15 December 2015
S.754 Cybersecurity Information Sharing Act of 2015
The PRESIDING OFFICER. The bill having been read the third time, the
question is, Shall it pass?
Mr. TILLIS. I ask for the yeas and nays.
The PRESIDING OFFICER. Is there a sufficient second?
There is a sufficient second.
The clerk will call the roll.
The bill clerk called the roll.
Mr. CORNYN. The following Senators are necessarily absent: the
Senator from Texas (Mr. Cruz), the Senator from South Carolina (Mr.
Graham), the Senator from Kentucky (Mr. Paul), the Senator from Florida
(Mr. Rubio), and the Senator from Louisiana (Mr. Vitter).
The PRESIDING OFFICER. Are there any other Senators in the Chamber
desiring to vote?
The result was announced--yeas 74, nays 21, as follows:
[Rollcall Vote No. 291 Leg.]
YEAS--74
Alexander
Ayotte
Barrasso
Bennet
Blumenthal
Blunt
Boozman
Boxer
Burr
Cantwell
Capito
Carper
Casey
Cassidy
Coats
Cochran
Collins
Corker
Cornyn
Cotton
Donnelly
Durbin
Enzi
Ernst
Feinstein
Fischer
Flake
Gardner
Gillibrand
Grassley
Hatch
Heinrich
Heitkamp
Hirono
Hoeven
Inhofe
Isakson
Johnson
Kaine
King
Kirk
Klobuchar
Lankford
Manchin
McCain
McCaskill
McConnell
Mikulski
Moran
Murkowski
Murphy
Murray
Nelson
Perdue
Peters
Portman
Reed
Reid
Roberts
Rounds
Sasse
Schatz
Schumer
Scott
Sessions
Shaheen
Shelby
Stabenow
Thune
Tillis
Toomey
Warner
Whitehouse
Wicker
NAYS--21
Baldwin
Booker
Brown
Cardin
Coons
Crapo
Daines
Franken
Heller
Leahy
Lee
Markey
Menendez
Merkley
Risch
Sanders
Sullivan
Tester
Udall
Warren
Wyden
NOT VOTING--5
Cruz
Graham
Paul
Rubio
Vitter
The bill (S. 754), as amended, was passed, as follows:
S. 754
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. TABLE OF CONTENTS.
The table of contents of this Act is as follows:
Sec. 1. Table of contents.
TITLE I--CYBERSECURITY INFORMATION SHARING
Sec. 101. Short title.
Sec. 102. Definitions.
Sec. 103. Sharing of information by the Federal Government.
Sec. 104. Authorizations for preventing, detecting, analyzing, and
mitigating cybersecurity threats.
Sec. 105. Sharing of cyber threat indicators and defensive measures
with the Federal Government.
Sec. 106. Protection from liability.
Sec. 107. Oversight of Government activities.
Sec. 108. Construction and preemption.
Sec. 109. Report on cybersecurity threats.
Sec. 110. Conforming amendment.
TITLE II--FEDERAL CYBERSECURITY ENHANCEMENT
Sec. 201. Short title.
Sec. 202. Definitions.
Sec. 203. Improved Federal network security.
Sec. 204. Advanced internal defenses.
Sec. 205. Federal cybersecurity requirements.
Sec. 206. Assessment; reports.
Sec. 207. Termination.
Sec. 208. Identification of information systems relating to national
security.
Sec. 209. Direction to agencies.
TITLE III--FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT
Sec. 301. Short title.
Sec. 302. Definitions.
Sec. 303. National cybersecurity workforce measurement initiative.
Sec. 304. Identification of cyber-related roles of critical need.
Sec. 305. Government Accountability Office status reports.
TITLE IV--OTHER CYBER MATTERS
Sec. 401. Study on mobile device security.
Sec. 402. Department of State international cyberspace policy strategy.
Sec. 403. Apprehension and prosecution of international cyber
criminals.
Sec. 404. Enhancement of emergency services.
Sec. 405. Improving cybersecurity in the health care industry.
Sec. 406. Federal computer security.
Sec. 407. Strategy to protect critical infrastructure at greatest risk.
Sec. 408. Stopping the fraudulent sale of financial information of
people of the United States.
Sec. 409. Effective period.
TITLE I--CYBERSECURITY INFORMATION SHARING
SEC. 101. SHORT TITLE.
This title may be cited as the ``Cybersecurity Information
Sharing Act of 2015''.
SEC. 102. DEFINITIONS.
In this title:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in section 1 of the
Clayton Act (15 U.S.C. 12);
(B) includes section 5 of the Federal Trade Commission Act
(15 U.S.C. 45) to the extent that section 5 of that Act
applies to unfair methods of competition; and
(C) includes any State law that has the same intent and
effect as the laws under subparagraphs (A) and (B).
(3) Appropriate federal entities.--The term ``appropriate
Federal entities'' means the following:
(A) The Department of Commerce.
(B) The Department of Defense.
(C) The Department of Energy.
(D) The Department of Homeland Security.
(E) The Department of Justice.
