112th CONGRESS
1st Session
H. R. 3674

To amend the Homeland Security Act of 2002 to make certain improvements in the laws relating to cybersecurity, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES
December 15, 2011

Mr. DANIEL E. LUNGREN of California (for himself, Mr. KING of New York, Mr. MCCAUL, Mr. BILIRAKIS, Mrs. MILLER of Michigan, Mr. WALBERG, Mr. MARINO, Mr. LONG, Mr. TURNER of New York, Mr. STIVERS, and Mr. LANGEVIN) introduced the following bill; which was referred to the Committee on Homeland Security, and in addition to the Committees on Oversight and Government Reform, Science, Space, and Technology, the Judiciary, and Select Intelligence (Permanent Select), for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL
To amend the Homeland Security Act of 2002 to make certain improvements in the laws relating to cybersecurity, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.
This Act may be cited as the ‘Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011’ or the ‘PRECISE Act of 2011’.

SEC. 2. DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY ACTIVITIES.
(a) In General- Subtitle C of title II of the Homeland Security Act of 2002 is amended by adding at the end the following new sections:

‘SEC. 226. NATIONAL CYBERSECURITY AUTHORITY.
‘(a) In General- To protect Federal systems and critical infrastructure information systems and to prepare the Nation to respond to, recover from, and mitigate against acts of terrorism and other incidents involving such systems and infrastructure, the Secretary shall--
  ‘(1) develop and conduct risk assessments for Federal systems and, upon request and subject to the availability of resources, critical infrastructure information systems in consultation with the heads of other agencies or governmental and private entities that own and operate such systems, that may include threat, vulnerability, and impact assessments and penetration testing, or other comprehensive assessment techniques;
  ‘(2) foster the development, in conjunction with other governmental entities and the private sector, of essential information security technologies and capabilities for protecting Federal systems and critical infrastructure information systems, including comprehensive protective capabilities and other technological solutions;
  ‘(3) acquire, integrate, and facilitate the adoption of new cybersecurity technologies and practices in a technologically and vendor-neutral manner to keep pace with emerging terrorist and other cybersecurity threats and developments, including through research and development, technical service agreements, and making such technologies available to governmental and private entities that own or operate critical infrastructure information systems, as necessary to accomplish the purpose of this section;
  ‘(4) maintain the capability to serve as a focal point with the Federal Government for cybersecurity, responsible for--
    ‘(A) the coordination of the protection of Federal systems and critical infrastructure information systems;
    ‘(B) the coordination of national cyber incident response;
    ‘(C) facilitating information sharing, interactions, and collaborations among and between Federal agencies, State and local governments, the private sector, academia, and international partners;
    ‘(D) working with appropriate Federal agencies, State and local governments, the private sector, academia, and international partners to prevent and respond to terrorist and other cybersecurity threats and incidents involving Federal systems and critical infrastructure information systems pursuant to the national cyber incident response plan and supporting plans developed in accordance with paragraph (8);
    ‘(E) the dissemination of timely and actionable terrorist and other cybersecurity threat, vulnerability, mitigation, and warning information, including alerts, advisories, indicators, signatures, and mitigation and response measures, to improve the security and protection of Federal systems and critical infrastructure information systems;
    ‘(F) the integration of information from Federal Government and non-federal network operation centers and security operations centers;
    ‘(G) the compilation and analysis of information about risks and incidents regarding terrorism or other causes that threaten Federal systems and critical infrastructure information systems;
    ‘(H) the provision of incident prediction, detection, analysis, mitigation, and response information and remote or on-site technical assistance to heads of Federal agencies and, upon request, governmental and private entities that own or operate critical infrastructure; and
    ‘(I) acting as the Federal Government representative with the organization or organizations designated under section 241;
  ‘(5) assist in national efforts to mitigate communications and information technology supply chain vulnerabilities to enhance the security and the resiliency of Federal systems and critical infrastructure information systems;
  ‘(6) develop and lead a nationwide awareness and outreach effort to educate the public about--
    ‘(A) the importance of cybersecurity and cyber ethics;
    ‘(B) ways to promote cybersecurity best practices at home and in the workplace; and
    ‘(C) training opportunities to support the development of an effective national cybersecurity workforce and educational paths to cybersecurity professions;
  ‘(7) establish, in coordination with the Director of the National Institute of Standards and Technology and the heads of other appropriate agencies, benchmarks and guidelines for making critical infrastructure information systems more secure at a fundamental level, including through automation, interoperability, and privacy-enhancing authentication;
  ‘(8) develop a national cybersecurity incident response plan and supporting cyber incident response and restoration plans, in consultation with the heads of other relevant Federal agencies, owners and operators of critical infrastructure, sector coordinating councils, State and local governments, and relevant non-governmental organizations and based on applicable law that describe the specific roles and responsibilities of governmental and private entities during cyber incidents to ensure essential government operations continue;
  ‘(9) develop and conduct exercises, simulations, and other activities designed to support the national response to terrorism and other cybersecurity threats and incidents and evaluate the national cyber incident response plan and supporting plans developed in accordance with paragraph (8);
  ‘(10) ensure that the technology and tools used to accomplish the requirements of this section are scientifically and operationally validated; and
  ‘(11) take such other lawful action as may be necessary and appropriate to accomplish the requirements of this section.
