[Congressional Record Volume 158, Number 113 (Thursday, July 26, 2012)]
[Senate]
[Pages S5495-S5622]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
TEXT OF AMENDMENTS
SA 2581. Mrs. HUTCHISON (for herself, Mr. McCain, Mr. Chambliss, Mr.
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of
Wisconsin) submitted an amendment intended to be proposed by her to the
bill S. 3414, to enhance the security and resiliency of the cyber and
communications infrastructure of the United States; which was ordered
to lie on the table; as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the
``Strengthening and Enhancing Cybersecurity by Using
Research, Education, Information, and Technology Act of
2012'' or ``SECURE IT''.
(b) Table of Contents.--The table of contents of this Act
is as follows:
Sec. 1. Short title; table of contents.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.
TITLE III--CRIMINAL PENALTIES
Sec. 301. Penalties for fraud and related activity in connection with
computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity
in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
Sec. 401. National High-Performance Computing Program planning and
coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology,
including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance
Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of
information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
SEC. 101. DEFINITIONS.
In this title:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in section 1(a) of the
Clayton Act (15 U.S.C. 12(a));
(B) includes section 5 of the Federal Trade Commission Act
(15 U.S.C. 45) to the extent that section 5 of that Act
applies to unfair methods of competition; and
(C) includes any State law that has the same intent and
effect as the laws under subparagraphs (A) and (B).
(3) Countermeasure.--The term ``countermeasure'' means an
automated or a manual action with defensive intent to
mitigate cyber threats.
(4) Cyber threat information.--The term ``cyber threat
information'' means information that indicates or describes--
(A) a technical or operational vulnerability or a cyber
threat mitigation measure;
(B) an action or operation to mitigate a cyber threat;
(C) malicious reconnaissance, including anomalous patterns
of network activity that appear to be transmitted for the
purpose of gathering technical information related to a
cybersecurity threat;
(D) a method of defeating a technical control;
(E) a method of defeating an operational control;
(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
(G) a method of causing a user with legitimate access to an
information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
(H) any other attribute of a cybersecurity threat or cyber
defense information that would foster situational awareness
of the United States cybersecurity posture, if disclosure of
such attribute or information is not otherwise prohibited by
law;
(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
(J) any combination of subparagraphs (A) through (I).
(5) Cybersecurity center.--The term ``cybersecurity
center'' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint
[[Page S5496]]
Operations Center, the National Cyber Investigative Joint
Task Force, the National Security Agency/Central Security
Service Threat Operations Center, the National Cybersecurity
and Communications Integration Center, and any successor
center.
(6) Cybersecurity system.--The term ``cybersecurity
system'' means a system designed or employed to ensure the
integrity, confidentiality, or availability of, or to
safeguard, a system or network, including measures intended
to protect a system or network from--
(A) efforts to degrade, disrupt, or destroy such system or
network; or
(B) theft or misappropriations of private or government
information, intellectual property, or personally
identifiable information.
(7) Entity.--
(A) In general.--The term ``entity'' means any private
entity, non-Federal government agency or department, or
State, tribal, or local government agency or department
(including an officer, employee, or agent thereof).
(B) Inclusions.--The term ``entity'' includes a government
agency or department (including an officer, employee, or
agent thereof) of the District of Columbia, the Commonwealth
of Puerto Rico, the Virgin Islands, Guam, American Samoa, the
Northern Mariana Islands, and any other territory or
possession of the United States.
(8) Federal information system.--The term ``Federal
information system'' means an information system of a Federal
department or agency used or operated by an executive agency,
by a contractor of an executive agency, or by another
organization on behalf of an executive agency.
(9) Information security.--The term ``information
security'' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
(B) confidentiality, by preserving authorized restrictions
on access and disclosure, including means for protecting
personal privacy and proprietary information; or
(C) availability, by ensuring timely and reliable access to
and use of information.
(10) Information system.--The term ``information system''
has the meaning given the term in section 3502 of title 44,
United States Code.
(11) Local government.--The term ``local government'' means
any borough, city, county, parish, town, township, village,
or other general purpose political subdivision of a State.
(12) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
(13) Operational control.--The term ``operational control''
means a security control for an information system that
primarily is implemented and executed by people.
(14) Operational vulnerability.--The term ``operational
vulnerability'' means any attribute of policy, process, or
procedure that could enable or facilitate the defeat of an
operational control.
(15) Private entity.--The term ``private entity'' means any
individual or any private group, organization, or
corporation, including an officer, employee, or agent
thereof.
(16) Significant cyber incident.--The term ``significant
cyber incident'' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
(17) Technical control.--The term ``technical control''
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
(18) Technical vulnerability.--The term ``technical
vulnerability'' means any attribute of hardware or software
that could enable or facilitate the defeat of a technical
control.
(19) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian Self-
Determination and Education Assistance Act (25 U.S.C. 450b).
SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.
(a) Voluntary Disclosure.--
(1) Private entities.--Notwithstanding any other provision
of law, a private entity may, for the purpose of preventing,
investigating, or otherwise mitigating threats to information
security, on its own networks, or as authorized by another
entity, on such entity's networks, employ countermeasures and
use cybersecurity systems in order to obtain, identify, or
otherwise possess cyber threat information.
(2) Entities.--Notwithstanding any other provision of law,
an entity may disclose cyber threat information to--
(A) a cybersecurity center; or
(B) any other entity in order to assist with preventing,
investigating, or otherwise mitigating threats to information
security.
(3) Information security providers.--If the cyber threat
information described in paragraph (1) is obtained,
identified, or otherwise possessed in the course of providing
information security products or services under contract to
another entity, that entity shall be given, at any time prior
to disclosure of such information, a reasonable opportunity
to authorize or prevent such disclosure, to request
anonymization of such information, or to request that
reasonable efforts be made to safeguard such information that
identifies specific persons from unauthorized access or
disclosure.
(b) Significant Cyber Incidents Involving Federal
Information Systems.--
(1) In general.--An entity providing electronic
communication services, remote computing services, or
information security services to a Federal department or
agency shall inform the Federal department or agency of a
significant cyber incident involving the Federal information
system of that Federal department or agency that--
(A) is directly known to the entity as a result of
providing such services;
(B) is directly related to the provision of such services
by the entity; and
(C) as determined by the entity, has impeded or will impede
the performance of a critical mission of the Federal
department or agency.
(2) Advance coordination.--A Federal department or agency
receiving the services described in paragraph (1) shall
coordinate in advance with an entity described in paragraph
(1) to develop the parameters of any information that may be
provided under paragraph (1), including clarification of the
type of significant cyber incident that will impede the
performance of a critical mission of the Federal department
or agency.
(3) Report.--A Federal department or agency shall report
information provided under this subsection to a cybersecurity
center.
(4) Construction.--Any information provided to a
cybersecurity center under paragraph (3) shall be treated in
the same manner as information provided to a cybersecurity
center under subsection (a).
(c) Information Shared With or Provided to a Cybersecurity
Center.--Cyber threat information provided to a cybersecurity
center under this section--
(1) may be disclosed to, retained by, and used by,
consistent with otherwise applicable Federal law, any Federal
agency or department, component, officer, employee, or agent
of the Federal government for a cybersecurity purpose, a
national security purpose, or in order to prevent,
investigate, or prosecute any of the offenses listed in
section 2516 of title 18, United States Code, and such
information shall not be disclosed to, retained by, or used
by any Federal agency or department for any use not permitted
under this paragraph;
(2) may, with the prior written consent of the entity
submitting such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except that if the need for immediate
disclosure prevents obtaining written consent, such consent
may be provided orally with subsequent documentation of such
consent;
(3) shall be considered the commercial, financial, or
proprietary information of the entity providing such
information to the Federal government and any disclosure
outside the Federal government may only be made upon the
prior written consent by such entity and shall not constitute
a waiver of any applicable privilege or protection provided
by law, except that if the need for immediate disclosure
prevents obtaining written consent, such consent may be
provided orally with subsequent documentation of such
consent;
(4) shall be deemed voluntarily shared information and
exempt from disclosure under section 552 of title 5, United
States Code, and any State, tribal, or local law requiring
disclosure of information or records;
(5) shall be, without discretion, withheld from the public
under section 552(b)(3)(B) of title 5, United States Code,
and any State, tribal, or local law requiring disclosure of
information or records;
(6) shall not be subject to the rules of any Federal agency
or department or any judicial doctrine regarding ex parte
communications with a decision-making official;
(7) shall not, if subsequently provided to a State, tribal,
or local government or government agency, otherwise be
disclosed or distributed to any entity by such State, tribal,
or local government or government agency without the prior
written consent of the entity submitting such information,
notwithstanding any State, tribal, or local law requiring
disclosure of information or records, except that if the need
for immediate disclosure prevents obtaining written consent,
such consent may be provided orally with subsequent
documentation of such consent; and
(8) shall not be directly used by any Federal, State,
tribal, or local department or agency to regulate the lawful
activities of an entity, including activities relating to
obtaining, identifying, or otherwise possessing
[[Page S5497]]
cyber threat information, except that the procedures required
to be developed and implemented under this title shall not be
considered regulations within the meaning of this paragraph.
(d) Procedures Relating to Information Sharing With a
Cybersecurity Center.--Not later than 60 days after the date
of enactment of this Act, the heads of each department or
agency containing a cybersecurity center shall jointly
develop, promulgate, and submit to Congress procedures to
ensure that cyber threat information shared with or provided
to--
(1) a cybersecurity center under this section--
(A) may be submitted to a cybersecurity center by an
entity, to the greatest extent possible, through a uniform,
publicly available process or format that is easily
accessible on the website of such cybersecurity center, and
that includes the ability to provide relevant details about
the cyber threat information and written consent to any
subsequent disclosures authorized by this paragraph;
(B) shall immediately be further shared with each
cybersecurity center in order to prevent, investigate, or
otherwise mitigate threats to information security across the
Federal government;
(C) is handled by the Federal government in a reasonable
manner, including consideration of the need to protect the
privacy and civil liberties of individuals through
anonymization or other appropriate methods, while fully
accomplishing the objectives of this title, and the
Federal government may undertake efforts consistent with
this subparagraph to limit the impact on privacy and civil
liberties of the sharing of cyber threat information with
the Federal government; and
(D) except as provided in this section, shall only be used,
disclosed, or handled in accordance with the provisions of
subsection (c); and
(2) a Federal agency or department under subsection (b) is
provided immediately to a cybersecurity center in order to
prevent, investigate, or otherwise mitigate threats to
information security across the Federal government.
(e) Information Shared Between Entities.--
(1) In general.--An entity sharing cyber threat information
with another entity under this title may restrict the use or
sharing of such information by such other entity.
(2) Further sharing.--Cyber threat information shared by
any entity with another entity under this title--
(A) shall only be further shared in accordance with any
restrictions placed on the sharing of such information by the
entity authorizing such sharing, such as appropriate
anonymization of such information; and
(B) may not be used by any entity to gain an unfair
competitive advantage to the detriment of the entity
authorizing the sharing of such information, except that the
conduct described in paragraph (3) shall not constitute
unfair competitive conduct.
(3) Information shared with state, tribal, or local
government or government agency.--Cyber threat information
shared with a State, tribal, or local government or
government agency under this title--
(A) may, with the prior written consent of the entity
sharing such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except if the need for immediate disclosure
prevents obtaining written consent, consent may be provided
orally with subsequent documentation of the consent;
(B) shall be deemed voluntarily shared information and
exempt from disclosure under any State, tribal, or local law
requiring disclosure of information or records;
(C) shall not be disclosed or distributed to any entity by
the State, tribal, or local government or government agency
without the prior written consent of the entity submitting
such information, notwithstanding any State, tribal, or local
law requiring disclosure of information or records, except if
the need for immediate disclosure prevents obtaining written
consent, consent may be provided orally with subsequent
documentation of the consent; and
(D) shall not be directly used by any State, tribal, or
local department or agency to regulate the lawful activities
of an entity, including activities relating to obtaining,
identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this
subparagraph.
(4) Antitrust exemption.--The exchange or provision of
cyber threat information or assistance between 2 or more
private entities under this title shall not be considered a
violation of any provision of antitrust laws if exchanged or
provided in order to assist with--
(A) facilitating the prevention, investigation, or
mitigation of threats to information security; or
(B) communicating or disclosing of cyber threat information
to help prevent, investigate or otherwise mitigate the
effects of a threat to information security.
(5) No right or benefit.--The provision of cyber threat
information to an entity under this section shall not create
a right or a benefit to similar information by such entity or
any other entity.
(f) Federal Preemption.--
(1) In general.--This section supersedes any statute or
other law of a State or political subdivision of a State that
restricts or otherwise expressly regulates an activity
authorized under this section.
(2) State law enforcement.--Nothing in this section shall
be construed to supersede any statute or other law of a State
or political subdivision of a State concerning the use of
authorized law enforcement techniques.
(3) Public disclosure.--No information shared with or
provided to a State, tribal, or local government or
government agency pursuant to this section shall be made
publicly available pursuant to any State, tribal, or local
law requiring disclosure of information or records.
(g) Civil and Criminal Liability.--
(1) General protections.--
(A) Private entities.--No cause of action shall lie or be
maintained in any court against any private entity for--
(i) the use of countermeasures and cybersecurity systems as
authorized by this title;
(ii) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(iii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
private entity.
(B) Entities.--No cause of action shall lie or be
maintained in any court against any entity for--
(i) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(ii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
entity.
(2) Construction.--Nothing in this subsection shall be
construed as creating any immunity against, or otherwise
affecting, any action brought by the Federal government, or
any agency or department thereof, to enforce any law,
executive order, or procedure governing the appropriate
handling, disclosure, and use of classified information.
(h) Otherwise Lawful Disclosures.--Nothing in this section
shall be construed to limit or prohibit otherwise lawful
disclosures of communications, records, or other information
by a private entity to any other governmental or private
entity not covered under this section.
(i) Whistleblower Protection.--Nothing in this Act shall be
construed to preempt or preclude any employee from exercising
rights currently provided under any whistleblower law, rule,
or regulation.
(j) Relationship to Other Laws.--The submission of cyber
threat information under this section to a cybersecurity
center shall not affect any requirement under any other
provision of law for an entity to provide information to the
Federal government.
SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.
(a) Classified Information.--
(1) Procedures.--Consistent with the protection of
intelligence sources and methods, and as otherwise determined
appropriate, the Director of National Intelligence and the
Secretary of Defense, in consultation with the heads of the
appropriate Federal departments or agencies, shall develop
and promulgate procedures to facilitate and promote--
(A) the immediate sharing, through the cybersecurity
centers, of classified cyber threat information in the
possession of the Federal government with appropriately
cleared representatives of any appropriate entity; and
(B) the declassification and immediate sharing, through the
cybersecurity centers, with any entity or, if appropriate,
public availability of cyber threat information in the
possession of the Federal government;
(2) Handling of classified information.--The procedures
developed under paragraph (1) shall ensure that each entity
receiving classified cyber threat information pursuant to
this section has acknowledged in writing the ongoing
obligation to comply with all laws, executive orders, and
procedures concerning the appropriate handling, disclosure,
or use of classified information.
(b) Unclassified Cyber Threat Information.--The heads of
each department or agency containing a cybersecurity center
shall jointly develop and promulgate procedures that ensure
that, consistent with the provisions of this section,
unclassified, including controlled unclassified, cyber threat
information in the possession of the Federal government--
(1) is shared, through the cybersecurity centers, in an
immediate and adequate manner with appropriate entities; and
(2) if appropriate, is made publicly available.
(c) Development of Procedures.--
(1) In general.--The procedures developed under this
section shall incorporate, to the greatest extent possible,
existing processes utilized by sector specific information
sharing and analysis centers.
(2) Coordination with entities.--In developing the
procedures required under this section, the Director of
National Intelligence and the heads of each department or
agency containing a cybersecurity center shall coordinate
with appropriate entities to ensure that protocols are
implemented that will facilitate and promote the sharing of
cyber threat information by the Federal government.
[[Page S5498]]
(d) Additional Responsibilities of Cybersecurity Centers.--
Consistent with section 102, a cybersecurity center shall--
(1) facilitate information sharing, interaction, and
collaboration among and between cybersecurity centers and--
(A) other Federal entities;
(B) any entity; and
(C) international partners, in consultation with the
Secretary of State;
(2) disseminate timely and actionable cybersecurity threat,
vulnerability, mitigation, and warning information, including
alerts, advisories, indicators, signatures, and mitigation
and response measures, to improve the security and protection
of information systems; and
(3) coordinate with other Federal entities, as appropriate,
to integrate information from across the Federal government
to provide situational awareness of the cybersecurity posture
of the United States.
(e) Sharing Within the Federal Government.--The heads of
appropriate Federal departments and agencies shall ensure
that cyber threat information in the possession of such
Federal departments or agencies that relates to the
prevention, investigation, or mitigation of threats to
information security across the Federal government is shared
effectively with the cybersecurity centers.
(f) Submission to Congress.--Not later than 60 days after
the date of enactment of this Act, the Director of National
Intelligence, in coordination with the appropriate head of a
department or an agency containing a cybersecurity center,
shall submit the procedures required by this section to
Congress.
SEC. 104. CONSTRUCTION.
(a) Information Sharing Relationships.--Nothing in this
title shall be construed--
(1) to limit or modify an existing information sharing
relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship
between any entity and the Federal government, except as
specified under section 102(b); or
(4) to modify the authority of a department or agency of
the Federal government to protect sources and methods and the
national security of the United States.
(b) Anti-tasking Restriction.--Nothing in this title shall
be construed to permit the Federal government--
(1) to require an entity to share information with the
Federal government, except as expressly provided under
section 102(b); or
(2) to condition the sharing of cyber threat information
with an entity on such entity's provision of cyber threat
information to the Federal government.
(c) No Liability for Non-participation.--Nothing in this
title shall be construed to subject any entity to liability
for choosing not to engage in the voluntary activities
authorized under this title.
(d) Use and Retention of Information.--Nothing in this
title shall be construed to authorize, or to modify any
existing authority of, a department or agency of the Federal
government to retain or use any information shared under
section 102 for any use other than a use permitted under
subsection 102(c)(1).
(e) No New Funding.--An applicable Federal agency shall
carry out the provisions of this title with existing
facilities and funds otherwise available, through such means
as the head of the agency considers appropriate.
SEC. 105. REPORT ON IMPLEMENTATION.
(a) Content of Report.--Not later than 1 year after the
date of enactment of this Act, and biennially thereafter, the
heads of each department or agency containing a cybersecurity
center shall jointly submit, in coordination with the privacy
and civil liberties officials of such departments or agencies
and the Privacy and Civil Liberties Oversight Board, a
detailed report to Congress concerning the implementation of
this title, including--
(1) an assessment of the sufficiency of the procedures
developed under section 103 of this Act in ensuring that
cyber threat information in the possession of the Federal
government is provided in an immediate and adequate manner to
appropriate entities or, if appropriate, is made publicly
available;
(2) an assessment of whether information has been
appropriately classified and an accounting of the number of
security clearances authorized by the Federal government for
purposes of this title;
(3) a review of the type of cyber threat information shared
with a cybersecurity center under section 102 of this Act,
including whether such information meets the definition of
cyber threat information under section 101, the degree to
which such information may impact the privacy and civil
liberties of individuals, any appropriate metrics to
determine any impact of the sharing of such information with
the Federal government on privacy and civil liberties, and
the adequacy of any steps taken to reduce such impact;
(4) a review of actions taken by the Federal government
based on information provided to a cybersecurity center under
section 102 of this Act, including the appropriateness of any
subsequent use under section 102(c)(1) of this Act and
whether there was inappropriate stovepiping within the
Federal government of any such information;
(5) a description of any violations of the requirements of
this title by the Federal government;
(6) a classified list of entities that received classified
information from the Federal government under section 103 of
this Act and a description of any indication that such
information may not have been appropriately handled;
(7) a summary of any breach of information security, if
known, attributable to a specific failure by any entity or
the Federal government to act on cyber threat information in
the possession of such entity or the Federal government that
resulted in substantial economic harm or injury to a specific
entity or the Federal government; and
(8) any recommendation for improvements or modifications to
the authorities under this title.
(b) Form of Report.--The report under subsection (a) shall
be submitted in unclassified form, but shall include a
classified annex.
SEC. 106. INSPECTOR GENERAL REVIEW.
(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency is authorized to review compliance
by the cybersecurity centers, and by any Federal department
or agency receiving cyber threat information from such
cybersecurity centers, with the procedures required under
section 102 of this Act.
(b) Scope of Review.--The review under subsection (a) shall
consider whether the Federal government has handled such
cyber threat information in a reasonable manner, including
consideration of the need to protect the privacy and civil
liberties of individuals through anonymization or other
appropriate methods, while fully accomplishing the objectives
of this title.
(c) Report to Congress.--Each review conducted under this
section shall be provided to Congress not later than 30 days
after the date of completion of the review.
SEC. 107. TECHNICAL AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
(1) in paragraph (8), by striking ``or'';
(2) in paragraph (9), by striking ``wells.'' and inserting
``wells; or''; and
(3) by adding at the end the following:
``(10) information shared with or provided to a
cybersecurity center under section 102 of title I of the
Strengthening and Enhancing Cybersecurity by Using Research,
Education, Information, and Technology Act of 2012.''.
SEC. 108. ACCESS TO CLASSIFIED INFORMATION.
(a) Authorization Required.--No person shall be provided
with access to classified information (as defined in section
6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to
classified national security information)) relating to cyber
security threats or cyber security vulnerabilities under this
title without the appropriate security clearances.
(b) Security Clearances.--The appropriate Federal agencies
or departments shall, consistent with applicable procedures
and requirements, and if otherwise deemed appropriate, assist
an individual in timely obtaining an appropriate security
clearance where such individual has been determined to be
eligible for such clearance and has a need-to-know (as
defined in section 6.1 of that Executive Order) classified
information to carry out this title.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY
POLICY.
(a) In General.--Chapter 35 of title 44, United States
Code, is amended by striking subchapters II and III and
inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the
effectiveness of information security controls over
information resources that support Federal operations and
assets;
``(2) to recognize the highly networked nature of the
current Federal computing environment and provide effective
government-wide management of policies, directives,
standards, and guidelines, as well as effective and nimble
oversight of and response to information security risks,
including coordination of information security efforts
throughout the Federal civilian, national security, and law
enforcement communities;
``(3) to provide for development and maintenance of
controls required to protect agency information and
information systems and contribute to the overall improvement
of agency information security posture;
``(4) to provide for the development of tools and methods
to assess and respond to real-time situational risk for
Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency
information security programs through continuous monitoring
of agency information systems and streamlined reporting
requirements rather than overly prescriptive manual
reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security'
means security commensurate with the risk and magnitude of
the harm resulting from the unauthorized access to or loss,
misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the
term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity
center' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat
information' means information that indicates or describes--
``(A) a technical or operation vulnerability or a cyber
threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous
patterns of network activity that appear to be transmitted
for the purpose of gathering technical information related to
a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
``(G) a method of causing a user with legitimate access to
an information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
``(H) any other attribute of a cybersecurity threat or
cyber defense information that would foster situational
awareness of the United States cybersecurity posture, if
disclosure of such attribute or information is not otherwise
prohibited by law;
``(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of
the Office of Management and Budget unless otherwise
specified.
``(6) Environment of operation.--The term `environment of
operation' means the information system and environment in
which those systems operate, including changing threats,
vulnerabilities, technologies, and missions and business
practices.
``(7) Federal information system.--The term `Federal
information system' means an information system used or
operated by an executive agency, by a contractor of an
executive agency, or by another organization on behalf of an
executive agency.
``(8) Incident.--The term `incident' means an occurrence
that--
``(A) actually or imminently jeopardizes the integrity,
confidentiality, or availability of an information system or
the information that system controls, processes, stores, or
transmits; or
``(B) constitutes a violation of law or an imminent threat
of violation of a law, a security policy, a security
procedure, or an acceptable use policy.
``(9) Information resources.--The term `information
resources' has the meaning given the term in section 3502 of
title 44.
``(10) Information security.--The term `information
security' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
``(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized
restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access
to and use of information.
``(11) Information system.--The term `information system'
has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information
technology' has the meaning given the term in section 11101
of title 40.
``(13) Malicious reconnaissance.--The term `malicious
reconnaissance' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system'
means any information system (including any
telecommunications system) used or operated by an agency or
by a contractor of an agency, or other organization on behalf
of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national
security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a
weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the
direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established
for information that have been specifically authorized under
criteria established by an Executive Order or an Act of
Congress to be kept classified in the interest of national
defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include
a system that is to be used for routine administrative and
business applications (including payroll, finance, logistics,
and personnel management applications).
``(15) Operational control.--The term `operational control'
means a security control for an information system that
primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the
term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary
of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means
the management, operational, and technical controls,
including safeguards or countermeasures, prescribed for an
information system to protect the confidentiality, integrity,
and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant
cyber incident' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
``(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
``(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
``(20) Technical control.--The term `technical control'
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
``Sec. 3553. Federal information security authority and
coordination
``(a) In General.--The Secretary, in consultation with the
Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives
governing agency information security operations, and require
implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards
and guidelines promulgated under section 11331 of title 40 to
identify and provide information security protections
prioritized and commensurate with the risk and impact
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf
of an agency; or
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(B) minimum operational requirements for Federal
Government to protect agency information systems and provide
common situational awareness across all agency information
systems;
``(C) reporting requirements, consistent with relevant law,
regarding information security incidents and cyber threat
information;
``(D) requirements for agencywide information security
programs;
``(E) performance requirements and metrics for the security
of agency information systems;
``(F) training requirements to ensure that agencies are
able to fully and timely comply with the policies and
directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil
rights, and civil liberties, and information oversight for
agency information security personnel;
``(H) requirements for the annual reports to the Secretary
under section 3554(d);
``(I) any other information security operations or
information security requirements as determined by the
Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and
guidelines under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) with agencies
and offices operating or exercising control of national
security systems (including the National Security Agency) to
assure, to the maximum extent feasible, that such standards
and guidelines are complementary with standards and
guidelines developed for national security systems;
``(2) review the agencywide information security programs
under section 3554; and
``(3) designate an individual or an entity at each
cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information
security incidents, cyber threat information, and
deterioration of security control affecting agency
information systems; and
``(B) to act on or share the information under subparagraph
(A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives
under subsection (a), the Secretary shall consider any
applicable standards or guidelines developed by the National
Institute of Standards and Technology under section 11331 of
title 40.
``(c) Limitation of Authority.--The authorities of the
Secretary under this section
shall not apply to national security systems. Information
security policies, directives, standards and guidelines for
national security systems shall be overseen as directed by
the President and, in accordance with that direction, carried
out under the authority of the heads of agencies that operate
or exercise authority over such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter
shall be construed to alter or amend any law regarding the
authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued
under section 3553;
``(B) providing information security protections
commensurate with the risk resulting from unauthorized
access, use, disclosure, disruption, modification, or
destruction of--
``(i) information collected or maintained by the agency or
by a contractor of an agency or other organization on behalf
of an agency; and
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(C) complying with the requirements of this subchapter,
including--
``(i) information security standards and guidelines
promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued as directed by
the President; and
``(iii) for any non-national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued under section
3553;
``(D) ensuring that information security management
processes are integrated with agency strategic and
operational planning processes;
``(E) reporting and sharing, for an agency operating or
exercising control of a national security system, information
about information security incidents, cyber threat
information, and deterioration of security controls to the
individual or entity designated at each cybersecurity center
and to other appropriate entities consistent with policies
and directives for national security systems issued as
directed by the President; and
``(F) reporting and sharing, for those agencies operating
or exercising control of non-national security systems,
information about information security incidents, cyber
threat information, and deterioration of security controls to
the individual or entity designated at each cybersecurity
center and to other appropriate entities consistent with
policies and directives for non-national security systems as
prescribed under section 3553(a), including information to
assist the entity designated under section 3555(a) with the
ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides
information security for the information and information
systems that support the operations and assets under the
senior agency official's control, including by--
``(A) assessing the risk and impact that could result from
the unauthorized access, use, disclosure, disruption,
modification, or destruction of such information or
information systems;
``(B) determining the level of information security
appropriate to protect such information and information
systems in accordance with policies and directives issued
under section 3553(a), and standards and guidelines
promulgated under section 11331 of title 40 for information
security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities
to reduce risks to an acceptable level in a cost-effective
manner;
``(D) actively monitoring the effective implementation of
information security controls and techniques; and
``(E) reporting information about information security
incidents, cyber threat information, and deterioration of
security controls in a timely and adequate manner to the
entity designated under section 3553(a)(3) in accordance with
paragraph (1);
``(3) assess and maintain the resiliency of information
technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an
independent entity selected in consultation with the Director
and the Council of Inspectors General on Integrity and
Efficiency if the agency does not have an Inspector General)
to conduct the annual independent evaluation required under
section 3556, and allow the agency Inspector General to
contract with an independent entity to perform such
evaluation;
``(5) delegate to the Chief Information Officer or
equivalent (or to a senior agency official who reports to the
Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement
an agencywide information security program; and
``(B) the authority to provide information security for the
information collected and maintained by the agency (or by a
contractor, other agency, or other source on behalf of the
agency) and for the information systems that support the
operations, assets, and mission of the agency (including any
information system provided or managed by a contractor, other
agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is
responsible for a particular agency system or subsystem) the
responsibility to ensure and enforce compliance with all
requirements of the agency's agencywide information security
program in coordination with the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have
obtained any necessary security clearances to permit them to
assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5),
in coordination with other senior agency officials, reports
to the agency head on the effectiveness of the agencywide
information security program, including the progress of any
remedial actions; and
``(9) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5)
has the necessary qualifications to administer the functions
described in this subchapter and has information security
duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information
Officer or equivalent (or the senior agency official who
reports to the Chief Information Officer or equivalent) under
subsection (a)(5) shall--
``(1) establish and maintain an enterprise security
operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds
to information security incidents that impair adequate
security of the agency's information or information system in
a timely manner and in accordance with the policies and
directives under section 3553; and
``(B) reports any information security incident under
subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide
information security program;
``(3) develop, maintain, and oversee information security
policies, procedures, and control techniques to address
applicable requirements, including requirements under section
3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have
significant responsibility for information security with
respect to that responsibility.
``(c) Agencywide Information Security Programs.--
``(1) In general.--Each agencywide information security
program under subsection (b)(2) shall include--
``(A) relevant security risk assessments, including
technical assessments and others related to the acquisition
process;
``(B) security testing commensurate with risk and impact;
``(C) mitigation of deterioration of security controls
commensurate with risk and impact;
``(D) risk-based continuous monitoring and threat
assessment of the operational status and security of agency
information systems to enable evaluation of the effectiveness
of and compliance with information security policies,
procedures, and practices, including a relevant and
appropriate selection of security controls of information
systems identified in the inventory under section 3505(c);
``(E) operation of appropriate technical capabilities in
order to detect, mitigate, report, and respond to information
security incidents, cyber threat information, and
deterioration of security controls in a manner that is
consistent with the policies and directives under section
3553, including--
``(i) mitigating risks associated with such information
security incidents;
``(ii) notifying and consulting with the entity designated
under section 3555; and
``(iii) notifying and consulting with, as appropriate--
``(I) law enforcement and the relevant Office of the
Inspector General; and
``(II) any other entity, in accordance with law and as
directed by the President;
``(F) a process to ensure that remedial action is taken to
address any deficiencies in the information security
policies, procedures, and practices of the agency; and
``(G) a plan and procedures to ensure the continuity of
operations for information systems that support the
operations and assets of the agency.
``(2) Risk management strategies.--Each agencywide
information security program under subsection (b)(2) shall
include the development and maintenance of a risk management
strategy for information security. The risk management
strategy shall include--
``(A) consideration of information security incidents,
cyber threat information, and deterioration of security
controls; and
``(B) consideration of the consequences that could result
from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information
systems that support the operations and assets of the agency,
including any information system provided or managed by a
contractor, other agency, or other source on behalf of the
agency;
``(3) Policies and procedures.--Each agencywide information
security program under subsection (b)(2) shall include
policies and procedures that--
``(A) are based on the risk management strategy under
paragraph (2);
``(B) reduce information security risks to an acceptable
level in a cost-effective manner;
``(C) ensure that cost-effective and adequate information
security is addressed as part of the acquisition and ongoing
management of each agency information system; and
``(D) ensure compliance with--
``(i) this subchapter; and
``(ii) any other applicable requirements.
``(4) Training requirements.--Each agencywide information
security program under subsection (b)(2) shall include
information security, privacy, civil rights, civil liberties,
and information oversight training that meets any applicable
requirements under section 3553. The training shall inform
each information security personnel that has access to agency
information systems (including contractors and other users of
information systems that support the operations and assets of
the agency) of--
``(A) the information security risks associated with the
information security personnel's activities; and
``(B) the individual's responsibility to comply with the
agency policies and procedures that reduce the risks under
subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report
annually to the Secretary of Homeland Security on its
agencywide information security program and information
systems.
``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of
Management and Budget, in coordination with the Secretary of
Homeland Security, shall designate an entity to implement
ongoing security analysis concerning agency information
systems--
``(1) based on cyber threat information;
``(2) based on agency information system and environment of
operation changes, including--
``(A) an ongoing evaluation of the information system
security controls; and
``(B) the security state, risk level, and environment of
operation of an agency information system, including--
``(i) a change in risk level due to a new cyber threat;
``(ii) a change resulting from a new technology;
``(iii) a change resulting from the agency's mission; and
``(iv) a change resulting from the business practice; and
``(3) using automated processes to the maximum extent
possible--
``(A) to increase information system security;
``(B) to reduce paper-based reporting requirements; and
``(C) to maintain timely and actionable knowledge of the
state of the information system security.
``(b) Standards.--The National Institute of Standards and
Technology may promulgate standards, in coordination with the
Secretary of Homeland Security, to assist an agency with its
duties under this section.
``(c) Compliance.--The head of each appropriate department
and agency shall be responsible for ensuring compliance and
implementing necessary procedures to comply with this
section. The head of each appropriate department and agency,
in consultation with the Director of the Office of Management
and Budget and the Secretary of Homeland Security, shall--
``(1) monitor compliance under this section;
``(2) develop a timeline and implement for the department
or agency--
``(A) adoption of any technology, system, or method that
facilitates continuous monitoring and threat assessments of
an agency information system;
``(B) adoption or updating of any technology, system, or
method that prevents, detects, or remediates a significant
cyber incident to a Federal information system of the
department or agency that has impeded, or is reasonably
likely to impede, the performance of a critical mission of
the department or agency; and
``(C) adoption of any technology, system, or method that
satisfies a requirement under this section.
``(d) Limitation of Authority.--The authorities of the
Director of the Office of Management and Budget and of the
Secretary of Homeland Security under this section shall not
apply to national security systems.
``(e) Report.--Not later than 6 months after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Government Accountability Office shall issue a
report evaluating each agency's status toward implementing
this section.
``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency, in consultation with the Director
and the Secretary of Homeland Security, the Secretary of
Commerce, and the Secretary of Defense, shall issue and
maintain criteria for the timely, cost-effective, risk-based,
and independent evaluation of each agencywide information
security program (and practices) to determine the
effectiveness of the agencywide information security program
(and practices). The criteria shall include measures to
assess any conflicts of interest in the performance of the
evaluation and whether the agencywide information security
program includes appropriate safeguards against disclosure of
information where such disclosure may adversely affect
information security.
``(b) Annual Independent Evaluations.--Each agency shall
perform an annual independent evaluation of its agencywide
information security program (and practices) in accordance
with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days
after receiving an independent evaluation under subsection
(b), each agency head shall transmit a copy of the
independent evaluation to the Secretary of Homeland Security,
the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving
national security systems shall be conducted as directed by
the President.
``Sec. 3557. National security systems.
``The head of each agency operating or exercising control
of a national security system shall be responsible for
ensuring that the agency--
``(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of the information
contained in such system; and
``(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with law and
as directed by the President.''.
(b) Savings Provisions.--
(1) Policy and compliance guidance.--Policy and compliance
guidance issued by the Director before the date of enactment
of this Act under section 3543(a)(1) of title 44, United
States Code (as in effect on the day before the date of
enactment of this Act), shall continue in effect, according
to its terms, until modified, terminated, superseded, or
repealed pursuant to section 3553(a)(1) of title 44, United
States Code.
(2) Standards and guidelines.--Standards and guidelines
issued by the Secretary of Commerce or by the Director before
the date of enactment of this Act under section 11331(a)(1)
of title 40, United States Code, (as in effect on the day
before the date of enactment of this Act) shall continue in
effect, according to their terms, until modified, terminated,
superseded, or repealed pursuant to section 11331(a)(1) of
title 40, United States Code, as amended by this Act.
(c) Technical and Conforming Amendments.--
(1) Chapter analysis.--The chapter analysis for chapter 35
of title 44, United States Code, is amended--
(A) by striking the items relating to sections 3531 through
3538;
(B) by striking the items relating to sections 3541 through
3549; and
(C) by inserting the following:
``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
(2) Other references.--
(A) Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section
3532(3)'' and inserting ``section 3552''.
(B) Section 2222(j)(5) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(C) Section 2223(c)(3) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(D) Section 2315 of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(E) Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking ``section
3532(b)(2)'' and inserting ``section 3552'';
(ii) in subsection (c)(3), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iii) in subsection (d)(1), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iv) in subsection (d)(8) by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(v) in subsection (d)(8), by striking ``submitted to the
Director'' and inserting ``submitted to the Secretary'';
(vi) in subsection (e)(2), by striking ``section 3532(1) of
such title'' and inserting ``section 3552 of title 44''; and
(vii) in subsection (e)(5), by striking ``section
3532(b)(2) of such title'' and inserting ``section 3552 of
title 44''.
(F) Section 8(d)(1) of the Cyber Security Research and
Development Act (15 U.S.C. 7406(d)(1)) is amended by striking
``section 3534(b)'' and inserting ``section 3554(b)(2)''.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General.--Section 11331 of title 40, United States
Code, is amended to read as follows:
``Sec. 11331. Responsibilities for Federal information
systems standards
``(a) Standards and Guidelines.--
``(1) Authority to prescribe.--Except as provided under
paragraph (2), the Secretary of Commerce shall prescribe
standards and guidelines pertaining to Federal information
systems--
``(A) in consultation with the Secretary of Homeland
Security; and
``(B) on the basis of standards and guidelines developed by
the National Institute of Standards and Technology under
paragraphs (2) and (3) of section 20(a) of the National
Institute of Standards and Technology Act (15 U.S.C. 278g-
3(a)(2) and (a)(3)).
``(2) National security systems.--Standards and guidelines
for national security systems shall be developed, prescribed,
enforced, and overseen as otherwise authorized by law and as
directed by the President.
``(b) Mandatory Standards and Guidelines.--
``(1) Authority to make mandatory standards and
guidelines.--The Secretary of Commerce shall make standards
and guidelines under subsection (a)(1) compulsory and binding
to the extent determined necessary by the Secretary of
Commerce to improve the efficiency of operation or security
of Federal information systems.
``(2) Required mandatory standards and guidelines.--
``(A) In general.--Standards and guidelines under
subsection (a)(1) shall include information security
standards that--
``(i) provide minimum information security requirements as
determined under section 20(b) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(b)); and
``(ii) are otherwise necessary to improve the security of
Federal information and information systems.
``(B) Binding effect.--Information security standards under
subparagraph (A) shall be compulsory and binding.
``(c) Exercise of Authority.--To ensure fiscal and policy
consistency, the Secretary of Commerce shall exercise the
authority conferred by this section subject to direction by
the President and in coordination with the Director.
``(d) Application of More Stringent Standards and
Guidelines.--The head of an executive agency may employ
standards for the cost-effective information security for
information systems within or under the supervision of that
agency that are more stringent than the standards and
guidelines the Secretary of Commerce prescribes under this
section if the more stringent standards and guidelines--
``(1) contain at least the applicable standards and
guidelines made compulsory and binding by the Secretary of
Commerce; and
``(2) are otherwise consistent with the policies,
directives, and implementation memoranda issued under section
3553(a) of title 44.
``(e) Decisions on Promulgation of Standards and
Guidelines.--The decision by the Secretary of Commerce
regarding the promulgation of any standard or guideline under
this section shall occur not later than 6 months after the
date of submission of the proposed standard to the Secretary
of Commerce by the National Institute of Standards and
Technology under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3).
``(f) Notice and Comment.--A decision by the Secretary of
Commerce to significantly modify, or not promulgate, a
proposed standard submitted to the Secretary by the National
Institute of Standards and Technology under section 20 of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3) shall be made after the public is given an
opportunity to comment on the Secretary's proposed decision.
``(g) Definitions.--In this section:
``(1) Federal information system.--The term `Federal
information system' has the meaning given the term in section
3552 of title 44.
``(2) Information security.--The term `information
security' has the meaning given the term in section 3552 of
title 44.
``(3) National security system.--The term `national
security system' has the meaning given the term in section
3552 of title 44.''.
SEC. 203. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.
Section 21(b) of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-4(b)) is amended--
(1) in paragraph (2), by striking ``and the Director of the
Office of Management and Budget'' and inserting ``, the
Secretary of Commerce, and the Secretary of Homeland
Security''; and
(2) in paragraph (3), by inserting ``, the Secretary of
Homeland Security,'' after ``the Secretary of Commerce''.
SEC. 205. CLARIFICATION OF AUTHORITIES.
Nothing in this title shall be construed to convey any new
regulatory authority to any government entity implementing or
complying with any provision of this title.
TITLE III--CRIMINAL PENALTIES
SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN
CONNECTION WITH COMPUTERS.
Section 1030(c) of title 18, United States Code, is amended
to read as follows:
``(c) The punishment for an offense under subsection (a) or
(b) of this section is--
``(1) a fine under this title or imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(1) of this section;
``(2)(A) except as provided in subparagraph (B), a fine
under this title or imprisonment for not more than 3 years,
or both, in the case of an offense under subsection (a)(2);
or
``(B) a fine under this title or imprisonment for not more
than ten years, or both, in the case of an offense under
subsection (a)(2) of this section, if--
``(i) the offense was committed for purposes of commercial
advantage or private financial gain;
``(ii) the offense was committed in the furtherance of any
criminal or tortious act in violation of the Constitution or
laws of the United States, or of any State; or
``(iii) the value of the information obtained, or that
would have been obtained if the offense was completed,
exceeds $5,000;
``(3) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(3) of this section;
``(4) a fine under this title or imprisonment of not more
than 20 years, or both, in the case of an offense under
subsection (a)(4) of this section;
``(5)(A) except as provided in subparagraph (C), a fine
under this title, imprisonment for not more than 20 years, or
both, in the case of an offense under subsection (a)(5)(A) of
this section, if the offense caused--
``(i) loss to 1 or more persons during any 1-year period
(and, for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting
from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
``(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
``(iii) physical injury to any person;
``(iv) a threat to public health or safety;
``(v) damage affecting a computer used by, or on behalf of,
an entity of the United States Government in furtherance of
the administration of justice, national defense, or national
security; or
``(vi) damage affecting 10 or more protected computers
during any 1-year period;
``(B) a fine under this title, imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(5)(B), if the offense caused a harm provided
in clause (i) through (vi) of subparagraph (A) of this
subsection;
``(C) if the offender attempts to cause or knowingly or
recklessly causes death from conduct in violation of
subsection (a)(5)(A), a fine under this title, imprisonment
for any term of years or for life, or both;
``(D) a fine under this title, imprisonment for not more
than 10 years, or both, for any other offense under
subsection (a)(5);
``(E) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(6) of this section; or
``(F) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(7) of this section.''.
SEC. 302. TRAFFICKING IN PASSWORDS.
Section 1030(a)(6) of title 18, United States Code, is
amended to read as follows:
``(6) knowingly and with intent to defraud traffics (as
defined in section 1029) in any password or similar
information or means of access through which a protected
computer (as defined in subparagraphs (A) and (B) of
subsection (e)(2)) may be accessed without authorization.''.
SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.
Section 1030(b) of title 18, United States Code, is amended
by inserting ``as if for the completed offense'' after
``punished as provided''.
SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED
ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030 of title 18, United States Code, is amended by
striking subsections (i) and (j) and inserting the following:
``(i) Criminal Forfeiture.--
``(1) The court, in imposing sentence on any person
convicted of a violation of this section, or convicted of
conspiracy to violate this section, shall order, in addition
to any other sentence imposed and irrespective of any
provision of State law, that such person forfeit to the
United States--
``(A) such person's interest in any property, real or
personal, that was used, or intended to be used, to commit or
facilitate the commission of such violation; and
``(B) any property, real or personal, constituting or
derived from any gross proceeds, or any property traceable to
such property, that such person obtained, directly or
indirectly, as a result of such violation.
``(2) The criminal forfeiture of property under this
subsection, including any seizure and disposition of the
property, and any related judicial or administrative
proceeding, shall be governed by the provisions of section
413 of the Comprehensive Drug Abuse Prevention and Control
Act of 1970 (21 U.S.C. 853), except subsection (d) of that
section.
``(j) Civil Forfeiture.--
``(1) The following shall be subject to forfeiture to the
United States and no property right, real or personal, shall
exist in them:
``(A) Any property, real or personal, that was used, or
intended to be used, to commit
or facilitate the commission of any violation of this
section, or a conspiracy to violate this section.
``(B) Any property, real or personal, constituting or
derived from any gross proceeds obtained directly or
indirectly, or any property traceable to such property, as a
result of the commission of any violation of this section, or
a conspiracy to violate this section.
``(2) Seizures and forfeitures under this subsection shall
be governed by the provisions in chapter 46 relating to civil
forfeitures, except that such duties as are imposed on the
Secretary of the Treasury under the customs laws described in
section 981(d) shall be performed by such officers, agents
and other persons as may be designated for that purpose by
the Secretary of Homeland Security or the Attorney
General.''.
SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.
(a) In General.--Chapter 47 of title 18, United States
Code, is amended by inserting after section 1030 the
following:
``Sec. 1030A. Aggravated damage to a critical infrastructure
computer
``(a) Definitions.--In this section--
``(1) the term `computer' has the meaning given the term in
section 1030;
``(2) the term `critical infrastructure computer' means a
computer that manages or controls systems or assets vital to
national defense, national security, national economic
security, public health or safety, or any combination of
those matters, whether publicly or privately owned or
operated, including--
``(A) oil and gas production, storage, conversion, and
delivery systems;
``(B) water supply systems;
``(C) telecommunication networks;
``(D) electrical power generation and delivery systems;
``(E) finance and banking systems;
``(F) emergency services;
``(G) transportation systems and services; and
``(H) government operations that provide essential services
to the public; and
``(3) the term `damage' has the meaning given the term in
section 1030.
``(b) Offense.--It shall be unlawful, during and in
relation to a felony violation of section 1030, to knowingly
cause or attempt to cause damage to a critical infrastructure
computer if the damage results in (or, in the case of an
attempt, if completed, would have resulted in) the
substantial impairment--
``(1) of the operation of the critical infrastructure
computer; or
``(2) of the critical infrastructure associated with the
computer.
``(c) Penalty.--Any person who violates subsection (b)
shall be--
``(1) fined under this title;
``(2) imprisoned for not less than 3 years but not more
than 20 years; or
``(3) penalized under paragraphs (1) and (2).
``(d) Consecutive Sentence.--Notwithstanding any other
provision of law--
``(1) a court shall not place on probation any person
convicted of a violation of this section;
``(2) except as provided in paragraph (4), no term of
imprisonment imposed on a person under this section shall run
concurrently with any other term of imprisonment, including
any term of imprisonment imposed on the person under any
other provision of law, including any term of imprisonment
imposed for a felony violation of section 1030;
``(3) in determining any term of imprisonment to be imposed
for a felony violation of section 1030, a court shall not in
any way reduce the term to be imposed for such crime so as to
compensate for, or otherwise take into account, any separate
term of imprisonment imposed or to be imposed for a violation
of this section; and
``(4) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the
court, run concurrently, in whole or in part, only with
another term of imprisonment that is imposed by the court at
the same time on that person for an additional violation of
this section, provided that such discretion shall be
exercised in accordance with any applicable guidelines and
policy statements issued by the United States Sentencing
Commission pursuant to section 994 of title 28.''.
(b) Technical and Conforming Amendment.--The chapter
analysis for chapter 47 of title 18, United States Code, is
amended by inserting after the item relating to section 1030
the following:
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code, is
amended by striking ``alter;'' and inserting ``alter, but
does not include access in violation of a contractual
obligation or agreement, such as an acceptable use policy or
terms of service agreement, with an Internet service
provider, Internet website, or non-government employer, if
such violation constitutes the sole basis for determining
that access to a protected computer is unauthorized;''.
SEC. 307. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM
PLANNING AND COORDINATION.
(a) Goals and Priorities.--Section 101 of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511) is amended
by adding at the end the following:
``(d) Goals and Priorities.--The goals and priorities for
Federal high-performance computing research, development,
networking, and other activities under subsection (a)(2)(A)
shall include--
``(1) encouraging and supporting mechanisms for
interdisciplinary research and development in networking and
information technology, including--
``(A) through collaborations across agencies;
``(B) through collaborations across Program Component
Areas;
``(C) through collaborations with industry;
``(D) through collaborations with institutions of higher
education;
``(E) through collaborations with Federal laboratories (as
defined in section 4 of the Stevenson-Wydler Technology
Innovation Act of 1980 (15 U.S.C. 3703)); and
``(F) through collaborations with international
organizations;
``(2) addressing national, multi-agency, multi-faceted
challenges of national importance; and
``(3) fostering the transfer of research and development
results into new technologies and applications for the
benefit of society.''.
(b) Development of Strategic Plan.--Section 101 of the
High-Performance Computing Act of 1991 (15 U.S.C. 5511) is
amended by adding at the end the following:
``(e) Strategic Plan.--
``(1) In general.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the agencies under subsection (a)(3)(B), working
through the National Science and Technology Council and with
the assistance of the Office of Science and Technology Policy
shall develop a 5-year strategic plan to guide the activities
under subsection (a)(1).
``(2) Contents.--The strategic plan shall specify--
``(A) the near-term objectives for the Program;
``(B) the long-term objectives for the Program;
``(C) the anticipated time frame for achieving the near-
term objectives;
``(D) the metrics that will be used to assess any progress
made toward achieving the near-term objectives and the long-
term objectives; and
``(E) how the Program will achieve the goals and priorities
under subsection (d).
``(3) Implementation roadmap.--
``(A) In general.--The agencies under subsection (a)(3)(B)
shall develop and annually update an implementation roadmap
for the strategic plan.
``(B) Requirements.--The information in the implementation
roadmap shall be coordinated with the database under section
102(c) and the annual report under section 101(a)(3). The
implementation roadmap shall--
``(i) specify the role of each Federal agency in carrying
out or sponsoring research and development to meet the
research objectives of the strategic plan, including a
description of how progress toward the research objectives
will be evaluated, with consideration of any relevant
recommendations of the advisory committee;
``(ii) specify the funding allocated to each major research
objective of the strategic plan and the source of funding by
agency for the current fiscal year; and
``(iii) estimate the funding required for each major
research objective of the strategic plan for the next 3
fiscal years.
``(4) Recommendations.--The agencies under subsection
(a)(3)(B) shall take into consideration when developing the
strategic plan under paragraph (1) the recommendations of--
``(A) the advisory committee under subsection (b); and
``(B) the stakeholders under section 102(a)(3).
``(5) Report to congress.--The Director of the Office of
Science and Technology Policy shall transmit the strategic
plan under this subsection, including the implementation
roadmap and any updates under paragraph (3), to--
``(A) the advisory committee under subsection (b);
``(B) the Committee on Commerce, Science, and
Transportation of the Senate; and
``(C) the Committee on Science and Technology of the House
of Representatives.''.
(c) Periodic Reviews.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended by adding
at the end the following:
``(f) Periodic Reviews.--The agencies under subsection
(a)(3)(B) shall--
``(1) periodically assess the contents and funding levels
of the Program Component Areas and restructure the Program
when warranted, taking into consideration any relevant
recommendations of the advisory committee under subsection
(b); and
``(2) ensure that the Program includes national, multi-
agency, multi-faceted research and development activities,
including activities described in section 104.''.
(d) Additional Responsibilities of Director.--Section
101(a)(2) of the High-Performance Computing Act of 1991 (15
U.S.C. 5511(a)(2)) is amended--
(1) by redesignating subparagraphs (E) and (F) as
subparagraphs (G) and (H), respectively; and
(2) by inserting after subparagraph (D) the following:
``(E) encourage and monitor the efforts of the agencies
participating in the Program to allocate the level of
resources and management attention necessary--
``(i) to ensure that the strategic plan under subsection
(e) is developed and executed effectively; and
``(ii) to ensure that the objectives of the Program are
met;
``(F) working with the Office of Management and Budget and
in coordination with the creation of the database under
section 102(c), direct the Office of Science and Technology
Policy and the agencies participating in the Program to
establish a mechanism (consistent with existing law) to track
all ongoing and completed research and development projects
and associated funding;''.
(e) Advisory Committee.--Section 101(b) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is
amended--
(1) in paragraph (1)--
(A) by inserting after the first sentence the following:
``The co-chairs of the advisory committee shall meet the
qualifications of committee members and may be members of the
President's Council of Advisors on Science and Technology.'';
and
(B) by striking ``high-performance'' in subparagraph (D)
and inserting ``high-end''; and
(2) by amending paragraph (2) to read as follows:
``(2) In addition to the duties under paragraph (1), the
advisory committee shall conduct periodic evaluations of the
funding, management, coordination, implementation, and
activities of the Program. The advisory committee shall
report its findings and recommendations not less frequently
than once every 3 fiscal years to the Committee on Commerce,
Science, and Transportation of the Senate and the Committee
on Science and Technology of the House of Representatives.
The report shall be submitted in conjunction with the update
of the strategic plan.''.
(f) Report.--Section 101(a)(3) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
(1) in subparagraph (C)--
(A) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(B) by striking ``each Program Component Area'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104'';
(2) in subparagraph (D)--
(A) by striking ``each Program Component Area,'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104,'';
(B) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(C) by striking ``and'' after the semicolon;
(3) by redesignating subparagraph (E) as subparagraph (G);
and
(4) by inserting after subparagraph (D) the following:
``(E) include a description of how the objectives for each
Program Component Area, and the objectives for activities
that involve multiple Program Component Areas, relate to the
objectives of the Program identified in the strategic plan
under subsection (e);
``(F) include--
``(i) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the next
fiscal year by category of activity;
``(ii) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the current
fiscal year by category of activity; and
``(iii) the amount of funding provided for the Office of
Science and Technology Policy for the current fiscal year by
each agency participating in the Program; and''.
(g) Definitions.--Section 4 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5503) is amended--
(1) by redesignating paragraphs (1) and (2) as paragraphs
(2) and (3), respectively;
(2) by redesignating paragraph (3) as paragraph (6);
(3) by redesignating paragraphs (6) and (7) as paragraphs
(7) and (8), respectively;
(4) by inserting before paragraph (2), as redesignated, the
following:
``(1) `cyber-physical systems' means physical or engineered
systems whose networking and information technology functions
and physical elements are deeply integrated and are actively
connected to the physical world through sensors, actuators,
or other means to perform monitoring and control
functions;'';
(5) in paragraph (3), as redesignated, by striking ``high-
performance computing'' and inserting ``networking and
information technology'';
(6) in paragraph (6), as redesignated--
(A) by striking ``high-performance computing'' and
inserting ``networking and information technology''; and
(B) by striking ``supercomputer'' and inserting ``high-end
computing'';
(7) in paragraph (5), by striking ``network referred to
as'' and all that follows through the semicolon and inserting
``network, including advanced computer networks of Federal
agencies and departments''; and
(8) in paragraph (7), as redesignated, by striking
``National High-Performance Computing Program'' and inserting
``networking and information technology research and
development program''.
SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
(a) Research in Areas of National Importance.--Title I of
the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et
seq.) is amended by adding at the end the following:
``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
``(a) In General.--The Program shall encourage agencies
under section 101(a)(3)(B) to support, maintain, and improve
national, multi-agency, multi-faceted, research and
development activities in networking and information
technology directed toward application areas that have the
potential for significant contributions to national economic
competitiveness and for other significant societal benefits.
``(b) Technical Solutions.--An activity under subsection
(a) shall be designed to advance the development of research
discoveries by demonstrating technical solutions to important
problems in areas including--
``(1) cybersecurity;
``(2) health care;
``(3) energy management and low-power systems and devices;
``(4) transportation, including surface and air
transportation;
``(5) cyber-physical systems;
``(6) large-scale data analysis and modeling of physical
phenomena;
``(7) large scale data analysis and modeling of behavioral
phenomena;
``(8) supply chain quality and security; and
``(9) privacy protection and protected disclosure of
confidential data.
``(c) Recommendations.--The advisory committee under
section 101(b) shall make recommendations to the Program for
candidate research and development areas for support under
this section.
``(d) Characteristics.--
``(1) In general.--Research and development activities
under this section--
``(A) shall include projects selected on the basis of
applications for support through a competitive, merit-based
process;
``(B) shall leverage, when possible, Federal investments
through collaboration with related State initiatives;
``(C) shall include a plan for fostering the transfer of
research discoveries and the results of technology
demonstration activities, including from institutions of
higher education and Federal laboratories, to industry for
commercial development;
``(D) shall involve collaborations among researchers in
institutions of higher education and industry; and
``(E) may involve collaborations among nonprofit research
institutions and Federal laboratories, as appropriate.
``(2) Cost-sharing.--In selecting applications for support,
the agencies under section 101(a)(3)(B) shall give special
consideration to projects that include cost sharing from non-
Federal sources.
``(3) Multidisciplinary research centers.--Research and
development activities under this section shall be supported
through multidisciplinary research centers, including Federal
laboratories, that are organized to investigate basic
research questions and carry out technology demonstration
activities in areas described in subsection (a). Research may
be carried out through existing multidisciplinary centers,
including those authorized under section 7024(b)(2) of the
America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
(b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is
amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking the period at the end
and inserting a semicolon; and
(3) by adding at the end the following:
``(J) provide for increased understanding of the scientific
principles of cyber-physical systems and improve the methods
available for the design, development, and operation of
cyber-physical systems that are characterized by high
reliability, safety, and security; and
``(K) provide for research and development on human-
computer interactions, visualization, and big data.''.
(c) Task Force.--Title I of the High-Performance Computing
Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section
402(a) of this Act, is amended by adding at the end the
following:
``SEC. 105. TASK FORCE.
``(a) Establishment.--Not later than 180 days after the
date of enactment of the Strengthening and Enhancing
Cybersecurity by Using Research, Education, Information, and
Technology Act of 2012, the Director of the Office of Science
and Technology Policy under section 102 shall convene a task
force to explore mechanisms for carrying out collaborative
research and development activities for cyber-physical
systems (including the related technologies required to
enable these systems) through a consortium or other
appropriate entity with participants from institutions of
higher education, Federal laboratories, and industry.
``(b) Functions.--The task force shall--
``(1) develop options for a collaborative model and an
organizational structure for such entity under which the
joint research and development activities could be planned,
managed, and conducted effectively, including mechanisms for
the allocation of resources among the participants in such
entity for support of such activities;
``(2) propose a process for developing a research and
development agenda for such entity, including guidelines to
ensure an appropriate scope of work focused on nationally
significant challenges and requiring collaboration and to
ensure the development of related scientific and
technological milestones;
``(3) define the roles and responsibilities for the
participants from institutions of higher education, Federal
laboratories, and industry in such entity;
``(4) propose guidelines for assigning intellectual
property rights and for transferring research results to the
private sector; and
``(5) make recommendations for how such entity could be
funded from Federal, State, and non-governmental sources.
``(c) Composition.--In establishing the task force under
subsection (a), the Director of the Office of Science and
Technology Policy shall appoint an equal number of
individuals from institutions of higher education and from
industry with knowledge and expertise in cyber-physical
systems, and may appoint not more than 2 individuals from
Federal laboratories.
``(d) Report.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Director of the Office of Science and Technology
Policy shall transmit to the Committee on Commerce, Science,
and Transportation of the Senate and the Committee on Science
and Technology of the House of Representatives a report
describing the findings and recommendations of the task
force.
``(e) Termination.--The task force shall terminate upon
transmittal of the report required under subsection (d).
``(f) Compensation and Expenses.--Members of the task force
shall serve without compensation.''.
SEC. 403. PROGRAM IMPROVEMENTS.
Section 102 of the High-Performance Computing Act of 1991
(15 U.S.C. 5512) is amended to read as follows:
``SEC. 102. PROGRAM IMPROVEMENTS.
``(a) Functions.--The Director of the Office of Science and
Technology Policy shall continue--
``(1) to provide technical and administrative support to--
``(A) the agencies participating in planning and
implementing the Program, including support needed to develop
the strategic plan under section 101(e); and
``(B) the advisory committee under section 101(b);
``(2) to serve as the primary point of contact on Federal
networking and information technology activities for
government agencies, academia, industry, professional
societies, State computing and networking technology
programs, interested citizen groups, and others to exchange
technical and programmatic information;
``(3) to solicit input and recommendations from a wide
range of stakeholders during the development of each
strategic plan under section 101(e) by convening at least 1
workshop with invitees from academia, industry, Federal
laboratories, and other relevant organizations and
institutions;
``(4) to conduct public outreach, including the
dissemination of the advisory committee's findings and
recommendations, as appropriate;
``(5) to promote access to and early application of the
technologies, innovations, and expertise derived from Program
activities to agency missions and systems across the Federal
Government and to United States industry;
``(6) to ensure accurate and detailed budget reporting of
networking and information technology research and
development investment; and
``(7) to encourage agencies participating in the Program to
use existing programs and resources to strengthen networking
and information technology education and training, and
increase participation in such fields, including by women and
underrepresented minorities.
``(b) Source of Funding.--
``(1) In general.--The functions under this section shall
be supported by funds from each agency participating in the
Program.
``(2) Specifications.--The portion of the total budget of
the Office of Science and Technology Policy that is provided
by each agency participating in the Program for each fiscal
year shall be in the same proportion as each agency's share
of the total budget for the Program for the previous fiscal
year, as specified in the database under section 102(c).
``(c) Database.--
``(1) In general.--The Director of the Office of Science
and Technology Policy shall develop and maintain a database
of projects funded by each agency for the fiscal year for
each Program Component Area.
``(2) Public accessibility.--The Director of the Office of
Science and Technology Policy shall make the database
accessible to the public.
``(3) Database contents.--The database shall include, for
each project in the database--
``(A) a description of the project;
``(B) each agency, industry, institution of higher
education, Federal laboratory, or international institution
involved in the project;
``(C) the source funding of the project (set forth by
agency);
``(D) the funding history of the project; and
``(E) whether the project has been completed.''.
SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION
TECHNOLOGY, INCLUDING HIGH PERFORMANCE
COMPUTING.
Section 201(a) of the High-Performance Computing Act of
1991 (15 U.S.C. 5521(a)) is amended--
(1) by redesignating paragraphs (2) through (4) as
paragraphs (3) through (5), respectively; and
(2) by inserting after paragraph (1) the following:
``(2) the National Science Foundation shall use its
existing programs, in collaboration with other agencies, as
appropriate, to improve the teaching and learning of
networking and information technology at all levels of
education and to increase participation in networking and
information technology fields;''.
SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
PERFORMANCE COMPUTING ACT OF 1991.
(a) Section 3.--Section 3 of the High-Performance Computing
Act of 1991 (15 U.S.C. 5502) is amended--
(1) in the matter preceding paragraph (1), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(2) in paragraph (1)--
(A) in the matter preceding subparagraph (A), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(B) in subparagraphs (A), (F), and (G), by striking ``high-
performance computing'' each place it appears and inserting
``networking and information technology''; and
(C) in subparagraph (H), by striking ``high-performance''
and inserting ``high-end''; and
(3) in paragraph (2)--
(A) by striking ``high-performance computing and'' and
inserting ``networking and information technology, and''; and
(B) by striking ``high-performance computing network'' and
inserting ``networking and information technology''.
(b) Title Heading.--The heading of title I of the High-
Performance Computing Act of 1991 (105 Stat. 1595) is amended
by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting
``NETWORKING AND INFORMATION TECHNOLOGY''.
(c) Section 101.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended--
(1) in the section heading, by striking ``high-performance
computing'' and inserting ``networking and information
technology research and development'';
(2) in subsection (a)--
(A) in the subsection heading, by striking ``National High-
Performance Computing'' and inserting ``Networking and
Information Technology Research and Development'';
(B) in paragraph (1)--
(i) by striking ``National High-Performance Computing
Program'' and inserting ``networking and information
technology research and development program'';
(ii) in subparagraph (A), by striking ``high-performance
computing, including networking'' and inserting ``networking
and information technology'';
(iii) in subparagraphs (B) and (G), by striking ``high-
performance'' each place it appears and inserting ``high-
end''; and
(iv) in subparagraph (C), by striking ``high-performance
computing and networking'' and inserting ``high-end
computing, distributed, and networking''; and
(C) in paragraph (2)--
(i) in subparagraphs (A) and (C)--
(I) by striking ``high-performance computing'' each place
it appears and inserting ``networking and information
technology''; and
(II) by striking ``development, networking,'' each place it
appears and inserting ``development,''; and
(ii) in subparagraphs (G) and (H), as redesignated by
section 401(d) of this Act, by striking ``high-performance''
each place it appears and inserting ``high-end'';
(3) in subsection (b)(1), in the matter preceding
subparagraph (A), by striking ``high-performance computing''
each place it appears and inserting ``networking and
information technology''; and
(4) in subsection (c)(1)(A), by striking ``high-performance
computing'' and inserting ``networking and information
technology''.
(d) Section 201.--Section 201(a)(1) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by
striking ``high-performance computing and advanced high-speed
computer networking'' and inserting ``networking and
information technology research and development''.
(e) Section 202.--Section 202(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by
striking ``high-performance computing'' and inserting
``networking and information technology''.
(f) Section 203.--Section 203(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
(1) in paragraph (1), by striking ``high-performance
computing and networking'' and inserting ``networking and
information technology''; and
(2) in paragraph (2)(A), by striking ``high-performance''
and inserting ``high-end''.
(g) Section 204.--Section 204 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5524) is amended--
(1) in subsection (a)(1)--
(A) in subparagraph (A), by striking ``high-performance
computing systems and networks'' and inserting ``networking
and information technology systems and capabilities'';
(B) in subparagraph (B), by striking ``interoperability of
high-performance computing systems in networks and for common
user interfaces to systems'' and inserting ``interoperability
and usability of networking and information technology
systems''; and
(C) in subparagraph (C), by striking ``high-performance
computing'' and inserting ``networking and information
technology''; and
(2) in subsection (b)--
(A) by striking ``High-Performance Computing and Network''
in the heading and inserting ``Networking and Information
Technology''; and
(B) by striking ``sensitive''.
(h) Section 205.--Section 205(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by
striking ``computational'' and inserting ``networking and
information technology''.
(i) Section 206.--Section 206(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by
striking ``computational research'' and inserting
``networking and information technology research''.
(j) Section 207.--Section 207 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5527) is amended by striking
``high-performance computing'' and inserting ``networking and
information technology''.
(k) Section 208.--Section 208 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5528) is amended--
(1) in the section heading, by striking ``HIGH-PERFORMANCE
COMPUTING'' and inserting ``NETWORKING AND INFORMATION
TECHNOLOGY''; and
(2) in subsection (a)--
(A) in paragraph (1), by striking ``High-performance
computing and associated'' and inserting ``Networking and
information'';
(B) in paragraph (2), by striking ``high-performance
computing'' and inserting ``networking and information
technologies'';
(C) in paragraph (3), by striking ``high-performance'' and
inserting ``high-end'';
(D) in paragraph (4), by striking ``high-performance
computers and associated'' and inserting ``networking and
information''; and
(E) in paragraph (5), by striking ``high-performance
computing and associated'' and inserting ``networking and
information''.
SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) In General.--The Director of the National Science
Foundation, in coordination with the Secretary of Homeland
Security, shall carry out a Federal cyber scholarship-for-
service program to recruit and train the next generation of
information technology professionals and security managers to
meet the needs of the cybersecurity mission for the Federal
government.
(b) Program Description and Components.--The program
shall--
(1) annually assess the workforce needs of the Federal
government for cybersecurity professionals, including network
engineers, software engineers, and other experts in order to
determine how many scholarships should be awarded annually to
ensure that the workforce needs following graduation match
the number of scholarships awarded;
(2) provide scholarships for up to 1,000 students per year
in their pursuit of undergraduate or graduate degrees in the
cybersecurity field, in an amount that may include coverage
for full tuition, fees, and a stipend;
(3) require each scholarship recipient, as a condition of
receiving a scholarship under the program, to serve in a
Federal information technology workforce for a period equal
to one and one-half times each year, or partial year, of
scholarship received, in addition to an internship in the
cybersecurity field, if applicable, following graduation;
(4) provide a procedure for the National Science Foundation
or a Federal agency, consistent with regulations of the
Office of Personnel Management, to request and fund a
security clearance for a scholarship recipient, including
providing for clearance during a summer internship and upon
graduation; and
(5) provide opportunities for students to receive temporary
appointments for meaningful employment in the Federal
information technology workforce during school vacation
periods and for internships.
(c) Hiring Authority.--
(1) In general.--For purposes of any law or regulation
governing the appointment of an individual in the Federal
civil service, upon the successful completion of the
student's studies, a student receiving a scholarship under
the program may--
(A) be hired under section 213.3102(r) of title 5, Code of
Federal Regulations; and
(B) be exempt from competitive service.
(2) Competitive service.--Upon satisfactory fulfillment of
the service term under paragraph (1), an individual may be
converted to a competitive service position without
competition if the individual meets the requirements for that
position.
(d) Eligibility.--The eligibility requirements for a
scholarship under this section shall include that a
scholarship applicant--
(1) be a citizen of the United States;
(2) be eligible to be granted a security clearance;
(3) maintain a grade point average of 3.2 or above on a 4.0
scale for undergraduate study or a 3.5 or above on a 4.0
scale for postgraduate study;
(4) demonstrate a commitment to a career in improving the
security of the information infrastructure; and
(5) have demonstrated a level of proficiency in math or
computer sciences.
(e) Failure to Complete Service Obligation.--
(1) In general.--A scholarship recipient under this section
shall be liable to the United States under paragraph (2) if
the scholarship recipient--
(A) fails to maintain an acceptable level of academic
standing in the educational institution in which the
individual is enrolled, as determined by the Director;
(B) is dismissed from such educational institution for
disciplinary reasons;
(C) withdraws from the program for which the award was made
before the completion of such program;
(D) declares that the individual does not intend to fulfill
the service obligation under this section;
(E) fails to fulfill the service obligation of the
individual under this section; or
(F) loses a security clearance or becomes ineligible for a
security clearance.
(2) Repayment amounts.--
(A) Less than 1 year of service.--If a circumstance under
paragraph (1) occurs before the completion of 1 year of a
service obligation under this section, the total amount of
awards received by the individual under this section shall be
repaid.
(B) One or more years of service.--If a circumstance
described in subparagraph (D) or (E) of paragraph (1) occurs
after the completion of 1 year of a service obligation under
this section, the total amount of scholarship awards received
by the individual under this section, reduced by the ratio of
the number of years of service completed divided by the
number of years of service required, shall be repaid.
(f) Evaluation and Report.--The Director of the National
Science Foundation shall--
(1) evaluate the success of recruiting individuals for
scholarships under this section and of hiring and retaining
those individuals in the public sector workforce, including
the annual cost and an assessment of how the program actually
improves the Federal workforce; and
(2) periodically report the findings under paragraph (1) to
Congress.
(g) Authorization of Appropriations.--From amounts made
available under section 503 of the America COMPETES
Reauthorization Act of 2010 (124 Stat. 4005), the Secretary
may use funds to carry out the requirements of this section
for fiscal years 2012 through 2013.
SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF
INFORMATION INFRASTRUCTURE PROFESSIONALS.
(a) Study.--The President shall enter into an agreement
with the National Academies to conduct a comprehensive study
of government, academic, and private-sector accreditation,
training, and certification programs for personnel working in
information infrastructure. The agreement shall require the
National Academies to consult with sector coordinating
councils and relevant governmental agencies, regulatory
entities, and nongovernmental organizations in the course of
the study.
(b) Scope.--The study shall include--
(1) an evaluation of the body of knowledge and various
skills that specific categories of personnel working in
information infrastructure should possess in order to secure
information systems;
(2) an assessment of whether existing government, academic,
and private-sector accreditation, training, and certification
programs provide the body of knowledge and various skills
described in paragraph (1);
(3) an analysis of any barriers to the Federal Government
recruiting and hiring cybersecurity talent, including
barriers relating to compensation, the hiring process, job
classification, and hiring flexibility; and
(4) an analysis of the sources and availability of
cybersecurity talent, a comparison of the skills and
expertise sought by the Federal Government and the private
sector, an examination of the current and future capacity of
United States institutions of higher education, including
community colleges, to provide current and future
cybersecurity professionals, through education and training
activities, with those skills sought by the Federal
Government, State and local entities, and the private sector.
(c) Report.--Not later than 1 year after the date of
enactment of this Act, the National Academies shall submit to
the President and Congress a report on the results of the
study. The report shall include--
(1) findings regarding the state of information
infrastructure accreditation, training, and certification
programs, including specific areas of deficiency and
demonstrable progress; and
(2) recommendations for the improvement of information
infrastructure accreditation, training, and certification
programs.
SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.
(a) In General.--The Director of the National Institute of
Standards and Technology, in coordination with appropriate
Federal authorities, shall--
(1) as appropriate, ensure coordination of Federal agencies
engaged in the development of international technical
standards related to information system security; and
(2) not later than 1 year after the date of enactment of
this Act, develop and transmit to Congress a plan for
ensuring such Federal agency coordination.
(b) Consultation With the Private Sector.--In carrying out
the activities under subsection (a)(1), the Director shall
ensure consultation with appropriate private sector
stakeholders.
SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.
