Donate for the Cryptome archive of files from June 1996 to the present


15 December 2015

S.754 Cybersecurity Information Sharing Act of 2015


  The PRESIDING OFFICER. The bill having been read the third time, the 
question is, Shall it pass?
  Mr. TILLIS. I ask for the yeas and nays.
  The PRESIDING OFFICER. Is there a sufficient second?
  There is a sufficient second.
  The clerk will call the roll.
  The bill clerk called the roll.
  Mr. CORNYN. The following Senators are necessarily absent: the 
Senator from Texas (Mr. Cruz), the Senator from South Carolina (Mr. 
Graham), the Senator from Kentucky (Mr. Paul), the Senator from Florida 
(Mr. Rubio), and the Senator from Louisiana (Mr. Vitter).
  The PRESIDING OFFICER. Are there any other Senators in the Chamber 
desiring to vote?
  The result was announced--yeas 74, nays 21, as follows:

                      [Rollcall Vote No. 291 Leg.]

                                YEAS--74

     Alexander
     Ayotte
     Barrasso
     Bennet
     Blumenthal
     Blunt
     Boozman
     Boxer
     Burr
     Cantwell
     Capito
     Carper
     Casey
     Cassidy
     Coats
     Cochran
     Collins
     Corker
     Cornyn
     Cotton
     Donnelly
     Durbin
     Enzi
     Ernst
     Feinstein
     Fischer
     Flake
     Gardner
     Gillibrand
     Grassley
     Hatch
     Heinrich
     Heitkamp
     Hirono
     Hoeven
     Inhofe
     Isakson
     Johnson
     Kaine
     King
     Kirk
     Klobuchar
     Lankford
     Manchin
     McCain
     McCaskill
     McConnell
     Mikulski
     Moran
     Murkowski
     Murphy
     Murray
     Nelson
     Perdue
     Peters
     Portman
     Reed
     Reid
     Roberts
     Rounds
     Sasse
     Schatz
     Schumer
     Scott
     Sessions
     Shaheen
     Shelby
     Stabenow
     Thune
     Tillis
     Toomey
     Warner
     Whitehouse
     Wicker

                                NAYS--21

     Baldwin
     Booker
     Brown
     Cardin
     Coons
     Crapo
     Daines
     Franken
     Heller
     Leahy
     Lee
     Markey
     Menendez
     Merkley
     Risch
     Sanders
     Sullivan
     Tester
     Udall
     Warren
     Wyden

                             NOT VOTING--5

     Cruz
     Graham
     Paul
     Rubio
     Vitter
  The bill (S. 754), as amended, was passed, as follows:

                                 S. 754

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. TABLE OF CONTENTS.

       The table of contents of this Act is as follows:

Sec. 1. Table of contents.

               TITLE I--CYBERSECURITY INFORMATION SHARING

Sec. 101. Short title.
Sec. 102. Definitions.
Sec. 103. Sharing of information by the Federal Government.
Sec. 104. Authorizations for preventing, detecting, analyzing, and 
              mitigating cybersecurity threats.
Sec. 105. Sharing of cyber threat indicators and defensive measures 
              with the Federal Government.
Sec. 106. Protection from liability.
Sec. 107. Oversight of Government activities.
Sec. 108. Construction and preemption.
Sec. 109. Report on cybersecurity threats.
Sec. 110. Conforming amendment.

              TITLE II--FEDERAL CYBERSECURITY ENHANCEMENT

Sec. 201. Short title.
Sec. 202. Definitions.
Sec. 203. Improved Federal network security.
Sec. 204. Advanced internal defenses.
Sec. 205. Federal cybersecurity requirements.
Sec. 206. Assessment; reports.
Sec. 207. Termination.
Sec. 208. Identification of information systems relating to national 
              security.
Sec. 209. Direction to agencies.

         TITLE III--FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT

Sec. 301. Short title.
Sec. 302. Definitions.
Sec. 303. National cybersecurity workforce measurement initiative.
Sec. 304. Identification of cyber-related roles of critical need.
Sec. 305. Government Accountability Office status reports.

                     TITLE IV--OTHER CYBER MATTERS

Sec. 401. Study on mobile device security.
Sec. 402. Department of State international cyberspace policy strategy.
Sec. 403. Apprehension and prosecution of international cyber 
              criminals.
Sec. 404. Enhancement of emergency services.
Sec. 405. Improving cybersecurity in the health care industry.
Sec. 406. Federal computer security.
Sec. 407. Strategy to protect critical infrastructure at greatest risk.
Sec. 408. Stopping the fraudulent sale of financial information of 
              people of the United States.
Sec. 409. Effective period.

               TITLE I--CYBERSECURITY INFORMATION SHARING

     SEC. 101. SHORT TITLE.

       This title may be cited as the ``Cybersecurity Information 
     Sharing Act of 2015''.

     SEC. 102. DEFINITIONS.

       In this title:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 3502 of title 44, United States Code.
       (2) Antitrust laws.--The term ``antitrust laws''--
       (A) has the meaning given the term in section 1 of the 
     Clayton Act (15 U.S.C. 12);
       (B) includes section 5 of the Federal Trade Commission Act 
     (15 U.S.C. 45) to the extent that section 5 of that Act 
     applies to unfair methods of competition; and
       (C) includes any State law that has the same intent and 
     effect as the laws under subparagraphs (A) and (B).
       (3) Appropriate federal entities.--The term ``appropriate 
     Federal entities'' means the following:
       (A) The Department of Commerce.
       (B) The Department of Defense.
       (C) The Department of Energy.
       (D) The Department of Homeland Security.
       (E) The Department of Justice.
       (F) The Department of the Treasury.
       (G) The Office of the Director of National Intelligence.
       (4) Cybersecurity purpose.--The term ``cybersecurity 
     purpose'' means the purpose of protecting an information 
     system or information that is stored on, processed by, or 
     transiting an information system from a cybersecurity threat 
     or security vulnerability.
       (5) Cybersecurity threat.--
       (A) In general.--Except as provided in subparagraph (B), 
     the term ``cybersecurity threat'' means an action, not 
     protected by the First Amendment to the Constitution of the 
     United States, on or through an information system that may 
     result in an unauthorized effort to adversely impact the 
     security, availability, confidentiality, or integrity of an 
     information system or information that is stored on, 
     processed by, or transiting an information system.
       (B) Exclusion.--The term ``cybersecurity threat'' does not 
     include any action that solely involves a violation of a 
     consumer term of service or a consumer licensing agreement.
       (6) Cyber threat indicator.--The term ``cyber threat 
     indicator'' means information that is necessary to describe 
     or identify--
       (A) malicious reconnaissance, including anomalous patterns 
     of communications that appear to be transmitted for the 
     purpose of gathering technical information related to a 
     cybersecurity threat or security vulnerability;
       (B) a method of defeating a security control or 
     exploitation of a security vulnerability;
       (C) a security vulnerability, including anomalous activity 
     that appears to indicate the existence of a security 
     vulnerability;
       (D) a method of causing a user with legitimate access to an 
     information system or information that is stored on, 
     processed by, or transiting an information system to 
     unwittingly enable the defeat of a security control or 
     exploitation of a security vulnerability;
       (E) malicious cyber command and control;
       (F) the actual or potential harm caused by an incident, 
     including a description of the information exfiltrated as a 
     result of a particular cybersecurity threat;
       (G) any other attribute of a cybersecurity threat, if 
     disclosure of such attribute is not otherwise prohibited by 
     law; or
       (H) any combination thereof.
       (7) Defensive measure.--
       (A) In general.--Except as provided in subparagraph (B), 
     the term ``defensive measure'' means an action, device, 
     procedure, signature, technique, or other measure applied to 
     an information system or information that is stored on, 
     processed by, or transiting an information system that 
     detects, prevents, or mitigates a known or suspected 
     cybersecurity threat or security vulnerability.
       (B) Exclusion.--The term ``defensive measure'' does not 
     include a measure that destroys, renders unusable, provides 
     unauthorized access to, or substantially harms an information 
     system or data on an information system not belonging to--
       (i) the private entity operating the measure; or
       (ii) another entity or Federal entity that is authorized to 
     provide consent and has provided consent to that private 
     entity for operation of such measure.
       (8) Entity.--
       (A) In general.--Except as otherwise provided in this 
     paragraph, the term ``entity'' means any private entity, non-
     Federal government agency or department, or State,

[[Page S7523]]

     tribal, or local government (including a political 
     subdivision, department, or component thereof).
       (B) Inclusions.--The term ``entity'' includes a government 
     agency or department of the District of Columbia, the 
     Commonwealth of Puerto Rico, the Virgin Islands, Guam, 
     American Samoa, the Northern Mariana Islands, and any other 
     territory or possession of the United States.
       (C) Exclusion.--The term ``entity'' does not include a 
     foreign power as defined in section 101 of the Foreign 
     Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
       (9) Federal entity.--The term ``Federal entity'' means a 
     department or agency of the United States or any component of 
     such department or agency.
       (10) Information system.--The term ``information system''--
       (A) has the meaning given the term in section 3502 of title 
     44, United States Code; and
       (B) includes industrial control systems, such as 
     supervisory control and data acquisition systems, distributed 
     control systems, and programmable logic controllers.
       (11) Local government.--The term ``local government'' means 
     any borough, city, county, parish, town, township, village, 
     or other political subdivision of a State.
       (12) Malicious cyber command and control.--The term 
     ``malicious cyber command and control'' means a method for 
     unauthorized remote identification of, access to, or use of, 
     an information system or information that is stored on, 
     processed by, or transiting an information system.
       (13) Malicious reconnaissance.--The term ``malicious 
     reconnaissance'' means a method for actively probing or 
     passively monitoring an information system for the purpose of 
     discerning security vulnerabilities of the information 
     system, if such method is associated with a known or 
     suspected cybersecurity threat.
       (14) Monitor.--The term ``monitor'' means to acquire, 
     identify, or scan, or to possess, information that is stored 
     on, processed by, or transiting an information system.
       (15) Private entity.--
       (A) In general.--Except as otherwise provided in this 
     paragraph, the term ``private entity'' means any person or 
     private group, organization, proprietorship, partnership, 
     trust, cooperative, corporation, or other commercial or 
     nonprofit entity, including an officer, employee, or agent 
     thereof.
       (B) Inclusion.--The term ``private entity'' includes a 
     State, tribal, or local government performing electric or 
     other utility services.
       (C) Exclusion.--The term ``private entity'' does not 
     include a foreign power as defined in section 101 of the 
     Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 
     1801).
       (16) Security control.--The term ``security control'' means 
     the management, operational, and technical controls used to 
     protect against an unauthorized effort to adversely affect 
     the confidentiality, integrity, and availability of an 
     information system or its information.
       (17) Security vulnerability.--The term ``security 
     vulnerability'' means any attribute of hardware, software, 
     process, or procedure that could enable or facilitate the 
     defeat of a security control.
       (18) Tribal.--The term ``tribal'' has the meaning given the 
     term ``Indian tribe'' in section 4 of the Indian Self-
     Determination and Education Assistance Act (25 U.S.C. 450b).

     SEC. 103. SHARING OF INFORMATION BY THE FEDERAL GOVERNMENT.

       (a) In General.--Consistent with the protection of 
     classified information, intelligence sources and methods, and 
     privacy and civil liberties, the Director of National 
     Intelligence, the Secretary of Homeland Security, the 
     Secretary of Defense, and the Attorney General, in 
     consultation with the heads of the appropriate Federal 
     entities, shall develop and promulgate procedures to 
     facilitate and promote--
       (1) the timely sharing of classified cyber threat 
     indicators in the possession of the Federal Government with 
     cleared representatives of relevant entities;
       (2) the timely sharing with relevant entities of cyber 
     threat indicators or information in the possession of the 
     Federal Government that may be declassified and shared at an 
     unclassified level;
       (3) the sharing with relevant entities, or the public if 
     appropriate, of unclassified, including controlled 
     unclassified, cyber threat indicators in the possession of 
     the Federal Government;
       (4) the sharing with entities, if appropriate, of 
     information in the possession of the Federal Government about 
     cybersecurity threats to such entities to prevent or mitigate 
     adverse effects from such cybersecurity threats; and
       (5) the periodic sharing, through publication and targeted 
     outreach, of cybersecurity best practices that are developed 
     based on ongoing analysis of cyber threat indicators and 
     information in possession of the Federal Government, with 
     attention to accessibility and implementation challenges 
     faced by small business concerns (as defined in section 3 of 
     the Small Business Act (15 U.S.C. 632)).
       (b) Development of Procedures.--
       (1) In general.--The procedures developed and promulgated 
     under subsection (a) shall--
       (A) ensure the Federal Government has and maintains the 
     capability to share cyber threat indicators in real time 
     consistent with the protection of classified information;
       (B) incorporate, to the greatest extent practicable, 
     existing processes and existing roles and responsibilities of 
     Federal and non-Federal entities for information sharing by 
     the Federal Government, including sector specific information 
     sharing and analysis centers;
       (C) include procedures for notifying, in a timely manner, 
     entities that have received a cyber threat indicator from a 
     Federal entity under this title that is known or determined 
     to be in error or in contravention of the requirements of 
     this title or another provision of Federal law or policy of 
     such error or contravention;
       (D) include requirements for Federal entities sharing cyber 
     threat indicators or defensive measures to implement and 
     utilize security controls to protect against unauthorized 
     access to or acquisition of such cyber threat indicators or 
     defensive measures;
       (E) include procedures that require a Federal entity, prior 
     to the sharing of a cyber threat indicator--
       (i) to review such cyber threat indicator to assess whether 
     such cyber threat indicator contains any information that 
     such Federal entity knows at the time of sharing to be 
     personal information or information that identifies a 
     specific person not directly related to a cybersecurity 
     threat and remove such information; or
       (ii) to implement and utilize a technical capability 
     configured to remove any personal information or information 
     that identifies a specific person not directly related to a 
     cybersecurity threat; and
       (F) include procedures for notifying, in a timely manner, 
     any United States person whose personal information is known 
     or determined to have been shared by a Federal entity in 
     violation of this Act.
       (2) Coordination.--In developing the procedures required 
     under this section, the Director of National Intelligence, 
     the Secretary of Homeland Security, the Secretary of Defense, 
     and the Attorney General shall coordinate with appropriate 
     Federal entities, including the Small Business Administration 
     and the National Laboratories (as defined in section 2 of the 
     Energy Policy Act of 2005 (42 U.S.C. 15801)), to ensure that 
     effective protocols are implemented that will facilitate and 
     promote the sharing of cyber threat indicators by the Federal 
     Government in a timely manner.
       (c) Submittal to Congress.--Not later than 60 days after 
     the date of the enactment of this Act, the Director of 
     National Intelligence, in consultation with the heads of the 
     appropriate Federal entities, shall submit to Congress the 
     procedures required by subsection (a).