‘(b) Coordination-
  ‘(1) COORDINATION WITH OTHER ENTITIES- In carrying out the cybersecurity activities under this section, the Secretary shall coordinate, as appropriate, with--
    ‘(A) the head of any relevant agency or entity;
    ‘(B) representatives of State and local governments;
    ‘(C) the private sector, including owners and operators of critical infrastructure;
    ‘(D) suppliers of technology for critical infrastructure;
    ‘(E) academia; and
    ‘(F) international organizations and foreign partners.
  ‘(2) COORDINATION OF AGENCY ACTIVITIES- The Secretary shall coordinate the activities undertaken by agencies to protect Federal systems and critical infrastructure information systems and prepare the Nation to predict, anticipate, recognize, respond to, recover from, and mitigate against risk of acts of terrorism and other incidents involving such systems and infrastructure.
  ‘(3) LEAD CYBERSECURITY OFFICIAL- The Secretary shall designate a lead cybersecurity official to provide leadership to the cybersecurity activities of the Department and to ensure that the Department’s cybersecurity activities under this subtitle are coordinated with all other infrastructure protection and cyber-related programs and activities of the Department, including those of any intelligence or law enforcement components or entities within the Department.
  ‘(4) REPORTS TO CONGRESS- The lead cybersecurity official shall make regular reports to the appropriate committees of Congress on the coordination of cyber-related programs across the Department.
‘(c) Strategy- In carrying out the cybersecurity functions of the Department, the Secretary shall develop and maintain a strategy that--
  ‘(1) articulates the actions necessary to assure the readiness, reliability, continuity, integrity, and resilience of Federal systems and critical infrastructure information systems;
  ‘(2) is informed by the need to maintain economic prosperity and facilitate market leadership for the United States information and communications industry; and
  ‘(3) protects privacy rights and preserves civil liberties of United States persons.
‘(d) Access to Information- The Secretary shall ensure that the organization or organizations designated under section 241 have full and timely access to properly anonymized cyber incident information originating within the Federal civilian networks to populate the common operating picture described in section 242.
‘(e) No Right or Benefit- The provision of assistance or information to governmental or private entities that own or operate critical infrastructure information systems under this section shall be at the discretion of the Secretary and subject to the availability of resources. The provision of certain assistance or information to one governmental or private entity pursuant to this section shall not create a right or benefit, substantive or procedural, to similar assistance or information for any other governmental or private entity.
‘(f) Savings Clause- Nothing in this subtitle shall be interpreted to alter or amend the law enforcement or intelligence authorities of any agency.
‘(g) Definitions- In this section:
  ‘(1) The term ‘Federal systems’ means all information systems owned, operated, leased, or otherwise controlled by an agency, or on behalf of an agency, except for national security systems or those information systems under the control of the Department of Defense.
  ‘(2) The term ‘critical infrastructure information systems’ means any physical or virtual information system that controls, processes, transmits, receives, or stores electronic information in any form, including data, voice, or video, that is--
    ‘(A) vital to the functioning of critical infrastructure as defined in section 5195c(e) of title 42; or
    ‘(B) owned or operated by or on behalf of a State or local government entity that is necessary to ensure essential government operations continue.

‘SEC. 227. IDENTIFICATION OF SECTOR SPECIFIC CYBERSECURITY RISKS.
‘(a) In General- The Secretary shall, on a continuous and sector-by-sector basis, identify and evaluate cybersecurity risks to critical infrastructure. In carrying out this subsection, the Secretary shall coordinate, as appropriate, with the following:
  ‘(1) The head of the sector specific agency with responsibility for critical infrastructure.
  ‘(2) The head of any agency with responsibilities for regulating the critical infrastructure.
  ‘(3) The owners and operators of critical infrastructure and any private sector entity determined appropriate by the Secretary.
‘(b) Evaluation of Risks- The Secretary, in coordination with the individuals and entities referred to in subsection (a), shall evaluate the cybersecurity risks identified under subsection (a) by taking into account each of the following:
  ‘(1) The actual or assessed threat, including a consideration of adversary capabilities and intent, preparedness, target attractiveness, and deterrence capabilities.