The Director of the National Institute of Standards and
Technology shall continue a program to support the
development of technical standards, metrology, testbeds, and
conformance criteria, taking into account appropriate user
concerns--
(1) to improve interoperability among identity management
technologies;
(2) to strengthen authentication methods of identity
management systems;
(3) to improve privacy protection in identity management
systems, including health information technology systems,
through authentication and security protocols; and
(4) to improve the usability of identity management
systems.
SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) National Science Foundation Computer and Network
Security Research Grant Areas.--Section 4(a)(1) of the Cyber
Security Research and Development Act (15 U.S.C. 7403(a)(1))
is amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking ``property.'' and
inserting ``property;''; and
(3) by adding at the end the following:
``(J) secure fundamental protocols that are at the heart of
inter-network communications and data exchange;
``(K) system security that addresses the building of secure
systems from trusted and untrusted components;
``(L) monitoring and detection; and
``(M) resiliency and rapid recovery methods.''.
(b) National Science Foundation Computer and Network
Security Grants.--Section 4(a)(3) of the Cyber Security
Research and Development Act (15 U.S.C. 7403(a)(3)) is
amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
(c) Computer and Network Security Centers.--Section 4(b)(7)
of the Cyber Security Research and Development Act (15 U.S.C.
7403(b)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
(d) Computer and Network Security Capacity Building
Grants.--Section 5(a)(6) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(a)(6)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
(e) Scientific and Advanced Technology Act Grants.--Section
5(b)(2) of the Cyber Security Research and Development Act
(15 U.S.C. 7404(b)(2)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
(f) Graduate Traineeships in Computer and Network Security
Research.--Section 5(c)(7) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(c)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
______
SA 2582. Mrs. HUTCHISON (for herself, Mr. McCain, Mr. Chambliss, Mr.
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of
Wisconsin) submitted an amendment intended to be proposed by her to the
bill S. 3414, to enhance the security and resiliency of the cyber and
communications infrastructure of the United States; which was ordered
to lie on the table; as follows:
Beginning on page 1, strike line 3 and all that follows
through page 211, line 6 and insert the following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the
``Strengthening and Enhancing Cybersecurity by Using
Research, Education, Information, and Technology Act of
2012'' or ``SECURE IT''.
(b) Table of Contents.--The table of contents of this Act
is as follows:
Sec. 1. Short title; table of contents.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.
TITLE III--CRIMINAL PENALTIES
Sec. 301. Penalties for fraud and related activity in connection with
computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity
in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
Sec. 401. National High-Performance Computing Program planning and
coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology,
including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance
Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of
information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
SEC. 101. DEFINITIONS.
In this title:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in section 1(a) of the
Clayton Act (15 U.S.C. 12(a));
(B) includes section 5 of the Federal Trade Commission Act
(15 U.S.C. 45) to the extent that section 5 of that Act
applies to unfair methods of competition; and
(C) includes any State law that has the same intent and
effect as the laws under subparagraphs (A) and (B).
(3) Countermeasure.--The term ``countermeasure'' means an
automated or a manual action with defensive intent to
mitigate cyber threats.
(4) Cyber threat information.--The term ``cyber threat
information'' means information that indicates or describes--
(A) a technical or operational vulnerability or a cyber
threat mitigation measure;
(B) an action or operation to mitigate a cyber threat;
(C) malicious reconnaissance, including anomalous patterns
of network activity that appear to be transmitted for the
purpose of gathering technical information related to a
cybersecurity threat;
(D) a method of defeating a technical control;
(E) a method of defeating an operational control;
(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
(G) a method of causing a user with legitimate access to an
information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
(H) any other attribute of a cybersecurity threat or cyber
defense information that would foster situational awareness
of the United States cybersecurity posture, if disclosure of
such attribute or information is not otherwise prohibited by
law;
(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
(J) any combination of subparagraphs (A) through (I).
(5) Cybersecurity center.--The term ``cybersecurity
center'' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
(6) Cybersecurity system.--The term ``cybersecurity
system'' means a system designed or employed to ensure the
integrity, confidentiality, or availability of, or to
safeguard, a system or network, including measures intended
to protect a system or network from--
(A) efforts to degrade, disrupt, or destroy such system or
network; or
(B) theft or misappropriations of private or government
information, intellectual property, or personally
identifiable information.
(7) Entity.--
(A) In general.--The term ``entity'' means any private
entity, non-Federal government agency or department, or
State, tribal, or local government agency or department
(including an officer, employee, or agent thereof).
(B) Inclusions.--The term ``entity'' includes a government
agency or department (including an officer, employee, or
agent thereof) of the District of Columbia, the Commonwealth
of Puerto Rico, the Virgin Islands, Guam, American Samoa, the
Northern Mariana Islands, and any other territory or
possession of the United States.
(8) Federal information system.--The term ``Federal
information system'' means an information system of a Federal
department or agency used or operated by an executive agency,
by a contractor of an executive agency, or by another
organization on behalf of an executive agency.
(9) Information security.--The term ``information
security'' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
(B) confidentiality, by preserving authorized restrictions
on access and disclosure, including means for protecting
personal privacy and proprietary information; or
(C) availability, by ensuring timely and reliable access to
and use of information.
(10) Information system.--The term ``information system''
has the meaning given the term in section 3502 of title 44,
United States Code.
(11) Local government.--The term ``local government'' means
any borough, city, county, parish, town, township, village,
or other general purpose political subdivision of a State.
(12) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
(13) Operational control.--The term ``operational control''
means a security control for an information system that
primarily is implemented and executed by people.
(14) Operational vulnerability.--The term ``operational
vulnerability'' means any attribute of policy, process, or
procedure that could enable or facilitate the defeat of an
operational control.
(15) Private entity.--The term ``private entity'' means any
individual or any private group, organization, or
corporation, including an officer, employee, or agent
thereof.
(16) Significant cyber incident.--The term ``significant
cyber incident'' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
(17) Technical control.--The term ``technical control''
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
(18) Technical vulnerability.--The term ``technical
vulnerability'' means any attribute of hardware or software
that could enable or facilitate the defeat of a technical
control.
(19) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian Self-
Determination and Education Assistance Act (25 U.S.C. 450b).
SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.
(a) Voluntary Disclosure.--
(1) Private entities.--Notwithstanding any other provision
of law, a private entity may, for the purpose of preventing,
investigating, or otherwise mitigating threats to information
security, on its own networks, or as authorized by another
entity, on such entity's networks, employ countermeasures and
use cybersecurity systems in order to obtain, identify, or
otherwise possess cyber threat information.
(2) Entities.--Notwithstanding any other provision of law,
an entity may disclose cyber threat information to--
(A) a cybersecurity center; or
(B) any other entity in order to assist with preventing,
investigating, or otherwise mitigating threats to information
security.
(3) Information security providers.--If the cyber threat
information described in paragraph (1) is obtained,
identified, or otherwise possessed in the course of providing
information security products or services under contract to
another entity, that entity shall be given, at any time prior
to disclosure of such information, a reasonable opportunity
to authorize or prevent such disclosure, to request
anonymization of such information, or to request that
reasonable efforts be made to safeguard such information that
identifies specific persons from unauthorized access or
disclosure.
(b) Significant Cyber Incidents Involving Federal
Information Systems.--
(1) In general.--An entity providing electronic
communication services, remote computing services, or
information security services to a Federal department or
agency shall inform the Federal department or agency of a
significant cyber incident involving the Federal information
system of that Federal department or agency that--
(A) is directly known to the entity as a result of
providing such services;
(B) is directly related to the provision of such services
by the entity; and
(C) as determined by the entity, has impeded or will impede
the performance of a critical mission of the Federal
department or agency.
(2) Advance coordination.--A Federal department or agency
receiving the services described in paragraph (1) shall
coordinate in advance with an entity described in paragraph
(1) to develop the parameters of any information that may be
provided under paragraph (1), including clarification of the
type of significant cyber incident that will impede the
performance of a critical mission of the Federal department
or agency.
(3) Report.--A Federal department or agency shall report
information provided under this subsection to a cybersecurity
center.
(4) Construction.--Any information provided to a
cybersecurity center under paragraph (3) shall be treated in
the same manner as information provided to a cybersecurity
center under subsection (a).
(c) Information Shared With or Provided to a Cybersecurity
Center.--Cyber threat information provided to a cybersecurity
center under this section--
(1) may be disclosed to, retained by, and used by,
consistent with otherwise applicable Federal law, any Federal
agency or department, component, officer, employee, or agent
of the Federal government for a cybersecurity purpose, a
national security purpose, or in order to prevent,
investigate, or prosecute any of the offenses listed in
section 2516 of title 18, United States Code, and such
information shall not be disclosed to, retained by, or used
by any Federal agency or department for any use not permitted
under this paragraph;
(2) may, with the prior written consent of the entity
submitting such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except that if the need for immediate
disclosure prevents obtaining written consent, such consent
may be provided orally with subsequent documentation of such
consent;
(3) shall be considered the commercial, financial, or
proprietary information of the entity providing such
information to the Federal government and any disclosure
outside the Federal government may only be made upon the
prior written consent by such entity and shall not constitute
a waiver of any applicable privilege or protection provided
by law, except that if the need for immediate disclosure
prevents obtaining written consent, such consent may be
provided orally with subsequent documentation of such
consent;
(4) shall be deemed voluntarily shared information and
exempt from disclosure under section 552 of title 5, United
States Code, and any State, tribal, or local law requiring
disclosure of information or records;
(5) shall be, without discretion, withheld from the public
under section 552(b)(3)(B) of title 5, United States Code,
and any State, tribal, or local law requiring disclosure of
information or records;
(6) shall not be subject to the rules of any Federal agency
or department or any judicial doctrine regarding ex parte
communications with a decision-making official;
(7) shall not, if subsequently provided to a State, tribal,
or local government or government agency, otherwise be
disclosed or distributed to any entity by such State, tribal,
or local government or government agency without the prior
written consent of the entity submitting such information,
notwithstanding any State, tribal, or local law requiring
disclosure of information or records,
except that if the need for immediate disclosure prevents
obtaining written consent, such consent may be provided
orally with subsequent documentation of such consent; and
(8) shall not be directly used by any Federal, State,
tribal, or local department or agency to regulate the lawful
activities of an entity, including activities relating to
obtaining, identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this paragraph.
(d) Procedures Relating to Information Sharing With a
Cybersecurity Center.--Not later than 60 days after the date
of enactment of this Act, the heads of each department or
agency containing a cybersecurity center shall jointly
develop, promulgate, and submit to Congress procedures to
ensure that cyber threat information shared with or provided
to--
(1) a cybersecurity center under this section--
(A) may be submitted to a cybersecurity center by an
entity, to the greatest extent possible, through a uniform,
publicly available process or format that is easily
accessible on the website of such cybersecurity center, and
that includes the ability to provide relevant details about
the cyber threat information and written consent to any
subsequent disclosures authorized by this paragraph;
(B) shall immediately be further shared with each
cybersecurity center in order to prevent, investigate, or
otherwise mitigate threats to information security across the
Federal government;
(C) is handled by the Federal government in a reasonable
manner, including consideration of the need to protect the
privacy and civil liberties of individuals through
anonymization or other appropriate methods, while fully
accomplishing the objectives of this title, and the Federal
government may undertake efforts consistent with this
subparagraph to limit the impact on privacy and civil
liberties of the sharing of cyber threat information with the
Federal government; and
(D) except as provided in this section, shall only be used,
disclosed, or handled in accordance with the provisions of
subsection (c); and
(2) a Federal agency or department under subsection (b) is
provided immediately to a cybersecurity center in order to
prevent, investigate, or otherwise mitigate threats to
information security across the Federal government.
(e) Information Shared Between Entities.--
(1) In general.--An entity sharing cyber threat information
with another entity under this title may restrict the use or
sharing of such information by such other entity.
(2) Further sharing.--Cyber threat information shared by
any entity with another entity under this title--
(A) shall only be further shared in accordance with any
restrictions placed on the sharing of such information by the
entity authorizing such sharing, such as appropriate
anonymization of such information; and
(B) may not be used by any entity to gain an unfair
competitive advantage to the detriment of the entity
authorizing the sharing of such information, except that the
conduct described in paragraph (3) shall not constitute
unfair competitive conduct.
(3) Information shared with state, tribal, or local
government or government agency.--Cyber threat information
shared with a State, tribal, or local government or
government agency under this title--
(A) may, with the prior written consent of the entity
sharing such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except if the need for immediate disclosure
prevents obtaining written consent, consent may be provided
orally with subsequent documentation of the consent;
(B) shall be deemed voluntarily shared information and
exempt from disclosure under any State, tribal, or local law
requiring disclosure of information or records;
(C) shall not be disclosed or distributed to any entity by
the State, tribal, or local government or government agency
without the prior written consent of the entity submitting
such information, notwithstanding any State, tribal, or local
law requiring disclosure of information or records, except if
the need for immediate disclosure prevents obtaining written
consent, consent may be provided orally with subsequent
documentation of the consent; and
(D) shall not be directly used by any State, tribal, or
local department or agency to regulate the lawful activities
of an entity, including activities relating to obtaining,
identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this
subparagraph.
(4) Antitrust exemption.--The exchange or provision of
cyber threat information or assistance between 2 or more
private entities under this title shall not be considered a
violation of any provision of antitrust laws if exchanged or
provided in order to assist with--
(A) facilitating the prevention, investigation, or
mitigation of threats to information security; or
(B) communicating or disclosing of cyber threat information
to help prevent, investigate or otherwise mitigate the
effects of a threat to information security.
(5) No right or benefit.--The provision of cyber threat
information to an entity under this section shall not create
a right or a benefit to similar information by such entity or
any other entity.
(f) Federal Preemption.--
(1) In general.--This section supersedes any statute or
other law of a State or political subdivision of a State that
restricts or otherwise expressly regulates an activity
authorized under this section.
(2) State law enforcement.--Nothing in this section shall
be construed to supersede any statute or other law of a State
or political subdivision of a State concerning the use of
authorized law enforcement techniques.
(3) Public disclosure.--No information shared with or
provided to a State, tribal, or local government or
government agency pursuant to this section shall be made
publicly available pursuant to any State, tribal, or local
law requiring disclosure of information or records.
(g) Civil and Criminal Liability.--
(1) General protections.--
(A) Private entities.--No cause of action shall lie or be
maintained in any court against any private entity for--
(i) the use of countermeasures and cybersecurity systems as
authorized by this title;
(ii) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(iii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
private entity.
(B) Entities.--No cause of action shall lie or be
maintained in any court against any entity for--
(i) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(ii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
entity.
(2) Construction.--Nothing in this subsection shall be
construed as creating any immunity against, or otherwise
affecting, any action brought by the Federal government, or
any agency or department thereof, to enforce any law,
executive order, or procedure governing the appropriate
handling, disclosure, and use of classified information.
(h) Otherwise Lawful Disclosures.--Nothing in this section
shall be construed to limit or prohibit otherwise lawful
disclosures of communications, records, or other information
by a private entity to any other governmental or private
entity not covered under this section.
(i) Whistleblower Protection.--Nothing in this Act shall be
construed to preempt or preclude any employee from exercising
rights currently provided under any whistleblower law, rule,
or regulation.
(j) Relationship to Other Laws.--The submission of cyber
threat information under this section to a cybersecurity
center shall not affect any requirement under any other
provision of law for an entity to provide information to the
Federal government.
SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.
(a) Classified Information.--
(1) Procedures.--Consistent with the protection of
intelligence sources and methods, and as otherwise determined
appropriate, the Director of National Intelligence and the
Secretary of Defense, in consultation with the heads of the
appropriate Federal departments or agencies, shall develop
and promulgate procedures to facilitate and promote--
(A) the immediate sharing, through the cybersecurity
centers, of classified cyber threat information in the
possession of the Federal government with appropriately
cleared representatives of any appropriate entity; and
(B) the declassification and immediate sharing, through the
cybersecurity centers, with any entity or, if appropriate,
public availability of cyber threat information in the
possession of the Federal government;
(2) Handling of classified information.--The procedures
developed under paragraph (1) shall ensure that each entity
receiving classified cyber threat information pursuant to
this section has acknowledged in writing the ongoing
obligation to comply with all laws, executive orders, and
procedures concerning the appropriate handling, disclosure,
or use of classified information.
(b) Unclassified Cyber Threat Information.--The heads of
each department or agency containing a cybersecurity center
shall jointly develop and promulgate procedures that ensure
that, consistent with the provisions of this section,
unclassified, including controlled unclassified, cyber threat
information in the possession of the Federal government--
(1) is shared, through the cybersecurity centers, in an
immediate and adequate manner with appropriate entities; and
(2) if appropriate, is made publicly available.
(c) Development of Procedures.--
(1) In general.--The procedures developed under this
section shall incorporate, to the greatest extent possible,
existing processes utilized by sector specific information
sharing and analysis centers.
(2) Coordination with entities.--In developing the
procedures required under this section, the Director of
National Intelligence and the heads of each department or
agency containing a cybersecurity center shall coordinate
with appropriate entities to ensure that protocols are
implemented that will facilitate and promote the sharing of
cyber threat information by the Federal government.
(d) Additional Responsibilities of Cybersecurity Centers.--
Consistent with section 102, a cybersecurity center shall--
(1) facilitate information sharing, interaction, and
collaboration among and between cybersecurity centers and--
(A) other Federal entities;
(B) any entity; and
(C) international partners, in consultation with the
Secretary of State;
(2) disseminate timely and actionable cybersecurity threat,
vulnerability, mitigation, and warning information, including
alerts, advisories, indicators, signatures, and mitigation
and response measures, to improve the security and protection
of information systems; and
(3) coordinate with other Federal entities, as appropriate,
to integrate information from across the Federal government
to provide situational awareness of the cybersecurity posture
of the United States.
(e) Sharing Within the Federal Government.--The heads of
appropriate Federal departments and agencies shall ensure
that cyber threat information in the possession of such
Federal departments or agencies that relates to the
prevention, investigation, or mitigation of threats to
information security across the Federal government is shared
effectively with the cybersecurity centers.
(f) Submission to Congress.--Not later than 60 days after
the date of enactment of this Act, the Director of National
Intelligence, in coordination with the appropriate head of a
department or an agency containing a cybersecurity center,
shall submit the procedures required by this section to
Congress.
SEC. 104. CONSTRUCTION.
(a) Information Sharing Relationships.--Nothing in this
title shall be construed--
(1) to limit or modify an existing information sharing
relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship
between any entity and the Federal government, except as
specified under section 102(b); or
(4) to modify the authority of a department or agency of
the Federal government to protect sources and methods and the
national security of the United States.
(b) Anti-tasking Restriction.--Nothing in this title shall
be construed to permit the Federal government--
(1) to require an entity to share information with the
Federal government, except as expressly provided under
section 102(b); or
(2) to condition the sharing of cyber threat information
with an entity on such entity's provision of cyber threat
information to the Federal government.
(c) No Liability for Non-participation.--Nothing in this
title shall be construed to subject any entity to liability
for choosing not to engage in the voluntary activities
authorized under this title.
(d) Use and Retention of Information.--Nothing in this
title shall be construed to authorize, or to modify any
existing authority of, a department or agency of the Federal
government to retain or use any information shared under
section 102 for any use other than a use permitted under
subsection 102(c)(1).
(e) No New Funding.--An applicable Federal agency shall
carry out the provisions of this title with existing
facilities and funds otherwise available, through such means
as the head of the agency considers appropriate.
SEC. 105. REPORT ON IMPLEMENTATION.
(a) Content of Report.--Not later than 1 year after the
date of enactment of this Act, and biennially thereafter, the
heads of each department or agency containing a cybersecurity
center shall jointly submit, in coordination with the privacy
and civil liberties officials of such departments or agencies
and the Privacy and Civil Liberties Oversight Board, a
detailed report to Congress concerning the implementation of
this title, including--
(1) an assessment of the sufficiency of the procedures
developed under section 103 of this Act in ensuring that
cyber threat information in the possession of the Federal
government is provided in an immediate and adequate manner to
appropriate entities or, if appropriate, is made publicly
available;
(2) an assessment of whether information has been
appropriately classified and an accounting of the number of
security clearances authorized by the Federal government for
purposes of this title;
(3) a review of the type of cyber threat information shared
with a cybersecurity center under section 102 of this Act,
including whether such information meets the definition of
cyber threat information under section 101, the degree to
which such information may impact the privacy and civil
liberties of individuals, any appropriate metrics to
determine any impact of the sharing of such information with
the Federal government on privacy and civil liberties, and
the adequacy of any steps taken to reduce such impact;
(4) a review of actions taken by the Federal government
based on information provided to a cybersecurity center under
section 102 of this Act, including the appropriateness of any
subsequent use under section 102(c)(1) of this Act and
whether there was inappropriate stovepiping within the
Federal government of any such information;
(5) a description of any violations of the requirements of
this title by the Federal government;
(6) a classified list of entities that received classified
information from the Federal government under section 103 of
this Act and a description of any indication that such
information may not have been appropriately handled;
(7) a summary of any breach of information security, if
known, attributable to a specific failure by any entity or
the Federal government to act on cyber threat information in
the possession of such entity or the Federal government that
resulted in substantial economic harm or injury to a specific
entity or the Federal government; and
(8) any recommendation for improvements or modifications to
the authorities under this title.
(b) Form of Report.--The report under subsection (a) shall
be submitted in unclassified form, but shall include a
classified annex.
SEC. 106. INSPECTOR GENERAL REVIEW.
(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency are authorized to review compliance
by the cybersecurity centers, and by any Federal department
or agency receiving cyber threat information from such
cybersecurity centers, with the procedures required under
section 102 of this Act.
(b) Scope of Review.--The review under subsection (a) shall
consider whether the Federal government has handled such
cyber threat information in a reasonable manner, including
consideration of the need to protect the privacy and civil
liberties of individuals through anonymization or other
appropriate methods, while fully accomplishing the objectives
of this title.
(c) Report to Congress.--Each review conducted under this
section shall be provided to Congress not later than 30 days
after the date of completion of the review.
SEC. 107. TECHNICAL AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
(1) in paragraph (8), by striking ``or'';
(2) in paragraph (9), by striking ``wells.'' and inserting
``wells; or''; and
(3) by adding at the end the following:
``(10) information shared with or provided to a
cybersecurity center under section 102 of title I of the
Strengthening and Enhancing Cybersecurity by Using Research,
Education, Information, and Technology Act of 2012.''.
SEC. 108. ACCESS TO CLASSIFIED INFORMATION.
(a) Authorization Required.--No person shall be provided
with access to classified information (as defined in section
6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to
classified national security information)) relating to cyber
security threats or cyber security vulnerabilities under this
title without the appropriate security clearances.
(b) Security Clearances.--The appropriate Federal agencies
or departments shall, consistent with applicable procedures
and requirements, and if otherwise deemed appropriate, assist
an individual in timely obtaining an appropriate security
clearance where such individual has been determined to be
eligible for such clearance and has a need-to-know (as
defined in section 6.1 of that Executive Order) classified
information to carry out this title.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY
POLICY.
(a) In General.--Chapter 35 of title 44, United States
Code, is amended by striking subchapters II and III and
inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the
effectiveness of information security controls over
information resources that support Federal operations and
assets;
``(2) to recognize the highly networked nature of the
current Federal computing environment and provide effective
government-wide management of policies, directives,
standards, and guidelines, as well as effective and nimble
oversight of and response to information security risks,
including coordination of information security efforts
throughout the Federal civilian, national security, and law
enforcement communities;
``(3) to provide for development and maintenance of
controls required to protect agency information and
information systems and contribute to the overall improvement
of agency information security posture;
``(4) to provide for the development of tools and methods
to assess and respond to real-time situational risk for
Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency
information security programs through continuous monitoring
of agency information systems and streamlined reporting
requirements rather than overly prescriptive manual
reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security'
means security commensurate with the risk and magnitude of
the
harm resulting from the unauthorized access to or loss,
misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the
term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity
center' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat
information' means information that indicates or describes--
``(A) a technical or operational vulnerability or a cyber
threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous
patterns of network activity that appear to be transmitted
for the purpose of gathering technical information related to
a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
``(G) a method of causing a user with legitimate access to
an information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
``(H) any other attribute of a cybersecurity threat or
cyber defense information that would foster situational
awareness of the United States cybersecurity posture, if
disclosure of such attribute or information is not otherwise
prohibited by law;
``(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of
the Office of Management and Budget unless otherwise
specified.
``(6) Environment of operation.--The term `environment of
operation' means the information system and environment in
which those systems operate, including changing threats,
vulnerabilities, technologies, and missions and business
practices.
``(7) Federal information system.--The term `Federal
information system' means an information system used or
operated by an executive agency, by a contractor of an
executive agency, or by another organization on behalf of an
executive agency.
``(8) Incident.--The term `incident' means an occurrence
that--
``(A) actually or imminently jeopardizes the integrity,
confidentiality, or availability of an information system or
the information that system controls, processes, stores, or
transmits; or
``(B) constitutes a violation of law or an imminent threat
of violation of a law, a security policy, a security
procedure, or an acceptable use policy.
``(9) Information resources.--The term `information
resources' has the meaning given the term in section 3502 of
title 44.
``(10) Information security.--The term `information
security' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
``(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized
restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access
to and use of information.
``(11) Information system.--The term `information system'
has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information
technology' has the meaning given the term in section 11101
of title 40.
``(13) Malicious reconnaissance.--The term `malicious
reconnaissance' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system'
means any information system (including any
telecommunications system) used or operated by an agency or
by a contractor of an agency, or other organization on behalf
of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national
security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a
weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the
direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established
for information that have been specifically authorized under
criteria established by an Executive Order or an Act of
Congress to be kept classified in the interest of national
defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include
a system that is to be used for routine administrative and
business applications (including payroll, finance, logistics,
and personnel management applications).
``(15) Operational control.--The term `operational control'
means a security control for an information system that
primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the
term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary
of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means
the management, operational, and technical controls,
including safeguards or countermeasures, prescribed for an
information system to protect the confidentiality, integrity,
and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant
cyber incident' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
``(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
``(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
``(20) Technical control.--The term `technical control'
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
``Sec. 3553. Federal information security authority and
coordination
``(a) In General.--The Secretary, in consultation with the
Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives
governing agency information security operations, and require
implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards
and guidelines promulgated under section 11331 of title 40 to
identify and provide information security protections
prioritized and commensurate with the risk and impact
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf
of an agency; or
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(B) minimum operational requirements for Federal
Government to protect agency information systems and provide
common situational awareness across all agency information
systems;
``(C) reporting requirements, consistent with relevant law,
regarding information security incidents and cyber threat
information;
``(D) requirements for agencywide information security
programs;
``(E) performance requirements and metrics for the security
of agency information systems;
``(F) training requirements to ensure that agencies are
able to fully and timely comply with the policies and
directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil
rights, and civil liberties, and information oversight for
agency information security personnel;
``(H) requirements for the annual reports to the Secretary
under section 3554(d);
``(I) any other information security operations or
information security requirements as determined by the
Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and
guidelines under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) with agencies
and offices operating or exercising control of national
security systems (including the National Security Agency) to
assure, to the maximum extent feasible, that such standards
and guidelines are complementary with standards and
guidelines developed for national security systems;
``(2) review the agencywide information security programs
under section 3554; and
``(3) designate an individual or an entity at each
cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information
security incidents, cyber threat information, and
deterioration of security control affecting agency
information systems; and
``(B) to act on or share the information under subparagraph
(A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives
under subsection (a), the
Secretary shall consider any applicable standards or
guidelines developed by the National Institute of Standards
and Technology under section 11331 of title 40.
``(c) Limitation of Authority.--The authorities of the
Secretary under this section shall not apply to national
security systems. Information security policies, directives,
standards and guidelines for national security systems shall
be overseen as directed by the President and, in accordance
with that direction, carried out under the authority of the
heads of agencies that operate or exercise authority over
such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter
shall be construed to alter or amend any law regarding the
authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued
under section 3553;
``(B) providing information security protections
commensurate with the risk resulting from unauthorized
access, use, disclosure, disruption, modification, or
destruction of--
``(i) information collected or maintained by the agency or
by a contractor of an agency or other organization on behalf
of an agency; and
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(C) complying with the requirements of this subchapter,
including--
``(i) information security standards and guidelines
promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued as directed by
the President; and
``(iii) for any non-national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued under section
3553;
``(D) ensuring that information security management
processes are integrated with agency strategic and
operational planning processes;
``(E) reporting and sharing, for an agency operating or
exercising control of a national security system, information
about information security incidents, cyber threat
information, and deterioration of security controls to the
individual or entity designated at each cybersecurity center
and to other appropriate entities consistent with policies
and directives for national security systems issued as
directed by the President; and
``(F) reporting and sharing, for those agencies operating
or exercising control of non-national security systems,
information about information security incidents, cyber
threat information, and deterioration of security controls to
the individual or entity designated at each cybersecurity
center and to other appropriate entities consistent with
policies and directives for non-national security systems as
prescribed under section 3553(a), including information to
assist the entity designated under section 3555(a) with the
ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides
information security for the information and information
systems that support the operations and assets under the
senior agency official's control, including by--
``(A) assessing the risk and impact that could result from
the unauthorized access, use, disclosure, disruption,
modification, or destruction of such information or
information systems;
``(B) determining the level of information security
appropriate to protect such information and information
systems in accordance with policies and directives issued
under section 3553(a), and standards and guidelines
promulgated under section 11331 of title 40 for information
security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities
to reduce risks to an acceptable level in a cost-effective
manner;
``(D) actively monitoring the effective implementation of
information security controls and techniques; and
``(E) reporting information about information security
incidents, cyber threat information, and deterioration of
security controls in a timely and adequate manner to the
entity designated under section 3553(a)(3) in accordance with
paragraph (1);
``(3) assess and maintain the resiliency of information
technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an
independent entity selected in consultation with the Director
and the Council of Inspectors General on Integrity and
Efficiency if the agency does not have an Inspector General)
to conduct the annual independent evaluation required under
section 3556, and allow the agency Inspector General to
contract with an independent entity to perform such
evaluation;
``(5) delegate to the Chief Information Officer or
equivalent (or to a senior agency official who reports to the
Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement
an agencywide information security program; and
``(B) the authority to provide information security for the
information collected and maintained by the agency (or by a
contractor, other agency, or other source on behalf of the
agency) and for the information systems that support the
operations, assets, and mission of the agency (including any
information system provided or managed by a contractor, other
agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is
responsible for a particular agency system or subsystem) the
responsibility to ensure and enforce compliance with all
requirements of the agency's agencywide information security
program in coordination with the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have
obtained any necessary security clearances to permit them to
assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5),
in coordination with other senior agency officials, reports
to the agency head on the effectiveness of the agencywide
information security program, including the progress of any
remedial actions; and
``(9) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5)
has the necessary qualifications to administer the functions
described in this subchapter and has information security
duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information
Officer or equivalent (or the senior agency official who
reports to the Chief Information Officer or equivalent) under
subsection (a)(5) shall--
``(1) establish and maintain an enterprise security
operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds
to information security incidents that impair adequate
security of the agency's information or information system in
a timely manner and in accordance with the policies and
directives under section 3553; and
``(B) reports any information security incident under
subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide
information security program;
``(3) develop, maintain, and oversee information security
policies, procedures, and control techniques to address
applicable requirements, including requirements under section
3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have
significant responsibility for information security with
respect to that responsibility.
``(c) Agencywide Information Security Programs.--
``(1) In general.--Each agencywide information security
program under subsection (b)(2) shall include--
``(A) relevant security risk assessments, including
technical assessments and others related to the acquisition
process;
``(B) security testing commensurate with risk and impact;
``(C) mitigation of deterioration of security controls
commensurate with risk and impact;
``(D) risk-based continuous monitoring and threat
assessment of the operational status and security of agency
information systems to enable evaluation of the effectiveness
of and compliance with information security policies,
procedures, and practices, including a relevant and
appropriate selection of security controls of information
systems identified in the inventory under section 3505(c);
``(E) operation of appropriate technical capabilities in
order to detect, mitigate, report, and respond to information
security incidents, cyber threat information, and
deterioration of security controls in a manner that is
consistent with the policies and directives under section
3553, including--
``(i) mitigating risks associated with such information
security incidents;
``(ii) notifying and consulting with the entity designated
under section 3555; and
``(iii) notifying and consulting with, as appropriate--
``(I) law enforcement and the relevant Office of the
Inspector General; and
``(II) any other entity, in accordance with law and as
directed by the President;
``(F) a process to ensure that remedial action is taken to
address any deficiencies in the information security
policies, procedures, and practices of the agency; and
``(G) a plan and procedures to ensure the continuity of
operations for information systems that support the
operations and assets of the agency.
``(2) Risk management strategies.--Each agencywide
information security program under subsection (b)(2) shall
include the development and maintenance of a risk management
strategy for information security. The risk management
strategy shall include--
``(A) consideration of information security incidents,
cyber threat information, and deterioration of security
controls; and
``(B) consideration of the consequences that could result
from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information
systems that support the operations and assets of the agency,
including any information system provided or managed by a
contractor, other agency, or other source on behalf of the
agency;
``(3) Policies and procedures.--Each agencywide information
security program under subsection (b)(2) shall include
policies and procedures that--
``(A) are based on the risk management strategy under
paragraph (2);
``(B) reduce information security risks to an acceptable
level in a cost-effective manner;
``(C) ensure that cost-effective and adequate information
security is addressed as part of the acquisition and ongoing
management of each agency information system; and
``(D) ensure compliance with--
``(i) this subchapter; and
``(ii) any other applicable requirements.
``(4) Training requirements.--Each agencywide information
security program under subsection (b)(2) shall include
information security, privacy, civil rights, civil liberties,
and information oversight training that meets any applicable
requirements under section 3553. The training shall inform
each information security personnel that has access to agency
information systems (including contractors and other users of
information systems that support the operations and assets of
the agency) of--
``(A) the information security risks associated with the
information security personnel's activities; and
``(B) the individual's responsibility to comply with the
agency policies and procedures that reduce the risks under
subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report
annually to the Secretary of Homeland Security on its
agencywide information security program and information
systems.
``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of
Management and Budget, in coordination with the Secretary of
Homeland Security, shall designate an entity to implement
ongoing security analysis concerning agency information
systems--
``(1) based on cyber threat information;
``(2) based on agency information system and environment of
operation changes, including--
``(A) an ongoing evaluation of the information system
security controls; and
``(B) the security state, risk level, and environment of
operation of an agency information system, including--
``(i) a change in risk level due to a new cyber threat;
``(ii) a change resulting from a new technology;
``(iii) a change resulting from the agency's mission; and
``(iv) a change resulting from the business practice; and
``(3) using automated processes to the maximum extent
possible--
``(A) to increase information system security;
``(B) to reduce paper-based reporting requirements; and
``(C) to maintain timely and actionable knowledge of the
state of the information system security.
``(b) Standards.--The National Institute of Standards and
Technology may promulgate standards, in coordination with the
Secretary of Homeland Security, to assist an agency with its
duties under this section.
``(c) Compliance.--The head of each appropriate department
and agency shall be responsible for ensuring compliance and
implementing necessary procedures to comply with this
section. The head of each appropriate department and agency,
in consultation with the Director of the Office of Management
and Budget and the Secretary of Homeland Security, shall--
``(1) monitor compliance under this section;
``(2) develop a timeline and implement for the department
or agency--
``(A) adoption of any technology, system, or method that
facilitates continuous monitoring and threat assessments of
an agency information system;
``(B) adoption or updating of any technology, system, or
method that prevents, detects, or remediates a significant
cyber incident to a Federal information system of the
department or agency that has impeded, or is reasonably
likely to impede, the performance of a critical mission of
the department or agency; and
``(C) adoption of any technology, system, or method that
satisfies a requirement under this section.
``(d) Limitation of Authority.--The authorities of the
Director of the Office of Management and Budget and of the
Secretary of Homeland Security under this section shall not
apply to national security systems.
``(e) Report.--Not later than 6 months after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Government Accountability Office shall issue a
report evaluating each agency's status toward implementing
this section.
``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency, in consultation with the Director
and the Secretary of Homeland Security, the Secretary of
Commerce, and the Secretary of Defense, shall issue and
maintain criteria for the timely, cost-effective, risk-based,
and independent evaluation of each agencywide information
security program (and practices) to determine the
effectiveness of the agencywide information security program
(and practices). The criteria shall include measures to
assess any conflicts of interest in the performance of the
evaluation and whether the agencywide information security
program includes appropriate safeguards against disclosure of
information where such disclosure may adversely affect
information security.
``(b) Annual Independent Evaluations.--Each agency shall
perform an annual independent evaluation of its agencywide
information security program (and practices) in accordance
with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days
after receiving an independent evaluation under subsection
(b), each agency head shall transmit a copy of the
independent evaluation to the Secretary of Homeland Security,
the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving
national security systems shall be conducted as directed by
the President.
``Sec. 3557. National security systems.
``The head of each agency operating or exercising control
of a national security system shall be responsible for
ensuring that the agency--
``(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of the information
contained in such system; and
``(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with law and
as directed by the President.''.
(b) Savings Provisions.--
(1) Policy and compliance guidance.--Policy and compliance
guidance issued by the Director before the date of enactment
of this Act under section 3543(a)(1) of title 44, United
States Code (as in effect on the day before the date of
enactment of this Act), shall continue in effect, according
to its terms, until modified, terminated, superseded, or
repealed pursuant to section 3553(a)(1) of title 44, United
States Code.
(2) Standards and guidelines.--Standards and guidelines
issued by the Secretary of Commerce or by the Director before
the date of enactment of this Act under section 11331(a)(1)
of title 40, United States Code (as in effect on the day
before the date of enactment of this Act) shall continue in
effect, according to their terms, until modified, terminated,
superseded, or repealed pursuant to section 11331(a)(1) of
title 40, United States Code, as amended by this Act.
(c) Technical and Conforming Amendments.--
(1) Chapter analysis.--The chapter analysis for chapter 35
of title 44, United States Code, is amended--
(A) by striking the items relating to sections 3531 through
3538;
(B) by striking the items relating to sections 3541 through
3549; and
(C) by inserting the following:
``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
(2) Other references.--
(A) Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section
3532(3)'' and inserting ``section 3552''.
(B) Section 2222(j)(5) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(C) Section 2223(c)(3) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(D) Section 2315 of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(E) Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking ``section
3532(b)(2)'' and inserting ``section 3552'';
(ii) in subsection (c)(3), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iii) in subsection (d)(1), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iv) in subsection (d)(8) by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(v) in subsection (d)(8), by striking ``submitted to the
Director'' and inserting ``submitted to the Secretary'';
(vi) in subsection (e)(2), by striking ``section 3532(1) of
such title'' and inserting ``section 3552 of title 44''; and
(vii) in subsection (e)(5), by striking ``section
3532(b)(2) of such title'' and inserting ``section 3552 of
title 44''.
(F) Section 8(d)(1) of the Cyber Security Research and
Development Act (15 U.S.C. 7406(d)(1)) is amended by striking
``section 3534(b)'' and inserting ``section 3554(b)(2)''.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General.--Section 11331 of title 40, United States
Code, is amended to read as follows:
``Sec. 11331. Responsibilities for Federal information
systems standards
``(a) Standards and Guidelines.--
``(1) Authority to prescribe.--Except as provided under
paragraph (2), the Secretary of Commerce shall prescribe
standards and guidelines pertaining to Federal information
systems--
``(A) in consultation with the Secretary of Homeland
Security; and
``(B) on the basis of standards and guidelines developed by
the National Institute of Standards and Technology under
paragraphs (2) and (3) of section 20(a) of the National
Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)(2) and (a)(3)).
``(2) National security systems.--Standards and guidelines
for national security systems shall be developed, prescribed,
enforced, and overseen as otherwise authorized by law and as
directed by the President.
``(b) Mandatory Standards and Guidelines.--
``(1) Authority to make mandatory standards and
guidelines.--The Secretary of Commerce shall make standards
and guidelines under subsection (a)(1) compulsory and binding
to the extent determined necessary by the Secretary of
Commerce to improve the efficiency of operation or security
of Federal information systems.
``(2) Required mandatory standards and guidelines.--
``(A) In general.--Standards and guidelines under
subsection (a)(1) shall include information security
standards that--
``(i) provide minimum information security requirements as
determined under section 20(b) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(b)); and
``(ii) are otherwise necessary to improve the security of
Federal information and information systems.
``(B) Binding effect.--Information security standards under
subparagraph (A) shall be compulsory and binding.
``(c) Exercise of Authority.--To ensure fiscal and policy
consistency, the Secretary of Commerce shall exercise the
authority conferred by this section subject to direction by
the President and in coordination with the Director.
``(d) Application of More Stringent Standards and
Guidelines.--The head of an executive agency may employ
standards for the cost-effective information security for
information systems within or under the supervision of that
agency that are more stringent than the standards and
guidelines the Secretary of Commerce prescribes under this
section if the more stringent standards and guidelines--
``(1) contain at least the applicable standards and
guidelines made compulsory and binding by the Secretary of
Commerce; and
``(2) are otherwise consistent with the policies,
directives, and implementation memoranda issued under section
3553(a) of title 44.
``(e) Decisions on Promulgation of Standards and
Guidelines.--The decision by the Secretary of Commerce
regarding the promulgation of any standard or guideline under
this section shall occur not later than 6 months after the
date of submission of the proposed standard to the Secretary
of Commerce by the National Institute of Standards and
Technology under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3).
``(f) Notice and Comment.--A decision by the Secretary of
Commerce to significantly modify, or not promulgate, a
proposed standard submitted to the Secretary by the National
Institute of Standards and Technology under section 20 of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3) shall be made after the public is given an
opportunity to comment on the Secretary's proposed decision.
``(g) Definitions.--In this section:
``(1) Federal information system.--The term `Federal
information system' has the meaning given the term in section
3552 of title 44.
``(2) Information security.--The term `information
security' has the meaning given the term in section 3552 of
title 44.
``(3) National security system.--The term `national
security system' has the meaning given the term in section
3552 of title 44.''.
SEC. 203. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.
Section 21(b) of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-4(b)) is amended--
(1) in paragraph (2), by striking ``and the Director of the
Office of Management and Budget'' and inserting ``, the
Secretary of Commerce, and the Secretary of Homeland
Security''; and
(2) in paragraph (3), by inserting ``, the Secretary of
Homeland Security,'' after ``the Secretary of Commerce''.
SEC. 205. CLARIFICATION OF AUTHORITIES.
Nothing in this title shall be construed to convey any new
regulatory authority to any government entity implementing or
complying with any provision of this title.
TITLE III--CRIMINAL PENALTIES
SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN
CONNECTION WITH COMPUTERS.
Section 1030(c) of title 18, United States Code, is amended
to read as follows:
``(c) The punishment for an offense under subsection (a) or
(b) of this section is--
``(1) a fine under this title or imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(1) of this section;
``(2)(A) except as provided in subparagraph (B), a fine
under this title or imprisonment for not more than 3 years,
or both, in the case of an offense under subsection (a)(2);
or
``(B) a fine under this title or imprisonment for not more
than ten years, or both, in the case of an offense under
subsection (a)(2) of this section, if--
``(i) the offense was committed for purposes of commercial
advantage or private financial gain;
``(ii) the offense was committed in the furtherance of any
criminal or tortious act in violation of the Constitution or
laws of the United States, or of any State; or
``(iii) the value of the information obtained, or that
would have been obtained if the offense was completed,
exceeds $5,000;
``(3) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(3) of this section;
``(4) a fine under this title or imprisonment of not more
than 20 years, or both, in the case of an offense under
subsection (a)(4) of this section;
``(5)(A) except as provided in subparagraph (C), a fine
under this title, imprisonment for not more than 20 years, or
both, in the case of an offense under subsection (a)(5)(A) of
this section, if the offense caused--
``(i) loss to 1 or more persons during any 1-year period
(and, for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting
from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
``(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
``(iii) physical injury to any person;
``(iv) a threat to public health or safety;
``(v) damage affecting a computer used by, or on behalf of,
an entity of the United States Government in furtherance of
the administration of justice, national defense, or national
security; or
``(vi) damage affecting 10 or more protected computers
during any 1-year period;
``(B) a fine under this title, imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(5)(B), if the offense caused a harm provided
in clause (i) through (vi) of subparagraph (A) of this
subsection;
``(C) if the offender attempts to cause or knowingly or
recklessly causes death from conduct in violation of
subsection (a)(5)(A), a fine under this title, imprisonment
for any term of years or for life, or both;
``(D) a fine under this title, imprisonment for not more
than 10 years, or both, for any other offense under
subsection (a)(5);
``(E) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(6) of this section; or
``(F) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(7) of this section.''.
SEC. 302. TRAFFICKING IN PASSWORDS.
Section 1030(a)(6) of title 18, United States Code, is
amended to read as follows:
``(6) knowingly and with intent to defraud traffics (as
defined in section 1029) in any password or similar
information or means of access through which a protected
computer (as defined in subparagraphs (A) and (B) of
subsection (e)(2)) may be accessed without authorization.''.
SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.
Section 1030(b) of title 18, United States Code, is amended
by inserting ``as if for the completed offense'' after
``punished as provided''.
SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED
ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030 of title 18, United States Code, is amended by
striking subsections (i) and (j) and inserting the following:
``(i) Criminal Forfeiture.--
``(1) The court, in imposing sentence on any person
convicted of a violation of this section, or convicted of
conspiracy to violate this section, shall order, in addition
to any other sentence imposed and irrespective of any
provision of State law, that such person forfeit to the
United States--
``(A) such person's interest in any property, real or
personal, that was used, or intended to be used, to commit or
facilitate the commission of such violation; and
``(B) any property, real or personal, constituting or
derived from any gross proceeds, or any property traceable to
such property, that such person obtained, directly or
indirectly, as a result of such violation.
``(2) The criminal forfeiture of property under this
subsection, including any seizure and disposition of the
property, and any related judicial or administrative
proceeding, shall be governed by the provisions of section
413 of the Comprehensive Drug Abuse
Prevention and Control Act of 1970 (21 U.S.C. 853), except
subsection (d) of that section.
``(j) Civil Forfeiture.--
``(1) The following shall be subject to forfeiture to the
United States and no property right, real or personal, shall
exist in them:
``(A) Any property, real or personal, that was used, or
intended to be used, to commit or facilitate the commission
of any violation of this section, or a conspiracy to violate
this section.
``(B) Any property, real or personal, constituting or
derived from any gross proceeds obtained directly or
indirectly, or any property traceable to such property, as a
result of the commission of any violation of this section, or
a conspiracy to violate this section.
``(2) Seizures and forfeitures under this subsection shall
be governed by the provisions in chapter 46 relating to civil
forfeitures, except that such duties as are imposed on the
Secretary of the Treasury under the customs laws described in
section 981(d) shall be performed by such officers, agents
and other persons as may be designated for that purpose by
the Secretary of Homeland Security or the Attorney
General.''.
SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.
(a) In General.--Chapter 47 of title 18, United States
Code, is amended by inserting after section 1030 the
following:
``Sec. 1030A. Aggravated damage to a critical infrastructure
computer
``(a) Definitions.--In this section--
``(1) the term `computer' has the meaning given the term in
section 1030;
``(2) the term `critical infrastructure computer' means a
computer that manages or controls systems or assets vital to
national defense, national security, national economic
security, public health or safety, or any combination of
those matters, whether publicly or privately owned or
operated, including--
``(A) oil and gas production, storage, conversion, and
delivery systems;
``(B) water supply systems;
``(C) telecommunication networks;
``(D) electrical power generation and delivery systems;
``(E) finance and banking systems;
``(F) emergency services;
``(G) transportation systems and services; and
``(H) government operations that provide essential services
to the public; and
``(3) the term `damage' has the meaning given the term in
section 1030.
``(b) Offense.--It shall be unlawful, during and in
relation to a felony violation of section 1030, to knowingly
cause or attempt to cause damage to a critical infrastructure
computer if the damage results in (or, in the case of an
attempt, if completed, would have resulted in) the
substantial impairment--
``(1) of the operation of the critical infrastructure
computer; or
``(2) of the critical infrastructure associated with the
computer.
``(c) Penalty.--Any person who violates subsection (b)
shall be--
``(1) fined under this title;
``(2) imprisoned for not less than 3 years but not more
than 20 years; or
``(3) penalized under paragraphs (1) and (2).
``(d) Consecutive Sentence.--Notwithstanding any other
provision of law--
``(1) a court shall not place on probation any person
convicted of a violation of this section;
``(2) except as provided in paragraph (4), no term of
imprisonment imposed on a person under this section shall run
concurrently with any other term of imprisonment, including
any term of imprisonment imposed on the person under any
other provision of law, including any term of imprisonment
imposed for a felony violation of section 1030;
``(3) in determining any term of imprisonment to be imposed
for a felony violation of section 1030, a court shall not in
any way reduce the term to be imposed for such crime so as to
compensate for, or otherwise take into account, any separate
term of imprisonment imposed or to be imposed for a violation
of this section; and
``(4) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the
court, run concurrently, in whole or in part, only with
another term of imprisonment that is imposed by the court at
the same time on that person for an additional violation of
this section, provided that such discretion shall be
exercised in accordance with any applicable guidelines and
policy statements issued by the United States Sentencing
Commission pursuant to section 994 of title 28.''.
(b) Technical and Conforming Amendment.--The chapter
analysis for chapter 47 of title 18, United States Code, is
amended by inserting after the item relating to section 1030
the following:
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code, is
amended by striking ``alter;'' and inserting ``alter, but
does not include access in violation of a contractual
obligation or agreement, such as an acceptable use policy or
terms of service agreement, with an Internet service
provider, Internet website, or non-government employer, if
such violation constitutes the sole basis for determining
that access to a protected computer is unauthorized;''.
SEC. 307. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM
PLANNING AND COORDINATION.
(a) Goals and Priorities.--Section 101 of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511) is amended
by adding at the end the following:
``(d) Goals and Priorities.--The goals and priorities for
Federal high-performance computing research, development,
networking, and other activities under subsection (a)(2)(A)
shall include--
``(1) encouraging and supporting mechanisms for
interdisciplinary research and development in networking and
information technology, including--
``(A) through collaborations across agencies;
``(B) through collaborations across Program Component
Areas;
``(C) through collaborations with industry;
``(D) through collaborations with institutions of higher
education;
``(E) through collaborations with Federal laboratories (as
defined in section 4 of the Stevenson-Wydler Technology
Innovation Act of 1980 (15 U.S.C. 3703)); and
``(F) through collaborations with international
organizations;
``(2) addressing national, multi-agency, multi-faceted
challenges of national importance; and
``(3) fostering the transfer of research and development
results into new technologies and applications for the
benefit of society.''.
(b) Development of Strategic Plan.--Section 101 of the
High-Performance Computing Act of 1991 (15 U.S.C. 5511) is
amended by adding at the end the following:
``(e) Strategic Plan.--
``(1) In general.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the agencies under subsection (a)(3)(B), working
through the National Science and Technology Council and with
the assistance of the Office of Science and Technology Policy,
shall develop a 5-year strategic plan to guide the activities
under subsection (a)(1).
``(2) Contents.--The strategic plan shall specify--
``(A) the near-term objectives for the Program;
``(B) the long-term objectives for the Program;
``(C) the anticipated time frame for achieving the near-
term objectives;
``(D) the metrics that will be used to assess any progress
made toward achieving the near-term objectives and the long-
term objectives; and
``(E) how the Program will achieve the goals and priorities
under subsection (d).
``(3) Implementation roadmap.--
``(A) In general.--The agencies under subsection (a)(3)(B)
shall develop and annually update an implementation roadmap
for the strategic plan.
``(B) Requirements.--The information in the implementation
roadmap shall be coordinated with the database under section
102(c) and the annual report under section 101(a)(3). The
implementation roadmap shall--
``(i) specify the role of each Federal agency in carrying
out or sponsoring research and development to meet the
research objectives of the strategic plan, including a
description of how progress toward the research objectives
will be evaluated, with consideration of any relevant
recommendations of the advisory committee;
``(ii) specify the funding allocated to each major research
objective of the strategic plan and the source of funding by
agency for the current fiscal year; and
``(iii) estimate the funding required for each major
research objective of the strategic plan for the next 3
fiscal years.
``(4) Recommendations.--The agencies under subsection
(a)(3)(B) shall take into consideration when developing the
strategic plan under paragraph (1) the recommendations of--
``(A) the advisory committee under subsection (b); and
``(B) the stakeholders under section 102(a)(3).
``(5) Report to congress.--The Director of the Office of
Science and Technology Policy shall transmit the strategic
plan under this subsection, including the implementation
roadmap and any updates under paragraph (3), to--
``(A) the advisory committee under subsection (b);
``(B) the Committee on Commerce, Science, and
Transportation of the Senate; and
``(C) the Committee on Science and Technology of the House
of Representatives.''.
(c) Periodic Reviews.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended by adding
at the end the following:
``(f) Periodic Reviews.--The agencies under subsection
(a)(3)(B) shall--
``(1) periodically assess the contents and funding levels
of the Program Component Areas and restructure the Program
when warranted, taking into consideration any relevant
recommendations of the advisory committee under subsection
(b); and
``(2) ensure that the Program includes national, multi-
agency, multi-faceted research and development activities,
including activities described in section 104.''.
(d) Additional Responsibilities of Director.--Section
101(a)(2) of the High-Performance Computing Act of 1991 (15
U.S.C. 5511(a)(2)) is amended--
(1) by redesignating subparagraphs (E) and (F) as
subparagraphs (G) and (H), respectively; and
(2) by inserting after subparagraph (D) the following:
``(E) encourage and monitor the efforts of the agencies
participating in the Program to allocate the level of
resources and management attention necessary--
``(i) to ensure that the strategic plan under subsection
(e) is developed and executed effectively; and
``(ii) to ensure that the objectives of the Program are
met;
``(F) working with the Office of Management and Budget and
in coordination with the creation of the database under
section 102(c), direct the Office of Science and Technology
Policy and the agencies participating in the Program to
establish a mechanism (consistent with existing law) to track
all ongoing and completed research and development projects
and associated funding;''.
(e) Advisory Committee.--Section 101(b) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is
amended--
(1) in paragraph (1)--
(A) by inserting after the first sentence the following:
``The co-chairs of the advisory committee shall meet the
qualifications of committee members and may be members of the
President's Council of Advisors on Science and Technology.'';
and
(B) by striking ``high-performance'' in subparagraph (D)
and inserting ``high-end''; and
(2) by amending paragraph (2) to read as follows:
``(2) In addition to the duties under paragraph (1), the
advisory committee shall conduct periodic evaluations of the
funding, management, coordination, implementation, and
activities of the Program. The advisory committee shall
report its findings and recommendations not less frequently
than once every 3 fiscal years to the Committee on Commerce,
Science, and Transportation of the Senate and the Committee
on Science and Technology of the House of Representatives.
The report shall be submitted in conjunction with the update
of the strategic plan.''.
(f) Report.--Section 101(a)(3) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
(1) in subparagraph (C)--
(A) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(B) by striking ``each Program Component Area'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104'';
(2) in subparagraph (D)--
(A) by striking ``each Program Component Area,'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104,'';
(B) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(C) by striking ``and'' after the semicolon;
(3) by redesignating subparagraph (E) as subparagraph (G);
and
(4) by inserting after subparagraph (D) the following:
``(E) include a description of how the objectives for each
Program Component Area, and the objectives for activities
that involve multiple Program Component Areas, relate to the
objectives of the Program identified in the strategic plan
under subsection (e);
``(F) include--
``(i) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the next
fiscal year by category of activity;
``(ii) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the current
fiscal year by category of activity; and
``(iii) the amount of funding provided for the Office of
Science and Technology Policy for the current fiscal year by
each agency participating in the Program; and''.
(g) Definitions.--Section 4 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5503) is amended--
(1) by redesignating paragraphs (1) and (2) as paragraphs
(2) and (3), respectively;
(2) by redesignating paragraph (3) as paragraph (6);
(3) by redesignating paragraphs (6) and (7) as paragraphs
(7) and (8), respectively;
(4) by inserting before paragraph (2), as redesignated, the
following:
``(1) `cyber-physical systems' means physical or engineered
systems whose networking and information technology functions
and physical elements are deeply integrated and are actively
connected to the physical world through sensors, actuators,
or other means to perform monitoring and control
functions;'';
(5) in paragraph (3), as redesignated, by striking ``high-
performance computing'' and inserting ``networking and
information technology'';
(6) in paragraph (6), as redesignated--
(A) by striking ``high-performance computing'' and
inserting ``networking and information technology''; and
(B) by striking ``supercomputer'' and inserting ``high-end
computing'';
(7) in paragraph (5), by striking ``network referred to
as'' and all that follows through the semicolon and inserting
``network, including advanced computer networks of Federal
agencies and departments''; and
(8) in paragraph (7), as redesignated, by striking
``National High-Performance Computing Program'' and inserting
``networking and information technology research and
development program''.
SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
(a) Research in Areas of National Importance.--Title I of
the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et
seq.) is amended by adding at the end the following:
``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
``(a) In General.--The Program shall encourage agencies
under section 101(a)(3)(B) to support, maintain, and improve
national, multi-agency, multi-faceted, research and
development activities in networking and information
technology directed toward application areas that have the
potential for significant contributions to national economic
competitiveness and for other significant societal benefits.
``(b) Technical Solutions.--An activity under subsection
(a) shall be designed to advance the development of research
discoveries by demonstrating technical solutions to important
problems in areas including--
``(1) cybersecurity;
``(2) health care;
``(3) energy management and low-power systems and devices;
``(4) transportation, including surface and air
transportation;
``(5) cyber-physical systems;
``(6) large-scale data analysis and modeling of physical
phenomena;
``(7) large-scale data analysis and modeling of behavioral
phenomena;
``(8) supply chain quality and security; and
``(9) privacy protection and protected disclosure of
confidential data.
``(c) Recommendations.--The advisory committee under
section 101(b) shall make recommendations to the Program for
candidate research and development areas for support under
this section.
``(d) Characteristics.--
``(1) In general.--Research and development activities
under this section--
``(A) shall include projects selected on the basis of
applications for support through a competitive, merit-based
process;
``(B) shall leverage, when possible, Federal investments
through collaboration with related State initiatives;
``(C) shall include a plan for fostering the transfer of
research discoveries and the results of technology
demonstration activities, including from institutions of
higher education and Federal laboratories, to industry for
commercial development;
``(D) shall involve collaborations among researchers in
institutions of higher education and industry; and
``(E) may involve collaborations among nonprofit research
institutions and Federal laboratories, as appropriate.
``(2) Cost-sharing.--In selecting applications for support,
the agencies under section 101(a)(3)(B) shall give special
consideration to projects that include cost sharing from non-
Federal sources.
``(3) Multidisciplinary research centers.--Research and
development activities under this section shall be supported
through multidisciplinary research centers, including Federal
laboratories, that are organized to investigate basic
research questions and carry out technology demonstration
activities in areas described in subsection (a). Research may
be carried out through existing multidisciplinary centers,
including those authorized under section 7024(b)(2) of the
America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
(b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is
amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking the period at the end
and inserting a semicolon; and
(3) by adding at the end the following:
``(J) provide for increased understanding of the scientific
principles of cyber-physical systems and improve the methods
available for the design, development, and operation of
cyber-physical systems that are characterized by high
reliability, safety, and security; and
``(K) provide for research and development on human-
computer interactions, visualization, and big data.''.
(c) Task Force.--Title I of the High-Performance Computing
Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section
402(a) of this Act, is amended by adding at the end the
following:
``SEC. 105. TASK FORCE.
``(a) Establishment.--Not later than 180 days after the
date of enactment of the Strengthening and Enhancing
Cybersecurity by Using Research, Education, Information, and
Technology Act of 2012, the Director of the Office of Science
and Technology Policy under section 102 shall convene a task
force to explore mechanisms for carrying out collaborative
research and development activities for cyber-physical
systems (including the related technologies required to
enable
these systems) through a consortium or other appropriate
entity with participants from institutions of higher
education, Federal laboratories, and industry.
``(b) Functions.--The task force shall--
``(1) develop options for a collaborative model and an
organizational structure for such entity under which the
joint research and development activities could be planned,
managed, and conducted effectively, including mechanisms for
the allocation of resources among the participants in such
entity for support of such activities;
``(2) propose a process for developing a research and
development agenda for such entity, including guidelines to
ensure an appropriate scope of work focused on nationally
significant challenges and requiring collaboration and to
ensure the development of related scientific and
technological milestones;
``(3) define the roles and responsibilities for the
participants from institutions of higher education, Federal
laboratories, and industry in such entity;
``(4) propose guidelines for assigning intellectual
property rights and for transferring research results to the
private sector; and
``(5) make recommendations for how such entity could be
funded from Federal, State, and non-governmental sources.
``(c) Composition.--In establishing the task force under
subsection (a), the Director of the Office of Science and
Technology Policy shall appoint an equal number of
individuals from institutions of higher education and from
industry with knowledge and expertise in cyber-physical
systems, and may appoint not more than 2 individuals from
Federal laboratories.
``(d) Report.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Director of the Office of Science and Technology
Policy shall transmit to the Committee on Commerce, Science,
and Transportation of the Senate and the Committee on Science
and Technology of the House of Representatives a report
describing the findings and recommendations of the task
force.
``(e) Termination.--The task force shall terminate upon
transmittal of the report required under subsection (d).
``(f) Compensation and Expenses.--Members of the task force
shall serve without compensation.''.
SEC. 403. PROGRAM IMPROVEMENTS.
Section 102 of the High-Performance Computing Act of 1991
(15 U.S.C. 5512) is amended to read as follows:
``SEC. 102. PROGRAM IMPROVEMENTS.
``(a) Functions.--The Director of the Office of Science and
Technology Policy shall continue--
``(1) to provide technical and administrative support to--
``(A) the agencies participating in planning and
implementing the Program, including support needed to develop
the strategic plan under section 101(e); and
``(B) the advisory committee under section 101(b);
``(2) to serve as the primary point of contact on Federal
networking and information technology activities for
government agencies, academia, industry, professional
societies, State computing and networking technology
programs, interested citizen groups, and others to exchange
technical and programmatic information;
``(3) to solicit input and recommendations from a wide
range of stakeholders during the development of each
strategic plan under section 101(e) by convening at least 1
workshop with invitees from academia, industry, Federal
laboratories, and other relevant organizations and
institutions;
``(4) to conduct public outreach, including the
dissemination of the advisory committee's findings and
recommendations, as appropriate;
``(5) to promote access to and early application of the
technologies, innovations, and expertise derived from Program
activities to agency missions and systems across the Federal
Government and to United States industry;
``(6) to ensure accurate and detailed budget reporting of
networking and information technology research and
development investment; and
``(7) to encourage agencies participating in the Program to
use existing programs and resources to strengthen networking
and information technology education and training, and
increase participation in such fields, including by women and
underrepresented minorities.
``(b) Source of Funding.--
``(1) In general.--The functions under this section shall
be supported by funds from each agency participating in the
Program.
``(2) Specifications.--The portion of the total budget of
the Office of Science and Technology Policy that is provided
by each agency participating in the Program for each fiscal
year shall be in the same proportion as each agency's share
of the total budget for the Program for the previous fiscal
year, as specified in the database under section 102(c).
``(c) Database.--
``(1) In general.--The Director of the Office of Science
and Technology Policy shall develop and maintain a database
of projects funded by each agency for the fiscal year for
each Program Component Area.
``(2) Public accessibility.--The Director of the Office of
Science and Technology Policy shall make the database
accessible to the public.
``(3) Database contents.--The database shall include, for
each project in the database--
``(A) a description of the project;
``(B) each agency, industry, institution of higher
education, Federal laboratory, or international institution
involved in the project;
``(C) the source funding of the project (set forth by
agency);
``(D) the funding history of the project; and
``(E) whether the project has been completed.''.
SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION
TECHNOLOGY, INCLUDING HIGH PERFORMANCE
COMPUTING.
Section 201(a) of the High-Performance Computing Act of
1991 (15 U.S.C. 5521(a)) is amended--
(1) by redesignating paragraphs (2) through (4) as
paragraphs (3) through (5), respectively; and
(2) by inserting after paragraph (1) the following:
``(2) the National Science Foundation shall use its
existing programs, in collaboration with other agencies, as
appropriate, to improve the teaching and learning of
networking and information technology at all levels of
education and to increase participation in networking and
information technology fields;''.
SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
PERFORMANCE COMPUTING ACT OF 1991.
(a) Section 3.--Section 3 of the High-Performance Computing
Act of 1991 (15 U.S.C. 5502) is amended--
(1) in the matter preceding paragraph (1), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(2) in paragraph (1)--
(A) in the matter preceding subparagraph (A), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(B) in subparagraphs (A), (F), and (G), by striking ``high-
performance computing'' each place it appears and inserting
``networking and information technology''; and
(C) in subparagraph (H), by striking ``high-performance''
and inserting ``high-end''; and
(3) in paragraph (2)--
(A) by striking ``high-performance computing and'' and
inserting ``networking and information technology, and''; and
(B) by striking ``high-performance computing network'' and
inserting ``networking and information technology''.
(b) Title Heading.--The heading of title I of the High-
Performance Computing Act of 1991 (105 Stat. 1595) is amended
by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting
``NETWORKING AND INFORMATION TECHNOLOGY''.
(c) Section 101.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended--
(1) in the section heading, by striking ``high-performance
computing'' and inserting ``networking and information
technology research and development'';
(2) in subsection (a)--
(A) in the subsection heading, by striking ``National High-
Performance Computing'' and inserting ``Networking and
Information Technology Research and Development'';
(B) in paragraph (1)--
(i) by striking ``National High-Performance Computing
Program'' and inserting ``networking and information
technology research and development program'';
(ii) in subparagraph (A), by striking ``high-performance
computing, including networking'' and inserting ``networking
and information technology'';
(iii) in subparagraphs (B) and (G), by striking ``high-
performance'' each place it appears and inserting ``high-
end''; and
(iv) in subparagraph (C), by striking ``high-performance
computing and networking'' and inserting ``high-end
computing, distributed, and networking''; and
(C) in paragraph (2)--
(i) in subparagraphs (A) and (C)--
(I) by striking ``high-performance computing'' each place
it appears and inserting ``networking and information
technology''; and
(II) by striking ``development, networking,'' each place it
appears and inserting ``development,''; and
(ii) in subparagraphs (G) and (H), as redesignated by
section 401(d) of this Act, by striking ``high-performance''
each place it appears and inserting ``high-end'';
(3) in subsection (b)(1), in the matter preceding
subparagraph (A), by striking ``high-performance computing''
each place it appears and inserting ``networking and
information technology''; and
(4) in subsection (c)(1)(A), by striking ``high-performance
computing'' and inserting ``networking and information
technology''.
(d) Section 201.--Section 201(a)(1) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by
striking ``high-performance computing and advanced high-speed
computer networking'' and inserting ``networking and
information technology research and development''.
(e) Section 202.--Section 202(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by
striking ``high-performance computing'' and inserting
``networking and information technology''.
(f) Section 203.--Section 203(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
[[Page S5518]]
(1) in paragraph (1), by striking ``high-performance
computing and networking'' and inserting ``networking and
information technology''; and
(2) in paragraph (2)(A), by striking ``high-performance''
and inserting ``high-end''.
(g) Section 204.--Section 204 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5524) is amended--
(1) in subsection (a)(1)--
(A) in subparagraph (A), by striking ``high-performance
computing systems and networks'' and inserting ``networking
and information technology systems and capabilities'';
(B) in subparagraph (B), by striking ``interoperability of
high-performance computing systems in networks and for common
user interfaces to systems'' and inserting ``interoperability
and usability of networking and information technology
systems''; and
(C) in subparagraph (C), by striking ``high-performance
computing'' and inserting ``networking and information
technology''; and
(2) in subsection (b)--
(A) by striking ``High-Performance Computing and Network''
in the heading and inserting ``Networking and Information
Technology''; and
(B) by striking ``sensitive''.
(h) Section 205.--Section 205(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by
striking ``computational'' and inserting ``networking and
information technology''.
(i) Section 206.--Section 206(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by
striking ``computational research'' and inserting
``networking and information technology research''.
(j) Section 207.--Section 207 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5527) is amended by striking
``high-performance computing'' and inserting ``networking and
information technology''.
(k) Section 208.--Section 208 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5528) is amended--
(1) in the section heading, by striking ``high-performance
computing'' and inserting ``networking and information
technology''; and
(2) in subsection (a)--
(A) in paragraph (1), by striking ``High-performance
computing and associated'' and inserting ``Networking and
information'';
(B) in paragraph (2), by striking ``high-performance
computing'' and inserting ``networking and information
technologies'';
(C) in paragraph (3), by striking ``high-performance'' and
inserting ``high-end'';
(D) in paragraph (4), by striking ``high-performance
computers and associated'' and inserting ``networking and
information''; and
(E) in paragraph (5), by striking ``high-performance
computing and associated'' and inserting ``networking and
information''.
SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) In General.--The Director of the National Science
Foundation, in coordination with the Secretary of Homeland
Security, shall carry out a Federal cyber scholarship-for-
service program to recruit and train the next generation of
information technology professionals and security managers to
meet the needs of the cybersecurity mission for the Federal
government.
(b) Program Description and Components.--The program
shall--
(1) annually assess the workforce needs of the Federal
government for cybersecurity professionals, including network
engineers, software engineers, and other experts in order to
determine how many scholarships should be awarded annually to
ensure that the workforce needs following graduation match
the number of scholarships awarded;
(2) provide scholarships for up to 1,000 students per year
in their pursuit of undergraduate or graduate degrees in the
cybersecurity field, in an amount that may include coverage
for full tuition, fees, and a stipend;
(3) require each scholarship recipient, as a condition of
receiving a scholarship under the program, to serve in a
Federal information technology workforce for a period equal
to one and one-half times each year, or partial year, of
scholarship received, in addition to an internship in the
cybersecurity field, if applicable, following graduation;
(4) provide a procedure for the National Science Foundation
or a Federal agency, consistent with regulations of the
Office of Personnel Management, to request and fund a
security clearance for a scholarship recipient, including
providing for clearance during a summer internship and upon
graduation; and
(5) provide opportunities for students to receive temporary
appointments for meaningful employment in the Federal
information technology workforce during school vacation
periods and for internships.
(c) Hiring Authority.--
(1) In general.--For purposes of any law or regulation
governing the appointment of an individual in the Federal
civil service, upon the successful completion of the
student's studies, a student receiving a scholarship under
the program may--
(A) be hired under section 213.3102(r) of title 5, Code of
Federal Regulations; and
(B) be exempt from competitive service.
(2) Competitive service.--Upon satisfactory fulfillment of
the service term under paragraph (1), an individual may be
converted to a competitive service position without
competition if the individual meets the requirements for that
position.
(d) Eligibility.--The eligibility requirements for a
scholarship under this section shall include that a
scholarship applicant--
(1) be a citizen of the United States;
(2) be eligible to be granted a security clearance;
(3) maintain a grade point average of 3.2 or above on a 4.0
scale for undergraduate study or a 3.5 or above on a 4.0
scale for postgraduate study;
(4) demonstrate a commitment to a career in improving the
security of the information infrastructure; and
(5) has demonstrated a level of proficiency in math or
computer sciences.
(e) Failure to Complete Service Obligation.--
(1) In general.--A scholarship recipient under this section
shall be liable to the United States under paragraph (2) if
the scholarship recipient--
(A) fails to maintain an acceptable level of academic
standing in the educational institution in which the
individual is enrolled, as determined by the Director;
(B) is dismissed from such educational institution for
disciplinary reasons;
(C) withdraws from the program for which the award was made
before the completion of such program;
(D) declares that the individual does not intend to fulfill
the service obligation under this section;
(E) fails to fulfill the service obligation of the
individual under this section; or
(F) loses a security clearance or becomes ineligible for a
security clearance.
(2) Repayment amounts.--
(A) Less than 1 year of service.--If a circumstance under
paragraph (1) occurs before the completion of 1 year of a
service obligation under this section, the total amount of
awards received by the individual under this section shall be
repaid.
(B) One or more years of service.--If a circumstance
described in subparagraph (D) or (E) of paragraph (1) occurs
after the completion of 1 year of a service obligation under
this section, the total amount of scholarship awards received
by the individual under this section, reduced by the ratio of
the number of years of service completed divided by the
number of years of service required, shall be repaid.
(f) Evaluation and Report.--The Director of the National
Science Foundation shall--
(1) evaluate the success of recruiting individuals for
scholarships under this section and of hiring and retaining
those individuals in the public sector workforce, including
the annual cost and an assessment of how the program actually
improves the Federal workforce; and
(2) periodically report the findings under paragraph (1) to
Congress.
(g) Authorization of Appropriations.--From amounts made
available under section 503 of the America COMPETES
Reauthorization Act of 2010 (124 Stat. 4005), the Secretary
may use funds to carry out the requirements of this section
for fiscal years 2012 through 2013.
SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF
INFORMATION INFRASTRUCTURE PROFESSIONALS.
(a) Study.--The President shall enter into an agreement
with the National Academies to conduct a comprehensive study
of government, academic, and private-sector accreditation,
training, and certification programs for personnel working in
information infrastructure. The agreement shall require the
National Academies to consult with sector coordinating
councils and relevant governmental agencies, regulatory
entities, and nongovernmental organizations in the course of
the study.
(b) Scope.--The study shall include--
(1) an evaluation of the body of knowledge and various
skills that specific categories of personnel working in
information infrastructure should possess in order to secure
information systems;
(2) an assessment of whether existing government, academic,
and private-sector accreditation, training, and certification
programs provide the body of knowledge and various skills
described in paragraph (1);
(3) an analysis of any barriers to the Federal Government
recruiting and hiring cybersecurity talent, including
barriers relating to compensation, the hiring process, job
classification, and hiring flexibility; and
(4) an analysis of the sources and availability of
cybersecurity talent, a comparison of the skills and
expertise sought by the Federal Government and the private
sector, an examination of the current and future capacity of
United States institutions of higher education, including
community colleges, to provide current and future
cybersecurity professionals, through education and training
activities, with those skills sought by the Federal
Government, State and local entities, and the private sector.
