) of such Act, as amended by section 2, is further amended by adding at the end of the items relating to title II the following new items:

‘‘Subtitle E—National Information Sharing Organization
‘‘Sec. 241. Establishment of National Information Sharing Organization.
‘‘Sec. 242. Mission and activities.
‘‘Sec. 243. Board of directors.
‘‘Sec. 244. Charter.
‘‘Sec. 245. Membership.
‘‘Sec. 246. Funding.
‘‘Sec. 247. Classified information.
‘‘Sec. 248. Voluntary information sharing.
‘‘Sec. 249. Annual independent audits.
‘‘Sec. 250. Penalties.
‘‘Sec. 251. Authority to issue warnings.
‘‘Sec. 252. Exemption from antitrust prohibitions.
‘‘Sec. 253. Limitation.’’.

(b) INITIAL EXPENSES.—There is authorized to be appropriated $10,000,000 for each of fiscal years 2013, 2014, and 2015 for initial expenses associated with the establishment of the National Information Sharing Organization under subtitle E of title II of the Homeland Security Act of 2002, as added by subsection (a). Such amounts shall be derived from amounts appropriated for the operations of the Management Office for the Directorate of Science and Technology of the Department of Homeland Security.