  ‘(2) The extent and likelihood of death, injury, or serious adverse effects to human health and safety caused by a disruption, destruction, or unauthorized use of critical infrastructure.
  ‘(3) The threat to national security caused by the disruption, destruction, or unauthorized use of critical infrastructure.
  ‘(4) The harm to the economy that would result from the disruption, destruction, or unauthorized use of critical infrastructure.
  ‘(5) Other risk-based security factors that the Secretary, in consultation with the head of the sector specific agency with responsibility for critical infrastructure and the head of any Federal agency that is not a sector specific agency with responsibilities for regulating critical infrastructure, and in consultation with any private sector entity determined appropriate by the Secretary to protect public health and safety, critical infrastructure, or national and economic security.
‘(c) Availability of Identified Risks- The Secretary shall ensure that the risks identified and evaluated under this section for each sector and subsector are made available to the owners and operators of critical infrastructure within each sector and subsector.
‘(d) Collection of Risk-Based Performance Standards-
  ‘(1) REVIEW AND ESTABLISHMENT- The Secretary, in coordination with the heads of other appropriate agencies, shall review existing internationally recognized consensus-developed risk-based performance standards, including such standards developed by the National Institute of Standards and Technology, for inclusion in a common collection. Such collection shall include, for each such risk-based performance standard, an analysis of each of the following:
    ‘(A) How well the performance standard addresses the identified risks.
    ‘(B) How cost-effective the standard implementation of the performance standard can be.
  ‘(2) USE OF COLLECTION- The Secretary, in conjunction with the heads of other appropriate agencies, shall develop market-based incentives designed to encourage the use of the collection established under paragraph (1).
  ‘(3) INCLUSION IN REGULATORY REGIMES- The heads of sector specific agencies with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector specific agency with responsibilities for regulating covered critical infrastructure, in consultation with the Secretary and with any private sector entity determined appropriate by the Secretary, shall propose through notice and comment rulemaking to include the most effective and cost-efficient risk-based performance standards identified in the collection established under paragraph (1) in the regulatory regimes applicable to covered critical infrastructure.
‘(e) Mitigation of Risks- If the Secretary determines that no existing internationally-recognized risk-based performance standard mitigates a risk identified under subsection (a), the Secretary shall--
  ‘(1) work with owners and operators of critical infrastructure and suppliers of technology to appropriately mitigate the identified risk, including determining appropriate market-based incentives for development and implementation of the identified mitigation; and
  ‘(2) engage with the National Institute of Standards and Technology and appropriate international consensus bodies that develop and strengthen standards and practices to address the identified risk.
‘(f) Covered Critical Infrastructure Defined- In this section, the term ‘covered critical infrastructure’ means any facility or function that, by way of cyber vulnerability, the destruction or disruption of or unauthorized access to could result in--
  ‘(1) a significant loss of life;
  ‘(2) a major economic disruption, including--
    ‘(A) the immediate failure of, or loss of confidence in, a major financial market; or
    ‘(B) the sustained disruption of financial systems that would lead to long term catastrophic economic damage to the United States;
  ‘(3) mass evacuations of a major population center for an extended length of time; or
  ‘(4) severe degradation of national security or national security capabilities, including intelligence and defense functions, but excluding military facilities.
‘(g) Redress-
  ‘(1) IN GENERAL- Subject to paragraphs (2) and (3), the Secretary shall develop a mechanism, consistent with subchapter II of chapter 5 of title 5, United States Code, for an owner or operator notified under subsection (f) to appeal the identification of a facility or function as covered critical infrastructure under this section.
  ‘(2) APPEAL TO FEDERAL COURT- A civil action seeking judicial review of a final agency action taken under the mechanism developed under paragraph (1) shall be filed in the United States District Court for the District of Columbia.
  ‘(3) COMPLIANCE- The owner or operator of a facility or function identified as covered critical infrastructure shall comply with any requirement of this subtitle relating to covered critical infrastructure until such time as the facility or function is no longer identified as covered critical infrastructure, based on--
    ‘(A) an appeal under paragraph (1);
    ‘(B) a determination of the Secretary unrelated to an appeal; or
    ‘(C) a final judgment entered in a civil action seeking judicial review brought in accordance with paragraph (2).

‘SEC. 228. INFORMATION SHARING.
‘(a) Cybersecurity Information- The Secretary shall be responsible for making all cyber threat information, provided pursuant to section 202 of this title, available to appropriate owners and operators of critical infrastructure on a timely basis consistent with the responsibilities of the Secretary to provide information related to threats to critical infrastructures to the organization designated under section 241.