(c) Report.--Not later than 1 year after the date of
enactment of this Act, the National Academies shall submit to
the President and Congress a report on the results of the
study. The report shall include--
(1) findings regarding the state of information
infrastructure accreditation, training, and certification
programs, including specific areas of deficiency and
demonstrable progress; and
(2) recommendations for the improvement of information
infrastructure accreditation, training, and certification
programs.
SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.
(a) In General.--The Director of the National Institute of
Standards and Technology, in coordination with appropriate
Federal authorities, shall--
[[Page S5519]]
(1) as appropriate, ensure coordination of Federal agencies
engaged in the development of international technical
standards related to information system security; and
(2) not later than 1 year after the date of enactment of
this Act, develop and transmit to Congress a plan for
ensuring such Federal agency coordination.
(b) Consultation With the Private Sector.--In carrying out
the activities under subsection (a)(1), the Director shall
ensure consultation with appropriate private sector
stakeholders.
SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.
The Director of the National Institute of Standards and
Technology shall continue a program to support the
development of technical standards, metrology, testbeds, and
conformance criteria, taking into account appropriate user
concerns--
(1) to improve interoperability among identity management
technologies;
(2) to strengthen authentication methods of identity
management systems;
(3) to improve privacy protection in identity management
systems, including health information technology systems,
through authentication and security protocols; and
(4) to improve the usability of identity management
systems.
SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) National Science Foundation Computer and Network
Security Research Grant Areas.--Section 4(a)(1) of the Cyber
Security Research and Development Act (15 U.S.C. 7403(a)(1))
is amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking ``property.'' and
inserting ``property;''; and
(3) by adding at the end the following:
``(J) secure fundamental protocols that are at the heart of
inter-network communications and data exchange;
``(K) system security that addresses the building of secure
systems from trusted and untrusted components;
``(L) monitoring and detection; and
``(M) resiliency and rapid recovery methods.''.
(b) National Science Foundation Computer and Network
Security Grants.--Section 4(a)(3) of the Cyber Security
Research and Development Act (15 U.S.C. 7403(a)(3)) is
amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
(c) Computer and Network Security Centers.--Section 4(b)(7)
of the Cyber Security Research and Development Act (15 U.S.C.
7403(b)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
(d) Computer and Network Security Capacity Building
Grants.--Section 5(a)(6) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(a)(6)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
(e) Scientific and Advanced Technology Act Grants.--Section
5(b)(2) of the Cyber Security Research and Development Act
(15 U.S.C. 7404(b)(2)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
(f) Graduate Traineeships in Computer and Network Security
Research.--Section 5(c)(7) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(c)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
______
SA 2583. Mr. GRASSLEY submitted an amendment intended to be proposed
by him to the bill S. 3414, to enhance the security and resiliency of
the cyber and communications infrastructure of the United States; which
was ordered to lie on the table; as follows:
Beginning on page 192, strike line 11 and all that follows
through page 193, line 22.
______
SA 2584. Mr. GRASSLEY submitted an amendment intended to be proposed
by him to the bill S. 3414, to enhance the security and resiliency of
the cyber and communications infrastructure of the United States; which
was ordered to lie on the table; as follows:
On page 18, strike line 16 and all that follows through
page 19, line 2, and insert the following:
(5) Limitation.--The Council may not identify critical
infrastructure as a category of critical cyber infrastructure
under this section based solely on activities protected by
the first amendment to the Constitution of the United States.
______
SA 2585. Mr. GRASSLEY submitted an amendment intended to be proposed
by him to the bill S. 3414, to enhance the security and resiliency of
the cyber and communications infrastructure of the United States; which
was ordered to lie on the table; as follows:
At the end, add the following:
TITLE VIII--CRIMINAL PENALTIES
SEC. 801. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN
CONNECTION WITH COMPUTERS.
Section 1030(c) of title 18, United States Code, is amended
to read as follows:
``(c) The punishment for an offense under subsection (a) or
(b) of this section is--
``(1) a fine under this title or imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(1) of this section;
``(2)(A) except as provided in subparagraph (B), a fine
under this title or imprisonment for not more than 3 years,
or both, in the case of an offense under subsection (a)(2);
or
``(B) a fine under this title or imprisonment for not more
than ten years, or both, in the case of an offense under
subsection (a)(2) of this section, if--
``(i) the offense was committed for purposes of commercial
advantage or private financial gain;
``(ii) the offense was committed in the furtherance of any
criminal or tortious act in violation of the Constitution or
laws of the United States, or of any State; or
``(iii) the value of the information obtained, or that
would have been obtained if the offense was completed,
exceeds $5,000;
``(3) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(3) of this section;
``(4) a fine under this title or imprisonment of not more
than 20 years, or both, in the case of an offense under
subsection (a)(4) of this section; and
``(5)(A) except as provided in subparagraph (C), a fine
under this title, imprisonment for not more than 20 years, or
both, in the case of an offense under subsection (a)(5)(A) of
this section, if the offense caused--
``(i) loss to 1 or more persons during any 1-year period
(and, for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting
from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
``(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
``(iii) physical injury to any person;
``(iv) a threat to public health or safety;
``(v) damage affecting a computer used by, or on behalf of,
an entity of the United States Government in furtherance of
the administration of justice, national defense, or national
security; or
``(vi) damage affecting 10 or more protected computers
during any 1-year period;
``(B) a fine under this title, imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(5)(B), if the offense caused a harm described
in clause (i) through (vi) of subparagraph (A) of this
subsection;
``(C) if the offender attempts to cause or knowingly or
recklessly causes death from conduct in violation of
subsection (a)(5)(A), a fine under this title, imprisonment
for any term of years or for life, or both;
``(D) a fine under this title, imprisonment for not more
than 10 years, or both, for any other offense under
subsection (a)(5);
``(E) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(6) of this section; or
``(F) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(7) of this section.''.
SEC. 802. TRAFFICKING IN PASSWORDS.
Section 1030(a)(6) of title 18, United States Code, is
amended to read as follows:
``(6) knowingly and with intent to defraud traffics (as
defined in section 1029) in any password or similar
information or means of access through which a protected
computer (as defined in subparagraphs (A) and (B) of
subsection (e)(2)) may be accessed without authorization;
or''.
SEC. 803. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.
Section 1030(b) of title 18, United States Code, is amended
by inserting ``as if for the completed offense'' after
``punished as provided''.
[[Page S5520]]
SEC. 804. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED
ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030 of title 18, United States Code, is amended by
striking subsections (i) and (j) and inserting the following:
``(i) Criminal Forfeiture.--
``(1) The court, in imposing sentence on any person
convicted of a violation of this section, or convicted of
conspiracy to violate this section, shall order, in addition
to any other sentence imposed and irrespective of any
provision of State law, that such person forfeit to the
United States--
``(A) such person's interest in any property, real or
personal, that was used, or intended to be used, to commit or
facilitate the commission of such violation; and
``(B) any property, real or personal, constituting or
derived from any gross proceeds, or any property traceable to
such property, that such person obtained, directly or
indirectly, as a result of such violation.
``(2) The criminal forfeiture of property under this
subsection, including any seizure and disposition of the
property, and any related judicial or administrative
proceeding, shall be governed by the provisions of section
413 of the Comprehensive Drug Abuse Prevention and Control
Act of 1970 (21 U.S.C. 853), except subsection (d) of that
section.
``(j) Civil Forfeiture.--
``(1) The following shall be subject to forfeiture to the
United States and no property right, real or personal, shall
exist in them:
``(A) Any property, real or personal, that was used, or
intended to be used, to commit or facilitate the commission
of any violation of this section, or a conspiracy to violate
this section.
``(B) Any property, real or personal, constituting or
derived from any gross proceeds obtained directly or
indirectly, or any property traceable to such property, as a
result of the commission of any violation of this section, or
a conspiracy to violate this section.
``(2) Seizures and forfeitures under this subsection shall
be governed by the provisions in chapter 46 relating to civil
forfeitures, except that such duties as are imposed on the
Secretary of the Treasury under the customs laws described in
section 981(d) shall be performed by such officers, agents
and other persons as may be designated for that purpose by
the Secretary of Homeland Security or the Attorney
General.''.
SEC. 805. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.
(a) In General.--Chapter 47 of title 18, United States
Code, is amended by inserting after section 1030 the
following:
``Sec. 1030A. Aggravated damage to a critical infrastructure
computer
``(a) Definitions.--In this section--
``(1) the term `computer' has the meaning given the term in
section 1030;
``(2) the term `critical infrastructure computer' means a
computer that manages or controls systems or assets vital to
national defense, national security, national economic
security, public health or safety, or any combination of
those matters, whether publicly or privately owned or
operated, including--
``(A) oil and gas production, storage, conversion, and
delivery systems;
``(B) water supply systems;
``(C) telecommunication networks;
``(D) electrical power generation and delivery systems;
``(E) finance and banking systems;
``(F) emergency services;
``(G) transportation systems and services; and
``(H) government operations that provide essential services
to the public; and
``(3) the term `damage' has the meaning given the term in
section 1030.
``(b) Offense.--It shall be unlawful, during and in
relation to a felony violation of section 1030, to knowingly
cause or attempt to cause damage to a critical infrastructure
computer if the damage results in (or, in the case of an
attempt, if completed, would have resulted in) the
substantial impairment--
``(1) of the operation of the critical infrastructure
computer; or
``(2) of the critical infrastructure associated with the
computer.
``(c) Penalty.--Any person who violates subsection (b)
shall be fined under this title, imprisoned for not less than
3 years but not more than 20 years, or both.
``(d) Consecutive Sentence.--Notwithstanding any other
provision of law--
``(1) a court shall not place on probation any person
convicted of a violation of this section;
``(2) except as provided in paragraph (4), no term of
imprisonment imposed on a person under this section shall run
concurrently with any other term of imprisonment, including
any term of imprisonment imposed on the person under any
other provision of law, including any term of imprisonment
imposed for a felony violation of section 1030;
``(3) in determining any term of imprisonment to be imposed
for a felony violation of section 1030, a court shall not in
any way reduce the term to be imposed for such crime so as to
compensate for, or otherwise take into account, any separate
term of imprisonment imposed or to be imposed for a violation
of this section; and
``(4) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the
court, run concurrently, in whole or in part, only with
another term of imprisonment that is imposed by the court at
the same time on that person for an additional violation of
this section, provided that such discretion shall be
exercised in accordance with any applicable guidelines and
policy statements issued by the United States Sentencing
Commission pursuant to section 994 of title 28.''.
(b) Technical and Conforming Amendment.--The chapter
analysis for chapter 47 of title 18, United States Code, is
amended by inserting after the item relating to section 1030
the following:
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. 806. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code, is
amended by striking ``alter;'' and inserting ``alter, but
does not include access in violation of a contractual
obligation or agreement, such as an acceptable use policy or
terms of service agreement, with an Internet service
provider, Internet website, or non-government employer, if
such violation constitutes the sole basis for determining
that access to a protected computer is unauthorized;''.
SEC. 807. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
______
SA 2586. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 22, strike lines 8 through 18.
______
SA 2587. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 30, after line 24, add the following:
(C) Rule of construction.--Nothing in this paragraph shall
be construed to establish a civil cause of action, or a
presumption of negligence in a civil action, against an owner
that does not participate in the Voluntary Cybersecurity
Program for Critical Infrastructure established under this
section.
______
SA 2588. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 22, line 10, strike ``fails'' and all that follows
through line 18 and insert ``chooses not to propose to the
Council cybersecurity practices under subsection (a), not
later than 180 days after the date of enactment of this Act
the sector coordinating council shall submit a report to the
Council explaining why it chose not to propose cybersecurity
practices.''.
______
SA 2589. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 30, line 8, after ``106'' insert the following:
``and may not be used for other regulatory purposes by the
Federal Government or a State or local government''.
______
SA 2590. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 21, strike line 8 and all that follows through page
22, line 7, and insert the following:
(B) review relevant regulations or compulsory standards or
guidelines; and
(C) review cybersecurity practices proposed under
subsection (a) to ensure sufficient protection against cyber
risks.
(2) Adoption.--
(A) In general.--Not later than 1 year after the date of
enactment of this Act, the Council shall--
(i) adopt any cybersecurity practices proposed under
subsection (a) that adequately remediate or mitigate
identified cyber risks and any associated consequences
identified through an assessment conducted under section
102(a); and
(ii) conduct a cost-benefit analysis in accordance with
Executive Order 13563 (5 U.S.C. 601 note; relating to
improving regulation and regulatory review), including
sections 1 and 3 of such Executive Order.
______
SA 2591. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 16, line 8, after ``mechanism'' insert ``, under
which it shall be unlawful for the Federal Government to
compel participation,''.
[[Page S5521]]
______
SA 2592. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
Strike title IV.
______
SA 2593. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 10, line 12, after ``shall'' insert the following:
``designate a Federal agency subject to full congressional
oversight to''.
______
SA 2594. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 20, line 2, after ``paragraph (1).'' insert the
following: ``If Congress passes a resolution of disapproval
of the identification of a category of critical
infrastructure as critical cyber infrastructure, the category
shall be removed from the list of identified categories of
critical cyber infrastructure and may not be identified as a
category of critical cyber infrastructure during the 2 year
period beginning on the date on which Congress passes the
resolution of disapproval.''.
______
SA 2595. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 23, strike line 22 and all that follows through
page 24, line 13, and insert the following:
critical infrastructure may not adopt the cybersecurity
practices as mandatory requirements.
(B) Rule of construction.--Nothing in
______
SA 2596. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 13, line 11, insert ``In addition, any authority of
a Federal agency under another provision of law to compel
owners or operators to provide information to the Federal
Government may not be used in furtherance of this Act.''
after the period.
______
SA 2597. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
Strike title I.
______
SA 2598. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 16, line 21, strike ``and''.
On page 16, line 23, strike the period and insert ``;
and''.
On page 16, between lines 23 and 24, insert the following:
(H) submit to the President and the appropriate
congressional committees a report, which may be in classified
or unclassified form, explaining the methodologies used to
identify and results of the identification of categories of
critical cyber infrastructure.
______
SA 2599. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 24, strike lines 3 through 12 and insert the
following:
adopted the cybersecurity practices as mandatory
requirements, the Federal agency shall submit to the
appropriate congressional committees a report on the reasons
the Federal agency did so, including an explanation of how
the Federal agency conducted a detailed cost-benefit analysis
in accordance with Executive Order 13563 (5 U.S.C. 601 note;
relating to improving regulation and regulatory review),
including sections 1 and 3 of such Executive Order.
______
SA 2600. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
Beginning on page 18, strike line 18 and all that follows
through page 19, line 2, and insert the following: ``under
this section critical infrastructure based solely on
activities protected by the first amendment to the
Constitution of the United States.''.
______
SA 2601. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 34, strike lines 3 through 19 and insert the
following:
(1) provide additional authority for any sector-specific
agency or any Federal agency that is not a sector-specific
agency with responsibilities for regulating the security of
critical infrastructure to establish standards or other
cybersecurity measures that are applicable to the security of
critical infrastructure not otherwise authorized by law;
(2) limit or restrict the authority of the Department, or
any other Federal agency, under any other provision of law;
or
(3) permit any owner (including a certified owner) to fail
to comply with any other law or regulation, unless
specifically authorized.
______
SA 2602. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 173, beginning on line 14, strike ``The Secretary
of Homeland Security, in consultation with'' and insert ``The
President, in consultation with the Secretary,''.
On page 173, line 19, strike ``civilian''.
On page 174, line 11, strike ``Civilian''.
On page 174, beginning on line 13, strike ``The Secretary,
in consultation with'' and insert ``The President, in
consultation with the Secretary,''.
On page 174, line 16, strike ``civilian''.
On page 174, beginning on line 21, strike ``civilian''.
On page 177, line 2, strike ``civilian''.
On page 177, line 6, strike ``Civilian''.
On page 177, beginning on line 8, strike ``the Secretary,
in consultation with'' and insert ``the President, in
consultation with the Secretary,''.
On page 177, line 11, strike ``civilian''.
On page 177, line 23, strike ``the Secretary'' and insert
``the President''.
On page 178, line 21, strike ``The Secretary'' and insert
``The President''.
On page 179, beginning on line 6, strike ``The Secretary,
in coordination with the Director of National Intelligence,
the Attorney General, and the Secretary of Defense,'' and
insert ``The President''.
On page 183, beginning on line 15, strike ``the Secretary
and approved by the Attorney General'' and insert ``the
President''.
On page 184, beginning on line 19, strike ``The Secretary,
in consultation with privacy and civil liberties experts,''
and insert ``The President, in consultation with privacy and
civil liberties experts, the Secretary,''.
On page 186, strike lines 16 through 22.
On page 186, line 24, strike ``The Secretary'' and insert
``The President''.
On page 187, beginning on line 10, strike ``The Secretary
and the Attorney General'' and insert ``The President, in
consultation with the Secretary and the Attorney General,''.
On page 187, beginning on line 20, strike ``the Secretary
and approved by the Attorney General'' and insert ``the
President''.
On page 187, beginning on line 23, strike ``the Attorney
General'' and insert ``the President''.
On page 188, line 1, strike ``the Attorney General'' and
insert ``the President''.
On page 188, line 3, strike ``the Attorney General'' and
insert ``the President''.
On page 202, beginning on line 21, strike ``the Secretary,
the Director of National Intelligence, the Attorney General,
and the Secretary of Defense shall jointly'' and insert ``the
President, in consultation with the Secretary, the Director
of National Intelligence, the Attorney General, and the
Secretary of Defense, shall''.
______
SA 2603. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 173, beginning on line 14, strike ``The Secretary
of Homeland Security, in consultation with'' and insert ``The
President, in consultation with the Secretary,''.
On page 173, line 19, strike ``civilian''.
On page 174, line 11, strike ``Civilian''.
On page 174, beginning on line 13, strike ``The Secretary,
in consultation with'' and insert ``The President, in
consultation with the Secretary,''.
On page 174, line 16, strike ``civilian''.
On page 174, beginning on line 21, strike ``civilian''.
On page 177, line 2, strike ``civilian''.
On page 177, line 6, strike ``Civilian''.
On page 177, beginning on line 8, strike ``the Secretary,
in consultation with'' and
[[Page S5522]]
insert ``the President, in consultation with the
Secretary,''.
On page 177, line 11, strike ``civilian''.
On page 177, line 23, strike ``the Secretary'' and insert
``the President''.
On page 178, line 21, strike ``The Secretary'' and insert
``The President''.
On page 179, beginning on line 6, strike ``The Secretary,
in coordination with the Director of National Intelligence,
the Attorney General, and the Secretary of Defense,'' and
insert ``The President''.
On page 183, beginning on line 15, strike ``the Secretary
and approved by the Attorney General'' and insert ``the
President''.
On page 184, beginning on line 19, strike ``The Secretary,
in consultation with privacy and civil liberties experts,''
and insert ``The President, in consultation with privacy and
civil liberties experts, the Secretary,''.
On page 186, strike lines 16 through 22.
On page 186, line 24, strike ``The Secretary'' and insert
``The President''.
On page 187, beginning on line 10, strike ``The Secretary
and the Attorney General'' and insert ``The President, in
consultation with the Secretary and the Attorney General,''.
On page 187, beginning on line 20, strike ``the Secretary
and approved by the Attorney General'' and insert ``the
President''.
On page 187, beginning on line 23, strike ``the Attorney
General'' and insert ``the President''.
On page 188, line 1, strike ``the Attorney General'' and
insert ``the President''.
On page 188, line 3, strike ``the Attorney General'' and
insert ``the President''.
On page 199, strike lines 12 through 17.
On page 202, beginning on line 21, strike ``the Secretary,
the Director of National Intelligence, the Attorney General,
and the Secretary of Defense shall jointly'' and insert ``the
President, in consultation with the Secretary, the Director
of National Intelligence, the Attorney General, and the
Secretary of Defense, shall''.
______
SA 2604. Mr. McCAIN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
At the end of title I, add the following:
SEC. 111. SUNSET.
This title is repealed effective on the date that is 4
years after the date of enactment of this Act.
______
SA 2605. Mr. McCAIN (for himself, Mrs. Hutchison, Mr. Chambliss, Mr.
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of
Wisconsin) submitted an amendment intended to be proposed by him to the
bill S. 3414, to enhance the security and resiliency of the cyber and
communications infrastructure of the United States; which was ordered
to lie on the table; as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the
``Strengthening and Enhancing Cybersecurity by Using
Research, Education, Information, and Technology Act of
2012'' or ``SECURE IT''.
(b) Table of Contents.--The table of contents of this Act
is as follows:
Sec. 1. Short title; table of contents.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.
TITLE III--CRIMINAL PENALTIES
Sec. 301. Penalties for fraud and related activity in connection with
computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity
in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
Sec. 401. National High-Performance Computing Program planning and
coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology,
including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance
Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of
information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
SEC. 101. DEFINITIONS.
In this title:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in section 1(a) of the
Clayton Act (15 U.S.C. 12(a));
(B) includes section 5 of the Federal Trade Commission Act
(15 U.S.C. 45) to the extent that section 5 of that Act
applies to unfair methods of competition; and
(C) includes any State law that has the same intent and
effect as the laws under subparagraphs (A) and (B).
(3) Countermeasure.--The term ``countermeasure'' means an
automated or a manual action with defensive intent to
mitigate cyber threats.
(4) Cyber threat information.--The term ``cyber threat
information'' means information that indicates or describes--
(A) a technical or operational vulnerability or a cyber
threat mitigation measure;
(B) an action or operation to mitigate a cyber threat;
(C) malicious reconnaissance, including anomalous patterns
of network activity that appear to be transmitted for the
purpose of gathering technical information related to a
cybersecurity threat;
(D) a method of defeating a technical control;
(E) a method of defeating an operational control;
(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
(G) a method of causing a user with legitimate access to an
information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
(H) any other attribute of a cybersecurity threat or cyber
defense information that would foster situational awareness
of the United States cybersecurity posture, if disclosure of
such attribute or information is not otherwise prohibited by
law;
(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
(J) any combination of subparagraphs (A) through (I).
(5) Cybersecurity center.--The term ``cybersecurity
center'' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
(6) Cybersecurity system.--The term ``cybersecurity
system'' means a system designed or employed to ensure the
integrity, confidentiality, or availability of, or to
safeguard, a system or network, including measures intended
to protect a system or network from--
(A) efforts to degrade, disrupt, or destroy such system or
network; or
(B) theft or misappropriations of private or government
information, intellectual property, or personally
identifiable information.
(7) Entity.--
(A) In general.--The term ``entity'' means any private
entity, non-Federal government agency or department, or
State, tribal, or local government agency or department
(including an officer, employee, or agent thereof).
(B) Inclusions.--The term ``entity'' includes a government
agency or department (including an officer, employee, or
agent thereof) of the District of Columbia, the Commonwealth
of Puerto Rico, the Virgin Islands, Guam, American Samoa, the
Northern Mariana Islands, and any other territory or
possession of the United States.
(8) Federal information system.--The term ``Federal
information system'' means an information system of a Federal
department or agency used or operated by an executive agency,
by a contractor of an executive agency, or by another
organization on behalf of an executive agency.
(9) Information security.--The term ``information
security'' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
[[Page S5523]]
(B) confidentiality, by preserving authorized restrictions
on access and disclosure, including means for protecting
personal privacy and proprietary information; or
(C) availability, by ensuring timely and reliable access to
and use of information.
(10) Information system.--The term ``information system''
has the meaning given the term in section 3502 of title 44,
United States Code.
(11) Local government.--The term ``local government'' means
any borough, city, county, parish, town, township, village,
or other general purpose political subdivision of a State.
(12) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
(13) Operational control.--The term ``operational control''
means a security control for an information system that
primarily is implemented and executed by people.
(14) Operational vulnerability.--The term ``operational
vulnerability'' means any attribute of policy, process, or
procedure that could enable or facilitate the defeat of an
operational control.
(15) Private entity.--The term ``private entity'' means any
individual or any private group, organization, or
corporation, including an officer, employee, or agent
thereof.
(16) Significant cyber incident.--The term ``significant
cyber incident'' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
(17) Technical control.--The term ``technical control''
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
(18) Technical vulnerability.--The term ``technical
vulnerability'' means any attribute of hardware or software
that could enable or facilitate the defeat of a technical
control.
(19) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian Self-
Determination and Education Assistance Act (25 U.S.C. 450b).
SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.
(a) Voluntary Disclosure.--
(1) Private entities.--Notwithstanding any other provision
of law, a private entity may, for the purpose of preventing,
investigating, or otherwise mitigating threats to information
security, on its own networks, or as authorized by another
entity, on such entity's networks, employ countermeasures and
use cybersecurity systems in order to obtain, identify, or
otherwise possess cyber threat information.
(2) Entities.--Notwithstanding any other provision of law,
an entity may disclose cyber threat information to--
(A) a cybersecurity center; or
(B) any other entity in order to assist with preventing,
investigating, or otherwise mitigating threats to information
security.
(3) Information security providers.--If the cyber threat
information described in paragraph (1) is obtained,
identified, or otherwise possessed in the course of providing
information security products or services under contract to
another entity, that entity shall be given, at any time prior
to disclosure of such information, a reasonable opportunity
to authorize or prevent such disclosure, to request
anonymization of such information, or to request that
reasonable efforts be made to safeguard such information that
identifies specific persons from unauthorized access or
disclosure.
(b) Significant Cyber Incidents Involving Federal
Information Systems.--
(1) In general.--An entity providing electronic
communication services, remote computing services, or
information security services to a Federal department or
agency shall inform the Federal department or agency of a
significant cyber incident involving the Federal information
system of that Federal department or agency that--
(A) is directly known to the entity as a result of
providing such services;
(B) is directly related to the provision of such services
by the entity; and
(C) as determined by the entity, has impeded or will impede
the performance of a critical mission of the Federal
department or agency.
(2) Advance coordination.--A Federal department or agency
receiving the services described in paragraph (1) shall
coordinate in advance with an entity described in paragraph
(1) to develop the parameters of any information that may be
provided under paragraph (1), including clarification of the
type of significant cyber incident that will impede the
performance of a critical mission of the Federal department
or agency.
(3) Report.--A Federal department or agency shall report
information provided under this subsection to a cybersecurity
center.
(4) Construction.--Any information provided to a
cybersecurity center under paragraph (3) shall be treated in
the same manner as information provided to a cybersecurity
center under subsection (a).
(c) Information Shared With or Provided to a Cybersecurity
Center.--Cyber threat information provided to a cybersecurity
center under this section--
(1) may be disclosed to, retained by, and used by,
consistent with otherwise applicable Federal law, any Federal
agency or department, component, officer, employee, or agent
of the Federal government for a cybersecurity purpose, a
national security purpose, or in order to prevent,
investigate, or prosecute any of the offenses listed in
section 2516 of title 18, United States Code, and such
information shall not be disclosed to, retained by, or used
by any Federal agency or department for any use not permitted
under this paragraph;
(2) may, with the prior written consent of the entity
submitting such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except that if the need for immediate
disclosure prevents obtaining written consent, such consent
may be provided orally with subsequent documentation of such
consent;
(3) shall be considered the commercial, financial, or
proprietary information of the entity providing such
information to the Federal government and any disclosure
outside the Federal government may only be made upon the
prior written consent by such entity and shall not constitute
a waiver of any applicable privilege or protection provided
by law, except that if the need for immediate disclosure
prevents obtaining written consent, such consent may be
provided orally with subsequent documentation of such
consent;
(4) shall be deemed voluntarily shared information and
exempt from disclosure under section 552 of title 5, United
States Code, and any State, tribal, or local law requiring
disclosure of information or records;
(5) shall be, without discretion, withheld from the public
under section 552(b)(3)(B) of title 5, United States Code,
and any State, tribal, or local law requiring disclosure of
information or records;
(6) shall not be subject to the rules of any Federal agency
or department or any judicial doctrine regarding ex parte
communications with a decision-making official;
(7) shall not, if subsequently provided to a State, tribal,
or local government or government agency, otherwise be
disclosed or distributed to any entity by such State, tribal,
or local government or government agency without the prior
written consent of the entity submitting such information,
notwithstanding any State, tribal, or local law requiring
disclosure of information or records, except that if the need
for immediate disclosure prevents obtaining written consent,
such consent may be provided orally with subsequent
documentation of such consent; and
(8) shall not be directly used by any Federal, State,
tribal, or local department or agency to regulate the lawful
activities of an entity, including activities relating to
obtaining, identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this paragraph.
(d) Procedures Relating to Information Sharing With a
Cybersecurity Center.--Not later than 60 days after the date
of enactment of this Act, the heads of each department or
agency containing a cybersecurity center shall jointly
develop, promulgate, and submit to Congress procedures to
ensure that cyber threat information shared with or provided
to--
(1) a cybersecurity center under this section--
(A) may be submitted to a cybersecurity center by an
entity, to the greatest extent possible, through a uniform,
publicly available process or format that is easily
accessible on the website of such cybersecurity center, and
that includes the ability to provide relevant details about
the cyber threat information and written consent to any
subsequent disclosures authorized by this paragraph;
(B) shall immediately be further shared with each
cybersecurity center in order to prevent, investigate, or
otherwise mitigate threats to information security across the
Federal government;
(C) is handled by the Federal government in a reasonable
manner, including consideration of the need to protect the
privacy and civil liberties of individuals through
anonymization or other appropriate methods, while fully
accomplishing the objectives of this title, and the Federal
government may undertake efforts consistent with this
subparagraph to limit the impact on privacy and civil
liberties of the sharing of cyber threat information with the
Federal government; and
(D) except as provided in this section, shall only be used,
disclosed, or handled in accordance with the provisions of
subsection (c); and
(2) a Federal agency or department under subsection (b) is
provided immediately to a cybersecurity center in order to
prevent, investigate, or otherwise mitigate threats to
[[Page S5524]]
information security across the Federal government.
(e) Information Shared Between Entities.--
(1) In general.--An entity sharing cyber threat information
with another entity under this title may restrict the use or
sharing of such information by such other entity.
(2) Further sharing.--Cyber threat information shared by
any entity with another entity under this title--
(A) shall only be further shared in accordance with any
restrictions placed on the sharing of such information by the
entity authorizing such sharing, such as appropriate
anonymization of such information; and
(B) may not be used by any entity to gain an unfair
competitive advantage to the detriment of the entity
authorizing the sharing of such information, except that the
conduct described in paragraph (3) shall not constitute
unfair competitive conduct.
(3) Information shared with state, tribal, or local
government or government agency.--Cyber threat information
shared with a State, tribal, or local government or
government agency under this title--
(A) may, with the prior written consent of the entity
sharing such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except if the need for immediate disclosure
prevents obtaining written consent, consent may be provided
orally with subsequent documentation of the consent;
(B) shall be deemed voluntarily shared information and
exempt from disclosure under any State, tribal, or local law
requiring disclosure of information or records;
(C) shall not be disclosed or distributed to any entity by
the State, tribal, or local government or government agency
without the prior written consent of the entity submitting
such information, notwithstanding any State, tribal, or local
law requiring disclosure of information or records, except if
the need for immediate disclosure prevents obtaining written
consent, consent may be provided orally with subsequent
documentation of the consent; and
(D) shall not be directly used by any State, tribal, or
local department or agency to regulate the lawful activities
of an entity, including activities relating to obtaining,
identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this
subparagraph.
(4) Antitrust exemption.--The exchange or provision of
cyber threat information or assistance between 2 or more
private entities under this title shall not be considered a
violation of any provision of antitrust laws if exchanged or
provided in order to assist with--
(A) facilitating the prevention, investigation, or
mitigation of threats to information security; or
(B) communicating or disclosing of cyber threat information
to help prevent, investigate or otherwise mitigate the
effects of a threat to information security.
(5) No right or benefit.--The provision of cyber threat
information to an entity under this section shall not create
a right or a benefit to similar information by such entity or
any other entity.
(f) Federal Preemption.--
(1) In general.--This section supersedes any statute or
other law of a State or political subdivision of a State that
restricts or otherwise expressly regulates an activity
authorized under this section.
(2) State law enforcement.--Nothing in this section shall
be construed to supersede any statute or other law of a State
or political subdivision of a State concerning the use of
authorized law enforcement techniques.
(3) Public disclosure.--No information shared with or
provided to a State, tribal, or local government or
government agency pursuant to this section shall be made
publicly available pursuant to any State, tribal, or local
law requiring disclosure of information or records.
(g) Civil and Criminal Liability.--
(1) General protections.--
(A) Private entities.--No cause of action shall lie or be
maintained in any court against any private entity for--
(i) the use of countermeasures and cybersecurity systems as
authorized by this title;
(ii) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(iii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
private entity.
(B) Entities.--No cause of action shall lie or be
maintained in any court against any entity for--
(i) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(ii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
entity.
(2) Construction.--Nothing in this subsection shall be
construed as creating any immunity against, or otherwise
affecting, any action brought by the Federal government, or
any agency or department thereof, to enforce any law,
executive order, or procedure governing the appropriate
handling, disclosure, and use of classified information.
(h) Otherwise Lawful Disclosures.--Nothing in this section
shall be construed to limit or prohibit otherwise lawful
disclosures of communications, records, or other information
by a private entity to any other governmental or private
entity not covered under this section.
(i) Whistleblower Protection.--Nothing in this Act shall be
construed to preempt or preclude any employee from exercising
rights currently provided under any whistleblower law, rule,
or regulation.
(j) Relationship to Other Laws.--The submission of cyber
threat information under this section to a cybersecurity
center shall not affect any requirement under any other
provision of law for an entity to provide information to the
Federal government.
SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.
(a) Classified Information.--
(1) Procedures.--Consistent with the protection of
intelligence sources and methods, and as otherwise determined
appropriate, the Director of National Intelligence and the
Secretary of Defense, in consultation with the heads of the
appropriate Federal departments or agencies, shall develop
and promulgate procedures to facilitate and promote--
(A) the immediate sharing, through the cybersecurity
centers, of classified cyber threat information in the
possession of the Federal government with appropriately
cleared representatives of any appropriate entity; and
(B) the declassification and immediate sharing, through the
cybersecurity centers, with any entity or, if appropriate,
public availability of cyber threat information in the
possession of the Federal government;
(2) Handling of classified information.--The procedures
developed under paragraph (1) shall ensure that each entity
receiving classified cyber threat information pursuant to
this section has acknowledged in writing the ongoing
obligation to comply with all laws, executive orders, and
procedures concerning the appropriate handling, disclosure,
or use of classified information.
(b) Unclassified Cyber Threat Information.--The heads of
each department or agency containing a cybersecurity center
shall jointly develop and promulgate procedures that ensure
that, consistent with the provisions of this section,
unclassified, including controlled unclassified, cyber threat
information in the possession of the Federal government--
(1) is shared, through the cybersecurity centers, in an
immediate and adequate manner with appropriate entities; and
(2) if appropriate, is made publicly available.
(c) Development of Procedures.--
(1) In general.--The procedures developed under this
section shall incorporate, to the greatest extent possible,
existing processes utilized by sector specific information
sharing and analysis centers.
(2) Coordination with entities.--In developing the
procedures required under this section, the Director of
National Intelligence and the heads of each department or
agency containing a cybersecurity center shall coordinate
with appropriate entities to ensure that protocols are
implemented that will facilitate and promote the sharing of
cyber threat information by the Federal government.
(d) Additional Responsibilities of Cybersecurity Centers.--
Consistent with section 102, a cybersecurity center shall--
(1) facilitate information sharing, interaction, and
collaboration among and between cybersecurity centers and--
(A) other Federal entities;
(B) any entity; and
(C) international partners, in consultation with the
Secretary of State;
(2) disseminate timely and actionable cybersecurity threat,
vulnerability, mitigation, and warning information, including
alerts, advisories, indicators, signatures, and mitigation
and response measures, to improve the security and protection
of information systems; and
(3) coordinate with other Federal entities, as appropriate,
to integrate information from across the Federal government
to provide situational awareness of the cybersecurity posture
of the United States.
(e) Sharing Within the Federal Government.--The heads of
appropriate Federal departments and agencies shall ensure
that cyber threat information in the possession of such
Federal departments or agencies that relates to the
prevention, investigation, or mitigation of threats to
information security across the Federal government is shared
effectively with the cybersecurity centers.
(f) Submission to Congress.--Not later than 60 days after
the date of enactment of this Act, the Director of National
Intelligence, in coordination with the appropriate head of a
department or an agency containing a cybersecurity center,
shall submit the procedures required by this section to
Congress.
SEC. 104. CONSTRUCTION.
(a) Information Sharing Relationships.--Nothing in this
title shall be construed--
(1) to limit or modify an existing information sharing
relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship
between any entity and the Federal government, except as
specified under section 102(b); or
(4) to modify the authority of a department or agency of
the Federal government
to protect sources and methods and the national security of
the United States.
(b) Anti-tasking Restriction.--Nothing in this title shall
be construed to permit the Federal government--
(1) to require an entity to share information with the
Federal government, except as expressly provided under
section 102(b); or
(2) to condition the sharing of cyber threat information
with an entity on such entity's provision of cyber threat
information to the Federal government.
(c) No Liability for Non-participation.--Nothing in this
title shall be construed to subject any entity to liability
for choosing not to engage in the voluntary activities
authorized under this title.
(d) Use and Retention of Information.--Nothing in this
title shall be construed to authorize, or to modify any
existing authority of, a department or agency of the Federal
government to retain or use any information shared under
section 102 for any use other than a use permitted under
subsection 102(c)(1).
(e) No New Funding.--An applicable Federal agency shall
carry out the provisions of this title with existing
facilities and funds otherwise available, through such means
as the head of the agency considers appropriate.
SEC. 105. REPORT ON IMPLEMENTATION.
(a) Content of Report.--Not later than 1 year after the
date of enactment of this Act, and biennially thereafter, the
heads of each department or agency containing a cybersecurity
center shall jointly submit, in coordination with the privacy
and civil liberties officials of such departments or agencies
and the Privacy and Civil Liberties Oversight Board, a
detailed report to Congress concerning the implementation of
this title, including--
(1) an assessment of the sufficiency of the procedures
developed under section 103 of this Act in ensuring that
cyber threat information in the possession of the Federal
government is provided in an immediate and adequate manner to
appropriate entities or, if appropriate, is made publicly
available;
(2) an assessment of whether information has been
appropriately classified and an accounting of the number of
security clearances authorized by the Federal government for
purposes of this title;
(3) a review of the type of cyber threat information shared
with a cybersecurity center under section 102 of this Act,
including whether such information meets the definition of
cyber threat information under section 101, the degree to
which such information may impact the privacy and civil
liberties of individuals, any appropriate metrics to
determine any impact of the sharing of such information with
the Federal government on privacy and civil liberties, and
the adequacy of any steps taken to reduce such impact;
(4) a review of actions taken by the Federal government
based on information provided to a cybersecurity center under
section 102 of this Act, including the appropriateness of any
subsequent use under section 102(c)(1) of this Act and
whether there was inappropriate stovepiping within the
Federal government of any such information;
(5) a description of any violations of the requirements of
this title by the Federal government;
(6) a classified list of entities that received classified
information from the Federal government under section 103 of
this Act and a description of any indication that such
information may not have been appropriately handled;
(7) a summary of any breach of information security, if
known, attributable to a specific failure by any entity or
the Federal government to act on cyber threat information in
the possession of such entity or the Federal government that
resulted in substantial economic harm or injury to a specific
entity or the Federal government; and
(8) any recommendation for improvements or modifications to
the authorities under this title.
(b) Form of Report.--The report under subsection (a) shall
be submitted in unclassified form, but shall include a
classified annex.
SEC. 106. INSPECTOR GENERAL REVIEW.
(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency are authorized to review compliance
by the cybersecurity centers, and by any Federal department
or agency receiving cyber threat information from such
cybersecurity centers, with the procedures required under
section 102 of this Act.
(b) Scope of Review.--The review under subsection (a) shall
consider whether the Federal government has handled such
cyber threat information in a reasonable manner, including
consideration of the need to protect the privacy and civil
liberties of individuals through anonymization or other
appropriate methods, while fully accomplishing the objectives
of this title.
(c) Report to Congress.--Each review conducted under this
section shall be provided to Congress not later than 30 days
after the date of completion of the review.
SEC. 107. TECHNICAL AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
(1) in paragraph (8), by striking ``or'';
(2) in paragraph (9), by striking ``wells.'' and inserting
``wells; or''; and
(3) by adding at the end the following:
``(10) information shared with or provided to a
cybersecurity center under section 102 of title I of the
Strengthening and Enhancing Cybersecurity by Using Research,
Education, Information, and Technology Act of 2012.''.
SEC. 108. ACCESS TO CLASSIFIED INFORMATION.
(a) Authorization Required.--No person shall be provided
with access to classified information (as defined in section
6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to
classified national security information)) relating to cyber
security threats or cyber security vulnerabilities under this
title without the appropriate security clearances.
(b) Security Clearances.--The appropriate Federal agencies
or departments shall, consistent with applicable procedures
and requirements, and if otherwise deemed appropriate, assist
an individual in timely obtaining an appropriate security
clearance where such individual has been determined to be
eligible for such clearance and has a need-to-know (as
defined in section 6.1 of that Executive Order) classified
information to carry out this title.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY
POLICY.
(a) In General.--Chapter 35 of title 44, United States
Code, is amended by striking subchapters II and III and
inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the
effectiveness of information security controls over
information resources that support Federal operations and
assets;
``(2) to recognize the highly networked nature of the
current Federal computing environment and provide effective
government-wide management of policies, directives,
standards, and guidelines, as well as effective and nimble
oversight of and response to information security risks,
including coordination of information security efforts
throughout the Federal civilian, national security, and law
enforcement communities;
``(3) to provide for development and maintenance of
controls required to protect agency information and
information systems and contribute to the overall improvement
of agency information security posture;
``(4) to provide for the development of tools and methods
to assess and respond to real-time situational risk for
Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency
information security programs through continuous monitoring
of agency information systems and streamlined reporting
requirements rather than overly prescriptive manual
reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security'
means security commensurate with the risk and magnitude of
the harm resulting from the unauthorized access to or loss,
misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the
term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity
center' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat
information' means information that indicates or describes--
``(A) a technical or operation vulnerability or a cyber
threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous
patterns of network activity that appear to be transmitted
for the purpose of gathering technical information related to
a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
``(G) a method of causing a user with legitimate access to
an information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
``(H) any other attribute of a cybersecurity threat or
cyber defense information that would foster situational
awareness of the United States cybersecurity posture, if
disclosure of such attribute or information is not otherwise
prohibited by law;
``(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of
the Office of Management and Budget unless otherwise
specified.
``(6) Environment of operation.--The term `environment of
operation' means the information system and environment in
which those systems operate, including changing threats,
vulnerabilities, technologies, and missions and business
practices.
``(7) Federal information system.--The term `Federal
information system' means an information system used or
operated by an executive agency, by a contractor of an
executive agency, or by another organization on behalf of an
executive agency.
``(8) Incident.--The term `incident' means an occurrence
that--
``(A) actually or imminently jeopardizes the integrity,
confidentiality, or availability of an information system or
the information that system controls, processes, stores, or
transmits; or
``(B) constitutes a violation of law or an imminent threat
of violation of a law, a security policy, a security
procedure, or an acceptable use policy.
``(9) Information resources.--The term `information
resources' has the meaning given the term in section 3502 of
title 44.
``(10) Information security.--The term `information
security' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
``(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized
restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access
to and use of information.
``(11) Information system.--The term `information system'
has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information
technology' has the meaning given the term in section 11101
of title 40.
``(13) Malicious reconnaissance.--The term `malicious
reconnaissance' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system'
means any information system (including any
telecommunications system) used or operated by an agency or
by a contractor of an agency, or other organization on behalf
of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national
security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a
weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the
direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established
for information that have been specifically authorized under
criteria established by an Executive Order or an Act of
Congress to be kept classified in the interest of national
defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include
a system that is to be used for routine administrative and
business applications (including payroll, finance, logistics,
and personnel management applications).
``(15) Operational control.--The term `operational control'
means a security control for an information system that
primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the
term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary
of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means
the management, operational, and technical controls,
including safeguards or countermeasures, prescribed for an
information system to protect the confidentiality, integrity,
and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant
cyber incident' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
``(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
``(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
``(20) Technical control.--The term `technical control'
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
``Sec. 3553. Federal information security authority and
coordination
``(a) In General.--The Secretary, in consultation with the
Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives
governing agency information security operations, and require
implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards
and guidelines promulgated under section 11331 of title 40 to
identify and provide information security protections
prioritized and commensurate with the risk and impact
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf
of an agency; or
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(B) minimum operational requirements for Federal
Government to protect agency information systems and provide
common situational awareness across all agency information
systems;
``(C) reporting requirements, consistent with relevant law,
regarding information security incidents and cyber threat
information;
``(D) requirements for agencywide information security
programs;
``(E) performance requirements and metrics for the security
of agency information systems;
``(F) training requirements to ensure that agencies are
able to fully and timely comply with the policies and
directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil
rights, and civil liberties, and information oversight for
agency information security personnel;
``(H) requirements for the annual reports to the Secretary
under section 3554(d);
``(I) any other information security operations or
information security requirements as determined by the
Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and
guidelines under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) with agencies
and offices operating or exercising control of national
security systems (including the National Security Agency) to
assure, to the maximum extent feasible, that such standards
and guidelines are complementary with standards and
guidelines developed for national security systems;
``(2) review the agencywide information security programs
under section 3554; and
``(3) designate an individual or an entity at each
cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information
security incidents, cyber threat information, and
deterioration of security control affecting agency
information systems; and
``(B) to act on or share the information under subparagraph
(A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives
under subsection (a), the Secretary shall consider any
applicable standards or guidelines developed by the National
Institute of Standards and Technology under section 11331 of
title 40.
``(c) Limitation of Authority.--The authorities of the
Secretary under this section shall not apply to national
security systems. Information security policies, directives,
standards and guidelines for national security systems shall
be overseen as directed by the President and, in accordance
with that direction, carried out under the authority of the
heads of agencies that operate or exercise authority over
such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter
shall be construed to alter or amend any law regarding the
authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued
under section 3553;
``(B) providing information security protections
commensurate with the risk resulting from unauthorized
access, use, disclosure, disruption, modification, or
destruction of--
``(i) information collected or maintained by the agency or
by a contractor of an agency or other organization on behalf
of an agency; and
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(C) complying with the requirements of this subchapter,
including--
``(i) information security standards and guidelines
promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued as directed by
the President; and
``(iii) for any non-national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued under section
3553;
``(D) ensuring that information security management
processes are integrated with agency strategic and
operational planning processes;
``(E) reporting and sharing, for an agency operating or
exercising control of a national security system, information
about information security incidents, cyber threat
information, and deterioration of security controls to the
individual or entity designated
at each cybersecurity center and to other appropriate
entities consistent with policies and directives for national
security systems issued as directed by the President; and
``(F) reporting and sharing, for those agencies operating
or exercising control of non-national security systems,
information about information security incidents, cyber
threat information, and deterioration of security controls to
the individual or entity designated at each cybersecurity
center and to other appropriate entities consistent with
policies and directives for non-national security systems as
prescribed under section 3553(a), including information to
assist the entity designated under section 3555(a) with the
ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides
information security for the information and information
systems that support the operations and assets under the
senior agency official's control, including by--
``(A) assessing the risk and impact that could result from
the unauthorized access, use, disclosure, disruption,
modification, or destruction of such information or
information systems;
``(B) determining the level of information security
appropriate to protect such information and information
systems in accordance with policies and directives issued
under section 3553(a), and standards and guidelines
promulgated under section 11331 of title 40 for information
security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities
to reduce risks to an acceptable level in a cost-effective
manner;
``(D) actively monitoring the effective implementation of
information security controls and techniques; and
``(E) reporting information about information security
incidents, cyber threat information, and deterioration of
security controls in a timely and adequate manner to the
entity designated under section 3553(a)(3) in accordance with
paragraph (1);
``(3) assess and maintain the resiliency of information
technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an
independent entity selected in consultation with the Director
and the Council of Inspectors General on Integrity and
Efficiency if the agency does not have an Inspector General)
to conduct the annual independent evaluation required under
section 3556, and allow the agency Inspector General to
contract with an independent entity to perform such
evaluation;
``(5) delegate to the Chief Information Officer or
equivalent (or to a senior agency official who reports to the
Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement
an agencywide information security program; and
``(B) the authority to provide information security for the
information collected and maintained by the agency (or by a
contractor, other agency, or other source on behalf of the
agency) and for the information systems that support the
operations, assets, and mission of the agency (including any
information system provided or managed by a contractor, other
agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is
responsible for a particular agency system or subsystem) the
responsibility to ensure and enforce compliance with all
requirements of the agency's agencywide information security
program in coordination with the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have
obtained any necessary security clearances to permit them to
assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5),
in coordination with other senior agency officials, reports
to the agency head on the effectiveness of the agencywide
information security program, including the progress of any
remedial actions; and
``(9) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5)
has the necessary qualifications to administer the functions
described in this subchapter and has information security
duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information
Officer or equivalent (or the senior agency official who
reports to the Chief Information Officer or equivalent) under
subsection (a)(5) shall--
``(1) establish and maintain an enterprise security
operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds
to information security incidents that impair adequate
security of the agency's information or information system in
a timely manner and in accordance with the policies and
directives under section 3553; and
``(B) reports any information security incident under
subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide
information security program;
``(3) develop, maintain, and oversee information security
policies, procedures, and control techniques to address
applicable requirements, including requirements under section
3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have
significant responsibility for information security with
respect to that responsibility.
``(c) Agencywide Information Security Programs.--
``(1) In general.--Each agencywide information security
program under subsection (b)(2) shall include--
``(A) relevant security risk assessments, including
technical assessments and others related to the acquisition
process;
``(B) security testing commensurate with risk and impact;
``(C) mitigation of deterioration of security controls
commensurate with risk and impact;
``(D) risk-based continuous monitoring and threat
assessment of the operational status and security of agency
information systems to enable evaluation of the effectiveness
of and compliance with information security policies,
procedures, and practices, including a relevant and
appropriate selection of security controls of information
systems identified in the inventory under section 3505(c);
``(E) operation of appropriate technical capabilities in
order to detect, mitigate, report, and respond to information
security incidents, cyber threat information, and
deterioration of security controls in a manner that is
consistent with the policies and directives under section
3553, including--
``(i) mitigating risks associated with such information
security incidents;
``(ii) notifying and consulting with the entity designated
under section 3555; and
``(iii) notifying and consulting with, as appropriate--
``(I) law enforcement and the relevant Office of the
Inspector General; and
``(II) any other entity, in accordance with law and as
directed by the President;
``(F) a process to ensure that remedial action is taken to
address any deficiencies in the information security
policies, procedures, and practices of the agency; and
``(G) a plan and procedures to ensure the continuity of
operations for information systems that support the
operations and assets of the agency.
``(2) Risk management strategies.--Each agencywide
information security program under subsection (b)(2) shall
include the development and maintenance of a risk management
strategy for information security. The risk management
strategy shall include--
``(A) consideration of information security incidents,
cyber threat information, and deterioration of security
controls; and
``(B) consideration of the consequences that could result
from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information
systems that support the operations and assets of the agency,
including any information system provided or managed by a
contractor, other agency, or other source on behalf of the
agency;
``(3) Policies and procedures.--Each agencywide information
security program under subsection (b)(2) shall include
policies and procedures that--
``(A) are based on the risk management strategy under
paragraph (2);
``(B) reduce information security risks to an acceptable
level in a cost-effective manner;
``(C) ensure that cost-effective and adequate information
security is addressed as part of the acquisition and ongoing
management of each agency information system; and
``(D) ensure compliance with--
``(i) this subchapter; and
``(ii) any other applicable requirements.
``(4) Training requirements.--Each agencywide information
security program under subsection (b)(2) shall include
information security, privacy, civil rights, civil liberties,
and information oversight training that meets any applicable
requirements under section 3553. The training shall inform
each information security personnel that has access to agency
information systems (including contractors and other users of
information systems that support the operations and assets of
the agency) of--
``(A) the information security risks associated with the
information security personnel's activities; and
``(B) the individual's responsibility to comply with the
agency policies and procedures that reduce the risks under
subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report
annually to the Secretary of Homeland Security on its
agencywide information security program and information
systems.
``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of
Management and Budget, in coordination with the Secretary of
Homeland Security, shall designate an entity to implement
ongoing security analysis concerning agency information
systems--
``(1) based on cyber threat information;
``(2) based on agency information system and environment of
operation changes, including--
``(A) an ongoing evaluation of the information system
security controls; and
[[Page S5528]]
``(B) the security state, risk level, and environment of
operation of an agency information system, including--
``(i) a change in risk level due to a new cyber threat;
``(ii) a change resulting from a new technology;
``(iii) a change resulting from the agency's mission; and
``(iv) a change resulting from the business practice; and
``(3) using automated processes to the maximum extent
possible--
``(A) to increase information system security;
``(B) to reduce paper-based reporting requirements; and
``(C) to maintain timely and actionable knowledge of the
state of the information system security.
``(b) Standards.--The National Institute of Standards and
Technology may promulgate standards, in coordination with the
Secretary of Homeland Security, to assist an agency with its
duties under this section.
``(c) Compliance.--The head of each appropriate department
and agency shall be responsible for ensuring compliance and
implementing necessary procedures to comply with this
section. The head of each appropriate department and agency,
in consultation with the Director of the Office of Management
and Budget and the Secretary of Homeland Security, shall--
``(1) monitor compliance under this section;
``(2) develop a timeline and implement for the department
or agency--
``(A) adoption of any technology, system, or method that
facilitates continuous monitoring and threat assessments of
an agency information system;
``(B) adoption or updating of any technology, system, or
method that prevents, detects, or remediates a significant
cyber incident to a Federal information system of the
department or agency that has impeded, or is reasonably
likely to impede, the performance of a critical mission of
the department or agency; and
``(C) adoption of any technology, system, or method that
satisfies a requirement under this section.
``(d) Limitation of Authority.--The authorities of the
Director of the Office of Management and Budget and of the
Secretary of Homeland Security under this section shall not
apply to national security systems.
``(e) Report.--Not later than 6 months after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Government Accountability Office shall issue a
report evaluating each agency's status toward implementing
this section.
``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency, in consultation with the Director
and the Secretary of Homeland Security, the Secretary of
Commerce, and the Secretary of Defense, shall issue and
maintain criteria for the timely, cost-effective, risk-based,
and independent evaluation of each agencywide information
security program (and practices) to determine the
effectiveness of the agencywide information security program
(and practices). The criteria shall include measures to
assess any conflicts of interest in the performance of the
evaluation and whether the agencywide information security
program includes appropriate safeguards against disclosure of
information where such disclosure may adversely affect
information security.
``(b) Annual Independent Evaluations.--Each agency shall
perform an annual independent evaluation of its agencywide
information security program (and practices) in accordance
with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days
after receiving an independent evaluation under subsection
(b), each agency head shall transmit a copy of the
independent evaluation to the Secretary of Homeland Security,
the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving
national security systems shall be conducted as directed by
the President.
``Sec. 3557. National security systems.
``The head of each agency operating or exercising control
of a national security system shall be responsible for
ensuring that the agency--
``(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of the information
contained in such system; and
``(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with law and
as directed by the President.''.
(b) Savings Provisions.--
(1) Policy and compliance guidance.--Policy and compliance
guidance issued by the Director before the date of enactment
of this Act under section 3543(a)(1) of title 44, United
States Code (as in effect on the day before the date of
enactment of this Act), shall continue in effect, according
to its terms, until modified, terminated, superseded, or
repealed pursuant to section 3553(a)(1) of title 44, United
States Code.
(2) Standards and guidelines.--Standards and guidelines
issued by the Secretary of Commerce or by the Director before
the date of enactment of this Act under section 11331(a)(1)
of title 40, United States Code, (as in effect on the day
before the date of enactment of this Act) shall continue in
effect, according to their terms, until modified, terminated,
superseded, or repealed pursuant to section 11331(a)(1) of
title 40, United States Code, as amended by this Act.
(c) Technical and Conforming Amendments.--
(1) Chapter analysis.--The chapter analysis for chapter 35
of title 44, United States Code, is amended--
(A) by striking the items relating to sections 3531 through
3538;
(B) by striking the items relating to sections 3541 through
3549; and
(C) by inserting the following:
``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
(2) Other references.--
(A) Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section
3532(3)'' and inserting ``section 3552''.
(B) Section 2222(j)(5) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(C) Section 2223(c)(3) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(D) Section 2315 of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(E) Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking ``section
3532(b)(2)'' and inserting ``section 3552'';
(ii) in subsection (c)(3), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iii) in subsection (d)(1), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iv) in subsection (d)(8), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(v) in subsection (d)(8), by striking ``submitted to the
Director'' and inserting ``submitted to the Secretary'';
(vi) in subsection (e)(2), by striking ``section 3532(1) of
such title'' and inserting ``section 3552 of title 44''; and
(vii) in subsection (e)(5), by striking ``section
3532(b)(2) of such title'' and inserting ``section 3552 of
title 44''.
(F) Section 8(d)(1) of the Cyber Security Research and
Development Act (15 U.S.C. 7406(d)(1)) is amended by striking
``section 3534(b)'' and inserting ``section 3554(b)(2)''.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General.--Section 11331 of title 40, United States
Code, is amended to read as follows:
``Sec. 11331. Responsibilities for Federal information
systems standards
``(a) Standards and Guidelines.--
``(1) Authority to prescribe.--Except as provided under
paragraph (2), the Secretary of Commerce shall prescribe
standards and guidelines pertaining to Federal information
systems--
``(A) in consultation with the Secretary of Homeland
Security; and
``(B) on the basis of standards and guidelines developed by
the National Institute of Standards and Technology under
paragraphs (2) and (3) of section 20(a) of the National
Institute of Standards and Technology Act (15 U.S.C. 278g-
3(a)(2) and (a)(3)).
``(2) National security systems.--Standards and guidelines
for national security systems shall be developed, prescribed,
enforced, and overseen as otherwise authorized by law and as
directed by the President.
``(b) Mandatory Standards and Guidelines.--
``(1) Authority to make mandatory standards and
guidelines.--The Secretary of Commerce shall make standards
and guidelines under subsection (a)(1) compulsory and binding
to the extent determined necessary by the Secretary of
Commerce to improve the efficiency of operation or security
of Federal information systems.
``(2) Required mandatory standards and guidelines.--
``(A) In general.--Standards and guidelines under
subsection (a)(1) shall include information security
standards that--
``(i) provide minimum information security requirements as
determined under section 20(b) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(b)); and
``(ii) are otherwise necessary to improve the security of
Federal information and information systems.
``(B) Binding effect.--Information security standards under
subparagraph (A) shall be compulsory and binding.
``(c) Exercise of Authority.--To ensure fiscal and policy
consistency, the Secretary of Commerce shall exercise the
authority conferred by this section subject to direction by
the President and in coordination with the Director.
``(d) Application of More Stringent Standards and
Guidelines.--The head of an executive agency may employ
standards for the cost-effective information security for
[[Page S5529]]
information systems within or under the supervision of that
agency that are more stringent than the standards and
guidelines the Secretary of Commerce prescribes under this
section if the more stringent standards and guidelines--
``(1) contain at least the applicable standards and
guidelines made compulsory and binding by the Secretary of
Commerce; and
``(2) are otherwise consistent with the policies,
directives, and implementation memoranda issued under section
3553(a) of title 44.
``(e) Decisions on Promulgation of Standards and
Guidelines.--The decision by the Secretary of Commerce
regarding the promulgation of any standard or guideline under
this section shall occur not later than 6 months after the
date of submission of the proposed standard to the Secretary
of Commerce by the National Institute of Standards and
Technology under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3).
``(f) Notice and Comment.--A decision by the Secretary of
Commerce to significantly modify, or not promulgate, a
proposed standard submitted to the Secretary by the National
Institute of Standards and Technology under section 20 of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3) shall be made after the public is given an
opportunity to comment on the Secretary's proposed decision.
``(g) Definitions.--In this section:
``(1) Federal information system.--The term `Federal
information system' has the meaning given the term in section
3552 of title 44.
``(2) Information security.--The term `information
security' has the meaning given the term in section 3552 of
title 44.
``(3) National security system.--The term `national
security system' has the meaning given the term in section
3552 of title 44.''.
SEC. 203. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.
Section 21(b) of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-4(b)) is amended--
(1) in paragraph (2), by striking ``and the Director of the
Office of Management and Budget'' and inserting ``, the
Secretary of Commerce, and the Secretary of Homeland
Security''; and
(2) in paragraph (3), by inserting ``, the Secretary of
Homeland Security,'' after ``the Secretary of Commerce''.
SEC. 205. CLARIFICATION OF AUTHORITIES.
Nothing in this title shall be construed to convey any new
regulatory authority to any government entity implementing or
complying with any provision of this title.
TITLE III--CRIMINAL PENALTIES
SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN
CONNECTION WITH COMPUTERS.
Section 1030(c) of title 18, United States Code, is amended
to read as follows:
``(c) The punishment for an offense under subsection (a) or
(b) of this section is--
``(1) a fine under this title or imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(1) of this section;
``(2)(A) except as provided in subparagraph (B), a fine
under this title or imprisonment for not more than 3 years,
or both, in the case of an offense under subsection (a)(2);
or
``(B) a fine under this title or imprisonment for not more
than ten years, or both, in the case of an offense under
subsection (a)(2) of this section, if--
``(i) the offense was committed for purposes of commercial
advantage or private financial gain;
``(ii) the offense was committed in the furtherance of any
criminal or tortious act in violation of the Constitution or
laws of the United States, or of any State; or
``(iii) the value of the information obtained, or that
would have been obtained if the offense was completed,
exceeds $5,000;
``(3) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(3) of this section;
``(4) a fine under this title or imprisonment of not more
than 20 years, or both, in the case of an offense under
subsection (a)(4) of this section;
``(5)(A) except as provided in subparagraph (C), a fine
under this title, imprisonment for not more than 20 years, or
both, in the case of an offense under subsection (a)(5)(A) of
this section, if the offense caused--
``(i) loss to 1 or more persons during any 1-year period
(and, for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting
from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
``(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
``(iii) physical injury to any person;
``(iv) a threat to public health or safety;
``(v) damage affecting a computer used by, or on behalf of,
an entity of the United States Government in furtherance of
the administration of justice, national defense, or national
security; or
``(vi) damage affecting 10 or more protected computers
during any 1-year period;
``(B) a fine under this title, imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(5)(B), if the offense caused a harm provided
in clause (i) through (vi) of subparagraph (A) of this
subsection;
``(C) if the offender attempts to cause or knowingly or
recklessly causes death from conduct in violation of
subsection (a)(5)(A), a fine under this title, imprisonment
for any term of years or for life, or both;
``(D) a fine under this title, imprisonment for not more
than 10 years, or both, for any other offense under
subsection (a)(5);
``(E) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(6) of this section; or
``(F) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(7) of this section.''.
SEC. 302. TRAFFICKING IN PASSWORDS.
Section 1030(a)(6) of title 18, United States Code, is
amended to read as follows:
``(6) knowingly and with intent to defraud traffics (as
defined in section 1029) in any password or similar
information or means of access through which a protected
computer (as defined in subparagraphs (A) and (B) of
subsection (e)(2)) may be accessed without authorization.''.
SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.
Section 1030(b) of title 18, United States Code, is amended
by inserting ``as if for the completed offense'' after
``punished as provided''.
SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED
ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030 of title 18, United States Code, is amended by
striking subsections (i) and (j) and inserting the following:
``(i) Criminal Forfeiture.--
``(1) The court, in imposing sentence on any person
convicted of a violation of this section, or convicted of
conspiracy to violate this section, shall order, in addition
to any other sentence imposed and irrespective of any
provision of State law, that such person forfeit to the
United States--
``(A) such person's interest in any property, real or
personal, that was used, or intended to be used, to commit or
facilitate the commission of such violation; and
``(B) any property, real or personal, constituting or
derived from any gross proceeds, or any property traceable to
such property, that such person obtained, directly or
indirectly, as a result of such violation.
``(2) The criminal forfeiture of property under this
subsection, including any seizure and disposition of the
property, and any related judicial or administrative
proceeding, shall be governed by the provisions of section
413 of the Comprehensive Drug Abuse Prevention and Control
Act of 1970 (21 U.S.C. 853), except subsection (d) of that
section.
``(j) Civil Forfeiture.--
``(1) The following shall be subject to forfeiture to the
United States and no property right, real or personal, shall
exist in them:
``(A) Any property, real or personal, that was used, or
intended to be used, to commit or facilitate the commission
of any violation of this section, or a conspiracy to violate
this section.
``(B) Any property, real or personal, constituting or
derived from any gross proceeds obtained directly or
indirectly, or any property traceable to such property, as a
result of the commission of any violation of this section, or
a conspiracy to violate this section.
``(2) Seizures and forfeitures under this subsection shall
be governed by the provisions in chapter 46 relating to civil
forfeitures, except that such duties as are imposed on the
Secretary of the Treasury under the customs laws described in
section 981(d) shall be performed by such officers, agents
and other persons as may be designated for that purpose by
the Secretary of Homeland Security or the Attorney
General.''.
SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.
(a) In General.--Chapter 47 of title 18, United States
Code, is amended by inserting after section 1030 the
following:
``Sec. 1030A. Aggravated damage to a critical infrastructure
computer
``(a) Definitions.--In this section--
``(1) the term `computer' has the meaning given the term in
section 1030;
``(2) the term `critical infrastructure computer' means a
computer that manages or controls systems or assets vital to
national defense, national security, national economic
security, public health or safety, or any combination of
those matters, whether publicly or privately owned or
operated, including--
``(A) oil and gas production, storage, conversion, and
delivery systems;
``(B) water supply systems;
``(C) telecommunication networks;
``(D) electrical power generation and delivery systems;
``(E) finance and banking systems;
``(F) emergency services;
``(G) transportation systems and services; and
``(H) government operations that provide essential services
to the public; and
``(3) the term `damage' has the meaning given the term in
section 1030.
``(b) Offense.--It shall be unlawful, during and in
relation to a felony violation of section 1030, to knowingly
cause or attempt to cause damage to a critical infrastructure
computer if the damage results in (or, in the
[[Page S5530]]
case of an attempt, if completed, would have resulted in) the
substantial impairment--
``(1) of the operation of the critical infrastructure
computer; or
``(2) of the critical infrastructure associated with the
computer.
``(c) Penalty.--Any person who violates subsection (b)
shall be--
``(1) fined under this title;
``(2) imprisoned for not less than 3 years but not more
than 20 years; or
``(3) penalized under paragraphs (1) and (2).
``(d) Consecutive Sentence.--Notwithstanding any other
provision of law--
``(1) a court shall not place on probation any person
convicted of a violation of this section;
``(2) except as provided in paragraph (4), no term of
imprisonment imposed on a person under this section shall run
concurrently with any other term of imprisonment, including
any term of imprisonment imposed on the person under any
other provision of law, including any term of imprisonment
imposed for a felony violation of section 1030;
``(3) in determining any term of imprisonment to be imposed
for a felony violation of section 1030, a court shall not in
any way reduce the term to be imposed for such crime so as to
compensate for, or otherwise take into account, any separate
term of imprisonment imposed or to be imposed for a violation
of this section; and
``(4) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the
court, run concurrently, in whole or in part, only with
another term of imprisonment that is imposed by the court at
the same time on that person for an additional violation of
this section, provided that such discretion shall be
exercised in accordance with any applicable guidelines and
policy statements issued by the United States Sentencing
Commission pursuant to section 994 of title 28.''.
(b) Technical and Conforming Amendment.--The chapter
analysis for chapter 47 of title 18, United States Code, is
amended by inserting after the item relating to section 1030
the following:
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code, is
amended by striking ``alter;'' and inserting ``alter, but
does not include access in violation of a contractual
obligation or agreement, such as an acceptable use policy or
terms of service agreement, with an Internet service
provider, Internet website, or non-government employer, if
such violation constitutes the sole basis for determining
that access to a protected computer is unauthorized;''.
SEC. 307. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM
PLANNING AND COORDINATION.
(a) Goals and Priorities.--Section 101 of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511) is amended
by adding at the end the following:
``(d) Goals and Priorities.--The goals and priorities for
Federal high-performance computing research, development,
networking, and other activities under subsection (a)(2)(A)
shall include--
``(1) encouraging and supporting mechanisms for
interdisciplinary research and development in networking and
information technology, including--
``(A) through collaborations across agencies;
``(B) through collaborations across Program Component
Areas;
``(C) through collaborations with industry;
``(D) through collaborations with institutions of higher
education;
``(E) through collaborations with Federal laboratories (as
defined in section 4 of the Stevenson-Wydler Technology
Innovation Act of 1980 (15 U.S.C. 3703)); and
``(F) through collaborations with international
organizations;
``(2) addressing national, multi-agency, multi-faceted
challenges of national importance; and
``(3) fostering the transfer of research and development
results into new technologies and applications for the
benefit of society.''.
(b) Development of Strategic Plan.--Section 101 of the
High-Performance Computing Act of 1991 (15 U.S.C. 5511) is
amended by adding at the end the following:
``(e) Strategic Plan.--
``(1) In general.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the agencies under subsection (a)(3)(B), working
through the National Science and Technology Council and with
the assistance of the Office of Science and Technology Policy
shall develop a 5-year strategic plan to guide the activities
under subsection (a)(1).
``(2) Contents.--The strategic plan shall specify--
``(A) the near-term objectives for the Program;
``(B) the long-term objectives for the Program;
``(C) the anticipated time frame for achieving the near-
term objectives;
``(D) the metrics that will be used to assess any progress
made toward achieving the near-term objectives and the long-
term objectives; and
``(E) how the Program will achieve the goals and priorities
under subsection (d).
``(3) Implementation roadmap.--
``(A) In general.--The agencies under subsection (a)(3)(B)
shall develop and annually update an implementation roadmap
for the strategic plan.
``(B) Requirements.--The information in the implementation
roadmap shall be coordinated with the database under section
102(c) and the annual report under section 101(a)(3). The
implementation roadmap shall--
``(i) specify the role of each Federal agency in carrying
out or sponsoring research and development to meet the
research objectives of the strategic plan, including a
description of how progress toward the research objectives
will be evaluated, with consideration of any relevant
recommendations of the advisory committee;
``(ii) specify the funding allocated to each major research
objective of the strategic plan and the source of funding by
agency for the current fiscal year; and
``(iii) estimate the funding required for each major
research objective of the strategic plan for the next 3
fiscal years.
``(4) Recommendations.--The agencies under subsection
(a)(3)(B) shall take into consideration when developing the
strategic plan under paragraph (1) the recommendations of--
``(A) the advisory committee under subsection (b); and
``(B) the stakeholders under section 102(a)(3).
``(5) Report to congress.--The Director of the Office of
Science and Technology Policy shall transmit the strategic
plan under this subsection, including the implementation
roadmap and any updates under paragraph (3), to--
``(A) the advisory committee under subsection (b);
``(B) the Committee on Commerce, Science, and
Transportation of the Senate; and
``(C) the Committee on Science and Technology of the House
of Representatives.''.
(c) Periodic Reviews.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended by adding
at the end the following:
``(f) Periodic Reviews.--The agencies under subsection
(a)(3)(B) shall--
``(1) periodically assess the contents and funding levels
of the Program Component Areas and restructure the Program
when warranted, taking into consideration any relevant
recommendations of the advisory committee under subsection
(b); and
``(2) ensure that the Program includes national, multi-
agency, multi-faceted research and development activities,
including activities described in section 104.''.
(d) Additional Responsibilities of Director.--Section
101(a)(2) of the High-Performance Computing Act of 1991 (15
U.S.C. 5511(a)(2)) is amended--
(1) by redesignating subparagraphs (E) and (F) as
subparagraphs (G) and (H), respectively; and
(2) by inserting after subparagraph (D) the following:
``(E) encourage and monitor the efforts of the agencies
participating in the Program to allocate the level of
resources and management attention necessary--
``(i) to ensure that the strategic plan under subsection
(e) is developed and executed effectively; and
``(ii) to ensure that the objectives of the Program are
met;
``(F) working with the Office of Management and Budget and
in coordination with the creation of the database under
section 102(c), direct the Office of Science and Technology
Policy and the agencies participating in the Program to
establish a mechanism (consistent with existing law) to track
all ongoing and completed research and development projects
and associated funding;''.
(e) Advisory Committee.--Section 101(b) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is
amended--
(1) in paragraph (1)--
(A) by inserting after the first sentence the following:
``The co-chairs of the advisory committee shall meet the
qualifications of committee members and may be members of the
President's Council of Advisors on Science and Technology.'';
and
(B) by striking ``high-performance'' in subparagraph (D)
and inserting ``high-end''; and
(2) by amending paragraph (2) to read as follows:
``(2) In addition to the duties under paragraph (1), the
advisory committee shall conduct periodic evaluations of the
funding, management, coordination, implementation, and
activities of the Program. The advisory committee shall
report its findings and recommendations not less frequently
than once every 3 fiscal years to the Committee on Commerce,
Science, and Transportation of the Senate and the Committee
on Science and Technology of the House of Representatives.
The report shall be submitted in conjunction with the update
of the strategic plan.''.
(f) Report.--Section 101(a)(3) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
(1) in subparagraph (C)--
(A) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
[[Page S5531]]
(B) by striking ``each Program Component Area'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104'';
(2) in subparagraph (D)--
(A) by striking ``each Program Component Area,'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104,'';
(B) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(C) by striking ``and'' after the semicolon;
(3) by redesignating subparagraph (E) as subparagraph (G);
and
(4) by inserting after subparagraph (D) the following:
``(E) include a description of how the objectives for each
Program Component Area, and the objectives for activities
that involve multiple Program Component Areas, relate to the
objectives of the Program identified in the strategic plan
under subsection (e);
``(F) include--
``(i) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the next
fiscal year by category of activity;
``(ii) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the current
fiscal year by category of activity; and
``(iii) the amount of funding provided for the Office of
Science and Technology Policy for the current fiscal year by
each agency participating in the Program; and''.