     SEC. 104. AUTHORIZATIONS FOR PREVENTING, DETECTING, 
                   ANALYZING, AND MITIGATING CYBERSECURITY 
                   THREATS.

       (a) Authorization for Monitoring.--
       (1) In general.--Notwithstanding any other provision of 
     law, a private entity may, for cybersecurity purposes, 
     monitor--
       (A) an information system of such private entity;
       (B) an information system of another entity, upon the 
     authorization and written consent of such other entity;
       (C) an information system of a Federal entity, upon the 
     authorization and written consent of an authorized 
     representative of the Federal entity; and
       (D) information that is stored on, processed by, or 
     transiting an information system monitored by the private 
     entity under this paragraph.
       (2) Construction.--Nothing in this subsection shall be 
     construed--
       (A) to authorize the monitoring of an information system, 
     or the use of any information obtained through such 
     monitoring, other than as provided in this title; or
       (B) to limit otherwise lawful activity.
       (b) Authorization for Operation of Defensive Measures.--
       (1) In general.--Notwithstanding any other provision of 
     law, a private entity may, for cybersecurity purposes, 
     operate a defensive measure that is applied to--
       (A) an information system of such private entity in order 
     to protect the rights or property of the private entity;
       (B) an information system of another entity upon written 
     consent of such entity for operation of such defensive 
     measure to protect the rights or property of such entity; and
       (C) an information system of a Federal entity upon written 
     consent of an authorized representative of such Federal 
     entity for operation of such defensive measure to protect the 
     rights or property of the Federal Government.
       (2) Construction.--Nothing in this subsection shall be 
     construed--
       (A) to authorize the use of a defensive measure other than 
     as provided in this subsection; or
       (B) to limit otherwise lawful activity.
       (c) Authorization for Sharing or Receiving Cyber Threat 
     Indicators or Defensive Measures.--
       (1) In general.--Except as provided in paragraph (2) and 
     notwithstanding any other provision of law, an entity may, 
     for a cybersecurity purpose and consistent with the 
     protection of classified information, share with, or receive 
     from, any other entity or the Federal Government a cyber 
     threat indicator or defensive measure.
       (2) Lawful restriction.--An entity receiving a cyber threat 
     indicator or defensive measure from another entity or Federal 
     entity shall comply with otherwise lawful restrictions placed 
     on the sharing or use of such cyber threat indicator or 
     defensive

[[Page S7524]]

     measure by the sharing entity or Federal entity.
       (3) Construction.--Nothing in this subsection shall be 
     construed--
       (A) to authorize the sharing or receiving of a cyber threat 
     indicator or defensive measure other than as provided in this 
     subsection; or
       (B) to limit otherwise lawful activity.
       (d) Protection and Use of Information.--
       (1) Security of information.--An entity monitoring an 
     information system, operating a defensive measure, or 
     providing or receiving a cyber threat indicator or defensive 
     measure under this section shall implement and utilize a 
     security control to protect against unauthorized access to or 
     acquisition of such cyber threat indicator or defensive 
     measure.
       (2) Removal of certain personal information.--An entity 
     sharing a cyber threat indicator pursuant to this title 
     shall, prior to such sharing--
       (A) review such cyber threat indicator to assess whether 
     such cyber threat indicator contains any information that the 
     entity knows at the time of sharing to be personal 
     information or information that identifies a specific person 
     not directly related to a cybersecurity threat and remove 
     such information; or
       (B) implement and utilize a technical capability configured 
     to remove any information contained within such indicator 
     that the entity knows at the time of sharing to be personal 
     information or information that identifies a specific person 
     not directly related to a cybersecurity threat.
       (3) Use of cyber threat indicators and defensive measures 
     by entities.--
       (A) In general.--Consistent with this title, a cyber threat 
     indicator or defensive measure shared or received under this 
     section may, for cybersecurity purposes--
       (i) be used by an entity to monitor or operate a defensive 
     measure that is applied to--

       (I) an information system of the entity; or
       (II) an information system of another entity or a Federal 
     entity upon the written consent of that other entity or that 
     Federal entity; and

       (ii) be otherwise used, retained, and further shared by an 
     entity subject to--

       (I) an otherwise lawful restriction placed by the sharing 
     entity or Federal entity on such cyber threat indicator or 
     defensive measure; or
       (II) an otherwise applicable provision of law.

       (B) Construction.--Nothing in this paragraph shall be 
     construed to authorize the use of a cyber threat indicator or 
     defensive measure other than as provided in this section.
       (4) Use of cyber threat indicators by state, tribal, or 
     local government.--
       (A) Law enforcement use.--
       (i) Prior written consent.--Except as provided in clause 
     (ii), a cyber threat indicator shared with a State, tribal, 
     or local government under this section may, with the prior 
     written consent of the entity sharing such indicator, be used 
     by a State, tribal, or local government for the purpose of 
     preventing, investigating, or prosecuting any of the offenses 
     described in section 105(d)(5)(A)(vi).
       (ii) Oral consent.--If exigent circumstances prevent 
     obtaining written consent under clause (i), such consent may 
     be provided orally with subsequent documentation of the 
     consent.
       (B) Exemption from disclosure.--A cyber threat indicator 
     shared with a State, tribal, or local government under this 
     section shall be--
       (i) deemed voluntarily shared information; and
       (ii) exempt from disclosure under any State, tribal, or 
     local law requiring disclosure of information or records.
       (C) State, tribal, and local regulatory authority.--
       (i) In general.--Except as provided in clause (ii), a cyber 
     threat indicator or defensive measure shared with a State, 
     tribal, or local government under this title shall not be 
     directly used by any State, tribal, or local government to 
     regulate, including an enforcement action, the lawful 
     activity of any entity, including an activity relating to 
     monitoring, operating a defensive measure, or sharing of a 
     cyber threat indicator.
       (ii) Regulatory authority specifically relating to 
     prevention or mitigation of cybersecurity threats.--A cyber 
     threat indicator or defensive measure shared as described in 
     clause (i) may, consistent with a State, tribal, or local 
     government regulatory authority specifically relating to the 
     prevention or mitigation of cybersecurity threats to 
     information systems, inform the development or implementation 
     of a regulation relating to such information systems.
       (e) Antitrust Exemption.--
       (1) In general.--Except as provided in section 108(e), it 
     shall not be considered a violation of any provision of 
     antitrust laws for 2 or more private entities to exchange or 
     provide a cyber threat indicator, or assistance relating to 
     the prevention, investigation, or mitigation of a 
     cybersecurity threat, for cybersecurity purposes under this 
     title.
       (2) Applicability.--Paragraph (1) shall apply only to 
     information that is exchanged or assistance provided in order 
     to assist with--
       (A) facilitating the prevention, investigation, or 
     mitigation of a cybersecurity threat to an information system 
     or information that is stored on, processed by, or transiting 
     an information system; or
       (B) communicating or disclosing a cyber threat indicator to 
     help prevent, investigate, or mitigate the effect of a 
     cybersecurity threat to an information system or information 
     that is stored on, processed by, or transiting an information 
     system.
       (f) No Right or Benefit.--The sharing of a cyber threat 
     indicator with an entity under this title shall not create a 
     right or benefit to similar information by such entity or any 
     other entity.

     SEC. 105. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE 
                   MEASURES WITH THE FEDERAL GOVERNMENT.

       (a) Requirement for Policies and Procedures.--
       (1) Interim policies and procedures.--Not later than 60 
     days after the date of the enactment of this Act, the 
     Attorney General and the Secretary of Homeland Security 
     shall, in coordination with the heads of the appropriate 
     Federal entities, develop and submit to Congress interim 
     policies and procedures relating to the receipt of cyber 
     threat indicators and defensive measures by the Federal 
     Government.
       (2) Final policies and procedures.--Not later than 180 days 
     after the date of the enactment of this Act, the Attorney 
     General and the Secretary of Homeland Security shall, in 
     coordination with the heads of the appropriate Federal 
     entities, promulgate final policies and procedures relating 
     to the receipt of cyber threat indicators and defensive 
     measures by the Federal Government.
       (3) Requirements concerning policies and procedures.--
     Consistent with the guidelines required by subsection (b), 
     the policies and procedures developed and promulgated under 
     this subsection shall--
       (A) ensure that cyber threat indicators shared with the 
     Federal Government by any entity pursuant to section 104(c) 
     through the real-time process described in subsection (c) of 
     this section--
       (i) are shared in an automated manner with all of the 
     appropriate Federal entities;
       (ii) are only subject to a delay, modification, or other 
     action due to controls established for such real-time process 
     that could impede real-time receipt by all of the appropriate 
     Federal entities when the delay, modification, or other 
     action is due to controls--

       (I) agreed upon unanimously by all of the heads of the 
     appropriate Federal entities;
       (II) carried out before any of the appropriate Federal 
     entities retains or uses the cyber threat indicators or 
     defensive measures; and
       (III) uniformly applied such that each of the appropriate 
     Federal entities is subject to the same delay, modification, 
     or other action; and

       (iii) may be provided to other Federal entities;
       (B) ensure that cyber threat indicators shared with the 
     Federal Government by any entity pursuant to section 104 in a 
     manner other than the real time process described in 
     subsection (c) of this section--
       (i) are shared as quickly as operationally practicable with 
     all of the appropriate Federal entities;
       (ii) are not subject to any unnecessary delay, 
     interference, or any other action that could impede receipt 
     by all of the appropriate Federal entities; and
       (iii) may be provided to other Federal entities;
       (C) consistent with this title, any other applicable 
     provisions of law, and the fair information practice 
     principles set forth in appendix A of the document entitled 
     ``National Strategy for Trusted Identities in Cyberspace'' 
     and published by the President in April, 2011, govern the 
     retention, use, and dissemination by the Federal Government 
     of cyber threat indicators shared with the Federal Government 
     under this title, including the extent, if any, to which such 
     cyber threat indicators may be used by the Federal 
     Government; and
       (D) ensure there are--
       (i) audit capabilities; and
       (ii) appropriate sanctions in place for officers, 
     employees, or agents of a Federal entity who knowingly and 
     willfully conduct activities under this title in an 
     unauthorized manner.
       (4) Guidelines for entities sharing cyber threat indicators 
     with federal government.--
       (A) In general.--Not later than 60 days after the date of 
     the enactment of this Act, the Attorney General and the 
     Secretary of Homeland Security shall develop and make 
     publicly available guidance to assist entities and promote 
     sharing of cyber threat indicators with Federal entities 
     under this title.
       (B) Contents.--The guidelines developed and made publicly 
     available under subparagraph (A) shall include guidance on 
     the following:
       (i) Identification of types of information that would 
     qualify as a cyber threat indicator under this title that 
     would be unlikely to include personal information or 
     information that identifies a specific person not directly 
     related to a cyber security threat.
       (ii) Identification of types of information protected under 
     otherwise applicable privacy laws that are unlikely to be 
     directly related to a cybersecurity threat.
       (iii) Such other matters as the Attorney General and the 
     Secretary of Homeland Security consider appropriate for 
     entities sharing cyber threat indicators with Federal 
     entities under this title.
       (b) Privacy and Civil Liberties.--

[[Page S7525]]