‘(b) Information Sharing- The Secretary shall, to the maximum extent possible, consistent with rules for the handling of classified and sensitive but unclassified information, share relevant information regarding cybersecurity threats and vulnerabilities, and any proposed actions to mitigate them, with all Federal agencies, appropriate State or local government representatives, and appropriate critical infrastructure information systems owners and operators, including by expediting necessary security clearances for designated points of contact for critical infrastructure information systems.
‘(c) Protection of Information- The Secretary shall designate, as appropriate, information received from Federal agencies and from critical infrastructure information systems owners and operators and information provided to Federal agencies or critical infrastructure information systems owners and operators pursuant to this section as sensitive security information and shall require and enforce sensitive security information requirements for handling, storage, and dissemination of any such information, including proper protections for personally identifiable information.

‘SEC. 229. CYBERSECURITY RESEARCH AND DEVELOPMENT.
‘(a) In General- The Under Secretary for Science and Technology shall support research, development, testing, evaluation, and transition of cybersecurity technology, including fundamental, long-term research to improve the ability of the United States to prevent, protect against, detect, respond to, and recover from acts of terrorism and cyber attacks, with an emphasis on research and development relevant to attacks that would cause a debilitating impact on national security, national economic security, or national public health and safety.
‘(b) Activities- The research, development, testing, evaluation, and transition supported under subsection (a) shall include work to--
  ‘(1) advance the development and accelerate the deployment of more secure versions of fundamental Internet protocols and architectures, including for the domain name system and routing protocols;
  ‘(2) improve, create, and advance the research and development of techniques and technologies for proactive detection and identification of threats, attacks, and acts of terrorism before they occur;
  ‘(3) advance technologies for detecting attacks or intrusions, including real-time monitoring and real-time analytic technologies;
  ‘(4) improve and create mitigation and recovery methodologies, including techniques and policies for real-time containment of attacks and development of resilient networks and systems;
  ‘(5) develop and support infrastructure and tools to support cybersecurity research and development efforts, including modeling, test beds, and data sets for assessment of new cybersecurity technologies;
  ‘(6) assist in the development and support of technologies to reduce vulnerabilities in process control systems;
  ‘(7) develop and support cyber forensics and attack attribution;
  ‘(8) test, evaluate, and facilitate the transfer of technologies associated with the engineering of less vulnerable software and securing the information technology software development lifecycle; and
  ‘(9) ensure new cybersecurity technologies are scientifically and operationally validated.
‘(c) Coordination- In carrying out this section, the Under Secretary shall coordinate activities with--
  ‘(1) the Under Secretary for National Protection and Programs Directorate; and
  ‘(2) the heads of other relevant Federal departments and agencies, including the National Science Foundation, the Defense Advanced Research Projects Agency, the Information Assurance Directorate of the National Security Agency, the National Institute of Standards and Technology, the Department of Commerce, academic institutions, and other appropriate working groups established by the President to identify unmet needs and cooperatively support activities, as appropriate.

‘SEC. 230. PERSONNEL AUTHORITIES RELATED TO THE OFFICE OF CYBERSECURITY AND COMMUNICATIONS.
‘(a) In General- In order to assure that the Department has the necessary resources to carry out the mission of securing Federal systems and critical infrastructure information systems, the Secretary may, as necessary, convert competitive service positions, and the incumbents of such positions, within the Office of Cybersecurity and Communications to excepted service, or may establish new positions within the Office of Cybersecurity and Communications in the excepted service, to the extent that the Secretary determines such positions are necessary to carry out the cybersecurity functions of the Department.
‘(b) Compensation- The Secretary may--
  ‘(1) fix the compensation of individuals who serve in positions referred to in subsection (a) in relation to the rates of pay provided for comparable positions in the Department and subject to the same limitations on maximum rates of pay established for employees of the Department by law or regulations; and
  ‘(2) provide additional forms of compensation, including benefits, incentives, and allowances, that are consistent with and not in excess of the level authorized for comparable positions authorized under title 5, United States Code.
‘(c) Retention Bonuses- Notwithstanding any other provision of law, the Secretary may pay a retention bonus to any employee appointed under this section, if the Secretary determines that the bonus is needed to retain essential personnel. Before announcing the payment of a bonus under this subsection, the Secretary shall submit a written explanation of such determination to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate.
‘(d) Annual Report- Not later than one year after the date of the enactment of this section, and annually thereafter, the Secretary shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a detailed report that includes, for the period covered by the report--
  ‘(1) a discussion of the Secretary’s use of the flexible authority authorized under this section to recruit and retain qualified employees;
  ‘(2) metrics on relevant personnel actions, including--
    ‘(A) the number of qualified employees hired by occupation and grade, level, or pay band;
    ‘(B) the total number of veterans hired;
    ‘(C) the number of separations of qualified employees;
    ‘(D) the number of retirements of qualified employees; and
    ‘(E) the number and amounts of recruitment, relocation, and retention incentives paid to qualified employees by occupation and grade, level, or pay band; and
  ‘(3) long-term and short-term strategic goals to address critical skills deficiencies, including an analysis of the numbers of and reasons for attrition of employees and barriers to recruiting and hiring individuals qualified in cybersecurity.’.