(F) The Department of the Treasury.
(G) The Office of the Director of National Intelligence.
(4) Cybersecurity purpose.--The term ``cybersecurity
purpose'' means the purpose of protecting an information
system or information that is stored on, processed by, or
transiting an information system from a cybersecurity threat
or security vulnerability.
(5) Cybersecurity threat.--
(A) In general.--Except as provided in subparagraph (B),
the term ``cybersecurity threat'' means an action, not
protected by the First Amendment to the Constitution of the
United States, on or through an information system that may
result in an unauthorized effort to adversely impact the
security, availability, confidentiality, or integrity of an
information system or information that is stored on,
processed by, or transiting an information system.
(B) Exclusion.--The term ``cybersecurity threat'' does not
include any action that solely involves a violation of a
consumer term of service or a consumer licensing agreement.
(6) Cyber threat indicator.--The term ``cyber threat
indicator'' means information that is necessary to describe
or identify--
(A) malicious reconnaissance, including anomalous patterns
of communications that appear to be transmitted for the
purpose of gathering technical information related to a
cybersecurity threat or security vulnerability;
(B) a method of defeating a security control or
exploitation of a security vulnerability;
(C) a security vulnerability, including anomalous activity
that appears to indicate the existence of a security
vulnerability;
(D) a method of causing a user with legitimate access to an
information system or information that is stored on,
processed by, or transiting an information system to
unwittingly enable the defeat of a security control or
exploitation of a security vulnerability;
(E) malicious cyber command and control;
(F) the actual or potential harm caused by an incident,
including a description of the information exfiltrated as a
result of a particular cybersecurity threat;
(G) any other attribute of a cybersecurity threat, if
disclosure of such attribute is not otherwise prohibited by
law; or
(H) any combination thereof.
(7) Defensive measure.--
(A) In general.--Except as provided in subparagraph (B),
the term ``defensive measure'' means an action, device,
procedure, signature, technique, or other measure applied to
an information system or information that is stored on,
processed by, or transiting an information system that
detects, prevents, or mitigates a known or suspected
cybersecurity threat or security vulnerability.
(B) Exclusion.--The term ``defensive measure'' does not
include a measure that destroys, renders unusable, provides
unauthorized access to, or substantially harms an information
system or data on an information system not belonging to--
(i) the private entity operating the measure; or
(ii) another entity or Federal entity that is authorized to
provide consent and has provided consent to that private
entity for operation of such measure.
(8) Entity.--
(A) In general.--Except as otherwise provided in this
paragraph, the term ``entity'' means any private entity,
non-Federal government agency or department, or State,
[[Page S7523]]
tribal, or local government (including a political
subdivision, department, or component thereof).
(B) Inclusions.--The term ``entity'' includes a government
agency or department of the District of Columbia, the
Commonwealth of Puerto Rico, the Virgin Islands, Guam,
American Samoa, the Northern Mariana Islands, and any other
territory or possession of the United States.
(C) Exclusion.--The term ``entity'' does not include a
foreign power as defined in section 101 of the Foreign
Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
(9) Federal entity.--The term ``Federal entity'' means a
department or agency of the United States or any component of
such department or agency.
(10) Information system.--The term ``information system''--
(A) has the meaning given the term in section 3502 of title
44, United States Code; and
(B) includes industrial control systems, such as
supervisory control and data acquisition systems, distributed
control systems, and programmable logic controllers.
(11) Local government.--The term ``local government'' means
any borough, city, county, parish, town, township, village,
or other political subdivision of a State.
(12) Malicious cyber command and control.--The term
``malicious cyber command and control'' means a method for
unauthorized remote identification of, access to, or use of,
an information system or information that is stored on,
processed by, or transiting an information system.
(13) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning security vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
(14) Monitor.--The term ``monitor'' means to acquire,
identify, or scan, or to possess, information that is stored
on, processed by, or transiting an information system.
(15) Private entity.--
(A) In general.--Except as otherwise provided in this
paragraph, the term ``private entity'' means any person or
private group, organization, proprietorship, partnership,
trust, cooperative, corporation, or other commercial or
nonprofit entity, including an officer, employee, or agent
thereof.
(B) Inclusion.--The term ``private entity'' includes a
State, tribal, or local government performing electric or
other utility services.
(C) Exclusion.--The term ``private entity'' does not
include a foreign power as defined in section 101 of the
Foreign Intelligence Surveillance Act of 1978 (50 U.S.C.
1801).
(16) Security control.--The term ``security control'' means
the management, operational, and technical controls used to
protect against an unauthorized effort to adversely affect
the confidentiality, integrity, and availability of an
information system or its information.
(17) Security vulnerability.--The term ``security
vulnerability'' means any attribute of hardware, software,
process, or procedure that could enable or facilitate the
defeat of a security control.
(18) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian
Self-Determination and Education Assistance Act (25 U.S.C. 450b).
SEC. 103. SHARING OF INFORMATION BY THE FEDERAL GOVERNMENT.