       (1) Guidelines of attorney general.--Not later than 60 days 
     after the date of the enactment of this Act, the Attorney 
     General shall, in coordination with heads of the appropriate 
     Federal entities and in consultation with officers designated 
     under section 1062 of the National Security Intelligence 
     Reform Act of 2004 (42 U.S.C. 2000ee-1), develop, submit to 
     Congress, and make available to the public interim guidelines 
     relating to privacy and civil liberties which shall govern 
     the receipt, retention, use, and dissemination of cyber 
     threat indicators by a Federal entity obtained in connection 
     with activities authorized in this title.
       (2) Final guidelines.--
       (A) In general.--Not later than 180 days after the date of 
     the enactment of this Act, the Attorney General shall, in 
     coordination with heads of the appropriate Federal entities 
     and in consultation with officers designated under section 
     1062 of the National Security Intelligence Reform Act of 2004 
     (42 U.S.C. 2000ee-1) and such private entities with industry 
     expertise as the Attorney General considers relevant, 
     promulgate final guidelines relating to privacy and civil 
     liberties which shall govern the receipt, retention, use, and 
     dissemination of cyber threat indicators by a Federal entity 
     obtained in connection with activities authorized in this 
     title.
       (B) Periodic review.--The Attorney General shall, in 
     coordination with heads of the appropriate Federal entities 
     and in consultation with officers and private entities 
     described in subparagraph (A), periodically, but not less 
     frequently than once every two years, review the guidelines 
     promulgated under subparagraph (A).
       (3) Content.--The guidelines required by paragraphs (1) and 
     (2) shall, consistent with the need to protect information 
     systems from cybersecurity threats and mitigate cybersecurity 
     threats--
       (A) limit the effect on privacy and civil liberties of 
     activities by the Federal Government under this title;
       (B) limit the receipt, retention, use, and dissemination of 
     cyber threat indicators containing personal information or 
     information that identifies specific persons, including by 
     establishing--
       (i) a process for the timely destruction of such 
     information that is known not to be directly related to uses 
     authorized under this title; and
       (ii) specific limitations on the length of any period in 
     which a cyber threat indicator may be retained;
       (C) include requirements to safeguard cyber threat 
     indicators containing personal information or information 
     that identifies specific persons from unauthorized access or 
     acquisition, including appropriate sanctions for activities 
     by officers, employees, or agents of the Federal Government 
     in contravention of such guidelines;
       (D) include procedures for notifying entities and Federal 
     entities if information received pursuant to this section is 
     known or determined by a Federal entity receiving such 
     information not to constitute a cyber threat indicator;
       (E) protect the confidentiality of cyber threat indicators 
     containing personal information or information that 
     identifies specific persons to the greatest extent 
     practicable and require recipients to be informed that such 
     indicators may only be used for purposes authorized under 
     this title; and
       (F) include steps that may be needed so that dissemination 
     of cyber threat indicators is consistent with the protection 
     of classified and other sensitive national security 
     information.
       (c) Capability and Process Within the Department of 
     Homeland Security.--
       (1) In general.--Not later than 90 days after the date of 
     the enactment of this Act, the Secretary of Homeland 
     Security, in coordination with the heads of the appropriate 
     Federal entities, shall develop and implement a capability 
     and process within the Department of Homeland Security that--
       (A) shall accept from any entity in real time cyber threat 
     indicators and defensive measures, pursuant to this section;
       (B) shall, upon submittal of the certification under 
     paragraph (2) that such capability and process fully and 
     effectively operates as described in such paragraph, be the 
     process by which the Federal Government receives cyber threat 
     indicators and defensive measures under this title that are 
     shared by a private entity with the Federal Government 
     through electronic mail or media, an interactive form on an 
     Internet website, or a real time, automated process between 
     information systems except--
       (i) consistent with section 104, communications between a 
     Federal entity and a private entity regarding a previously 
     shared cyber threat indicator to describe the relevant 
     cybersecurity threat or develop a defensive measure based on 
     such cyber threat indicator; and
       (ii) communications by a regulated entity with such 
     entity's Federal regulatory authority regarding a 
     cybersecurity threat;
       (C) ensures that all of the appropriate Federal entities 
     receive in an automated manner such cyber threat indicators 
     shared through the real-time process within the Department of 
     Homeland Security;
       (D) is in compliance with the policies, procedures, and 
     guidelines required by this section; and
       (E) does not limit or prohibit otherwise lawful disclosures 
     of communications, records, or other information, including--
       (i) reporting of known or suspected criminal activity, by 
     an entity to any other entity or a Federal entity;
       (ii) voluntary or legally compelled participation in a 
     Federal investigation; and
       (iii) providing cyber threat indicators or defensive 
     measures as part of a statutory or authorized contractual 
     requirement.
       (2) Certification.--Not later than 10 days prior to the 
     implementation of the capability and process required by 
     paragraph (1), the Secretary of Homeland Security shall, in 
     consultation with the heads of the appropriate Federal 
     entities, certify to Congress whether such capability and 
     process fully and effectively operates--
       (A) as the process by which the Federal Government receives 
     from any entity a cyber threat indicator or defensive measure 
     under this title; and
       (B) in accordance with the policies, procedures, and 
     guidelines developed under this section.
       (3) Public notice and access.--The Secretary of Homeland 
     Security shall ensure there is public notice of, and access 
     to, the capability and process developed and implemented 
     under paragraph (1) so that--
       (A) any entity may share cyber threat indicators and 
     defensive measures through such process with the Federal 
     Government; and
       (B) all of the appropriate Federal entities receive such 
     cyber threat indicators and defensive measures in real time 
     with receipt through the process within the Department of 
     Homeland Security.
       (4) Other federal entities.--The process developed and 
     implemented under paragraph (1) shall ensure that other 
     Federal entities receive in a timely manner any cyber threat 
     indicators and defensive measures shared with the Federal 
     Government through such process.
       (5)  Report on development and implementation.--
       (A) In general.--Not later than 60 days after the date of 
     the enactment of this Act, the Secretary of Homeland Security 
     shall submit to Congress a report on the development and 
     implementation of the capability and process required by 
     paragraph (1), including a description of such capability and 
     process and the public notice of, and access to, such 
     process.
       (B) Classified annex.--The report required by subparagraph 
     (A) shall be submitted in unclassified form, but may include 
     a classified annex.
       (d) Information Shared With or Provided to the Federal 
     Government.--
       (1) No waiver of privilege or protection.--The provision of 
     cyber threat indicators and defensive measures to the Federal 
     Government under this title shall not constitute a waiver of 
     any applicable privilege or protection provided by law, 
     including trade secret protection.
       (2) Proprietary information.--Consistent with section 
     104(c)(2), a cyber threat indicator or defensive measure 
     provided by an entity to the Federal Government under this 
     title shall be considered the commercial, financial, and 
     proprietary information of such entity when so designated by 
     the originating entity or a third party acting in accordance 
     with the written authorization of the originating entity.
       (3) Exemption from disclosure.--Cyber threat indicators and 
     defensive measures provided to the Federal Government under 
     this title shall be--
       (A) deemed voluntarily shared information and exempt from 
     disclosure under section 552 of title 5, United States Code, 
     and any State, tribal, or local law requiring disclosure of 
     information or records; and
       (B) withheld, without discretion, from the public under 
     section 552(b)(3)(B) of title 5, United States Code, and any 
     State, tribal, or local provision of law requiring disclosure 
     of information or records.
       (4) Ex parte communications.--The provision of a cyber 
     threat indicator or defensive measure to the Federal 
     Government under this title shall not be subject to a rule of 
     any Federal agency or department or any judicial doctrine 
     regarding ex parte communications with a decision-making 
     official.
       (5) Disclosure, retention, and use.--
       (A) Authorized activities.--Cyber threat indicators and 
     defensive measures provided to the Federal Government under 
     this title may be disclosed to, retained by, and used by, 
     consistent with otherwise applicable provisions of Federal 
     law, any Federal agency or department, component, officer, 
     employee, or agent of the Federal Government solely for--
       (i) a cybersecurity purpose;
       (ii) the purpose of identifying a cybersecurity threat, 
     including the source of such cybersecurity threat, or a 
     security vulnerability;
       (iii) the purpose of identifying a cybersecurity threat 
     involving the use of an information system by a foreign 
     adversary or terrorist;
       (iv) the purpose of responding to, or otherwise preventing 
     or mitigating, an imminent threat of death, serious bodily 
     harm, or serious economic harm, including a terrorist act or 
     a use of a weapon of mass destruction;
       (v) the purpose of responding to, or otherwise preventing 
     or mitigating, a serious threat to a minor, including sexual 
     exploitation and threats to physical safety; or
       (vi) the purpose of preventing, investigating, disrupting, 
     or prosecuting an offense arising out of a threat described 
     in clause (iv) or any of the offenses listed in--

[[Page S7526]]

       (I) sections 1028 through 1030 of title 18, United States 
     Code (relating to fraud and identity theft);
       (II) chapter 37 of such title (relating to espionage and 
     censorship); and
       (III) chapter 90 of such title (relating to protection of 
     trade secrets).

       (B) Prohibited activities.--Cyber threat indicators and 
     defensive measures provided to the Federal Government under 
     this title shall not be disclosed to, retained by, or used by 
     any Federal agency or department for any use not permitted 
     under subparagraph (A).
       (C) Privacy and civil liberties.--Cyber threat indicators 
     and defensive measures provided to the Federal Government 
     under this title shall be retained, used, and disseminated by 
     the Federal Government--
       (i) in accordance with the policies, procedures, and 
     guidelines required by subsections (a) and (b);
       (ii) in a manner that protects from unauthorized use or 
     disclosure any cyber threat indicators that may contain 
     personal information or information that identifies specific 
     persons; and
       (iii) in a manner that protects the confidentiality of 
     cyber threat indicators containing personal information or 
     information that identifies a specific person.
       (D) Federal regulatory authority.--
       (i) In general.--Except as provided in clause (ii), cyber 
     threat indicators and defensive measures provided to the 
     Federal Government under this title shall not be directly 
     used by any Federal, State, tribal, or local government to 
     regulate, including an enforcement action, the lawful 
     activities of any entity, including activities relating to 
     monitoring, operating defensive measures, or sharing cyber 
     threat indicators.
       (ii) Exceptions.--

       (I) Regulatory authority specifically relating to 
     prevention or mitigation of cybersecurity threats.--Cyber 
     threat indicators and defensive measures provided to the 
     Federal Government under this title may, consistent with 
     Federal or State regulatory authority specifically relating 
     to the prevention or mitigation of cybersecurity threats to 
     information systems, inform the development or implementation 
     of regulations relating to such information systems.
       (II) Procedures developed and implemented under this 
     title.--Clause (i) shall not apply to procedures developed 
     and implemented under this title.

     SEC. 106. PROTECTION FROM LIABILITY.

       (a) Monitoring of Information Systems.--No cause of action 
     shall lie or be maintained in any court against any private 
     entity, and such action shall be promptly dismissed, for the 
     monitoring of information systems and information under 
     section 104(a) that is conducted in accordance with this 
     title.
       (b) Sharing or Receipt of Cyber Threat Indicators.--No 
     cause of action shall lie or be maintained in any court 
     against any entity, and such action shall be promptly 
     dismissed, for the sharing or receipt of cyber threat 
     indicators or defensive measures under section 104(c) if--
       (1) such sharing or receipt is conducted in accordance with 
     this title; and
       (2) in a case in which a cyber threat indicator or 
     defensive measure is shared with the Federal Government, the 
     cyber threat indicator or defensive measure is shared in a 
     manner that is consistent with section 105(c)(1)(B) and the 
     sharing or receipt, as the case may be, occurs after the 
     earlier of--
       (A) the date on which the interim policies and procedures 
     are submitted to Congress under section 105(a)(1) and 
     guidelines are submitted to Congress under section 105(b)(1); 
     or
       (B) the date that is 60 days after the date of the 
     enactment of this Act.
       (c) Construction.--Nothing in this section shall be 
     construed--
       (1) to require dismissal of a cause of action against an 
     entity that has engaged in gross negligence or willful 
     misconduct in the course of conducting activities authorized 
     by this title; or
       (2) to undermine or limit the availability of otherwise 
     applicable common law or statutory defenses.

     SEC. 107. OVERSIGHT OF GOVERNMENT ACTIVITIES.