(b) Clerical Amendment- The table of contents in section 2(b) of such Act is amended by inserting after the item relating to section 225 the following new items:
  ‘Sec. 226. National cybersecurity authority.
  ‘Sec. 227. Identification of sector specific cybersecurity risks.
  ‘Sec. 228. Information sharing.
  ‘Sec. 229. Cybersecurity research and development.
  ‘Sec. 230. Personnel authorities related to the Office of Cybersecurity and Communications.’.
(c) Plan for Execution of Authorities- Not later than 120 days after the date of the enactment of this Act, the Secretary of Homeland Security shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report containing a plan for the execution of the authorities contained in the amendment made by subsection (a).

SEC. 3. NATIONAL INFORMATION SHARING ORGANIZATION.
(a) National Information Sharing Organization-
  (1) IN GENERAL- Title II of the Homeland Security Act of 2002, as amended by section 2, is further amended by adding at the end the following:

‘Subtitle E--National Information Sharing Organization

‘SEC. 241. ESTABLISHMENT OF NATIONAL INFORMATION SHARING ORGANIZATION.
‘(a) Establishment- There is established a not-for-profit organization for sharing cyber threat information and exchanging technical assistance, advice, and support and developing and disseminating necessary information security technology. Such organization shall be designated as the ‘National Information Sharing Organization’.
‘(b) Purpose- The National Information Sharing Organization shall serve as a national clearinghouse for the exchange of cyber threat information so that the owners and operators of networks or systems in the private sector, educational institutions, State, tribal, and local governments, entities operating critical infrastructure, and the Federal Government have access to timely and actionable information in order to protect their networks or systems as effectively as possible.
‘(c) Designation- Not later than 120 days after the date of the enactment of this subtitle, the board of directors established in section 243 shall designate the appropriate organization or organizations as the National Information Sharing Organization.
‘(d) Criteria for Designation- The board of directors shall select the organization or organizations to function as the National Information Sharing Organization by taking into consideration the following criteria and other criteria found appropriate by the board:
  ‘(1) Whether the organization or organizations have received recognition from the Secretary of Homeland Security for its cyber capabilities.
  ‘(2) Whether the organization or organizations have demonstrated the ability to address cyber-related issues in a trusted and cooperative environment maximizing public-private partnerships.
  ‘(3) Whether the organization or organizations have demonstrated the capability to deploy cybersecurity services for the detection, prevention, and mitigation of cyber-related issues.
  ‘(4) Whether the organization or organizations have an operational center that is open 24 hours a day, seven days a week, and is capable of determining, analyzing, and responding to cyber events.
  ‘(5) Whether the organization or organizations have a proven relationship with the private sector critical infrastructure sectors.
  ‘(6) Whether the organization or organizations have experience implementing privacy protections to safeguard sensitive information, including personally identifiable information, in transit and at rest.

‘SEC. 242. MISSION AND ACTIVITIES.
‘The National Information Sharing Organization shall--
  ‘(1) facilitate the exchange of information, best practices, technical assistance, and support related to the security of public, private, and critical infrastructure information networks, including by--
    ‘(A) ensuring that the information exchanged shall be stripped of all information identifying the submitter and of any unnecessary personally identifiable information and shall be available to members of the National Information Sharing Organization, including Federal, State, and local government agencies; and
    ‘(B) sharing timely and actionable threat and vulnerability information originating through intelligence collection with appropriately cleared members of the National Information Sharing Organization;
  ‘(2) create a common operating picture by combining agreed upon network and cyber threat warning information to be shared--
    ‘(A) through a secure automated mechanism to be determined by the board; and
    ‘(B) with designated members of the National Information Sharing Organization, including the Federal Government;
  ‘(3) undertake collaborative research and development projects to improve the level of cybersecurity in critical infrastructure information systems while maintaining impartiality, the independence of members of the National Information Sharing Organization, and vendor neutrality;
  ‘(4) develop language to be incorporated into the membership agreement regarding the transferability and use of intellectual property developed by the National Information Sharing Organization and its members under this subtitle; and
  ‘(5) integrate with the Federal Government through the National Cybersecurity and Communications Integration Center and other existing information sharing and analysis centers, as appropriate.

‘SEC. 243. BOARD OF DIRECTORS.