(a) In General.--Consistent with the protection of
classified information, intelligence sources and methods, and
privacy and civil liberties, the Director of National
Intelligence, the Secretary of Homeland Security, the
Secretary of Defense, and the Attorney General, in
consultation with the heads of the appropriate Federal
entities, shall develop and promulgate procedures to
facilitate and promote--
(1) the timely sharing of classified cyber threat
indicators in the possession of the Federal Government with
cleared representatives of relevant entities;
(2) the timely sharing with relevant entities of cyber
threat indicators or information in the possession of the
Federal Government that may be declassified and shared at an
unclassified level;
(3) the sharing with relevant entities, or the public if
appropriate, of unclassified, including controlled
unclassified, cyber threat indicators in the possession of
the Federal Government;
(4) the sharing with entities, if appropriate, of
information in the possession of the Federal Government about
cybersecurity threats to such entities to prevent or mitigate
adverse effects from such cybersecurity threats; and
(5) the periodic sharing, through publication and targeted
outreach, of cybersecurity best practices that are developed
based on ongoing analysis of cyber threat indicators and
information in possession of the Federal Government, with
attention to accessibility and implementation challenges
faced by small business concerns (as defined in section 3 of
the Small Business Act (15 U.S.C. 632)).
(b) Development of Procedures.--
(1) In general.--The procedures developed and promulgated
under subsection (a) shall--
(A) ensure the Federal Government has and maintains the
capability to share cyber threat indicators in real time
consistent with the protection of classified information;
(B) incorporate, to the greatest extent practicable,
existing processes and existing roles and responsibilities of
Federal and non-Federal entities for information sharing by
the Federal Government, including sector specific information
sharing and analysis centers;
(C) include procedures for notifying, in a timely manner,
entities that have received a cyber threat indicator from a
Federal entity under this title that is known or determined
to be in error or in contravention of the requirements of
this title or another provision of Federal law or policy of
such error or contravention;
(D) include requirements for Federal entities sharing cyber
threat indicators or defensive measures to implement and
utilize security controls to protect against unauthorized
access to or acquisition of such cyber threat indicators or
defensive measures;
(E) include procedures that require a Federal entity, prior
to the sharing of a cyber threat indicator--
(i) to review such cyber threat indicator to assess whether
such cyber threat indicator contains any information that
such Federal entity knows at the time of sharing to be
personal information or information that identifies a
specific person not directly related to a cybersecurity
threat and remove such information; or
(ii) to implement and utilize a technical capability
configured to remove any personal information or information
that identifies a specific person not directly related to a
cybersecurity threat; and
(F) include procedures for notifying, in a timely manner,
any United States person whose personal information is known
or determined to have been shared by a Federal entity in
violation of this Act.
(2) Coordination.--In developing the procedures required
under this section, the Director of National Intelligence,
the Secretary of Homeland Security, the Secretary of Defense,
and the Attorney General shall coordinate with appropriate
Federal entities, including the Small Business Administration
and the National Laboratories (as defined in section 2 of the
Energy Policy Act of 2005 (42 U.S.C. 15801)), to ensure that
effective protocols are implemented that will facilitate and
promote the sharing of cyber threat indicators by the Federal
Government in a timely manner.
(c) Submittal to Congress.--Not later than 60 days after
the date of the enactment of this Act, the Director of
National Intelligence, in consultation with the heads of the
appropriate Federal entities, shall submit to Congress the
procedures required by subsection (a).
SEC. 104. AUTHORIZATIONS FOR PREVENTING, DETECTING, ANALYZING, AND MITIGATING CYBERSECURITY THREATS.
(a) Authorization for Monitoring.--
(1) In general.--Notwithstanding any other provision of
law, a private entity may, for cybersecurity purposes,
monitor--
(A) an information system of such private entity;
(B) an information system of another entity, upon the
authorization and written consent of such other entity;
(C) an information system of a Federal entity, upon the
authorization and written consent of an authorized
representative of the Federal entity; and
(D) information that is stored on, processed by, or
transiting an information system monitored by the private
entity under this paragraph.
(2) Construction.--Nothing in this subsection shall be
construed--
(A) to authorize the monitoring of an information system,
or the use of any information obtained through such
monitoring, other than as provided in this title; or
(B) to limit otherwise lawful activity.
(b) Authorization for Operation of Defensive Measures.--
(1) In general.--Notwithstanding any other provision of
law, a private entity may, for cybersecurity purposes,
operate a defensive measure that is applied to--
(A) an information system of such private entity in order
to protect the rights or property of the private entity;
(B) an information system of another entity upon written
consent of such entity for operation of such defensive
measure to protect the rights or property of such entity; and
(C) an information system of a Federal entity upon written
consent of an authorized representative of such Federal
entity for operation of such defensive measure to protect the
rights or property of the Federal Government.
(2) Construction.--Nothing in this subsection shall be
construed--
(A) to authorize the use of a defensive measure other than
as provided in this subsection; or
(B) to limit otherwise lawful activity.