       (a) Biennial Report on Implementation.--
       (1) In general.--Not later than 1 year after the date of 
     the enactment of this Act, and not less frequently than once 
     every 2 years thereafter, the heads of the appropriate 
     Federal entities shall jointly submit and the Inspector 
     General of the Department of Homeland Security, the Inspector 
     General of the Intelligence Community, the Inspector General 
     of the Department of Justice, the Inspector General of the 
     Department of Defense, and the Inspector General of the 
     Department of Energy, in consultation with the Council of 
     Inspectors General on Financial Oversight, shall jointly 
     submit to Congress a detailed report concerning the 
     implementation of this title during--
       (A) in the case of the first report submitted under this 
     paragraph, the most recent 1-year period; and
       (B) in the case of any subsequent report submitted under 
     this paragraph, the most recent 2-year period.
       (2) Contents.--Each report submitted under paragraph (1) 
     shall include, for the period covered by the report, the 
     following:
       (A) An assessment of the sufficiency of the policies, 
     procedures, and guidelines required by section 105 in 
     ensuring that cyber threat indicators are shared effectively 
     and responsibly within the Federal Government.
       (B) An evaluation of the effectiveness of real-time 
     information sharing through the capability and process 
     developed under section 105(c), including any impediments to 
     such real-time sharing.
       (C) An assessment of the sufficiency of the procedures 
     developed under section 103 in ensuring that cyber threat 
     indicators in the possession of the Federal Government are 
     shared in a timely and adequate manner with appropriate 
     entities, or, if appropriate, are made publicly available.
       (D) An assessment of whether cyber threat indicators have 
     been properly classified and an accounting of the number of 
     security clearances authorized by the Federal Government for 
     the purposes of this title.
       (E) A review of the type of cyber threat indicators shared 
     with the appropriate Federal entities under this title, 
     including the following:
       (i) The number of cyber threat indicators received through 
     the capability and process developed under section 105(c).
       (ii) The number of times that information shared under this 
     title was used by a Federal entity to prosecute an offense 
     consistent with section 105(d)(5)(A).
       (iii) The degree to which such information may affect the 
     privacy and civil liberties of specific persons.
       (iv) A quantitative and qualitative assessment of the 
     effect of the sharing of such cyber threat indicators with 
     the Federal Government on privacy and civil liberties of 
     specific persons, including the number of notices that were 
     issued with respect to a failure to remove personal 
     information or information that identified a specific person 
     not directly related to a cybersecurity threat in accordance 
     with the procedures required by section 105(b)(3)(D).
       (v) The adequacy of any steps taken by the Federal 
     Government to reduce such effect.
       (F) A review of actions taken by the Federal Government 
     based on cyber threat indicators shared with the Federal 
     Government under this title, including the appropriateness of 
     any subsequent use or dissemination of such cyber threat 
     indicators by a Federal entity under section 105.
       (G) A description of any significant violations of the 
     requirements of this title by the Federal Government.
       (H) A summary of the number and type of entities that 
     received classified cyber threat indicators from the Federal 
     Government under this title and an evaluation of the risks 
     and benefits of sharing such cyber threat indicators.
       (3) Recommendations.--Each report submitted under paragraph 
     (1) may include recommendations for improvements or 
     modifications to the authorities and processes under this 
     title.
       (4) Form of report.--Each report required by paragraph (1) 
     shall be submitted in unclassified form, but may include a 
     classified annex.
       (b) Reports on Privacy and Civil Liberties.--
       (1) Biennial report from privacy and civil liberties 
     oversight board.--Not later than 2 years after the date of 
     the enactment of this Act and not less frequently than once 
     every 2 years thereafter, the Privacy and Civil Liberties 
     Oversight Board shall submit to Congress and the President a 
     report providing--
       (A) an assessment of the effect on privacy and civil 
     liberties by the type of activities carried out under this 
     title; and
       (B) an assessment of the sufficiency of the policies, 
     procedures, and guidelines established pursuant to section 
     105 in addressing concerns relating to privacy and civil 
     liberties.
       (2) Biennial report of inspectors general.--
       (A) In general.--Not later than 2 years after the date of 
     the enactment of this Act and not less frequently than once 
     every 2 years thereafter, the Inspector General of the 
     Department of Homeland Security, the Inspector General of the 
     Intelligence Community, the Inspector General of the 
     Department of Justice, the Inspector General of the 
     Department of Defense, and the Inspector General of the 
     Department of Energy shall, in consultation with the Council 
     of Inspectors General on Financial Oversight, jointly submit 
     to Congress a report on the receipt, use, and dissemination 
     of cyber threat indicators and defensive measures that have 
     been shared with Federal entities under this title.
       (B) Contents.--Each report submitted under subparagraph (A) 
     shall include the following:
       (i) A review of the types of cyber threat indicators shared 
     with Federal entities.
       (ii) A review of the actions taken by Federal entities as a 
     result of the receipt of such cyber threat indicators.
       (iii) A list of Federal entities receiving such cyber 
     threat indicators.
       (iv) A review of the sharing of such cyber threat 
     indicators among Federal entities to identify inappropriate 
     barriers to sharing information.
       (3) Recommendations.--Each report submitted under this 
     subsection may include such recommendations as the Privacy 
     and Civil Liberties Oversight Board, with respect to a report 
     submitted under paragraph (1), or the Inspectors General 
     referred to in paragraph (2)(A), with respect to a report 
     submitted under paragraph (2), may have for improvements or 
     modifications to the authorities under this title.

[[Page S7527]]

       (4) Form.--Each report required under this subsection shall 
     be submitted in unclassified form, but may include a 
     classified annex.
     SEC. 108. CONSTRUCTION AND PREEMPTION.
       (a) Otherwise Lawful Disclosures.--Nothing in this title 
     shall be construed--
       (1) to limit or prohibit otherwise lawful disclosures of 
     communications, records, or other information, including 
     reporting of known or suspected criminal activity, by an 
     entity to any other entity or the Federal Government under 
     this title; or
       (2) to limit or prohibit otherwise lawful use of such 
     disclosures by any Federal entity, even when such otherwise 
     lawful disclosures duplicate or replicate disclosures made 
     under this title.
       (b) Whistle Blower Protections.--Nothing in this title 
     shall be construed to prohibit or limit the disclosure of 
     information protected under section 2302(b)(8) of title 5, 
     United States Code (governing disclosures of illegality, 
     waste, fraud, abuse, or public health or safety threats), 
     section 7211 of title 5, United States Code (governing 
     disclosures to Congress), section 1034 of title 10, United 
     States Code (governing disclosure to Congress by members of 
     the military), section 1104 of the National Security Act of 
     1947 (50 U.S.C. 3234) (governing disclosure by employees of 
     elements of the intelligence community), or any similar 
     provision of Federal or State law.
       (c) Protection of Sources and Methods.--Nothing in this 
     title shall be construed--
       (1) as creating any immunity against, or otherwise 
     affecting, any action brought by the Federal Government, or 
     any agency or department thereof, to enforce any law, 
     executive order, or procedure governing the appropriate 
     handling, disclosure, or use of classified information;
       (2) to affect the conduct of authorized law enforcement or 
     intelligence activities; or
       (3) to modify the authority of a department or agency of 
     the Federal Government to protect classified information and 
     sources and methods and the national security of the United 
     States.
       (d) Relationship to Other Laws.--Nothing in this title 
     shall be construed to affect any requirement under any other 
     provision of law for an entity to provide information to the 
     Federal Government.
       (e) Prohibited Conduct.--Nothing in this title shall be 
     construed to permit price-fixing, allocating a market between 
     competitors, monopolizing or attempting to monopolize a 
     market, boycotting, or exchanges of price or cost 
     information, customer lists, or information regarding future 
     competitive planning.
       (f) Information Sharing Relationships.--Nothing in this 
     title shall be construed--
       (1) to limit or modify an existing information sharing 
     relationship;
       (2) to prohibit a new information sharing relationship;
       (3) to require a new information sharing relationship 
     between any entity and another entity or a Federal entity; or
       (4) to require the use of the capability and process within 
     the Department of Homeland Security developed under section 
     105(c).
       (g) Preservation of Contractual Obligations and Rights.--
     Nothing in this title shall be construed--
       (1) to amend, repeal, or supersede any current or future 
     contractual agreement, terms of service agreement, or other 
     contractual relationship between any entities, or between any 
     entity and a Federal entity; or
       (2) to abrogate trade secret or intellectual property 
     rights of any entity or Federal entity.
       (h) Anti-tasking Restriction.--Nothing in this title shall 
     be construed to permit a Federal entity--
       (1) to require an entity to provide information to a 
     Federal entity or another entity;
       (2) to condition the sharing of cyber threat indicators 
     with an entity on such entity's provision of cyber threat 
     indicators to a Federal entity or another entity; or
       (3) to condition the award of any Federal grant, contract, 
     or purchase on the provision of a cyber threat indicator to a 
     Federal entity or another entity.
       (i) No Liability for Non-participation.--Nothing in this 
     title shall be construed to subject any entity to liability 
     for choosing not to engage in the voluntary activities 
     authorized in this title.
       (j) Use and Retention of Information.--Nothing in this 
     title shall be construed to authorize, or to modify any 
     existing authority of, a department or agency of the Federal 
     Government to retain or use any information shared under this 
     title for any use other than permitted in this title.
       (k) Federal Preemption.--
       (1) In general.--This title supersedes any statute or other 
     provision of law of a State or political subdivision of a 
     State that restricts or otherwise expressly regulates an 
     activity authorized under this title.
       (2) State law enforcement.--Nothing in this title shall be 
     construed to supersede any statute or other provision of law 
     of a State or political subdivision of a State concerning the 
     use of authorized law enforcement practices and procedures.
       (l) Regulatory Authority.--Nothing in this title shall be 
     construed--
       (1) to authorize the promulgation of any regulations not 
     specifically authorized by this title;
       (2) to establish or limit any regulatory authority not 
     specifically established or limited under this title; or
       (3) to authorize regulatory actions that would duplicate or 
     conflict with regulatory requirements, mandatory standards, 
     or related processes under another provision of Federal law.
       (m) Authority of Secretary of Defense To Respond to Cyber 
     Attacks.--Nothing in this title shall be construed to limit 
     the authority of the Secretary of Defense to develop, 
     prepare, coordinate, or, when authorized by the President to 
     do so, conduct a military cyber operation in response to a 
     malicious cyber activity carried out against the United 
     States or a United States person by a foreign government or 
     an organization sponsored by a foreign government or a 
     terrorist organization.

     SEC. 109. REPORT ON CYBERSECURITY THREATS.

       (a) Report Required.--Not later than 180 days after the 
     date of the enactment of this Act, the Director of National 
     Intelligence, in coordination with the heads of other 
     appropriate elements of the intelligence community, shall 
     submit to the Select Committee on Intelligence of the Senate 
     and the Permanent Select Committee on Intelligence of the 
     House of Representatives a report on cybersecurity threats, 
     including cyber attacks, theft, and data breaches.
       (b) Contents.--The report required by subsection (a) shall 
     include the following:
       (1) An assessment of the current intelligence sharing and 
     cooperation relationships of the United States with other 
     countries regarding cybersecurity threats, including cyber 
     attacks, theft, and data breaches, directed against the 
     United States and which threaten the United States national 
     security interests and economy and intellectual property, 
     specifically identifying the relative utility of such 
     relationships, which elements of the intelligence community 
     participate in such relationships, and whether and how such 
     relationships could be improved.
       (2) A list and an assessment of the countries and nonstate 
     actors that are the primary threats of carrying out a 
     cybersecurity threat, including a cyber attack, theft, or 
     data breach, against the United States and which threaten the 
     United States national security, economy, and intellectual 
     property.
       (3) A description of the extent to which the capabilities 
     of the United States Government to respond to or prevent 
     cybersecurity threats, including cyber attacks, theft, or 
     data breaches, directed against the United States private 
     sector are degraded by a delay in the prompt notification by 
     private entities of such threats or cyber attacks, theft, and 
     breaches.
       (4) An assessment of additional technologies or 
     capabilities that would enhance the ability of the United 
     States to prevent and to respond to cybersecurity threats, 
     including cyber attacks, theft, and data breaches.
       (5) An assessment of any technologies or practices utilized 
     by the private sector that could be rapidly fielded to assist 
     the intelligence community in preventing and responding to 
     cybersecurity threats.
       (c) Additional Report.--At the time the report required by 
     subsection (a) is submitted, the Director of National 
     Intelligence shall submit to the Committee on Foreign 
     Relations of the Senate and the Committee on Foreign Affairs 
     of the House of Representatives a report containing the 
     information required by subsection (b)(2).
       (d) Form of Report.--The report required by subsection (a) 
     shall be made available in classified and unclassified forms.
       (e) Intelligence Community Defined.--In this section, the 
     term ``intelligence community'' has the meaning given that 
     term in section 3 of the National Security Act of 1947 (50 
     U.S.C. 3003).

     SEC. 110. CONFORMING AMENDMENT.

       Section 941(c)(3) of the National Defense Authorization Act 
     for Fiscal Year 2013 (Public Law 112-239; 10 U.S.C. 2224 
     note) is amended by inserting at the end the following: ``The 
     Secretary may share such information with other Federal 
     entities if such information consists of cyber threat 
     indicators and defensive measures and such information is 
     shared consistent with the policies and procedures 
     promulgated by the Attorney General and the Secretary of 
     Homeland Security under section 105 of the Cybersecurity 
     Information Sharing Act of 2015.''.

              TITLE II--FEDERAL CYBERSECURITY ENHANCEMENT

     SEC. 201. SHORT TITLE.

       This title may be cited as the ``Federal Cybersecurity 
     Enhancement Act of 2015''.

     SEC. 202. DEFINITIONS.

       In this title--
       (1) the term ``agency'' has the meaning given the term in 
     section 3502 of title 44, United States Code;
       (2) the term ``agency information system'' has the meaning 
     given the term in section 228 of the Homeland Security Act of 
     2002, as added by section 203(a);
       (3) the term ``appropriate congressional committees'' 
     means--
       (A) the Committee on Homeland Security and Governmental 
     Affairs of the Senate; and
       (B) the Committee on Homeland Security of the House of 
     Representatives;
       (4) the terms ``cybersecurity risk'' and ``information 
     system'' have the meanings given those terms in section 227 
     of the Homeland Security Act of 2002, as so redesignated by 
     section 203(a);
       (5) the term ``Director'' means the Director of the Office 
     of Management and Budget;
       (6) the term ``intelligence community'' has the meaning 
     given the term in section 3(4) of the National Security Act 
     of 1947 (50 U.S.C. 3003(4));

[[Page S7528]]

       (7) the term ``national security system'' has the meaning 
     given the term in section 11103 of title 40, United States 
     Code; and
       (8) the term ``Secretary'' means the Secretary of Homeland 
     Security.

     SEC. 203. IMPROVED FEDERAL NETWORK SECURITY.

       (a) In General.--Subtitle C of title II of the Homeland 
     Security Act of 2002 (6 U.S.C. 141 et seq.) is amended--
       (1) by redesignating section 228 as section 229;
       (2) by redesignating section 227 as subsection (c) of 
     section 228, as added by paragraph (4), and adjusting the 
     margins accordingly;
       (3) by redesignating the second section designated as 
     section 226 (relating to the national cybersecurity and 
     communications integration center) as section 227;
       (4) by inserting after section 227, as so redesignated, the 
     following:

     ``SEC. 228. CYBERSECURITY PLANS.