‘(a) In General- The National Information Sharing Organization shall have a board of directors which shall be responsible for--
  ‘(1) the executive and administrative operation of the National Information Sharing Organization, including matters relating to funding and promotion of the National Information Sharing Organization; and
  ‘(2) ensuring and facilitating compliance by members of the National Information Sharing Organization with the requirements of this subtitle.
‘(b) Composition- The board shall be composed of the following members:
  ‘(1) One representative from the Department of Homeland Security.
  ‘(2) Four representatives from three different Federal agencies with significant responsibility for cybersecurity.
  ‘(3) Ten representatives from the private sector, including at least one member representing a small business interest and members representing each of the following critical infrastructure sectors and subsectors:
    ‘(A) Banking and finance.
    ‘(B) Communications.
    ‘(C) Defense industrial base.
    ‘(D) Energy, electricity subsector.
    ‘(E) Energy, oil, and natural gas subsector.
    ‘(F) Health care and public health.
    ‘(G) Information technology.
  ‘(4) Two representatives from the privacy and civil liberties community.
  ‘(5) The Chair of the National Council of Information Sharing and Analysis Centers.
‘(c) Initial Appointment- Not later than 30 days after the date of the enactment of this subtitle, the Secretary of Homeland Security, in consultation with the heads of the sector specific agencies of the sectors and subsectors referred to in subsection (b)(3), shall appoint the members of the board described under subsection (b)(3) from individuals identified by the sector coordinating councils of sectors and subsectors referred to in subsection (b)(3).
‘(d) Terms- ‘(1) REPRESENTATIVES OF CERTAIN FEDERAL AGENCIES- Each member of the board described in subsection (b)(1) and (b)(2) shall be appointed for a term that is not less than one year and not longer than three years from the date of the member’s appointment. ‘(2) OTHER REPRESENTATIVES- The original private sector members of the board described in subsection (b) shall serve an initial term of one year from the date of appointment under subsection (c), at which time the members of the National Information Sharing Organization shall conduct elections in accordance with the procedures established under subsection (e). ‘(e) Rules and Procedures- Not later than 90 days after the date of the enactment of this Act, the board shall establish rules and procedures for the election and service of members of the board described in paragraphs (3) and (4) of subsection (b). ‘(f) Leadership- The board shall elect from among its members a chair and vice-chair of the board, who shall serve under such terms and conditions as the board may establish. The chair of the board may not be a Federal employee. ‘(g) Sub-Boards- The board shall have the authority to constitute such sub-boards, or other advisory groups or panels, as may be necessary to assist the board in carrying out its functions under this section. The board shall establish an advisory group made up of the members determined appropriate to participate in the common operating picture described in section 242(2) and to determine information sets, sharing procedures, and operational protocols in creating the common operating picture. ‘SEC. 244. CHARTER. ‘The board shall develop a charter to govern the operations and administration of the National Information Sharing Organization. The charter shall cover each of the following: ‘(1) The organizational structure of the National Information Sharing Organization. ‘(2) The governance of the National Information Sharing Organization. 
‘(3) A mission statement of the National Information Sharing Organization. ‘(4) Criteria for membership of the National Information Sharing Organization and for termination of such membership. ‘(5) A funding model of the National Information Sharing Organization, including costs, if any, for membership. ‘(6) Rules for sharing information with members of the National Information Sharing Organization, including the treatment and ownership of intellectual property provided by or to the National Information Sharing Organization, limitations on liability, and consideration of any necessary measures to mitigate anti-trust concerns. ‘(7) Technical requirements for participation in the common operating picture and a technical architecture that enables an automated, real-time sharing among members and Federal Government agencies. ‘(8) Rules for participating in collaborative research and development projects. ‘(9) Protections of privacy and civil liberties to be used by the National Information Sharing Organization and its members, including appropriate measures for public transparency and oversight. ‘(10) Security requirements and member obligations for the protection of information from other sources, including private and governmental. ‘(11) Procedures for making anonymized cyber incident information available to outside groups for academic research and insurance actuarial purposes. ‘SEC. 245. MEMBERSHIP. ‘Not later than 90 days after the date of the enactment of this subtitle, the board of directors of the National Information Sharing Organization shall establish criteria and procedures for the voluntary membership by State and local government departments, agencies, and entities, private sector businesses and organizations, and academic institutions in the National Information Sharing Organization. ‘SEC. 246. FUNDING. 