(c) Authorization for Sharing or Receiving Cyber Threat
Indicators or Defensive Measures.--
(1) In general.--Except as provided in paragraph (2) and
notwithstanding any other provision of law, an entity may,
for a cybersecurity purpose and consistent with the
protection of classified information, share with, or receive
from, any other entity or the Federal Government a cyber
threat indicator or defensive measure.
(2) Lawful restriction.--An entity receiving a cyber threat
indicator or defensive measure from another entity or Federal
entity shall comply with otherwise lawful restrictions placed
on the sharing or use of such cyber threat indicator or
defensive measure by the sharing entity or Federal entity.
(3) Construction.--Nothing in this subsection shall be
construed--
(A) to authorize the sharing or receiving of a cyber threat
indicator or defensive measure other than as provided in this
subsection; or
(B) to limit otherwise lawful activity.
(d) Protection and Use of Information.--
(1) Security of information.--An entity monitoring an
information system, operating a defensive measure, or
providing or receiving a cyber threat indicator or defensive
measure under this section shall implement and utilize a
security control to protect against unauthorized access to or
acquisition of such cyber threat indicator or defensive
measure.
(2) Removal of certain personal information.--An entity
sharing a cyber threat indicator pursuant to this title
shall, prior to such sharing--
(A) review such cyber threat indicator to assess whether
such cyber threat indicator contains any information that the
entity knows at the time of sharing to be personal
information or information that identifies a specific person
not directly related to a cybersecurity threat and remove
such information; or
(B) implement and utilize a technical capability configured
to remove any information contained within such indicator
that the entity knows at the time of sharing to be personal
information or information that identifies a specific person
not directly related to a cybersecurity threat.
(3) Use of cyber threat indicators and defensive measures
by entities.--
(A) In general.--Consistent with this title, a cyber threat
indicator or defensive measure shared or received under this
section may, for cybersecurity purposes--
(i) be used by an entity to monitor or operate a defensive
measure that is applied to--
(I) an information system of the entity; or
(II) an information system of another entity or a Federal
entity upon the written consent of that other entity or that
Federal entity; and
(ii) be otherwise used, retained, and further shared by an
entity subject to--
(I) an otherwise lawful restriction placed by the sharing
entity or Federal entity on such cyber threat indicator or
defensive measure; or
(II) an otherwise applicable provision of law.
(B) Construction.--Nothing in this paragraph shall be
construed to authorize the use of a cyber threat indicator or
defensive measure other than as provided in this section.
(4) Use of cyber threat indicators by state, tribal, or
local government.--
(A) Law enforcement use.--
(i) Prior written consent.--Except as provided in clause
(ii), a cyber threat indicator shared with a State, tribal,
or local government under this section may, with the prior
written consent of the entity sharing such indicator, be used
by a State, tribal, or local government for the purpose of
preventing, investigating, or prosecuting any of the offenses
described in section 105(d)(5)(A)(vi).
(ii) Oral consent.--If exigent circumstances prevent
obtaining written consent under clause (i), such consent may
be provided orally with subsequent documentation of the
consent.
(B) Exemption from disclosure.--A cyber threat indicator
shared with a State, tribal, or local government under this
section shall be--
(i) deemed voluntarily shared information; and
(ii) exempt from disclosure under any State, tribal, or
local law requiring disclosure of information or records.
(C) State, tribal, and local regulatory authority.--
(i) In general.--Except as provided in clause (ii), a cyber
threat indicator or defensive measure shared with a State,
tribal, or local government under this title shall not be
directly used by any State, tribal, or local government to
regulate, including an enforcement action, the lawful
activity of any entity, including an activity relating to
monitoring, operating a defensive measure, or sharing of a
cyber threat indicator.
(ii) Regulatory authority specifically relating to
prevention or mitigation of cybersecurity threats.--A cyber
threat indicator or defensive measure shared as described in
clause (i) may, consistent with a State, tribal, or local
government regulatory authority specifically relating to the
prevention or mitigation of cybersecurity threats to
information systems, inform the development or implementation
of a regulation relating to such information systems.
(e) Antitrust Exemption.--
(1) In general.--Except as provided in section 108(e), it
shall not be considered a violation of any provision of
antitrust laws for 2 or more private entities to exchange or
provide a cyber threat indicator, or assistance relating to
the prevention, investigation, or mitigation of a
cybersecurity threat, for cybersecurity purposes under this
title.
(2) Applicability.--Paragraph (1) shall apply only to
information that is exchanged or assistance provided in order
to assist with--
(A) facilitating the prevention, investigation, or
mitigation of a cybersecurity threat to an information system
or information that is stored on, processed by, or transiting
an information system; or
(B) communicating or disclosing a cyber threat indicator to
help prevent, investigate, or mitigate the effect of a
cybersecurity threat to an information system or information
that is stored on, processed by, or transiting an information
system.
(f) No Right or Benefit.--The sharing of a cyber threat
indicator with an entity under this title shall not create a
right or benefit to similar information by such entity or any
other entity.
SEC. 105. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES WITH THE FEDERAL GOVERNMENT.