(g) Definitions.--Section 4 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5503) is amended--
(1) by redesignating paragraphs (1) and (2) as paragraphs
(2) and (3), respectively;
(2) by redesignating paragraph (3) as paragraph (6);
(3) by redesignating paragraphs (6) and (7) as paragraphs
(7) and (8), respectively;
(4) by inserting before paragraph (2), as redesignated, the
following:
``(1) `cyber-physical systems' means physical or engineered
systems whose networking and information technology functions
and physical elements are deeply integrated and are actively
connected to the physical world through sensors, actuators,
or other means to perform monitoring and control
functions;'';
(5) in paragraph (3), as redesignated, by striking ``high-
performance computing'' and inserting ``networking and
information technology'';
(6) in paragraph (6), as redesignated--
(A) by striking ``high-performance computing'' and
inserting ``networking and information technology''; and
(B) by striking ``supercomputer'' and inserting ``high-end
computing'';
(7) in paragraph (5), by striking ``network referred to
as'' and all that follows through the semicolon and inserting
``network, including advanced computer networks of Federal
agencies and departments''; and
(8) in paragraph (7), as redesignated, by striking
``National High-Performance Computing Program'' and inserting
``networking and information technology research and
development program''.
SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
(a) Research in Areas of National Importance.--Title I of
the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et
seq.) is amended by adding at the end the following:
``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
``(a) In General.--The Program shall encourage agencies
under section 101(a)(3)(B) to support, maintain, and improve
national, multi-agency, multi-faceted, research and
development activities in networking and information
technology directed toward application areas that have the
potential for significant contributions to national economic
competitiveness and for other significant societal benefits.
``(b) Technical Solutions.--An activity under subsection
(a) shall be designed to advance the development of research
discoveries by demonstrating technical solutions to important
problems in areas including--
``(1) cybersecurity;
``(2) health care;
``(3) energy management and low-power systems and devices;
``(4) transportation, including surface and air
transportation;
``(5) cyber-physical systems;
``(6) large-scale data analysis and modeling of physical
phenomena;
``(7) large-scale data analysis and modeling of behavioral
phenomena;
``(8) supply chain quality and security; and
``(9) privacy protection and protected disclosure of
confidential data.
``(c) Recommendations.--The advisory committee under
section 101(b) shall make recommendations to the Program for
candidate research and development areas for support under
this section.
``(d) Characteristics.--
``(1) In general.--Research and development activities
under this section--
``(A) shall include projects selected on the basis of
applications for support through a competitive, merit-based
process;
``(B) shall leverage, when possible, Federal investments
through collaboration with related State initiatives;
``(C) shall include a plan for fostering the transfer of
research discoveries and the results of technology
demonstration activities, including from institutions of
higher education and Federal laboratories, to industry for
commercial development;
``(D) shall involve collaborations among researchers in
institutions of higher education and industry; and
``(E) may involve collaborations among nonprofit research
institutions and Federal laboratories, as appropriate.
``(2) Cost-sharing.--In selecting applications for support,
the agencies under section 101(a)(3)(B) shall give special
consideration to projects that include cost sharing from non-
Federal sources.
``(3) Multidisciplinary research centers.--Research and
development activities under this section shall be supported
through multidisciplinary research centers, including Federal
laboratories, that are organized to investigate basic
research questions and carry out technology demonstration
activities in areas described in subsection (a). Research may
be carried out through existing multidisciplinary centers,
including those authorized under section 7024(b)(2) of the
America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
(b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is
amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking the period at the end
and inserting a semicolon; and
(3) by adding at the end the following:
``(J) provide for increased understanding of the scientific
principles of cyber-physical systems and improve the methods
available for the design, development, and operation of
cyber-physical systems that are characterized by high
reliability, safety, and security; and
``(K) provide for research and development on human-
computer interactions, visualization, and big data.''.
(c) Task Force.--Title I of the High-Performance Computing
Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section
402(a) of this Act, is amended by adding at the end the
following:
``SEC. 105. TASK FORCE.
``(a) Establishment.--Not later than 180 days after the
date of enactment of the Strengthening and Enhancing
Cybersecurity by Using Research, Education, Information, and
Technology Act of 2012, the Director of the Office of Science
and Technology Policy under section 102 shall convene a task
force to explore mechanisms for carrying out collaborative
research and development activities for cyber-physical
systems (including the related technologies required to
enable these systems) through a consortium or other
appropriate entity with participants from institutions of
higher education, Federal laboratories, and industry.
``(b) Functions.--The task force shall--
``(1) develop options for a collaborative model and an
organizational structure for such entity under which the
joint research and development activities could be planned,
managed, and conducted effectively, including mechanisms for
the allocation of resources among the participants in such
entity for support of such activities;
``(2) propose a process for developing a research and
development agenda for such entity, including guidelines to
ensure an appropriate scope of work focused on nationally
significant challenges and requiring collaboration and to
ensure the development of related scientific and
technological milestones;
``(3) define the roles and responsibilities for the
participants from institutions of higher education, Federal
laboratories, and industry in such entity;
``(4) propose guidelines for assigning intellectual
property rights and for transferring research results to the
private sector; and
``(5) make recommendations for how such entity could be
funded from Federal, State, and non-governmental sources.
``(c) Composition.--In establishing the task force under
subsection (a), the Director of the Office of Science and
Technology Policy shall appoint an equal number of
individuals from institutions of higher education and from
industry with knowledge and expertise in cyber-physical
systems, and may appoint not more than 2 individuals from
Federal laboratories.
``(d) Report.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Director of the Office of Science and Technology
Policy shall transmit to the Committee on Commerce, Science,
and Transportation of the Senate and the Committee on Science
and Technology of the House of Representatives a report
describing the findings and recommendations of the task
force.
``(e) Termination.--The task force shall terminate upon
transmittal of the report required under subsection (d).
``(f) Compensation and Expenses.--Members of the task force
shall serve without compensation.''.
SEC. 403. PROGRAM IMPROVEMENTS.
Section 102 of the High-Performance Computing Act of 1991
(15 U.S.C. 5512) is amended to read as follows:
``SEC. 102. PROGRAM IMPROVEMENTS.
``(a) Functions.--The Director of the Office of Science and
Technology Policy shall continue--
``(1) to provide technical and administrative support to--
[[Page S5532]]
``(A) the agencies participating in planning and
implementing the Program, including support needed to develop
the strategic plan under section 101(e); and
``(B) the advisory committee under section 101(b);
______
SA 2606. Mr. McCAIN (for himself, Mrs. Hutchison, Mr. Chambliss, Mr.
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of
Wisconsin) submitted an amendment intended to be proposed by him to the
bill S. 3414, to enhance the security and resiliency of the cyber and
communications infrastructure of the United States; which was ordered
to lie on the table; as follows:
Beginning on page 1, strike line 3 and all that follows
through page 211, line 6 and insert the following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the
``Strengthening and Enhancing Cybersecurity by Using
Research, Education, Information, and Technology Act of
2012'' or ``SECURE IT''.
(b) Table of Contents.--The table of contents of this Act
is as follows:
Sec. 1. Short title; table of contents.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.
TITLE III--CRIMINAL PENALTIES
Sec. 301. Penalties for fraud and related activity in connection with
computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity
in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
Sec. 401. National High-Performance Computing Program planning and
coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology,
including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance
Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of
information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
SEC. 101. DEFINITIONS.
In this title:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in section 1(a) of the
Clayton Act (15 U.S.C. 12(a));
(B) includes section 5 of the Federal Trade Commission Act
(15 U.S.C. 45) to the extent that section 5 of that Act
applies to unfair methods of competition; and
(C) includes any State law that has the same intent and
effect as the laws under subparagraphs (A) and (B).
(3) Countermeasure.--The term ``countermeasure'' means an
automated or a manual action with defensive intent to
mitigate cyber threats.
(4) Cyber threat information.--The term ``cyber threat
information'' means information that indicates or describes--
(A) a technical or operational vulnerability or a cyber
threat mitigation measure;
(B) an action or operation to mitigate a cyber threat;
(C) malicious reconnaissance, including anomalous patterns
of network activity that appear to be transmitted for the
purpose of gathering technical information related to a
cybersecurity threat;
(D) a method of defeating a technical control;
(E) a method of defeating an operational control;
(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
(G) a method of causing a user with legitimate access to an
information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
(H) any other attribute of a cybersecurity threat or cyber
defense information that would foster situational awareness
of the United States cybersecurity posture, if disclosure of
such attribute or information is not otherwise prohibited by
law;
(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
(J) any combination of subparagraphs (A) through (I).
(5) Cybersecurity center.--The term ``cybersecurity
center'' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
(6) Cybersecurity system.--The term ``cybersecurity
system'' means a system designed or employed to ensure the
integrity, confidentiality, or availability of, or to
safeguard, a system or network, including measures intended
to protect a system or network from--
(A) efforts to degrade, disrupt, or destroy such system or
network; or
(B) theft or misappropriations of private or government
information, intellectual property, or personally
identifiable information.
(7) Entity.--
(A) In general.--The term ``entity'' means any private
entity, non-Federal government agency or department, or
State, tribal, or local government agency or department
(including an officer, employee, or agent thereof).
(B) Inclusions.--The term ``entity'' includes a government
agency or department (including an officer, employee, or
agent thereof) of the District of Columbia, the Commonwealth
of Puerto Rico, the Virgin Islands, Guam, American Samoa, the
Northern Mariana Islands, and any other territory or
possession of the United States.
(8) Federal information system.--The term ``Federal
information system'' means an information system of a Federal
department or agency used or operated by an executive agency,
by a contractor of an executive agency, or by another
organization on behalf of an executive agency.
(9) Information security.--The term ``information
security'' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
(B) confidentiality, by preserving authorized restrictions
on access and disclosure, including means for protecting
personal privacy and proprietary information; or
(C) availability, by ensuring timely and reliable access to
and use of information.
(10) Information system.--The term ``information system''
has the meaning given the term in section 3502 of title 44,
United States Code.
(11) Local government.--The term ``local government'' means
any borough, city, county, parish, town, township, village,
or other general purpose political subdivision of a State.
(12) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
(13) Operational control.--The term ``operational control''
means a security control for an information system that
primarily is implemented and executed by people.
(14) Operational vulnerability.--The term ``operational
vulnerability'' means any attribute of policy, process, or
procedure that could enable or facilitate the defeat of an
operational control.
(15) Private entity.--The term ``private entity'' means any
individual or any private group, organization, or
corporation, including an officer, employee, or agent
thereof.
(16) Significant cyber incident.--The term ``significant
cyber incident'' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
[[Page S5533]]
(17) Technical control.--The term ``technical control''
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
(18) Technical vulnerability.--The term ``technical
vulnerability'' means any attribute of hardware or software
that could enable or facilitate the defeat of a technical
control.
(19) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian Self-
Determination and Education Assistance Act (25 U.S.C. 450b).
SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.
(a) Voluntary Disclosure.--
(1) Private entities.--Notwithstanding any other provision
of law, a private entity may, for the purpose of preventing,
investigating, or otherwise mitigating threats to information
security, on its own networks, or as authorized by another
entity, on such entity's networks, employ countermeasures and
use cybersecurity systems in order to obtain, identify, or
otherwise possess cyber threat information.
(2) Entities.--Notwithstanding any other provision of law,
an entity may disclose cyber threat information to--
(A) a cybersecurity center; or
(B) any other entity in order to assist with preventing,
investigating, or otherwise mitigating threats to information
security.
(3) Information security providers.--If the cyber threat
information described in paragraph (1) is obtained,
identified, or otherwise possessed in the course of providing
information security products or services under contract to
another entity, that entity shall be given, at any time prior
to disclosure of such information, a reasonable opportunity
to authorize or prevent such disclosure, to request
anonymization of such information, or to request that
reasonable efforts be made to safeguard such information that
identifies specific persons from unauthorized access or
disclosure.
(b) Significant Cyber Incidents Involving Federal
Information Systems.--
(1) In general.--An entity providing electronic
communication services, remote computing services, or
information security services to a Federal department or
agency shall inform the Federal department or agency of a
significant cyber incident involving the Federal information
system of that Federal department or agency that--
(A) is directly known to the entity as a result of
providing such services;
(B) is directly related to the provision of such services
by the entity; and
(C) as determined by the entity, has impeded or will impede
the performance of a critical mission of the Federal
department or agency.
(2) Advance coordination.--A Federal department or agency
receiving the services described in paragraph (1) shall
coordinate in advance with an entity described in paragraph
(1) to develop the parameters of any information that may be
provided under paragraph (1), including clarification of the
type of significant cyber incident that will impede the
performance of a critical mission of the Federal department
or agency.
(3) Report.--A Federal department or agency shall report
information provided under this subsection to a cybersecurity
center.
(4) Construction.--Any information provided to a
cybersecurity center under paragraph (3) shall be treated in
the same manner as information provided to a cybersecurity
center under subsection (a).
(c) Information Shared With or Provided to a Cybersecurity
Center.--Cyber threat information provided to a cybersecurity
center under this section--
(1) may be disclosed to, retained by, and used by,
consistent with otherwise applicable Federal law, any Federal
agency or department, component, officer, employee, or agent
of the Federal government for a cybersecurity purpose, a
national security purpose, or in order to prevent,
investigate, or prosecute any of the offenses listed in
section 2516 of title 18, United States Code, and such
information shall not be disclosed to, retained by, or used
by any Federal agency or department for any use not permitted
under this paragraph;
(2) may, with the prior written consent of the entity
submitting such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except that if the need for immediate
disclosure prevents obtaining written consent, such consent
may be provided orally with subsequent documentation of such
consent;
(3) shall be considered the commercial, financial, or
proprietary information of the entity providing such
information to the Federal government and any disclosure
outside the Federal government may only be made upon the
prior written consent by such entity and shall not constitute
a waiver of any applicable privilege or protection provided
by law, except that if the need for immediate disclosure
prevents obtaining written consent, such consent may be
provided orally with subsequent documentation of such
consent;
(4) shall be deemed voluntarily shared information and
exempt from disclosure under section 552 of title 5, United
States Code, and any State, tribal, or local law requiring
disclosure of information or records;
(5) shall be, without discretion, withheld from the public
under section 552(b)(3)(B) of title 5, United States Code,
and any State, tribal, or local law requiring disclosure of
information or records;
(6) shall not be subject to the rules of any Federal agency
or department or any judicial doctrine regarding ex parte
communications with a decision-making official;
(7) shall not, if subsequently provided to a State, tribal,
or local government or government agency, otherwise be
disclosed or distributed to any entity by such State, tribal,
or local government or government agency without the prior
written consent of the entity submitting such information,
notwithstanding any State, tribal, or local law requiring
disclosure of information or records, except that if the need
for immediate disclosure prevents obtaining written consent,
such consent may be provided orally with subsequent
documentation of such consent; and
(8) shall not be directly used by any Federal, State,
tribal, or local department or agency to regulate the lawful
activities of an entity, including activities relating to
obtaining, identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this paragraph.
(d) Procedures Relating to Information Sharing With a
Cybersecurity Center.--Not later than 60 days after the date
of enactment of this Act, the heads of each department or
agency containing a cybersecurity center shall jointly
develop, promulgate, and submit to Congress procedures to
ensure that cyber threat information shared with or provided
to--
(1) a cybersecurity center under this section--
(A) may be submitted to a cybersecurity center by an
entity, to the greatest extent possible, through a uniform,
publicly available process or format that is easily
accessible on the website of such cybersecurity center, and
that includes the ability to provide relevant details about
the cyber threat information and written consent to any
subsequent disclosures authorized by this paragraph;
(B) shall immediately be further shared with each
cybersecurity center in order to prevent, investigate, or
otherwise mitigate threats to information security across the
Federal government;
(C) is handled by the Federal government in a reasonable
manner, including consideration of the need to protect the
privacy and civil liberties of individuals through
anonymization or other appropriate methods, while fully
accomplishing the objectives of this title, and the Federal
government may undertake efforts consistent with this
subparagraph to limit the impact on privacy and civil
liberties of the sharing of cyber threat information with the
Federal government; and
(D) except as provided in this section, shall only be used,
disclosed, or handled in accordance with the provisions of
subsection (c); and
(2) a Federal agency or department under subsection (b) is
provided immediately to a cybersecurity center in order to
prevent, investigate, or otherwise mitigate threats to
information security across the Federal government.
(e) Information Shared Between Entities.--
(1) In general.--An entity sharing cyber threat information
with another entity under this title may restrict the use or
sharing of such information by such other entity.
(2) Further sharing.--Cyber threat information shared by
any entity with another entity under this title--
(A) shall only be further shared in accordance with any
restrictions placed on the sharing of such information by the
entity authorizing such sharing, such as appropriate
anonymization of such information; and
(B) may not be used by any entity to gain an unfair
competitive advantage to the detriment of the entity
authorizing the sharing of such information, except that the
conduct described in paragraph (3) shall not constitute
unfair competitive conduct.
(3) Information shared with state, tribal, or local
government or government agency.--Cyber threat information
shared with a State, tribal, or local government or
government agency under this title--
(A) may, with the prior written consent of the entity
sharing such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except if the need for immediate disclosure
prevents obtaining written consent, consent may be provided
orally with subsequent documentation of the consent;
(B) shall be deemed voluntarily shared information and
exempt from disclosure under any State, tribal, or local law
requiring disclosure of information or records;
(C) shall not be disclosed or distributed to any entity by
the State, tribal, or local government or government agency
without the prior written consent of the entity submitting
such information, notwithstanding any
State, tribal, or local law requiring disclosure of
information or records, except if the need for immediate
disclosure prevents obtaining written consent, consent may be
provided orally with subsequent documentation of the consent;
and
(D) shall not be directly used by any State, tribal, or
local department or agency to regulate the lawful activities
of an entity, including activities relating to obtaining,
identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this
subparagraph.
(4) Antitrust exemption.--The exchange or provision of
cyber threat information or assistance between 2 or more
private entities under this title shall not be considered a
violation of any provision of antitrust laws if exchanged or
provided in order to assist with--
(A) facilitating the prevention, investigation, or
mitigation of threats to information security; or
(B) communicating or disclosing of cyber threat information
to help prevent, investigate or otherwise mitigate the
effects of a threat to information security.
(5) No right or benefit.--The provision of cyber threat
information to an entity under this section shall not create
a right or a benefit to similar information by such entity or
any other entity.
(f) Federal Preemption.--
(1) In general.--This section supersedes any statute or
other law of a State or political subdivision of a State that
restricts or otherwise expressly regulates an activity
authorized under this section.
(2) State law enforcement.--Nothing in this section shall
be construed to supersede any statute or other law of a State
or political subdivision of a State concerning the use of
authorized law enforcement techniques.
(3) Public disclosure.--No information shared with or
provided to a State, tribal, or local government or
government agency pursuant to this section shall be made
publicly available pursuant to any State, tribal, or local
law requiring disclosure of information or records.
(g) Civil and Criminal Liability.--
(1) General protections.--
(A) Private entities.--No cause of action shall lie or be
maintained in any court against any private entity for--
(i) the use of countermeasures and cybersecurity systems as
authorized by this title;
(ii) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(iii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
private entity.
(B) Entities.--No cause of action shall lie or be
maintained in any court against any entity for--
(i) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(ii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
entity.
(2) Construction.--Nothing in this subsection shall be
construed as creating any immunity against, or otherwise
affecting, any action brought by the Federal government, or
any agency or department thereof, to enforce any law,
executive order, or procedure governing the appropriate
handling, disclosure, and use of classified information.
(h) Otherwise Lawful Disclosures.--Nothing in this section
shall be construed to limit or prohibit otherwise lawful
disclosures of communications, records, or other information
by a private entity to any other governmental or private
entity not covered under this section.
(i) Whistleblower Protection.--Nothing in this Act shall be
construed to preempt or preclude any employee from exercising
rights currently provided under any whistleblower law, rule,
or regulation.
(j) Relationship to Other Laws.--The submission of cyber
threat information under this section to a cybersecurity
center shall not affect any requirement under any other
provision of law for an entity to provide information to the
Federal government.
SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.
(a) Classified Information.--
(1) Procedures.--Consistent with the protection of
intelligence sources and methods, and as otherwise determined
appropriate, the Director of National Intelligence and the
Secretary of Defense, in consultation with the heads of the
appropriate Federal departments or agencies, shall develop
and promulgate procedures to facilitate and promote--
(A) the immediate sharing, through the cybersecurity
centers, of classified cyber threat information in the
possession of the Federal government with appropriately
cleared representatives of any appropriate entity; and
(B) the declassification and immediate sharing, through the
cybersecurity centers, with any entity or, if appropriate,
public availability of cyber threat information in the
possession of the Federal government;
(2) Handling of classified information.--The procedures
developed under paragraph (1) shall ensure that each entity
receiving classified cyber threat information pursuant to
this section has acknowledged in writing the ongoing
obligation to comply with all laws, executive orders, and
procedures concerning the appropriate handling, disclosure,
or use of classified information.
(b) Unclassified Cyber Threat Information.--The heads of
each department or agency containing a cybersecurity center
shall jointly develop and promulgate procedures that ensure
that, consistent with the provisions of this section,
unclassified, including controlled unclassified, cyber threat
information in the possession of the Federal government--
(1) is shared, through the cybersecurity centers, in an
immediate and adequate manner with appropriate entities; and
(2) if appropriate, is made publicly available.
(c) Development of Procedures.--
(1) In general.--The procedures developed under this
section shall incorporate, to the greatest extent possible,
existing processes utilized by sector specific information
sharing and analysis centers.
(2) Coordination with entities.--In developing the
procedures required under this section, the Director of
National Intelligence and the heads of each department or
agency containing a cybersecurity center shall coordinate
with appropriate entities to ensure that protocols are
implemented that will facilitate and promote the sharing of
cyber threat information by the Federal government.
(d) Additional Responsibilities of Cybersecurity Centers.--
Consistent with section 102, a cybersecurity center shall--
(1) facilitate information sharing, interaction, and
collaboration among and between cybersecurity centers and--
(A) other Federal entities;
(B) any entity; and
(C) international partners, in consultation with the
Secretary of State;
(2) disseminate timely and actionable cybersecurity threat,
vulnerability, mitigation, and warning information, including
alerts, advisories, indicators, signatures, and mitigation
and response measures, to improve the security and protection
of information systems; and
(3) coordinate with other Federal entities, as appropriate,
to integrate information from across the Federal government
to provide situational awareness of the cybersecurity posture
of the United States.
(e) Sharing Within the Federal Government.--The heads of
appropriate Federal departments and agencies shall ensure
that cyber threat information in the possession of such
Federal departments or agencies that relates to the
prevention, investigation, or mitigation of threats to
information security across the Federal government is shared
effectively with the cybersecurity centers.
(f) Submission to Congress.--Not later than 60 days after
the date of enactment of this Act, the Director of National
Intelligence, in coordination with the appropriate head of a
department or an agency containing a cybersecurity center,
shall submit the procedures required by this section to
Congress.
SEC. 104. CONSTRUCTION.
(a) Information Sharing Relationships.--Nothing in this
title shall be construed--
(1) to limit or modify an existing information sharing
relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship
between any entity and the Federal government, except as
specified under section 102(b); or
(4) to modify the authority of a department or agency of
the Federal government to protect sources and methods and the
national security of the United States.
(b) Anti-tasking Restriction.--Nothing in this title shall
be construed to permit the Federal government--
(1) to require an entity to share information with the
Federal government, except as expressly provided under
section 102(b); or
(2) to condition the sharing of cyber threat information
with an entity on such entity's provision of cyber threat
information to the Federal government.
(c) No Liability for Non-participation.--Nothing in this
title shall be construed to subject any entity to liability
for choosing not to engage in the voluntary activities
authorized under this title.
(d) Use and Retention of Information.--Nothing in this
title shall be construed to authorize, or to modify any
existing authority of, a department or agency of the Federal
government to retain or use any information shared under
section 102 for any use other than a use permitted under
subsection 102(c)(1).
(e) No New Funding.--An applicable Federal agency shall
carry out the provisions of this title with existing
facilities and funds otherwise available, through such means
as the head of the agency considers appropriate.
SEC. 105. REPORT ON IMPLEMENTATION.
(a) Content of Report.--Not later than 1 year after the
date of enactment of this Act, and biennially thereafter, the
heads of each department or agency containing a cybersecurity
center shall jointly submit, in coordination with the privacy
and civil liberties officials of such departments or agencies
and the Privacy and Civil Liberties Oversight Board, a
detailed report to Congress concerning the implementation of
this title, including--
(1) an assessment of the sufficiency of the procedures
developed under section 103 of this Act in ensuring that
cyber threat information in the possession of the Federal
government is provided in an immediate and adequate manner to
appropriate entities or, if appropriate, is made publicly
available;
(2) an assessment of whether information has been
appropriately classified and an accounting of the number of
security clearances authorized by the Federal government for
purposes of this title;
(3) a review of the type of cyber threat information shared
with a cybersecurity center under section 102 of this Act,
including whether such information meets the definition of
cyber threat information under section 101, the degree to
which such information may impact the privacy and civil
liberties of individuals, any appropriate metrics to
determine any impact of the sharing of such information with
the Federal government on privacy and civil liberties, and
the adequacy of any steps taken to reduce such impact;
(4) a review of actions taken by the Federal government
based on information provided to a cybersecurity center under
section 102 of this Act, including the appropriateness of any
subsequent use under section 102(c)(1) of this Act and
whether there was inappropriate stovepiping within the
Federal government of any such information;
(5) a description of any violations of the requirements of
this title by the Federal government;
(6) a classified list of entities that received classified
information from the Federal government under section 103 of
this Act and a description of any indication that such
information may not have been appropriately handled;
(7) a summary of any breach of information security, if
known, attributable to a specific failure by any entity or
the Federal government to act on cyber threat information in
the possession of such entity or the Federal government that
resulted in substantial economic harm or injury to a specific
entity or the Federal government; and
(8) any recommendation for improvements or modifications to
the authorities under this title.
(b) Form of Report.--The report under subsection (a) shall
be submitted in unclassified form, but shall include a
classified annex.
SEC. 106. INSPECTOR GENERAL REVIEW.
(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency are authorized to review compliance
by the cybersecurity centers, and by any Federal department
or agency receiving cyber threat information from such
cybersecurity centers, with the procedures required under
section 102 of this Act.
(b) Scope of Review.--The review under subsection (a) shall
consider whether the Federal government has handled such
cyber threat information in a reasonable manner, including
consideration of the need to protect the privacy and civil
liberties of individuals through anonymization or other
appropriate methods, while fully accomplishing the objectives
of this title.
(c) Report to Congress.--Each review conducted under this
section shall be provided to Congress not later than 30 days
after the date of completion of the review.
SEC. 107. TECHNICAL AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
(1) in paragraph (8), by striking ``or'';
(2) in paragraph (9), by striking ``wells.'' and inserting
``wells; or''; and
(3) by adding at the end the following:
``(10) information shared with or provided to a
cybersecurity center under section 102 of title I of the
Strengthening and Enhancing Cybersecurity by Using Research,
Education, Information, and Technology Act of 2012.''.
SEC. 108. ACCESS TO CLASSIFIED INFORMATION.
(a) Authorization Required.--No person shall be provided
with access to classified information (as defined in section
6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to
classified national security information)) relating to cyber
security threats or cyber security vulnerabilities under this
title without the appropriate security clearances.
(b) Security Clearances.--The appropriate Federal agencies
or departments shall, consistent with applicable procedures
and requirements, and if otherwise deemed appropriate, assist
an individual in timely obtaining an appropriate security
clearance where such individual has been determined to be
eligible for such clearance and has a need-to-know (as
defined in section 6.1 of that Executive Order) classified
information to carry out this title.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY.
(a) In General.--Chapter 35 of title 44, United States
Code, is amended by striking subchapters II and III and
inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the
effectiveness of information security controls over
information resources that support Federal operations and
assets;
``(2) to recognize the highly networked nature of the
current Federal computing environment and provide effective
government-wide management of policies, directives,
standards, and guidelines, as well as effective and nimble
oversight of and response to information security risks,
including coordination of information security efforts
throughout the Federal civilian, national security, and law
enforcement communities;
``(3) to provide for development and maintenance of
controls required to protect agency information and
information systems and contribute to the overall improvement
of agency information security posture;
``(4) to provide for the development of tools and methods
to assess and respond to real-time situational risk for
Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency
information security programs through continuous monitoring
of agency information systems and streamlined reporting
requirements rather than overly prescriptive manual
reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security'
means security commensurate with the risk and magnitude of
the harm resulting from the unauthorized access to or loss,
misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the
term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity
center' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat
information' means information that indicates or describes--
``(A) a technical or operation vulnerability or a cyber
threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous
patterns of network activity that appear to be transmitted
for the purpose of gathering technical information related to
a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
``(G) a method of causing a user with legitimate access to
an information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
``(H) any other attribute of a cybersecurity threat or
cyber defense information that would foster situational
awareness of the United States cybersecurity posture, if
disclosure of such attribute or information is not otherwise
prohibited by law;
``(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of
the Office of Management and Budget unless otherwise
specified.
``(6) Environment of operation.--The term `environment of
operation' means the information system and environment in
which those systems operate, including changing threats,
vulnerabilities, technologies, and missions and business
practices.
``(7) Federal information system.--The term `Federal
information system' means an information system used or
operated by an executive agency, by a contractor of an
executive agency, or by another organization on behalf of an
executive agency.
``(8) Incident.--The term `incident' means an occurrence
that--
``(A) actually or imminently jeopardizes the integrity,
confidentiality, or availability of an information system or
the information that system controls, processes, stores, or
transmits; or
``(B) constitutes a violation of law or an imminent threat
of violation of a law, a security policy, a security
procedure, or an acceptable use policy.
``(9) Information resources.--The term `information
resources' has the meaning given the term in section 3502 of
title 44.
``(10) Information security.--The term `information
security' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
``(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized
restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access
to and use of information.
``(11) Information system.--The term `information system'
has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information
technology' has the meaning given the term in section 11101
of title 40.
``(13) Malicious reconnaissance.--The term `malicious
reconnaissance' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical
vulnerabilities of the information system, if such method is
associated with a known or suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system'
means any information system (including any
telecommunications system) used or operated by an agency or
by a contractor of an agency, or other organization on behalf
of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national
security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a
weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the
direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established
for information that have been specifically authorized under
criteria established by an Executive Order or an Act of
Congress to be kept classified in the interest of national
defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include
a system that is to be used for routine administrative and
business applications (including payroll, finance, logistics,
and personnel management applications).
``(15) Operational control.--The term `operational control'
means a security control for an information system that
primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the
term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary
of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means
the management, operational, and technical controls,
including safeguards or countermeasures, prescribed for an
information system to protect the confidentiality, integrity,
and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant
cyber incident' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
``(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
``(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
``(20) Technical control.--The term `technical control'
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
``Sec. 3553. Federal information security authority and coordination
``(a) In General.--The Secretary, in consultation with the
Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives
governing agency information security operations, and require
implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards
and guidelines promulgated under section 11331 of title 40 to
identify and provide information security protections
prioritized and commensurate with the risk and impact
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf
of an agency; or
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(B) minimum operational requirements for Federal
Government to protect agency information systems and provide
common situational awareness across all agency information
systems;
``(C) reporting requirements, consistent with relevant law,
regarding information security incidents and cyber threat
information;
``(D) requirements for agencywide information security
programs;
``(E) performance requirements and metrics for the security
of agency information systems;
``(F) training requirements to ensure that agencies are
able to fully and timely comply with the policies and
directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil
rights, and civil liberties, and information oversight for
agency information security personnel;
``(H) requirements for the annual reports to the Secretary
under section 3554(d);
``(I) any other information security operations or
information security requirements as determined by the
Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and
guidelines under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) with agencies
and offices operating or exercising control of national
security systems (including the National Security Agency) to
assure, to the maximum extent feasible, that such standards
and guidelines are complementary with standards and
guidelines developed for national security systems;
``(2) review the agencywide information security programs
under section 3554; and
``(3) designate an individual or an entity at each
cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information
security incidents, cyber threat information, and
deterioration of security control affecting agency
information systems; and
``(B) to act on or share the information under subparagraph
(A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives
under subsection (a), the Secretary shall consider any
applicable standards or guidelines developed by the National
Institute of Standards and Technology under section 11331 of
title 40.
``(c) Limitation of Authority.--The authorities of the
Secretary under this section shall not apply to national
security systems. Information security policies, directives,
standards and guidelines for national security systems shall
be overseen as directed by the President and, in accordance
with that direction, carried out under the authority of the
heads of agencies that operate or exercise authority over
such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter
shall be construed to alter or amend any law regarding the
authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued
under section 3553;
``(B) providing information security protections
commensurate with the risk resulting from unauthorized
access, use, disclosure, disruption, modification, or
destruction of--
``(i) information collected or maintained by the agency or
by a contractor of an agency or other organization on behalf
of an agency; and
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(C) complying with the requirements of this subchapter,
including--
``(i) information security standards and guidelines
promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued as directed by
the President; and
``(iii) for any non-national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued under section
3553;
``(D) ensuring that information security management
processes are integrated with agency strategic and
operational planning processes;
``(E) reporting and sharing, for an agency operating or
exercising control of a national security system, information
about information security incidents, cyber threat
information, and deterioration of security controls to the
individual or entity designated at each cybersecurity center
and to other appropriate entities consistent with policies
and directives for national security systems issued as
directed by the President; and
``(F) reporting and sharing, for those agencies operating
or exercising control of non-national security systems,
information about information security incidents, cyber
threat information, and deterioration of security controls to
the individual or entity designated at each cybersecurity
center and to other appropriate entities consistent with
policies and directives for non-national security systems as
prescribed under section 3553(a), including information to
assist the entity designated under section 3555(a) with the
ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides
information security for the information and information
systems that support the operations and assets under the
senior agency official's control, including by--
``(A) assessing the risk and impact that could result from
the unauthorized access, use, disclosure, disruption,
modification, or destruction of such information or
information systems;
``(B) determining the level of information security
appropriate to protect such information and information
systems in accordance with policies and directives issued
under section 3553(a), and standards and guidelines
promulgated under section 11331 of title 40 for information
security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities
to reduce risks to an acceptable level in a cost-effective
manner;
``(D) actively monitoring the effective implementation of
information security controls and techniques; and
``(E) reporting information about information security
incidents, cyber threat information, and deterioration of
security controls in a timely and adequate manner to the
entity designated under section 3553(a)(3) in accordance with
paragraph (1);
``(3) assess and maintain the resiliency of information
technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an
independent entity selected in consultation with the Director
and the Council of Inspectors General on Integrity and
Efficiency if the agency does not have an Inspector General)
to conduct the annual independent evaluation required under
section 3556, and allow the agency Inspector General to
contract with an independent entity to perform such
evaluation;
``(5) delegate to the Chief Information Officer or
equivalent (or to a senior agency official who reports to the
Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement
an agencywide information security program; and
``(B) the authority to provide information security for the
information collected and maintained by the agency (or by a
contractor, other agency, or other source on behalf of the
agency) and for the information systems that support the
operations, assets, and mission of the agency (including any
information system provided or managed by a contractor, other
agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is
responsible for a particular agency system or subsystem) the
responsibility to ensure and enforce compliance with all
requirements of the agency's agencywide information security
program in coordination with the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have
obtained any necessary security clearances to permit them to
assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5),
in coordination with other senior agency officials, reports
to the agency head on the effectiveness of the agencywide
information security program, including the progress of any
remedial actions; and
``(9) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5)
has the necessary qualifications to administer the functions
described in this subchapter and has information security
duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information
Officer or equivalent (or the senior agency official who
reports to the Chief Information Officer or equivalent) under
subsection (a)(5) shall--
``(1) establish and maintain an enterprise security
operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds
to information security incidents that impair adequate
security of the agency's information or information system in
a timely manner and in accordance with the policies and
directives under section 3553; and
``(B) reports any information security incident under
subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide
information security program;
``(3) develop, maintain, and oversee information security
policies, procedures, and control techniques to address
applicable requirements, including requirements under section
3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have
significant responsibility for information security with
respect to that responsibility.
``(c) Agencywide Information Security Programs.--
``(1) In general.--Each agencywide information security
program under subsection (b)(2) shall include--
``(A) relevant security risk assessments, including
technical assessments and others related to the acquisition
process;
``(B) security testing commensurate with risk and impact;
``(C) mitigation of deterioration of security controls
commensurate with risk and impact;
``(D) risk-based continuous monitoring and threat
assessment of the operational status and security of agency
information systems to enable evaluation of the effectiveness
of and compliance with information security policies,
procedures, and practices, including a relevant and
appropriate selection of security controls of information
systems identified in the inventory under section 3505(c);
``(E) operation of appropriate technical capabilities in
order to detect, mitigate, report, and respond to information
security incidents, cyber threat information, and
deterioration of security controls in a manner that is
consistent with the policies and directives under section
3553, including--
``(i) mitigating risks associated with such information
security incidents;
``(ii) notifying and consulting with the entity designated
under section 3555; and
``(iii) notifying and consulting with, as appropriate--
``(I) law enforcement and the relevant Office of the
Inspector General; and
``(II) any other entity, in accordance with law and as
directed by the President;
``(F) a process to ensure that remedial action is taken to
address any deficiencies in the information security
policies, procedures, and practices of the agency; and
``(G) a plan and procedures to ensure the continuity of
operations for information systems that support the
operations and assets of the agency.
``(2) Risk management strategies.--Each agencywide
information security program under subsection (b)(2) shall
include the development and maintenance of a risk management
strategy for information security. The risk management
strategy shall include--
``(A) consideration of information security incidents,
cyber threat information, and deterioration of security
controls; and
``(B) consideration of the consequences that could result
from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information
systems that support the operations and assets of the agency,
including any information system provided or managed by a
contractor, other agency, or other source on behalf of the
agency;
``(3) Policies and procedures.--Each agencywide information
security program under subsection (b)(2) shall include
policies and procedures that--
``(A) are based on the risk management strategy under
paragraph (2);
``(B) reduce information security risks to an acceptable
level in a cost-effective manner;
``(C) ensure that cost-effective and adequate information
security is addressed as part of the acquisition and ongoing
management of each agency information system; and
``(D) ensure compliance with--
``(i) this subchapter; and
``(ii) any other applicable requirements.
``(4) Training requirements.--Each agencywide information
security program under subsection (b)(2) shall include
information security, privacy, civil rights, civil liberties,
and information oversight training that meets any applicable
requirements under section 3553. The training shall inform
each information security personnel that has access to agency
information systems (including contractors and other users of
information systems that support the operations and assets of
the agency) of--
``(A) the information security risks associated with the
information security personnel's activities; and
``(B) the individual's responsibility to comply with the
agency policies and procedures that reduce the risks under
subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report
annually to the Secretary of Homeland Security on its
agencywide information security program and information
systems.
``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of
Management and Budget, in coordination with the Secretary of
Homeland Security, shall designate an entity to implement
ongoing security analysis concerning agency information
systems--
``(1) based on cyber threat information;
``(2) based on agency information system and environment of
operation changes, including--
``(A) an ongoing evaluation of the information system
security controls; and
``(B) the security state, risk level, and environment of
operation of an agency information system, including--
``(i) a change in risk level due to a new cyber threat;
``(ii) a change resulting from a new technology;
``(iii) a change resulting from the agency's mission; and
``(iv) a change resulting from the business practice; and
``(3) using automated processes to the maximum extent
possible--
``(A) to increase information system security;
``(B) to reduce paper-based reporting requirements; and
``(C) to maintain timely and actionable knowledge of the
state of the information system security.
``(b) Standards.--The National Institute of Standards and
Technology may promulgate standards, in coordination with the
Secretary of Homeland Security, to assist an agency with its
duties under this section.
``(c) Compliance.--The head of each appropriate department
and agency shall be responsible for ensuring compliance and
implementing necessary procedures to comply with this
section. The head of each appropriate department and agency,
in consultation with the Director of the Office of Management
and Budget and the Secretary of Homeland Security, shall--
``(1) monitor compliance under this section;
``(2) develop a timeline and implement for the department
or agency--
``(A) adoption of any technology, system, or method that
facilitates continuous monitoring and threat assessments of
an agency information system;
``(B) adoption or updating of any technology, system, or
method that prevents, detects, or remediates a significant
cyber incident to a Federal information system of the
department or agency that has impeded, or is reasonably
likely to impede, the performance of a critical mission of
the department or agency; and
``(C) adoption of any technology, system, or method that
satisfies a requirement under this section.
[[Page S5538]]
``(d) Limitation of Authority.--The authorities of the
Director of the Office of Management and Budget and of the
Secretary of Homeland Security under this section shall not
apply to national security systems.
``(e) Report.--Not later than 6 months after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Government Accountability Office shall issue a
report evaluating each agency's status toward implementing
this section.
``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency, in consultation with the Director
and the Secretary of Homeland Security, the Secretary of
Commerce, and the Secretary of Defense, shall issue and
maintain criteria for the timely, cost-effective, risk-based,
and independent evaluation of each agencywide information
security program (and practices) to determine the
effectiveness of the agencywide information security program
(and practices). The criteria shall include measures to
assess any conflicts of interest in the performance of the
evaluation and whether the agencywide information security
program includes appropriate safeguards against disclosure of
information where such disclosure may adversely affect
information security.
``(b) Annual Independent Evaluations.--Each agency shall
perform an annual independent evaluation of its agencywide
information security program (and practices) in accordance
with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days
after receiving an independent evaluation under subsection
(b), each agency head shall transmit a copy of the
independent evaluation to the Secretary of Homeland Security,
the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving
national security systems shall be conducted as directed by
the President.
``Sec. 3557. National security systems.
``The head of each agency operating or exercising control
of a national security system shall be responsible for
ensuring that the agency--
``(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of the information
contained in such system; and
``(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with law and
as directed by the President.''.
(b) Savings Provisions.--
(1) Policy and compliance guidance.--Policy and compliance
guidance issued by the Director before the date of enactment
of this Act under section 3543(a)(1) of title 44, United
States Code (as in effect on the day before the date of
enactment of this Act), shall continue in effect, according
to its terms, until modified, terminated, superseded, or
repealed pursuant to section 3553(a)(1) of title 44, United
States Code.
(2) Standards and guidelines.--Standards and guidelines
issued by the Secretary of Commerce or by the Director before
the date of enactment of this Act under section 11331(a)(1)
of title 40, United States Code, (as in effect on the day
before the date of enactment of this Act) shall continue in
effect, according to their terms, until modified, terminated,
superseded, or repealed pursuant to section 11331(a)(1) of
title 40, United States Code, as amended by this Act.
(c) Technical and Conforming Amendments.--
(1) Chapter analysis.--The chapter analysis for chapter 35
of title 44, United States Code, is amended--
(A) by striking the items relating to sections 3531 through
3538;
(B) by striking the items relating to sections 3541 through
3549; and
(C) by inserting the following:
``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
(2) Other references.--
(A) Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section
3532(3)'' and inserting ``section 3552''.
(B) Section 2222(j)(5) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(C) Section 2223(c)(3) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(D) Section 2315 of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(E) Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking ``section
3532(b)(2)'' and inserting ``section 3552'';
(ii) in subsection (c)(3), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iii) in subsection (d)(1), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iv) in subsection (d)(8) by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(v) in subsection (d)(8), by striking ``submitted to the
Director'' and inserting ``submitted to the Secretary'';
(vi) in subsection (e)(2), by striking ``section 3532(1) of
such title'' and inserting ``section 3552 of title 44''; and
(vii) in subsection (e)(5), by striking ``section
3532(b)(2) of such title'' and inserting ``section 3552 of
title 44''.
(F) Section 8(d)(1) of the Cyber Security Research and
Development Act (15 U.S.C. 7406(d)(1)) is amended by striking
``section 3534(b)'' and inserting ``section 3554(b)(2)''.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General.--Section 11331 of title 40, United States
Code, is amended to read as follows:
``Sec. 11331. Responsibilities for Federal information
systems standards
``(a) Standards and Guidelines.--
``(1) Authority to prescribe.--Except as provided under
paragraph (2), the Secretary of Commerce shall prescribe
standards and guidelines pertaining to Federal information
systems--
``(A) in consultation with the Secretary of Homeland
Security; and
``(B) on the basis of standards and guidelines developed by
the National Institute of Standards and Technology under
paragraphs (2) and (3) of section 20(a) of the National
Institute of Standards and Technology Act (15 U.S.C. 278g-
3(a)(2) and (a)(3)).
``(2) National security systems.--Standards and guidelines
for national security systems shall be developed, prescribed,
enforced, and overseen as otherwise authorized by law and as
directed by the President.
``(b) Mandatory Standards and Guidelines.--
``(1) Authority to make mandatory standards and
guidelines.--The Secretary of Commerce shall make standards
and guidelines under subsection (a)(1) compulsory and binding
to the extent determined necessary by the Secretary of
Commerce to improve the efficiency of operation or security
of Federal information systems.
``(2) Required mandatory standards and guidelines.--
``(A) In general.--Standards and guidelines under
subsection (a)(1) shall include information security
standards that--
``(i) provide minimum information security requirements as
determined under section 20(b) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(b)); and
``(ii) are otherwise necessary to improve the security of
Federal information and information systems.
``(B) Binding effect.--Information security standards under
subparagraph (A) shall be compulsory and binding.
``(c) Exercise of Authority.--To ensure fiscal and policy
consistency, the Secretary of Commerce shall exercise the
authority conferred by this section subject to direction by
the President and in coordination with the Director.
``(d) Application of More Stringent Standards and
Guidelines.--The head of an executive agency may employ
standards for the cost-effective information security for
information systems within or under the supervision of that
agency that are more stringent than the standards and
guidelines the Secretary of Commerce prescribes under this
section if the more stringent standards and guidelines--
``(1) contain at least the applicable standards and
guidelines made compulsory and binding by the Secretary of
Commerce; and
``(2) are otherwise consistent with the policies,
directives, and implementation memoranda issued under section
3553(a) of title 44.
``(e) Decisions on Promulgation of Standards and
Guidelines.--The decision by the Secretary of Commerce
regarding the promulgation of any standard or guideline under
this section shall occur not later than 6 months after the
date of submission of the proposed standard to the Secretary
of Commerce by the National Institute of Standards and
Technology under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3).
``(f) Notice and Comment.--A decision by the Secretary of
Commerce to significantly modify, or not promulgate, a
proposed standard submitted to the Secretary by the National
Institute of Standards and Technology under section 20 of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3) shall be made after the public is given an
opportunity to comment on the Secretary's proposed decision.
``(g) Definitions.--In this section:
``(1) Federal information system.--The term `Federal
information system' has the meaning given the term in section
3552 of title 44.
``(2) Information security.--The term `information
security' has the meaning given the term in section 3552 of
title 44.
``(3) National security system.--The term `national
security system' has the meaning given the term in section
3552 of title 44.''.
SEC. 203. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
[[Page S5539]]
SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.
Section 21(b) of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-4(b)) is amended--
(1) in paragraph (2), by striking ``and the Director of the
Office of Management and Budget'' and inserting ``, the
Secretary of Commerce, and the Secretary of Homeland
Security''; and
(2) in paragraph (3), by inserting ``, the Secretary of
Homeland Security,'' after ``the Secretary of Commerce''.
SEC. 205. CLARIFICATION OF AUTHORITIES.
Nothing in this title shall be construed to convey any new
regulatory authority to any government entity implementing or
complying with any provision of this title.
TITLE III--CRIMINAL PENALTIES
SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN
CONNECTION WITH COMPUTERS.
Section 1030(c) of title 18, United States Code, is amended
to read as follows:
``(c) The punishment for an offense under subsection (a) or
(b) of this section is--
``(1) a fine under this title or imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(1) of this section;
``(2)(A) except as provided in subparagraph (B), a fine
under this title or imprisonment for not more than 3 years,
or both, in the case of an offense under subsection (a)(2);
or
``(B) a fine under this title or imprisonment for not more
than ten years, or both, in the case of an offense under
subsection (a)(2) of this section, if--
``(i) the offense was committed for purposes of commercial
advantage or private financial gain;
``(ii) the offense was committed in the furtherance of any
criminal or tortious act in violation of the Constitution or
laws of the United States, or of any State; or
``(iii) the value of the information obtained, or that
would have been obtained if the offense was completed,
exceeds $5,000;
``(3) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(3) of this section;
``(4) a fine under this title or imprisonment of not more
than 20 years, or both, in the case of an offense under
subsection (a)(4) of this section;
``(5)(A) except as provided in subparagraph (C), a fine
under this title, imprisonment for not more than 20 years, or
both, in the case of an offense under subsection (a)(5)(A) of
this section, if the offense caused--
``(i) loss to 1 or more persons during any 1-year period
(and, for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting
from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
``(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
``(iii) physical injury to any person;
``(iv) a threat to public health or safety;
``(v) damage affecting a computer used by, or on behalf of,
an entity of the United States Government in furtherance of
the administration of justice, national defense, or national
security; or
``(vi) damage affecting 10 or more protected computers
during any 1-year period;
``(B) a fine under this title, imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(5)(B), if the offense caused a harm provided
in clause (i) through (vi) of subparagraph (A) of this
subsection;
``(C) if the offender attempts to cause or knowingly or
recklessly causes death from conduct in violation of
subsection (a)(5)(A), a fine under this title, imprisonment
for any term of years or for life, or both;
``(D) a fine under this title, imprisonment for not more
than 10 years, or both, for any other offense under
subsection (a)(5);
``(E) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(6) of this section; or
``(F) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(7) of this section.''.
SEC. 302. TRAFFICKING IN PASSWORDS.
Section 1030(a)(6) of title 18, United States Code, is
amended to read as follows:
``(6) knowingly and with intent to defraud traffics (as
defined in section 1029) in any password or similar
information or means of access through which a protected
computer (as defined in subparagraphs (A) and (B) of
subsection (e)(2)) may be accessed without authorization.''.
SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.
Section 1030(b) of title 18, United States Code, is amended
by inserting ``as if for the completed offense'' after
``punished as provided''.
SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED
ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030 of title 18, United States Code, is amended by
striking subsections (i) and (j) and inserting the following:
``(i) Criminal Forfeiture.--
``(1) The court, in imposing sentence on any person
convicted of a violation of this section, or convicted of
conspiracy to violate this section, shall order, in addition
to any other sentence imposed and irrespective of any
provision of State law, that such person forfeit to the
United States--
``(A) such person's interest in any property, real or
personal, that was used, or intended to be used, to commit or
facilitate the commission of such violation; and
``(B) any property, real or personal, constituting or
derived from any gross proceeds, or any property traceable to
such property, that such person obtained, directly or
indirectly, as a result of such violation.
``(2) The criminal forfeiture of property under this
subsection, including any seizure and disposition of the
property, and any related judicial or administrative
proceeding, shall be governed by the provisions of section
413 of the Comprehensive Drug Abuse Prevention and Control
Act of 1970 (21 U.S.C. 853), except subsection (d) of that
section.
``(j) Civil Forfeiture.--
``(1) The following shall be subject to forfeiture to the
United States and no property right, real or personal, shall
exist in them:
``(A) Any property, real or personal, that was used, or
intended to be used, to commit or facilitate the commission
of any violation of this section, or a conspiracy to violate
this section.
``(B) Any property, real or personal, constituting or
derived from any gross proceeds obtained directly or
indirectly, or any property traceable to such property, as a
result of the commission of any violation of this section, or
a conspiracy to violate this section.
``(2) Seizures and forfeitures under this subsection shall
be governed by the provisions in chapter 46 relating to civil
forfeitures, except that such duties as are imposed on the
Secretary of the Treasury under the customs laws described in
section 981(d) shall be performed by such officers, agents
and other persons as may be designated for that purpose by
the Secretary of Homeland Security or the Attorney
General.''.
SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.
(a) In General.--Chapter 47 of title 18, United States
Code, is amended by inserting after section 1030 the
following:
``Sec. 1030A. Aggravated damage to a critical infrastructure
computer
``(a) Definitions.--In this section--
``(1) the term `computer' has the meaning given the term in
section 1030;
``(2) the term `critical infrastructure computer' means a
computer that manages or controls systems or assets vital to
national defense, national security, national economic
security, public health or safety, or any combination of
those matters, whether publicly or privately owned or
operated, including--
``(A) oil and gas production, storage, conversion, and
delivery systems;
``(B) water supply systems;
``(C) telecommunication networks;
``(D) electrical power generation and delivery systems;
``(E) finance and banking systems;
``(F) emergency services;
``(G) transportation systems and services; and
``(H) government operations that provide essential services
to the public; and
``(3) the term `damage' has the meaning given the term in
section 1030.
``(b) Offense.--It shall be unlawful, during and in
relation to a felony violation of section 1030, to knowingly
cause or attempt to cause damage to a critical infrastructure
computer if the damage results in (or, in the case of an
attempt, if completed, would have resulted in) the
substantial impairment--
``(1) of the operation of the critical infrastructure
computer; or
``(2) of the critical infrastructure associated with the
computer.
``(c) Penalty.--Any person who violates subsection (b)
shall be--
``(1) fined under this title;
``(2) imprisoned for not less than 3 years but not more
than 20 years; or
``(3) penalized under paragraphs (1) and (2).
``(d) Consecutive Sentence.--Notwithstanding any other
provision of law--
``(1) a court shall not place on probation any person
convicted of a violation of this section;
``(2) except as provided in paragraph (4), no term of
imprisonment imposed on a person under this section shall run
concurrently with any other term of imprisonment, including
any term of imprisonment imposed on the person under any
other provision of law, including any term of imprisonment
imposed for a felony violation of section 1030;
``(3) in determining any term of imprisonment to be imposed
for a felony violation of section 1030, a court shall not in
any way reduce the term to be imposed for such crime so as to
compensate for, or otherwise take into account, any separate
term of imprisonment imposed or to be imposed for a violation
of this section; and
``(4) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the
court, run concurrently, in whole or in part, only with
another term of imprisonment that is imposed by the court at
the same time on that person for an additional violation of
this section, provided that such discretion shall be
exercised in accordance with any applicable guidelines and
policy statements issued by the United States Sentencing
Commission pursuant to section 994 of title 28.''.
(b) Technical and Conforming Amendment.--The chapter
analysis for chapter 47 of title 18, United States Code, is
amended by inserting after the item relating to section 1030
the following:
[[Page S5540]]
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code, is
amended by striking ``alter;'' and inserting ``alter, but
does not include access in violation of a contractual
obligation or agreement, such as an acceptable use policy or
terms of service agreement, with an Internet service
provider, Internet website, or non-government employer, if
such violation constitutes the sole basis for determining
that access to a protected computer is unauthorized;''.
SEC. 307. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM
PLANNING AND COORDINATION.
(a) Goals and Priorities.--Section 101 of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511) is amended
by adding at the end the following:
``(d) Goals and Priorities.--The goals and priorities for
Federal high-performance computing research, development,
networking, and other activities under subsection (a)(2)(A)
shall include--
``(1) encouraging and supporting mechanisms for
interdisciplinary research and development in networking and
information technology, including--
``(A) through collaborations across agencies;
``(B) through collaborations across Program Component
Areas;
``(C) through collaborations with industry;
``(D) through collaborations with institutions of higher
education;
``(E) through collaborations with Federal laboratories (as
defined in section 4 of the Stevenson-Wydler Technology
Innovation Act of 1980 (15 U.S.C. 3703)); and
``(F) through collaborations with international
organizations;
``(2) addressing national, multi-agency, multi-faceted
challenges of national importance; and
``(3) fostering the transfer of research and development
results into new technologies and applications for the
benefit of society.''.
(b) Development of Strategic Plan.--Section 101 of the
High-Performance Computing Act of 1991 (15 U.S.C. 5511) is
amended by adding at the end the following:
``(e) Strategic Plan.--
``(1) In general.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the agencies under subsection (a)(3)(B), working
through the National Science and Technology Council and with
the assistance of the Office of Science and Technology Policy
shall develop a 5-year strategic plan to guide the activities
under subsection (a)(1).
``(2) Contents.--The strategic plan shall specify--
``(A) the near-term objectives for the Program;
``(B) the long-term objectives for the Program;
``(C) the anticipated time frame for achieving the near-
term objectives;
``(D) the metrics that will be used to assess any progress
made toward achieving the near-term objectives and the long-
term objectives; and
``(E) how the Program will achieve the goals and priorities
under subsection (d).
``(3) Implementation roadmap.--
``(A) In general.--The agencies under subsection (a)(3)(B)
shall develop and annually update an implementation roadmap
for the strategic plan.
``(B) Requirements.--The information in the implementation
roadmap shall be coordinated with the database under section
102(c) and the annual report under section 101(a)(3). The
implementation roadmap shall--
``(i) specify the role of each Federal agency in carrying
out or sponsoring research and development to meet the
research objectives of the strategic plan, including a
description of how progress toward the research objectives
will be evaluated, with consideration of any relevant
recommendations of the advisory committee;
``(ii) specify the funding allocated to each major research
objective of the strategic plan and the source of funding by
agency for the current fiscal year; and
``(iii) estimate the funding required for each major
research objective of the strategic plan for the next 3
fiscal years.
``(4) Recommendations.--The agencies under subsection
(a)(3)(B) shall take into consideration when developing the
strategic plan under paragraph (1) the recommendations of--
``(A) the advisory committee under subsection (b); and
``(B) the stakeholders under section 102(a)(3).
``(5) Report to congress.--The Director of the Office of
Science and Technology Policy shall transmit the strategic
plan under this subsection, including the implementation
roadmap and any updates under paragraph (3), to--
``(A) the advisory committee under subsection (b);
``(B) the Committee on Commerce, Science, and
Transportation of the Senate; and
``(C) the Committee on Science and Technology of the House
of Representatives.''.
(c) Periodic Reviews.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended by adding
at the end the following:
``(f) Periodic Reviews.--The agencies under subsection
(a)(3)(B) shall--
``(1) periodically assess the contents and funding levels
of the Program Component Areas and restructure the Program
when warranted, taking into consideration any relevant
recommendations of the advisory committee under subsection
(b); and
``(2) ensure that the Program includes national, multi-
agency, multi-faceted research and development activities,
including activities described in section 104.''.
(d) Additional Responsibilities of Director.--Section
101(a)(2) of the High-Performance Computing Act of 1991 (15
U.S.C. 5511(a)(2)) is amended--
(1) by redesignating subparagraphs (E) and (F) as
subparagraphs (G) and (H), respectively; and
(2) by inserting after subparagraph (D) the following:
``(E) encourage and monitor the efforts of the agencies
participating in the Program to allocate the level of
resources and management attention necessary--
``(i) to ensure that the strategic plan under subsection
(e) is developed and executed effectively; and
``(ii) to ensure that the objectives of the Program are
met;
``(F) working with the Office of Management and Budget and
in coordination with the creation of the database under
section 102(c), direct the Office of Science and Technology
Policy and the agencies participating in the Program to
establish a mechanism (consistent with existing law) to track
all ongoing and completed research and development projects
and associated funding;''.
(e) Advisory Committee.--Section 101(b) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is
amended--
(1) in paragraph (1)--
(A) by inserting after the first sentence the following:
``The co-chairs of the advisory committee shall meet the
qualifications of committee members and may be members of the
President's Council of Advisors on Science and Technology.'';
and
(B) by striking ``high-performance'' in subparagraph (D)
and inserting ``high-end''; and
(2) by amending paragraph (2) to read as follows:
``(2) In addition to the duties under paragraph (1), the
advisory committee shall conduct periodic evaluations of the
funding, management, coordination, implementation, and
activities of the Program. The advisory committee shall
report its findings and recommendations not less frequently
than once every 3 fiscal years to the Committee on Commerce,
Science, and Transportation of the Senate and the Committee
on Science and Technology of the House of Representatives.
The report shall be submitted in conjunction with the update
of the strategic plan.''.
(f) Report.--Section 101(a)(3) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
(1) in subparagraph (C)--
(A) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(B) by striking ``each Program Component Area'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104'';
(2) in subparagraph (D)--
(A) by striking ``each Program Component Area,'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104,'';
(B) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(C) by striking ``and'' after the semicolon;
(3) by redesignating subparagraph (E) as subparagraph (G);
and
(4) by inserting after subparagraph (D) the following:
``(E) include a description of how the objectives for each
Program Component Area, and the objectives for activities
that involve multiple Program Component Areas, relate to the
objectives of the Program identified in the strategic plan
under subsection (e);
``(F) include--
``(i) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the next
fiscal year by category of activity;
``(ii) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the current
fiscal year by category of activity; and
``(iii) the amount of funding provided for the Office of
Science and Technology Policy for the current fiscal year by
each agency participating in the Program; and''.
(g) Definitions.--Section 4 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5503) is amended--
(1) by redesignating paragraphs (1) and (2) as paragraphs
(2) and (3), respectively;
(2) by redesignating paragraph (3) as paragraph (6);
(3) by redesignating paragraphs (6) and (7) as paragraphs
(7) and (8), respectively;
(4) by inserting before paragraph (2), as redesignated, the
following:
``(1) `cyber-physical systems' means physical or engineered
systems whose networking
and information technology functions and physical elements
are deeply integrated and are actively connected to the
physical world through sensors, actuators, or other means to
perform monitoring and control functions;'';
(5) in paragraph (3), as redesignated, by striking ``high-
performance computing'' and inserting ``networking and
information technology'';
(6) in paragraph (6), as redesignated--
(A) by striking ``high-performance computing'' and
inserting ``networking and information technology''; and
(B) by striking ``supercomputer'' and inserting ``high-end
computing'';
(7) in paragraph (5), by striking ``network referred to
as'' and all that follows through the semicolon and inserting
``network, including advanced computer networks of Federal
agencies and departments''; and
(8) in paragraph (7), as redesignated, by striking
``National High-Performance Computing Program'' and inserting
``networking and information technology research and
development program''.
SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
(a) Research in Areas of National Importance.--Title I of
the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et
seq.) is amended by adding at the end the following:
``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
``(a) In General.--The Program shall encourage agencies
under section 101(a)(3)(B) to support, maintain, and improve
national, multi-agency, multi-faceted research and
development activities in networking and information
technology directed toward application areas that have the
potential for significant contributions to national economic
competitiveness and for other significant societal benefits.
``(b) Technical Solutions.--An activity under subsection
(a) shall be designed to advance the development of research
discoveries by demonstrating technical solutions to important
problems in areas including--
``(1) cybersecurity;
``(2) health care;
``(3) energy management and low-power systems and devices;
``(4) transportation, including surface and air
transportation;
``(5) cyber-physical systems;
``(6) large-scale data analysis and modeling of physical
phenomena;
``(7) large-scale data analysis and modeling of behavioral
phenomena;
``(8) supply chain quality and security; and
``(9) privacy protection and protected disclosure of
confidential data.
``(c) Recommendations.--The advisory committee under
section 101(b) shall make recommendations to the Program for
candidate research and development areas for support under
this section.
``(d) Characteristics.--
``(1) In general.--Research and development activities
under this section--
``(A) shall include projects selected on the basis of
applications for support through a competitive, merit-based
process;
``(B) shall leverage, when possible, Federal investments
through collaboration with related State initiatives;
``(C) shall include a plan for fostering the transfer of
research discoveries and the results of technology
demonstration activities, including from institutions of
higher education and Federal laboratories, to industry for
commercial development;
``(D) shall involve collaborations among researchers in
institutions of higher education and industry; and
``(E) may involve collaborations among nonprofit research
institutions and Federal laboratories, as appropriate.
``(2) Cost-sharing.--In selecting applications for support,
the agencies under section 101(a)(3)(B) shall give special
consideration to projects that include cost sharing from non-
Federal sources.
``(3) Multidisciplinary research centers.--Research and
development activities under this section shall be supported
through multidisciplinary research centers, including Federal
laboratories, that are organized to investigate basic
research questions and carry out technology demonstration
activities in areas described in subsection (a). Research may
be carried out through existing multidisciplinary centers,
including those authorized under section 7024(b)(2) of the
America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
(b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is
amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking the period at the end
and inserting a semicolon; and
(3) by adding at the end the following:
``(J) provide for increased understanding of the scientific
principles of cyber-physical systems and improve the methods
available for the design, development, and operation of
cyber-physical systems that are characterized by high
reliability, safety, and security; and
``(K) provide for research and development on human-
computer interactions, visualization, and big data.''.
(c) Task Force.--Title I of the High-Performance Computing
Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section
402(a) of this Act, is amended by adding at the end the
following:
``SEC. 105. TASK FORCE.
``(a) Establishment.--Not later than 180 days after the
date of enactment of the Strengthening and Enhancing
Cybersecurity by Using Research, Education, Information, and
Technology Act of 2012, the Director of the Office of Science
and Technology Policy under section 102 shall convene a task
force to explore mechanisms for carrying out collaborative
research and development activities for cyber-physical
systems (including the related technologies required to
enable these systems) through a consortium or other
appropriate entity with participants from institutions of
higher education, Federal laboratories, and industry.
``(b) Functions.--The task force shall--
``(1) develop options for a collaborative model and an
organizational structure for such entity under which the
joint research and development activities could be planned,
managed, and conducted effectively, including mechanisms for
the allocation of resources among the participants in such
entity for support of such activities;
``(2) propose a process for developing a research and
development agenda for such entity, including guidelines to
ensure an appropriate scope of work focused on nationally
significant challenges and requiring collaboration and to
ensure the development of related scientific and
technological milestones;
``(3) define the roles and responsibilities for the
participants from institutions of higher education, Federal
laboratories, and industry in such entity;
``(4) propose guidelines for assigning intellectual
property rights and for transferring research results to the
private sector; and
``(5) make recommendations for how such entity could be
funded from Federal, State, and non-governmental sources.
``(c) Composition.--In establishing the task force under
subsection (a), the Director of the Office of Science and
Technology Policy shall appoint an equal number of
individuals from institutions of higher education and from
industry with knowledge and expertise in cyber-physical
systems, and may appoint not more than 2 individuals from
Federal laboratories.
``(d) Report.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Director of the Office of Science and Technology
Policy shall transmit to the Committee on Commerce, Science,
and Transportation of the Senate and the Committee on Science
and Technology of the House of Representatives a report
describing the findings and recommendations of the task
force.
``(e) Termination.--The task force shall terminate upon
transmittal of the report required under subsection (d).
``(f) Compensation and Expenses.--Members of the task force
shall serve without compensation.''.
SEC. 403. PROGRAM IMPROVEMENTS.
Section 102 of the High-Performance Computing Act of 1991
(15 U.S.C. 5512) is amended to read as follows:
``SEC. 102. PROGRAM IMPROVEMENTS.
``(a) Functions.--The Director of the Office of Science and
Technology Policy shall continue--
``(1) to provide technical and administrative support to--
``(A) the agencies participating in planning and
implementing the Program, including support needed to develop
the strategic plan under section 101(e); and
``(B) the advisory committee under section 101(b);
``(2) to serve as the primary point of contact on Federal
networking and information technology activities for
government agencies, academia, industry, professional
societies, State computing and networking technology
programs, interested citizen groups, and others to exchange
technical and programmatic information;
``(3) to solicit input and recommendations from a wide
range of stakeholders during the development of each
strategic plan under section 101(e) by convening at least 1
workshop with invitees from academia, industry, Federal
laboratories, and other relevant organizations and
institutions;
``(4) to conduct public outreach, including the
dissemination of the advisory committee's findings and
recommendations, as appropriate;
``(5) to promote access to and early application of the
technologies, innovations, and expertise derived from Program
activities to agency missions and systems across the Federal
Government and to United States industry;
``(6) to ensure accurate and detailed budget reporting of
networking and information technology research and
development investment; and
``(7) to encourage agencies participating in the Program to
use existing programs and resources to strengthen networking
and information technology education and training, and
increase participation in such fields, including by women and
underrepresented minorities.
``(b) Source of Funding.--
``(1) In general.--The functions under this section shall
be supported by funds from each agency participating in the
Program.
``(2) Specifications.--The portion of the total budget of
the Office of Science and Technology Policy that is provided
by each agency participating in the Program for each
fiscal year shall be in the same proportion as each agency's
share of the total budget for the Program for the previous
fiscal year, as specified in the database under section
102(c).
``(c) Database.--
``(1) In general.--The Director of the Office of Science
and Technology Policy shall develop and maintain a database
of projects funded by each agency for the fiscal year for
each Program Component Area.
``(2) Public accessibility.--The Director of the Office of
Science and Technology Policy shall make the database
accessible to the public.
``(3) Database contents.--The database shall include, for
each project in the database--
``(A) a description of the project;
``(B) each agency, industry, institution of higher
education, Federal laboratory, or international institution
involved in the project;
``(C) the source funding of the project (set forth by
agency);
``(D) the funding history of the project; and
``(E) whether the project has been completed.''.
SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION
TECHNOLOGY, INCLUDING HIGH PERFORMANCE
COMPUTING.
Section 201(a) of the High-Performance Computing Act of
1991 (15 U.S.C. 5521(a)) is amended--
(1) by redesignating paragraphs (2) through (4) as
paragraphs (3) through (5), respectively; and
(2) by inserting after paragraph (1) the following:
``(2) the National Science Foundation shall use its
existing programs, in collaboration with other agencies, as
appropriate, to improve the teaching and learning of
networking and information technology at all levels of
education and to increase participation in networking and
information technology fields;''.
SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
PERFORMANCE COMPUTING ACT OF 1991.
(a) Section 3.--Section 3 of the High-Performance Computing
Act of 1991 (15 U.S.C. 5502) is amended--
(1) in the matter preceding paragraph (1), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(2) in paragraph (1)--
(A) in the matter preceding subparagraph (A), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(B) in subparagraphs (A), (F), and (G), by striking ``high-
performance computing'' each place it appears and inserting
``networking and information technology''; and
(C) in subparagraph (H), by striking ``high-performance''
and inserting ``high-end''; and
(3) in paragraph (2)--
(A) by striking ``high-performance computing and'' and
inserting ``networking and information technology, and''; and
(B) by striking ``high-performance computing network'' and
inserting ``networking and information technology''.
(b) Title Heading.--The heading of title I of the High-
Performance Computing Act of 1991 (105 Stat. 1595) is amended
by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting
``NETWORKING AND INFORMATION TECHNOLOGY''.
(c) Section 101.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended--
(1) in the section heading, by striking ``high-performance
computing'' and inserting ``networking and information
technology research and development'';
(2) in subsection (a)--
(A) in the subsection heading, by striking ``National High-
Performance Computing'' and inserting ``Networking and
Information Technology Research and Development'';
(B) in paragraph (1)--
(i) by striking ``National High-Performance Computing
Program'' and inserting ``networking and information
technology research and development program'';
(ii) in subparagraph (A), by striking ``high-performance
computing, including networking'' and inserting ``networking
and information technology'';
(iii) in subparagraphs (B) and (G), by striking ``high-
performance'' each place it appears and inserting ``high-
end''; and
(iv) in subparagraph (C), by striking ``high-performance
computing and networking'' and inserting ``high-end
computing, distributed, and networking''; and
(C) in paragraph (2)--
(i) in subparagraphs (A) and (C)--
(I) by striking ``high-performance computing'' each place
it appears and inserting ``networking and information
technology''; and
(II) by striking ``development, networking,'' each place it
appears and inserting ``development,''; and
(ii) in subparagraphs (G) and (H), as redesignated by
section 401(d) of this Act, by striking ``high-performance''
each place it appears and inserting ``high-end'';
(3) in subsection (b)(1), in the matter preceding
subparagraph (A), by striking ``high-performance computing''
each place it appears and inserting ``networking and
information technology''; and
(4) in subsection (c)(1)(A), by striking ``high-performance
computing'' and inserting ``networking and information
technology''.
(d) Section 201.--Section 201(a)(1) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by
striking ``high-performance computing and advanced high-speed
computer networking'' and inserting ``networking and
information technology research and development''.
(e) Section 202.--Section 202(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by
striking ``high-performance computing'' and inserting
``networking and information technology''.
(f) Section 203.--Section 203(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
(1) in paragraph (1), by striking ``high-performance
computing and networking'' and inserting ``networking and
information technology''; and
(2) in paragraph (2)(A), by striking ``high-performance''
and inserting ``high-end''.
(g) Section 204.--Section 204 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5524) is amended--
(1) in subsection (a)(1)--
(A) in subparagraph (A), by striking ``high-performance
computing systems and networks'' and inserting ``networking
and information technology systems and capabilities'';
(B) in subparagraph (B), by striking ``interoperability of
high-performance computing systems in networks and for common
user interfaces to systems'' and inserting ``interoperability
and usability of networking and information technology
systems''; and
(C) in subparagraph (C), by striking ``high-performance
computing'' and inserting ``networking and information
technology''; and
(2) in subsection (b)--
(A) by striking ``High-Performance Computing and Network''
in the heading and inserting ``Networking and Information
Technology''; and
(B) by striking ``sensitive''.
(h) Section 205.--Section 205(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by
striking ``computational'' and inserting ``networking and
information technology''.
(i) Section 206.--Section 206(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by
striking ``computational research'' and inserting
``networking and information technology research''.
(j) Section 207.--Section 207 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5527) is amended by striking
``high-performance computing'' and inserting ``networking and
information technology''.
(k) Section 208.--Section 208 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5528) is amended--
(1) in the section heading, by striking ``high-performance
computing'' and inserting ``networking and information
technology''; and
(2) in subsection (a)--
(A) in paragraph (1), by striking ``High-performance
computing and associated'' and inserting ``Networking and
information'';
(B) in paragraph (2), by striking ``high-performance
computing'' and inserting ``networking and information
technologies'';
(C) in paragraph (3), by striking ``high-performance'' and
inserting ``high-end'';
(D) in paragraph (4), by striking ``high-performance
computers and associated'' and inserting ``networking and
information''; and
(E) in paragraph (5), by striking ``high-performance
computing and associated'' and inserting ``networking and
information''.
SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) In General.--The Director of the National Science
Foundation, in coordination with the Secretary of Homeland
Security, shall carry out a Federal cyber scholarship-for-
service program to recruit and train the next generation of
information technology professionals and security managers to
meet the needs of the cybersecurity mission for the Federal
government.
(b) Program Description and Components.--The program
shall--
(1) annually assess the workforce needs of the Federal
government for cybersecurity professionals, including network
engineers, software engineers, and other experts in order to
determine how many scholarships should be awarded annually to
ensure that the workforce needs following graduation match
the number of scholarships awarded;
(2) provide scholarships for up to 1,000 students per year
in their pursuit of undergraduate or graduate degrees in the
cybersecurity field, in an amount that may include coverage
for full tuition, fees, and a stipend;
(3) require each scholarship recipient, as a condition of
receiving a scholarship under the program, to serve in a
Federal information technology workforce for a period equal
to one and one-half times each year, or partial year, of
scholarship received, in addition to an internship in the
cybersecurity field, if applicable, following graduation;
(4) provide a procedure for the National Science Foundation
or a Federal agency, consistent with regulations of the
Office of Personnel Management, to request and fund a
security clearance for a scholarship recipient, including
providing for clearance during a summer internship and upon
graduation; and
(5) provide opportunities for students to receive temporary
appointments for meaningful employment in the Federal
information technology workforce during school vacation
periods and for internships.
(c) Hiring Authority.--
(1) In general.--For purposes of any law or regulation
governing the appointment of an
individual in the Federal civil service, upon the successful
completion of the student's studies, a student receiving a
scholarship under the program may--
(A) be hired under section 213.3102(r) of title 5, Code of
Federal Regulations; and
(B) be exempt from competitive service.
(2) Competitive service.--Upon satisfactory fulfillment of
the service term under paragraph (1), an individual may be
converted to a competitive service position without
competition if the individual meets the requirements for that
position.
(d) Eligibility.--The eligibility requirements for a
scholarship under this section shall include that a
scholarship applicant--
(1) be a citizen of the United States;
(2) be eligible to be granted a security clearance;
(3) maintain a grade point average of 3.2 or above on a 4.0
scale for undergraduate study or a 3.5 or above on a 4.0
scale for postgraduate study;
(4) demonstrate a commitment to a career in improving the
security of the information infrastructure; and
(5) have demonstrated a level of proficiency in math or
computer sciences.
(e) Failure to Complete Service Obligation.--
(1) In general.--A scholarship recipient under this section
shall be liable to the United States under paragraph (2) if
the scholarship recipient--
(A) fails to maintain an acceptable level of academic
standing in the educational institution in which the
individual is enrolled, as determined by the Director;
(B) is dismissed from such educational institution for
disciplinary reasons;
(C) withdraws from the program for which the award was made
before the completion of such program;
(D) declares that the individual does not intend to fulfill
the service obligation under this section;
(E) fails to fulfill the service obligation of the
individual under this section; or
(F) loses a security clearance or becomes ineligible for a
security clearance.
(2) Repayment amounts.--
(A) Less than 1 year of service.--If a circumstance under
paragraph (1) occurs before the completion of 1 year of a
service obligation under this section, the total amount of
awards received by the individual under this section shall be
repaid.
(B) One or more years of service.--If a circumstance
described in subparagraph (D) or (E) of paragraph (1) occurs
after the completion of 1 year of a service obligation under
this section, the total amount of scholarship awards received
by the individual under this section, reduced by the ratio of
the number of years of service completed divided by the
number of years of service required, shall be repaid.
(f) Evaluation and Report.--The Director of the National
Science Foundation shall--
(1) evaluate the success of recruiting individuals for
scholarships under this section and of hiring and retaining
those individuals in the public sector workforce, including
the annual cost and an assessment of how the program actually
improves the Federal workforce; and
(2) periodically report the findings under paragraph (1) to
Congress.
(g) Authorization of Appropriations.--From amounts made
available under section 503 of the America COMPETES
Reauthorization Act of 2010 (124 Stat. 4005), the Secretary
may use funds to carry out the requirements of this section
for fiscal years 2012 through 2013.
SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF
INFORMATION INFRASTRUCTURE PROFESSIONALS.
(a) Study.--The President shall enter into an agreement
with the National Academies to conduct a comprehensive study
of government, academic, and private-sector accreditation,
training, and certification programs for personnel working in
information infrastructure. The agreement shall require the
National Academies to consult with sector coordinating
councils and relevant governmental agencies, regulatory
entities, and nongovernmental organizations in the course of
the study.
(b) Scope.--The study shall include--
(1) an evaluation of the body of knowledge and various
skills that specific categories of personnel working in
information infrastructure should possess in order to secure
information systems;
(2) an assessment of whether existing government, academic,
and private-sector accreditation, training, and certification
programs provide the body of knowledge and various skills
described in paragraph (1);
(3) an analysis of any barriers to the Federal Government
recruiting and hiring cybersecurity talent, including
barriers relating to compensation, the hiring process, job
classification, and hiring flexibility; and
(4) an analysis of the sources and availability of
cybersecurity talent, a comparison of the skills and
expertise sought by the Federal Government and the private
sector, an examination of the current and future capacity of
United States institutions of higher education, including
community colleges, to provide current and future
cybersecurity professionals, through education and training
activities, with those skills sought by the Federal
Government, State and local entities, and the private sector.
(c) Report.--Not later than 1 year after the date of
enactment of this Act, the National Academies shall submit to
the President and Congress a report on the results of the
study. The report shall include--
(1) findings regarding the state of information
infrastructure accreditation, training, and certification
programs, including specific areas of deficiency and
demonstrable progress; and
(2) recommendations for the improvement of information
infrastructure accreditation, training, and certification
programs.
SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.
(a) In General.--The Director of the National Institute of
Standards and Technology, in coordination with appropriate
Federal authorities, shall--
(1) as appropriate, ensure coordination of Federal agencies
engaged in the development of international technical
standards related to information system security; and
(2) not later than 1 year after the date of enactment of
this Act, develop and transmit to Congress a plan for
ensuring such Federal agency coordination.
(b) Consultation With the Private Sector.--In carrying out
the activities under subsection (a)(1), the Director shall
ensure consultation with appropriate private sector
stakeholders.
SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.
The Director of the National Institute of Standards and
Technology shall continue a program to support the
development of technical standards, metrology, testbeds, and
conformance criteria, taking into account appropriate user
concerns--
(1) to improve interoperability among identity management
technologies;
(2) to strengthen authentication methods of identity
management systems;
(3) to improve privacy protection in identity management
systems, including health information technology systems,
through authentication and security protocols; and
(4) to improve the usability of identity management
systems.
SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) National Science Foundation Computer and Network
Security Research Grant Areas.--Section 4(a)(1) of the Cyber
Security Research and Development Act (15 U.S.C. 7403(a)(1))
is amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking ``property.'' and
inserting ``property;''; and
(3) by adding at the end the following:
``(J) secure fundamental protocols that are at the heart of
inter-network communications and data exchange;
``(K) system security that addresses the building of secure
systems from trusted and untrusted components;
``(L) monitoring and detection; and
``(M) resiliency and rapid recovery methods.''.
(b) National Science Foundation Computer and Network
Security Grants.--Section 4(a)(3) of the Cyber Security
Research and Development Act (15 U.S.C. 7403(a)(3)) is
amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
(c) Computer and Network Security Centers.--Section 4(b)(7)
of the Cyber Security Research and Development Act (15 U.S.C.
7403(b)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
(d) Computer and Network Security Capacity Building
Grants.--Section 5(a)(6) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(a)(6)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
(e) Scientific and Advanced Technology Act Grants.--Section
5(b)(2) of the Cyber Security Research and Development Act
(15 U.S.C. 7404(b)(2)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
(f) Graduate Traineeships in Computer and Network Security
Research.--Section 5(c)(7) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(c)(7)) is amended--
[[Page S5544]]
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Secretary finds necessary to carry out
the requirements of this subsection for fiscal years 2012
through 2013.''.
______
SA 2607. Mr. McCAIN (for himself, Mrs. Hutchison, Mr. Chambliss, Mr.
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of
Wisconsin) submitted an amendment intended to be proposed by him to the
bill S. 3414, to enhance the security and resiliency of the cyber and
communications infrastructure of the United States; which was ordered
to lie on the table; as follows:
Beginning on page 1, strike line 3 and all that follows
through page 211, line 6 and insert the following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the
``Strengthening and Enhancing Cybersecurity by Using
Research, Education, Information, and Technology Act of
2012'' or ``SECURE IT''.
(b) Table of Contents.--The table of contents of this Act
is as follows:
Sec. 1. Short title; table of contents.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.
TITLE III--CRIMINAL PENALTIES
Sec. 301. Penalties for fraud and related activity in connection with
computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity
in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
Sec. 401. National High-Performance Computing Program planning and
coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology,
including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance
Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of
information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
SEC. 101. DEFINITIONS.
In this title:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in section 1(a) of the
Clayton Act (15 U.S.C. 12(a));
(B) includes section 5 of the Federal Trade Commission Act
(15 U.S.C. 45) to the extent that section 5 of that Act
applies to unfair methods of competition; and
(C) includes any State law that has the same intent and
effect as the laws under subparagraphs (A) and (B).
(3) Countermeasure.--The term ``countermeasure'' means an
automated or a manual action with defensive intent to
mitigate cyber threats.
(4) Cyber threat information.--The term ``cyber threat
information'' means information that indicates or describes--
(A) a technical or operational vulnerability or a cyber
threat mitigation measure;
(B) an action or operation to mitigate a cyber threat;
(C) malicious reconnaissance, including anomalous patterns
of network activity that appear to be transmitted for the
purpose of gathering technical information related to a
cybersecurity threat;
(D) a method of defeating a technical control;
(E) a method of defeating an operational control;
(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
(G) a method of causing a user with legitimate access to an
information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
(H) any other attribute of a cybersecurity threat or cyber
defense information that would foster situational awareness
of the United States cybersecurity posture, if disclosure of
such attribute or information is not otherwise prohibited by
law;
(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
(J) any combination of subparagraphs (A) through (I).
(5) Cybersecurity center.--The term ``cybersecurity
center'' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
(6) Cybersecurity system.--The term ``cybersecurity
system'' means a system designed or employed to ensure the
integrity, confidentiality, or availability of, or to
safeguard, a system or network, including measures intended
to protect a system or network from--
(A) efforts to degrade, disrupt, or destroy such system or
network; or
(B) theft or misappropriations of private or government
information, intellectual property, or personally
identifiable information.
(7) Entity.--
(A) In general.--The term ``entity'' means any private
entity, non-Federal government agency or department, or
State, tribal, or local government agency or department
(including an officer, employee, or agent thereof).
(B) Inclusions.--The term ``entity'' includes a government
agency or department (including an officer, employee, or
agent thereof) of the District of Columbia, the Commonwealth
of Puerto Rico, the Virgin Islands, Guam, American Samoa, the
Northern Mariana Islands, and any other territory or
possession of the United States.
(8) Federal information system.--The term ``Federal
information system'' means an information system of a Federal
department or agency used or operated by an executive agency,
by a contractor of an executive agency, or by another
organization on behalf of an executive agency.
(9) Information security.--The term ``information
security'' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
(B) confidentiality, by preserving authorized restrictions
on access and disclosure, including means for protecting
personal privacy and proprietary information; or
(C) availability, by ensuring timely and reliable access to
and use of information.
(10) Information system.--The term ``information system''
has the meaning given the term in section 3502 of title 44,
United States Code.
(11) Local government.--The term ``local government'' means
any borough, city, county, parish, town, township, village,
or other general purpose political subdivision of a State.
(12) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
(13) Operational control.--The term ``operational control''
means a security control for an information system that
primarily is implemented and executed by people.
(14) Operational vulnerability.--The term ``operational
vulnerability'' means any attribute of policy, process, or
procedure that could enable or facilitate the defeat of an
operational control.
(15) Private entity.--The term ``private entity'' means any
individual or any private group, organization, or
corporation, including an officer, employee, or agent
thereof.
(16) Significant cyber incident.--The term ``significant
cyber incident'' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
(B) an incident in which an operational or technical
control essential to the security or
[[Page S5545]]
operation of a Federal information system was defeated.
(17) Technical control.--The term ``technical control''
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
(18) Technical vulnerability.--The term ``technical
vulnerability'' means any attribute of hardware or software
that could enable or facilitate the defeat of a technical
control.
(19) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian Self-
Determination and Education Assistance Act (25 U.S.C. 450b).
SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.
(a) Voluntary Disclosure.--
(1) Private entities.--Notwithstanding any other provision
of law, a private entity may, for the purpose of preventing,
investigating, or otherwise mitigating threats to information
security, on its own networks, or as authorized by another
entity, on such entity's networks, employ countermeasures and
use cybersecurity systems in order to obtain, identify, or
otherwise possess cyber threat information.
(2) Entities.--Notwithstanding any other provision of law,
an entity may disclose cyber threat information to--
(A) a cybersecurity center; or
(B) any other entity in order to assist with preventing,
investigating, or otherwise mitigating threats to information
security.
(3) Information security providers.--If the cyber threat
information described in paragraph (1) is obtained,
identified, or otherwise possessed in the course of providing
information security products or services under contract to
another entity, that entity shall be given, at any time prior
to disclosure of such information, a reasonable opportunity
to authorize or prevent such disclosure, to request
anonymization of such information, or to request that
reasonable efforts be made to safeguard such information that
identifies specific persons from unauthorized access or
disclosure.
(b) Significant Cyber Incidents Involving Federal
Information Systems.--
(1) In general.--An entity providing electronic
communication services, remote computing services, or
information security services to a Federal department or
agency shall inform the Federal department or agency of a
significant cyber incident involving the Federal information
system of that Federal department or agency that--
(A) is directly known to the entity as a result of
providing such services;
(B) is directly related to the provision of such services
by the entity; and
(C) as determined by the entity, has impeded or will impede
the performance of a critical mission of the Federal
department or agency.
(2) Advance coordination.--A Federal department or agency
receiving the services described in paragraph (1) shall
coordinate in advance with an entity described in paragraph
(1) to develop the parameters of any information that may be
provided under paragraph (1), including clarification of the
type of significant cyber incident that will impede the
performance of a critical mission of the Federal department
or agency.
(3) Report.--A Federal department or agency shall report
information provided under this subsection to a cybersecurity
center.
(4) Construction.--Any information provided to a
cybersecurity center under paragraph (3) shall be treated in
the same manner as information provided to a cybersecurity
center under subsection (a).
(c) Information Shared With or Provided to a Cybersecurity
Center.--Cyber threat information provided to a cybersecurity
center under this section--
(1) may be disclosed to, retained by, and used by,
consistent with otherwise applicable Federal law, any Federal
agency or department, component, officer, employee, or agent
of the Federal government for a cybersecurity purpose, a
national security purpose, or in order to prevent,
investigate, or prosecute any of the offenses listed in
section 2516 of title 18, United States Code, and such
information shall not be disclosed to, retained by, or used
by any Federal agency or department for any use not permitted
under this paragraph;
(2) may, with the prior written consent of the entity
submitting such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except that if the need for immediate
disclosure prevents obtaining written consent, such consent
may be provided orally with subsequent documentation of such
consent;
(3) shall be considered the commercial, financial, or
proprietary information of the entity providing such
information to the Federal government and any disclosure
outside the Federal government may only be made upon the
prior written consent by such entity and shall not constitute
a waiver of any applicable privilege or protection provided
by law, except that if the need for immediate disclosure
prevents obtaining written consent, such consent may be
provided orally with subsequent documentation of such
consent;
(4) shall be deemed voluntarily shared information and
exempt from disclosure under section 552 of title 5, United
States Code, and any State, tribal, or local law requiring
disclosure of information or records;
(5) shall be, without discretion, withheld from the public
under section 552(b)(3)(B) of title 5, United States Code,
and any State, tribal, or local law requiring disclosure of
information or records;
(6) shall not be subject to the rules of any Federal agency
or department or any judicial doctrine regarding ex parte
communications with a decision-making official;
(7) shall not, if subsequently provided to a State, tribal,
or local government or government agency, otherwise be
disclosed or distributed to any entity by such State, tribal,
or local government or government agency without the prior
written consent of the entity submitting such information,
notwithstanding any State, tribal, or local law requiring
disclosure of information or records, except that if the need
for immediate disclosure prevents obtaining written consent,
such consent may be provided orally with subsequent
documentation of such consent; and
(8) shall not be directly used by any Federal, State,
tribal, or local department or agency to regulate the lawful
activities of an entity, including activities relating to
obtaining, identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this paragraph.
(d) Procedures Relating to Information Sharing With a
Cybersecurity Center.--Not later than 60 days after the date
of enactment of this Act, the heads of each department or
agency containing a cybersecurity center shall jointly
develop, promulgate, and submit to Congress procedures to
ensure that cyber threat information shared with or provided
to--
(1) a cybersecurity center under this section--
(A) may be submitted to a cybersecurity center by an
entity, to the greatest extent possible, through a uniform,
publicly available process or format that is easily
accessible on the website of such cybersecurity center, and
that includes the ability to provide relevant details about
the cyber threat information and written consent to any
subsequent disclosures authorized by this paragraph;
(B) shall immediately be further shared with each
cybersecurity center in order to prevent, investigate, or
otherwise mitigate threats to information security across the
Federal government;
(C) is handled by the Federal government in a reasonable
manner, including consideration of the need to protect the
privacy and civil liberties of individuals through
anonymization or other appropriate methods, while fully
accomplishing the objectives of this title, and the Federal
government may undertake efforts consistent with this
subparagraph to limit the impact on privacy and civil
liberties of the sharing of cyber threat information with the
Federal government; and
(D) except as provided in this section, shall only be used,
disclosed, or handled in accordance with the provisions of
subsection (c); and
(2) a Federal agency or department under subsection (b) is
provided immediately to a cybersecurity center in order to
prevent, investigate, or otherwise mitigate threats to
information security across the Federal government.
(e) Information Shared Between Entities.--
(1) In general.--An entity sharing cyber threat information
with another entity under this title may restrict the use or
sharing of such information by such other entity.
(2) Further sharing.--Cyber threat information shared by
any entity with another entity under this title--
(A) shall only be further shared in accordance with any
restrictions placed on the sharing of such information by the
entity authorizing such sharing, such as appropriate
anonymization of such information; and
(B) may not be used by any entity to gain an unfair
competitive advantage to the detriment of the entity
authorizing the sharing of such information, except that the
conduct described in paragraph (3) shall not constitute
unfair competitive conduct.
(3) Information shared with state, tribal, or local
government or government agency.--Cyber threat information
shared with a State, tribal, or local government or
government agency under this title--
(A) may, with the prior written consent of the entity
sharing such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except if the need for immediate disclosure
prevents obtaining written consent, consent may be provided
orally with subsequent documentation of the consent;
(B) shall be deemed voluntarily shared information and
exempt from disclosure under any State, tribal, or local law
requiring disclosure of information or records;
(C) shall not be disclosed or distributed to any entity by
the State, tribal, or local government or government agency
without the prior written consent of the entity submitting
such information, notwithstanding any
[[Page S5546]]
State, tribal, or local law requiring disclosure of
information or records, except if the need for immediate
disclosure prevents obtaining written consent, consent may be
provided orally with subsequent documentation of the consent;
and
(D) shall not be directly used by any State, tribal, or
local department or agency to regulate the lawful activities
of an entity, including activities relating to obtaining,
identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this
subparagraph.
(4) Antitrust exemption.--The exchange or provision of
cyber threat information or assistance between 2 or more
private entities under this title shall not be considered a
violation of any provision of antitrust laws if exchanged or
provided in order to assist with--
(A) facilitating the prevention, investigation, or
mitigation of threats to information security; or
(B) communicating or disclosing of cyber threat information
to help prevent, investigate, or otherwise mitigate the
effects of a threat to information security.
(5) No right or benefit.--The provision of cyber threat
information to an entity under this section shall not create
a right or a benefit to similar information by such entity or
any other entity.
(f) Federal Preemption.--
(1) In general.--This section supersedes any statute or
other law of a State or political subdivision of a State that
restricts or otherwise expressly regulates an activity
authorized under this section.
(2) State law enforcement.--Nothing in this section shall
be construed to supersede any statute or other law of a State
or political subdivision of a State concerning the use of
authorized law enforcement techniques.
(3) Public disclosure.--No information shared with or
provided to a State, tribal, or local government or
government agency pursuant to this section shall be made
publicly available pursuant to any State, tribal, or local
law requiring disclosure of information or records.
(g) Civil and Criminal Liability.--
(1) General protections.--
(A) Private entities.--No cause of action shall lie or be
maintained in any court against any private entity for--
(i) the use of countermeasures and cybersecurity systems as
authorized by this title;
(ii) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(iii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
private entity.
(B) Entities.--No cause of action shall lie or be
maintained in any court against any entity for--
(i) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(ii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
entity.
(2) Construction.--Nothing in this subsection shall be
construed as creating any immunity against, or otherwise
affecting, any action brought by the Federal government, or
any agency or department thereof, to enforce any law,
executive order, or procedure governing the appropriate
handling, disclosure, and use of classified information.
(h) Otherwise Lawful Disclosures.--Nothing in this section
shall be construed to limit or prohibit otherwise lawful
disclosures of communications, records, or other information
by a private entity to any other governmental or private
entity not covered under this section.
(i) Whistleblower Protection.--Nothing in this Act shall be
construed to preempt or preclude any employee from exercising
rights currently provided under any whistleblower law, rule,
or regulation.
(j) Relationship to Other Laws.--The submission of cyber
threat information under this section to a cybersecurity
center shall not affect any requirement under any other
provision of law for an entity to provide information to the
Federal government.
SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.
(a) Classified Information.--
(1) Procedures.--Consistent with the protection of
intelligence sources and methods, and as otherwise determined
appropriate, the Director of National Intelligence and the
Secretary of Defense, in consultation with the heads of the
appropriate Federal departments or agencies, shall develop
and promulgate procedures to facilitate and promote--
(A) the immediate sharing, through the cybersecurity
centers, of classified cyber threat information in the
possession of the Federal government with appropriately
cleared representatives of any appropriate entity; and
(B) the declassification and immediate sharing, through the
cybersecurity centers, with any entity or, if appropriate,
public availability of cyber threat information in the
possession of the Federal government;
(2) Handling of classified information.--The procedures
developed under paragraph (1) shall ensure that each entity
receiving classified cyber threat information pursuant to
this section has acknowledged in writing the ongoing
obligation to comply with all laws, executive orders, and
procedures concerning the appropriate handling, disclosure,
or use of classified information.
(b) Unclassified Cyber Threat Information.--The heads of
each department or agency containing a cybersecurity center
shall jointly develop and promulgate procedures that ensure
that, consistent with the provisions of this section,
unclassified, including controlled unclassified, cyber threat
information in the possession of the Federal government--
(1) is shared, through the cybersecurity centers, in an
immediate and adequate manner with appropriate entities; and
(2) if appropriate, is made publicly available.
(c) Development of Procedures.--
(1) In general.--The procedures developed under this
section shall incorporate, to the greatest extent possible,
existing processes utilized by sector specific information
sharing and analysis centers.
(2) Coordination with entities.--In developing the
procedures required under this section, the Director of
National Intelligence and the heads of each department or
agency containing a cybersecurity center shall coordinate
with appropriate entities to ensure that protocols are
implemented that will facilitate and promote the sharing of
cyber threat information by the Federal government.
(d) Additional Responsibilities of Cybersecurity Centers.--
Consistent with section 102, a cybersecurity center shall--
(1) facilitate information sharing, interaction, and
collaboration among and between cybersecurity centers and--
(A) other Federal entities;
(B) any entity; and
(C) international partners, in consultation with the
Secretary of State;
(2) disseminate timely and actionable cybersecurity threat,
vulnerability, mitigation, and warning information, including
alerts, advisories, indicators, signatures, and mitigation
and response measures, to improve the security and protection
of information systems; and
(3) coordinate with other Federal entities, as appropriate,
to integrate information from across the Federal government
to provide situational awareness of the cybersecurity posture
of the United States.
(e) Sharing Within the Federal Government.--The heads of
appropriate Federal departments and agencies shall ensure
that cyber threat information in the possession of such
Federal departments or agencies that relates to the
prevention, investigation, or mitigation of threats to
information security across the Federal government is shared
effectively with the cybersecurity centers.
(f) Submission to Congress.--Not later than 60 days after
the date of enactment of this Act, the Director of National
Intelligence, in coordination with the appropriate head of a
department or an agency containing a cybersecurity center,
shall submit the procedures required by this section to
Congress.
SEC. 104. CONSTRUCTION.
(a) Information Sharing Relationships.--Nothing in this
title shall be construed--
(1) to limit or modify an existing information sharing
relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship
between any entity and the Federal government, except as
specified under section 102(b); or
(4) to modify the authority of a department or agency of
the Federal government to protect sources and methods and the
national security of the United States.
(b) Anti-tasking Restriction.--Nothing in this title shall
be construed to permit the Federal government--
(1) to require an entity to share information with the
Federal government, except as expressly provided under
section 102(b); or
(2) to condition the sharing of cyber threat information
with an entity on such entity's provision of cyber threat
information to the Federal government.
(c) No Liability for Non-participation.--Nothing in this
title shall be construed to subject any entity to liability
for choosing not to engage in the voluntary activities
authorized under this title.
(d) Use and Retention of Information.--Nothing in this
title shall be construed to authorize, or to modify any
existing authority of, a department or agency of the Federal
government to retain or use any information shared under
section 102 for any use other than a use permitted under
subsection 102(c)(1).
(e) No New Funding.--An applicable Federal agency shall
carry out the provisions of this title with existing
facilities and funds otherwise available, through such means
as the head of the agency considers appropriate.
SEC. 105. REPORT ON IMPLEMENTATION.
(a) Content of Report.--Not later than 1 year after the
date of enactment of this Act, and biennially thereafter, the
heads of each department or agency containing a cybersecurity
center shall jointly submit, in coordination with the privacy
and civil liberties officials of such departments or agencies
and the Privacy and Civil Liberties Oversight Board, a
detailed report to Congress concerning the implementation of
this title, including--
(1) an assessment of the sufficiency of the procedures
developed under section 103 of this Act in ensuring that
cyber threat information in the possession of the Federal
government is provided in an immediate and adequate manner to
appropriate entities or, if appropriate, is made publicly
available;
(2) an assessment of whether information has been
appropriately classified and an accounting of the number of
security clearances authorized by the Federal government for
purposes of this title;
(3) a review of the type of cyber threat information shared
with a cybersecurity center under section 102 of this Act,
including whether such information meets the definition of
cyber threat information under section 101, the degree to
which such information may impact the privacy and civil
liberties of individuals, any appropriate metrics to
determine any impact of the sharing of such information with
the Federal government on privacy and civil liberties, and
the adequacy of any steps taken to reduce such impact;
(4) a review of actions taken by the Federal government
based on information provided to a cybersecurity center under
section 102 of this Act, including the appropriateness of any
subsequent use under section 102(c)(1) of this Act and
whether there was inappropriate stovepiping within the
Federal government of any such information;
(5) a description of any violations of the requirements of
this title by the Federal government;
(6) a classified list of entities that received classified
information from the Federal government under section 103 of
this Act and a description of any indication that such
information may not have been appropriately handled;
(7) a summary of any breach of information security, if
known, attributable to a specific failure by any entity or
the Federal government to act on cyber threat information in
the possession of such entity or the Federal government that
resulted in substantial economic harm or injury to a specific
entity or the Federal government; and
(8) any recommendation for improvements or modifications to
the authorities under this title.
(b) Form of Report.--The report under subsection (a) shall
be submitted in unclassified form, but shall include a
classified annex.
SEC. 106. INSPECTOR GENERAL REVIEW.
(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency are authorized to review compliance
by the cybersecurity centers, and by any Federal department
or agency receiving cyber threat information from such
cybersecurity centers, with the procedures required under
section 102 of this Act.
(b) Scope of Review.--The review under subsection (a) shall
consider whether the Federal government has handled such
cyber threat information in a reasonable manner, including
consideration of the need to protect the privacy and civil
liberties of individuals through anonymization or other
appropriate methods, while fully accomplishing the objectives
of this title.
(c) Report to Congress.--Each review conducted under this
section shall be provided to Congress not later than 30 days
after the date of completion of the review.
SEC. 107. TECHNICAL AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
(1) in paragraph (8), by striking ``or'';
(2) in paragraph (9), by striking ``wells.'' and inserting
``wells; or''; and
(3) by adding at the end the following:
``(10) information shared with or provided to a
cybersecurity center under section 102 of title I of the
Strengthening and Enhancing Cybersecurity by Using Research,
Education, Information, and Technology Act of 2012.''.
SEC. 108. ACCESS TO CLASSIFIED INFORMATION.
(a) Authorization Required.--No person shall be provided
with access to classified information (as defined in section
6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to
classified national security information)) relating to cyber
security threats or cyber security vulnerabilities under this
title without the appropriate security clearances.
(b) Security Clearances.--The appropriate Federal agencies
or departments shall, consistent with applicable procedures
and requirements, and if otherwise deemed appropriate, assist
an individual in timely obtaining an appropriate security
clearance where such individual has been determined to be
eligible for such clearance and has a need-to-know (as
defined in section 6.1 of that Executive Order) classified
information to carry out this title.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY
POLICY.
(a) In General.--Chapter 35 of title 44, United States
Code, is amended by striking subchapters II and III and
inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the
effectiveness of information security controls over
information resources that support Federal operations and
assets;
``(2) to recognize the highly networked nature of the
current Federal computing environment and provide effective
government-wide management of policies, directives,
standards, and guidelines, as well as effective and nimble
oversight of and response to information security risks,
including coordination of information security efforts
throughout the Federal civilian, national security, and law
enforcement communities;
``(3) to provide for development and maintenance of
controls required to protect agency information and
information systems and contribute to the overall improvement
of agency information security posture;
``(4) to provide for the development of tools and methods
to assess and respond to real-time situational risk for
Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency
information security programs through continuous monitoring
of agency information systems and streamlined reporting
requirements rather than overly prescriptive manual
reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security'
means security commensurate with the risk and magnitude of
the harm resulting from the unauthorized access to or loss,
misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the
term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity
center' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat
information' means information that indicates or describes--
``(A) a technical or operation vulnerability or a cyber
threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous
patterns of network activity that appear to be transmitted
for the purpose of gathering technical information related to
a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
``(G) a method of causing a user with legitimate access to
an information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
``(H) any other attribute of a cybersecurity threat or
cyber defense information that would foster situational
awareness of the United States cybersecurity posture, if
disclosure of such attribute or information is not otherwise
prohibited by law;
``(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of
the Office of Management and Budget unless otherwise
specified.
``(6) Environment of operation.--The term `environment of
operation' means the information system and environment in
which those systems operate, including changing threats,
vulnerabilities, technologies, and missions and business
practices.
``(7) Federal information system.--The term `Federal
information system' means an information system used or
operated by an executive agency, by a contractor of an
executive agency, or by another organization on behalf of an
executive agency.
``(8) Incident.--The term `incident' means an occurrence
that--
``(A) actually or imminently jeopardizes the integrity,
confidentiality, or availability of an information system or
the information that system controls, processes, stores, or
transmits; or
``(B) constitutes a violation of law or an imminent threat
of violation of a law, a security policy, a security
procedure, or an acceptable use policy.
``(9) Information resources.--The term `information
resources' has the meaning given the term in section 3502 of
title 44.
``(10) Information security.--The term `information
security' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
``(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized
restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access
to and use of information.
``(11) Information system.--The term `information system'
has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information
technology' has the meaning given the term in section 11101
of title 40.
``(13) Malicious reconnaissance.--The term `malicious
reconnaissance' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical
vulnerabilities of the information system, if such method is
associated with a known or suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system'
means any information system (including any
telecommunications system) used or operated by an agency or
by a contractor of an agency, or other organization on behalf
of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national
security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a
weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the
direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established
for information that have been specifically authorized under
criteria established by an Executive Order or an Act of
Congress to be kept classified in the interest of national
defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include
a system that is to be used for routine administrative and
business applications (including payroll, finance, logistics,
and personnel management applications).
``(15) Operational control.--The term `operational control'
means a security control for an information system that
primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the
term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary
of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means
the management, operational, and technical controls,
including safeguards or countermeasures, prescribed for an
information system to protect the confidentiality, integrity,
and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant
cyber incident' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
``(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
``(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
``(20) Technical control.--The term `technical control'
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
``Sec. 3553. Federal information security authority and
coordination
``(a) In General.--The Secretary, in consultation with the
Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives
governing agency information security operations, and require
implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards
and guidelines promulgated under section 11331 of title 40 to
identify and provide information security protections
prioritized and commensurate with the risk and impact
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf
of an agency; or
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(B) minimum operational requirements for Federal
Government to protect agency information systems and provide
common situational awareness across all agency information
systems;
``(C) reporting requirements, consistent with relevant law,
regarding information security incidents and cyber threat
information;
``(D) requirements for agencywide information security
programs;
``(E) performance requirements and metrics for the security
of agency information systems;
``(F) training requirements to ensure that agencies are
able to fully and timely comply with the policies and
directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil
rights, and civil liberties, and information oversight for
agency information security personnel;
``(H) requirements for the annual reports to the Secretary
under section 3554(d);
``(I) any other information security operations or
information security requirements as determined by the
Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and
guidelines under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) with agencies
and offices operating or exercising control of national
security systems (including the National Security Agency) to
assure, to the maximum extent feasible, that such standards
and guidelines are complementary with standards and
guidelines developed for national security systems;
``(2) review the agencywide information security programs
under section 3554; and
``(3) designate an individual or an entity at each
cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information
security incidents, cyber threat information, and
deterioration of security control affecting agency
information systems; and
``(B) to act on or share the information under subparagraph
(A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives
under subsection (a), the Secretary shall consider any
applicable standards or guidelines developed by the National
Institute of Standards and Technology under section 11331 of
title 40.
``(c) Limitation of Authority.--The authorities of the
Secretary under this section shall not apply to national
security systems. Information security policies, directives,
standards and guidelines for national security systems shall
be overseen as directed by the President and, in accordance
with that direction, carried out under the authority of the
heads of agencies that operate or exercise authority over
such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter
shall be construed to alter or amend any law regarding the
authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued
under section 3553;
``(B) providing information security protections
commensurate with the risk resulting from unauthorized
access, use, disclosure, disruption, modification, or
destruction of--
``(i) information collected or maintained by the agency or
by a contractor of an agency or other organization on behalf
of an agency; and
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(C) complying with the requirements of this subchapter,
including--
``(i) information security standards and guidelines
promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued as directed by
the President; and
``(iii) for any non-national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued under section
3553;
``(D) ensuring that information security management
processes are integrated with agency strategic and
operational planning processes;
``(E) reporting and sharing, for an agency operating or
exercising control of a national security system, information
about information security incidents, cyber threat
information, and deterioration of security controls to the
individual or entity designated at each cybersecurity center
and to other appropriate entities consistent with policies
and directives for national security systems issued as
directed by the President; and
``(F) reporting and sharing, for those agencies operating
or exercising control of non-national security systems,
information about information security incidents, cyber
threat information, and deterioration of security controls to
the individual or entity designated at each cybersecurity
center and to other appropriate entities consistent with
policies and directives for non-national security systems as
prescribed under section 3553(a), including information to
assist the entity designated under section 3555(a) with the
ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides
information security for the information and information
systems that support the operations and assets under the
senior agency official's control, including by--
``(A) assessing the risk and impact that could result from
the unauthorized access, use, disclosure, disruption,
modification, or destruction of such information or
information systems;
``(B) determining the level of information security
appropriate to protect such information and information
systems in accordance with policies and directives issued
under section 3553(a), and standards and guidelines
promulgated under section 11331 of title 40 for information
security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities
to reduce risks to an acceptable level in a cost-effective
manner;
``(D) actively monitoring the effective implementation of
information security controls and techniques; and
``(E) reporting information about information security
incidents, cyber threat information, and deterioration of
security controls in a timely and adequate manner to the
entity designated under section 3553(a)(3) in accordance with
paragraph (1);
``(3) assess and maintain the resiliency of information
technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an
independent entity selected in consultation with the Director
and the Council of Inspectors General on Integrity and
Efficiency if the agency does not have an Inspector General)
to conduct the annual independent evaluation required under
section 3556, and allow the agency Inspector General to
contract with an independent entity to perform such
evaluation;
``(5) delegate to the Chief Information Officer or
equivalent (or to a senior agency official who reports to the
Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement
an agencywide information security program; and
``(B) the authority to provide information security for the
information collected and maintained by the agency (or by a
contractor, other agency, or other source on behalf of the
agency) and for the information systems that support the
operations, assets, and mission of the agency (including any
information system provided or managed by a contractor, other
agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is
responsible for a particular agency system or subsystem) the
responsibility to ensure and enforce compliance with all
requirements of the agency's agencywide information security
program in coordination with the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have
obtained any necessary security clearances to permit them to
assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5),
in coordination with other senior agency officials, reports
to the agency head on the effectiveness of the agencywide
information security program, including the progress of any
remedial actions; and
``(9) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5)
has the necessary qualifications to administer the functions
described in this subchapter and has information security
duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information
Officer or equivalent (or the senior agency official who
reports to the Chief Information Officer or equivalent) under
subsection (a)(5) shall--
``(1) establish and maintain an enterprise security
operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds
to information security incidents that impair adequate
security of the agency's information or information system in
a timely manner and in accordance with the policies and
directives under section 3553; and
``(B) reports any information security incident under
subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide
information security program;
``(3) develop, maintain, and oversee information security
policies, procedures, and control techniques to address
applicable requirements, including requirements under section
3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have
significant responsibility for information security with
respect to that responsibility.
``(c) Agencywide Information Security Programs.--
``(1) In general.--Each agencywide information security
program under subsection (b)(2) shall include--
``(A) relevant security risk assessments, including
technical assessments and others related to the acquisition
process;
``(B) security testing commensurate with risk and impact;
``(C) mitigation of deterioration of security controls
commensurate with risk and impact;
``(D) risk-based continuous monitoring and threat
assessment of the operational status and security of agency
information systems to enable evaluation of the effectiveness
of and compliance with information security policies,
procedures, and practices, including a relevant and
appropriate selection of security controls of information
systems identified in the inventory under section 3505(c);
``(E) operation of appropriate technical capabilities in
order to detect, mitigate, report, and respond to information
security incidents, cyber threat information, and
deterioration of security controls in a manner that is
consistent with the policies and directives under section
3553, including--
``(i) mitigating risks associated with such information
security incidents;
``(ii) notifying and consulting with the entity designated
under section 3555; and
``(iii) notifying and consulting with, as appropriate--
``(I) law enforcement and the relevant Office of the
Inspector General; and
``(II) any other entity, in accordance with law and as
directed by the President;
``(F) a process to ensure that remedial action is taken to
address any deficiencies in the information security
policies, procedures, and practices of the agency; and
``(G) a plan and procedures to ensure the continuity of
operations for information systems that support the
operations and assets of the agency.
``(2) Risk management strategies.--Each agencywide
information security program under subsection (b)(2) shall
include the development and maintenance of a risk management
strategy for information security. The risk management
strategy shall include--
``(A) consideration of information security incidents,
cyber threat information, and deterioration of security
controls; and
``(B) consideration of the consequences that could result
from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information
systems that support the operations and assets of the agency,
including any information system provided or managed by a
contractor, other agency, or other source on behalf of the
agency;
``(3) Policies and procedures.--Each agencywide information
security program under subsection (b)(2) shall include
policies and procedures that--
``(A) are based on the risk management strategy under
paragraph (2);
``(B) reduce information security risks to an acceptable
level in a cost-effective manner;
``(C) ensure that cost-effective and adequate information
security is addressed as part of the acquisition and ongoing
management of each agency information system; and
``(D) ensure compliance with--
``(i) this subchapter; and
``(ii) any other applicable requirements.
``(4) Training requirements.--Each agencywide information
security program under subsection (b)(2) shall include
information security, privacy, civil rights, civil liberties,
and information oversight training that meets any applicable
requirements under section 3553. The training shall inform
each information security personnel that has access to agency
information systems (including contractors and other users of
information systems that support the operations and assets of
the agency) of--
``(A) the information security risks associated with the
information security personnel's activities; and
``(B) the individual's responsibility to comply with the
agency policies and procedures that reduce the risks under
subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report
annually to the Secretary of Homeland Security on its
agencywide information security program and information
systems.
``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of
Management and Budget, in coordination with the Secretary of
Homeland Security, shall designate an entity to implement
ongoing security analysis concerning agency information
systems--
``(1) based on cyber threat information;
``(2) based on agency information system and environment of
operation changes, including--
``(A) an ongoing evaluation of the information system
security controls; and
``(B) the security state, risk level, and environment of
operation of an agency information system, including--
``(i) a change in risk level due to a new cyber threat;
``(ii) a change resulting from a new technology;
``(iii) a change resulting from the agency's mission; and
``(iv) a change resulting from the business practice; and
``(3) using automated processes to the maximum extent
possible--
``(A) to increase information system security;
``(B) to reduce paper-based reporting requirements; and
``(C) to maintain timely and actionable knowledge of the
state of the information system security.
``(b) Standards.--The National Institute of Standards and
Technology may promulgate standards, in coordination with the
Secretary of Homeland Security, to assist an agency with its
duties under this section.
``(c) Compliance.--The head of each appropriate department
and agency shall be responsible for ensuring compliance and
implementing necessary procedures to comply with this
section. The head of each appropriate department and agency,
in consultation with the Director of the Office of Management
and Budget and the Secretary of Homeland Security, shall--
``(1) monitor compliance under this section;
``(2) develop a timeline and implement for the department
or agency--
``(A) adoption of any technology, system, or method that
facilitates continuous monitoring and threat assessments of
an agency information system;
``(B) adoption or updating of any technology, system, or
method that prevents, detects, or remediates a significant
cyber incident to a Federal information system of the
department or agency that has impeded, or is reasonably
likely to impede, the performance of a critical mission of
the department or agency; and
``(C) adoption of any technology, system, or method that
satisfies a requirement under this section.
``(d) Limitation of Authority.--The authorities of the
Director of the Office of Management and Budget and of the
Secretary of Homeland Security under this section shall not
apply to national security systems.
``(e) Report.--Not later than 6 months after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Government Accountability Office shall issue a
report evaluating each agency's status toward implementing
this section.
``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency, in consultation with the Director
and the Secretary of Homeland Security, the Secretary of
Commerce, and the Secretary of Defense, shall issue and
maintain criteria for the timely, cost-effective, risk-based,
and independent evaluation of each agencywide information
security program (and practices) to determine the
effectiveness of the agencywide information security program
(and practices). The criteria shall include measures to
assess any conflicts of interest in the performance of the
evaluation and whether the agencywide information security
program includes appropriate safeguards against disclosure of
information where such disclosure may adversely affect
information security.
``(b) Annual Independent Evaluations.--Each agency shall
perform an annual independent evaluation of its agencywide
information security program (and practices) in accordance
with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days
after receiving an independent evaluation under subsection
(b), each agency head shall transmit a copy of the
independent evaluation to the Secretary of Homeland Security,
the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving
national security systems shall be conducted as directed by
the President.
``Sec. 3557. National security systems.
``The head of each agency operating or exercising control
of a national security system shall be responsible for
ensuring that the agency--
``(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of the information
contained in such system; and
``(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with law and
as directed by the President.''.
(b) Savings Provisions.--
(1) Policy and compliance guidance.--Policy and compliance
guidance issued by the Director before the date of enactment
of this Act under section 3543(a)(1) of title 44, United
States Code (as in effect on the day before the date of
enactment of this Act), shall continue in effect, according
to its terms, until modified, terminated, superseded, or
repealed pursuant to section 3553(a)(1) of title 44, United
States Code.
(2) Standards and guidelines.--Standards and guidelines
issued by the Secretary of Commerce or by the Director before
the date of enactment of this Act under section 11331(a)(1)
of title 40, United States Code, (as in effect on the day
before the date of enactment of this Act) shall continue in
effect, according to their terms, until modified, terminated,
superseded, or repealed pursuant to section 11331(a)(1) of
title 40, United States Code, as amended by this Act.
(c) Technical and Conforming Amendments.--
(1) Chapter analysis.--The chapter analysis for chapter 35
of title 44, United States Code, is amended--
(A) by striking the items relating to sections 3531 through
3538;
(B) by striking the items relating to sections 3541 through
3549; and
(C) by inserting the following:
``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
(2) Other references.--
(A) Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section
3532(3)'' and inserting ``section 3552''.
(B) Section 2222(j)(5) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(C) Section 2223(c)(3) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(D) Section 2315 of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(E) Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking ``section
3532(b)(2)'' and inserting ``section 3552'';
(ii) in subsection (c)(3), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iii) in subsection (d)(1), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iv) in subsection (d)(8) by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(v) in subsection (d)(8), by striking ``submitted to the
Director'' and inserting ``submitted to the Secretary'';
(vi) in subsection (e)(2), by striking ``section 3532(1) of
such title'' and inserting ``section 3552 of title 44''; and
(vii) in subsection (e)(5), by striking ``section
3532(b)(2) of such title'' and inserting ``section 3552 of
title 44''.
(F) Section 8(d)(1) of the Cyber Security Research and
Development Act (15 U.S.C. 7406(d)(1)) is amended by striking
``section 3534(b)'' and inserting ``section 3554(b)(2)''.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General.--Section 11331 of title 40, United States
Code, is amended to read as follows:
``Sec. 11331. Responsibilities for Federal information
systems standards
``(a) Standards and Guidelines.--
``(1) Authority to prescribe.--Except as provided under
paragraph (2), the Secretary of Commerce shall prescribe
standards and guidelines pertaining to Federal information
systems--
``(A) in consultation with the Secretary of Homeland
Security; and
``(B) on the basis of standards and guidelines developed by
the National Institute of Standards and Technology under
paragraphs (2) and (3) of section 20(a) of the National
Institute of Standards and Technology Act (15 U.S.C. 278g-
3(a)(2) and (a)(3)).
``(2) National security systems.--Standards and guidelines
for national security systems shall be developed, prescribed,
enforced, and overseen as otherwise authorized by law and as
directed by the President.
``(b) Mandatory Standards and Guidelines.--
``(1) Authority to make mandatory standards and
guidelines.--The Secretary of Commerce shall make standards
and guidelines under subsection (a)(1) compulsory and binding
to the extent determined necessary by the Secretary of
Commerce to improve the efficiency of operation or security
of Federal information systems.
``(2) Required mandatory standards and guidelines.--
``(A) In general.--Standards and guidelines under
subsection (a)(1) shall include information security
standards that--
``(i) provide minimum information security requirements as
determined under section 20(b) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(b)); and
``(ii) are otherwise necessary to improve the security of
Federal information and information systems.
``(B) Binding effect.--Information security standards under
subparagraph (A) shall be compulsory and binding.
``(c) Exercise of Authority.--To ensure fiscal and policy
consistency, the Secretary of Commerce shall exercise the
authority conferred by this section subject to direction by
the President and in coordination with the Director.
``(d) Application of More Stringent Standards and
Guidelines.--The head of an executive agency may employ
standards for the cost-effective information security for
information systems within or under the supervision of that
agency that are more stringent than the standards and
guidelines the Secretary of Commerce prescribes under this
section if the more stringent standards and guidelines--
``(1) contain at least the applicable standards and
guidelines made compulsory and binding by the Secretary of
Commerce; and
``(2) are otherwise consistent with the policies,
directives, and implementation memoranda issued under section
3553(a) of title 44.
``(e) Decisions on Promulgation of Standards and
Guidelines.--The decision by the Secretary of Commerce
regarding the promulgation of any standard or guideline under
this section shall occur not later than 6 months after the
date of submission of the proposed standard to the Secretary
of Commerce by the National Institute of Standards and
Technology under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3).
``(f) Notice and Comment.--A decision by the Secretary of
Commerce to significantly modify, or not promulgate, a
proposed standard submitted to the Secretary by the National
Institute of Standards and Technology under section 20 of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3) shall be made after the public is given an
opportunity to comment on the Secretary's proposed decision.
``(g) Definitions.--In this section:
``(1) Federal information system.--The term `Federal
information system' has the meaning given the term in section
3552 of title 44.
``(2) Information security.--The term `information
security' has the meaning given the term in section 3552 of
title 44.
``(3) National security system.--The term `national
security system' has the meaning given the term in section
3552 of title 44.''.
SEC. 203. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.
Section 21(b) of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-4(b)) is amended--
(1) in paragraph (2), by striking ``and the Director of the
Office of Management and Budget'' and inserting ``, the
Secretary of Commerce, and the Secretary of Homeland
Security''; and
(2) in paragraph (3), by inserting ``, the Secretary of
Homeland Security,'' after ``the Secretary of Commerce''.
SEC. 205. CLARIFICATION OF AUTHORITIES.
Nothing in this title shall be construed to convey any new
regulatory authority to any government entity implementing or
complying with any provision of this title.
TITLE III--CRIMINAL PENALTIES
SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN
CONNECTION WITH COMPUTERS.
Section 1030(c) of title 18, United States Code, is amended
to read as follows:
``(c) The punishment for an offense under subsection (a) or
(b) of this section is--
``(1) a fine under this title or imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(1) of this section;
``(2)(A) except as provided in subparagraph (B), a fine
under this title or imprisonment for not more than 3 years,
or both, in the case of an offense under subsection (a)(2);
or
``(B) a fine under this title or imprisonment for not more
than ten years, or both, in the case of an offense under
subsection (a)(2) of this section, if--
``(i) the offense was committed for purposes of commercial
advantage or private financial gain;
``(ii) the offense was committed in the furtherance of any
criminal or tortious act in violation of the Constitution or
laws of the United States, or of any State; or
``(iii) the value of the information obtained, or that
would have been obtained if the offense was completed,
exceeds $5,000;
``(3) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(3) of this section;
``(4) a fine under this title or imprisonment of not more
than 20 years, or both, in the case of an offense under
subsection (a)(4) of this section;
``(5)(A) except as provided in subparagraph (C), a fine
under this title, imprisonment for not more than 20 years, or
both, in the case of an offense under subsection (a)(5)(A) of
this section, if the offense caused--
``(i) loss to 1 or more persons during any 1-year period
(and, for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting
from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
``(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
``(iii) physical injury to any person;
``(iv) a threat to public health or safety;
``(v) damage affecting a computer used by, or on behalf of,
an entity of the United States Government in furtherance of
the administration of justice, national defense, or national
security; or
``(vi) damage affecting 10 or more protected computers
during any 1-year period;
``(B) a fine under this title, imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(5)(B), if the offense caused a harm provided
in clause (i) through (vi) of subparagraph (A) of this
subsection;
``(C) if the offender attempts to cause or knowingly or
recklessly causes death from conduct in violation of
subsection (a)(5)(A), a fine under this title, imprisonment
for any term of years or for life, or both;
``(D) a fine under this title, imprisonment for not more
than 10 years, or both, for any other offense under
subsection (a)(5);
``(E) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(6) of this section; or
``(F) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(7) of this section.''.
SEC. 302. TRAFFICKING IN PASSWORDS.
Section 1030(a)(6) of title 18, United States Code, is
amended to read as follows:
``(6) knowingly and with intent to defraud traffics (as
defined in section 1029) in any password or similar
information or means of access through which a protected
computer (as defined in subparagraphs (A) and (B) of
subsection (e)(2)) may be accessed without authorization.''.
SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.
Section 1030(b) of title 18, United States Code, is amended
by inserting ``as if for the completed offense'' after
``punished as provided''.
SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED
ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030 of title 18, United States Code, is amended by
striking subsections (i) and (j) and inserting the following:
``(i) Criminal Forfeiture.--
``(1) The court, in imposing sentence on any person
convicted of a violation of this section, or convicted of
conspiracy to violate this section, shall order, in addition
to any other sentence imposed and irrespective of any
provision of State law, that such person forfeit to the
United States--
``(A) such person's interest in any property, real or
personal, that was used, or intended to be used, to commit or
facilitate the commission of such violation; and
``(B) any property, real or personal, constituting or
derived from any gross proceeds, or any property traceable to
such property, that such person obtained, directly or
indirectly, as a result of such violation.
``(2) The criminal forfeiture of property under this
subsection, including any seizure and disposition of the
property, and any related judicial or administrative
proceeding, shall be governed by the provisions of section
413 of the Comprehensive Drug Abuse Prevention and Control
Act of 1970 (21 U.S.C. 853), except subsection (d) of that
section.
``(j) Civil Forfeiture.--
``(1) The following shall be subject to forfeiture to the
United States and no property right, real or personal, shall
exist in them:
``(A) Any property, real or personal, that was used, or
intended to be used, to commit or facilitate the commission
of any violation of this section, or a conspiracy to violate
this section.
``(B) Any property, real or personal, constituting or
derived from any gross proceeds obtained directly or
indirectly, or any property traceable to such property, as a
result of the commission of any violation of this section, or
a conspiracy to violate this section.
``(2) Seizures and forfeitures under this subsection shall
be governed by the provisions in chapter 46 relating to civil
forfeitures, except that such duties as are imposed on the
Secretary of the Treasury under the customs laws described in
section 981(d) shall be performed by such officers, agents
and other persons as may be designated for that purpose by
the Secretary of Homeland Security or the Attorney
General.''.
SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.
(a) In General.--Chapter 47 of title 18, United States
Code, is amended by inserting after section 1030 the
following:
``Sec. 1030A. Aggravated damage to a critical infrastructure
computer
``(a) Definitions.--In this section--
``(1) the term `computer' has the meaning given the term in
section 1030;
``(2) the term `critical infrastructure computer' means a
computer that manages or controls systems or assets vital to
national defense, national security, national economic
security, public health or safety, or any combination of
those matters, whether publicly or privately owned or
operated, including--
``(A) oil and gas production, storage, conversion, and
delivery systems;
``(B) water supply systems;
``(C) telecommunication networks;
``(D) electrical power generation and delivery systems;
``(E) finance and banking systems;
``(F) emergency services;
``(G) transportation systems and services; and
``(H) government operations that provide essential services
to the public; and
``(3) the term `damage' has the meaning given the term in
section 1030.
``(b) Offense.--It shall be unlawful, during and in
relation to a felony violation of section 1030, to knowingly
cause or attempt to cause damage to a critical infrastructure
computer if the damage results in (or, in the case of an
attempt, if completed, would have resulted in) the
substantial impairment--
``(1) of the operation of the critical infrastructure
computer; or
``(2) of the critical infrastructure associated with the
computer.
``(c) Penalty.--Any person who violates subsection (b)
shall be--
``(1) fined under this title;
``(2) imprisoned for not less than 3 years but not more
than 20 years; or
``(3) penalized under paragraphs (1) and (2).
``(d) Consecutive Sentence.--Notwithstanding any other
provision of law--
``(1) a court shall not place on probation any person
convicted of a violation of this section;
``(2) except as provided in paragraph (4), no term of
imprisonment imposed on a person under this section shall run
concurrently with any other term of imprisonment, including
any term of imprisonment imposed on the person under any
other provision of law, including any term of imprisonment
imposed for a felony violation of section 1030;
``(3) in determining any term of imprisonment to be imposed
for a felony violation of section 1030, a court shall not in
any way reduce the term to be imposed for such crime so as to
compensate for, or otherwise take into account, any separate
term of imprisonment imposed or to be imposed for a violation
of this section; and
``(4) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the
court, run concurrently, in whole or in part, only with
another term of imprisonment that is imposed by the court at
the same time on that person for an additional violation of
this section, provided that such discretion shall be
exercised in accordance with any applicable guidelines and
policy statements issued by the United States Sentencing
Commission pursuant to section 994 of title 28.''.
(b) Technical and Conforming Amendment.--The chapter
analysis for chapter 47 of title 18, United States Code, is
amended by inserting after the item relating to section 1030
the following:
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code, is
amended by striking ``alter;'' and inserting ``alter, but
does not include access in violation of a contractual
obligation or agreement, such as an acceptable use policy or
terms of service agreement, with an Internet service
provider, Internet website, or non-government employer, if
such violation constitutes the sole basis for determining
that access to a protected computer is unauthorized;''.
SEC. 307. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM
PLANNING AND COORDINATION.
(a) Goals and Priorities.--Section 101 of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511) is amended
by adding at the end the following:
``(d) Goals and Priorities.--The goals and priorities for
Federal high-performance computing research, development,
networking, and other activities under subsection (a)(2)(A)
shall include--
``(1) encouraging and supporting mechanisms for
interdisciplinary research and development in networking and
information technology, including--
``(A) through collaborations across agencies;
``(B) through collaborations across Program Component
Areas;
``(C) through collaborations with industry;
``(D) through collaborations with institutions of higher
education;
``(E) through collaborations with Federal laboratories (as
defined in section 4 of the Stevenson-Wydler Technology
Innovation Act of 1980 (15 U.S.C. 3703)); and
``(F) through collaborations with international
organizations;
``(2) addressing national, multi-agency, multi-faceted
challenges of national importance; and
``(3) fostering the transfer of research and development
results into new technologies and applications for the
benefit of society.''.
(b) Development of Strategic Plan.--Section 101 of the
High-Performance Computing Act of 1991 (15 U.S.C. 5511) is
amended by adding at the end the following:
``(e) Strategic Plan.--
``(1) In general.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the agencies under subsection (a)(3)(B), working
through the National Science and Technology Council and with
the assistance of the Office of Science and Technology Policy
shall develop a 5-year strategic plan to guide the activities
under subsection (a)(1).
``(2) Contents.--The strategic plan shall specify--
``(A) the near-term objectives for the Program;
``(B) the long-term objectives for the Program;
``(C) the anticipated time frame for achieving the near-
term objectives;
``(D) the metrics that will be used to assess any progress
made toward achieving the near-term objectives and the long-
term objectives; and
``(E) how the Program will achieve the goals and priorities
under subsection (d).
``(3) Implementation roadmap.--
``(A) In general.--The agencies under subsection (a)(3)(B)
shall develop and annually update an implementation roadmap
for the strategic plan.
``(B) Requirements.--The information in the implementation
roadmap shall be coordinated with the database under section
102(c) and the annual report under section 101(a)(3). The
implementation roadmap shall--
``(i) specify the role of each Federal agency in carrying
out or sponsoring research and development to meet the
research objectives of the strategic plan, including a
description of how progress toward the research objectives
will be evaluated, with consideration of any relevant
recommendations of the advisory committee;
``(ii) specify the funding allocated to each major research
objective of the strategic plan and the source of funding by
agency for the current fiscal year; and
``(iii) estimate the funding required for each major
research objective of the strategic plan for the next 3
fiscal years.
``(4) Recommendations.--The agencies under subsection
(a)(3)(B) shall take into consideration when developing the
strategic plan under paragraph (1) the recommendations of--
``(A) the advisory committee under subsection (b); and
``(B) the stakeholders under section 102(a)(3).
``(5) Report to congress.--The Director of the Office of
Science and Technology Policy shall transmit the strategic
plan under this subsection, including the implementation
roadmap and any updates under paragraph (3), to--
``(A) the advisory committee under subsection (b);
``(B) the Committee on Commerce, Science, and
Transportation of the Senate; and
``(C) the Committee on Science and Technology of the House
of Representatives.''.
(c) Periodic Reviews.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended by adding
at the end the following:
``(f) Periodic Reviews.--The agencies under subsection
(a)(3)(B) shall--
``(1) periodically assess the contents and funding levels
of the Program Component Areas and restructure the Program
when warranted, taking into consideration any relevant
recommendations of the advisory committee under subsection
(b); and
``(2) ensure that the Program includes national, multi-
agency, multi-faceted research and development activities,
including activities described in section 104.''.
(d) Additional Responsibilities of Director.--Section
101(a)(2) of the High-Performance Computing Act of 1991 (15
U.S.C. 5511(a)(2)) is amended--
(1) by redesignating subparagraphs (E) and (F) as
subparagraphs (G) and (H), respectively; and
(2) by inserting after subparagraph (D) the following:
``(E) encourage and monitor the efforts of the agencies
participating in the Program to allocate the level of
resources and management attention necessary--
``(i) to ensure that the strategic plan under subsection
(e) is developed and executed effectively; and
``(ii) to ensure that the objectives of the Program are
met;
``(F) working with the Office of Management and Budget and
in coordination with the creation of the database under
section 102(c), direct the Office of Science and Technology
Policy and the agencies participating in the Program to
establish a mechanism (consistent with existing law) to track
all ongoing and completed research and development projects
and associated funding;''.
(e) Advisory Committee.--Section 101(b) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is
amended--
(1) in paragraph (1)--
(A) by inserting after the first sentence the following:
``The co-chairs of the advisory committee shall meet the
qualifications of committee members and may be members of the
President's Council of Advisors on Science and Technology.'';
and
(B) by striking ``high-performance'' in subparagraph (D)
and inserting ``high-end''; and
(2) by amending paragraph (2) to read as follows:
``(2) In addition to the duties under paragraph (1), the
advisory committee shall conduct periodic evaluations of the
funding, management, coordination, implementation, and
activities of the Program. The advisory committee shall
report its findings and recommendations not less frequently
than once every 3 fiscal years to the Committee on Commerce,
Science, and Transportation of the Senate and the Committee
on Science and Technology of the House of Representatives.
The report shall be submitted in conjunction with the update
of the strategic plan.''.
(f) Report.--Section 101(a)(3) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
(1) in subparagraph (C)--
(A) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(B) by striking ``each Program Component Area'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104'';
(2) in subparagraph (D)--
(A) by striking ``each Program Component Area,'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104,'';
(B) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(C) by striking ``and'' after the semicolon;
(3) by redesignating subparagraph (E) as subparagraph (G);
and
(4) by inserting after subparagraph (D) the following:
``(E) include a description of how the objectives for each
Program Component Area, and the objectives for activities
that involve multiple Program Component Areas, relate to the
objectives of the Program identified in the strategic plan
under subsection (e);
``(F) include--
``(i) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the next
fiscal year by category of activity;
``(ii) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the current
fiscal year by category of activity; and
``(iii) the amount of funding provided for the Office of
Science and Technology Policy for the current fiscal year by
each agency participating in the Program; and''.
(g) Definitions.--Section 4 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5503) is amended--
(1) by redesignating paragraphs (1) and (2) as paragraphs
(2) and (3), respectively;
(2) by redesignating paragraph (3) as paragraph (6);
(3) by redesignating paragraphs (6) and (7) as paragraphs
(7) and (8), respectively;
(4) by inserting before paragraph (2), as redesignated, the
following:
``(1) `cyber-physical systems' means physical or engineered
systems whose networking and information technology functions
and physical elements are deeply integrated and are actively
connected to the physical world through sensors, actuators, or
other means to perform monitoring and control functions;'';
(5) in paragraph (3), as redesignated, by striking ``high-
performance computing'' and inserting ``networking and
information technology'';
(6) in paragraph (6), as redesignated--
(A) by striking ``high-performance computing'' and
inserting ``networking and information technology''; and
(B) by striking ``supercomputer'' and inserting ``high-end
computing'';
(7) in paragraph (5), by striking ``network referred to
as'' and all that follows through the semicolon and inserting
``network, including advanced computer networks of Federal
agencies and departments''; and
(8) in paragraph (7), as redesignated, by striking
``National High-Performance Computing Program'' and inserting
``networking and information technology research and
development program''.
SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
(a) Research in Areas of National Importance.--Title I of
the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et
seq.) is amended by adding at the end the following:
``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
``(a) In General.--The Program shall encourage agencies
under section 101(a)(3)(B) to support, maintain, and improve
national, multi-agency, multi-faceted, research and
development activities in networking and information
technology directed toward application areas that have the
potential for significant contributions to national economic
competitiveness and for other significant societal benefits.
``(b) Technical Solutions.--An activity under subsection
(a) shall be designed to advance the development of research
discoveries by demonstrating technical solutions to important
problems in areas including--
``(1) cybersecurity;
``(2) health care;
``(3) energy management and low-power systems and devices;
``(4) transportation, including surface and air
transportation;
``(5) cyber-physical systems;
``(6) large-scale data analysis and modeling of physical
phenomena;
``(7) large-scale data analysis and modeling of behavioral
phenomena;
``(8) supply chain quality and security; and
``(9) privacy protection and protected disclosure of
confidential data.
``(c) Recommendations.--The advisory committee under
section 101(b) shall make recommendations to the Program for
candidate research and development areas for support under
this section.
``(d) Characteristics.--
``(1) In general.--Research and development activities
under this section--
``(A) shall include projects selected on the basis of
applications for support through a competitive, merit-based
process;
``(B) shall leverage, when possible, Federal investments
through collaboration with related State initiatives;
``(C) shall include a plan for fostering the transfer of
research discoveries and the results of technology
demonstration activities, including from institutions of
higher education and Federal laboratories, to industry for
commercial development;
``(D) shall involve collaborations among researchers in
institutions of higher education and industry; and
``(E) may involve collaborations among nonprofit research
institutions and Federal laboratories, as appropriate.
``(2) Cost-sharing.--In selecting applications for support,
the agencies under section 101(a)(3)(B) shall give special
consideration to projects that include cost sharing from non-
Federal sources.
``(3) Multidisciplinary research centers.--Research and
development activities under this section shall be supported
through multidisciplinary research centers, including Federal
laboratories, that are organized to investigate basic
research questions and carry out technology demonstration
activities in areas described in subsection (a). Research may
be carried out through existing multidisciplinary centers,
including those authorized under section 7024(b)(2) of the
America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
(b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is
amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking the period at the end
and inserting a semicolon; and
(3) by adding at the end the following:
``(J) provide for increased understanding of the scientific
principles of cyber-physical systems and improve the methods
available for the design, development, and operation of
cyber-physical systems that are characterized by high
reliability, safety, and security; and
``(K) provide for research and development on human-
computer interactions, visualization, and big data.''.
(c) Task Force.--Title I of the High-Performance Computing
Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section
402(a) of this Act, is amended by adding at the end the
following:
``SEC. 105. TASK FORCE.
``(a) Establishment.--Not later than 180 days after the
date of enactment of the Strengthening and Enhancing
Cybersecurity by Using Research, Education, Information, and
Technology Act of 2012, the Director of the Office of Science
and Technology Policy under section 102 shall convene a task
force to explore mechanisms for carrying out collaborative
research and development activities for cyber-physical
systems (including the related technologies required to
enable these systems) through a consortium or other
appropriate entity with participants from institutions of
higher education, Federal laboratories, and industry.
``(b) Functions.--The task force shall--
``(1) develop options for a collaborative model and an
organizational structure for such entity under which the
joint research and development activities could be planned,
managed, and conducted effectively, including mechanisms for
the allocation of resources among the participants in such
entity for support of such activities;
``(2) propose a process for developing a research and
development agenda for such entity, including guidelines to
ensure an appropriate scope of work focused on nationally
significant challenges and requiring collaboration and to
ensure the development of related scientific and
technological milestones;
``(3) define the roles and responsibilities for the
participants from institutions of higher education, Federal
laboratories, and industry in such entity;
``(4) propose guidelines for assigning intellectual
property rights and for transferring research results to the
private sector; and
``(5) make recommendations for how such entity could be
funded from Federal, State, and non-governmental sources.
``(c) Composition.--In establishing the task force under
subsection (a), the Director of the Office of Science and
Technology Policy shall appoint an equal number of
individuals from institutions of higher education and from
industry with knowledge and expertise in cyber-physical
systems, and may appoint not more than 2 individuals from
Federal laboratories.
``(d) Report.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Director of the Office of Science and Technology
Policy shall transmit to the Committee on Commerce, Science,
and Transportation of the Senate and the Committee on Science
and Technology of the House of Representatives a report
describing the findings and recommendations of the task
force.
``(e) Termination.--The task force shall terminate upon
transmittal of the report required under subsection (d).
``(f) Compensation and Expenses.--Members of the task force
shall serve without compensation.''.
SEC. 403. PROGRAM IMPROVEMENTS.
Section 102 of the High-Performance Computing Act of 1991
(15 U.S.C. 5512) is amended to read as follows:
``SEC. 102. PROGRAM IMPROVEMENTS.
``(a) Functions.--The Director of the Office of Science and
Technology Policy shall continue--
``(1) to provide technical and administrative support to--
``(A) the agencies participating in planning and
implementing the Program, including support needed to develop
the strategic plan under section 101(e); and
``(B) the advisory committee under section 101(b);
``(2) to serve as the primary point of contact on Federal
networking and information technology activities for
government agencies, academia, industry, professional
societies, State computing and networking technology
programs, interested citizen groups, and others to exchange
technical and programmatic information;
``(3) to solicit input and recommendations from a wide
range of stakeholders during the development of each
strategic plan under section 101(e) by convening at least 1
workshop with invitees from academia, industry, Federal
laboratories, and other relevant organizations and
institutions;
``(4) to conduct public outreach, including the
dissemination of the advisory committee's findings and
recommendations, as appropriate;
``(5) to promote access to and early application of the
technologies, innovations, and expertise derived from Program
activities to agency missions and systems across the Federal
Government and to United States industry;
``(6) to ensure accurate and detailed budget reporting of
networking and information technology research and
development investment; and
``(7) to encourage agencies participating in the Program to
use existing programs and resources to strengthen networking
and information technology education and training, and
increase participation in such fields, including by women and
underrepresented minorities.
``(b) Source of Funding.--
``(1) In general.--The functions under this section shall
be supported by funds from each agency participating in the
Program.
``(2) Specifications.--The portion of the total budget of
the Office of Science and Technology Policy that is provided
by each agency participating in the Program for each
fiscal year shall be in the same proportion as each agency's
share of the total budget for the Program for the previous
fiscal year, as specified in the database under section
102(c).
``(c) Database.--
``(1) In general.--The Director of the Office of Science
and Technology Policy shall develop and maintain a database
of projects funded by each agency for the fiscal year for
each Program Component Area.
``(2) Public accessibility.--The Director of the Office of
Science and Technology Policy shall make the database
accessible to the public.
``(3) Database contents.--The database shall include, for
each project in the database--
``(A) a description of the project;
``(B) each agency, industry, institution of higher
education, Federal laboratory, or international institution
involved in the project;
``(C) the source funding of the project (set forth by
agency);
``(D) the funding history of the project; and
``(E) whether the project has been completed.''.
SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION
TECHNOLOGY, INCLUDING HIGH PERFORMANCE
COMPUTING.
Section 201(a) of the High-Performance Computing Act of
1991 (15 U.S.C. 5521(a)) is amended--
(1) by redesignating paragraphs (2) through (4) as
paragraphs (3) through (5), respectively; and
(2) by inserting after paragraph (1) the following:
``(2) the National Science Foundation shall use its
existing programs, in collaboration with other agencies, as
appropriate, to improve the teaching and learning of
networking and information technology at all levels of
education and to increase participation in networking and
information technology fields;''.
SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
PERFORMANCE COMPUTING ACT OF 1991.
(a) Section 3.--Section 3 of the High-Performance Computing
Act of 1991 (15 U.S.C. 5502) is amended--
(1) in the matter preceding paragraph (1), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(2) in paragraph (1)--
(A) in the matter preceding subparagraph (A), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(B) in subparagraphs (A), (F), and (G), by striking ``high-
performance computing'' each place it appears and inserting
``networking and information technology''; and
(C) in subparagraph (H), by striking ``high-performance''
and inserting ``high-end''; and
(3) in paragraph (2)--
(A) by striking ``high-performance computing and'' and
inserting ``networking and information technology, and''; and
(B) by striking ``high-performance computing network'' and
inserting ``networking and information technology''.
(b) Title Heading.--The heading of title I of the High-
Performance Computing Act of 1991 (105 Stat. 1595) is amended
by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting
``NETWORKING AND INFORMATION TECHNOLOGY''.
(c) Section 101.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended--
(1) in the section heading, by striking ``high-performance
computing'' and inserting ``networking and information
technology research and development'';
(2) in subsection (a)--
(A) in the subsection heading, by striking ``National High-
Performance Computing'' and inserting ``Networking and
Information Technology Research and Development'';
(B) in paragraph (1)--
(i) by striking ``National High-Performance Computing
Program'' and inserting ``networking and information
technology research and development program'';
(ii) in subparagraph (A), by striking ``high-performance
computing, including networking'' and inserting ``networking
and information technology'';
(iii) in subparagraphs (B) and (G), by striking ``high-
performance'' each place it appears and inserting ``high-
end''; and
(iv) in subparagraph (C), by striking ``high-performance
computing and networking'' and inserting ``high-end
computing, distributed, and networking''; and
(C) in paragraph (2)--
(i) in subparagraphs (A) and (C)--
(I) by striking ``high-performance computing'' each place
it appears and inserting ``networking and information
technology''; and
(II) by striking ``development, networking,'' each place it
appears and inserting ``development,''; and
(ii) in subparagraphs (G) and (H), as redesignated by
section 401(d) of this Act, by striking ``high-performance''
each place it appears and inserting ``high-end'';
(3) in subsection (b)(1), in the matter preceding
subparagraph (A), by striking ``high-performance computing''
each place it appears and inserting ``networking and
information technology''; and
(4) in subsection (c)(1)(A), by striking ``high-performance
computing'' and inserting ``networking and information
technology''.
(d) Section 201.--Section 201(a)(1) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by
striking ``high-performance computing and advanced high-speed
computer networking'' and inserting ``networking and
information technology research and development''.
(e) Section 202.--Section 202(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by
striking ``high-performance computing'' and inserting
``networking and information technology''.
(f) Section 203.--Section 203(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
(1) in paragraph (1), by striking ``high-performance
computing and networking'' and inserting ``networking and
information technology''; and
(2) in paragraph (2)(A), by striking ``high-performance''
and inserting ``high-end''.