       ``(a) Definitions.--In this section--
       ``(1) the term `agency information system' means an 
     information system used or operated by an agency or by 
     another entity on behalf of an agency;
       ``(2) the terms `cybersecurity risk' and `information 
     system' have the meanings given those terms in section 227;
       ``(3) the term `intelligence community' has the meaning 
     given the term in section 3(4) of the National Security Act 
     of 1947 (50 U.S.C. 3003(4)); and
       ``(4) the term `national security system' has the meaning 
     given the term in section 11103 of title 40, United States 
     Code.
       ``(b) Intrusion Assessment Plan.--
       ``(1) Requirement.--The Secretary, in coordination with the 
     Director of the Office of Management and Budget, shall 
     develop and implement an intrusion assessment plan to 
     identify and remove intruders in agency information systems.
       ``(2) Exception.--The intrusion assessment plan required 
     under paragraph (1) shall not apply to the Department of 
     Defense, a national security system, or an element of the 
     intelligence community.'';
       (5) in section 228(c), as so redesignated, by striking 
     ``section 226'' and inserting ``section 227''; and
       (6) by inserting after section 229, as so redesignated, the 
     following:

     ``SEC. 230. FEDERAL INTRUSION DETECTION AND PREVENTION 
                   SYSTEM.

       ``(a) Definitions.--In this section--
       ``(1) the term `agency' has the meaning given that term in 
     section 3502 of title 44, United States Code;
       ``(2) the term `agency information' means information 
     collected or maintained by or on behalf of an agency;
       ``(3) the term `agency information system' has the meaning 
     given the term in section 228; and
       ``(4) the terms `cybersecurity risk' and `information 
     system' have the meanings given those terms in section 227.
       ``(b) Requirement.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of this section, the Secretary shall deploy, 
     operate, and maintain, to make available for use by any 
     agency, with or without reimbursement--
       ``(A) a capability to detect cybersecurity risks in network 
     traffic transiting or traveling to or from an agency 
     information system; and
       ``(B) a capability to prevent network traffic associated 
     with such cybersecurity risks from transiting or traveling to 
     or from an agency information system or modify such network 
     traffic to remove the cybersecurity risk.
       ``(2) Regular improvement.--The Secretary shall regularly 
     deploy new technologies and modify existing technologies to 
     the intrusion detection and prevention capabilities described 
     in paragraph (1) as appropriate to improve the intrusion 
     detection and prevention capabilities.
       ``(c) Activities.--In carrying out subsection (b), the 
     Secretary--
       ``(1) may access, and the head of an agency may disclose to 
     the Secretary or a private entity providing assistance to the 
     Secretary under paragraph (2), information transiting or 
     traveling to or from an agency information system, regardless 
     of the location from which the Secretary or a private entity 
     providing assistance to the Secretary under paragraph (2) 
     accesses such information, notwithstanding any other 
     provision of law that would otherwise restrict or prevent the 
     head of an agency from disclosing such information to the 
     Secretary or a private entity providing assistance to the 
     Secretary under paragraph (2);
       ``(2) may enter into contracts or other agreements with, or 
     otherwise request and obtain the assistance of, private 
     entities to deploy and operate technologies in accordance 
     with subsection (b);
       ``(3) may retain, use, and disclose information obtained 
     through the conduct of activities authorized under this 
     section only to protect information and information systems 
     from cybersecurity risks;
       ``(4) shall regularly assess through operational test and 
     evaluation in real world or simulated environments available 
     advanced protective technologies to improve detection and 
     prevention capabilities, including commercial and non-
     commercial technologies and detection technologies beyond 
     signature-based detection, and utilize such technologies when 
     appropriate;
       ``(5) shall establish a pilot to acquire, test, and deploy, 
     as rapidly as possible, technologies described in paragraph 
     (4);
       ``(6) shall periodically update the privacy impact 
     assessment required under section 208(b) of the E-Government 
     Act of 2002 (44 U.S.C. 3501 note); and
       ``(7) shall ensure that--
       ``(A) activities carried out under this section are 
     reasonably necessary for the purpose of protecting agency 
     information and agency information systems from a 
     cybersecurity risk;
       ``(B) information accessed by the Secretary will be 
     retained no longer than reasonably necessary for the purpose 
     of protecting agency information and agency information 
     systems from a cybersecurity risk;
       ``(C) notice has been provided to users of an agency 
     information system concerning access to communications of 
     users of the agency information system for the purpose of 
     protecting agency information and the agency information 
     system; and
       ``(D) the activities are implemented pursuant to policies 
     and procedures governing the operation of the intrusion 
     detection and prevention capabilities.
       ``(d) Private Entities.--
       ``(1) Conditions.--A private entity described in subsection 
     (c)(2) may not--
       ``(A) disclose any network traffic transiting or traveling 
     to or from an agency information system to any entity without 
     the consent of the Department or the agency that disclosed 
     the information under subsection (c)(1); or
       ``(B) use any network traffic transiting or traveling to or 
     from an agency information system to which the private entity 
     gains access in accordance with this section for any purpose 
     other than to protect agency information and agency 
     information systems against cybersecurity risks or to 
     administer a contract or other agreement entered into 
     pursuant to subsection (c)(2) or as part of another contract 
     with the Secretary.
       ``(2) Limitation on liability.--No cause of action shall 
     lie in any court against a private entity for assistance 
     provided to the Secretary in accordance with this section and 
     any contract or agreement entered into pursuant to subsection 
     (c)(2).
       ``(3) Rule of construction.--Nothing in paragraph (2) shall 
     be construed to authorize an Internet service provider to 
     break a user agreement with a customer without the consent of 
     the customer.
       ``(e) Attorney General Review.--Not later than 1 year after 
     the date of enactment of this section, the Attorney General 
     shall review the policies and guidelines for the program 
     carried out under this section to ensure that the policies 
     and guidelines are consistent with applicable law governing 
     the acquisition, interception, retention, use, and disclosure 
     of communications.''.
       (b) Prioritizing Advanced Security Tools.--The Director and 
     the Secretary, in consultation with appropriate agencies, 
     shall--
       (1) review and update governmentwide policies and programs 
     to ensure appropriate prioritization and use of network 
     security monitoring tools within agency networks; and
       (2) brief appropriate congressional committees on such 
     prioritization and use.
       (c) Agency Responsibilities.--
       (1) In general.--Except as provided in paragraph (2)--
       (A) not later than 1 year after the date of enactment of 
     this Act or 2 months after the date on which the Secretary 
     makes available the intrusion detection and prevention 
     capabilities under section 230(b)(1) of the Homeland Security 
     Act of 2002, as added by subsection (a), whichever is later, 
     the head of each agency shall apply and continue to utilize 
     the capabilities to all information traveling between an 
     agency information system and any information system other 
     than an agency information system; and
       (B) not later than 6 months after the date on which the 
     Secretary makes available improvements to the intrusion 
     detection and prevention capabilities pursuant to section 
     230(b)(2) of the Homeland Security Act of 2002, as added by 
     subsection (a), the head of each agency shall apply and 
     continue to utilize the improved intrusion detection and 
     prevention capabilities.
       (2) Exception.--The requirements under paragraph (1) shall 
     not apply to the Department of Defense, a national security 
     system, or an element of the intelligence community.
       (3) Definition.--In this subsection only, the term ``agency 
     information system'' means an information system owned or 
     operated by an agency.
       (4) Rule of construction.--Nothing in this subsection shall 
     be construed to limit an agency from applying the intrusion 
     detection and prevention capabilities under section 230(b)(1) 
     of the Homeland Security Act of 2002, as added by subsection 
     (a), at the discretion of the head of the agency or as 
     provided in relevant policies, directives, and guidelines.
       (d) Table of Contents Amendment.--The table of contents in 
     section 1(b) of the Homeland Security Act of 2002 (6 U.S.C. 
     101 note) is amended by striking the items relating to the 
     first section designated as section 226, the second section 
     designated as section 226 (relating to the national 
     cybersecurity and communications integration center), section 
     227, and section 228 and inserting the following:

``Sec. 226. Cybersecurity recruitment and retention.
``Sec. 227. National cybersecurity and communications integration 
              center.

[[Page S7529]]

``Sec. 228. Cybersecurity plans.
``Sec. 229. Clearances.
``Sec. 230. Federal intrusion detection and prevention system.''.


     SEC. 204. ADVANCED INTERNAL DEFENSES.

       (a) Advanced Network Security Tools.--
       (1) In general.--The Secretary shall include in the 
     Continuous Diagnostics and Mitigation Program advanced 
     network security tools to improve visibility of network 
     activity, including through the use of commercial and free or 
     open source tools, to detect and mitigate intrusions and 
     anomalous activity.
       (2) Development of plan.--The Director shall develop and 
     implement a plan to ensure that each agency utilizes advanced 
     network security tools, including those described in 
     paragraph (1), to detect and mitigate intrusions and 
     anomalous activity.
       (b) Improved Metrics.--The Secretary, in collaboration with 
     the Director, shall review and update the metrics used to 
     measure security under section 3554 of title 44, United 
     States Code, to include measures of intrusion and incident 
     detection and response times.
       (c) Transparency and Accountability.--The Director, in 
     consultation with the Secretary, shall increase transparency 
     to the public on agency cybersecurity posture, including by 
     increasing the number of metrics available on Federal 
     Government performance websites and, to the greatest extent 
     practicable, displaying metrics for department components, 
     small agencies, and micro agencies.
       (d) Maintenance of Technologies.--Section 3553(b)(6)(B) of 
     title 44, United States Code, is amended by inserting ``, 
     operating, and maintaining'' after ``deploying''.
       (e) Exception.--The requirements under this section shall 
     not apply to the Department of Defense, a national security 
     system, or an element of the intelligence community.

     SEC. 205. FEDERAL CYBERSECURITY REQUIREMENTS.

       (a) Implementation of Federal Cybersecurity Standards.--
     Consistent with section 3553 of title 44, United States Code, 
     the Secretary, in consultation with the Director, shall 
     exercise the authority to issue binding operational 
     directives to assist the Director in ensuring timely agency 
     adoption of and compliance with policies and standards 
     promulgated under section 11331 of title 40, United States 
     Code, for securing agency information systems.
       (b) Cybersecurity Requirements at Agencies.--
       (1) In general.--Consistent with policies, standards, 
     guidelines, and directives on information security under 
     subchapter II of chapter 35 of title 44, United States Code, 
     and the standards and guidelines promulgated under section 
     11331 of title 40, United States Code, and except as provided 
     in paragraph (2), not later than 1 year after the date of the 
     enactment of this Act, the head of each agency shall--
       (A) identify sensitive and mission critical data stored by 
     the agency consistent with the inventory required under the 
     first subsection (c) (relating to the inventory of major 
     information systems) and the second subsection (c) (relating 
     to the inventory of information systems) of section 3505 of 
     title 44, United States Code;
       (B) assess access controls to the data described in 
     subparagraph (A), the need for readily accessible storage of 
     the data, and individuals' need to access the data;
       (C) encrypt or otherwise render indecipherable to 
     unauthorized users the data described in subparagraph (A) 
     that is stored on or transiting agency information systems;
       (D) implement a single sign-on trusted identity platform 
     for individuals accessing each public website of the agency 
     that requires user authentication, as developed by the 
     Administrator of General Services in collaboration with the 
     Secretary; and
       (E) implement identity management consistent with section 
     504 of the Cybersecurity Enhancement Act of 2014 (Public Law 
     113-274; 15 U.S.C. 7464), including multi-factor 
     authentication, for--
       (i) remote access to an agency information system; and
       (ii) each user account with elevated privileges on an 
     agency information system.
       (2) Exception.--The requirements under paragraph (1) shall 
     not apply to an agency information system for which--
       (A) the head of the agency has personally certified to the 
     Director with particularity that--
       (i) operational requirements articulated in the 
     certification and related to the agency information system 
     would make it excessively burdensome to implement the 
     cybersecurity requirement;
       (ii) the cybersecurity requirement is not necessary to 
     secure the agency information system or agency information 
     stored on or transiting it; and
       (iii) the agency has taken all necessary steps to secure 
     the agency information system and agency information stored 
     on or transiting it; and
       (B) the head of the agency or the designee of the head of 
     the agency has submitted the certification described in 
     subparagraph (A) to the appropriate congressional committees 
     and the agency's authorizing committees.
       (3) Construction.--Nothing in this section shall be 
     construed to alter the authority of the Secretary, the 
     Director, or the Director of the National Institute of 
     Standards and Technology in implementing subchapter II of 
     chapter 35 of title 44, United States Code. Nothing in this 
     section shall be construed to affect the National Institute 
     of Standards and Technology standards process or the 
     requirement under section 3553(a)(4) of such title or to 
     discourage continued improvements and advancements in the 
     technology, standards, policies, and guidelines used to 
     promote Federal information security.
       (c) Exception.--The requirements under this section shall 
     not apply to the Department of Defense, a national security 
     system, or an element of the intelligence community.

     SEC. 206. ASSESSMENT; REPORTS.