(a) Requirement for Policies and Procedures.--
(1) Interim policies and procedures.--Not later than 60
days after the date of the enactment of this Act, the
Attorney General and the Secretary of Homeland Security
shall, in coordination with the heads of the appropriate
Federal entities, develop and submit to Congress interim
policies and procedures relating to the receipt of cyber
threat indicators and defensive measures by the Federal
Government.
(2) Final policies and procedures.--Not later than 180 days
after the date of the enactment of this Act, the Attorney
General and the Secretary of Homeland Security shall, in
coordination with the heads of the appropriate Federal
entities, promulgate final policies and procedures relating
to the receipt of cyber threat indicators and defensive
measures by the Federal Government.
(3) Requirements concerning policies and procedures.--
Consistent with the guidelines required by subsection (b),
the policies and procedures developed and promulgated under
this subsection shall--
(A) ensure that cyber threat indicators shared with the
Federal Government by any entity pursuant to section 104(c)
through the real-time process described in subsection (c) of
this section--
(i) are shared in an automated manner with all of the
appropriate Federal entities;
(ii) are only subject to a delay, modification, or other
action due to controls established for such real-time process
that could impede real-time receipt by all of the appropriate
Federal entities when the delay, modification, or other
action is due to controls--
(I) agreed upon unanimously by all of the heads of the
appropriate Federal entities;
(II) carried out before any of the appropriate Federal
entities retains or uses the cyber threat indicators or
defensive measures; and
(III) uniformly applied such that each of the appropriate
Federal entities is subject to the same delay, modification,
or other action; and
(iii) may be provided to other Federal entities;
(B) ensure that cyber threat indicators shared with the
Federal Government by any entity pursuant to section 104 in a
manner other than the real time process described in
subsection (c) of this section--
(i) are shared as quickly as operationally practicable with
all of the appropriate Federal entities;
(ii) are not subject to any unnecessary delay,
interference, or any other action that could impede receipt
by all of the appropriate Federal entities; and
(iii) may be provided to other Federal entities;
(C) consistent with this title, any other applicable
provisions of law, and the fair information practice
principles set forth in appendix A of the document entitled
``National Strategy for Trusted Identities in Cyberspace''
and published by the President in April, 2011, govern the
retention, use, and dissemination by the Federal Government
of cyber threat indicators shared with the Federal Government
under this title, including the extent, if any, to which such
cyber threat indicators may be used by the Federal
Government; and
(D) ensure there are--
(i) audit capabilities; and
(ii) appropriate sanctions in place for officers,
employees, or agents of a Federal entity who knowingly and
willfully conduct activities under this title in an
unauthorized manner.
(4) Guidelines for entities sharing cyber threat indicators
with federal government.--
(A) In general.--Not later than 60 days after the date of
the enactment of this Act, the Attorney General and the
Secretary of Homeland Security shall develop and make
publicly available guidance to assist entities and promote
sharing of cyber threat indicators with Federal entities
under this title.
(B) Contents.--The guidelines developed and made publicly
available under subparagraph (A) shall include guidance on
the following:
(i) Identification of types of information that would
qualify as a cyber threat indicator under this title that
would be unlikely to include personal information or
information that identifies a specific person not directly
related to a cybersecurity threat.
(ii) Identification of types of information protected under
otherwise applicable privacy laws that are unlikely to be
directly related to a cybersecurity threat.
(iii) Such other matters as the Attorney General and the
Secretary of Homeland Security consider appropriate for
entities sharing cyber threat indicators with Federal
entities under this title.
(b) Privacy and Civil Liberties.--
(1) Guidelines of attorney general.--Not later than 60 days
after the date of the enactment of this Act, the Attorney
General shall, in coordination with heads of the appropriate
Federal entities and in consultation with officers designated
under section 1062 of the National Security Intelligence
Reform Act of 2004 (42 U.S.C. 2000ee-1), develop, submit to
Congress, and make available to the public interim guidelines
relating to privacy and civil liberties which shall govern
the receipt, retention, use, and dissemination of cyber
threat indicators by a Federal entity obtained in connection
with activities authorized in this title.
(2) Final guidelines.--
(A) In general.--Not later than 180 days after the date of
the enactment of this Act, the Attorney General shall, in
coordination with heads of the appropriate Federal entities
and in consultation with officers designated under section
1062 of the National Security Intelligence Reform Act of 2004
(42 U.S.C. 2000ee-1) and such private entities with industry
expertise as the Attorney General considers relevant,
promulgate final guidelines relating to privacy and civil
liberties which shall govern the receipt, retention, use, and
dissemination of cyber threat indicators by a Federal entity
obtained in connection with activities authorized in this
title.
(B) Periodic review.--The Attorney General shall, in
coordination with heads of the appropriate Federal entities
and in consultation with officers and private entities
described in subparagraph (A), periodically, but not less
frequently than once every two years, review the guidelines
promulgated under subparagraph (A).