(g) Section 204.--Section 204 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5524) is amended--
(1) in subsection (a)(1)--
(A) in subparagraph (A), by striking ``high-performance
computing systems and networks'' and inserting ``networking
and information technology systems and capabilities'';
(B) in subparagraph (B), by striking ``interoperability of
high-performance computing systems in networks and for common
user interfaces to systems'' and inserting ``interoperability
and usability of networking and information technology
systems''; and
(C) in subparagraph (C), by striking ``high-performance
computing'' and inserting ``networking and information
technology''; and
(2) in subsection (b)--
(A) by striking ``High-Performance Computing and Network''
in the heading and inserting ``Networking and Information
Technology''; and
(B) by striking ``sensitive''.
(h) Section 205.--Section 205(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by
striking ``computational'' and inserting ``networking and
information technology''.
(i) Section 206.--Section 206(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by
striking ``computational research'' and inserting
``networking and information technology research''.
(j) Section 207.--Section 207 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5527) is amended by striking
``high-performance computing'' and inserting ``networking and
information technology''.
(k) Section 208.--Section 208 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5528) is amended--
(1) in the section heading, by striking ``high-performance
computing'' and inserting ``networking and information
technology''; and
(2) in subsection (a)--
(A) in paragraph (1), by striking ``High-performance
computing and associated'' and inserting ``Networking and
information'';
(B) in paragraph (2), by striking ``high-performance
computing'' and inserting ``networking and information
technologies'';
(C) in paragraph (3), by striking ``high-performance'' and
inserting ``high-end'';
(D) in paragraph (4), by striking ``high-performance
computers and associated'' and inserting ``networking and
information''; and
(E) in paragraph (5), by striking ``high-performance
computing and associated'' and inserting ``networking and
information''.
SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) In General.--The Director of the National Science
Foundation, in coordination with the Secretary of Homeland
Security, shall carry out a Federal cyber scholarship-for-
service program to recruit and train the next generation of
information technology professionals and security managers to
meet the needs of the cybersecurity mission for the Federal
government.
(b) Program Description and Components.--The program
shall--
(1) annually assess the workforce needs of the Federal
government for cybersecurity professionals, including network
engineers, software engineers, and other experts in order to
determine how many scholarships should be awarded annually to
ensure that the workforce needs following graduation match
the number of scholarships awarded;
(2) provide scholarships for up to 1,000 students per year
in their pursuit of undergraduate or graduate degrees in the
cybersecurity field, in an amount that may include coverage
for full tuition, fees, and a stipend;
(3) require each scholarship recipient, as a condition of
receiving a scholarship under the program, to serve in a
Federal information technology workforce for a period equal
to one and one-half times each year, or partial year, of
scholarship received, in addition to an internship in the
cybersecurity field, if applicable, following graduation;
(4) provide a procedure for the National Science Foundation
or a Federal agency, consistent with regulations of the
Office of Personnel Management, to request and fund a
security clearance for a scholarship recipient, including
providing for clearance during a summer internship and upon
graduation; and
(5) provide opportunities for students to receive temporary
appointments for meaningful employment in the Federal
information technology workforce during school vacation
periods and for internships.
(c) Hiring Authority.--
(1) In general.--For purposes of any law or regulation
governing the appointment of an
individual in the Federal civil service, upon the successful
completion of the student's studies, a student receiving a
scholarship under the program may--
(A) be hired under section 213.3102(r) of title 5, Code of
Federal Regulations; and
(B) be exempt from competitive service.
(2) Competitive service.--Upon satisfactory fulfillment of
the service term under paragraph (1), an individual may be
converted to a competitive service position without
competition if the individual meets the requirements for that
position.
(d) Eligibility.--The eligibility requirements for a
scholarship under this section shall include that a
scholarship applicant--
(1) be a citizen of the United States;
(2) be eligible to be granted a security clearance;
(3) maintain a grade point average of 3.2 or above on a 4.0
scale for undergraduate study or a 3.5 or above on a 4.0
scale for postgraduate study;
(4) demonstrate a commitment to a career in improving the
security of the information infrastructure; and
(5) have demonstrated a level of proficiency in math or
computer sciences.
(e) Failure to Complete Service Obligation.--
(1) In general.--A scholarship recipient under this section
shall be liable to the United States under paragraph (2) if
the scholarship recipient--
(A) fails to maintain an acceptable level of academic
standing in the educational institution in which the
individual is enrolled, as determined by the Director;
(B) is dismissed from such educational institution for
disciplinary reasons;
(C) withdraws from the program for which the award was made
before the completion of such program;
(D) declares that the individual does not intend to fulfill
the service obligation under this section;
(E) fails to fulfill the service obligation of the
individual under this section; or
(F) loses a security clearance or becomes ineligible for a
security clearance.
(2) Repayment amounts.--
(A) Less than 1 year of service.--If a circumstance under
paragraph (1) occurs before the completion of 1 year of a
service obligation under this section, the total amount of
awards received by the individual under this section shall be
repaid.
(B) One or more years of service.--If a circumstance
described in subparagraph (D) or (E) of paragraph (1) occurs
after the completion of 1 year of a service obligation under
this section, the total amount of scholarship awards received
by the individual under this section, reduced by the ratio of
the number of years of service completed divided by the
number of years of service required, shall be repaid.
(f) Evaluation and Report.--The Director of the National
Science Foundation shall--
(1) evaluate the success of recruiting individuals for
scholarships under this section and of hiring and retaining
those individuals in the public sector workforce, including
the annual cost and an assessment of how the program actually
improves the Federal workforce; and
(2) periodically report the findings under paragraph (1) to
Congress.
(g) Authorization of Appropriations.--From amounts made
available under section 503 of the America COMPETES
Reauthorization Act of 2010 (124 Stat. 4005), the Director
may use funds to carry out the requirements of this section
for fiscal years 2012 through 2013.
SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF
INFORMATION INFRASTRUCTURE PROFESSIONALS.
(a) Study.--The President shall enter into an agreement
with the National Academies to conduct a comprehensive study
of government, academic, and private-sector accreditation,
training, and certification programs for personnel working in
information infrastructure. The agreement shall require the
National Academies to consult with sector coordinating
councils and relevant governmental agencies, regulatory
entities, and nongovernmental organizations in the course of
the study.
(b) Scope.--The study shall include--
(1) an evaluation of the body of knowledge and various
skills that specific categories of personnel working in
information infrastructure should possess in order to secure
information systems;
(2) an assessment of whether existing government, academic,
and private-sector accreditation, training, and certification
programs provide the body of knowledge and various skills
described in paragraph (1);
(3) an analysis of any barriers to the Federal Government
recruiting and hiring cybersecurity talent, including
barriers relating to compensation, the hiring process, job
classification, and hiring flexibility; and
(4) an analysis of the sources and availability of
cybersecurity talent, a comparison of the skills and
expertise sought by the Federal Government and the private
sector, an examination of the current and future capacity of
United States institutions of higher education, including
community colleges, to provide current and future
cybersecurity professionals, through education and training
activities, with those skills sought by the Federal
Government, State and local entities, and the private sector.
(c) Report.--Not later than 1 year after the date of
enactment of this Act, the National Academies shall submit to
the President and Congress a report on the results of the
study. The report shall include--
(1) findings regarding the state of information
infrastructure accreditation, training, and certification
programs, including specific areas of deficiency and
demonstrable progress; and
(2) recommendations for the improvement of information
infrastructure accreditation, training, and certification
programs.
SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.
(a) In General.--The Director of the National Institute of
Standards and Technology, in coordination with appropriate
Federal authorities, shall--
(1) as appropriate, ensure coordination of Federal agencies
engaged in the development of international technical
standards related to information system security; and
(2) not later than 1 year after the date of enactment of
this Act, develop and transmit to Congress a plan for
ensuring such Federal agency coordination.
(b) Consultation With the Private Sector.--In carrying out
the activities under subsection (a)(1), the Director shall
ensure consultation with appropriate private sector
stakeholders.
SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.
The Director of the National Institute of Standards and
Technology shall continue a program to support the
development of technical standards, metrology, testbeds, and
conformance criteria, taking into account appropriate user
concerns--
(1) to improve interoperability among identity management
technologies;
(2) to strengthen authentication methods of identity
management systems;
(3) to improve privacy protection in identity management
systems, including health information technology systems,
through authentication and security protocols; and
(4) to improve the usability of identity management
systems.
SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) National Science Foundation Computer and Network
Security Research Grant Areas.--Section 4(a)(1) of the Cyber
Security Research and Development Act (15 U.S.C. 7403(a)(1))
is amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking ``property.'' and
inserting ``property;''; and
(3) by adding at the end the following:
``(J) secure fundamental protocols that are at the heart of
inter-network communications and data exchange;
``(K) system security that addresses the building of secure
systems from trusted and untrusted components;
``(L) monitoring and detection; and
``(M) resiliency and rapid recovery methods.''.
(b) National Science Foundation Computer and Network
Security Grants.--Section 4(a)(3) of the Cyber Security
Research and Development Act (15 U.S.C. 7403(a)(3)) is
amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(c) Computer and Network Security Centers.--Section 4(b)(7)
of the Cyber Security Research and Development Act (15 U.S.C.
7403(b)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(d) Computer and Network Security Capacity Building
Grants.--Section 5(a)(6) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(a)(6)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(e) Scientific and Advanced Technology Act Grants.--Section
5(b)(2) of the Cyber Security Research and Development Act
(15 U.S.C. 7404(b)(2)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(f) Graduate Traineeships in Computer and Network Security
Research.--Section 5(c)(7) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(c)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
______
SA 2608. Mr. McCAIN (for himself, Mrs. Hutchison, Mr. Chambliss, Mr.
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of
Wisconsin) submitted an amendment intended to be proposed by him to the
bill S. 3414, to enhance the security and resiliency of the cyber and
communications infrastructure of the United States; which was ordered
to lie on the table; as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the
``Strengthening and Enhancing Cybersecurity by Using
Research, Education, Information, and Technology Act of
2012'' or ``SECURE IT''.
(b) Table of Contents.--The table of contents of this Act
is as follows:
Sec. 1. Short title; table of contents.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.
TITLE III--CRIMINAL PENALTIES
Sec. 301. Penalties for fraud and related activity in connection with
computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity
in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
Sec. 401. National High-Performance Computing Program planning and
coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology,
including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance
Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of
information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
SEC. 101. DEFINITIONS.
In this title:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in section 1(a) of the
Clayton Act (15 U.S.C. 12(a));
(B) includes section 5 of the Federal Trade Commission Act
(15 U.S.C. 45) to the extent that section 5 of that Act
applies to unfair methods of competition; and
(C) includes any State law that has the same intent and
effect as the laws under subparagraphs (A) and (B).
(3) Countermeasure.--The term ``countermeasure'' means an
automated or a manual action with defensive intent to
mitigate cyber threats.
(4) Cyber threat information.--The term ``cyber threat
information'' means information that indicates or describes--
(A) a technical or operational vulnerability or a cyber
threat mitigation measure;
(B) an action or operation to mitigate a cyber threat;
(C) malicious reconnaissance, including anomalous patterns
of network activity that appear to be transmitted for the
purpose of gathering technical information related to a
cybersecurity threat;
(D) a method of defeating a technical control;
(E) a method of defeating an operational control;
(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
(G) a method of causing a user with legitimate access to an
information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
(H) any other attribute of a cybersecurity threat or cyber
defense information that would foster situational awareness
of the United States cybersecurity posture, if disclosure of
such attribute or information is not otherwise prohibited by
law;
(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
(J) any combination of subparagraphs (A) through (I).
(5) Cybersecurity center.--The term ``cybersecurity
center'' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
(6) Cybersecurity system.--The term ``cybersecurity
system'' means a system designed or employed to ensure the
integrity, confidentiality, or availability of, or to
safeguard, a system or network, including measures intended
to protect a system or network from--
(A) efforts to degrade, disrupt, or destroy such system or
network; or
(B) theft or misappropriations of private or government
information, intellectual property, or personally
identifiable information.
(7) Entity.--
(A) In general.--The term ``entity'' means any private
entity, non-Federal government agency or department, or
State, tribal, or local government agency or department
(including an officer, employee, or agent thereof).
(B) Inclusions.--The term ``entity'' includes a government
agency or department (including an officer, employee, or
agent thereof) of the District of Columbia, the Commonwealth
of Puerto Rico, the Virgin Islands, Guam, American Samoa, the
Northern Mariana Islands, and any other territory or
possession of the United States.
(8) Federal information system.--The term ``Federal
information system'' means an information system of a Federal
department or agency used or operated by an executive agency,
by a contractor of an executive agency, or by another
organization on behalf of an executive agency.
(9) Information security.--The term ``information
security'' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
(B) confidentiality, by preserving authorized restrictions
on access and disclosure, including means for protecting
personal privacy and proprietary information; or
(C) availability, by ensuring timely and reliable access to
and use of information.
(10) Information system.--The term ``information system''
has the meaning given the term in section 3502 of title 44,
United States Code.
(11) Local government.--The term ``local government'' means
any borough, city, county, parish, town, township, village,
or other general purpose political subdivision of a State.
(12) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
(13) Operational control.--The term ``operational control''
means a security control for an information system that
primarily is implemented and executed by people.
(14) Operational vulnerability.--The term ``operational
vulnerability'' means any attribute of policy, process, or
procedure that could enable or facilitate the defeat of an
operational control.
(15) Private entity.--The term ``private entity'' means any
individual or any private group, organization, or
corporation, including an officer, employee, or agent
thereof.
(16) Significant cyber incident.--The term ``significant
cyber incident'' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
(B) an incident in which an operational or technical
control essential to the security or
operation of a Federal information system was defeated.
(17) Technical control.--The term ``technical control''
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
(18) Technical vulnerability.--The term ``technical
vulnerability'' means any attribute of hardware or software
that could enable or facilitate the defeat of a technical
control.
(19) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian Self-
Determination and Education Assistance Act (25 U.S.C. 450b).
SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.
(a) Voluntary Disclosure.--
(1) Private entities.--Notwithstanding any other provision
of law, a private entity may, for the purpose of preventing,
investigating, or otherwise mitigating threats to information
security, on its own networks, or as authorized by another
entity, on such entity's networks, employ countermeasures and
use cybersecurity systems in order to obtain, identify, or
otherwise possess cyber threat information.
(2) Entities.--Notwithstanding any other provision of law,
an entity may disclose cyber threat information to--
(A) a cybersecurity center; or
(B) any other entity in order to assist with preventing,
investigating, or otherwise mitigating threats to information
security.
(3) Information security providers.--If the cyber threat
information described in paragraph (1) is obtained,
identified, or otherwise possessed in the course of providing
information security products or services under contract to
another entity, that entity shall be given, at any time prior
to disclosure of such information, a reasonable opportunity
to authorize or prevent such disclosure, to request
anonymization of such information, or to request that
reasonable efforts be made to safeguard such information that
identifies specific persons from unauthorized access or
disclosure.
(b) Significant Cyber Incidents Involving Federal
Information Systems.--
(1) In general.--An entity providing electronic
communication services, remote computing services, or
information security services to a Federal department or
agency shall inform the Federal department or agency of a
significant cyber incident involving the Federal information
system of that Federal department or agency that--
(A) is directly known to the entity as a result of
providing such services;
(B) is directly related to the provision of such services
by the entity; and
(C) as determined by the entity, has impeded or will impede
the performance of a critical mission of the Federal
department or agency.
(2) Advance coordination.--A Federal department or agency
receiving the services described in paragraph (1) shall
coordinate in advance with an entity described in paragraph
(1) to develop the parameters of any information that may be
provided under paragraph (1), including clarification of the
type of significant cyber incident that will impede the
performance of a critical mission of the Federal department
or agency.
(3) Report.--A Federal department or agency shall report
information provided under this subsection to a cybersecurity
center.
(4) Construction.--Any information provided to a
cybersecurity center under paragraph (3) shall be treated in
the same manner as information provided to a cybersecurity
center under subsection (a).
(c) Information Shared With or Provided to a Cybersecurity
Center.--Cyber threat information provided to a cybersecurity
center under this section--
(1) may be disclosed to, retained by, and used by,
consistent with otherwise applicable Federal law, any Federal
agency or department, component, officer, employee, or agent
of the Federal government for a cybersecurity purpose, a
national security purpose, or in order to prevent,
investigate, or prosecute any of the offenses listed in
section 2516 of title 18, United States Code, and such
information shall not be disclosed to, retained by, or used
by any Federal agency or department for any use not permitted
under this paragraph;
(2) may, with the prior written consent of the entity
submitting such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except that if the need for immediate
disclosure prevents obtaining written consent, such consent
may be provided orally with subsequent documentation of such
consent;
(3) shall be considered the commercial, financial, or
proprietary information of the entity providing such
information to the Federal government and any disclosure
outside the Federal government may only be made upon the
prior written consent by such entity and shall not constitute
a waiver of any applicable privilege or protection provided
by law, except that if the need for immediate disclosure
prevents obtaining written consent, such consent may be
provided orally with subsequent documentation of such
consent;
(4) shall be deemed voluntarily shared information and
exempt from disclosure under section 552 of title 5, United
States Code, and any State, tribal, or local law requiring
disclosure of information or records;
(5) shall be, without discretion, withheld from the public
under section 552(b)(3)(B) of title 5, United States Code,
and any State, tribal, or local law requiring disclosure of
information or records;
(6) shall not be subject to the rules of any Federal agency
or department or any judicial doctrine regarding ex parte
communications with a decision-making official;
(7) shall not, if subsequently provided to a State, tribal,
or local government or government agency, otherwise be
disclosed or distributed to any entity by such State, tribal,
or local government or government agency without the prior
written consent of the entity submitting such information,
notwithstanding any State, tribal, or local law requiring
disclosure of information or records, except that if the need
for immediate disclosure prevents obtaining written consent,
such consent may be provided orally with subsequent
documentation of such consent; and
(8) shall not be directly used by any Federal, State,
tribal, or local department or agency to regulate the lawful
activities of an entity, including activities relating to
obtaining, identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this paragraph.
(d) Procedures Relating to Information Sharing With a
Cybersecurity Center.--Not later than 60 days after the date
of enactment of this Act, the heads of each department or
agency containing a cybersecurity center shall jointly
develop, promulgate, and submit to Congress procedures to
ensure that cyber threat information shared with or provided
to--
(1) a cybersecurity center under this section--
(A) may be submitted to a cybersecurity center by an
entity, to the greatest extent possible, through a uniform,
publicly available process or format that is easily
accessible on the website of such cybersecurity center, and
that includes the ability to provide relevant details about
the cyber threat information and written consent to any
subsequent disclosures authorized by this paragraph;
(B) shall immediately be further shared with each
cybersecurity center in order to prevent, investigate, or
otherwise mitigate threats to information security across the
Federal government;
(C) is handled by the Federal government in a reasonable
manner, including consideration of the need to protect the
privacy and civil liberties of individuals through
anonymization or other appropriate methods, while fully
accomplishing the objectives of this title, and the Federal
government may undertake efforts consistent with this
subparagraph to limit the impact on privacy and civil
liberties of the sharing of cyber threat information with the
Federal government; and
(D) except as provided in this section, shall only be used,
disclosed, or handled in accordance with the provisions of
subsection (c); and
(2) a Federal agency or department under subsection (b) is
provided immediately to a cybersecurity center in order to
prevent, investigate, or otherwise mitigate threats to
information security across the Federal government.
(e) Information Shared Between Entities.--
(1) In general.--An entity sharing cyber threat information
with another entity under this title may restrict the use or
sharing of such information by such other entity.
(2) Further sharing.--Cyber threat information shared by
any entity with another entity under this title--
(A) shall only be further shared in accordance with any
restrictions placed on the sharing of such information by the
entity authorizing such sharing, such as appropriate
anonymization of such information; and
(B) may not be used by any entity to gain an unfair
competitive advantage to the detriment of the entity
authorizing the sharing of such information, except that the
conduct described in paragraph (3) shall not constitute
unfair competitive conduct.
(3) Information shared with state, tribal, or local
government or government agency.--Cyber threat information
shared with a State, tribal, or local government or
government agency under this title--
(A) may, with the prior written consent of the entity
sharing such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except if the need for immediate disclosure
prevents obtaining written consent, consent may be provided
orally with subsequent documentation of the consent;
(B) shall be deemed voluntarily shared information and
exempt from disclosure under any State, tribal, or local law
requiring disclosure of information or records;
(C) shall not be disclosed or distributed to any entity by
the State, tribal, or local government or government agency
without the prior written consent of the entity submitting
such information, notwithstanding any
State, tribal, or local law requiring disclosure of
information or records, except if the need for immediate
disclosure prevents obtaining written consent, consent may be
provided orally with subsequent documentation of the consent;
and
(D) shall not be directly used by any State, tribal, or
local department or agency to regulate the lawful activities
of an entity, including activities relating to obtaining,
identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this
subparagraph.
(4) Antitrust exemption.--The exchange or provision of
cyber threat information or assistance between 2 or more
private entities under this title shall not be considered a
violation of any provision of antitrust laws if exchanged or
provided in order to assist with--
(A) facilitating the prevention, investigation, or
mitigation of threats to information security; or
(B) communicating or disclosing of cyber threat information
to help prevent, investigate or otherwise mitigate the
effects of a threat to information security.
(5) No right or benefit.--The provision of cyber threat
information to an entity under this section shall not create
a right or a benefit to similar information by such entity or
any other entity.
(f) Federal Preemption.--
(1) In general.--This section supersedes any statute or
other law of a State or political subdivision of a State that
restricts or otherwise expressly regulates an activity
authorized under this section.
(2) State law enforcement.--Nothing in this section shall
be construed to supersede any statute or other law of a State
or political subdivision of a State concerning the use of
authorized law enforcement techniques.
(3) Public disclosure.--No information shared with or
provided to a State, tribal, or local government or
government agency pursuant to this section shall be made
publicly available pursuant to any State, tribal, or local
law requiring disclosure of information or records.
(g) Civil and Criminal Liability.--
(1) General protections.--
(A) Private entities.--No cause of action shall lie or be
maintained in any court against any private entity for--
(i) the use of countermeasures and cybersecurity systems as
authorized by this title;
(ii) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(iii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
private entity.
(B) Entities.--No cause of action shall lie or be
maintained in any court against any entity for--
(i) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(ii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
entity.
(2) Construction.--Nothing in this subsection shall be
construed as creating any immunity against, or otherwise
affecting, any action brought by the Federal government, or
any agency or department thereof, to enforce any law,
executive order, or procedure governing the appropriate
handling, disclosure, and use of classified information.
(h) Otherwise Lawful Disclosures.--Nothing in this section
shall be construed to limit or prohibit otherwise lawful
disclosures of communications, records, or other information
by a private entity to any other governmental or private
entity not covered under this section.
(i) Whistleblower Protection.--Nothing in this Act shall be
construed to preempt or preclude any employee from exercising
rights currently provided under any whistleblower law, rule,
or regulation.
(j) Relationship to Other Laws.--The submission of cyber
threat information under this section to a cybersecurity
center shall not affect any requirement under any other
provision of law for an entity to provide information to the
Federal government.
SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.
(a) Classified Information.--
(1) Procedures.--Consistent with the protection of
intelligence sources and methods, and as otherwise determined
appropriate, the Director of National Intelligence and the
Secretary of Defense, in consultation with the heads of the
appropriate Federal departments or agencies, shall develop
and promulgate procedures to facilitate and promote--
(A) the immediate sharing, through the cybersecurity
centers, of classified cyber threat information in the
possession of the Federal government with appropriately
cleared representatives of any appropriate entity; and
(B) the declassification and immediate sharing, through the
cybersecurity centers, with any entity or, if appropriate,
public availability of cyber threat information in the
possession of the Federal government;
(2) Handling of classified information.--The procedures
developed under paragraph (1) shall ensure that each entity
receiving classified cyber threat information pursuant to
this section has acknowledged in writing the ongoing
obligation to comply with all laws, executive orders, and
procedures concerning the appropriate handling, disclosure,
or use of classified information.
(b) Unclassified Cyber Threat Information.--The heads of
each department or agency containing a cybersecurity center
shall jointly develop and promulgate procedures that ensure
that, consistent with the provisions of this section,
unclassified, including controlled unclassified, cyber threat
information in the possession of the Federal government--
(1) is shared, through the cybersecurity centers, in an
immediate and adequate manner with appropriate entities; and
(2) if appropriate, is made publicly available.
(c) Development of Procedures.--
(1) In general.--The procedures developed under this
section shall incorporate, to the greatest extent possible,
existing processes utilized by sector specific information
sharing and analysis centers.
(2) Coordination with entities.--In developing the
procedures required under this section, the Director of
National Intelligence and the heads of each department or
agency containing a cybersecurity center shall coordinate
with appropriate entities to ensure that protocols are
implemented that will facilitate and promote the sharing of
cyber threat information by the Federal government.
(d) Additional Responsibilities of Cybersecurity Centers.--
Consistent with section 102, a cybersecurity center shall--
(1) facilitate information sharing, interaction, and
collaboration among and between cybersecurity centers and--
(A) other Federal entities;
(B) any entity; and
(C) international partners, in consultation with the
Secretary of State;
(2) disseminate timely and actionable cybersecurity threat,
vulnerability, mitigation, and warning information, including
alerts, advisories, indicators, signatures, and mitigation
and response measures, to improve the security and protection
of information systems; and
(3) coordinate with other Federal entities, as appropriate,
to integrate information from across the Federal government
to provide situational awareness of the cybersecurity posture
of the United States.
(e) Sharing Within the Federal Government.--The heads of
appropriate Federal departments and agencies shall ensure
that cyber threat information in the possession of such
Federal departments or agencies that relates to the
prevention, investigation, or mitigation of threats to
information security across the Federal government is shared
effectively with the cybersecurity centers.
(f) Submission to Congress.--Not later than 60 days after
the date of enactment of this Act, the Director of National
Intelligence, in coordination with the appropriate head of a
department or an agency containing a cybersecurity center,
shall submit the procedures required by this section to
Congress.
SEC. 104. CONSTRUCTION.
(a) Information Sharing Relationships.--Nothing in this
title shall be construed--
(1) to limit or modify an existing information sharing
relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship
between any entity and the Federal government, except as
specified under section 102(b); or
(4) to modify the authority of a department or agency of
the Federal government to protect sources and methods and the
national security of the United States.
(b) Anti-tasking Restriction.--Nothing in this title shall
be construed to permit the Federal government--
(1) to require an entity to share information with the
Federal government, except as expressly provided under
section 102(b); or
(2) to condition the sharing of cyber threat information
with an entity on such entity's provision of cyber threat
information to the Federal government.
(c) No Liability for Non-participation.--Nothing in this
title shall be construed to subject any entity to liability
for choosing not to engage in the voluntary activities
authorized under this title.
(d) Use and Retention of Information.--Nothing in this
title shall be construed to authorize, or to modify any
existing authority of, a department or agency of the Federal
government to retain or use any information shared under
section 102 for any use other than a use permitted under
subsection 102(c)(1).
(e) No New Funding.--An applicable Federal agency shall
carry out the provisions of this title with existing
facilities and funds otherwise available, through such means
as the head of the agency considers appropriate.
SEC. 105. REPORT ON IMPLEMENTATION.
(a) Content of Report.--Not later than 1 year after the
date of enactment of this Act, and biennially thereafter, the
heads of each department or agency containing a cybersecurity
center shall jointly submit, in coordination with the privacy
and civil liberties officials of such departments or agencies
and the Privacy and Civil Liberties Oversight Board, a
detailed report to Congress concerning the implementation of
this title, including--
(1) an assessment of the sufficiency of the procedures
developed under section 103 of this Act in ensuring that
cyber threat information in the possession of the Federal
government is provided in an immediate and adequate manner to
appropriate entities or, if appropriate, is made publicly
available;
(2) an assessment of whether information has been
appropriately classified and an accounting of the number of
security clearances authorized by the Federal government for
purposes of this title;
(3) a review of the type of cyber threat information shared
with a cybersecurity center under section 102 of this Act,
including whether such information meets the definition of
cyber threat information under section 101, the degree to
which such information may impact the privacy and civil
liberties of individuals, any appropriate metrics to
determine any impact of the sharing of such information with
the Federal government on privacy and civil liberties, and
the adequacy of any steps taken to reduce such impact;
(4) a review of actions taken by the Federal government
based on information provided to a cybersecurity center under
section 102 of this Act, including the appropriateness of any
subsequent use under section 102(c)(1) of this Act and
whether there was inappropriate stovepiping within the
Federal government of any such information;
(5) a description of any violations of the requirements of
this title by the Federal government;
(6) a classified list of entities that received classified
information from the Federal government under section 103 of
this Act and a description of any indication that such
information may not have been appropriately handled;
(7) a summary of any breach of information security, if
known, attributable to a specific failure by any entity or
the Federal government to act on cyber threat information in
the possession of such entity or the Federal government that
resulted in substantial economic harm or injury to a specific
entity or the Federal government; and
(8) any recommendation for improvements or modifications to
the authorities under this title.
(b) Form of Report.--The report under subsection (a) shall
be submitted in unclassified form, but shall include a
classified annex.
SEC. 106. INSPECTOR GENERAL REVIEW.
(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency are authorized to review compliance
by the cybersecurity centers, and by any Federal department
or agency receiving cyber threat information from such
cybersecurity centers, with the procedures required under
section 102 of this Act.
(b) Scope of Review.--The review under subsection (a) shall
consider whether the Federal government has handled such
cyber threat information in a reasonable manner, including
consideration of the need to protect the privacy and civil
liberties of individuals through anonymization or other
appropriate methods, while fully accomplishing the objectives
of this title.
(c) Report to Congress.--Each review conducted under this
section shall be provided to Congress not later than 30 days
after the date of completion of the review.
SEC. 107. TECHNICAL AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
(1) in paragraph (8), by striking ``or'';
(2) in paragraph (9), by striking ``wells.'' and inserting
``wells; or''; and
(3) by adding at the end the following:
``(10) information shared with or provided to a
cybersecurity center under section 102 of title I of the
Strengthening and Enhancing Cybersecurity by Using Research,
Education, Information, and Technology Act of 2012.''.
SEC. 108. ACCESS TO CLASSIFIED INFORMATION.
(a) Authorization Required.--No person shall be provided
with access to classified information (as defined in section
6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to
classified national security information)) relating to cyber
security threats or cyber security vulnerabilities under this
title without the appropriate security clearances.
(b) Security Clearances.--The appropriate Federal agencies
or departments shall, consistent with applicable procedures
and requirements, and if otherwise deemed appropriate, assist
an individual in timely obtaining an appropriate security
clearance where such individual has been determined to be
eligible for such clearance and has a need-to-know (as
defined in section 6.1 of that Executive Order) classified
information to carry out this title.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY
POLICY.
(a) In General.--Chapter 35 of title 44, United States
Code, is amended by striking subchapters II and III and
inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the
effectiveness of information security controls over
information resources that support Federal operations and
assets;
``(2) to recognize the highly networked nature of the
current Federal computing environment and provide effective
government-wide management of policies, directives,
standards, and guidelines, as well as effective and nimble
oversight of and response to information security risks,
including coordination of information security efforts
throughout the Federal civilian, national security, and law
enforcement communities;
``(3) to provide for development and maintenance of
controls required to protect agency information and
information systems and contribute to the overall improvement
of agency information security posture;
``(4) to provide for the development of tools and methods
to assess and respond to real-time situational risk for
Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency
information security programs through continuous monitoring
of agency information systems and streamlined reporting
requirements rather than overly prescriptive manual
reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security'
means security commensurate with the risk and magnitude of
the harm resulting from the unauthorized access to or loss,
misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the
term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity
center' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat
information' means information that indicates or describes--
``(A) a technical or operation vulnerability or a cyber
threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous
patterns of network activity that appear to be transmitted
for the purpose of gathering technical information related to
a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
``(G) a method of causing a user with legitimate access to
an information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
``(H) any other attribute of a cybersecurity threat or
cyber defense information that would foster situational
awareness of the United States cybersecurity posture, if
disclosure of such attribute or information is not otherwise
prohibited by law;
``(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of
the Office of Management and Budget unless otherwise
specified.
``(6) Environment of operation.--The term `environment of
operation' means the information system and environment in
which those systems operate, including changing threats,
vulnerabilities, technologies, and missions and business
practices.
``(7) Federal information system.--The term `Federal
information system' means an information system used or
operated by an executive agency, by a contractor of an
executive agency, or by another organization on behalf of an
executive agency.
``(8) Incident.--The term `incident' means an occurrence
that--
``(A) actually or imminently jeopardizes the integrity,
confidentiality, or availability of an information system or
the information that system controls, processes, stores, or
transmits; or
``(B) constitutes a violation of law or an imminent threat
of violation of a law, a security policy, a security
procedure, or an acceptable use policy.
``(9) Information resources.--The term `information
resources' has the meaning given the term in section 3502 of
title 44.
``(10) Information security.--The term `information
security' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
``(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized
restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access
to and use of information.
``(11) Information system.--The term `information system'
has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information
technology' has the meaning given the term in section 11101
of title 40.
``(13) Malicious reconnaissance.--The term `malicious
reconnaissance' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical
vulnerabilities of the information system, if such method is
associated with a known or suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system'
means any information system (including any
telecommunications system) used or operated by an agency or
by a contractor of an agency, or other organization on behalf
of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national
security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a
weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the
direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established
for information that have been specifically authorized under
criteria established by an Executive Order or an Act of
Congress to be kept classified in the interest of national
defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include
a system that is to be used for routine administrative and
business applications (including payroll, finance, logistics,
and personnel management applications).
``(15) Operational control.--The term `operational control'
means a security control for an information system that
primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the
term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary
of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means
the management, operational, and technical controls,
including safeguards or countermeasures, prescribed for an
information system to protect the confidentiality, integrity,
and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant
cyber incident' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
``(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
``(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
``(20) Technical control.--The term `technical control'
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
``Sec. 3553. Federal information security authority and
coordination
``(a) In General.--The Secretary, in consultation with the
Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives
governing agency information security operations, and require
implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards
and guidelines promulgated under section 11331 of title 40 to
identify and provide information security protections
prioritized and commensurate with the risk and impact
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf
of an agency; or
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(B) minimum operational requirements for Federal
Government to protect agency information systems and provide
common situational awareness across all agency information
systems;
``(C) reporting requirements, consistent with relevant law,
regarding information security incidents and cyber threat
information;
``(D) requirements for agencywide information security
programs;
``(E) performance requirements and metrics for the security
of agency information systems;
``(F) training requirements to ensure that agencies are
able to fully and timely comply with the policies and
directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil
rights, and civil liberties, and information oversight for
agency information security personnel;
``(H) requirements for the annual reports to the Secretary
under section 3554(d);
``(I) any other information security operations or
information security requirements as determined by the
Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and
guidelines under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) with agencies
and offices operating or exercising control of national
security systems (including the National Security Agency) to
assure, to the maximum extent feasible, that such standards
and guidelines are complementary with standards and
guidelines developed for national security systems;
``(2) review the agencywide information security programs
under section 3554; and
``(3) designate an individual or an entity at each
cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information
security incidents, cyber threat information, and
deterioration of security control affecting agency
information systems; and
``(B) to act on or share the information under subparagraph
(A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives
under subsection (a), the Secretary shall consider any
applicable standards or guidelines developed by the National
Institute of Standards and Technology under section 11331 of
title 40.
``(c) Limitation of Authority.--The authorities of the
Secretary under this section shall not apply to national
security systems. Information security policies, directives,
standards and guidelines for national security systems shall
be overseen as directed by the President and, in accordance
with that direction, carried out under the authority of the
heads of agencies that operate or exercise authority over
such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter
shall be construed to alter or amend any law regarding the
authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued
under section 3553;
``(B) providing information security protections
commensurate with the risk resulting from unauthorized
access, use, disclosure, disruption, modification, or
destruction of--
``(i) information collected or maintained by the agency or
by a contractor of an agency or other organization on behalf
of an agency; and
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(C) complying with the requirements of this subchapter,
including--
``(i) information security standards and guidelines
promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued as directed by
the President; and
``(iii) for any non-national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued under section
3553;
``(D) ensuring that information security management
processes are integrated with agency strategic and
operational planning processes;
``(E) reporting and sharing, for an agency operating or
exercising control of a national security system, information
about information security incidents, cyber threat
information, and deterioration of security controls to the
individual or entity designated at each cybersecurity center
and to other appropriate entities consistent with policies
and directives for national security systems issued as
directed by the President; and
``(F) reporting and sharing, for those agencies operating
or exercising control of non-national security systems,
information about information security incidents, cyber
threat information, and deterioration of security controls to
the individual or entity designated at each cybersecurity
center and to other appropriate entities consistent with
policies and directives for non-national security systems as
prescribed under section 3553(a), including information to
assist the entity designated under section 3555(a) with the
ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides
information security for the information and information
systems that support the operations and assets under the
senior agency official's control, including by--
``(A) assessing the risk and impact that could result from
the unauthorized access, use, disclosure, disruption,
modification, or destruction of such information or
information systems;
``(B) determining the level of information security
appropriate to protect such information and information
systems in accordance with policies and directives issued
under section 3553(a), and standards and guidelines
promulgated under section 11331 of title 40 for information
security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities
to reduce risks to an acceptable level in a cost-effective
manner;
``(D) actively monitoring the effective implementation of
information security controls and techniques; and
``(E) reporting information about information security
incidents, cyber threat information, and deterioration of
security controls in a timely and adequate manner to the
entity designated under section 3553(a)(3) in accordance with
paragraph (1);
``(3) assess and maintain the resiliency of information
technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an
independent entity selected in consultation with the Director
and the Council of Inspectors General on Integrity and
Efficiency if the agency does not have an Inspector General)
to conduct the annual independent evaluation required under
section 3556, and allow the agency Inspector General to
contract with an independent entity to perform such
evaluation;
``(5) delegate to the Chief Information Officer or
equivalent (or to a senior agency official who reports to the
Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement
an agencywide information security program; and
``(B) the authority to provide information security for the
information collected and maintained by the agency (or by a
contractor, other agency, or other source on behalf of the
agency) and for the information systems that support the
operations, assets, and mission of the agency (including any
information system provided or managed by a contractor, other
agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is
responsible for a particular agency system or subsystem) the
responsibility to ensure and enforce compliance with all
requirements of the agency's agencywide information security
program in coordination with the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have
obtained any necessary security clearances to permit them to
assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5),
in coordination with other senior agency officials, reports
to the agency head on the effectiveness of the agencywide
information security program, including the progress of any
remedial actions; and
``(9) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5)
has the necessary qualifications to administer the functions
described in this subchapter and has information security
duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information
Officer or equivalent (or the senior agency official who
reports to the Chief Information Officer or equivalent) under
subsection (a)(5) shall--
``(1) establish and maintain an enterprise security
operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds
to information security incidents that impair adequate
security of the agency's information or information system in
a timely manner and in accordance with the policies and
directives under section 3553; and
``(B) reports any information security incident under
subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide
information security program;
``(3) develop, maintain, and oversee information security
policies, procedures, and control techniques to address
applicable requirements, including requirements under section
3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have
significant responsibility for information security with
respect to that responsibility.
``(c) Agencywide Information Security Programs.--
``(1) In general.--Each agencywide information security
program under subsection (b)(2) shall include--
``(A) relevant security risk assessments, including
technical assessments and others related to the acquisition
process;
``(B) security testing commensurate with risk and impact;
``(C) mitigation of deterioration of security controls
commensurate with risk and impact;
``(D) risk-based continuous monitoring and threat
assessment of the operational status and security of agency
information systems to enable evaluation of the effectiveness
of and compliance with information security policies,
procedures, and practices, including a relevant and
appropriate selection of security controls of information
systems identified in the inventory under section 3505(c);
``(E) operation of appropriate technical capabilities in
order to detect, mitigate, report, and respond to information
security incidents, cyber threat information, and
deterioration of security controls in a manner that is
consistent with the policies and directives under section
3553, including--
``(i) mitigating risks associated with such information
security incidents;
``(ii) notifying and consulting with the entity designated
under section 3555; and
``(iii) notifying and consulting with, as appropriate--
``(I) law enforcement and the relevant Office of the
Inspector General; and
``(II) any other entity, in accordance with law and as
directed by the President;
``(F) a process to ensure that remedial action is taken to
address any deficiencies in the information security
policies, procedures, and practices of the agency; and
``(G) a plan and procedures to ensure the continuity of
operations for information systems that support the
operations and assets of the agency.
``(2) Risk management strategies.--Each agencywide
information security program under subsection (b)(2) shall
include the development and maintenance of a risk management
strategy for information security. The risk management
strategy shall include--
``(A) consideration of information security incidents,
cyber threat information, and deterioration of security
controls; and
``(B) consideration of the consequences that could result
from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information
systems that support the operations and assets of the agency,
including any information system provided or managed by a
contractor, other agency, or other source on behalf of the
agency;
``(3) Policies and procedures.--Each agencywide information
security program under subsection (b)(2) shall include
policies and procedures that--
``(A) are based on the risk management strategy under
paragraph (2);
``(B) reduce information security risks to an acceptable
level in a cost-effective manner;
``(C) ensure that cost-effective and adequate information
security is addressed as part of the acquisition and ongoing
management of each agency information system; and
``(D) ensure compliance with--
``(i) this subchapter; and
``(ii) any other applicable requirements.
``(4) Training requirements.--Each agencywide information
security program under subsection (b)(2) shall include
information security, privacy, civil rights, civil liberties,
and information oversight training that meets any applicable
requirements under section 3553. The training shall inform
each information security personnel that has access to agency
information systems (including contractors and other users of
information systems that support the operations and assets of
the agency) of--
``(A) the information security risks associated with the
information security personnel's activities; and
``(B) the individual's responsibility to comply with the
agency policies and procedures that reduce the risks under
subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report
annually to the Secretary of Homeland Security on its
agencywide information security program and information
systems.
``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of
Management and Budget, in coordination with the Secretary of
Homeland Security, shall designate an entity to implement
ongoing security analysis concerning agency information
systems--
``(1) based on cyber threat information;
``(2) based on agency information system and environment of
operation changes, including--
``(A) an ongoing evaluation of the information system
security controls; and
``(B) the security state, risk level, and environment of
operation of an agency information system, including--
``(i) a change in risk level due to a new cyber threat;
``(ii) a change resulting from a new technology;
``(iii) a change resulting from the agency's mission; and
``(iv) a change resulting from the business practice; and
``(3) using automated processes to the maximum extent
possible--
``(A) to increase information system security;
``(B) to reduce paper-based reporting requirements; and
``(C) to maintain timely and actionable knowledge of the
state of the information system security.
``(b) Standards.--The National Institute of Standards and
Technology may promulgate standards, in coordination with the
Secretary of Homeland Security, to assist an agency with its
duties under this section.
``(c) Compliance.--The head of each appropriate department
and agency shall be responsible for ensuring compliance and
implementing necessary procedures to comply with this
section. The head of each appropriate department and agency,
in consultation with the Director of the Office of Management
and Budget and the Secretary of Homeland Security, shall--
``(1) monitor compliance under this section;
``(2) develop a timeline and implement for the department
or agency--
``(A) adoption of any technology, system, or method that
facilitates continuous monitoring and threat assessments of
an agency information system;
``(B) adoption or updating of any technology, system, or
method that prevents, detects, or remediates a significant
cyber incident to a Federal information system of the
department or agency that has impeded, or is reasonably
likely to impede, the performance of a critical mission of
the department or agency; and
``(C) adoption of any technology, system, or method that
satisfies a requirement under this section.
``(d) Limitation of Authority.--The authorities of the
Director of the Office of Management and Budget and of the
Secretary of Homeland Security under this section shall not
apply to national security systems.
``(e) Report.--Not later than 6 months after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Government Accountability Office shall issue a
report evaluating each agency's status toward implementing
this section.
``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency, in consultation with the Director
and the Secretary of Homeland Security, the Secretary of
Commerce, and the Secretary of Defense, shall issue and
maintain criteria for the timely, cost-effective, risk-based,
and independent evaluation of each agencywide information
security program (and practices) to determine the
effectiveness of the agencywide information security program
(and practices). The criteria shall include measures to
assess any conflicts of interest in the performance of the
evaluation and whether the agencywide information security
program includes appropriate safeguards against disclosure of
information where such disclosure may adversely affect
information security.
``(b) Annual Independent Evaluations.--Each agency shall
perform an annual independent evaluation of its agencywide
information security program (and practices) in accordance
with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days
after receiving an independent evaluation under subsection
(b), each agency head shall transmit a copy of the
independent evaluation to the Secretary of Homeland Security,
the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving
national security systems shall be conducted as directed by
the President.
``Sec. 3557. National security systems.
``The head of each agency operating or exercising control
of a national security system shall be responsible for
ensuring that the agency--
``(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of the information
contained in such system; and
``(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with law and
as directed by the President.''.
(b) Savings Provisions.--
(1) Policy and compliance guidance.--Policy and compliance
guidance issued by the Director before the date of enactment
of this Act under section 3543(a)(1) of title 44, United
States Code (as in effect on the day before the date of
enactment of this Act), shall continue in effect, according
to its terms, until modified, terminated, superseded, or
repealed pursuant to section 3553(a)(1) of title 44, United
States Code.
(2) Standards and guidelines.--Standards and guidelines
issued by the Secretary of Commerce or by the Director before
the date of enactment of this Act under section 11331(a)(1)
of title 40, United States Code, (as in effect on the day
before the date of enactment of this Act) shall continue in
effect, according to their terms, until modified, terminated,
superseded, or repealed pursuant to section 11331(a)(1) of
title 40, United States Code, as amended by this Act.
(c) Technical and Conforming Amendments.--
(1) Chapter analysis.--The chapter analysis for chapter 35
of title 44, United States Code, is amended--
(A) by striking the items relating to sections 3531 through
3538;
(B) by striking the items relating to sections 3541 through
3549; and
(C) by inserting the following:
``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
(2) Other references.--
(A) Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section
3532(3)'' and inserting ``section 3552''.
(B) Section 2222(j)(5) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(C) Section 2223(c)(3) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(D) Section 2315 of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(E) Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking ``section
3532(b)(2)'' and inserting ``section 3552'';
(ii) in subsection (c)(3), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iii) in subsection (d)(1), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iv) in subsection (d)(8), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(v) in subsection (d)(8), by striking ``submitted to the
Director'' and inserting ``submitted to the Secretary'';
(vi) in subsection (e)(2), by striking ``section 3532(1) of
such title'' and inserting ``section 3552 of title 44''; and
(vii) in subsection (e)(5), by striking ``section
3532(b)(2) of such title'' and inserting ``section 3552 of
title 44''.
(F) Section 8(d)(1) of the Cyber Security Research and
Development Act (15 U.S.C. 7406(d)(1)) is amended by striking
``section 3534(b)'' and inserting ``section 3554(b)(2)''.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General.--Section 11331 of title 40, United States
Code, is amended to read as follows:
``Sec. 11331. Responsibilities for Federal information
systems standards
``(a) Standards and Guidelines.--
``(1) Authority to prescribe.--Except as provided under
paragraph (2), the Secretary of Commerce shall prescribe
standards and guidelines pertaining to Federal information
systems--
``(A) in consultation with the Secretary of Homeland
Security; and
``(B) on the basis of standards and guidelines developed by
the National Institute of Standards and Technology under
paragraphs (2) and (3) of section 20(a) of the National
Institute of Standards and Technology Act (15 U.S.C. 278g-
3(a)(2) and (a)(3)).
``(2) National security systems.--Standards and guidelines
for national security systems shall be developed, prescribed,
enforced, and overseen as otherwise authorized by law and as
directed by the President.
``(b) Mandatory Standards and Guidelines.--
``(1) Authority to make mandatory standards and
guidelines.--The Secretary of Commerce shall make standards
and guidelines under subsection (a)(1) compulsory and binding
to the extent determined necessary by the Secretary of
Commerce to improve the efficiency of operation or security
of Federal information systems.
``(2) Required mandatory standards and guidelines.--
``(A) In general.--Standards and guidelines under
subsection (a)(1) shall include information security
standards that--
``(i) provide minimum information security requirements as
determined under section 20(b) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(b)); and
``(ii) are otherwise necessary to improve the security of
Federal information and information systems.
``(B) Binding effect.--Information security standards under
subparagraph (A) shall be compulsory and binding.
``(c) Exercise of Authority.--To ensure fiscal and policy
consistency, the Secretary of Commerce shall exercise the
authority conferred by this section subject to direction by
the President and in coordination with the Director.
``(d) Application of More Stringent Standards and
Guidelines.--The head of an executive agency may employ
standards for the cost-effective information security for
information systems within or under the supervision of that
agency that are more stringent than the standards and
guidelines the Secretary of Commerce prescribes under this
section if the more stringent standards and guidelines--
``(1) contain at least the applicable standards and
guidelines made compulsory and binding by the Secretary of
Commerce; and
``(2) are otherwise consistent with the policies,
directives, and implementation memoranda issued under section
3553(a) of title 44.
``(e) Decisions on Promulgation of Standards and
Guidelines.--The decision by the Secretary of Commerce
regarding the promulgation of any standard or guideline under
this section shall occur not later than 6 months after the
date of submission of the proposed standard to the Secretary
of Commerce by the National Institute of Standards and
Technology under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3).
``(f) Notice and Comment.--A decision by the Secretary of
Commerce to significantly modify, or not promulgate, a
proposed standard submitted to the Secretary by the National
Institute of Standards and Technology under section 20 of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3) shall be made after the public is given an
opportunity to comment on the Secretary's proposed decision.
``(g) Definitions.--In this section:
``(1) Federal information system.--The term `Federal
information system' has the meaning given the term in section
3552 of title 44.
``(2) Information security.--The term `information
security' has the meaning given the term in section 3552 of
title 44.
``(3) National security system.--The term `national
security system' has the meaning given the term in section
3552 of title 44.''.
SEC. 203. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.
Section 21(b) of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-4(b)) is amended--
(1) in paragraph (2), by striking ``and the Director of the
Office of Management and Budget'' and inserting ``, the
Secretary of Commerce, and the Secretary of Homeland
Security''; and
(2) in paragraph (3), by inserting ``, the Secretary of
Homeland Security,'' after ``the Secretary of Commerce''.
SEC. 205. CLARIFICATION OF AUTHORITIES.
Nothing in this title shall be construed to convey any new
regulatory authority to any government entity implementing or
complying with any provision of this title.
TITLE III--CRIMINAL PENALTIES
SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN
CONNECTION WITH COMPUTERS.
Section 1030(c) of title 18, United States Code, is amended
to read as follows:
``(c) The punishment for an offense under subsection (a) or
(b) of this section is--
``(1) a fine under this title or imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(1) of this section;
``(2)(A) except as provided in subparagraph (B), a fine
under this title or imprisonment for not more than 3 years,
or both, in the case of an offense under subsection (a)(2);
or
``(B) a fine under this title or imprisonment for not more
than ten years, or both, in the case of an offense under
subsection (a)(2) of this section, if--
``(i) the offense was committed for purposes of commercial
advantage or private financial gain;
``(ii) the offense was committed in the furtherance of any
criminal or tortious act in violation of the Constitution or
laws of the United States, or of any State; or
``(iii) the value of the information obtained, or that
would have been obtained if the offense was completed,
exceeds $5,000;
``(3) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(3) of this section;
``(4) a fine under this title or imprisonment of not more
than 20 years, or both, in the case of an offense under
subsection (a)(4) of this section;
``(5)(A) except as provided in subparagraph (C), a fine
under this title, imprisonment for not more than 20 years, or
both, in the case of an offense under subsection (a)(5)(A) of
this section, if the offense caused--
``(i) loss to 1 or more persons during any 1-year period
(and, for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting
from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
``(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
``(iii) physical injury to any person;
``(iv) a threat to public health or safety;
``(v) damage affecting a computer used by, or on behalf of,
an entity of the United States Government in furtherance of
the administration of justice, national defense, or national
security; or
``(vi) damage affecting 10 or more protected computers
during any 1-year period;
``(B) a fine under this title, imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(5)(B), if the offense caused a harm provided
in clause (i) through (vi) of subparagraph (A) of this
subsection;
``(C) if the offender attempts to cause or knowingly or
recklessly causes death from conduct in violation of
subsection (a)(5)(A), a fine under this title, imprisonment
for any term of years or for life, or both;
``(D) a fine under this title, imprisonment for not more
than 10 years, or both, for any other offense under
subsection (a)(5);
``(E) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(6) of this section; or
``(F) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(7) of this section.''.
SEC. 302. TRAFFICKING IN PASSWORDS.
Section 1030(a)(6) of title 18, United States Code, is
amended to read as follows:
``(6) knowingly and with intent to defraud traffics (as
defined in section 1029) in any password or similar
information or means of access through which a protected
computer (as defined in subparagraphs (A) and (B) of
subsection (e)(2)) may be accessed without authorization.''.
SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.
Section 1030(b) of title 18, United States Code, is amended
by inserting ``as if for the completed offense'' after
``punished as provided''.
SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED
ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030 of title 18, United States Code, is amended by
striking subsections (i) and (j) and inserting the following:
``(i) Criminal Forfeiture.--
``(1) The court, in imposing sentence on any person
convicted of a violation of this section, or convicted of
conspiracy to violate this section, shall order, in addition
to any other sentence imposed and irrespective of any
provision of State law, that such person forfeit to the
United States--
``(A) such person's interest in any property, real or
personal, that was used, or intended to be used, to commit or
facilitate the commission of such violation; and
``(B) any property, real or personal, constituting or
derived from any gross proceeds, or any property traceable to
such property, that such person obtained, directly or
indirectly, as a result of such violation.
``(2) The criminal forfeiture of property under this
subsection, including any seizure and disposition of the
property, and any related judicial or administrative
proceeding, shall be governed by the provisions of section
413 of the Comprehensive Drug Abuse Prevention and Control
Act of 1970 (21 U.S.C. 853), except subsection (d) of that
section.
``(j) Civil Forfeiture.--
``(1) The following shall be subject to forfeiture to the
United States and no property right, real or personal, shall
exist in them:
``(A) Any property, real or personal, that was used, or
intended to be used, to commit or facilitate the commission
of any violation of this section, or a conspiracy to violate
this section.
``(B) Any property, real or personal, constituting or
derived from any gross proceeds obtained directly or
indirectly, or any property traceable to such property, as a
result of the commission of any violation of this section, or
a conspiracy to violate this section.
``(2) Seizures and forfeitures under this subsection shall
be governed by the provisions in chapter 46 relating to civil
forfeitures, except that such duties as are imposed on the
Secretary of the Treasury under the customs laws described in
section 981(d) shall be performed by such officers, agents
and other persons as may be designated for that purpose by
the Secretary of Homeland Security or the Attorney
General.''.
SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.
(a) In General.--Chapter 47 of title 18, United States
Code, is amended by inserting after section 1030 the
following:
``Sec. 1030A. Aggravated damage to a critical infrastructure
computer
``(a) Definitions.--In this section--
``(1) the term `computer' has the meaning given the term in
section 1030;
``(2) the term `critical infrastructure computer' means a
computer that manages or controls systems or assets vital to
national defense, national security, national economic
security, public health or safety, or any combination of
those matters, whether publicly or privately owned or
operated, including--
``(A) oil and gas production, storage, conversion, and
delivery systems;
``(B) water supply systems;
``(C) telecommunication networks;
``(D) electrical power generation and delivery systems;
``(E) finance and banking systems;
``(F) emergency services;
``(G) transportation systems and services; and
``(H) government operations that provide essential services
to the public; and
``(3) the term `damage' has the meaning given the term in
section 1030.
``(b) Offense.--It shall be unlawful, during and in
relation to a felony violation of section 1030, to knowingly
cause or attempt to cause damage to a critical infrastructure
computer if the damage results in (or, in the case of an
attempt, if completed, would have resulted in) the
substantial impairment--
``(1) of the operation of the critical infrastructure
computer; or
``(2) of the critical infrastructure associated with the
computer.
``(c) Penalty.--Any person who violates subsection (b)
shall be--
``(1) fined under this title;
``(2) imprisoned for not less than 3 years but not more
than 20 years; or
``(3) penalized under paragraphs (1) and (2).
``(d) Consecutive Sentence.--Notwithstanding any other
provision of law--
``(1) a court shall not place on probation any person
convicted of a violation of this section;
``(2) except as provided in paragraph (4), no term of
imprisonment imposed on a person under this section shall run
concurrently with any other term of imprisonment, including
any term of imprisonment imposed on the person under any
other provision of law, including any term of imprisonment
imposed for a felony violation of section 1030;
``(3) in determining any term of imprisonment to be imposed
for a felony violation of section 1030, a court shall not in
any way reduce the term to be imposed for such crime so as to
compensate for, or otherwise take into account, any separate
term of imprisonment imposed or to be imposed for a violation
of this section; and
``(4) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the
court, run concurrently, in whole or in part, only with
another term of imprisonment that is imposed by the court at
the same time on that person for an additional violation of
this section, provided that such discretion shall be
exercised in accordance with any applicable guidelines and
policy statements issued by the United States Sentencing
Commission pursuant to section 994 of title 28.''.
(b) Technical and Conforming Amendment.--The chapter
analysis for chapter 47 of title 18, United States Code, is
amended by inserting after the item relating to section 1030
the following:
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code, is
amended by striking ``alter;'' and inserting ``alter, but
does not include access in violation of a contractual
obligation or agreement, such as an acceptable use policy or
terms of service agreement, with an Internet service
provider, Internet website, or non-government employer, if
such violation constitutes the sole basis for determining
that access to a protected computer is unauthorized;''.
SEC. 307. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM
PLANNING AND COORDINATION.
(a) Goals and Priorities.--Section 101 of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511) is amended
by adding at the end the following:
``(d) Goals and Priorities.--The goals and priorities for
Federal high-performance computing research, development,
networking, and other activities under subsection (a)(2)(A)
shall include--
``(1) encouraging and supporting mechanisms for
interdisciplinary research and development in networking and
information technology, including--
``(A) through collaborations across agencies;
``(B) through collaborations across Program Component
Areas;
``(C) through collaborations with industry;
``(D) through collaborations with institutions of higher
education;
``(E) through collaborations with Federal laboratories (as
defined in section 4 of the Stevenson-Wydler Technology
Innovation Act of 1980 (15 U.S.C. 3703)); and
``(F) through collaborations with international
organizations;
``(2) addressing national, multi-agency, multi-faceted
challenges of national importance; and
``(3) fostering the transfer of research and development
results into new technologies and applications for the
benefit of society.''.
(b) Development of Strategic Plan.--Section 101 of the
High-Performance Computing Act of 1991 (15 U.S.C. 5511) is
amended by adding at the end the following:
``(e) Strategic Plan.--
``(1) In general.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the agencies under subsection (a)(3)(B), working
through the National Science and Technology Council and with
the assistance of the Office of Science and Technology Policy
shall develop a 5-year strategic plan to guide the activities
under subsection (a)(1).
``(2) Contents.--The strategic plan shall specify--
``(A) the near-term objectives for the Program;
``(B) the long-term objectives for the Program;
``(C) the anticipated time frame for achieving the near-
term objectives;
``(D) the metrics that will be used to assess any progress
made toward achieving the near-term objectives and the long-
term objectives; and
``(E) how the Program will achieve the goals and priorities
under subsection (d).
``(3) Implementation roadmap.--
``(A) In general.--The agencies under subsection (a)(3)(B)
shall develop and annually update an implementation roadmap
for the strategic plan.
``(B) Requirements.--The information in the implementation
roadmap shall be coordinated with the database under section
102(c) and the annual report under section 101(a)(3). The
implementation roadmap shall--
``(i) specify the role of each Federal agency in carrying
out or sponsoring research and development to meet the
research objectives of the strategic plan, including a
description of how progress toward the research objectives
will be evaluated, with consideration of any relevant
recommendations of the advisory committee;
``(ii) specify the funding allocated to each major research
objective of the strategic plan and the source of funding by
agency for the current fiscal year; and
``(iii) estimate the funding required for each major
research objective of the strategic plan for the next 3
fiscal years.
``(4) Recommendations.--The agencies under subsection
(a)(3)(B) shall take into consideration when developing the
strategic plan under paragraph (1) the recommendations of--
``(A) the advisory committee under subsection (b); and
``(B) the stakeholders under section 102(a)(3).
``(5) Report to congress.--The Director of the Office of
Science and Technology Policy shall transmit the strategic
plan under this subsection, including the implementation
roadmap and any updates under paragraph (3), to--
``(A) the advisory committee under subsection (b);
``(B) the Committee on Commerce, Science, and
Transportation of the Senate; and
``(C) the Committee on Science and Technology of the House
of Representatives.''.
(c) Periodic Reviews.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended by adding
at the end the following:
``(f) Periodic Reviews.--The agencies under subsection
(a)(3)(B) shall--
``(1) periodically assess the contents and funding levels
of the Program Component Areas and restructure the Program
when warranted, taking into consideration any relevant
recommendations of the advisory committee under subsection
(b); and
``(2) ensure that the Program includes national, multi-
agency, multi-faceted research and development activities,
including activities described in section 104.''.
(d) Additional Responsibilities of Director.--Section
101(a)(2) of the High-Performance Computing Act of 1991 (15
U.S.C. 5511(a)(2)) is amended--
(1) by redesignating subparagraphs (E) and (F) as
subparagraphs (G) and (H), respectively; and
(2) by inserting after subparagraph (D) the following:
``(E) encourage and monitor the efforts of the agencies
participating in the Program to allocate the level of
resources and management attention necessary--
``(i) to ensure that the strategic plan under subsection
(e) is developed and executed effectively; and
``(ii) to ensure that the objectives of the Program are
met;
``(F) working with the Office of Management and Budget and
in coordination with the creation of the database under
section 102(c), direct the Office of Science and Technology
Policy and the agencies participating in the Program to
establish a mechanism (consistent with existing law) to track
all ongoing and completed research and development projects
and associated funding;''.
(e) Advisory Committee.--Section 101(b) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is
amended--
(1) in paragraph (1)--
(A) by inserting after the first sentence the following:
``The co-chairs of the advisory committee shall meet the
qualifications of committee members and may be members of the
President's Council of Advisors on Science and Technology.'';
and
(B) by striking ``high-performance'' in subparagraph (D)
and inserting ``high-end''; and
(2) by amending paragraph (2) to read as follows:
``(2) In addition to the duties under paragraph (1), the
advisory committee shall conduct periodic evaluations of the
funding, management, coordination, implementation, and
activities of the Program. The advisory committee shall
report its findings and recommendations not less frequently
than once every 3 fiscal years to the Committee on Commerce,
Science, and Transportation of the Senate and the Committee
on Science and Technology of the House of Representatives.
The report shall be submitted in conjunction with the update
of the strategic plan.''.
(f) Report.--Section 101(a)(3) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
(1) in subparagraph (C)--
(A) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(B) by striking ``each Program Component Area'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104'';
(2) in subparagraph (D)--
(A) by striking ``each Program Component Area,'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104,'';
(B) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(C) by striking ``and'' after the semicolon;
(3) by redesignating subparagraph (E) as subparagraph (G);
and
(4) by inserting after subparagraph (D) the following:
``(E) include a description of how the objectives for each
Program Component Area, and the objectives for activities
that involve multiple Program Component Areas, relate to the
objectives of the Program identified in the strategic plan
under subsection (e);
``(F) include--
``(i) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the next
fiscal year by category of activity;
``(ii) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the current
fiscal year by category of activity; and
``(iii) the amount of funding provided for the Office of
Science and Technology Policy for the current fiscal year by
each agency participating in the Program; and''.
(g) Definitions.--Section 4 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5503) is amended--
(1) by redesignating paragraphs (1) and (2) as paragraphs
(2) and (3), respectively;
(2) by redesignating paragraph (3) as paragraph (6);
(3) by redesignating paragraphs (6) and (7) as paragraphs
(7) and (8), respectively;
(4) by inserting before paragraph (2), as redesignated, the
following:
``(1) `cyber-physical systems' means physical or engineered
systems whose networking
and information technology functions and physical elements
are deeply integrated and are actively connected to the
physical world through sensors, actuators, or other means to
perform monitoring and control functions;'';
(5) in paragraph (3), as redesignated, by striking ``high-
performance computing'' and inserting ``networking and
information technology'';
(6) in paragraph (6), as redesignated--
(A) by striking ``high-performance computing'' and
inserting ``networking and information technology''; and
(B) by striking ``supercomputer'' and inserting ``high-end
computing'';
(7) in paragraph (5), by striking ``network referred to
as'' and all that follows through the semicolon and inserting
``network, including advanced computer networks of Federal
agencies and departments''; and
(8) in paragraph (7), as redesignated, by striking
``National High-Performance Computing Program'' and inserting
``networking and information technology research and
development program''.
SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
(a) Research in Areas of National Importance.--Title I of
the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et
seq.) is amended by adding at the end the following:
``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
``(a) In General.--The Program shall encourage agencies
under section 101(a)(3)(B) to support, maintain, and improve
national, multi-agency, multi-faceted, research and
development activities in networking and information
technology directed toward application areas that have the
potential for significant contributions to national economic
competitiveness and for other significant societal benefits.
``(b) Technical Solutions.--An activity under subsection
(a) shall be designed to advance the development of research
discoveries by demonstrating technical solutions to important
problems in areas including--
``(1) cybersecurity;
``(2) health care;
``(3) energy management and low-power systems and devices;
``(4) transportation, including surface and air
transportation;
``(5) cyber-physical systems;
``(6) large-scale data analysis and modeling of physical
phenomena;
``(7) large scale data analysis and modeling of behavioral
phenomena;
``(8) supply chain quality and security; and
``(9) privacy protection and protected disclosure of
confidential data.
``(c) Recommendations.--The advisory committee under
section 101(b) shall make recommendations to the Program for
candidate research and development areas for support under
this section.
``(d) Characteristics.--
``(1) In general.--Research and development activities
under this section--
``(A) shall include projects selected on the basis of
applications for support through a competitive, merit-based
process;
``(B) shall leverage, when possible, Federal investments
through collaboration with related State initiatives;
``(C) shall include a plan for fostering the transfer of
research discoveries and the results of technology
demonstration activities, including from institutions of
higher education and Federal laboratories, to industry for
commercial development;
``(D) shall involve collaborations among researchers in
institutions of higher education and industry; and
``(E) may involve collaborations among nonprofit research
institutions and Federal laboratories, as appropriate.
``(2) Cost-sharing.--In selecting applications for support,
the agencies under section 101(a)(3)(B) shall give special
consideration to projects that include cost sharing from non-
Federal sources.
``(3) Multidisciplinary research centers.--Research and
development activities under this section shall be supported
through multidisciplinary research centers, including Federal
laboratories, that are organized to investigate basic
research questions and carry out technology demonstration
activities in areas described in subsection (a). Research may
be carried out through existing multidisciplinary centers,
including those authorized under section 7024(b)(2) of the
America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
(b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is
amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking the period at the end
and inserting a semicolon; and
(3) by adding at the end the following:
``(J) provide for increased understanding of the scientific
principles of cyber-physical systems and improve the methods
available for the design, development, and operation of
cyber-physical systems that are characterized by high
reliability, safety, and security; and
``(K) provide for research and development on human-
computer interactions, visualization, and big data.''.
(c) Task Force.--Title I of the High-Performance Computing
Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section
402(a) of this Act, is amended by adding at the end the
following:
``SEC. 105. TASK FORCE.
``(a) Establishment.--Not later than 180 days after the
date of enactment of the Strengthening and Enhancing
Cybersecurity by Using Research, Education, Information, and
Technology Act of 2012, the Director of the Office of Science
and Technology Policy under section 102 shall convene a task
force to explore mechanisms for carrying out collaborative
research and development activities for cyber-physical
systems (including the related technologies required to
enable these systems) through a consortium or other
appropriate entity with participants from institutions of
higher education, Federal laboratories, and industry.
``(b) Functions.--The task force shall--
``(1) develop options for a collaborative model and an
organizational structure for such entity under which the
joint research and development activities could be planned,
managed, and conducted effectively, including mechanisms for
the allocation of resources among the participants in such
entity for support of such activities;
``(2) propose a process for developing a research and
development agenda for such entity, including guidelines to
ensure an appropriate scope of work focused on nationally
significant challenges and requiring collaboration and to
ensure the development of related scientific and
technological milestones;
``(3) define the roles and responsibilities for the
participants from institutions of higher education, Federal
laboratories, and industry in such entity;
``(4) propose guidelines for assigning intellectual
property rights and for transferring research results to the
private sector; and
``(5) make recommendations for how such entity could be
funded from Federal, State, and non-governmental sources.
``(c) Composition.--In establishing the task force under
subsection (a), the Director of the Office of Science and
Technology Policy shall appoint an equal number of
individuals from institutions of higher education and from
industry with knowledge and expertise in cyber-physical
systems, and may appoint not more than 2 individuals from
Federal laboratories.
``(d) Report.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Director of the Office of Science and Technology
Policy shall transmit to the Committee on Commerce, Science,
and Transportation of the Senate and the Committee on Science
and Technology of the House of Representatives a report
describing the findings and recommendations of the task
force.
``(e) Termination.--The task force shall terminate upon
transmittal of the report required under subsection (d).
``(f) Compensation and Expenses.--Members of the task force
shall serve without compensation.''.
SEC. 403. PROGRAM IMPROVEMENTS.
Section 102 of the High-Performance Computing Act of 1991
(15 U.S.C. 5512) is amended to read as follows:
``SEC. 102. PROGRAM IMPROVEMENTS.
``(a) Functions.--The Director of the Office of Science and
Technology Policy shall continue--
``(1) to provide technical and administrative support to--
``(A) the agencies participating in planning and
implementing the Program, including support needed to develop
the strategic plan under section 101(e); and
``(B) the advisory committee under section 101(b);
``(2) to serve as the primary point of contact on Federal
networking and information technology activities for
government agencies, academia, industry, professional
societies, State computing and networking technology
programs, interested citizen groups, and others to exchange
technical and programmatic information;
``(3) to solicit input and recommendations from a wide
range of stakeholders during the development of each
strategic plan under section 101(e) by convening at least 1
workshop with invitees from academia, industry, Federal
laboratories, and other relevant organizations and
institutions;
``(4) to conduct public outreach, including the
dissemination of the advisory committee's findings and
recommendations, as appropriate;
``(5) to promote access to and early application of the
technologies, innovations, and expertise derived from Program
activities to agency missions and systems across the Federal
Government and to United States industry;
``(6) to ensure accurate and detailed budget reporting of
networking and information technology research and
development investment; and
``(7) to encourage agencies participating in the Program to
use existing programs and resources to strengthen networking
and information technology education and training, and
increase participation in such fields, including by women and
underrepresented minorities.
``(b) Source of Funding.--
``(1) In general.--The functions under this section shall
be supported by funds from each agency participating in the
Program.
``(2) Specifications.--The portion of the total budget of
the Office of Science and Technology Policy that is provided
by each agency participating in the Program for each
[[Page S5566]]
fiscal year shall be in the same proportion as each agency's
share of the total budget for the Program for the previous
fiscal year, as specified in the database under section
102(c).
``(c) Database.--
``(1) In general.--The Director of the Office of Science
and Technology Policy shall develop and maintain a database
of projects funded by each agency for the fiscal year for
each Program Component Area.
``(2) Public accessibility.--The Director of the Office of
Science and Technology Policy shall make the database
accessible to the public.
``(3) Database contents.--The database shall include, for
each project in the database--
``(A) a description of the project;
``(B) each agency, industry, institution of higher
education, Federal laboratory, or international institution
involved in the project;
``(C) the source funding of the project (set forth by
agency);
``(D) the funding history of the project; and
``(E) whether the project has been completed.''.
SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION
TECHNOLOGY, INCLUDING HIGH PERFORMANCE
COMPUTING.
Section 201(a) of the High-Performance Computing Act of
1991 (15 U.S.C. 5521(a)) is amended--
(1) by redesignating paragraphs (2) through (4) as
paragraphs (3) through (5), respectively; and
(2) by inserting after paragraph (1) the following:
``(2) the National Science Foundation shall use its
existing programs, in collaboration with other agencies, as
appropriate, to improve the teaching and learning of
networking and information technology at all levels of
education and to increase participation in networking and
information technology fields;''.
SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
PERFORMANCE COMPUTING ACT OF 1991.
(a) Section 3.--Section 3 of the High-Performance Computing
Act of 1991 (15 U.S.C. 5502) is amended--
(1) in the matter preceding paragraph (1), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(2) in paragraph (1)--
(A) in the matter preceding subparagraph (A), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(B) in subparagraphs (A), (F), and (G), by striking ``high-
performance computing'' each place it appears and inserting
``networking and information technology''; and
(C) in subparagraph (H), by striking ``high-performance''
and inserting ``high-end''; and
(3) in paragraph (2)--
(A) by striking ``high-performance computing and'' and
inserting ``networking and information technology, and''; and
(B) by striking ``high-performance computing network'' and
inserting ``networking and information technology''.
(b) Title Heading.--The heading of title I of the High-
Performance Computing Act of 1991 (105 Stat. 1595) is amended
by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting
``NETWORKING AND INFORMATION TECHNOLOGY''.
(c) Section 101.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended--
(1) in the section heading, by striking ``high-performance
computing'' and inserting ``networking and information
technology research and development'';
(2) in subsection (a)--
(A) in the subsection heading, by striking ``National High-
Performance Computing'' and inserting ``Networking and
Information Technology Research and Development'';
(B) in paragraph (1)--
(i) by striking ``National High-Performance Computing
Program'' and inserting ``networking and information
technology research and development program'';
(ii) in subparagraph (A), by striking ``high-performance
computing, including networking'' and inserting ``networking
and information technology'';
(iii) in subparagraphs (B) and (G), by striking ``high-
performance'' each place it appears and inserting ``high-
end''; and
(iv) in subparagraph (C), by striking ``high-performance
computing and networking'' and inserting ``high-end
computing, distributed, and networking''; and
(C) in paragraph (2)--
(i) in subparagraphs (A) and (C)--
(I) by striking ``high-performance computing'' each place
it appears and inserting ``networking and information
technology''; and
(II) by striking ``development, networking,'' each place it
appears and inserting ``development,''; and
(ii) in subparagraphs (G) and (H), as redesignated by
section 401(d) of this Act, by striking ``high-performance''
each place it appears and inserting ``high-end'';
(3) in subsection (b)(1), in the matter preceding
subparagraph (A), by striking ``high-performance computing''
each place it appears and inserting ``networking and
information technology''; and
(4) in subsection (c)(1)(A), by striking ``high-performance
computing'' and inserting ``networking and information
technology''.