       (a) Definitions.--In this section--
       (1) the term ``intrusion assessments'' means actions taken 
     under the intrusion assessment plan to identify and remove 
     intruders in agency information systems;
       (2) the term ``intrusion assessment plan'' means the plan 
     required under section 228(b)(1) of the Homeland Security Act 
     of 2002, as added by section 203(a) of this Act; and
       (3) the term ``intrusion detection and prevention 
     capabilities'' means the capabilities required under section 
     230(b) of the Homeland Security Act of 2002, as added by 
     section 203(a) of this Act.
       (b) Third Party Assessment.--Not later than 3 years after 
     the date of enactment of this Act, the Government 
     Accountability Office shall conduct a study and publish a 
     report on the effectiveness of the approach and strategy of 
     the Federal Government to securing agency information 
     systems, including the intrusion detection and prevention 
     capabilities and the intrusion assessment plan.
       (c) Reports to Congress.--
       (1) Intrusion detection and prevention capabilities.--
       (A) Secretary of homeland security report.--Not later than 
     6 months after the date of enactment of this Act, and 
     annually thereafter, the Secretary shall submit to the 
     appropriate congressional committees a report on the status 
     of implementation of the intrusion detection and prevention 
     capabilities, including--
       (i) a description of privacy controls;
       (ii) a description of the technologies and capabilities 
     utilized to detect cybersecurity risks in network traffic, 
     including the extent to which those technologies and 
     capabilities include existing commercial and non-commercial 
     technologies;
       (iii) a description of the technologies and capabilities 
     utilized to prevent network traffic associated with 
     cybersecurity risks from transiting or traveling to or from 
     agency information systems, including the extent to which 
     those technologies and capabilities include existing 
     commercial and non-commercial technologies;
       (iv) a list of the types of indicators or other identifiers 
     or techniques used to detect cybersecurity risks in network 
     traffic transiting or traveling to or from agency information 
     systems on each iteration of the intrusion detection and 
     prevention capabilities and the number of each such type of 
     indicator, identifier, and technique;
       (v) the number of instances in which the intrusion 
     detection and prevention capabilities detected a 
     cybersecurity risk in network traffic transiting or traveling 
     to or from agency information systems and the number of times 
     the intrusion detection and prevention capabilities blocked 
     network traffic associated with cybersecurity risk; and
       (vi) a description of the pilot established under section 
     230(c)(5) of the Homeland Security Act of 2002, as added by 
     section 203(a) of this Act, including the number of new 
     technologies tested and the number of participating agencies.
       (B) OMB report.--Not later than 18 months after the date of 
     enactment of this Act, and annually thereafter, the Director 
     shall submit to Congress, as part of the report required 
     under section 3553(c) of title 44, United States Code, an 
     analysis of agency application of the intrusion detection and 
     prevention capabilities, including--
       (i) a list of each agency and the degree to which each 
     agency has applied the intrusion detection and prevention 
     capabilities to an agency information system; and
       (ii) a list by agency of--

       (I) the number of instances in which the intrusion 
     detection and prevention capabilities detected a 
     cybersecurity risk in network traffic transiting or traveling 
     to or from an agency information system and the types of 
     indicators, identifiers, and techniques used to detect such 
     cybersecurity risks; and
       (II) the number of instances in which the intrusion 
     detection and prevention capabilities prevented network 
     traffic associated with a cybersecurity risk from transiting 
     or traveling to or from an agency information system and the 
     types of indicators, identifiers, and techniques used to 
     detect such agency information systems.

       (2) OMB report on development and implementation of 
     intrusion assessment plan, advanced internal defenses, and 
     federal cybersecurity best practices.--The Director shall--
       (A) not later than 6 months after the date of enactment of 
     this Act, and 30 days after any update thereto, submit the 
     intrusion assessment plan to the appropriate congressional 
     committees;
       (B) not later than 1 year after the date of enactment of 
     this Act, and annually thereafter, submit to Congress, as 
     part of the report required under section 3553(c) of title 
     44, United States Code--

[[Page S7530]]

       (i) a description of the implementation of the intrusion 
     assessment plan;
       (ii) the findings of the intrusion assessments conducted 
     pursuant to the intrusion assessment plan;
       (iii) advanced network security tools included in the 
     Continuous Diagnostics and Mitigation Program pursuant to 
     section 204(a)(1);
       (iv) the results of the assessment of the Secretary of best 
     practices for Federal cybersecurity pursuant to section 
     205(a); and
       (v) a list by agency of compliance with the requirements of 
     section 205(b); and
       (C) not later than 1 year after the date of enactment of 
     this Act, submit to the appropriate congressional 
     committees--
       (i) a copy of the plan developed pursuant to section 
     204(a)(2); and
       (ii) the improved metrics developed pursuant to section 
     204(b).

     SEC. 207. TERMINATION.

       (a) In General.--The authority provided under section 230 
     of the Homeland Security Act of 2002, as added by section 
     203(a) of this Act, and the reporting requirements under 
     section 206(c) shall terminate on the date that is 7 years 
     after the date of enactment of this Act.
       (b) Rule of Construction.--Nothing in subsection (a) shall 
     be construed to affect the limitation of liability of a 
     private entity for assistance provided to the Secretary under 
     section 230(d)(2) of the Homeland Security Act of 2002, as 
     added by section 203(a) of this Act, if such assistance was 
     rendered before the termination date under subsection (a) or 
     otherwise during a period in which the assistance was 
     authorized.

     SEC. 208. IDENTIFICATION OF INFORMATION SYSTEMS RELATING TO 
                   NATIONAL SECURITY.

       (a) In General.--Except as provided in subsection (c), not 
     later than 180 days after the date of enactment of this Act--
       (1) the Director of National Intelligence and the Director 
     of the Office of Management and Budget, in coordination with 
     the heads of other agencies, shall--
       (A) identify all unclassified information systems that 
     provide access to information that may provide an adversary 
     with the ability to derive information that would otherwise 
     be considered classified;
       (B) assess the risks that would result from the breach of 
     each unclassified information system identified in 
     subparagraph (A); and
       (C) assess the cost and impact on the mission carried out 
     by each agency that owns an unclassified information system 
     identified in subparagraph (A) if the system were to be 
     subsequently designated as a national security system; and
       (2) the Director of National Intelligence and the Director 
     of the Office of Management and Budget shall submit to the 
     appropriate congressional committees, the Select Committee on 
     Intelligence of the Senate, and the Permanent Select 
     Committee on Intelligence of the House of Representatives a 
     report that includes the findings under paragraph (1).
       (b) Form.--The report submitted under subsection (a)(2) 
     shall be in unclassified form, and shall include a classified 
     annex.
       (c) Exception.--The requirements under subsection (a)(1) 
     shall not apply to the Department of Defense, a national 
     security system, or an element of the intelligence community.
       (d) Rule of Construction.--Nothing in this section shall be 
     construed to designate an information system as a national 
     security system.

     SEC. 209. DIRECTION TO AGENCIES.

       (a) In General.--Section 3553 of title 44, United States 
     Code, is amended by adding at the end the following:
       ``(h) Direction to Agencies.--
       ``(1) Authority.--
       ``(A) In general.--Subject to subparagraph (B), in response 
     to a known or reasonably suspected information security 
     threat, vulnerability, or incident that represents a 
     substantial threat to the information security of an agency, 
     the Secretary may issue an emergency directive to the head of 
     an agency to take any lawful action with respect to the 
     operation of the information system, including such systems 
     used or operated by another entity on behalf of an agency, 
     that collects, processes, stores, transmits, disseminates, or 
     otherwise maintains agency information, for the purpose of 
     protecting the information system from, or mitigating, an 
     information security threat.
       ``(B) Exception.--The authorities of the Secretary under 
     this subsection shall not apply to a system described 
     subsection (d) or to a system described in paragraph (2) or 
     (3) of subsection (e).
       ``(2) Procedures for use of authority.--The Secretary 
     shall--
       ``(A) in coordination with the Director, establish 
     procedures governing the circumstances under which a 
     directive may be issued under this subsection, which shall 
     include--
       ``(i) thresholds and other criteria;
       ``(ii) privacy and civil liberties protections; and
       ``(iii) providing notice to potentially affected third 
     parties;
       ``(B) specify the reasons for the required action and the 
     duration of the directive;
       ``(C) minimize the impact of a directive under this 
     subsection by--
       ``(i) adopting the least intrusive means possible under the 
     circumstances to secure the agency information systems; and
       ``(ii) limiting directives to the shortest period 
     practicable;
       ``(D) notify the Director and the head of any affected 
     agency immediately upon the issuance of a directive under 
     this subsection;
       ``(E) consult with the Director of the National Institute 
     of Standards and Technology regarding any directive under 
     this subsection that implements standards and guidelines 
     developed by the National Institute of Standards and 
     Technology;
       ``(F) ensure that directives issued under this subsection 
     do not conflict with the standards and guidelines issued 
     under section 11331 of title 40;
       ``(G) consider any applicable standards or guidelines 
     developed by the National Institute of Standards and issued 
     by the Secretary of Commerce under section 11331 of title 40; 
     and
       ``(H) not later than February 1 of each year, submit to the 
     appropriate congressional committees a report regarding the 
     specific actions the Secretary has taken pursuant to 
     paragraph (1)(A).
       ``(3) Imminent threats.--
       ``(A) In general.--Notwithstanding section 3554, the 
     Secretary may authorize the intrusion detection and 
     prevention capabilities under section 230(b)(1) of the 
     Homeland Security Act of 2002 for the purpose of ensuring the 
     security of agency information systems, if--
       ``(i) the Secretary determines there is an imminent threat 
     to agency information systems;
       ``(ii) the Secretary determines a directive under 
     subsection (b)(2)(C) or paragraph (1)(A) is not reasonably 
     likely to result in a timely response to the threat;
       ``(iii) the Secretary determines the risk posed by the 
     imminent threat outweighs any adverse consequences reasonably 
     expected to result from the use of protective capabilities 
     under the control of the Secretary;
       ``(iv) the Secretary provides prior notice to the Director, 
     and the head and chief information officer (or equivalent 
     official) of each agency to which specific actions will be 
     taken pursuant to subparagraph (A), and notifies the 
     appropriate congressional committees and authorizing 
     committees of each such agencies within seven days of taking 
     an action under this subsection of--

       ``(I) any action taken under this subsection; and
       ``(II) the reasons for and duration and nature of the 
     action;

       ``(v) the action of the Secretary is consistent with 
     applicable law; and
       ``(vi) the Secretary authorizes the use of protective 
     capabilities in accordance with the advance procedures 
     established under subparagraph (C).
       ``(B) Limitation on delegation.--The authority under this 
     subsection may not be delegated by the Secretary.
       ``(C) Advance procedures.--The Secretary shall, in 
     coordination with the Director, and in consultation with the 
     heads of Federal agencies, establish procedures governing the 
     circumstances under which the Secretary may authorize the use 
     of protective capabilities subparagraph (A). The Secretary 
     shall submit the procedures to Congress.
       ``(4) Limitation.--The Secretary may direct or authorize 
     lawful action or protective capability under this subsection 
     only to--
       ``(A) protect agency information from unauthorized access, 
     use, disclosure, disruption, modification, or destruction; or
       ``(B) require the remediation of or protect against 
     identified information security risks with respect to--
       ``(i) information collected or maintained by or on behalf 
     of an agency; or
       ``(ii) that portion of an information system used or 
     operated by an agency or by a contractor of an agency or 
     other organization on behalf of an agency.
       ``(i) Annual Report to Congress.--Not later than February 1 
     of each year, the Director shall submit to the appropriate 
     congressional committees a report regarding the specific 
     actions the Director has taken pursuant to subsection (a)(5), 
     including any actions taken pursuant to section 11303(b)(5) 
     of title 40.
       ``(j) Appropriate Congressional Committees Defined.--In 
     this section, the term `appropriate congressional committees' 
     means--
       ``(1) the Committee on Appropriations and the Committee on 
     Homeland Security and Governmental Affairs of the Senate; and
       ``(2) the Committee on Appropriations, the Committee on 
     Homeland Security, the Committee on Oversight and Government 
     Reform, and the Committee on Science, Space, and Technology 
     of the House of Representatives.''.
       (b) Conforming Amendment.--Section 3554(a)(1)(B) of title 
     44, United States Code, is amended--
       (1) in clause (iii), by striking ``and'' at the end; and
       (2) by adding at the end the following:
       ``(v) emergency directives issued by the Secretary under 
     section 3553(h); and''.

         TITLE III--FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT

     SEC. 301. SHORT TITLE.

       This title may be cited as the ``Federal Cybersecurity 
     Workforce Assessment Act of 2015''.

     SEC. 302. DEFINITIONS.

       In this title:
       (1) Appropriate congressional committees.--The term 
     ``appropriate congressional committees'' means--
       (A) the Committee on Armed Services of the Senate;

[[Page S7531]]

       (B) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       (C) the Select Committee on Intelligence of the Senate;
       (D) the Committee on Commerce, Science, and Transportation 
     of the Senate;
       (E) the Committee on Armed Services in the House of 
     Representatives;
       (F) the Committee on Homeland Security of the House of 
     Representatives;
       (G) the Committee on Oversight and Government Reform of the 
     House of Representatives; and
       (H) the Permanent Select Committee on Intelligence of the 
     House of Representatives.
       (2) Director.--The term ``Director'' means the Director of 
     the Office of Personnel Management.
       (3) Roles.--The term ``roles'' has the meaning given the 
     term in the National Initiative for Cybersecurity Education's 
     Cybersecurity Workforce Framework.

     SEC. 303. NATIONAL CYBERSECURITY WORKFORCE MEASUREMENT 
                   INITIATIVE.