(3) Content.--The guidelines required by paragraphs (1) and
(2) shall, consistent with the need to protect information
systems from cybersecurity threats and mitigate cybersecurity
threats--
(A) limit the effect on privacy and civil liberties of
activities by the Federal Government under this title;
(B) limit the receipt, retention, use, and dissemination of
cyber threat indicators containing personal information or
information that identifies specific persons, including by
establishing--
(i) a process for the timely destruction of such
information that is known not to be directly related to uses
authorized under this title; and
(ii) specific limitations on the length of any period in
which a cyber threat indicator may be retained;
(C) include requirements to safeguard cyber threat
indicators containing personal information or information
that identifies specific persons from unauthorized access or
acquisition, including appropriate sanctions for activities
by officers, employees, or agents of the Federal Government
in contravention of such guidelines;
(D) include procedures for notifying entities and Federal
entities if information received pursuant to this section is
known or determined by a Federal entity receiving such
information not to constitute a cyber threat indicator;
(E) protect the confidentiality of cyber threat indicators
containing personal information or information that
identifies specific persons to the greatest extent
practicable and require recipients to be informed that such
indicators may only be used for purposes authorized under
this title; and
(F) include steps that may be needed so that dissemination
of cyber threat indicators is consistent with the protection
of classified and other sensitive national security
information.
(c) Capability and Process Within the Department of
Homeland Security.--
(1) In general.--Not later than 90 days after the date of
the enactment of this Act, the Secretary of Homeland
Security, in coordination with the heads of the appropriate
Federal entities, shall develop and implement a capability
and process within the Department of Homeland Security that--
(A) shall accept from any entity in real time cyber threat
indicators and defensive measures, pursuant to this section;
(B) shall, upon submittal of the certification under
paragraph (2) that such capability and process fully and
effectively operates as described in such paragraph, be the
process by which the Federal Government receives cyber threat
indicators and defensive measures under this title that are
shared by a private entity with the Federal Government
through electronic mail or media, an interactive form on an
Internet website, or a real time, automated process between
information systems except--
(i) consistent with section 104, communications between a
Federal entity and a private entity regarding a previously
shared cyber threat indicator to describe the relevant
cybersecurity threat or develop a defensive measure based on
such cyber threat indicator; and
(ii) communications by a regulated entity with such
entity's Federal regulatory authority regarding a
cybersecurity threat;
(C) ensures that all of the appropriate Federal entities
receive in an automated manner such cyber threat indicators
shared through the real-time process within the Department of
Homeland Security;
(D) is in compliance with the policies, procedures, and
guidelines required by this section; and
(E) does not limit or prohibit otherwise lawful disclosures
of communications, records, or other information, including--
(i) reporting of known or suspected criminal activity, by
an entity to any other entity or a Federal entity;
(ii) voluntary or legally compelled participation in a
Federal investigation; and
(iii) providing cyber threat indicators or defensive
measures as part of a statutory or authorized contractual
requirement.
(2) Certification.--Not later than 10 days prior to the
implementation of the capability and process required by
paragraph (1), the Secretary of Homeland Security shall, in
consultation with the heads of the appropriate Federal
entities, certify to Congress whether such capability and
process fully and effectively operates--
(A) as the process by which the Federal Government receives
from any entity a cyber threat indicator or defensive measure
under this title; and
(B) in accordance with the policies, procedures, and
guidelines developed under this section.
(3) Public notice and access.--The Secretary of Homeland
Security shall ensure there is public notice of, and access
to, the capability and process developed and implemented
under paragraph (1) so that--
(A) any entity may share cyber threat indicators and
defensive measures through such process with the Federal
Government; and
(B) all of the appropriate Federal entities receive such
cyber threat indicators and defensive measures in real time
with receipt through the process within the Department of
Homeland Security.
(4) Other federal entities.--The process developed and
implemented under paragraph (1) shall ensure that other
Federal entities receive in a timely manner any cyber threat
indicators and defensive measures shared with the Federal
Government through such process.
(5) Report on development and implementation.--
(A) In general.--Not later than 60 days after the date of
the enactment of this Act, the Secretary of Homeland Security
shall submit to Congress a report on the development and
implementation of the capability and process required by
paragraph (1), including a description of such capability and
process and the public notice of, and access to, such
process.
(B) Classified annex.--The report required by subparagraph
(A) shall be submitted in unclassified form, but may include
a classified annex.
(d) Information Shared With or Provided to the Federal
Government.--
(1) No waiver of privilege or protection.--The provision of
cyber threat indicators and defensive measures to the Federal
Government under this title shall not constitute a waiver of
any applicable privilege or protection provided by law,
including trade secret protection.
(2) Proprietary information.--Consistent with section
104(c)(2), a cyber threat indicator or defensive measure
provided by an entity to the Federal Government under this
title shall be considered the commercial, financial, and
proprietary information of such entity when so designated by
the originating entity or a third party acting in accordance
with the written authorization of the originating entity.