‘Annual administrative and operational expenses for the National Information Sharing Organization shall be paid by the members of such Organization, as determined by the board of directors of the Organization. ‘SEC. 247. CLASSIFIED INFORMATION. ‘Consistent with the protection of sensitive intelligence sources and methods, the Secretary, in conjunction with the Director of National Intelligence, shall facilitate-- ‘(1) the sharing of classified information in the possession of a Federal agency related to threats to information networks with cleared members of the National Information Sharing Organization, including representatives of the private sector and of public and private sector entities operating critical infrastructure; and ‘(2) the declassification and sharing of information in the possession of a Federal agency related to threats to information networks with members of the National Information Sharing Organization. ‘SEC. 248. VOLUNTARY INFORMATION SHARING. ‘(a) In General- ‘(1) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider may, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity. ‘(2) PROTECTED ENTITIES- Notwithstanding any other provision of law, a protected entity may, for cybersecurity purposes-- ‘(A) share cyber threat information with the National Information Sharing Organization and its membership, including the Federal Government; or ‘(B) authorize their cybersecurity provider to share on their behalf with the National Information Sharing Organization and its membership, including the Federal Government. 
‘(3) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes-- ‘(A) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and ‘(B) share such cyber threat information with the National Information Sharing Organization and its membership, including the Federal Government. ‘(b) Uses of Shared Information- Notwithstanding any other provision of law, information shared with or provided to the National Information Sharing Organization or to a Federal agency or private entity through the National Information Sharing Organization by any member of the National Information Sharing Organization that is not a Federal agency in furtherance of the mission and activities of the National Information Sharing Organization as described in section 242-- ‘(1) shall be exempt from disclosure under section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act); ‘(2) shall not, without the written consent of the person or entity submitting such information, be used directly by any Federal agency, any other Federal, State, tribal, or local authority, or any third party, in any civil action arising under Federal or State law if such information is submitted to the National Information Sharing Organization for the purpose of facilitating the missions of such Organization, as articulated in the mission statement required under section 244; ‘(3) shall not, without the written consent of the person or entity submitting such information, be used or disclosed by any officer or employee of the United States for purposes other than the purposes of this title, including any regulatory purpose, except-- ‘(A) to further an investigation or the prosecution of a cybersecurity related criminal act; or ‘(B) to disclose the information to the appropriate congressional committee; ‘(4) shall not, if subsequently 
provided to a State or local government or government agency-- ‘(A) be made available pursuant to any State or local law requiring disclosure of information or records; ‘(B) otherwise be disclosed or distributed to any party by such State or local government or government agency without the written consent of the person or entity submitting such information; or ‘(C) be used other than for the purpose of protecting information systems, or in furtherance of an investigation or the prosecution of a criminal act; ‘(5) does not constitute a waiver of any applicable privilege or protection provided under law, such as information that is proprietary, business sensitive, relates specifically to the submitting person or entity, or is otherwise not appropriately in the public domain; and ‘(6) shall not be the basis for any civil or criminal right of action in Federal or State court for a failure to warn or disclose provided that the information is shared with the Federal Government through the National Information Sharing Organization in accordance with the procedures established under this section. ‘(c) Limitation- The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to any communication of information to a Federal agency made pursuant to this title. ‘(d) Procedures- ‘(1) IN GENERAL- Not later than 90 days after the date of the enactment of this subtitle, the board of directors of the National Information Sharing Organization shall establish uniform procedures for the receipt, care, and storage of information that is voluntarily submitted to the Federal Government through the National Information Sharing Organization. 
‘(2) ELEMENTS- The procedures established under paragraph (1) shall include procedures for-- ‘(A) the acknowledgment of receipt by the National Information Sharing Organization of cyber threat information that is voluntarily submitted to the National Information Sharing Organization; ‘(B) the maintenance of the identification of such information; ‘(C) the care and storage of such information; ‘(D) limiting subsequent dissemination of such information to ensure that such information is not used for an unauthorized purpose; ‘(E) the protection of the privacy rights and civil liberties of any individuals who are subjects of such information; and ‘(F) the protection and maintenance of the confidentiality of such information so as to permit the sharing of such information within the Federal Government and with State, tribal, and local governments, and the issuance of notices and warnings related to the protection of information networks, in such manner as to protect from public disclosure the identity of the submitting person or entity, or information that is proprietary, business sensitive, relates specifically to the submitting person or entity, and is otherwise not appropriately in the public domain. ‘(e) Independently Obtained Information- Nothing in this section shall be construed to limit or otherwise affect the ability of a Federal agency, a State, tribal, or local government or government agency, or any third party-- ‘(1) to obtain or disseminate cyber threat information in a manner other than through the National Information Sharing Organization; and ‘(2) to use such information in any manner permitted by law. ‘(f) Definitions- In this section: ‘(1) The term ‘cybersecurity provider’ means a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes. 