       (a) In General.--The head of each Federal agency shall--
       (1) identify all positions within the agency that require 
     the performance of cybersecurity or other cyber-related 
     functions; and
       (2) assign the corresponding employment code, which shall 
     be added to the National Initiative for Cybersecurity 
     Education's National Cybersecurity Workforce Framework, in 
     accordance with subsection (b).
       (b) Employment Codes.--
       (1) Procedures.--
       (A) Coding structure.--Not later than 180 days after the 
     date of the enactment of this Act, the Secretary of Commerce, 
     acting through the National Institute of Standards and 
     Technology, shall update the National Initiative for 
     Cybersecurity Education's Cybersecurity Workforce Framework 
     to include a corresponding coding structure.
       (B) Identification of civilian cyber personnel.--Not later 
     than 9 months after the date of enactment of this Act, the 
     Director, in coordination with the Director of the National 
     Institute of Standards and Technology and the Director of 
     National Intelligence, shall establish procedures to 
     implement the National Initiative for Cybersecurity 
     Education's coding structure to identify all Federal civilian 
     positions that require the performance of information 
     technology, cybersecurity, or other cyber-related functions.
       (C) Identification of noncivilian cyber personnel.--Not 
     later than 18 months after the date of enactment of this Act, 
     the Secretary of Defense shall establish procedures to 
     implement the National Initiative for Cybersecurity 
     Education's coding structure to identify all Federal 
     noncivilian positions that require the performance of 
     information technology, cybersecurity, or other cyber-related 
     functions.
       (D) Baseline assessment of existing cybersecurity 
     workforce.--Not later than 3 months after the date on which 
     the procedures are developed under subparagraphs (B) and (C), 
     respectively, the head of each Federal agency shall submit to 
     the appropriate congressional committees of jurisdiction a 
     report that identifies--
       (i) the percentage of personnel with information 
     technology, cybersecurity, or other cyber-related job 
     functions who currently hold the appropriate industry-
     recognized certifications as identified in the National 
     Initiative for Cybersecurity Education's Cybersecurity 
     Workforce Framework;
       (ii) the level of preparedness of other civilian and 
     noncivilian cyber personnel without existing credentials to 
     take certification exams; and
       (iii) a strategy for mitigating any gaps identified in 
     clause (i) or (ii) with the appropriate training and 
     certification for existing personnel.
       (E) Procedures for assigning codes.--Not later than 3 
     months after the date on which the procedures are developed 
     under subparagraphs (B) and (C), respectively, the head of 
     each Federal agency shall establish procedures--
       (i) to identify all encumbered and vacant positions with 
     information technology, cybersecurity, or other cyber-related 
     functions (as defined in the National Initiative for 
     Cybersecurity Education's coding structure); and
       (ii) to assign the appropriate employment code to each such 
     position, using agreed standards and definitions.
       (2) Code assignments.--Not later than 1 year after the date 
     after the procedures are established under paragraph (1)(E), 
     the head of each Federal agency shall complete assignment of 
     the appropriate employment code to each position within the 
     agency with information technology, cybersecurity, or other 
     cyber-related functions.
       (c) Progress Report.--Not later than 180 days after the 
     date of enactment of this Act, the Director shall submit a 
     progress report on the implementation of this section to the 
     appropriate congressional committees.

     SEC. 304. IDENTIFICATION OF CYBER-RELATED ROLES OF CRITICAL 
                   NEED.

       (a) In General.--Beginning not later than 1 year after the 
     date on which the employment codes are assigned to employees 
     pursuant to section 203(b)(2), and annually through 2022, the 
     head of each Federal agency, in consultation with the 
     Director, the Director of the National Institute of Standards 
     and Technology, and the Secretary of Homeland Security, 
     shall--
       (1) identify information technology, cybersecurity, or 
     other cyber-related roles of critical need in the agency's 
     workforce; and
       (2) submit a report to the Director that--
       (A) describes the information technology, cybersecurity, or 
     other cyber-related roles identified under paragraph (1); and
       (B) substantiates the critical need designations.
       (b) Guidance.--The Director shall provide Federal agencies 
     with timely guidance for identifying information technology, 
     cybersecurity, or other cyber-related roles of critical need, 
     including--
       (1) current information technology, cybersecurity, and 
     other cyber-related roles with acute skill shortages; and
       (2) information technology, cybersecurity, or other cyber-
     related roles with emerging skill shortages.
       (c) Cybersecurity Needs Report.--Not later than 2 years 
     after the date of the enactment of this Act, the Director, in 
     consultation with the Secretary of Homeland Security, shall--
       (1) identify critical needs for information technology, 
     cybersecurity, or other cyber-related workforce across all 
     Federal agencies; and
       (2) submit a progress report on the implementation of this 
     section to the appropriate congressional committees.

     SEC. 305. GOVERNMENT ACCOUNTABILITY OFFICE STATUS REPORTS.

       The Comptroller General of the United States shall--
       (1) analyze and monitor the implementation of sections 303 
     and 304; and
       (2) not later than 3 years after the date of the enactment 
     of this Act, submit a report to the appropriate congressional 
     committees that describes the status of such implementation.	  
                     TITLE IV--OTHER CYBER MATTERS

     SEC. 401. STUDY ON MOBILE DEVICE SECURITY.

       (a) In General.--Not later than 1 year after the date of 
     the enactment of this Act, the Secretary of Homeland 
     Security, in consultation with the Director of the National 
     Institute of Standards and Technology, shall--
       (1) complete a study on threats relating to the security of 
     the mobile devices of the Federal Government; and
       (2) submit an unclassified report to Congress, with a 
     classified annex if necessary, that contains the findings of 
     such study, the recommendations developed under paragraph (3) 
     of subsection (b), the deficiencies, if any, identified under 
     (4) of such subsection, and the plan developed under 
     paragraph (5) of such subsection.
       (b) Matters Studied.--In carrying out the study under 
     subsection (a)(1), the Secretary, in consultation with the 
     Director of the National Institute of Standards and 
     Technology, shall--
       (1) assess the evolution of mobile security techniques from 
     a desktop-centric approach, and whether such techniques are 
     adequate to meet current mobile security challenges;
       (2) assess the effect such threats may have on the 
     cybersecurity of the information systems and networks of the 
     Federal Government (except for national security systems or 
     the information systems and networks of the Department of 
     Defense and the intelligence community);
       (3) develop recommendations for addressing such threats 
     based on industry standards and best practices;
       (4) identify any deficiencies in the current authorities of 
     the Secretary that may inhibit the ability of the Secretary 
     to address mobile device security throughout the Federal 
     Government (except for national security systems and the 
     information systems and networks of the Department of Defense 
     and intelligence community); and
       (5) develop a plan for accelerated adoption of secure 
     mobile device technology by the Department of Homeland 
     Security.
       (c) Intelligence Community Defined.--In this section, the 
     term ``intelligence community'' has the meaning given such 
     term in section 3 of the National Security Act of 1947 (50 
     U.S.C. 3003).

     SEC. 402. DEPARTMENT OF STATE INTERNATIONAL CYBERSPACE POLICY 
                   STRATEGY.

       (a) In General.--Not later than 90 days after the date of 
     the enactment of this Act, the Secretary of State shall 
     produce a comprehensive strategy relating to United States 
     international policy with regard to cyberspace.
       (b) Elements.--The strategy required by subsection (a) 
     shall include the following:
       (1) A review of actions and activities undertaken by the 
     Secretary of State to date to support the goal of the 
     President's International Strategy for Cyberspace, released 
     in May 2011, to ``work internationally to promote an open, 
     interoperable, secure, and reliable information and 
     communications infrastructure that supports international 
     trade and commerce, strengthens international security, and 
     fosters free expression and innovation.''.
       (2) A plan of action to guide the diplomacy of the 
     Secretary of State, with regard to foreign countries, 
     including conducting bilateral and multilateral activities to 
     develop the norms of responsible international behavior in 
     cyberspace, and status review of existing discussions in 
     multilateral fora to obtain agreements on international norms 
     in cyberspace.
       (3) A review of the alternative concepts with regard to 
     international norms in cyberspace offered by foreign 
     countries that are prominent actors, including China, Russia, 
     Brazil, and India.

[[Page S7532]]

       (4) A detailed description of threats to United States 
     national security in cyberspace from foreign countries, 
     state-sponsored actors, and private actors to Federal and 
     private sector infrastructure of the United States, 
     intellectual property in the United States, and the privacy 
     of citizens of the United States.
       (5) A review of policy tools available to the President to 
     deter foreign countries, state-sponsored actors, and private 
     actors, including those outlined in Executive Order 13694, 
     released on April 1, 2015.
       (6) A review of resources required by the Secretary, 
     including the Office of the Coordinator for Cyber Issues, to 
     conduct activities to build responsible norms of 
     international cyber behavior.
       (c) Consultation.--In preparing the strategy required by 
     subsection (a), the Secretary of State shall consult, as 
     appropriate, with other agencies and departments of the 
     United States and the private sector and nongovernmental 
     organizations in the United States with recognized 
     credentials and expertise in foreign policy, national 
     security, and cybersecurity.
       (d) Form of Strategy.--The strategy required by subsection 
     (a) shall be in unclassified form, but may include a 
     classified annex.
       (e) Availability of Information.--The Secretary of State 
     shall--
       (1) make the strategy required in subsection (a) available 
     the public; and
       (2) brief the Committee on Foreign Relations of the Senate 
     and the Committee on Foreign Affairs of the House of 
     Representatives on the strategy, including any material 
     contained in a classified annex.

     SEC. 403. APPREHENSION AND PROSECUTION OF INTERNATIONAL CYBER 
                   CRIMINALS.

       (a) International Cyber Criminal Defined.--In this section, 
     the term ``international cyber criminal'' means an 
     individual--
       (1) who is believed to have committed a cybercrime or 
     intellectual property crime against the interests of the 
     United States or the citizens of the United States; and
       (2) for whom--
       (A) an arrest warrant has been issued by a judge in the 
     United States; or
       (B) an international wanted notice (commonly referred to as 
     a ``Red Notice'') has been circulated by Interpol.
       (b) Consultations for Noncooperation.--The Secretary of 
     State, or designee, shall consult with the appropriate 
     government official of each country from which extradition is 
     not likely due to the lack of an extradition treaty with the 
     United States or other reasons, in which one or more 
     international cyber criminals are physically present, to 
     determine what actions the government of such country has 
     taken--
       (1) to apprehend and prosecute such criminals; and
       (2) to prevent such criminals from carrying out cybercrimes 
     or intellectual property crimes against the interests of the 
     United States or its citizens.
       (c) Annual Report.--
       (1) In general.--The Secretary of State shall submit to the 
     appropriate congressional committees an annual report that 
     includes--
       (A) the number of international cyber criminals located in 
     other countries, disaggregated by country, and indicating 
     from which countries extradition is not likely due to the 
     lack of an extradition treaty with the United States or other 
     reasons;
       (B) the nature and number of significant discussions by an 
     official of the Department of State on ways to thwart or 
     prosecute international cyber criminals with an official of 
     another country, including the name of each such country; and
       (C) for each international cyber criminal who was 
     extradited to the United States during the most recently 
     completed calendar year--
       (i) his or her name;
       (ii) the crimes for which he or she was charged;
       (iii) his or her previous country of residence; and
       (iv) the country from which he or she was extradited into 
     the United States.
       (2) Form.--The report required by this subsection shall be 
     in unclassified form to the maximum extent possible, but may 
     include a classified annex.
       (3) Appropriate congressional committees.--For purposes of 
     this subsection, the term ``appropriate congressional 
     committees'' means--
       (A) the Committee on Foreign Relations, the Committee on 
     Appropriations, the Committee on Homeland Security and 
     Governmental Affairs, the Committee on Banking, Housing, and 
     Urban Affairs, the Select Committee on Intelligence, and the 
     Committee on the Judiciary of the Senate; and
       (B) the Committee on Foreign Affairs, the Committee on 
     Appropriations, the Committee on Homeland Security, the 
     Committee on Financial Services, the Permanent Select 
     Committee on Intelligence, and the Committee on the Judiciary 
     of the House of Representatives.

     SEC. 404. ENHANCEMENT OF EMERGENCY SERVICES.

       (a) Collection of Data.--Not later than 90 days after the 
     date of enactment of this Act, the Secretary of Homeland 
     Security, acting through the National Cybersecurity and 
     Communications Integration Center, in coordination with 
     appropriate Federal entities and the Director for Emergency 
     Communications, shall establish a process by which a 
     Statewide Interoperability Coordinator may report data on any 
     cybersecurity risk or incident involving any information 
     system or network used by emergency response providers (as 
     defined in section 2 of the Homeland Security Act of 2002 (6 
     U.S.C. 101)) within the State.
       (b) Analysis of Data.--Not later than 1 year after the date 
     of enactment of this Act, the Secretary of Homeland Security, 
     acting through the Director of the National Cybersecurity and 
     Communications Integration Center, in coordination with 
     appropriate entities and the Director for Emergency 
     Communications, and in consultation with the Director of the 
     National Institute of Standards and Technology, shall conduct 
     integration and analysis of the data reported under 
     subsection (a) to develop information and recommendations on 
     security and resilience measures for any information system 
     or network used by State emergency response providers.
       (c) Best Practices.--
       (1) In general.--Using the results of the integration and 
     analysis conducted under subsection (b), and any other 
     relevant information, the Director of the National Institute 
     of Standards and Technology shall, on an ongoing basis, 
     facilitate and support the development of methods for 
     reducing cybersecurity risks to emergency response providers 
     using the process described in section 2(e) of the National 
     Institute of Standards and Technology Act (15 U.S.C. 272(e)).
       (2) Report.--The Director of the National Institute of 
     Standards and Technology shall submit a report to Congress on 
     the methods developed under paragraph (1) and shall make such 
     report publically available on the website of the National 
     Institute of Standards and Technology.
       (d) Rule of Construction.--Nothing in this section shall be 
     construed to--
       (1) require a State to report data under subsection (a); or
       (2) require an entity to--
       (A) adopt a recommended measure developed under subsection 
     (b); or
       (B) follow the best practices developed under subsection 
     (c).