(d) Section 201.--Section 201(a)(1) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by
striking ``high-performance computing and advanced high-speed
computer networking'' and inserting ``networking and
information technology research and development''.
(e) Section 202.--Section 202(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by
striking ``high-performance computing'' and inserting
``networking and information technology''.
(f) Section 203.--Section 203(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
(1) in paragraph (1), by striking ``high-performance
computing and networking'' and inserting ``networking and
information technology''; and
(2) in paragraph (2)(A), by striking ``high-performance''
and inserting ``high-end''.
(g) Section 204.--Section 204 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5524) is amended--
(1) in subsection (a)(1)--
(A) in subparagraph (A), by striking ``high-performance
computing systems and networks'' and inserting ``networking
and information technology systems and capabilities'';
(B) in subparagraph (B), by striking ``interoperability of
high-performance computing systems in networks and for common
user interfaces to systems'' and inserting ``interoperability
and usability of networking and information technology
systems''; and
(C) in subparagraph (C), by striking ``high-performance
computing'' and inserting ``networking and information
technology''; and
(2) in subsection (b)--
(A) by striking ``High-Performance Computing and Network''
in the heading and inserting ``Networking and Information
Technology''; and
(B) by striking ``sensitive''.
(h) Section 205.--Section 205(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by
striking ``computational'' and inserting ``networking and
information technology''.
(i) Section 206.--Section 206(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by
striking ``computational research'' and inserting
``networking and information technology research''.
(j) Section 207.--Section 207 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5527) is amended by striking
``high-performance computing'' and inserting ``networking and
information technology''.
(k) Section 208.--Section 208 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5528) is amended--
(1) in the section heading, by striking ``HIGH-PERFORMANCE
COMPUTING'' and inserting ``NETWORKING AND INFORMATION
TECHNOLOGY''; and
(2) in subsection (a)--
(A) in paragraph (1), by striking ``High-performance
computing and associated'' and inserting ``Networking and
information'';
(B) in paragraph (2), by striking ``high-performance
computing'' and inserting ``networking and information
technologies'';
(C) in paragraph (3), by striking ``high-performance'' and
inserting ``high-end'';
(D) in paragraph (4), by striking ``high-performance
computers and associated'' and inserting ``networking and
information''; and
(E) in paragraph (5), by striking ``high-performance
computing and associated'' and inserting ``networking and
information''.
SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) In General.--The Director of the National Science
Foundation, in coordination with the Secretary of Homeland
Security, shall carry out a Federal cyber scholarship-for-
service program to recruit and train the next generation of
information technology professionals and security managers to
meet the needs of the cybersecurity mission for the Federal
government.
(b) Program Description and Components.--The program
shall--
(1) annually assess the workforce needs of the Federal
government for cybersecurity professionals, including network
engineers, software engineers, and other experts in order to
determine how many scholarships should be awarded annually to
ensure that the workforce needs following graduation match
the number of scholarships awarded;
(2) provide scholarships for up to 1,000 students per year
in their pursuit of undergraduate or graduate degrees in the
cybersecurity field, in an amount that may include coverage
for full tuition, fees, and a stipend;
(3) require each scholarship recipient, as a condition of
receiving a scholarship under the program, to serve in a
Federal information technology workforce for a period equal
to one and one-half times each year, or partial year, of
scholarship received, in addition to an internship in the
cybersecurity field, if applicable, following graduation;
(4) provide a procedure for the National Science Foundation
or a Federal agency, consistent with regulations of the
Office of Personnel Management, to request and fund a
security clearance for a scholarship recipient, including
providing for clearance during a summer internship and upon
graduation; and
(5) provide opportunities for students to receive temporary
appointments for meaningful employment in the Federal
information technology workforce during school vacation
periods and for internships.
(c) Hiring Authority.--
(1) In general.--For purposes of any law or regulation
governing the appointment of an
[[Page S5567]]
individual in the Federal civil service, upon the successful
completion of the student's studies, a student receiving a
scholarship under the program may--
(A) be hired under section 213.3102(r) of title 5, Code of
Federal Regulations; and
(B) be exempt from competitive service.
(2) Competitive service.--Upon satisfactory fulfillment of
the service term under paragraph (1), an individual may be
converted to a competitive service position without
competition if the individual meets the requirements for that
position.
(d) Eligibility.--The eligibility requirements for a
scholarship under this section shall include that a
scholarship applicant--
(1) be a citizen of the United States;
(2) be eligible to be granted a security clearance;
(3) maintain a grade point average of 3.2 or above on a 4.0
scale for undergraduate study or a 3.5 or above on a 4.0
scale for postgraduate study;
(4) demonstrate a commitment to a career in improving the
security of the information infrastructure; and
(5) have demonstrated a level of proficiency in math or
computer sciences.
(e) Failure to Complete Service Obligation.--
(1) In general.--A scholarship recipient under this section
shall be liable to the United States under paragraph (2) if
the scholarship recipient--
(A) fails to maintain an acceptable level of academic
standing in the educational institution in which the
individual is enrolled, as determined by the Director;
(B) is dismissed from such educational institution for
disciplinary reasons;
(C) withdraws from the program for which the award was made
before the completion of such program;
(D) declares that the individual does not intend to fulfill
the service obligation under this section;
(E) fails to fulfill the service obligation of the
individual under this section; or
(F) loses a security clearance or becomes ineligible for a
security clearance.
(2) Repayment amounts.--
(A) Less than 1 year of service.--If a circumstance under
paragraph (1) occurs before the completion of 1 year of a
service obligation under this section, the total amount of
awards received by the individual under this section shall be
repaid.
(B) One or more years of service.--If a circumstance
described in subparagraph (D) or (E) of paragraph (1) occurs
after the completion of 1 year of a service obligation under
this section, the total amount of scholarship awards received
by the individual under this section, reduced by the ratio of
the number of years of service completed divided by the
number of years of service required, shall be repaid.
(f) Evaluation and Report.--The Director of the National
Science Foundation shall--
(1) evaluate the success of recruiting individuals for
scholarships under this section and of hiring and retaining
those individuals in the public sector workforce, including
the annual cost and an assessment of how the program actually
improves the Federal workforce; and
(2) periodically report the findings under paragraph (1) to
Congress.
(g) Authorization of Appropriations.--From amounts made
available under section 503 of the America COMPETES
Reauthorization Act of 2010 (124 Stat. 4005), the Director
may use funds to carry out the requirements of this section
for fiscal years 2012 through 2013.
SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF
INFORMATION INFRASTRUCTURE PROFESSIONALS.
(a) Study.--The President shall enter into an agreement
with the National Academies to conduct a comprehensive study
of government, academic, and private-sector accreditation,
training, and certification programs for personnel working in
information infrastructure. The agreement shall require the
National Academies to consult with sector coordinating
councils and relevant governmental agencies, regulatory
entities, and nongovernmental organizations in the course of
the study.
(b) Scope.--The study shall include--
(1) an evaluation of the body of knowledge and various
skills that specific categories of personnel working in
information infrastructure should possess in order to secure
information systems;
(2) an assessment of whether existing government, academic,
and private-sector accreditation, training, and certification
programs provide the body of knowledge and various skills
described in paragraph (1);
(3) an analysis of any barriers to the Federal Government
recruiting and hiring cybersecurity talent, including
barriers relating to compensation, the hiring process, job
classification, and hiring flexibility; and
(4) an analysis of the sources and availability of
cybersecurity talent, a comparison of the skills and
expertise sought by the Federal Government and the private
sector, an examination of the current and future capacity of
United States institutions of higher education, including
community colleges, to provide current and future
cybersecurity professionals, through education and training
activities, with those skills sought by the Federal
Government, State and local entities, and the private sector.
(c) Report.--Not later than 1 year after the date of
enactment of this Act, the National Academies shall submit to
the President and Congress a report on the results of the
study. The report shall include--
(1) findings regarding the state of information
infrastructure accreditation, training, and certification
programs, including specific areas of deficiency and
demonstrable progress; and
(2) recommendations for the improvement of information
infrastructure accreditation, training, and certification
programs.
SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.
(a) In General.--The Director of the National Institute of
Standards and Technology, in coordination with appropriate
Federal authorities, shall--
(1) as appropriate, ensure coordination of Federal agencies
engaged in the development of international technical
standards related to information system security; and
(2) not later than 1 year after the date of enactment of
this Act, develop and transmit to Congress a plan for
ensuring such Federal agency coordination.
(b) Consultation With the Private Sector.--In carrying out
the activities under subsection (a)(1), the Director shall
ensure consultation with appropriate private sector
stakeholders.
SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.
The Director of the National Institute of Standards and
Technology shall continue a program to support the
development of technical standards, metrology, testbeds, and
conformance criteria, taking into account appropriate user
concerns--
(1) to improve interoperability among identity management
technologies;
(2) to strengthen authentication methods of identity
management systems;
(3) to improve privacy protection in identity management
systems, including health information technology systems,
through authentication and security protocols; and
(4) to improve the usability of identity management
systems.
SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) National Science Foundation Computer and Network
Security Research Grant Areas.--Section 4(a)(1) of the Cyber
Security Research and Development Act (15 U.S.C. 7403(a)(1))
is amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking ``property.'' and
inserting ``property;''; and
(3) by adding at the end the following:
``(J) secure fundamental protocols that are at the heart of
inter-network communications and data exchange;
``(K) system security that addresses the building of secure
systems from trusted and untrusted components;
``(L) monitoring and detection; and
``(M) resiliency and rapid recovery methods.''.
(b) National Science Foundation Computer and Network
Security Grants.--Section 4(a)(3) of the Cyber Security
Research and Development Act (15 U.S.C. 7403(a)(3)) is
amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(c) Computer and Network Security Centers.--Section 4(b)(7)
of the Cyber Security Research and Development Act (15 U.S.C.
7403(b)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(d) Computer and Network Security Capacity Building
Grants.--Section 5(a)(6) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(a)(6)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(e) Scientific and Advanced Technology Act Grants.--Section
5(b)(2) of the Cyber Security Research and Development Act
(15 U.S.C. 7404(b)(2)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(f) Graduate Traineeships in Computer and Network Security
Research.--Section 5(c)(7) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(c)(7)) is amended--
[[Page S5568]]
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
______
SA 2609. Mr. PAUL submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
At the appropriate place, insert the following:
SEC. __. LIMITATION ON FOREIGN ASSISTANCE TO PAKISTAN.
No amounts may be obligated or expended to provide any
direct United States assistance to the Government of Pakistan
unless the President certifies to Congress that--
(1) Dr. Shakil Afridi has been released from prison in
Pakistan;
(2) any criminal charges brought against Dr. Afridi,
including treason, have been dropped; and
(3) if necessary to ensure his freedom, Dr. Afridi has been
allowed to leave Pakistan.
______
SA 2610. Mrs. HUTCHISON submitted an amendment intended to be
proposed by her to the bill S. 3414, to enhance the security and
resiliency of the cyber and communications infrastructure of the United
States; which was ordered to lie on the table; as follows:
Beginning on page 106, strike line 8 and all that follows
through page 156, line 13, and insert the following:
TITLE III--CYBERSECURITY RESEARCH AND DEVELOPMENT
SEC. 301. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM
PLANNING AND COORDINATION.
(a) Goals and Priorities.--Section 101 of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511) is amended
by adding at the end the following:
``(d) Goals and Priorities.--The goals and priorities for
Federal high-performance computing research, development,
networking, and other activities under subsection (a)(2)(A)
shall include--
``(1) encouraging and supporting mechanisms for
interdisciplinary research and development in networking and
information technology, including--
``(A) through collaborations across agencies;
``(B) through collaborations across Program Component
Areas;
``(C) through collaborations with industry;
``(D) through collaborations with institutions of higher
education;
``(E) through collaborations with Federal laboratories (as
defined in section 4 of the Stevenson-Wydler Technology
Innovation Act of 1980 (15 U.S.C. 3703)); and
``(F) through collaborations with international
organizations;
``(2) addressing national, multi-agency, multi-faceted
challenges of national importance; and
``(3) fostering the transfer of research and development
results into new technologies and applications for the
benefit of society.''.
(b) Development of Strategic Plan.--Section 101 of the
High-Performance Computing Act of 1991 (15 U.S.C. 5511) is
amended by adding at the end the following:
``(e) Strategic Plan.--
``(1) In general.--Not later than 1 year after the date of
enactment of the Cybersecurity Act of 2012, the agencies
under subsection (a)(3)(B), working through the National
Science and Technology Council and with the assistance of the
Office of Science and Technology Policy shall develop a 5-
year strategic plan to guide the activities under subsection
(a)(1).
``(2) Contents.--The strategic plan shall specify--
``(A) the near-term objectives for the Program;
``(B) the long-term objectives for the Program;
``(C) the anticipated time frame for achieving the near-
term objectives;
``(D) the metrics that will be used to assess any progress
made toward achieving the near-term objectives and the long-
term objectives; and
``(E) how the Program will achieve the goals and priorities
under subsection (d).
``(3) Implementation roadmap.--
``(A) In general.--The agencies under subsection (a)(3)(B)
shall develop and annually update an implementation roadmap
for the strategic plan.
``(B) Requirements.--The information in the implementation
roadmap shall be coordinated with the database under section
102(c) and the annual report under section 101(a)(3). The
implementation roadmap shall--
``(i) specify the role of each Federal agency in carrying
out or sponsoring research and development to meet the
research objectives of the strategic plan, including a
description of how progress toward the research objectives
will be evaluated, with consideration of any relevant
recommendations of the advisory committee;
``(ii) specify the funding allocated to each major research
objective of the strategic plan and the source of funding by
agency for the current fiscal year; and
``(iii) estimate the funding required for each major
research objective of the strategic plan for the next 3
fiscal years.
``(4) Recommendations.--The agencies under subsection
(a)(3)(B) shall take into consideration when developing the
strategic plan under paragraph (1) the recommendations of--
``(A) the advisory committee under subsection (b); and
``(B) the stakeholders under section 102(a)(3).
``(5) Report to congress.--The Director of the Office of
Science and Technology Policy shall transmit the strategic
plan under this subsection, including the implementation
roadmap and any updates under paragraph (3), to--
``(A) the advisory committee under subsection (b);
``(B) the Committee on Commerce, Science, and
Transportation of the Senate; and
``(C) the Committee on Science and Technology of the House
of Representatives.''.
(c) Periodic Reviews.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended by adding
at the end the following:
``(f) Periodic Reviews.--The agencies under subsection
(a)(3)(B) shall--
``(1) periodically assess the contents and funding levels
of the Program Component Areas and restructure the Program
when warranted, taking into consideration any relevant
recommendations of the advisory committee under subsection
(b); and
``(2) ensure that the Program includes national, multi-
agency, multi-faceted research and development activities,
including activities described in section 104.''.
(d) Additional Responsibilities of Director.--Section
101(a)(2) of the High-Performance Computing Act of 1991 (15
U.S.C. 5511(a)(2)) is amended--
(1) by redesignating subparagraphs (E) and (F) as
subparagraphs (G) and (H), respectively; and
(2) by inserting after subparagraph (D) the following:
``(E) encourage and monitor the efforts of the agencies
participating in the Program to allocate the level of
resources and management attention necessary--
``(i) to ensure that the strategic plan under subsection
(e) is developed and executed effectively; and
``(ii) to ensure that the objectives of the Program are
met;
``(F) working with the Office of Management and Budget and
in coordination with the creation of the database under
section 102(c), direct the Office of Science and Technology
Policy and the agencies participating in the Program to
establish a mechanism (consistent with existing law) to track
all ongoing and completed research and development projects
and associated funding;''.
(e) Advisory Committee.--Section 101(b) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is
amended--
(1) in paragraph (1)--
(A) by inserting after the first sentence the following:
``The co-chairs of the advisory committee shall meet the
qualifications of committee members and may be members of the
President's Council of Advisors on Science and Technology.'';
and
(B) by striking ``high-performance'' in subparagraph (D)
and inserting ``high-end''; and
(2) by amending paragraph (2) to read as follows:
``(2) In addition to the duties under paragraph (1), the
advisory committee shall conduct periodic evaluations of the
funding, management, coordination, implementation, and
activities of the Program. The advisory committee shall
report its findings and recommendations not less frequently
than once every 3 fiscal years to the Committee on Commerce,
Science, and Transportation of the Senate and the Committee
on Science and Technology of the House of Representatives.
The report shall be submitted in conjunction with the update
of the strategic plan.''.
(f) Report.--Section 101(a)(3) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
(1) in subparagraph (C)--
(A) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(B) by striking ``each Program Component Area'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104'';
(2) in subparagraph (D)--
(A) by striking ``each Program Component Area,'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104,'';
(B) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(C) by striking ``and'' after the semicolon;
(3) by redesignating subparagraph (E) as subparagraph (G);
and
(4) by inserting after subparagraph (D) the following:
``(E) include a description of how the objectives for each
Program Component Area, and the objectives for activities
that involve multiple Program Component Areas, relate to the
objectives of the Program identified in the strategic plan
under subsection (e);
``(F) include--
[[Page S5569]]
``(i) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the next
fiscal year by category of activity;
``(ii) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the current
fiscal year by category of activity; and
``(iii) the amount of funding provided for the Office of
Science and Technology Policy for the current fiscal year by
each agency participating in the Program; and''.
(g) Definitions.--Section 4 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5503) is amended--
(1) by redesignating paragraphs (1) and (2) as paragraphs
(2) and (3), respectively;
(2) by redesignating paragraph (3) as paragraph (6);
(3) by redesignating paragraphs (6) and (7) as paragraphs
(7) and (8), respectively;
(4) by inserting before paragraph (2), as redesignated, the
following:
``(1) `cyber-physical systems' means physical or engineered
systems whose networking and information technology functions
and physical elements are deeply integrated and are actively
connected to the physical world through sensors, actuators,
or other means to perform monitoring and control
functions;'';
(5) in paragraph (3), as redesignated, by striking ``high-
performance computing'' and inserting ``networking and
information technology'';
(6) in paragraph (6), as redesignated--
(A) by striking ``high-performance computing'' and
inserting ``networking and information technology''; and
(B) by striking ``supercomputer'' and inserting ``high-end
computing'';
(7) in paragraph (5), by striking ``network referred to
as'' and all that follows through the semicolon and inserting
``network, including advanced computer networks of Federal
agencies and departments''; and
(8) in paragraph (7), as redesignated, by striking
``National High-Performance Computing Program'' and inserting
``networking and information technology research and
development program''.
SEC. 302. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
(a) Research in Areas of National Importance.--Title I of
the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et
seq.) is amended by adding at the end the following:
``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
``(a) In General.--The Program shall encourage agencies
under section 101(a)(3)(B) to support, maintain, and improve
national, multi-agency, multi-faceted, research and
development activities in networking and information
technology directed toward application areas that have the
potential for significant contributions to national economic
competitiveness and for other significant societal benefits.
``(b) Technical Solutions.--An activity under subsection
(a) shall be designed to advance the development of research
discoveries by demonstrating technical solutions to important
problems in areas including--
``(1) cybersecurity;
``(2) health care;
``(3) energy management and low-power systems and devices;
``(4) transportation, including surface and air
transportation;
``(5) cyber-physical systems;
``(6) large-scale data analysis and modeling of physical
phenomena;
``(7) large-scale data analysis and modeling of behavioral
phenomena;
``(8) supply chain quality and security; and
``(9) privacy protection and protected disclosure of
confidential data.
``(c) Recommendations.--The advisory committee under
section 101(b) shall make recommendations to the Program for
candidate research and development areas for support under
this section.
``(d) Characteristics.--
``(1) In general.--Research and development activities
under this section--
``(A) shall include projects selected on the basis of
applications for support through a competitive, merit-based
process;
``(B) shall leverage, when possible, Federal investments
through collaboration with related State initiatives;
``(C) shall include a plan for fostering the transfer of
research discoveries and the results of technology
demonstration activities, including from institutions of
higher education and Federal laboratories, to industry for
commercial development;
``(D) shall involve collaborations among researchers in
institutions of higher education and industry; and
``(E) may involve collaborations among nonprofit research
institutions and Federal laboratories, as appropriate.
``(2) Cost-sharing.--In selecting applications for support,
the agencies under section 101(a)(3)(B) shall give special
consideration to projects that include cost sharing from non-
Federal sources.
``(3) Multidisciplinary research centers.--Research and
development activities under this section shall be supported
through multidisciplinary research centers, including Federal
laboratories, that are organized to investigate basic
research questions and carry out technology demonstration
activities in areas described in subsection (a). Research may
be carried out through existing multidisciplinary centers,
including those authorized under section 7024(b)(2) of the
America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
(b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is
amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking the period at the end
and inserting a semicolon; and
(3) by adding at the end the following:
``(J) provide for increased understanding of the scientific
principles of cyber-physical systems and improve the methods
available for the design, development, and operation of
cyber-physical systems that are characterized by high
reliability, safety, and security; and
``(K) provide for research and development on human-
computer interactions, visualization, and big data.''.
(c) Task Force.--Title I of the High-Performance Computing
Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section
302(a) of this Act, is amended by adding at the end the
following:
``SEC. 105. TASK FORCE.
``(a) Establishment.--Not later than 180 days after the
date of enactment of the Cybersecurity Act of 2012, the Director
of the Office of Science and Technology Policy under section
102 shall convene a task force to explore mechanisms for
carrying out collaborative research and development
activities for cyber-physical systems (including the related
technologies required to enable these systems) through a
consortium or other appropriate entity with participants from
institutions of higher education, Federal laboratories, and
industry.
``(b) Functions.--The task force shall--
``(1) develop options for a collaborative model and an
organizational structure for such entity under which the
joint research and development activities could be planned,
managed, and conducted effectively, including mechanisms for
the allocation of resources among the participants in such
entity for support of such activities;
``(2) propose a process for developing a research and
development agenda for such entity, including guidelines to
ensure an appropriate scope of work focused on nationally
significant challenges and requiring collaboration and to
ensure the development of related scientific and
technological milestones;
``(3) define the roles and responsibilities for the
participants from institutions of higher education, Federal
laboratories, and industry in such entity;
``(4) propose guidelines for assigning intellectual
property rights and for transferring research results to the
private sector; and
``(5) make recommendations for how such entity could be
funded from Federal, State, and non-governmental sources.
``(c) Composition.--In establishing the task force under
subsection (a), the Director of the Office of Science and
Technology Policy shall appoint an equal number of
individuals from institutions of higher education and from
industry with knowledge and expertise in cyber-physical
systems, and may appoint not more than 2 individuals from
Federal laboratories.
``(d) Report.--Not later than 1 year after the date of
enactment of the Cybersecurity Act of 2012, the Director of
the Office of Science and Technology Policy shall transmit to
the Committee on Commerce, Science, and Transportation of the
Senate and the Committee on Science and Technology of the
House of Representatives a report describing the findings and
recommendations of the task force.
``(e) Termination.--The task force shall terminate upon
transmittal of the report required under subsection (d).
``(f) Compensation and Expenses.--Members of the task force
shall serve without compensation.''.
SEC. 303. PROGRAM IMPROVEMENTS.
Section 102 of the High-Performance Computing Act of 1991
(15 U.S.C. 5512) is amended to read as follows:
``SEC. 102. PROGRAM IMPROVEMENTS.
``(a) Functions.--The Director of the Office of Science and
Technology Policy shall continue--
``(1) to provide technical and administrative support to--
``(A) the agencies participating in planning and
implementing the Program, including support needed to develop
the strategic plan under section 101(e); and
``(B) the advisory committee under section 101(b);
``(2) to serve as the primary point of contact on Federal
networking and information technology activities for
government agencies, academia, industry, professional
societies, State computing and networking technology
programs, interested citizen groups, and others to exchange
technical and programmatic information;
``(3) to solicit input and recommendations from a wide
range of stakeholders during the development of each
strategic plan under section 101(e) by convening at least 1
workshop with invitees from academia, industry, Federal
laboratories, and other relevant organizations and
institutions;
``(4) to conduct public outreach, including the
dissemination of the advisory committee's findings and
recommendations, as appropriate;
``(5) to promote access to and early application of the
technologies, innovations, and expertise derived from Program
activities to
[[Page S5570]]
agency missions and systems across the Federal Government and
to United States industry;
``(6) to ensure accurate and detailed budget reporting of
networking and information technology research and
development investment; and
``(7) to encourage agencies participating in the Program to
use existing programs and resources to strengthen networking
and information technology education and training, and
increase participation in such fields, including by women and
underrepresented minorities.
``(b) Source of Funding.--
``(1) In general.--The functions under this section shall
be supported by funds from each agency participating in the
Program.
``(2) Specifications.--The portion of the total budget of
the Office of Science and Technology Policy that is provided
by each agency participating in the Program for each fiscal
year shall be in the same proportion as each agency's share
of the total budget for the Program for the previous fiscal
year, as specified in the database under section 102(c).
``(c) Database.--
``(1) In general.--The Director of the Office of Science
and Technology Policy shall develop and maintain a database
of projects funded by each agency for the fiscal year for
each Program Component Area.
``(2) Public accessibility.--The Director of the Office of
Science and Technology Policy shall make the database
accessible to the public.
``(3) Database contents.--The database shall include, for
each project in the database--
``(A) a description of the project;
``(B) each agency, industry, institution of higher
education, Federal laboratory, or international institution
involved in the project;
``(C) the source funding of the project (set forth by
agency);
``(D) the funding history of the project; and
``(E) whether the project has been completed.''.
SEC. 304. IMPROVING EDUCATION OF NETWORKING AND INFORMATION
TECHNOLOGY, INCLUDING HIGH PERFORMANCE
COMPUTING.
Section 201(a) of the High-Performance Computing Act of
1991 (15 U.S.C. 5521(a)) is amended--
(1) by redesignating paragraphs (2) through (4) as
paragraphs (3) through (5), respectively; and
(2) by inserting after paragraph (1) the following:
``(2) the National Science Foundation shall use its
existing programs, in collaboration with other agencies, as
appropriate, to improve the teaching and learning of
networking and information technology at all levels of
education and to increase participation in networking and
information technology fields;''.
SEC. 305. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
PERFORMANCE COMPUTING ACT OF 1991.
(a) Section 3.--Section 3 of the High-Performance Computing
Act of 1991 (15 U.S.C. 5502) is amended--
(1) in the matter preceding paragraph (1), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(2) in paragraph (1)--
(A) in the matter preceding subparagraph (A), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(B) in subparagraphs (A), (F), and (G), by striking ``high-
performance computing'' each place it appears and inserting
``networking and information technology''; and
(C) in subparagraph (H), by striking ``high-performance''
and inserting ``high-end''; and
(3) in paragraph (2)--
(A) by striking ``high-performance computing and'' and
inserting ``networking and information technology, and''; and
(B) by striking ``high-performance computing network'' and
inserting ``networking and information technology''.
(b) Title Heading.--The heading of title I of the High-
Performance Computing Act of 1991 (105 Stat. 1595) is amended
by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting
``NETWORKING AND INFORMATION TECHNOLOGY''.
(c) Section 101.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended--
(1) in the section heading, by striking ``high-performance
computing'' and inserting ``networking and information
technology research and development'';
(2) in subsection (a)--
(A) in the subsection heading, by striking ``National High-
Performance Computing'' and inserting ``Networking and
Information Technology Research and Development'';
(B) in paragraph (1)--
(i) by striking ``National High-Performance Computing
Program'' and inserting ``networking and information
technology research and development program'';
(ii) in subparagraph (A), by striking ``high-performance
computing, including networking'' and inserting ``networking
and information technology'';
(iii) in subparagraphs (B) and (G), by striking ``high-
performance'' each place it appears and inserting ``high-
end''; and
(iv) in subparagraph (C), by striking ``high-performance
computing and networking'' and inserting ``high-end
computing, distributed, and networking''; and
(C) in paragraph (2)--
(i) in subparagraphs (A) and (C)--
(I) by striking ``high-performance computing'' each place
it appears and inserting ``networking and information
technology''; and
(II) by striking ``development, networking,'' each place it
appears and inserting ``development,''; and
(ii) in subparagraphs (G) and (H), as redesignated by
section 301(d) of this Act, by striking ``high-performance''
each place it appears and inserting ``high-end'';
(3) in subsection (b)(1), in the matter preceding
subparagraph (A), by striking ``high-performance computing''
each place it appears and inserting ``networking and
information technology''; and
(4) in subsection (c)(1)(A), by striking ``high-performance
computing'' and inserting ``networking and information
technology''.
(d) Section 201.--Section 201(a)(1) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by
striking ``high-performance computing and advanced high-speed
computer networking'' and inserting ``networking and
information technology research and development''.
(e) Section 202.--Section 202(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by
striking ``high-performance computing'' and inserting
``networking and information technology''.
(f) Section 203.--Section 203(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
(1) in paragraph (1), by striking ``high-performance
computing and networking'' and inserting ``networking and
information technology''; and
(2) in paragraph (2)(A), by striking ``high-performance''
and inserting ``high-end''.
(g) Section 204.--Section 204 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5524) is amended--
(1) in subsection (a)(1)--
(A) in subparagraph (A), by striking ``high-performance
computing systems and networks'' and inserting ``networking
and information technology systems and capabilities'';
(B) in subparagraph (B), by striking ``interoperability of
high-performance computing systems in networks and for common
user interfaces to systems'' and inserting ``interoperability
and usability of networking and information technology
systems''; and
(C) in subparagraph (C), by striking ``high-performance
computing'' and inserting ``networking and information
technology''; and
(2) in subsection (b)--
(A) by striking ``High-Performance Computing and Network''
in the heading and inserting ``Networking and Information
Technology''; and
(B) by striking ``sensitive''.
(h) Section 205.--Section 205(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by
striking ``computational'' and inserting ``networking and
information technology''.
(i) Section 206.--Section 206(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by
striking ``computational research'' and inserting
``networking and information technology research''.
(j) Section 207.--Section 207 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5527) is amended by striking
``high-performance computing'' and inserting ``networking and
information technology''.
(k) Section 208.--Section 208 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5528) is amended--
(1) in the section heading, by striking ``HIGH-PERFORMANCE
COMPUTING'' and inserting ``NETWORKING AND INFORMATION
TECHNOLOGY''; and
(2) in subsection (a)--
(A) in paragraph (1), by striking ``High-performance
computing and associated'' and inserting ``Networking and
information'';
(B) in paragraph (2), by striking ``high-performance
computing'' and inserting ``networking and information
technologies'';
(C) in paragraph (3), by striking ``high-performance'' and
inserting ``high-end'';
(D) in paragraph (4), by striking ``high-performance
computers and associated'' and inserting ``networking and
information''; and
(E) in paragraph (5), by striking ``high-performance
computing and associated'' and inserting ``networking and
information''.
SEC. 306. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) In General.--The Director of the National Science
Foundation, in coordination with the Secretary of Homeland
Security, shall carry out a Federal cyber scholarship-for-
service program to recruit and train the next generation of
information technology professionals and security managers to
meet the needs of the cybersecurity mission for the Federal
government.
(b) Program Description and Components.--The program
shall--
(1) annually assess the workforce needs of the Federal
government for cybersecurity professionals, including network
engineers, software engineers, and other experts in order to
determine how many scholarships should be awarded annually to
ensure that the workforce needs following graduation match
the number of scholarships awarded;
(2) provide scholarships for up to 1,000 students per year
in their pursuit of undergraduate or graduate degrees in the
cybersecurity field, in an amount that may include coverage
for full tuition, fees, and a stipend;
(3) require each scholarship recipient, as a condition of
receiving a scholarship under the program, to serve in a
Federal information technology workforce for a period equal
[[Page S5571]]
to one and one-half times each year, or partial year, of
scholarship received, in addition to an internship in the
cybersecurity field, if applicable, following graduation;
(4) provide a procedure for the National Science Foundation
or a Federal agency, consistent with regulations of the
Office of Personnel Management, to request and fund a
security clearance for a scholarship recipient, including
providing for clearance during a summer internship and upon
graduation; and
(5) provide opportunities for students to receive temporary
appointments for meaningful employment in the Federal
information technology workforce during school vacation
periods and for internships.
(c) Hiring Authority.--
(1) In general.--For purposes of any law or regulation
governing the appointment of an individual in the Federal
civil service, upon the successful completion of the
student's studies, a student receiving a scholarship under
the program may--
(A) be hired under section 213.3102(r) of title 5, Code of
Federal Regulations; and
(B) be exempt from competitive service.
(2) Competitive service.--Upon satisfactory fulfillment of
the service term under paragraph (1), an individual may be
converted to a competitive service position without
competition if the individual meets the requirements for that
position.
(d) Eligibility.--The eligibility requirements for a
scholarship under this section shall include that a
scholarship applicant--
(1) be a citizen of the United States;
(2) be eligible to be granted a security clearance;
(3) maintain a grade point average of 3.2 or above on a 4.0
scale for undergraduate study or a 3.5 or above on a 4.0
scale for postgraduate study;
(4) demonstrate a commitment to a career in improving the
security of the information infrastructure; and
(5) have demonstrated a level of proficiency in math or
computer sciences.
(e) Failure to Complete Service Obligation.--
(1) In general.--A scholarship recipient under this section
shall be liable to the United States under paragraph (2) if
the scholarship recipient--
(A) fails to maintain an acceptable level of academic
standing in the educational institution in which the
individual is enrolled, as determined by the Director;
(B) is dismissed from such educational institution for
disciplinary reasons;
(C) withdraws from the program for which the award was made
before the completion of such program;
(D) declares that the individual does not intend to fulfill
the service obligation under this section;
(E) fails to fulfill the service obligation of the
individual under this section; or
(F) loses a security clearance or becomes ineligible for a
security clearance.
(2) Repayment amounts.--
(A) Less than 1 year of service.--If a circumstance under
paragraph (1) occurs before the completion of 1 year of a
service obligation under this section, the total amount of
awards received by the individual under this section shall be
repaid.
(B) One or more years of service.--If a circumstance
described in subparagraph (D) or (E) of paragraph (1) occurs
after the completion of 1 year of a service obligation under
this section, the total amount of scholarship awards received
by the individual under this section, reduced by the ratio of
the number of years of service completed divided by the
number of years of service required, shall be repaid.
(f) Evaluation and Report.--The Director of the National
Science Foundation shall--
(1) evaluate the success of recruiting individuals for
scholarships under this section and of hiring and retaining
those individuals in the public sector workforce, including
the annual cost and an assessment of how the program actually
improves the Federal workforce; and
(2) periodically report the findings under paragraph (1) to
Congress.
(g) Authorization of Appropriations.--From amounts made
available under section 503 of the America COMPETES
Reauthorization Act of 2010 (124 Stat. 4005), the Director
may use funds to carry out the requirements of this section
for fiscal years 2012 through 2013.
SEC. 307. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF
INFORMATION INFRASTRUCTURE PROFESSIONALS.
(a) Study.--The President shall enter into an agreement
with the National Academies to conduct a comprehensive study
of government, academic, and private-sector accreditation,
training, and certification programs for personnel working in
information infrastructure. The agreement shall require the
National Academies to consult with sector coordinating
councils and relevant governmental agencies, regulatory
entities, and nongovernmental organizations in the course of
the study.
(b) Scope.--The study shall include--
(1) an evaluation of the body of knowledge and various
skills that specific categories of personnel working in
information infrastructure should possess in order to secure
information systems;
(2) an assessment of whether existing government, academic,
and private-sector accreditation, training, and certification
programs provide the body of knowledge and various skills
described in paragraph (1);
(3) an analysis of any barriers to the Federal Government
recruiting and hiring cybersecurity talent, including
barriers relating to compensation, the hiring process, job
classification, and hiring flexibility; and
(4) an analysis of the sources and availability of
cybersecurity talent, a comparison of the skills and
expertise sought by the Federal Government and the private
sector, an examination of the current and future capacity of
United States institutions of higher education, including
community colleges, to provide current and future
cybersecurity professionals, through education and training
activities, with those skills sought by the Federal
Government, State and local entities, and the private sector.
(c) Report.--Not later than 1 year after the date of
enactment of this Act, the National Academies shall submit to
the President and Congress a report on the results of the
study. The report shall include--
(1) findings regarding the state of information
infrastructure accreditation, training, and certification
programs, including specific areas of deficiency and
demonstrable progress; and
(2) recommendations for the improvement of information
infrastructure accreditation, training, and certification
programs.
SEC. 308. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.
(a) In General.--The Director of the National Institute of
Standards and Technology, in coordination with appropriate
Federal authorities, shall--
(1) as appropriate, ensure coordination of Federal agencies
engaged in the development of international technical
standards related to information system security; and
(2) not later than 1 year after the date of enactment of
this Act, develop and transmit to Congress a plan for
ensuring such Federal agency coordination.
(b) Consultation With the Private Sector.--In carrying out
the activities under subsection (a)(1), the Director shall
ensure consultation with appropriate private sector
stakeholders.
SEC. 309. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.
The Director of the National Institute of Standards and
Technology shall continue a program to support the
development of technical standards, metrology, testbeds, and
conformance criteria, taking into account appropriate user
concerns--
(1) to improve interoperability among identity management
technologies;
(2) to strengthen authentication methods of identity
management systems;
(3) to improve privacy protection in identity management
systems, including health information technology systems,
through authentication and security protocols; and
(4) to improve the usability of identity management
systems.
SEC. 310. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) National Science Foundation Computer and Network
Security Research Grant Areas.--Section 4(a)(1) of the Cyber
Security Research and Development Act (15 U.S.C. 7403(a)(1))
is amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking ``property.'' and
inserting ``property;''; and
(3) by adding at the end the following:
``(J) secure fundamental protocols that are at the heart of
inter-network communications and data exchange;
``(K) system security that addresses the building of secure
systems from trusted and untrusted components;
``(L) monitoring and detection; and
``(M) resiliency and rapid recovery methods.''.
(b) National Science Foundation Computer and Network
Security Grants.--Section 4(a)(3) of the Cyber Security
Research and Development Act (15 U.S.C. 7403(a)(3)) is
amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(c) Computer and Network Security Centers.--Section 4(b)(7)
of the Cyber Security Research and Development Act (15 U.S.C.
7403(b)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(d) Computer and Network Security Capacity Building
Grants.--Section 5(a)(6) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(a)(6)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
[[Page S5572]]
(e) Scientific and Advanced Technology Act Grants.--Section
5(b)(2) of the Cyber Security Research and Development Act
(15 U.S.C. 7404(b)(2)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(f) Graduate Traineeships in Computer and Network Security
Research.--Section 5(c)(7) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(c)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
______
SA 2611. Mrs. HUTCHISON submitted an amendment intended to be
proposed by her to the bill S. 3414, to enhance the security and
resiliency of the cyber and communications infrastructure of the United
States; which was ordered to lie on the table; as follows:
Beginning on page 45, strike line 1 and all that follows
through page 87, line 22, and insert the following:
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY
POLICY.
(a) In General.--Chapter 35 of title 44, United States
Code, is amended by striking subchapters II and III and
inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the
effectiveness of information security controls over
information resources that support Federal operations and
assets;
``(2) to recognize the highly networked nature of the
current Federal computing environment and provide effective
government-wide management of policies, directives,
standards, and guidelines, as well as effective and nimble
oversight of and response to information security risks,
including coordination of information security efforts
throughout the Federal civilian, national security, and law
enforcement communities;
``(3) to provide for development and maintenance of
controls required to protect agency information and
information systems and contribute to the overall improvement
of agency information security posture;
``(4) to provide for the development of tools and methods
to assess and respond to real-time situational risk for
Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency
information security programs through continuous monitoring
of agency information systems and streamlined reporting
requirements rather than overly prescriptive manual
reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security'
means security commensurate with the risk and magnitude of
the harm resulting from the unauthorized access to or loss,
misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the
term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity
center' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat
information' means information that indicates or describes--
``(A) a technical or operational vulnerability or a cyber
threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous
patterns of network activity that appear to be transmitted
for the purpose of gathering technical information related to
a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
``(G) a method of causing a user with legitimate access to
an information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
``(H) any other attribute of a cybersecurity threat or
cyber defense information that would foster situational
awareness of the United States cybersecurity posture, if
disclosure of such attribute or information is not otherwise
prohibited by law;
``(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of
the Office of Management and Budget unless otherwise
specified.
``(6) Environment of operation.--The term `environment of
operation' means the information system and environment in
which those systems operate, including changing threats,
vulnerabilities, technologies, and missions and business
practices.
``(7) Federal information system.--The term `Federal
information system' means an information system used or
operated by an executive agency, by a contractor of an
executive agency, or by another organization on behalf of an
executive agency.
``(8) Incident.--The term `incident' means an occurrence
that--
``(A) actually or imminently jeopardizes the integrity,
confidentiality, or availability of an information system or
the information that system controls, processes, stores, or
transmits; or
``(B) constitutes a violation of law or an imminent threat
of violation of a law, a security policy, a security
procedure, or an acceptable use policy.
``(9) Information resources.--The term `information
resources' has the meaning given the term in section 3502 of
title 44.
``(10) Information security.--The term `information
security' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
``(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized
restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access
to and use of information.
``(11) Information system.--The term `information system'
has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information
technology' has the meaning given the term in section 11101
of title 40.
``(13) Malicious reconnaissance.--The term `malicious
reconnaissance' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system'
means any information system (including any
telecommunications system) used or operated by an agency or
by a contractor of an agency, or other organization on behalf
of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national
security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a
weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the
direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established
for information that have been specifically authorized under
criteria established by an Executive Order or an Act of
Congress to be kept classified in the interest of national
defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include
a system that is to be used for routine administrative and
business applications (including payroll, finance, logistics,
and personnel management applications).
``(15) Operational control.--The term `operational control'
means a security control for an information system that
primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the
term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary
of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means
the management, operational, and technical controls,
including safeguards or countermeasures, prescribed for an
information system to protect the confidentiality, integrity,
and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant
cyber incident' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
``(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
``(B) an incident in which an operational or technical
control essential to the security or
operation of a Federal information system was defeated.
``(20) Technical control.--The term `technical control'
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
``Sec. 3553. Federal information security authority and
coordination
``(a) In General.--The Secretary, in consultation with the
Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives
governing agency information security operations, and require
implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards
and guidelines promulgated under section 11331 of title 40 to
identify and provide information security protections
prioritized and commensurate with the risk and impact
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf
of an agency; or
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(B) minimum operational requirements for Federal
Government to protect agency information systems and provide
common situational awareness across all agency information
systems;
``(C) reporting requirements, consistent with relevant law,
regarding information security incidents and cyber threat
information;
``(D) requirements for agencywide information security
programs;
``(E) performance requirements and metrics for the security
of agency information systems;
``(F) training requirements to ensure that agencies are
able to fully and timely comply with the policies and
directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil
rights, and civil liberties, and information oversight for
agency information security personnel;
``(H) requirements for the annual reports to the Secretary
under section 3554(d);
``(I) any other information security operations or
information security requirements as determined by the
Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and
guidelines under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) with agencies
and offices operating or exercising control of national
security systems (including the National Security Agency) to
assure, to the maximum extent feasible, that such standards
and guidelines are complementary with standards and
guidelines developed for national security systems;
``(2) review the agencywide information security programs
under section 3554; and
``(3) designate an individual or an entity at each
cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information
security incidents, cyber threat information, and
deterioration of security control affecting agency
information systems; and
``(B) to act on or share the information under subparagraph
(A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives
under subsection (a), the Secretary shall consider any
applicable standards or guidelines developed by the National
Institute of Standards and Technology under section 11331 of
title 40.
``(c) Limitation of Authority.--The authorities of the
Secretary under this section shall not apply to national
security systems. Information security policies, directives,
standards and guidelines for national security systems shall
be overseen as directed by the President and, in accordance
with that direction, carried out under the authority of the
heads of agencies that operate or exercise authority over
such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter
shall be construed to alter or amend any law regarding the
authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued
under section 3553;
``(B) providing information security protections
commensurate with the risk resulting from unauthorized
access, use, disclosure, disruption, modification, or
destruction of--
``(i) information collected or maintained by the agency or
by a contractor of an agency or other organization on behalf
of an agency; and
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(C) complying with the requirements of this subchapter,
including--
``(i) information security standards and guidelines
promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued as directed by
the President; and
``(iii) for any non-national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued under section
3553;
``(D) ensuring that information security management
processes are integrated with agency strategic and
operational planning processes;
``(E) reporting and sharing, for an agency operating or
exercising control of a national security system, information
about information security incidents, cyber threat
information, and deterioration of security controls to the
individual or entity designated at each cybersecurity center
and to other appropriate entities consistent with policies
and directives for national security systems issued as
directed by the President; and
``(F) reporting and sharing, for those agencies operating
or exercising control of non-national security systems,
information about information security incidents, cyber
threat information, and deterioration of security controls to
the individual or entity designated at each cybersecurity
center and to other appropriate entities consistent with
policies and directives for non-national security systems as
prescribed under section 3553(a), including information to
assist the entity designated under section 3555(a) with the
ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides
information security for the information and information
systems that support the operations and assets under the
senior agency official's control, including by--
``(A) assessing the risk and impact that could result from
the unauthorized access, use, disclosure, disruption,
modification, or destruction of such information or
information systems;
``(B) determining the level of information security
appropriate to protect such information and information
systems in accordance with policies and directives issued
under section 3553(a), and standards and guidelines
promulgated under section 11331 of title 40 for information
security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities
to reduce risks to an acceptable level in a cost-effective
manner;
``(D) actively monitoring the effective implementation of
information security controls and techniques; and
``(E) reporting information about information security
incidents, cyber threat information, and deterioration of
security controls in a timely and adequate manner to the
entity designated under section 3553(a)(3) in accordance with
paragraph (1);
``(3) assess and maintain the resiliency of information
technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an
independent entity selected in consultation with the Director
and the Council of Inspectors General on Integrity and
Efficiency if the agency does not have an Inspector General)
to conduct the annual independent evaluation required under
section 3556, and allow the agency Inspector General to
contract with an independent entity to perform such
evaluation;
``(5) delegate to the Chief Information Officer or
equivalent (or to a senior agency official who reports to the
Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement
an agencywide information security program; and
``(B) the authority to provide information security for the
information collected and maintained by the agency (or by a
contractor, other agency, or other source on behalf of the
agency) and for the information systems that support the
operations, assets, and mission of the agency (including any
information system provided or managed by a contractor, other
agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is
responsible for a particular agency system or subsystem) the
responsibility to ensure and enforce compliance with all
requirements of the agency's agencywide information security
program in coordination with the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have
obtained any necessary security clearances to permit them to
assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5),
in coordination with other senior agency officials, reports
to the agency head on the effectiveness of the agencywide
information security program, including the progress of any
remedial actions; and
``(9) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5)
has the necessary qualifications to administer the functions
described in this subchapter and has information security
duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information
Officer or equivalent (or the senior agency official who
reports to the
Chief Information Officer or equivalent) under subsection
(a)(5) shall--
``(1) establish and maintain an enterprise security
operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds
to information security incidents that impair adequate
security of the agency's information or information system in
a timely manner and in accordance with the policies and
directives under section 3553; and
``(B) reports any information security incident under
subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide
information security program;
``(3) develop, maintain, and oversee information security
policies, procedures, and control techniques to address
applicable requirements, including requirements under section
3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have
significant responsibility for information security with
respect to that responsibility.
``(c) Agencywide Information Security Programs.--
``(1) In general.--Each agencywide information security
program under subsection (b)(2) shall include--
``(A) relevant security risk assessments, including
technical assessments and others related to the acquisition
process;
``(B) security testing commensurate with risk and impact;
``(C) mitigation of deterioration of security controls
commensurate with risk and impact;
``(D) risk-based continuous monitoring and threat
assessment of the operational status and security of agency
information systems to enable evaluation of the effectiveness
of and compliance with information security policies,
procedures, and practices, including a relevant and
appropriate selection of security controls of information
systems identified in the inventory under section 3505(c);
``(E) operation of appropriate technical capabilities in
order to detect, mitigate, report, and respond to information
security incidents, cyber threat information, and
deterioration of security controls in a manner that is
consistent with the policies and directives under section
3553, including--
``(i) mitigating risks associated with such information
security incidents;
``(ii) notifying and consulting with the entity designated
under section 3555; and
``(iii) notifying and consulting with, as appropriate--
``(I) law enforcement and the relevant Office of the
Inspector General; and
``(II) any other entity, in accordance with law and as
directed by the President;
``(F) a process to ensure that remedial action is taken to
address any deficiencies in the information security
policies, procedures, and practices of the agency; and
``(G) a plan and procedures to ensure the continuity of
operations for information systems that support the
operations and assets of the agency.
``(2) Risk management strategies.--Each agencywide
information security program under subsection (b)(2) shall
include the development and maintenance of a risk management
strategy for information security. The risk management
strategy shall include--
``(A) consideration of information security incidents,
cyber threat information, and deterioration of security
controls; and
``(B) consideration of the consequences that could result
from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information
systems that support the operations and assets of the agency,
including any information system provided or managed by a
contractor, other agency, or other source on behalf of the
agency;
``(3) Policies and procedures.--Each agencywide information
security program under subsection (b)(2) shall include
policies and procedures that--
``(A) are based on the risk management strategy under
paragraph (2);
``(B) reduce information security risks to an acceptable
level in a cost-effective manner;
``(C) ensure that cost-effective and adequate information
security is addressed as part of the acquisition and ongoing
management of each agency information system; and
``(D) ensure compliance with--
``(i) this subchapter; and
``(ii) any other applicable requirements.
``(4) Training requirements.--Each agencywide information
security program under subsection (b)(2) shall include
information security, privacy, civil rights, civil liberties,
and information oversight training that meets any applicable
requirements under section 3553. The training shall inform
each information security personnel that has access to agency
information systems (including contractors and other users of
information systems that support the operations and assets of
the agency) of--
``(A) the information security risks associated with the
information security personnel's activities; and
``(B) the individual's responsibility to comply with the
agency policies and procedures that reduce the risks under
subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report
annually to the Secretary of Homeland Security on its
agencywide information security program and information
systems.
``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of
Management and Budget, in coordination with the Secretary of
Homeland Security, shall designate an entity to implement
ongoing security analysis concerning agency information
systems--
``(1) based on cyber threat information;
``(2) based on agency information system and environment of
operation changes, including--
``(A) an ongoing evaluation of the information system
security controls; and
``(B) the security state, risk level, and environment of
operation of an agency information system, including--
``(i) a change in risk level due to a new cyber threat;
``(ii) a change resulting from a new technology;
``(iii) a change resulting from the agency's mission; and
``(iv) a change resulting from the business practice; and
``(3) using automated processes to the maximum extent
possible--
``(A) to increase information system security;
``(B) to reduce paper-based reporting requirements; and
``(C) to maintain timely and actionable knowledge of the
state of the information system security.
``(b) Standards.--The National Institute of Standards and
Technology may promulgate standards, in coordination with the
Secretary of Homeland Security, to assist an agency with its
duties under this section.
``(c) Compliance.--The head of each appropriate department
and agency shall be responsible for ensuring compliance and
implementing necessary procedures to comply with this
section. The head of each appropriate department and agency,
in consultation with the Director of the Office of Management
and Budget and the Secretary of Homeland Security, shall--
``(1) monitor compliance under this section;
``(2) develop a timeline and implement for the department
or agency--
``(A) adoption of any technology, system, or method that
facilitates continuous monitoring and threat assessments of
an agency information system;
``(B) adoption or updating of any technology, system, or
method that prevents, detects, or remediates a significant
cyber incident to a Federal information system of the
department or agency that has impeded, or is reasonably
likely to impede, the performance of a critical mission of
the department or agency; and
``(C) adoption of any technology, system, or method that
satisfies a requirement under this section.
``(d) Limitation of Authority.--The authorities of the
Director of the Office of Management and Budget and of the
Secretary of Homeland Security under this section shall not
apply to national security systems.
``(e) Report.--Not later than 6 months after the date of
enactment of the Cybersecurity Act of 2012, the Government
Accountability Office shall issue a report evaluating each
agency's status toward implementing this section.
``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency, in consultation with the Director
and the Secretary of Homeland Security, the Secretary of
Commerce, and the Secretary of Defense, shall issue and
maintain criteria for the timely, cost-effective, risk-based,
and independent evaluation of each agencywide information
security program (and practices) to determine the
effectiveness of the agencywide information security program
(and practices). The criteria shall include measures to
assess any conflicts of interest in the performance of the
evaluation and whether the agencywide information security
program includes appropriate safeguards against disclosure of
information where such disclosure may adversely affect
information security.
``(b) Annual Independent Evaluations.--Each agency shall
perform an annual independent evaluation of its agencywide
information security program (and practices) in accordance
with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days
after receiving an independent evaluation under subsection
(b), each agency head shall transmit a copy of the
independent evaluation to the Secretary of Homeland Security,
the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving
national security systems shall be conducted as directed by
the President.
``Sec. 3557. National security systems
``The head of each agency operating or exercising control
of a national security system shall be responsible for
ensuring that the agency--
``(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of the information
contained in such system; and
``(2) implements information security policies and
practices as required by standards and guidelines for
national security systems,
issued in accordance with law and as directed by the
President.''.
(b) Savings Provisions.--
(1) Policy and compliance guidance.--Policy and compliance
guidance issued by the Director before the date of enactment
of this Act under section 3543(a)(1) of title 44, United
States Code (as in effect on the day before the date of
enactment of this Act), shall continue in effect, according
to its terms, until modified, terminated, superseded, or
repealed pursuant to section 3553(a)(1) of title 44, United
States Code.
(2) Standards and guidelines.--Standards and guidelines
issued by the Secretary of Commerce or by the Director before
the date of enactment of this Act under section 11331(a)(1)
of title 40, United States Code, (as in effect on the day
before the date of enactment of this Act) shall continue in
effect, according to their terms, until modified, terminated,
superseded, or repealed pursuant to section 11331(a)(1) of
title 40, United States Code, as amended by this Act.
(c) Technical and Conforming Amendments.--
(1) Chapter analysis.--The chapter analysis for chapter 35
of title 44, United States Code, is amended--
(A) by striking the items relating to sections 3531 through
3538;
(B) by striking the items relating to sections 3541 through
3549; and
(C) by inserting the following:
``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
(2) Other references.--
(A) Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section
3532(3)'' and inserting ``section 3552''.
(B) Section 2222(j)(5) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(C) Section 2223(c)(3) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(D) Section 2315 of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(E) Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking ``section
3532(b)(2)'' and inserting ``section 3552'';
(ii) in subsection (c)(3), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iii) in subsection (d)(1), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iv) in subsection (d)(8) by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(v) in subsection (d)(8), by striking ``submitted to the
Director'' and inserting ``submitted to the Secretary'';
(vi) in subsection (e)(2), by striking ``section 3532(1) of
such title'' and inserting ``section 3552 of title 44''; and
(vii) in subsection (e)(5), by striking ``section
3532(b)(2) of such title'' and inserting ``section 3552 of
title 44''.
(F) Section 8(d)(1) of the Cyber Security Research and
Development Act (15 U.S.C. 7406(d)(1)) is amended by striking
``section 3534(b)'' and inserting ``section 3554(b)(2)''.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General.--Section 11331 of title 40, United States
Code, is amended to read as follows:
``Sec. 11331. Responsibilities for Federal information
systems standards
``(a) Standards and Guidelines.--
``(1) Authority to prescribe.--Except as provided under
paragraph (2), the Secretary of Commerce shall prescribe
standards and guidelines pertaining to Federal information
systems--
``(A) in consultation with the Secretary of Homeland
Security; and
``(B) on the basis of standards and guidelines developed by
the National Institute of Standards and Technology under
paragraphs (2) and (3) of section 20(a) of the National
Institute of Standards and Technology Act (15 U.S.C.
278g-3(a)(2) and (a)(3)).
``(2) National security systems.--Standards and guidelines
for national security systems shall be developed, prescribed,
enforced, and overseen as otherwise authorized by law and as
directed by the President.
``(b) Mandatory Standards and Guidelines.--
``(1) Authority to make mandatory standards and
guidelines.--The Secretary of Commerce shall make standards
and guidelines under subsection (a)(1) compulsory and binding
to the extent determined necessary by the Secretary of
Commerce to improve the efficiency of operation or security
of Federal information systems.
``(2) Required mandatory standards and guidelines.--
``(A) In general.--Standards and guidelines under
subsection (a)(1) shall include information security
standards that--
``(i) provide minimum information security requirements as
determined under section 20(b) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(b)); and
``(ii) are otherwise necessary to improve the security of
Federal information and information systems.
``(B) Binding effect.--Information security standards under
subparagraph (A) shall be compulsory and binding.
``(c) Exercise of Authority.--To ensure fiscal and policy
consistency, the Secretary of Commerce shall exercise the
authority conferred by this section subject to direction by
the President and in coordination with the Director.
``(d) Application of More Stringent Standards and
Guidelines.--The head of an executive agency may employ
standards for the cost-effective information security for
information systems within or under the supervision of that
agency that are more stringent than the standards and
guidelines the Secretary of Commerce prescribes under this
section if the more stringent standards and guidelines--
``(1) contain at least the applicable standards and
guidelines made compulsory and binding by the Secretary of
Commerce; and
``(2) are otherwise consistent with the policies,
directives, and implementation memoranda issued under section
3553(a) of title 44.
``(e) Decisions on Promulgation of Standards and
Guidelines.--The decision by the Secretary of Commerce
regarding the promulgation of any standard or guideline under
this section shall occur not later than 6 months after the
date of submission of the proposed standard to the Secretary
of Commerce by the National Institute of Standards and
Technology under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3).
``(f) Notice and Comment.--A decision by the Secretary of
Commerce to significantly modify, or not promulgate, a
proposed standard submitted to the Secretary by the National
Institute of Standards and Technology under section 20 of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3) shall be made after the public is given an
opportunity to comment on the Secretary's proposed decision.
``(g) Definitions.--In this section:
``(1) Federal information system.--The term `Federal
information system' has the meaning given the term in section
3552 of title 44.
``(2) Information security.--The term `information
security' has the meaning given the term in section 3552 of
title 44.
``(3) National security system.--The term `national
security system' has the meaning given the term in section
3552 of title 44.''.
SEC. 203. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.
Section 21(b) of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-4(b)) is amended--
(1) in paragraph (2), by striking ``and the Director of the
Office of Management and Budget'' and inserting ``, the
Secretary of Commerce, and the Secretary of Homeland
Security''; and
(2) in paragraph (3), by inserting ``, the Secretary of
Homeland Security,'' after ``the Secretary of Commerce''.
SEC. 205. CLARIFICATION OF AUTHORITIES.
Nothing in this title shall be construed to convey any new
regulatory authority to any government entity implementing or
complying with any provision of this title.
______
SA 2612. Mrs. HUTCHISON submitted an amendment intended to be
proposed by her to the bill S. 3414, to enhance the security and
resiliency of the cyber and communications infrastructure of the United
States; which was ordered to lie on the table; as follows:
Beginning on page 45, strike line 1 and all that follows
through the undesignated matter between lines 7 and 8 on page
106, and insert the following:
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY.
(a) In General.--Chapter 35 of title 44, United States
Code, is amended by striking subchapters II and III and
inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the
effectiveness of information security controls over
information resources that support Federal operations and
assets;
``(2) to recognize the highly networked nature of the
current Federal computing environment and provide effective
government-wide management of policies, directives,
standards, and guidelines, as well as effective and nimble
oversight of and response to information security risks,
including coordination of information security efforts
throughout the Federal civilian, national security, and law
enforcement communities;
``(3) to provide for development and maintenance of
controls required to protect agency information and
information systems and contribute to the overall improvement
of agency information security posture;
[[Page S5576]]
``(4) to provide for the development of tools and methods
to assess and respond to real-time situational risk for
Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency
information security programs through continuous monitoring
of agency information systems and streamlined reporting
requirements rather than overly prescriptive manual
reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security'
means security commensurate with the risk and magnitude of
the harm resulting from the unauthorized access to or loss,
misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the
term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity
center' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat
information' means information that indicates or describes--
``(A) a technical or operation vulnerability or a cyber
threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous
patterns of network activity that appear to be transmitted
for the purpose of gathering technical information related to
a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
``(G) a method of causing a user with legitimate access to
an information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
``(H) any other attribute of a cybersecurity threat or
cyber defense information that would foster situational
awareness of the United States cybersecurity posture, if
disclosure of such attribute or information is not otherwise
prohibited by law;
``(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of
the Office of Management and Budget unless otherwise
specified.
``(6) Environment of operation.--The term `environment of
operation' means the information system and environment in
which those systems operate, including changing threats,
vulnerabilities, technologies, and missions and business
practices.
``(7) Federal information system.--The term `Federal
information system' means an information system used or
operated by an executive agency, by a contractor of an
executive agency, or by another organization on behalf of an
executive agency.
``(8) Incident.--The term `incident' means an occurrence
that--
``(A) actually or imminently jeopardizes the integrity,
confidentiality, or availability of an information system or
the information that system controls, processes, stores, or
transmits; or
``(B) constitutes a violation of law or an imminent threat
of violation of a law, a security policy, a security
procedure, or an acceptable use policy.
``(9) Information resources.--The term `information
resources' has the meaning given the term in section 3502 of
title 44.
``(10) Information security.--The term `information
security' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
``(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized
restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access
to and use of information.
``(11) Information system.--The term `information system'
has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information
technology' has the meaning given the term in section 11101
of title 40.
``(13) Malicious reconnaissance.--The term `malicious
reconnaissance' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system'
means any information system (including any
telecommunications system) used or operated by an agency or
by a contractor of an agency, or other organization on behalf
of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national
security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a
weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the
direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established
for information that have been specifically authorized under
criteria established by an Executive Order or an Act of
Congress to be kept classified in the interest of national
defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include
a system that is to be used for routine administrative and
business applications (including payroll, finance, logistics,
and personnel management applications).
``(15) Operational control.--The term `operational control'
means a security control for an information system that
primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the
term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary
of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means
the management, operational, and technical controls,
including safeguards or countermeasures, prescribed for an
information system to protect the confidentiality, integrity,
and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant
cyber incident' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
``(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
``(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
``(20) Technical control.--The term `technical control'
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
``Sec. 3553. Federal information security authority and coordination
``(a) In General.--The Secretary, in consultation with the
Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives
governing agency information security operations, and require
implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards
and guidelines promulgated under section 11331 of title 40 to
identify and provide information security protections
prioritized and commensurate with the risk and impact
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf
of an agency; or
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(B) minimum operational requirements for Federal
Government to protect agency information systems and provide
common situational awareness across all agency information
systems;
``(C) reporting requirements, consistent with relevant law,
regarding information security incidents and cyber threat
information;
``(D) requirements for agencywide information security
programs;
``(E) performance requirements and metrics for the security
of agency information systems;
``(F) training requirements to ensure that agencies are
able to fully and timely comply with the policies and
directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil
rights, and civil liberties, and information oversight for
agency information security personnel;
``(H) requirements for the annual reports to the Secretary
under section 3554(d);
``(I) any other information security operations or
information security requirements as determined by the
Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and
guidelines under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) with agencies
and offices operating or exercising control of national
security systems (including the National Security Agency) to
assure, to the maximum extent feasible, that such standards
and guidelines are complementary with standards and
guidelines developed for national security systems;
``(2) review the agencywide information security programs
under section 3554; and
[[Page S5577]]
``(3) designate an individual or an entity at each
cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information
security incidents, cyber threat information, and
deterioration of security control affecting agency
information systems; and
``(B) to act on or share the information under subparagraph
(A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives
under subsection (a), the Secretary shall consider any
applicable standards or guidelines developed by the National
Institute of Standards and Technology under section 11331 of
title 40.
``(c) Limitation of Authority.--The authorities of the
Secretary under this section shall not apply to national
security systems. Information security policies, directives,
standards and guidelines for national security systems shall
be overseen as directed by the President and, in accordance
with that direction, carried out under the authority of the
heads of agencies that operate or exercise authority over
such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter
shall be construed to alter or amend any law regarding the
authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued
under section 3553;
``(B) providing information security protections
commensurate with the risk resulting from unauthorized
access, use, disclosure, disruption, modification, or
destruction of--
``(i) information collected or maintained by the agency or
by a contractor of an agency or other organization on behalf
of an agency; and
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(C) complying with the requirements of this subchapter,
including--
``(i) information security standards and guidelines
promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued as directed by
the President; and
``(iii) for any non-national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued under section
3553;
``(D) ensuring that information security management
processes are integrated with agency strategic and
operational planning processes;
``(E) reporting and sharing, for an agency operating or
exercising control of a national security system, information
about information security incidents, cyber threat
information, and deterioration of security controls to the
individual or entity designated at each cybersecurity center
and to other appropriate entities consistent with policies
and directives for national security systems issued as
directed by the President; and
``(F) reporting and sharing, for those agencies operating
or exercising control of non-national security systems,
information about information security incidents, cyber
threat information, and deterioration of security controls to
the individual or entity designated at each cybersecurity
center and to other appropriate entities consistent with
policies and directives for non-national security systems as
prescribed under section 3553(a), including information to
assist the entity designated under section 3555(a) with the
ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides
information security for the information and information
systems that support the operations and assets under the
senior agency official's control, including by--
``(A) assessing the risk and impact that could result from
the unauthorized access, use, disclosure, disruption,
modification, or destruction of such information or
information systems;
``(B) determining the level of information security
appropriate to protect such information and information
systems in accordance with policies and directives issued
under section 3553(a), and standards and guidelines
promulgated under section 11331 of title 40 for information
security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities
to reduce risks to an acceptable level in a cost-effective
manner;
``(D) actively monitoring the effective implementation of
information security controls and techniques; and
``(E) reporting information about information security
incidents, cyber threat information, and deterioration of
security controls in a timely and adequate manner to the
entity designated under section 3553(a)(3) in accordance with
paragraph (1);
``(3) assess and maintain the resiliency of information
technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an
independent entity selected in consultation with the Director
and the Council of Inspectors General on Integrity and
Efficiency if the agency does not have an Inspector General)
to conduct the annual independent evaluation required under
section 3556, and allow the agency Inspector General to
contract with an independent entity to perform such
evaluation;
``(5) delegate to the Chief Information Officer or
equivalent (or to a senior agency official who reports to the
Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement
an agencywide information security program; and
``(B) the authority to provide information security for the
information collected and maintained by the agency (or by a
contractor, other agency, or other source on behalf of the
agency) and for the information systems that support the
operations, assets, and mission of the agency (including any
information system provided or managed by a contractor, other
agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is
responsible for a particular agency system or subsystem) the
responsibility to ensure and enforce compliance with all
requirements of the agency's agencywide information security
program in coordination with the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have
obtained any necessary security clearances to permit them to
assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5),
in coordination with other senior agency officials, reports
to the agency head on the effectiveness of the agencywide
information security program, including the progress of any
remedial actions; and
``(9) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5)
has the necessary qualifications to administer the functions
described in this subchapter and has information security
duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information
Officer or equivalent (or the senior agency official who
reports to the Chief Information Officer or equivalent) under
subsection (a)(5) shall--
``(1) establish and maintain an enterprise security
operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds
to information security incidents that impair adequate
security of the agency's information or information system in
a timely manner and in accordance with the policies and
directives under section 3553; and
``(B) reports any information security incident under
subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide
information security program;
``(3) develop, maintain, and oversee information security
policies, procedures, and control techniques to address
applicable requirements, including requirements under section
3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have
significant responsibility for information security with
respect to that responsibility.
``(c) Agencywide Information Security Programs.--
``(1) In general.--Each agencywide information security
program under subsection (b)(2) shall include--
``(A) relevant security risk assessments, including
technical assessments and others related to the acquisition
process;
``(B) security testing commensurate with risk and impact;
``(C) mitigation of deterioration of security controls
commensurate with risk and impact;
``(D) risk-based continuous monitoring and threat
assessment of the operational status and security of agency
information systems to enable evaluation of the effectiveness
of and compliance with information security policies,
procedures, and practices, including a relevant and
appropriate selection of security controls of information
systems identified in the inventory under section 3505(c);
``(E) operation of appropriate technical capabilities in
order to detect, mitigate, report, and respond to information
security incidents, cyber threat information, and
deterioration of security controls in a manner that is
consistent with the policies and directives under section
3553, including--
``(i) mitigating risks associated with such information
security incidents;
``(ii) notifying and consulting with the entity designated
under section 3555; and
``(iii) notifying and consulting with, as appropriate--
``(I) law enforcement and the relevant Office of the
Inspector General; and
``(II) any other entity, in accordance with law and as
directed by the President;
``(F) a process to ensure that remedial action is taken to
address any deficiencies in the information security
policies, procedures, and practices of the agency; and
``(G) a plan and procedures to ensure the continuity of
operations for information systems that support the
operations and assets of the agency.
[[Page S5578]]
``(2) Risk management strategies.--Each agencywide
information security program under subsection (b)(2) shall
include the development and maintenance of a risk management
strategy for information security. The risk management
strategy shall include--
``(A) consideration of information security incidents,
cyber threat information, and deterioration of security
controls; and
``(B) consideration of the consequences that could result
from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information
systems that support the operations and assets of the agency,
including any information system provided or managed by a
contractor, other agency, or other source on behalf of the
agency;
``(3) Policies and procedures.--Each agencywide information
security program under subsection (b)(2) shall include
policies and procedures that--
``(A) are based on the risk management strategy under
paragraph (2);
``(B) reduce information security risks to an acceptable
level in a cost-effective manner;
``(C) ensure that cost-effective and adequate information
security is addressed as part of the acquisition and ongoing
management of each agency information system; and
``(D) ensure compliance with--
``(i) this subchapter; and
``(ii) any other applicable requirements.
``(4) Training requirements.--Each agencywide information
security program under subsection (b)(2) shall include
information security, privacy, civil rights, civil liberties,
and information oversight training that meets any applicable
requirements under section 3553. The training shall inform
each information security personnel that has access to agency
information systems (including contractors and other users of
information systems that support the operations and assets of
the agency) of--
``(A) the information security risks associated with the
information security personnel's activities; and
``(B) the individual's responsibility to comply with the
agency policies and procedures that reduce the risks under
subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report
annually to the Secretary of Homeland Security on its
agencywide information security program and information
systems.
``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of
Management and Budget, in coordination with the Secretary of
Homeland Security, shall designate an entity to implement
ongoing security analysis concerning agency information
systems--
``(1) based on cyber threat information;
``(2) based on agency information system and environment of
operation changes, including--
``(A) an ongoing evaluation of the information system
security controls; and
``(B) the security state, risk level, and environment of
operation of an agency information system, including--
``(i) a change in risk level due to a new cyber threat;
``(ii) a change resulting from a new technology;
``(iii) a change resulting from the agency's mission; and
``(iv) a change resulting from the business practice; and
``(3) using automated processes to the maximum extent
possible--
``(A) to increase information system security;
``(B) to reduce paper-based reporting requirements; and
``(C) to maintain timely and actionable knowledge of the
state of the information system security.
``(b) Standards.--The National Institute of Standards and
Technology may promulgate standards, in coordination with the
Secretary of Homeland Security, to assist an agency with its
duties under this section.
``(c) Compliance.--The head of each appropriate department
and agency shall be responsible for ensuring compliance and
implementing necessary procedures to comply with this
section. The head of each appropriate department and agency,
in consultation with the Director of the Office of Management
and Budget and the Secretary of Homeland Security, shall--
``(1) monitor compliance under this section;
``(2) develop a timeline and implement for the department
or agency--
``(A) adoption of any technology, system, or method that
facilitates continuous monitoring and threat assessments of
an agency information system;
``(B) adoption or updating of any technology, system, or
method that prevents, detects, or remediates a significant
cyber incident to a Federal information system of the
department or agency that has impeded, or is reasonably
likely to impede, the performance of a critical mission of
the department or agency; and
``(C) adoption of any technology, system, or method that
satisfies a requirement under this section.
``(d) Limitation of Authority.--The authorities of the
Director of the Office of Management and Budget and of the
Secretary of Homeland Security under this section shall not
apply to national security systems.
``(e) Report.--Not later than 6 months after the date of
enactment of the Cybersecurity Act of 2012, the Government
Accountability Office shall issue a report evaluating each
agency's status toward implementing this section.
``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency, in consultation with the Director
and the Secretary of Homeland Security, the Secretary of
Commerce, and the Secretary of Defense, shall issue and
maintain criteria for the timely, cost-effective, risk-based,
and independent evaluation of each agencywide information
security program (and practices) to determine the
effectiveness of the agencywide information security program
(and practices). The criteria shall include measures to
assess any conflicts of interest in the performance of the
evaluation and whether the agencywide information security
program includes appropriate safeguards against disclosure of
information where such disclosure may adversely affect
information security.
``(b) Annual Independent Evaluations.--Each agency shall
perform an annual independent evaluation of its agencywide
information security program (and practices) in accordance
with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days
after receiving an independent evaluation under subsection
(b), each agency head shall transmit a copy of the
independent evaluation to the Secretary of Homeland Security,
the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving
national security systems shall be conducted as directed by
the President.
``Sec. 3557. National security systems.
``The head of each agency operating or exercising control
of a national security system shall be responsible for
ensuring that the agency--
``(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of the information
contained in such system; and
``(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with law and
as directed by the President.''.
(b) Savings Provisions.--
(1) Policy and compliance guidance.--Policy and compliance
guidance issued by the Director before the date of enactment
of this Act under section 3543(a)(1) of title 44, United
States Code (as in effect on the day before the date of
enactment of this Act), shall continue in effect, according
to its terms, until modified, terminated, superseded, or
repealed pursuant to section 3553(a)(1) of title 44, United
States Code.