‘(2) The term ‘cybersecurity purpose’ means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from-- ‘(A) efforts to degrade, disrupt or destroy such system or network; or ‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information. ‘(3) The term ‘cybersecurity system’ means a system designed or employed to ensure the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from-- ‘(A) efforts to degrade, disrupt or destroy such system or network; or ‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information. ‘(4) The term ‘cyber threat information’ means information that is-- ‘(A) necessary to describe a method of defeating technical controls on a system or network that corresponds to a cyber threat; and ‘(B) omits all other information not necessary to describe such threat. ‘(5) The term ‘protected entity’ means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes. ‘(6) The term ‘self-protected entity’ means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself. ‘SEC. 249. ANNUAL INDEPENDENT AUDITS. ‘The board of directors of the National Information Sharing Organization shall commission, on an annual basis, an audit by a qualified, independent auditing firm approved by the Secretary, to review the compliance of the National Information Sharing Organization and its members with the information sharing rules set forth in section 248 and the information sharing rules established by the board pursuant to the National Information Sharing Organization charter required under section 244. 
Such audit-- ‘(1) shall identify instances in which information may have been shared in a manner inconsistent with procedures required under section 248 or with the information sharing rules established by the board pursuant to section 244, with the National Information Sharing Organization, with members of the National Information Sharing Organization, or by the National Information Sharing Organization with a National Information Sharing Organization member or other entity or individual; ‘(2) shall be provided to the Secretary and to the Committee on Homeland Security of the House of Representatives and to the Homeland Security and Governmental Affairs Committee of the Senate; ‘(3) shall be made public, with appropriate redactions to protect the identity of National Information Sharing Organization members; and ‘(4) may include a classified annex. ‘SEC. 250. PENALTIES. ‘(a) In General- It shall be unlawful for any officer, employee, representative, or agent of the United States or of any Federal agency, or any employee or officer of the National Information Sharing Organization, its member entities, and any representatives or agents of the National Information Sharing Organization or its member entities to knowingly publish, divulge, disclose, or make known in any manner or to any extent not authorized by law, any cyber threat information protected from disclosure by this title coming to such officer or employee in the course of the employee’s employment or official duties or by reason of any examination or investigation made by, or return, report, or record made to or filed with, such officer, employee, or agency. ‘(b) Penalty- Any person who violates subsection (a) shall be fined under title 18, United States Code, imprisoned for not more than one year, or both, and shall be removed from office or employment. ‘SEC. 251. AUTHORITY TO ISSUE WARNINGS. 
‘The Secretary may provide advisories, alerts, and warnings to relevant companies, targeted sectors, other government entities, or the general public regarding potential threats to information networks as appropriate. In issuing such an advisory, alert, or warning, the Secretary shall take appropriate actions to protect from disclosure-- ‘(1) the source of any voluntarily submitted information that forms the basis for the advisory, alert, or warning; and ‘(2) information that is proprietary, business sensitive, relates specifically to the submitting person or entity, or is otherwise not appropriate for disclosure in the public domain. ‘SEC. 252. EXEMPTION FROM ANTITRUST PROHIBITIONS. ‘The exchange of information by and between private sector members of the National Information Sharing Organization in furtherance of the mission and activities of the National Information Sharing Organization shall not be considered a violation of any provision of the antitrust laws (as such term is defined in the first section of the Clayton Act (15 U.S.C. 12)). ‘SEC. 253. LIMITATION. ‘For any fiscal year after fiscal year 2015, the amount authorized to be appropriated for the National Information Sharing Organization may not exceed the amount provided by the largest private sector member of the National Information Sharing Organization for that fiscal year.’. (2) CLERICAL AMENDMENT- The table of contents in section 2(b) of such Act, as amended by section 2, is further amended by adding at the end of the items relating to title II the following new items: ‘Subtitle E--National Information Sharing Organization ‘Sec. 241. Establishment of National Information Sharing Organization. ‘Sec. 242. Mission and activities. ‘Sec. 243. Board of directors. ‘Sec. 244. Charter. ‘Sec. 245. Membership. ‘Sec. 246. Funding. ‘Sec. 247. Classified information. ‘Sec. 248. Voluntary information sharing. ‘Sec. 249. Annual independent audits. ‘Sec. 250. Penalties. ‘Sec. 251. Authority to issue warnings. 
‘Sec. 252. Exemption from antitrust prohibitions. ‘Sec. 253. Limitation.’. (b) Initial Expenses- There is authorized to be appropriated $10,000,000 for each of fiscal years 2013, 2014, and 2015 for initial expenses associated with the establishment of the National Information Sharing Organization under subtitle E of title II of the Homeland Security Act of 2002, as added by subsection (a). Such amounts shall be derived from amounts appropriated for the operations of the Management Office for the Directorate of Science and Technology of the Department of Homeland Security.