(3) Exemption from disclosure.--Cyber threat indicators and
defensive measures provided to the Federal Government under
this title shall be--
(A) deemed voluntarily shared information and exempt from
disclosure under section 552 of title 5, United States Code,
and any State, tribal, or local law requiring disclosure of
information or records; and
(B) withheld, without discretion, from the public under
section 552(b)(3)(B) of title 5, United States Code, and any
State, tribal, or local provision of law requiring disclosure
of information or records.
(4) Ex parte communications.--The provision of a cyber
threat indicator or defensive measure to the Federal
Government under this title shall not be subject to a rule of
any Federal agency or department or any judicial doctrine
regarding ex parte communications with a decision-making
official.
(5) Disclosure, retention, and use.--
(A) Authorized activities.--Cyber threat indicators and
defensive measures provided to the Federal Government under
this title may be disclosed to, retained by, and used by,
consistent with otherwise applicable provisions of Federal
law, any Federal agency or department, component, officer,
employee, or agent of the Federal Government solely for--
(i) a cybersecurity purpose;
(ii) the purpose of identifying a cybersecurity threat,
including the source of such cybersecurity threat, or a
security vulnerability;
(iii) the purpose of identifying a cybersecurity threat
involving the use of an information system by a foreign
adversary or terrorist;
(iv) the purpose of responding to, or otherwise preventing
or mitigating, an imminent threat of death, serious bodily
harm, or serious economic harm, including a terrorist act or
a use of a weapon of mass destruction;
(v) the purpose of responding to, or otherwise preventing
or mitigating, a serious threat to a minor, including sexual
exploitation and threats to physical safety; or
(vi) the purpose of preventing, investigating, disrupting,
or prosecuting an offense arising out of a threat described
in clause (iv) or any of the offenses listed in--
(I) sections 1028 through 1030 of title 18, United States
Code (relating to fraud and identity theft);
(II) chapter 37 of such title (relating to espionage and
censorship); and
(III) chapter 90 of such title (relating to protection of
trade secrets).
(B) Prohibited activities.--Cyber threat indicators and
defensive measures provided to the Federal Government under
this title shall not be disclosed to, retained by, or used by
any Federal agency or department for any use not permitted
under subparagraph (A).
(C) Privacy and civil liberties.--Cyber threat indicators
and defensive measures provided to the Federal Government
under this title shall be retained, used, and disseminated by
the Federal Government--
(i) in accordance with the policies, procedures, and
guidelines required by subsections (a) and (b);
(ii) in a manner that protects from unauthorized use or
disclosure any cyber threat indicators that may contain
personal information or information that identifies specific
persons; and
(iii) in a manner that protects the confidentiality of
cyber threat indicators containing personal information or
information that identifies a specific person.
(D) Federal regulatory authority.--
(i) In general.--Except as provided in clause (ii), cyber
threat indicators and defensive measures provided to the
Federal Government under this title shall not be directly
used by any Federal, State, tribal, or local government to
regulate, including an enforcement action, the lawful
activities of any entity, including activities relating to
monitoring, operating defensive measures, or sharing cyber
threat indicators.
(ii) Exceptions.--
(I) Regulatory authority specifically relating to
prevention or mitigation of cybersecurity threats.--Cyber
threat indicators and defensive measures provided to the
Federal Government under this title may, consistent with
Federal or State regulatory authority specifically relating
to the prevention or mitigation of cybersecurity threats to
information systems, inform the development or implementation
of regulations relating to such information systems.
(II) Procedures developed and implemented under this
title.--Clause (i) shall not apply to procedures developed
and implemented under this title.
SEC. 106. PROTECTION FROM LIABILITY.
(a) Monitoring of Information Systems.--No cause of action
shall lie or be maintained in any court against any private
entity, and such action shall be promptly dismissed, for the
monitoring of information systems and information under
section 104(a) that is conducted in accordance with this
title.
(b) Sharing or Receipt of Cyber Threat Indicators.--No
cause of action shall lie or be maintained in any court
against any entity, and such action shall be promptly
dismissed, for the sharing or receipt of cyber threat
indicators or defensive measures under section 104(c) if--
(1) such sharing or receipt is conducted in accordance with
this title; and
(2) in a case in which a cyber threat indicator or
defensive measure is shared with the Federal Government, the
cyber threat indicator or defensive measure is shared in a
manner that is consistent with section 105(c)(1)(B) and the
sharing or receipt, as the case may be, occurs after the
earlier of--
(A) the date on which the interim policies and procedures
are submitted to Congress under section 105(a)(1) and
guidelines are submitted to Congress under section 105(b)(1);
or
(B) the date that is 60 days after the date of the
enactment of this Act.
(c) Construction.--Nothing in this section shall be
construed--
(1) to require dismissal of a cause of action against an
entity that has engaged in gross negligence or willful
misconduct in the course of conducting activities authorized
by this title; or
(2) to undermine or limit the availability of otherwise
applicable common law or statutory defenses.
SEC. 107. OVERSIGHT OF GOVERNMENT ACTIVITIES.