     SEC. 405. IMPROVING CYBERSECURITY IN THE HEALTH CARE 
                   INDUSTRY.

       (a) Definitions.--In this section:
       (1) Business associate.--The term ``business associate'' 
     has the meaning given such term in section 160.103 of title 
     45, Code of Federal Regulations.
       (2) Covered entity.--The term ``covered entity'' has the 
     meaning given such term in section 160.103 of title 45, Code 
     of Federal Regulations.
       (3) Health care clearinghouse; health care provider; health 
     plan.--The terms ``health care clearinghouse'', ``health care 
     provider'', and ``health plan'' have the meanings given the 
     terms in section 160.103 of title 45, Code of Federal 
     Regulations.
       (4) Health care industry stakeholder.--The term ``health 
     care industry stakeholder'' means any--
       (A) health plan, health care clearinghouse, or health care 
     provider;
       (B) patient advocate;
       (C) pharmacist;
       (D) developer of health information technology;
       (E) laboratory;
       (F) pharmaceutical or medical device manufacturer; or
       (G) additional stakeholder the Secretary determines 
     necessary for purposes of subsection (d)(1), (d)(3), or (e).
       (5) Secretary.--The term ``Secretary'' means the Secretary 
     of Health and Human Services.
       (b) Report.--Not later than 1 year after the date of 
     enactment of this Act, the Secretary shall submit, to the 
     Committee on Health, Education, Labor, and Pensions of the 
     Senate and the Committee on Energy and Commerce of the House 
     of Representatives, a report on the preparedness of the 
     health care industry in responding to cybersecurity threats.
       (c) Contents of Report.--With respect to the internal 
     response of the Department of Health and Human Services to 
     emerging cybersecurity threats, the report shall include--
       (1) a clear statement of the official within the Department 
     of Health and Human Services to be responsible for leading 
     and coordinating efforts of the Department regarding 
     cybersecurity threats in the health care industry; and
       (2) a plan from each relevant operating division and 
     subdivision of the Department of Health and Human Services on 
     how such division or subdivision will address cybersecurity 
     threats in the health care industry, including a clear 
     delineation of how each such division or subdivision will 
     divide responsibility among the personnel of such division or 
     subdivision and communicate with other such divisions and 
     subdivisions regarding efforts to address such threats.
       (d) Health Care Industry Cybersecurity Task Force.--
       (1) In general.--Not later than 60 days after the date of 
     enactment of this Act, the Secretary, in consultation with 
     the Director of the National Institute of Standards and 
     Technology and the Secretary of Homeland Security, shall 
     convene health care industry stakeholders, cybersecurity 
     experts, and any Federal agencies or entities the Secretary 
     determines appropriate to establish a task force to--
       (A) analyze how industries, other than the health care 
     industry, have implemented strategies and safeguards for 
     addressing cybersecurity threats within their respective 
     industries;

[[Page S7533]]

       (B) analyze challenges and barriers private entities 
     (notwithstanding section 102(15)(B), excluding any State, 
     tribal, or local government) in the health care industry face 
     securing themselves against cyber attacks;
       (C) review challenges that covered entities and business 
     associates face in securing networked medical devices and 
     other software or systems that connect to an electronic 
     health record;
       (D) provide the Secretary with information to disseminate 
     to health care industry stakeholders for purposes of 
     improving their preparedness for, and response to, 
     cybersecurity threats affecting the health care industry;
       (E) establish a plan for creating a single system for the 
     Federal Government to share information on actionable 
     intelligence regarding cybersecurity threats to the health 
     care industry in near real time, requiring no fee to the 
     recipients of such information, including which Federal 
     agency or other entity may be best suited to be the central 
     conduit to facilitate the sharing of such information; and
       (F) report to Congress on the findings and recommendations 
     of the task force regarding carrying out subparagraphs (A) 
     through (E).
       (2) Termination.--The task force established under this 
     subsection shall terminate on the date that is 1 year after 
     the date of enactment of this Act.
       (3) Dissemination.--Not later than 60 days after the 
     termination of the task force established under this 
     subsection, the Secretary shall disseminate the information 
     described in paragraph (1)(D) to health care industry 
     stakeholders in accordance with such paragraph.
       (4) Rule of construction.--Nothing in this subsection shall 
     be construed to limit the antitrust exemption under section 
     104(e) or the protection from liability under section 106.
       (e) Cybersecurity Framework.--
       (1) In general.--The Secretary shall establish, through a 
     collaborative process with the Secretary of Homeland 
     Security, health care industry stakeholders, the National 
     Institute of Standards and Technology, and any Federal agency 
     or entity the Secretary determines appropriate, a single, 
     voluntary, national health-specific cybersecurity framework 
     that--
       (A) establishes a common set of voluntary, consensus-based, 
     and industry-led standards, security practices, guidelines, 
     methodologies, procedures, and processes that serve as a 
     resource for cost-effectively reducing cybersecurity risks 
     for a range of health care organizations;
       (B) supports voluntary adoption and implementation efforts 
     to improve safeguards to address cybersecurity threats;
       (C) is consistent with the security and privacy regulations 
     promulgated under section 264(c) of the Health Insurance 
     Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 
     note) and with the Health Information Technology for Economic 
     and Clinical Health Act (title XIII of division A, and title 
     IV of division B, of Public Law 111-5), and the amendments 
     made by such Act; and
       (D) is updated on a regular basis and applicable to the 
     range of health care organizations described in subparagraph 
     (A).
       (2) Limitation.--Nothing in this subsection shall be 
     interpreted as granting the Secretary authority to--
       (A) provide for audits to ensure that health care 
     organizations are in compliance with the voluntary framework 
     under this subsection; or
       (B) mandate, direct, or condition the award of any Federal 
     grant, contract, or purchase on compliance with such 
     voluntary framework.
       (3) No liability for nonparticipation.--Nothing in this 
     title shall be construed to subject a health care 
     organization to liability for choosing not to engage in the 
     voluntary activities authorized under this subsection.

     SEC. 406. FEDERAL COMPUTER SECURITY.

       (a) Definitions.--In this section:
       (1) Covered system.--The term ``covered system'' shall mean 
     a national security system as defined in section 11103 of 
     title 40, United States Code, or a Federal computer system 
     that provides access to personally identifiable information.
       (2) Covered agency.--The term ``covered agency'' means an 
     agency that operates a covered system.
       (3) Logical access control.--The term ``logical access 
     control'' means a process of granting or denying specific 
     requests to obtain and use information and related 
     information processing services.
       (4) Multi-factor logical access controls.--The term 
     ``multi-factor logical access controls'' means a set of not 
     less than 2 of the following logical access controls:
       (A) Information that is known to the user, such as a 
     password or personal identification number.
       (B) An access device that is provided to the user, such as 
     a cryptographic identification device or token.
       (C) A unique biometric characteristic of the user.
       (5) Privileged user.--The term ``privileged user'' means a 
     user who, by virtue of function or seniority, has been 
     allocated powers within a covered system, which are 
     significantly greater than those available to the majority of 
     users.
       (b) Inspector General Reports on Covered Systems.--
       (1) In general.--Not later than 240 days after the date of 
     enactment of this Act, the Inspector General of each covered 
     agency shall submit to the appropriate committees of 
     jurisdiction in the Senate and the House of Representatives a 
     report, which shall include information collected from the 
     covered agency for the contents described in paragraph (2) 
     regarding the Federal computer systems of the covered agency.
       (2) Contents.--The report submitted by each Inspector 
     General of a covered agency under paragraph (1) shall 
     include, with respect to the covered agency, the following:
       (A) A description of the logical access standards used by 
     the covered agency to access a covered system, including--
       (i) in aggregate, a list and description of logical access 
     controls used to access such a covered system; and
       (ii) whether the covered agency is using multi-factor 
     logical access controls to access such a covered system.
       (B) A description of the logical access controls used by 
     the covered agency to govern access to covered systems by 
     privileged users.
       (C) If the covered agency does not use logical access 
     controls or multi-factor logical access controls to access a 
     covered system, a description of the reasons for not using 
     such logical access controls or multi-factor logical access 
     controls.
       (D) A description of the following data security management 
     practices used by the covered agency:
       (i) The policies and procedures followed to conduct 
     inventories of the software present on the covered systems of 
     the covered agency and the licenses associated with such 
     software.
       (ii) What capabilities the covered agency utilizes to 
     monitor and detect exfiltration and other threats, 
     including--

       (I) data loss prevention capabilities; or
       (II) digital rights management capabilities.

       (iii) A description of how the covered agency is using the 
     capabilities described in clause (ii).
       (iv) If the covered agency is not utilizing capabilities 
     described in clause (ii), a description of the reasons for 
     not utilizing such capabilities.
       (E) A description of the policies and procedures of the 
     covered agency with respect to ensuring that entities, 
     including contractors, that provide services to the covered 
     agency are implementing the data security management 
     practices described in subparagraph (D).
       (3) Existing review.--The reports required under this 
     subsection may be based in whole or in part on an audit, 
     evaluation, or report relating to programs or practices of 
     the covered agency, and may be submitted as part of another 
     report, including the report required under section 3555 of 
     title 44, United States Code.
       (4) Classified information.--Reports submitted under this 
     subsection shall be in unclassified form, but may include a 
     classified annex.

     SEC. 407. STRATEGY TO PROTECT CRITICAL INFRASTRUCTURE AT 
                   GREATEST RISK.

       (a) Definitions.--In this section:
       (1) Appropriate agency.--The term ``appropriate agency'' 
     means, with respect to a covered entity--
       (A) except as provided in subparagraph (B), the applicable 
     sector-specific agency; or
       (B) in the case of a covered entity that is regulated by a 
     Federal entity, such Federal entity.
       (2) Appropriate agency head.--The term ``appropriate agency 
     head'' means, with respect to a covered entity, the head of 
     the appropriate agency.
       (3) Covered entity.--The term ``covered entity'' means an 
     entity identified pursuant to section 9(a) of Executive Order 
     13636 of February 12, 2013 (78 Fed. Reg. 11742), relating to 
     identification of critical infrastructure where a 
     cybersecurity incident could reasonably result in 
     catastrophic regional or national effects on public health or 
     safety, economic security, or national security.
       (4) Appropriate congressional committees.--The term 
     ``appropriate congressional committees'' means--
       (A) the Select Committee on Intelligence of the Senate;
       (B) the Permanent Select Committee on Intelligence of the 
     House of Representatives;
       (C) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       (D) the Committee on Homeland Security of the House of 
     Representatives;
       (E) the Committee on Energy and Natural Resources of the 
     Senate;
       (F) the Committee on Energy and Commerce of the House of 
     Representatives; and
       (G) the Committee on Commerce, Science, and Transportation 
     of the Senate.
       (5) Secretary.--The term ``Secretary'' means the Secretary 
     of the Department of Homeland Security.
       (b) Status of Existing Cyber Incident Reporting.--
       (1) In general.--No later than 120 days after the date of 
     the enactment of this Act, the Secretary, in conjunction with 
     the appropriate agency head (as the case may be), shall 
     submit to the appropriate congressional committees describing 
     the extent to which each covered entity reports significant 
     intrusions of information systems essential to the operation 
     of critical infrastructure to the Department of Homeland 
     Security or the appropriate agency head in a timely manner.
       (2) Form.--The report submitted under paragraph (1) may 
     include a classified annex.

[[Page S7534]]

       (c) Mitigation Strategy Required for Critical 
     Infrastructure at Greatest Risk.--
       (1) In general.--No later than 180 days after the date of 
     the enactment of this Act, the Secretary, in conjunction with 
     the appropriate agency head (as the case may be), shall 
     conduct an assessment and develop a strategy that addresses 
     each of the covered entities, to ensure that, to the greatest 
     extent feasible, a cyber security incident affecting such 
     entity would no longer reasonably result in catastrophic 
     regional or national effects on public health or safety, 
     economic security, or national security.
       (2) Elements.--The strategy submitted by the Secretary with 
     respect to a covered entity shall include the following:
       (A) An assessment of whether each entity should be required 
     to report cyber security incidents.
       (B) A description of any identified security gaps that must 
     be addressed.
       (C) Additional statutory authority necessary to reduce the 
     likelihood that a cyber incident could cause catastrophic 
     regional or national effects on public health or safety, 
     economic security, or national security.
       (3) Submittal.--The Secretary shall submit to the 
     appropriate congressional committees the assessment and 
     strategy required by paragraph (1).
       (4) Form.--The assessment and strategy submitted under 
     paragraph (3) may each include a classified annex.

     SEC. 408. STOPPING THE FRAUDULENT SALE OF FINANCIAL 
                   INFORMATION OF PEOPLE OF THE UNITED STATES.

       Section 1029(h) of title 18, United States Code, is amended 
     by striking ``title if--'' and all that follows through 
     ``therefrom.'' and inserting ``title if the offense involves 
     an access device issued, owned, managed, or controlled by a 
     financial institution, account issuer, credit card system 
     member, or other entity organized under the laws of the 
     United States, or any State, the District of Columbia, or 
     other Territory of the United States.''.

     SEC. 409. EFFECTIVE PERIOD.

       (a) In General.--Except as provided in subsection (b), this 
     Act and the amendments made by this Act shall be in effect 
     during the 10-year period beginning on the date of the 
     enactment of this Act.
       (b) Exception.--With respect to any action authorized by 
     this Act or information obtained pursuant to an action 
     authorized by this Act, which occurred before the date on 
     which the provisions referred to in subsection (a) cease to 
     have effect, the provisions of this Act shall continue in 
     effect.

  The PRESIDING OFFICER. The majority leader.