(a) Biennial Report on Implementation.--
(1) In general.--Not later than 1 year after the date of
the enactment of this Act, and not less frequently than once
every 2 years thereafter, the heads of the appropriate
Federal entities shall jointly submit and the Inspector
General of the Department of Homeland Security, the Inspector
General of the Intelligence Community, the Inspector General
of the Department of Justice, the Inspector General of the
Department of Defense, and the Inspector General of the
Department of Energy, in consultation with the Council of
Inspectors General on Financial Oversight, shall jointly
submit to Congress a detailed report concerning the
implementation of this title during--
(A) in the case of the first report submitted under this
paragraph, the most recent 1-year period; and
(B) in the case of any subsequent report submitted under
this paragraph, the most recent 2-year period.
(2) Contents.--Each report submitted under paragraph (1)
shall include, for the period covered by the report, the
following:
(A) An assessment of the sufficiency of the policies,
procedures, and guidelines required by section 105 in
ensuring that cyber threat indicators are shared effectively
and responsibly within the Federal Government.
(B) An evaluation of the effectiveness of real-time
information sharing through the capability and process
developed under section 105(c), including any impediments to
such real-time sharing.
(C) An assessment of the sufficiency of the procedures
developed under section 103 in ensuring that cyber threat
indicators in the possession of the Federal Government are
shared in a timely and adequate manner with appropriate
entities, or, if appropriate, are made publicly available.
(D) An assessment of whether cyber threat indicators have
been properly classified and an accounting of the number of
security clearances authorized by the Federal Government for
the purposes of this title.
(E) A review of the type of cyber threat indicators shared
with the appropriate Federal entities under this title,
including the following:
(i) The number of cyber threat indicators received through
the capability and process developed under section 105(c).
(ii) The number of times that information shared under this
title was used by a Federal entity to prosecute an offense
consistent with section 105(d)(5)(A).
(iii) The degree to which such information may affect the
privacy and civil liberties of specific persons.
(iv) A quantitative and qualitative assessment of the
effect of the sharing of such cyber threat indicators with
the Federal Government on privacy and civil liberties of
specific persons, including the number of notices that were
issued with respect to a failure to remove personal
information or information that identified a specific person
not directly related to a cybersecurity threat in accordance
with the procedures required by section 105(b)(3)(D).
(v) The adequacy of any steps taken by the Federal
Government to reduce such effect.
(F) A review of actions taken by the Federal Government
based on cyber threat indicators shared with the Federal
Government under this title, including the appropriateness of
any subsequent use or dissemination of such cyber threat
indicators by a Federal entity under section 105.
(G) A description of any significant violations of the
requirements of this title by the Federal Government.
(H) A summary of the number and type of entities that
received classified cyber threat indicators from the Federal
Government under this title and an evaluation of the risks
and benefits of sharing such cyber threat indicators.
(3) Recommendations.--Each report submitted under paragraph
(1) may include recommendations for improvements or
modifications to the authorities and processes under this
title.
(4) Form of report.--Each report required by paragraph (1)
shall be submitted in unclassified form, but may include a
classified annex.
(b) Reports on Privacy and Civil Liberties.--
(1) Biennial report from privacy and civil liberties
oversight board.--Not later than 2 years after the date of
the enactment of this Act and not less frequently than once
every 2 years thereafter, the Privacy and Civil Liberties
Oversight Board shall submit to Congress and the President a
report providing--
(A) an assessment of the effect on privacy and civil
liberties by the type of activities carried out under this
title; and
(B) an assessment of the sufficiency of the policies,
procedures, and guidelines established pursuant to section
105 in addressing concerns relating to privacy and civil
liberties.
(2) Biennial report of inspectors general.--
(A) In general.--Not later than 2 years after the date of
the enactment of this Act and not less frequently than once
every 2 years thereafter, the Inspector General of the
Department of Homeland Security, the Inspector General of the
Intelligence Community, the Inspector General of the
Department of Justice, the Inspector General of the
Department of Defense, and the Inspector General of the
Department of Energy shall, in consultation with the Council
of Inspectors General on Financial Oversight, jointly submit
to Congress a report on the receipt, use, and dissemination
of cyber threat indicators and defensive measures that have
been shared with Federal entities under this title.
(B) Contents.--Each report submitted under subparagraph (A)
shall include the following:
(i) A review of the types of cyber threat indicators shared
with Federal entities.
(ii) A review of the actions taken by Federal entities as a
result of the receipt of such cyber threat indicators.
(iii) A list of Federal entities receiving such cyber
threat indicators.
(iv) A review of the sharing of such cyber threat
indicators among Federal entities to identify inappropriate
barriers to sharing information.
(3) Recommendations.--Each report submitted under this
subsection may include such recommendations as the Privacy
and Civil Liberties Oversight Board, with respect to a report
submitted under paragraph (1), or the Inspectors General
referred to in paragraph (2)(A), with respect to a report
submitted under paragraph (2), may have for improvements or
modifications to the authorities under this title.
(4) Form.--Each report required under this subsection shall
be submitted in unclassified form, but may include a
classified annex.