(2) Standards and guidelines.--Standards and guidelines
issued by the Secretary of Commerce or by the Director before
the date of enactment of this Act under section 11331(a)(1)
of title 40, United States Code, (as in effect on the day
before the date of enactment of this Act) shall continue in
effect, according to their terms, until modified, terminated,
superseded, or repealed pursuant to section 11331(a)(1) of
title 40, United States Code, as amended by this Act.
(c) Technical and Conforming Amendments.--
(1) Chapter analysis.--The chapter analysis for chapter 35
of title 44, United States Code, is amended--
(A) by striking the items relating to sections 3531 through
3538;
(B) by striking the items relating to sections 3541 through
3549; and
(C) by inserting the following:
``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
(2) Other references.--
(A) Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section
3532(3)'' and inserting ``section 3552''.
(B) Section 2222(j)(5) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(C) Section 2223(c)(3) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(D) Section 2315 of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(E) Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking ``section
3532(b)(2)'' and inserting ``section 3552'';
(ii) in subsection (c)(3), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iii) in subsection (d)(1), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iv) in subsection (d)(8) by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
[[Page S5579]]
(v) in subsection (d)(8), by striking ``submitted to the
Director'' and inserting ``submitted to the Secretary'';
(vi) in subsection (e)(2), by striking ``section 3532(1) of
such title'' and inserting ``section 3552 of title 44''; and
(vii) in subsection (e)(5), by striking ``section
3532(b)(2) of such title'' and inserting ``section 3552 of
title 44''.
(F) Section 8(d)(1) of the Cyber Security Research and
Development Act (15 U.S.C. 7406(d)(1)) is amended by striking
``section 3534(b)'' and inserting ``section 3554(b)(2)''.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General.--Section 11331 of title 40, United States
Code, is amended to read as follows:
``Sec. 11331. Responsibilities for Federal information
systems standards
``(a) Standards and Guidelines.--
``(1) Authority to prescribe.--Except as provided under
paragraph (2), the Secretary of Commerce shall prescribe
standards and guidelines pertaining to Federal information
systems--
``(A) in consultation with the Secretary of Homeland
Security; and
``(B) on the basis of standards and guidelines developed by
the National Institute of Standards and Technology under
paragraphs (2) and (3) of section 20(a) of the National
Institute of Standards and Technology Act (15 U.S.C. 278g-
3(a)(2) and (a)(3)).
``(2) National security systems.--Standards and guidelines
for national security systems shall be developed, prescribed,
enforced, and overseen as otherwise authorized by law and as
directed by the President.
``(b) Mandatory Standards and Guidelines.--
``(1) Authority to make mandatory standards and
guidelines.--The Secretary of Commerce shall make standards
and guidelines under subsection (a)(1) compulsory and binding
to the extent determined necessary by the Secretary of
Commerce to improve the efficiency of operation or security
of Federal information systems.
``(2) Required mandatory standards and guidelines.--
``(A) In general.--Standards and guidelines under
subsection (a)(1) shall include information security
standards that--
``(i) provide minimum information security requirements as
determined under section 20(b) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(b)); and
``(ii) are otherwise necessary to improve the security of
Federal information and information systems.
``(B) Binding effect.--Information security standards under
subparagraph (A) shall be compulsory and binding.
``(c) Exercise of Authority.--To ensure fiscal and policy
consistency, the Secretary of Commerce shall exercise the
authority conferred by this section subject to direction by
the President and in coordination with the Director.
``(d) Application of More Stringent Standards and
Guidelines.--The head of an executive agency may employ
standards for the cost-effective information security for
information systems within or under the supervision of that
agency that are more stringent than the standards and
guidelines the Secretary of Commerce prescribes under this
section if the more stringent standards and guidelines--
``(1) contain at least the applicable standards and
guidelines made compulsory and binding by the Secretary of
Commerce; and
``(2) are otherwise consistent with the policies,
directives, and implementation memoranda issued under section
3553(a) of title 44.
``(e) Decisions on Promulgation of Standards and
Guidelines.--The decision by the Secretary of Commerce
regarding the promulgation of any standard or guideline under
this section shall occur not later than 6 months after the
date of submission of the proposed standard to the Secretary
of Commerce by the National Institute of Standards and
Technology under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3).
``(f) Notice and Comment.--A decision by the Secretary of
Commerce to significantly modify, or not promulgate, a
proposed standard submitted to the Secretary by the National
Institute of Standards and Technology under section 20 of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3) shall be made after the public is given an
opportunity to comment on the Secretary's proposed decision.
``(g) Definitions.--In this section:
``(1) Federal information system.--The term `Federal
information system' has the meaning given the term in section
3552 of title 44.
``(2) Information security.--The term `information
security' has the meaning given the term in section 3552 of
title 44.
``(3) National security system.--The term `national
security system' has the meaning given the term in section
3552 of title 44.''.
SEC. 203. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.
Section 21(b) of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-4(b)) is amended--
(1) in paragraph (2), by striking ``and the Director of the
Office of Management and Budget'' and inserting ``, the
Secretary of Commerce, and the Secretary of Homeland
Security''; and
(2) in paragraph (3), by inserting ``, the Secretary of
Homeland Security,'' after ``the Secretary of Commerce''.
SEC. 205. CLARIFICATION OF AUTHORITIES.
Nothing in this title shall be construed to convey any new
regulatory authority to any government entity implementing or
complying with any provision of this title.
______
SA 2613. Mrs. HUTCHISON (for herself, Mr. McCain, Mr. Chambliss, Mr.
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of
Wisconsin) submitted an amendment intended to be proposed by her to the
bill S. 3414, to enhance the security and resiliency of the cyber and
communications infrastructure of the United States; which was ordered
to lie on the table; as follows:
Beginning on page 1, strike line 3 and all that follows
through page 211, line 6 and insert the following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the
``Strengthening and Enhancing Cybersecurity by Using
Research, Education, Information, and Technology Act of
2012'' or ``SECURE IT''.
(b) Table of Contents.--The table of contents of this Act
is as follows:
Sec. 1. Short title; table of contents.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.
TITLE III--CRIMINAL PENALTIES
Sec. 301. Penalties for fraud and related activity in connection with
computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity
in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
Sec. 401. National High-Performance Computing Program planning and
coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology,
including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance
Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of
information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
SEC. 101. DEFINITIONS.
In this title:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in section 1(a) of the
Clayton Act (15 U.S.C. 12(a));
(B) includes section 5 of the Federal Trade Commission Act
(15 U.S.C. 45) to the extent that section 5 of that Act
applies to unfair methods of competition; and
(C) includes any State law that has the same intent and
effect as the laws under subparagraphs (A) and (B).
(3) Countermeasure.--The term ``countermeasure'' means an
automated or a manual action with defensive intent to
mitigate cyber threats.
(4) Cyber threat information.--The term ``cyber threat
information'' means information that indicates or describes--
(A) a technical or operational vulnerability or a cyber
threat mitigation measure;
(B) an action or operation to mitigate a cyber threat;
(C) malicious reconnaissance, including anomalous patterns
of network activity that
[[Page S5580]]
appear to be transmitted for the purpose of gathering
technical information related to a cybersecurity threat;
(D) a method of defeating a technical control;
(E) a method of defeating an operational control;
(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
(G) a method of causing a user with legitimate access to an
information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
(H) any other attribute of a cybersecurity threat or cyber
defense information that would foster situational awareness
of the United States cybersecurity posture, if disclosure of
such attribute or information is not otherwise prohibited by
law;
(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
(J) any combination of subparagraphs (A) through (I).
(5) Cybersecurity center.--The term ``cybersecurity
center'' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
(6) Cybersecurity system.--The term ``cybersecurity
system'' means a system designed or employed to ensure the
integrity, confidentiality, or availability of, or to
safeguard, a system or network, including measures intended
to protect a system or network from--
(A) efforts to degrade, disrupt, or destroy such system or
network; or
(B) theft or misappropriations of private or government
information, intellectual property, or personally
identifiable information.
(7) Entity.--
(A) In general.--The term ``entity'' means any private
entity, non-Federal government agency or department, or
State, tribal, or local government agency or department
(including an officer, employee, or agent thereof).
(B) Inclusions.--The term ``entity'' includes a government
agency or department (including an officer, employee, or
agent thereof) of the District of Columbia, the Commonwealth
of Puerto Rico, the Virgin Islands, Guam, American Samoa, the
Northern Mariana Islands, and any other territory or
possession of the United States.
(8) Federal information system.--The term ``Federal
information system'' means an information system of a Federal
department or agency used or operated by an executive agency,
by a contractor of an executive agency, or by another
organization on behalf of an executive agency.
(9) Information security.--The term ``information
security'' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
(B) confidentiality, by preserving authorized restrictions
on access and disclosure, including means for protecting
personal privacy and proprietary information; or
(C) availability, by ensuring timely and reliable access to
and use of information.
(10) Information system.--The term ``information system''
has the meaning given the term in section 3502 of title 44,
United States Code.
(11) Local government.--The term ``local government'' means
any borough, city, county, parish, town, township, village,
or other general purpose political subdivision of a State.
(12) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
(13) Operational control.--The term ``operational control''
means a security control for an information system that
primarily is implemented and executed by people.
(14) Operational vulnerability.--The term ``operational
vulnerability'' means any attribute of policy, process, or
procedure that could enable or facilitate the defeat of an
operational control.
(15) Private entity.--The term ``private entity'' means any
individual or any private group, organization, or
corporation, including an officer, employee, or agent
thereof.
(16) Significant cyber incident.--The term ``significant
cyber incident'' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
(17) Technical control.--The term ``technical control''
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
(18) Technical vulnerability.--The term ``technical
vulnerability'' means any attribute of hardware or software
that could enable or facilitate the defeat of a technical
control.
(19) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian Self-
Determination and Education Assistance Act (25 U.S.C. 450b).
SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.
(a) Voluntary Disclosure.--
(1) Private entities.--Notwithstanding any other provision
of law, a private entity may, for the purpose of preventing,
investigating, or otherwise mitigating threats to information
security, on its own networks, or as authorized by another
entity, on such entity's networks, employ countermeasures and
use cybersecurity systems in order to obtain, identify, or
otherwise possess cyber threat information.
(2) Entities.--Notwithstanding any other provision of law,
an entity may disclose cyber threat information to--
(A) a cybersecurity center; or
(B) any other entity in order to assist with preventing,
investigating, or otherwise mitigating threats to information
security.
(3) Information security providers.--If the cyber threat
information described in paragraph (1) is obtained,
identified, or otherwise possessed in the course of providing
information security products or services under contract to
another entity, that entity shall be given, at any time prior
to disclosure of such information, a reasonable opportunity
to authorize or prevent such disclosure, to request
anonymization of such information, or to request that
reasonable efforts be made to safeguard such information that
identifies specific persons from unauthorized access or
disclosure.
(b) Significant Cyber Incidents Involving Federal
Information Systems.--
(1) In general.--An entity providing electronic
communication services, remote computing services, or
information security services to a Federal department or
agency shall inform the Federal department or agency of a
significant cyber incident involving the Federal information
system of that Federal department or agency that--
(A) is directly known to the entity as a result of
providing such services;
(B) is directly related to the provision of such services
by the entity; and
(C) as determined by the entity, has impeded or will impede
the performance of a critical mission of the Federal
department or agency.
(2) Advance coordination.--A Federal department or agency
receiving the services described in paragraph (1) shall
coordinate in advance with an entity described in paragraph
(1) to develop the parameters of any information that may be
provided under paragraph (1), including clarification of the
type of significant cyber incident that will impede the
performance of a critical mission of the Federal department
or agency.
(3) Report.--A Federal department or agency shall report
information provided under this subsection to a cybersecurity
center.
(4) Construction.--Any information provided to a
cybersecurity center under paragraph (3) shall be treated in
the same manner as information provided to a cybersecurity
center under subsection (a).
(c) Information Shared With or Provided to a Cybersecurity
Center.--Cyber threat information provided to a cybersecurity
center under this section--
(1) may be disclosed to, retained by, and used by,
consistent with otherwise applicable Federal law, any Federal
agency or department, component, officer, employee, or agent
of the Federal government for a cybersecurity purpose, a
national security purpose, or in order to prevent,
investigate, or prosecute any of the offenses listed in
section 2516 of title 18, United States Code, and such
information shall not be disclosed to, retained by, or used
by any Federal agency or department for any use not permitted
under this paragraph;
(2) may, with the prior written consent of the entity
submitting such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except that if the need for immediate
disclosure prevents obtaining written consent, such consent
may be provided orally with subsequent documentation of such
consent;
(3) shall be considered the commercial, financial, or
proprietary information of the entity providing such
information to the Federal government and any disclosure
outside the Federal government may only be made upon the
prior written consent by such entity and shall not constitute
a waiver of any applicable privilege or protection provided
by law, except that if the need for immediate disclosure
prevents obtaining written consent, such consent may be
provided orally with subsequent documentation of such
consent;
[[Page S5581]]
(4) shall be deemed voluntarily shared information and
exempt from disclosure under section 552 of title 5, United
States Code, and any State, tribal, or local law requiring
disclosure of information or records;
(5) shall be, without discretion, withheld from the public
under section 552(b)(3)(B) of title 5, United States Code,
and any State, tribal, or local law requiring disclosure of
information or records;
(6) shall not be subject to the rules of any Federal agency
or department or any judicial doctrine regarding ex parte
communications with a decision-making official;
(7) shall not, if subsequently provided to a State, tribal,
or local government or government agency, otherwise be
disclosed or distributed to any entity by such State, tribal,
or local government or government agency without the prior
written consent of the entity submitting such information,
notwithstanding any State, tribal, or local law requiring
disclosure of information or records, except that if the need
for immediate disclosure prevents obtaining written consent,
such consent may be provided orally with subsequent
documentation of such consent; and
(8) shall not be directly used by any Federal, State,
tribal, or local department or agency to regulate the lawful
activities of an entity, including activities relating to
obtaining, identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this paragraph.
(d) Procedures Relating to Information Sharing With a
Cybersecurity Center.--Not later than 60 days after the date
of enactment of this Act, the heads of each department or
agency containing a cybersecurity center shall jointly
develop, promulgate, and submit to Congress procedures to
ensure that cyber threat information shared with or provided
to--
(1) a cybersecurity center under this section--
(A) may be submitted to a cybersecurity center by an
entity, to the greatest extent possible, through a uniform,
publicly available process or format that is easily
accessible on the website of such cybersecurity center, and
that includes the ability to provide relevant details about
the cyber threat information and written consent to any
subsequent disclosures authorized by this paragraph;
(B) shall immediately be further shared with each
cybersecurity center in order to prevent, investigate, or
otherwise mitigate threats to information security across the
Federal government;
(C) is handled by the Federal government in a reasonable
manner, including consideration of the need to protect the
privacy and civil liberties of individuals through
anonymization or other appropriate methods, while fully
accomplishing the objectives of this title, and the Federal
government may undertake efforts consistent with this
subparagraph to limit the impact on privacy and civil
liberties of the sharing of cyber threat information with the
Federal government; and
(D) except as provided in this section, shall only be used,
disclosed, or handled in accordance with the provisions of
subsection (c); and
(2) a Federal agency or department under subsection (b) is
provided immediately to a cybersecurity center in order to
prevent, investigate, or otherwise mitigate threats to
information security across the Federal government.
(e) Information Shared Between Entities.--
(1) In general.--An entity sharing cyber threat information
with another entity under this title may restrict the use or
sharing of such information by such other entity.
(2) Further sharing.--Cyber threat information shared by
any entity with another entity under this title--
(A) shall only be further shared in accordance with any
restrictions placed on the sharing of such information by the
entity authorizing such sharing, such as appropriate
anonymization of such information; and
(B) may not be used by any entity to gain an unfair
competitive advantage to the detriment of the entity
authorizing the sharing of such information, except that the
conduct described in paragraph (3) shall not constitute
unfair competitive conduct.
(3) Information shared with state, tribal, or local
government or government agency.--Cyber threat information
shared with a State, tribal, or local government or
government agency under this title--
(A) may, with the prior written consent of the entity
sharing such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except if the need for immediate disclosure
prevents obtaining written consent, consent may be provided
orally with subsequent documentation of the consent;
(B) shall be deemed voluntarily shared information and
exempt from disclosure under any State, tribal, or local law
requiring disclosure of information or records;
(C) shall not be disclosed or distributed to any entity by
the State, tribal, or local government or government agency
without the prior written consent of the entity submitting
such information, notwithstanding any State, tribal, or local
law requiring disclosure of information or records, except if
the need for immediate disclosure prevents obtaining written
consent, consent may be provided orally with subsequent
documentation of the consent; and
(D) shall not be directly used by any State, tribal, or
local department or agency to regulate the lawful activities
of an entity, including activities relating to obtaining,
identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this
subparagraph.
(4) Antitrust exemption.--The exchange or provision of
cyber threat information or assistance between 2 or more
private entities under this title shall not be considered a
violation of any provision of antitrust laws if exchanged or
provided in order to assist with--
(A) facilitating the prevention, investigation, or
mitigation of threats to information security; or
(B) communicating or disclosing of cyber threat information
to help prevent, investigate or otherwise mitigate the
effects of a threat to information security.
(5) No right or benefit.--The provision of cyber threat
information to an entity under this section shall not create
a right or a benefit to similar information by such entity or
any other entity.
(f) Federal Preemption.--
(1) In general.--This section supersedes any statute or
other law of a State or political subdivision of a State that
restricts or otherwise expressly regulates an activity
authorized under this section.
(2) State law enforcement.--Nothing in this section shall
be construed to supersede any statute or other law of a State
or political subdivision of a State concerning the use of
authorized law enforcement techniques.
(3) Public disclosure.--No information shared with or
provided to a State, tribal, or local government or
government agency pursuant to this section shall be made
publicly available pursuant to any State, tribal, or local
law requiring disclosure of information or records.
(g) Civil and Criminal Liability.--
(1) General protections.--
(A) Private entities.--No cause of action shall lie or be
maintained in any court against any private entity for--
(i) the use of countermeasures and cybersecurity systems as
authorized by this title;
(ii) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(iii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
private entity.
(B) Entities.--No cause of action shall lie or be
maintained in any court against any entity for--
(i) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(ii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
entity.
(2) Construction.--Nothing in this subsection shall be
construed as creating any immunity against, or otherwise
affecting, any action brought by the Federal government, or
any agency or department thereof, to enforce any law,
executive order, or procedure governing the appropriate
handling, disclosure, and use of classified information.
(h) Otherwise Lawful Disclosures.--Nothing in this section
shall be construed to limit or prohibit otherwise lawful
disclosures of communications, records, or other information
by a private entity to any other governmental or private
entity not covered under this section.
(i) Whistleblower Protection.--Nothing in this Act shall be
construed to preempt or preclude any employee from exercising
rights currently provided under any whistleblower law, rule,
or regulation.
(j) Relationship to Other Laws.--The submission of cyber
threat information under this section to a cybersecurity
center shall not affect any requirement under any other
provision of law for an entity to provide information to the
Federal government.
SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.
(a) Classified Information.--
(1) Procedures.--Consistent with the protection of
intelligence sources and methods, and as otherwise determined
appropriate, the Director of National Intelligence and the
Secretary of Defense, in consultation with the heads of the
appropriate Federal departments or agencies, shall develop
and promulgate procedures to facilitate and promote--
(A) the immediate sharing, through the cybersecurity
centers, of classified cyber threat information in the
possession of the Federal government with appropriately
cleared representatives of any appropriate entity; and
(B) the declassification and immediate sharing, through the
cybersecurity centers, with any entity or, if appropriate,
public availability of cyber threat information in the
possession of the Federal government;
(2) Handling of classified information.--The procedures
developed under paragraph (1) shall ensure that each entity
receiving classified cyber threat information pursuant to
this section has acknowledged in writing the ongoing
obligation to comply with all
[[Page S5582]]
laws, executive orders, and procedures concerning the
appropriate handling, disclosure, or use of classified
information.
(b) Unclassified Cyber Threat Information.--The heads of
each department or agency containing a cybersecurity center
shall jointly develop and promulgate procedures that ensure
that, consistent with the provisions of this section,
unclassified, including controlled unclassified, cyber threat
information in the possession of the Federal government--
(1) is shared, through the cybersecurity centers, in an
immediate and adequate manner with appropriate entities; and
(2) if appropriate, is made publicly available.
(c) Development of Procedures.--
(1) In general.--The procedures developed under this
section shall incorporate, to the greatest extent possible,
existing processes utilized by sector specific information
sharing and analysis centers.
(2) Coordination with entities.--In developing the
procedures required under this section, the Director of
National Intelligence and the heads of each department or
agency containing a cybersecurity center shall coordinate
with appropriate entities to ensure that protocols are
implemented that will facilitate and promote the sharing of
cyber threat information by the Federal government.
(d) Additional Responsibilities of Cybersecurity Centers.--
Consistent with section 102, a cybersecurity center shall--
(1) facilitate information sharing, interaction, and
collaboration among and between cybersecurity centers and--
(A) other Federal entities;
(B) any entity; and
(C) international partners, in consultation with the
Secretary of State;
(2) disseminate timely and actionable cybersecurity threat,
vulnerability, mitigation, and warning information, including
alerts, advisories, indicators, signatures, and mitigation
and response measures, to improve the security and protection
of information systems; and
(3) coordinate with other Federal entities, as appropriate,
to integrate information from across the Federal government
to provide situational awareness of the cybersecurity posture
of the United States.
(e) Sharing Within the Federal Government.--The heads of
appropriate Federal departments and agencies shall ensure
that cyber threat information in the possession of such
Federal departments or agencies that relates to the
prevention, investigation, or mitigation of threats to
information security across the Federal government is shared
effectively with the cybersecurity centers.
(f) Submission to Congress.--Not later than 60 days after
the date of enactment of this Act, the Director of National
Intelligence, in coordination with the appropriate head of a
department or an agency containing a cybersecurity center,
shall submit the procedures required by this section to
Congress.
SEC. 104. CONSTRUCTION.
(a) Information Sharing Relationships.--Nothing in this
title shall be construed--
(1) to limit or modify an existing information sharing
relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship
between any entity and the Federal government, except as
specified under section 102(b); or
(4) to modify the authority of a department or agency of
the Federal government to protect sources and methods and the
national security of the United States.
(b) Anti-tasking Restriction.--Nothing in this title shall
be construed to permit the Federal government--
(1) to require an entity to share information with the
Federal government, except as expressly provided under
section 102(b); or
(2) to condition the sharing of cyber threat information
with an entity on such entity's provision of cyber threat
information to the Federal government.
(c) No Liability for Non-participation.--Nothing in this
title shall be construed to subject any entity to liability
for choosing not to engage in the voluntary activities
authorized under this title.
(d) Use and Retention of Information.--Nothing in this
title shall be construed to authorize, or to modify any
existing authority of, a department or agency of the Federal
government to retain or use any information shared under
section 102 for any use other than a use permitted under
subsection 102(c)(1).
(e) No New Funding.--An applicable Federal agency shall
carry out the provisions of this title with existing
facilities and funds otherwise available, through such means
as the head of the agency considers appropriate.
SEC. 105. REPORT ON IMPLEMENTATION.
(a) Content of Report.--Not later than 1 year after the
date of enactment of this Act, and biennially thereafter, the
heads of each department or agency containing a cybersecurity
center shall jointly submit, in coordination with the privacy
and civil liberties officials of such departments or agencies
and the Privacy and Civil Liberties Oversight Board, a
detailed report to Congress concerning the implementation of
this title, including--
(1) an assessment of the sufficiency of the procedures
developed under section 103 of this Act in ensuring that
cyber threat information in the possession of the Federal
government is provided in an immediate and adequate manner to
appropriate entities or, if appropriate, is made publicly
available;
(2) an assessment of whether information has been
appropriately classified and an accounting of the number of
security clearances authorized by the Federal government for
purposes of this title;
(3) a review of the type of cyber threat information shared
with a cybersecurity center under section 102 of this Act,
including whether such information meets the definition of
cyber threat information under section 101, the degree to
which such information may impact the privacy and civil
liberties of individuals, any appropriate metrics to
determine any impact of the sharing of such information with
the Federal government on privacy and civil liberties, and
the adequacy of any steps taken to reduce such impact;
(4) a review of actions taken by the Federal government
based on information provided to a cybersecurity center under
section 102 of this Act, including the appropriateness of any
subsequent use under section 102(c)(1) of this Act and
whether there was inappropriate stovepiping within the
Federal government of any such information;
(5) a description of any violations of the requirements of
this title by the Federal government;
(6) a classified list of entities that received classified
information from the Federal government under section 103 of
this Act and a description of any indication that such
information may not have been appropriately handled;
(7) a summary of any breach of information security, if
known, attributable to a specific failure by any entity or
the Federal government to act on cyber threat information in
the possession of such entity or the Federal government that
resulted in substantial economic harm or injury to a specific
entity or the Federal government; and
(8) any recommendation for improvements or modifications to
the authorities under this title.
(b) Form of Report.--The report under subsection (a) shall
be submitted in unclassified form, but shall include a
classified annex.
SEC. 106. INSPECTOR GENERAL REVIEW.
(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency are authorized to review compliance
by the cybersecurity centers, and by any Federal department
or agency receiving cyber threat information from such
cybersecurity centers, with the procedures required under
section 102 of this Act.
(b) Scope of Review.--The review under subsection (a) shall
consider whether the Federal government has handled such
cyber threat information in a reasonable manner, including
consideration of the need to protect the privacy and civil
liberties of individuals through anonymization or other
appropriate methods, while fully accomplishing the objectives
of this title.
(c) Report to Congress.--Each review conducted under this
section shall be provided to Congress not later than 30 days
after the date of completion of the review.
SEC. 107. TECHNICAL AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
(1) in paragraph (8), by striking ``or'';
(2) in paragraph (9), by striking ``wells.'' and inserting
``wells; or''; and
(3) by adding at the end the following:
``(10) information shared with or provided to a
cybersecurity center under section 102 of title I of the
Strengthening and Enhancing Cybersecurity by Using Research,
Education, Information, and Technology Act of 2012.''.
SEC. 108. ACCESS TO CLASSIFIED INFORMATION.
(a) Authorization Required.--No person shall be provided
with access to classified information (as defined in section
6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to
classified national security information)) relating to cyber
security threats or cyber security vulnerabilities under this
title without the appropriate security clearances.
(b) Security Clearances.--The appropriate Federal agencies
or departments shall, consistent with applicable procedures
and requirements, and if otherwise deemed appropriate, assist
an individual in timely obtaining an appropriate security
clearance where such individual has been determined to be
eligible for such clearance and has a need-to-know (as
defined in section 6.1 of that Executive Order) classified
information to carry out this title.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY
POLICY.
(a) In General.--Chapter 35 of title 44, United States
Code, is amended by striking subchapters II and III and
inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the
effectiveness of information security controls over
information resources that support Federal operations and
assets;
``(2) to recognize the highly networked nature of the
current Federal computing environment and provide effective
government-wide management of policies, directives,
standards, and guidelines, as well as effective and nimble
oversight of and response to
[[Page S5583]]
information security risks, including coordination of
information security efforts throughout the Federal civilian,
national security, and law enforcement communities;
``(3) to provide for development and maintenance of
controls required to protect agency information and
information systems and contribute to the overall improvement
of agency information security posture;
``(4) to provide for the development of tools and methods
to assess and respond to real-time situational risk for
Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency
information security programs through continuous monitoring
of agency information systems and streamlined reporting
requirements rather than overly prescriptive manual
reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security'
means security commensurate with the risk and magnitude of
the harm resulting from the unauthorized access to or loss,
misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the
term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity
center' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat
information' means information that indicates or describes--
``(A) a technical or operation vulnerability or a cyber
threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous
patterns of network activity that appear to be transmitted
for the purpose of gathering technical information related to
a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
``(G) a method of causing a user with legitimate access to
an information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
``(H) any other attribute of a cybersecurity threat or
cyber defense information that would foster situational
awareness of the United States cybersecurity posture, if
disclosure of such attribute or information is not otherwise
prohibited by law;
``(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of
the Office of Management and Budget unless otherwise
specified.
``(6) Environment of operation.--The term `environment of
operation' means the information system and environment in
which those systems operate, including changing threats,
vulnerabilities, technologies, and missions and business
practices.
``(7) Federal information system.--The term `Federal
information system' means an information system used or
operated by an executive agency, by a contractor of an
executive agency, or by another organization on behalf of an
executive agency.
``(8) Incident.--The term `incident' means an occurrence
that--
``(A) actually or imminently jeopardizes the integrity,
confidentiality, or availability of an information system or
the information that system controls, processes, stores, or
transmits; or
``(B) constitutes a violation of law or an imminent threat
of violation of a law, a security policy, a security
procedure, or an acceptable use policy.
``(9) Information resources.--The term `information
resources' has the meaning given the term in section 3502 of
title 44.
``(10) Information security.--The term `information
security' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
``(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized
restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access
to and use of information.
``(11) Information system.--The term `information system'
has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information
technology' has the meaning given the term in section 11101
of title 40.
``(13) Malicious reconnaissance.--The term `malicious
reconnaissance' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system'
means any information system (including any
telecommunications system) used or operated by an agency or
by a contractor of an agency, or other organization on behalf
of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national
security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a
weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the
direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established
for information that have been specifically authorized under
criteria established by an Executive Order or an Act of
Congress to be kept classified in the interest of national
defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include
a system that is to be used for routine administrative and
business applications (including payroll, finance, logistics,
and personnel management applications).
``(15) Operational control.--The term `operational control'
means a security control for an information system that
primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the
term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary
of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means
the management, operational, and technical controls,
including safeguards or countermeasures, prescribed for an
information system to protect the confidentiality, integrity,
and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant
cyber incident' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
``(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
``(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
``(20) Technical control.--The term `technical control'
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
``Sec. 3553. Federal information security authority and
coordination
``(a) In General.--The Secretary, in consultation with the
Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives
governing agency information security operations, and require
implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards
and guidelines promulgated under section 11331 of title 40 to
identify and provide information security protections
prioritized and commensurate with the risk and impact
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf
of an agency; or
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(B) minimum operational requirements for Federal
Government to protect agency information systems and provide
common situational awareness across all agency information
systems;
``(C) reporting requirements, consistent with relevant law,
regarding information security incidents and cyber threat
information;
``(D) requirements for agencywide information security
programs;
``(E) performance requirements and metrics for the security
of agency information systems;
``(F) training requirements to ensure that agencies are
able to fully and timely comply with the policies and
directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil
rights, and civil liberties, and information oversight for
agency information security personnel;
``(H) requirements for the annual reports to the Secretary
under section 3554(d);
``(I) any other information security operations or
information security requirements as determined by the
Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and
guidelines under section 20 of
[[Page S5584]]
the National Institute of Standards and Technology Act (15
U.S.C. 278g-3) with agencies and offices operating or
exercising control of national security systems (including
the National Security Agency) to assure, to the maximum
extent feasible, that such standards and guidelines are
complementary with standards and guidelines developed for
national security systems;
``(2) review the agencywide information security programs
under section 3554; and
``(3) designate an individual or an entity at each
cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information
security incidents, cyber threat information, and
deterioration of security control affecting agency
information systems; and
``(B) to act on or share the information under subparagraph
(A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives
under subsection (a), the Secretary shall consider any
applicable standards or guidelines developed by the National
Institute of Standards and Technology under section 11331 of
title 40.
``(c) Limitation of Authority.--The authorities of the
Secretary under this section shall not apply to national
security systems. Information security policies, directives,
standards and guidelines for national security systems shall
be overseen as directed by the President and, in accordance
with that direction, carried out under the authority of the
heads of agencies that operate or exercise authority over
such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter
shall be construed to alter or amend any law regarding the
authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued
under section 3553;
``(B) providing information security protections
commensurate with the risk resulting from unauthorized
access, use, disclosure, disruption, modification, or
destruction of--
``(i) information collected or maintained by the agency or
by a contractor of an agency or other organization on behalf
of an agency; and
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(C) complying with the requirements of this subchapter,
including--
``(i) information security standards and guidelines
promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued as directed by
the President; and
``(iii) for any non-national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued under section
3553;
``(D) ensuring that information security management
processes are integrated with agency strategic and
operational planning processes;
``(E) reporting and sharing, for an agency operating or
exercising control of a national security system, information
about information security incidents, cyber threat
information, and deterioration of security controls to the
individual or entity designated at each cybersecurity center
and to other appropriate entities consistent with policies
and directives for national security systems issued as
directed by the President; and
``(F) reporting and sharing, for those agencies operating
or exercising control of non-national security systems,
information about information security incidents, cyber
threat information, and deterioration of security controls to
the individual or entity designated at each cybersecurity
center and to other appropriate entities consistent with
policies and directives for non-national security systems as
prescribed under section 3553(a), including information to
assist the entity designated under section 3555(a) with the
ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides
information security for the information and information
systems that support the operations and assets under the
senior agency official's control, including by--
``(A) assessing the risk and impact that could result from
the unauthorized access, use, disclosure, disruption,
modification, or destruction of such information or
information systems;
``(B) determining the level of information security
appropriate to protect such information and information
systems in accordance with policies and directives issued
under section 3553(a), and standards and guidelines
promulgated under section 11331 of title 40 for information
security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities
to reduce risks to an acceptable level in a cost-effective
manner;
``(D) actively monitoring the effective implementation of
information security controls and techniques; and
``(E) reporting information about information security
incidents, cyber threat information, and deterioration of
security controls in a timely and adequate manner to the
entity designated under section 3553(a)(3) in accordance with
paragraph (1);
``(3) assess and maintain the resiliency of information
technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an
independent entity selected in consultation with the Director
and the Council of Inspectors General on Integrity and
Efficiency if the agency does not have an Inspector General)
to conduct the annual independent evaluation required under
section 3556, and allow the agency Inspector General to
contract with an independent entity to perform such
evaluation;
``(5) delegate to the Chief Information Officer or
equivalent (or to a senior agency official who reports to the
Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement
an agencywide information security program; and
``(B) the authority to provide information security for the
information collected and maintained by the agency (or by a
contractor, other agency, or other source on behalf of the
agency) and for the information systems that support the
operations, assets, and mission of the agency (including any
information system provided or managed by a contractor, other
agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is
responsible for a particular agency system or subsystem) the
responsibility to ensure and enforce compliance with all
requirements of the agency's agencywide information security
program in coordination with the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have
obtained any necessary security clearances to permit them to
assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5),
in coordination with other senior agency officials, reports
to the agency head on the effectiveness of the agencywide
information security program, including the progress of any
remedial actions; and
``(9) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5)
has the necessary qualifications to administer the functions
described in this subchapter and has information security
duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information
Officer or equivalent (or the senior agency official who
reports to the Chief Information Officer or equivalent) under
subsection (a)(5) shall--
``(1) establish and maintain an enterprise security
operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds
to information security incidents that impair adequate
security of the agency's information or information system in
a timely manner and in accordance with the policies and
directives under section 3553; and
``(B) reports any information security incident under
subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide
information security program;
``(3) develop, maintain, and oversee information security
policies, procedures, and control techniques to address
applicable requirements, including requirements under section
3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have
significant responsibility for information security with
respect to that responsibility.
``(c) Agencywide Information Security Programs.--
``(1) In general.--Each agencywide information security
program under subsection (b)(2) shall include--
``(A) relevant security risk assessments, including
technical assessments and others related to the acquisition
process;
``(B) security testing commensurate with risk and impact;
``(C) mitigation of deterioration of security controls
commensurate with risk and impact;
``(D) risk-based continuous monitoring and threat
assessment of the operational status and security of agency
information systems to enable evaluation of the effectiveness
of and compliance with information security policies,
procedures, and practices, including a relevant and
appropriate selection of security controls of information
systems identified in the inventory under section 3505(c);
``(E) operation of appropriate technical capabilities in
order to detect, mitigate, report, and respond to information
security incidents, cyber threat information, and
deterioration of security controls in a manner that is
consistent with the policies and directives under section
3553, including--
``(i) mitigating risks associated with such information
security incidents;
``(ii) notifying and consulting with the entity designated
under section 3555; and
``(iii) notifying and consulting with, as appropriate--
[[Page S5585]]
``(I) law enforcement and the relevant Office of the
Inspector General; and
``(II) any other entity, in accordance with law and as
directed by the President;
``(F) a process to ensure that remedial action is taken to
address any deficiencies in the information security
policies, procedures, and practices of the agency; and
``(G) a plan and procedures to ensure the continuity of
operations for information systems that support the
operations and assets of the agency.
``(2) Risk management strategies.--Each agencywide
information security program under subsection (b)(2) shall
include the development and maintenance of a risk management
strategy for information security. The risk management
strategy shall include--
``(A) consideration of information security incidents,
cyber threat information, and deterioration of security
controls; and
``(B) consideration of the consequences that could result
from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information
systems that support the operations and assets of the agency,
including any information system provided or managed by a
contractor, other agency, or other source on behalf of the
agency;
``(3) Policies and procedures.--Each agencywide information
security program under subsection (b)(2) shall include
policies and procedures that--
``(A) are based on the risk management strategy under
paragraph (2);
``(B) reduce information security risks to an acceptable
level in a cost-effective manner;
``(C) ensure that cost-effective and adequate information
security is addressed as part of the acquisition and ongoing
management of each agency information system; and
``(D) ensure compliance with--
``(i) this subchapter; and
``(ii) any other applicable requirements.
``(4) Training requirements.--Each agencywide information
security program under subsection (b)(2) shall include
information security, privacy, civil rights, civil liberties,
and information oversight training that meets any applicable
requirements under section 3553. The training shall inform
each information security personnel that has access to agency
information systems (including contractors and other users of
information systems that support the operations and assets of
the agency) of--
``(A) the information security risks associated with the
information security personnel's activities; and
``(B) the individual's responsibility to comply with the
agency policies and procedures that reduce the risks under
subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report
annually to the Secretary of Homeland Security on its
agencywide information security program and information
systems.
``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of
Management and Budget, in coordination with the Secretary of
Homeland Security, shall designate an entity to implement
ongoing security analysis concerning agency information
systems--
``(1) based on cyber threat information;
``(2) based on agency information system and environment of
operation changes, including--
``(A) an ongoing evaluation of the information system
security controls; and
``(B) the security state, risk level, and environment of
operation of an agency information system, including--
``(i) a change in risk level due to a new cyber threat;
``(ii) a change resulting from a new technology;
``(iii) a change resulting from the agency's mission; and
``(iv) a change resulting from the business practice; and
``(3) using automated processes to the maximum extent
possible--
``(A) to increase information system security;
``(B) to reduce paper-based reporting requirements; and
``(C) to maintain timely and actionable knowledge of the
state of the information system security.
``(b) Standards.--The National Institute of Standards and
Technology may promulgate standards, in coordination with the
Secretary of Homeland Security, to assist an agency with its
duties under this section.
``(c) Compliance.--The head of each appropriate department
and agency shall be responsible for ensuring compliance and
implementing necessary procedures to comply with this
section. The head of each appropriate department and agency,
in consultation with the Director of the Office of Management
and Budget and the Secretary of Homeland Security, shall--
``(1) monitor compliance under this section;
``(2) develop a timeline and implement for the department
or agency--
``(A) adoption of any technology, system, or method that
facilitates continuous monitoring and threat assessments of
an agency information system;
``(B) adoption or updating of any technology, system, or
method that prevents, detects, or remediates a significant
cyber incident to a Federal information system of the
department or agency that has impeded, or is reasonably
likely to impede, the performance of a critical mission of
the department or agency; and
``(C) adoption of any technology, system, or method that
satisfies a requirement under this section.
``(d) Limitation of Authority.--The authorities of the
Director of the Office of Management and Budget and of the
Secretary of Homeland Security under this section shall not
apply to national security systems.
``(e) Report.--Not later than 6 months after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Government Accountability Office shall issue a
report evaluating each agency's status toward implementing
this section.
``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency, in consultation with the Director
and the Secretary of Homeland Security, the Secretary of
Commerce, and the Secretary of Defense, shall issue and
maintain criteria for the timely, cost-effective, risk-based,
and independent evaluation of each agencywide information
security program (and practices) to determine the
effectiveness of the agencywide information security program
(and practices). The criteria shall include measures to
assess any conflicts of interest in the performance of the
evaluation and whether the agencywide information security
program includes appropriate safeguards against disclosure of
information where such disclosure may adversely affect
information security.
``(b) Annual Independent Evaluations.--Each agency shall
perform an annual independent evaluation of its agencywide
information security program (and practices) in accordance
with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days
after receiving an independent evaluation under subsection
(b), each agency head shall transmit a copy of the
independent evaluation to the Secretary of Homeland Security,
the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving
national security systems shall be conducted as directed by
the President.
``Sec. 3557. National security systems.
``The head of each agency operating or exercising control
of a national security system shall be responsible for
ensuring that the agency--
``(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of the information
contained in such system; and
``(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with law and
as directed by the President.''.
(b) Savings Provisions.--
(1) Policy and compliance guidance.--Policy and compliance
guidance issued by the Director before the date of enactment
of this Act under section 3543(a)(1) of title 44, United
States Code (as in effect on the day before the date of
enactment of this Act), shall continue in effect, according
to its terms, until modified, terminated, superseded, or
repealed pursuant to section 3553(a)(1) of title 44, United
States Code.
(2) Standards and guidelines.--Standards and guidelines
issued by the Secretary of Commerce or by the Director before
the date of enactment of this Act under section 11331(a)(1)
of title 40, United States Code, (as in effect on the day
before the date of enactment of this Act) shall continue in
effect, according to their terms, until modified, terminated,
superseded, or repealed pursuant to section 11331(a)(1) of
title 40, United States Code, as amended by this Act.
(c) Technical and Conforming Amendments.--
(1) Chapter analysis.--The chapter analysis for chapter 35
of title 44, United States Code, is amended--
(A) by striking the items relating to sections 3531 through
3538;
(B) by striking the items relating to sections 3541 through
3549; and
(C) by inserting the following:
``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
(2) Other references.--
(A) Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section
3532(3)'' and inserting ``section 3552''.
(B) Section 2222(j)(5) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(C) Section 2223(c)(3) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(D) Section 2315 of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(E) Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking ``section
3532(b)(2)'' and inserting ``section 3552'';
(ii) in subsection (c)(3), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iii) in subsection (d)(1), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iv) in subsection (d)(8) by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(v) in subsection (d)(8), by striking ``submitted to the
Director'' and inserting ``submitted to the Secretary'';
(vi) in subsection (e)(2), by striking ``section 3532(1) of
such title'' and inserting ``section 3552 of title 44''; and
(vii) in subsection (e)(5), by striking ``section
3532(b)(2) of such title'' and inserting ``section 3552 of
title 44''.
(F) Section 8(d)(1) of the Cyber Security Research and
Development Act (15 U.S.C. 7406(d)(1)) is amended by striking
``section 3534(b)'' and inserting ``section 3554(b)(2)''.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General.--Section 11331 of title 40, United States
Code, is amended to read as follows:
``Sec. 11331. Responsibilities for Federal information
systems standards
``(a) Standards and Guidelines.--
``(1) Authority to prescribe.--Except as provided under
paragraph (2), the Secretary of Commerce shall prescribe
standards and guidelines pertaining to Federal information
systems--
``(A) in consultation with the Secretary of Homeland
Security; and
``(B) on the basis of standards and guidelines developed by
the National Institute of Standards and Technology under
paragraphs (2) and (3) of section 20(a) of the National
Institute of Standards and Technology Act (15 U.S.C. 278g-
3(a)(2) and (a)(3)).
``(2) National security systems.--Standards and guidelines
for national security systems shall be developed, prescribed,
enforced, and overseen as otherwise authorized by law and as
directed by the President.
``(b) Mandatory Standards and Guidelines.--
``(1) Authority to make mandatory standards and
guidelines.--The Secretary of Commerce shall make standards
and guidelines under subsection (a)(1) compulsory and binding
to the extent determined necessary by the Secretary of
Commerce to improve the efficiency of operation or security
of Federal information systems.
``(2) Required mandatory standards and guidelines.--
``(A) In general.--Standards and guidelines under
subsection (a)(1) shall include information security
standards that--
``(i) provide minimum information security requirements as
determined under section 20(b) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(b)); and
``(ii) are otherwise necessary to improve the security of
Federal information and information systems.
``(B) Binding effect.--Information security standards under
subparagraph (A) shall be compulsory and binding.
``(c) Exercise of Authority.--To ensure fiscal and policy
consistency, the Secretary of Commerce shall exercise the
authority conferred by this section subject to direction by
the President and in coordination with the Director.
``(d) Application of More Stringent Standards and
Guidelines.--The head of an executive agency may employ
standards for the cost-effective information security for
information systems within or under the supervision of that
agency that are more stringent than the standards and
guidelines the Secretary of Commerce prescribes under this
section if the more stringent standards and guidelines--
``(1) contain at least the applicable standards and
guidelines made compulsory and binding by the Secretary of
Commerce; and
``(2) are otherwise consistent with the policies,
directives, and implementation memoranda issued under section
3553(a) of title 44.
``(e) Decisions on Promulgation of Standards and
Guidelines.--The decision by the Secretary of Commerce
regarding the promulgation of any standard or guideline under
this section shall occur not later than 6 months after the
date of submission of the proposed standard to the Secretary
of Commerce by the National Institute of Standards and
Technology under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3).
``(f) Notice and Comment.--A decision by the Secretary of
Commerce to significantly modify, or not promulgate, a
proposed standard submitted to the Secretary by the National
Institute of Standards and Technology under section 20 of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3) shall be made after the public is given an
opportunity to comment on the Secretary's proposed decision.
``(g) Definitions.--In this section:
``(1) Federal information system.--The term `Federal
information system' has the meaning given the term in section
3552 of title 44.
``(2) Information security.--The term `information
security' has the meaning given the term in section 3552 of
title 44.
``(3) National security system.--The term `national
security system' has the meaning given the term in section
3552 of title 44.''.
SEC. 203. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.
Section 21(b) of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-4(b)) is amended--
(1) in paragraph (2), by striking ``and the Director of the
Office of Management and Budget'' and inserting ``, the
Secretary of Commerce, and the Secretary of Homeland
Security''; and
(2) in paragraph (3), by inserting ``, the Secretary of
Homeland Security,'' after ``the Secretary of Commerce''.
SEC. 205. CLARIFICATION OF AUTHORITIES.
Nothing in this title shall be construed to convey any new
regulatory authority to any government entity implementing or
complying with any provision of this title.
TITLE III--CRIMINAL PENALTIES
SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN
CONNECTION WITH COMPUTERS.
Section 1030(c) of title 18, United States Code, is amended
to read as follows:
``(c) The punishment for an offense under subsection (a) or
(b) of this section is--
``(1) a fine under this title or imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(1) of this section;
``(2)(A) except as provided in subparagraph (B), a fine
under this title or imprisonment for not more than 3 years,
or both, in the case of an offense under subsection (a)(2);
or
``(B) a fine under this title or imprisonment for not more
than ten years, or both, in the case of an offense under
subsection (a)(2) of this section, if--
``(i) the offense was committed for purposes of commercial
advantage or private financial gain;
``(ii) the offense was committed in the furtherance of any
criminal or tortious act in violation of the Constitution or
laws of the United States, or of any State; or
``(iii) the value of the information obtained, or that
would have been obtained if the offense was completed,
exceeds $5,000;
``(3) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(3) of this section;
``(4) a fine under this title or imprisonment of not more
than 20 years, or both, in the case of an offense under
subsection (a)(4) of this section;
``(5)(A) except as provided in subparagraph (C), a fine
under this title, imprisonment for not more than 20 years, or
both, in the case of an offense under subsection (a)(5)(A) of
this section, if the offense caused--
``(i) loss to 1 or more persons during any 1-year period
(and, for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting
from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
``(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
``(iii) physical injury to any person;
``(iv) a threat to public health or safety;
``(v) damage affecting a computer used by, or on behalf of,
an entity of the United States Government in furtherance of
the administration of justice, national defense, or national
security; or
``(vi) damage affecting 10 or more protected computers
during any 1-year period;
``(B) a fine under this title, imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(5)(B), if the offense caused a harm provided
in clause (i) through (vi) of subparagraph (A) of this
subsection;
``(C) if the offender attempts to cause or knowingly or
recklessly causes death from conduct in violation of
subsection (a)(5)(A), a fine under this title, imprisonment
for any term of years or for life, or both;
``(D) a fine under this title, imprisonment for not more
than 10 years, or both, for any other offense under
subsection (a)(5);
``(E) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(6) of this section; or
``(F) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(7) of this section.''.
SEC. 302. TRAFFICKING IN PASSWORDS.
Section 1030(a)(6) of title 18, United States Code, is
amended to read as follows:
``(6) knowingly and with intent to defraud traffics (as
defined in section 1029) in any password or similar
information or means of access through which a protected
computer (as defined in subparagraphs (A) and (B) of
subsection (e)(2)) may be accessed without authorization.''.
SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.
Section 1030(b) of title 18, United States Code, is amended
by inserting ``as if for the completed offense'' after
``punished as provided''.
SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED
ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030 of title 18, United States Code, is amended by
striking subsections (i) and (j) and inserting the following:
``(i) Criminal Forfeiture.--
``(1) The court, in imposing sentence on any person
convicted of a violation of this section, or convicted of
conspiracy to violate this section, shall order, in addition
to any other sentence imposed and irrespective of any
provision of State law, that such person forfeit to the
United States--
``(A) such person's interest in any property, real or
personal, that was used, or intended to be used, to commit or
facilitate the commission of such violation; and
``(B) any property, real or personal, constituting or
derived from any gross proceeds, or any property traceable to
such property, that such person obtained, directly or
indirectly, as a result of such violation.
``(2) The criminal forfeiture of property under this
subsection, including any seizure and disposition of the
property, and any related judicial or administrative
proceeding, shall be governed by the provisions of section
413 of the Comprehensive Drug Abuse Prevention and Control
Act of 1970 (21 U.S.C. 853), except subsection (d) of that
section.
``(j) Civil Forfeiture.--
``(1) The following shall be subject to forfeiture to the
United States and no property right, real or personal, shall
exist in them:
``(A) Any property, real or personal, that was used, or
intended to be used, to commit or facilitate the commission
of any violation of this section, or a conspiracy to violate
this section.
``(B) Any property, real or personal, constituting or
derived from any gross proceeds obtained directly or
indirectly, or any property traceable to such property, as a
result of the commission of any violation of this section, or
a conspiracy to violate this section.
``(2) Seizures and forfeitures under this subsection shall
be governed by the provisions in chapter 46 relating to civil
forfeitures, except that such duties as are imposed on the
Secretary of the Treasury under the customs laws described in
section 981(d) shall be performed by such officers, agents
and other persons as may be designated for that purpose by
the Secretary of Homeland Security or the Attorney
General.''.
SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.
(a) In General.--Chapter 47 of title 18, United States
Code, is amended by inserting after section 1030 the
following:
``Sec. 1030A. Aggravated damage to a critical infrastructure
computer
``(a) Definitions.--In this section--
``(1) the term `computer' has the meaning given the term in
section 1030;
``(2) the term `critical infrastructure computer' means a
computer that manages or controls systems or assets vital to
national defense, national security, national economic
security, public health or safety, or any combination of
those matters, whether publicly or privately owned or
operated, including--
``(A) oil and gas production, storage, conversion, and
delivery systems;
``(B) water supply systems;
``(C) telecommunication networks;
``(D) electrical power generation and delivery systems;
``(E) finance and banking systems;
``(F) emergency services;
``(G) transportation systems and services; and
``(H) government operations that provide essential services
to the public; and
``(3) the term `damage' has the meaning given the term in
section 1030.
``(b) Offense.--It shall be unlawful, during and in
relation to a felony violation of section 1030, to knowingly
cause or attempt to cause damage to a critical infrastructure
computer if the damage results in (or, in the case of an
attempt, if completed, would have resulted in) the
substantial impairment--
``(1) of the operation of the critical infrastructure
computer; or
``(2) of the critical infrastructure associated with the
computer.
``(c) Penalty.--Any person who violates subsection (b)
shall be--
``(1) fined under this title;
``(2) imprisoned for not less than 3 years but not more
than 20 years; or
``(3) penalized under paragraphs (1) and (2).
``(d) Consecutive Sentence.--Notwithstanding any other
provision of law--
``(1) a court shall not place on probation any person
convicted of a violation of this section;
``(2) except as provided in paragraph (4), no term of
imprisonment imposed on a person under this section shall run
concurrently with any other term of imprisonment, including
any term of imprisonment imposed on the person under any
other provision of law, including any term of imprisonment
imposed for a felony violation of section 1030;
``(3) in determining any term of imprisonment to be imposed
for a felony violation of section 1030, a court shall not in
any way reduce the term to be imposed for such crime so as to
compensate for, or otherwise take into account, any separate
term of imprisonment imposed or to be imposed for a violation
of this section; and
``(4) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the
court, run concurrently, in whole or in part, only with
another term of imprisonment that is imposed by the court at
the same time on that person for an additional violation of
this section, provided that such discretion shall be
exercised in accordance with any applicable guidelines and
policy statements issued by the United States Sentencing
Commission pursuant to section 994 of title 28.''.
(b) Technical and Conforming Amendment.--The chapter
analysis for chapter 47 of title 18, United States Code, is
amended by inserting after the item relating to section 1030
the following:
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code, is
amended by striking ``alter;'' and inserting ``alter, but
does not include access in violation of a contractual
obligation or agreement, such as an acceptable use policy or
terms of service agreement, with an Internet service
provider, Internet website, or non-government employer, if
such violation constitutes the sole basis for determining
that access to a protected computer is unauthorized;''.
SEC. 307. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM
PLANNING AND COORDINATION.
(a) Goals and Priorities.--Section 101 of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511) is amended
by adding at the end the following:
``(d) Goals and Priorities.--The goals and priorities for
Federal high-performance computing research, development,
networking, and other activities under subsection (a)(2)(A)
shall include--
``(1) encouraging and supporting mechanisms for
interdisciplinary research and development in networking and
information technology, including--
``(A) through collaborations across agencies;
``(B) through collaborations across Program Component
Areas;
``(C) through collaborations with industry;
``(D) through collaborations with institutions of higher
education;
``(E) through collaborations with Federal laboratories (as
defined in section 4 of the Stevenson-Wydler Technology
Innovation Act of 1980 (15 U.S.C. 3703)); and
``(F) through collaborations with international
organizations;
``(2) addressing national, multi-agency, multi-faceted
challenges of national importance; and
``(3) fostering the transfer of research and development
results into new technologies and applications for the
benefit of society.''.
(b) Development of Strategic Plan.--Section 101 of the
High-Performance Computing Act of 1991 (15 U.S.C. 5511) is
amended by adding at the end the following:
``(e) Strategic Plan.--
``(1) In general.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the agencies under subsection (a)(3)(B), working
through the National Science and Technology Council and with
the assistance of the Office of Science and Technology Policy
shall develop a 5-year strategic plan to guide the activities
under subsection (a)(1).
``(2) Contents.--The strategic plan shall specify--
``(A) the near-term objectives for the Program;
``(B) the long-term objectives for the Program;
``(C) the anticipated time frame for achieving the near-
term objectives;
``(D) the metrics that will be used to assess any progress
made toward achieving the near-term objectives and the long-
term objectives; and
``(E) how the Program will achieve the goals and priorities
under subsection (d).
``(3) Implementation roadmap.--
``(A) In general.--The agencies under subsection (a)(3)(B)
shall develop and annually update an implementation roadmap
for the strategic plan.
``(B) Requirements.--The information in the implementation
roadmap shall be coordinated with the database under section
102(c) and the annual report under section 101(a)(3). The
implementation roadmap shall--
``(i) specify the role of each Federal agency in carrying
out or sponsoring research and development to meet the
research objectives of the strategic plan, including a
description of how progress toward the research objectives
will be evaluated, with consideration of any relevant
recommendations of the advisory committee;
``(ii) specify the funding allocated to each major research
objective of the strategic plan and the source of funding by
agency for the current fiscal year; and
``(iii) estimate the funding required for each major
research objective of the strategic plan for the next 3
fiscal years.
``(4) Recommendations.--The agencies under subsection
(a)(3)(B) shall take into consideration when developing the
strategic plan under paragraph (1) the recommendations of--
``(A) the advisory committee under subsection (b); and
``(B) the stakeholders under section 102(a)(3).
``(5) Report to congress.--The Director of the Office of
Science and Technology Policy shall transmit the strategic
plan under this
subsection, including the implementation roadmap and any
updates under paragraph (3), to--
``(A) the advisory committee under subsection (b);
``(B) the Committee on Commerce, Science, and
Transportation of the Senate; and
``(C) the Committee on Science and Technology of the House
of Representatives.''.
(c) Periodic Reviews.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended by adding
at the end the following:
``(f) Periodic Reviews.--The agencies under subsection
(a)(3)(B) shall--
``(1) periodically assess the contents and funding levels
of the Program Component Areas and restructure the Program
when warranted, taking into consideration any relevant
recommendations of the advisory committee under subsection
(b); and
``(2) ensure that the Program includes national, multi-
agency, multi-faceted research and development activities,
including activities described in section 104.''.
(d) Additional Responsibilities of Director.--Section
101(a)(2) of the High-Performance Computing Act of 1991 (15
U.S.C. 5511(a)(2)) is amended--
(1) by redesignating subparagraphs (E) and (F) as
subparagraphs (G) and (H), respectively; and
(2) by inserting after subparagraph (D) the following:
``(E) encourage and monitor the efforts of the agencies
participating in the Program to allocate the level of
resources and management attention necessary--
``(i) to ensure that the strategic plan under subsection
(e) is developed and executed effectively; and
``(ii) to ensure that the objectives of the Program are
met;
``(F) working with the Office of Management and Budget and
in coordination with the creation of the database under
section 102(c), direct the Office of Science and Technology
Policy and the agencies participating in the Program to
establish a mechanism (consistent with existing law) to track
all ongoing and completed research and development projects
and associated funding;''.
(e) Advisory Committee.--Section 101(b) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is
amended--
(1) in paragraph (1)--
(A) by inserting after the first sentence the following:
``The co-chairs of the advisory committee shall meet the
qualifications of committee members and may be members of the
President's Council of Advisors on Science and Technology.'';
and
(B) by striking ``high-performance'' in subparagraph (D)
and inserting ``high-end''; and
(2) by amending paragraph (2) to read as follows:
``(2) In addition to the duties under paragraph (1), the
advisory committee shall conduct periodic evaluations of the
funding, management, coordination, implementation, and
activities of the Program. The advisory committee shall
report its findings and recommendations not less frequently
than once every 3 fiscal years to the Committee on Commerce,
Science, and Transportation of the Senate and the Committee
on Science and Technology of the House of Representatives.
The report shall be submitted in conjunction with the update
of the strategic plan.''.
(f) Report.--Section 101(a)(3) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
(1) in subparagraph (C)--
(A) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(B) by striking ``each Program Component Area'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104'';
(2) in subparagraph (D)--
(A) by striking ``each Program Component Area,'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104,'';
(B) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(C) by striking ``and'' after the semicolon;
(3) by redesignating subparagraph (E) as subparagraph (G);
and
(4) by inserting after subparagraph (D) the following:
``(E) include a description of how the objectives for each
Program Component Area, and the objectives for activities
that involve multiple Program Component Areas, relate to the
objectives of the Program identified in the strategic plan
under subsection (e);
``(F) include--
``(i) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the next
fiscal year by category of activity;
``(ii) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the current
fiscal year by category of activity; and
``(iii) the amount of funding provided for the Office of
Science and Technology Policy for the current fiscal year by
each agency participating in the Program; and''.
(g) Definitions.--Section 4 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5503) is amended--
(1) by redesignating paragraphs (1) and (2) as paragraphs
(2) and (3), respectively;
(2) by redesignating paragraph (3) as paragraph (6);
(3) by redesignating paragraphs (6) and (7) as paragraphs
(7) and (8), respectively;
(4) by inserting before paragraph (2), as redesignated, the
following:
``(1) `cyber-physical systems' means physical or engineered
systems whose networking and information technology functions
and physical elements are deeply integrated and are actively
connected to the physical world through sensors, actuators,
or other means to perform monitoring and control
functions;'';
(5) in paragraph (3), as redesignated, by striking ``high-
performance computing'' and inserting ``networking and
information technology'';
(6) in paragraph (6), as redesignated--
(A) by striking ``high-performance computing'' and
inserting ``networking and information technology''; and
(B) by striking ``supercomputer'' and inserting ``high-end
computing'';
(7) in paragraph (5), by striking ``network referred to
as'' and all that follows through the semicolon and inserting
``network, including advanced computer networks of Federal
agencies and departments''; and
(8) in paragraph (7), as redesignated, by striking
``National High-Performance Computing Program'' and inserting
``networking and information technology research and
development program''.
SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
(a) Research in Areas of National Importance.--Title I of
the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et
seq.) is amended by adding at the end the following:
``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
``(a) In General.--The Program shall encourage agencies
under section 101(a)(3)(B) to support, maintain, and improve
national, multi-agency, multi-faceted research and
development activities in networking and information
technology directed toward application areas that have the
potential for significant contributions to national economic
competitiveness and for other significant societal benefits.
``(b) Technical Solutions.--An activity under subsection
(a) shall be designed to advance the development of research
discoveries by demonstrating technical solutions to important
problems in areas including--
``(1) cybersecurity;
``(2) health care;
``(3) energy management and low-power systems and devices;
``(4) transportation, including surface and air
transportation;
``(5) cyber-physical systems;
``(6) large-scale data analysis and modeling of physical
phenomena;
``(7) large-scale data analysis and modeling of behavioral
phenomena;
``(8) supply chain quality and security; and
``(9) privacy protection and protected disclosure of
confidential data.
``(c) Recommendations.--The advisory committee under
section 101(b) shall make recommendations to the Program for
candidate research and development areas for support under
this section.
``(d) Characteristics.--
``(1) In general.--Research and development activities
under this section--
``(A) shall include projects selected on the basis of
applications for support through a competitive, merit-based
process;
``(B) shall leverage, when possible, Federal investments
through collaboration with related State initiatives;
``(C) shall include a plan for fostering the transfer of
research discoveries and the results of technology
demonstration activities, including from institutions of
higher education and Federal laboratories, to industry for
commercial development;
``(D) shall involve collaborations among researchers in
institutions of higher education and industry; and
``(E) may involve collaborations among nonprofit research
institutions and Federal laboratories, as appropriate.
``(2) Cost-sharing.--In selecting applications for support,
the agencies under section 101(a)(3)(B) shall give special
consideration to projects that include cost sharing from non-
Federal sources.
``(3) Multidisciplinary research centers.--Research and
development activities under this section shall be supported
through multidisciplinary research centers, including Federal
laboratories, that are organized to investigate basic
research questions and carry out technology demonstration
activities in areas described in subsection (a). Research may
be carried out through existing multidisciplinary centers,
including those authorized under section 7024(b)(2) of the
America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
(b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is
amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking the period at the end
and inserting a semicolon; and
(3) by adding at the end the following:
``(J) provide for increased understanding of the scientific
principles of cyber-physical systems and improve the methods
available for the design, development, and operation of
cyber-physical systems that are characterized by high
reliability, safety, and security; and
[[Page S5589]]
``(K) provide for research and development on human-
computer interactions, visualization, and big data.''.
(c) Task Force.--Title I of the High-Performance Computing
Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section
402(a) of this Act, is amended by adding at the end the
following:
``SEC. 105. TASK FORCE.
``(a) Establishment.--Not later than 180 days after the
date of enactment of the Strengthening and Enhancing
Cybersecurity by Using Research, Education, Information, and
Technology Act of 2012, the Director of the Office of Science
and Technology Policy under section 102 shall convene a task
force to explore mechanisms for carrying out collaborative
research and development activities for cyber-physical
systems (including the related technologies required to
enable these systems) through a consortium or other
appropriate entity with participants from institutions of
higher education, Federal laboratories, and industry.
``(b) Functions.--The task force shall--
``(1) develop options for a collaborative model and an
organizational structure for such entity under which the
joint research and development activities could be planned,
managed, and conducted effectively, including mechanisms for
the allocation of resources among the participants in such
entity for support of such activities;
``(2) propose a process for developing a research and
development agenda for such entity, including guidelines to
ensure an appropriate scope of work focused on nationally
significant challenges and requiring collaboration and to
ensure the development of related scientific and
technological milestones;
``(3) define the roles and responsibilities for the
participants from institutions of higher education, Federal
laboratories, and industry in such entity;
``(4) propose guidelines for assigning intellectual
property rights and for transferring research results to the
private sector; and
``(5) make recommendations for how such entity could be
funded from Federal, State, and non-governmental sources.
``(c) Composition.--In establishing the task force under
subsection (a), the Director of the Office of Science and
Technology Policy shall appoint an equal number of
individuals from institutions of higher education and from
industry with knowledge and expertise in cyber-physical
systems, and may appoint not more than 2 individuals from
Federal laboratories.
``(d) Report.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Director of the Office of Science and Technology
Policy shall transmit to the Committee on Commerce, Science,
and Transportation of the Senate and the Committee on Science
and Technology of the House of Representatives a report
describing the findings and recommendations of the task
force.
``(e) Termination.--The task force shall terminate upon
transmittal of the report required under subsection (d).
``(f) Compensation and Expenses.--Members of the task force
shall serve without compensation.''.
SEC. 403. PROGRAM IMPROVEMENTS.
Section 102 of the High-Performance Computing Act of 1991
(15 U.S.C. 5512) is amended to read as follows:
``SEC. 102. PROGRAM IMPROVEMENTS.
``(a) Functions.--The Director of the Office of Science and
Technology Policy shall continue--
``(1) to provide technical and administrative support to--
``(A) the agencies participating in planning and
implementing the Program, including support needed to develop
the strategic plan under section 101(e); and
``(B) the advisory committee under section 101(b);
``(2) to serve as the primary point of contact on Federal
networking and information technology activities for
government agencies, academia, industry, professional
societies, State computing and networking technology
programs, interested citizen groups, and others to exchange
technical and programmatic information;
``(3) to solicit input and recommendations from a wide
range of stakeholders during the development of each
strategic plan under section 101(e) by convening at least 1
workshop with invitees from academia, industry, Federal
laboratories, and other relevant organizations and
institutions;
``(4) to conduct public outreach, including the
dissemination of the advisory committee's findings and
recommendations, as appropriate;
``(5) to promote access to and early application of the
technologies, innovations, and expertise derived from Program
activities to agency missions and systems across the Federal
Government and to United States industry;
``(6) to ensure accurate and detailed budget reporting of
networking and information technology research and
development investment; and
``(7) to encourage agencies participating in the Program to
use existing programs and resources to strengthen networking
and information technology education and training, and
increase participation in such fields, including by women and
underrepresented minorities.
``(b) Source of Funding.--
``(1) In general.--The functions under this section shall
be supported by funds from each agency participating in the
Program.
``(2) Specifications.--The portion of the total budget of
the Office of Science and Technology Policy that is provided
by each agency participating in the Program for each fiscal
year shall be in the same proportion as each agency's share
of the total budget for the Program for the previous fiscal
year, as specified in the database under section 102(c).
``(c) Database.--
``(1) In general.--The Director of the Office of Science
and Technology Policy shall develop and maintain a database
of projects funded by each agency for the fiscal year for
each Program Component Area.
``(2) Public accessibility.--The Director of the Office of
Science and Technology Policy shall make the database
accessible to the public.
``(3) Database contents.--The database shall include, for
each project in the database--
``(A) a description of the project;
``(B) each agency, industry, institution of higher
education, Federal laboratory, or international institution
involved in the project;
``(C) the source funding of the project (set forth by
agency);
``(D) the funding history of the project; and
``(E) whether the project has been completed.''.
SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION
TECHNOLOGY, INCLUDING HIGH PERFORMANCE
COMPUTING.
Section 201(a) of the High-Performance Computing Act of
1991 (15 U.S.C. 5521(a)) is amended--
(1) by redesignating paragraphs (2) through (4) as
paragraphs (3) through (5), respectively; and
(2) by inserting after paragraph (1) the following:
``(2) the National Science Foundation shall use its
existing programs, in collaboration with other agencies, as
appropriate, to improve the teaching and learning of
networking and information technology at all levels of
education and to increase participation in networking and
information technology fields;''.
SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
PERFORMANCE COMPUTING ACT OF 1991.
(a) Section 3.--Section 3 of the High-Performance Computing
Act of 1991 (15 U.S.C. 5502) is amended--
(1) in the matter preceding paragraph (1), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(2) in paragraph (1)--
(A) in the matter preceding subparagraph (A), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(B) in subparagraphs (A), (F), and (G), by striking ``high-
performance computing'' each place it appears and inserting
``networking and information technology''; and
(C) in subparagraph (H), by striking ``high-performance''
and inserting ``high-end''; and
(3) in paragraph (2)--
(A) by striking ``high-performance computing and'' and
inserting ``networking and information technology, and''; and
(B) by striking ``high-performance computing network'' and
inserting ``networking and information technology''.
(b) Title Heading.--The heading of title I of the High-
Performance Computing Act of 1991 (105 Stat. 1595) is amended
by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting
``NETWORKING AND INFORMATION TECHNOLOGY''.
(c) Section 101.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended--
(1) in the section heading, by striking ``high-performance
computing'' and inserting ``networking and information
technology research and development'';
(2) in subsection (a)--
(A) in the subsection heading, by striking ``National High-
Performance Computing'' and inserting ``Networking and
Information Technology Research and Development'';
(B) in paragraph (1)--
(i) by striking ``National High-Performance Computing
Program'' and inserting ``networking and information
technology research and development program'';
(ii) in subparagraph (A), by striking ``high-performance
computing, including networking'' and inserting ``networking
and information technology'';
(iii) in subparagraphs (B) and (G), by striking ``high-
performance'' each place it appears and inserting ``high-
end''; and
(iv) in subparagraph (C), by striking ``high-performance
computing and networking'' and inserting ``high-end
computing, distributed, and networking''; and
(C) in paragraph (2)--
(i) in subparagraphs (A) and (C)--
(I) by striking ``high-performance computing'' each place
it appears and inserting ``networking and information
technology''; and
(II) by striking ``development, networking,'' each place it
appears and inserting ``development,''; and
(ii) in subparagraphs (G) and (H), as redesignated by
section 401(d) of this Act, by striking ``high-performance''
each place it appears and inserting ``high-end'';
(3) in subsection (b)(1), in the matter preceding
subparagraph (A), by striking ``high-performance computing''
each place it appears and inserting ``networking and
information technology''; and
[[Page S5590]]
(4) in subsection (c)(1)(A), by striking ``high-performance
computing'' and inserting ``networking and information
technology''.
(d) Section 201.--Section 201(a)(1) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by
striking ``high-performance computing and advanced high-speed
computer networking'' and inserting ``networking and
information technology research and development''.
(e) Section 202.--Section 202(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by
striking ``high-performance computing'' and inserting
``networking and information technology''.
(f) Section 203.--Section 203(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
(1) in paragraph (1), by striking ``high-performance
computing and networking'' and inserting ``networking and
information technology''; and
(2) in paragraph (2)(A), by striking ``high-performance''
and inserting ``high-end''.
(g) Section 204.--Section 204 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5524) is amended--
(1) in subsection (a)(1)--
(A) in subparagraph (A), by striking ``high-performance
computing systems and networks'' and inserting ``networking
and information technology systems and capabilities'';
(B) in subparagraph (B), by striking ``interoperability of
high-performance computing systems in networks and for common
user interfaces to systems'' and inserting ``interoperability
and usability of networking and information technology
systems''; and
(C) in subparagraph (C), by striking ``high-performance
computing'' and inserting ``networking and information
technology''; and
(2) in subsection (b)--
(A) by striking ``High-Performance Computing and Network''
in the heading and inserting ``Networking and Information
Technology''; and
(B) by striking ``sensitive''.
(h) Section 205.--Section 205(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by
striking ``computational'' and inserting ``networking and
information technology''.
(i) Section 206.--Section 206(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by
striking ``computational research'' and inserting
``networking and information technology research''.
(j) Section 207.--Section 207 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5527) is amended by striking
``high-performance computing'' and inserting ``networking and
information technology''.
(k) Section 208.--Section 208 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5528) is amended--
(1) in the section heading, by striking ``HIGH-PERFORMANCE
COMPUTING'' and inserting ``NETWORKING AND INFORMATION
TECHNOLOGY''; and
(2) in subsection (a)--
(A) in paragraph (1), by striking ``High-performance
computing and associated'' and inserting ``Networking and
information'';
(B) in paragraph (2), by striking ``high-performance
computing'' and inserting ``networking and information
technologies'';
(C) in paragraph (3), by striking ``high-performance'' and
inserting ``high-end'';
(D) in paragraph (4), by striking ``high-performance
computers and associated'' and inserting ``networking and
information''; and
(E) in paragraph (5), by striking ``high-performance
computing and associated'' and inserting ``networking and
information''.
SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) In General.--The Director of the National Science
Foundation, in coordination with the Secretary of Homeland
Security, shall carry out a Federal cyber scholarship-for-
service program to recruit and train the next generation of
information technology professionals and security managers to
meet the needs of the cybersecurity mission for the Federal
government.
(b) Program Description and Components.--The program
shall--
(1) annually assess the workforce needs of the Federal
government for cybersecurity professionals, including network
engineers, software engineers, and other experts in order to
determine how many scholarships should be awarded annually to
ensure that the workforce needs following graduation match
the number of scholarships awarded;
(2) provide scholarships for up to 1,000 students per year
in their pursuit of undergraduate or graduate degrees in the
cybersecurity field, in an amount that may include coverage
for full tuition, fees, and a stipend;
(3) require each scholarship recipient, as a condition of
receiving a scholarship under the program, to serve in a
Federal information technology workforce for a period equal
to one and one-half times each year, or partial year, of
scholarship received, in addition to an internship in the
cybersecurity field, if applicable, following graduation;
(4) provide a procedure for the National Science Foundation
or a Federal agency, consistent with regulations of the
Office of Personnel Management, to request and fund a
security clearance for a scholarship recipient, including
providing for clearance during a summer internship and upon
graduation; and
(5) provide opportunities for students to receive temporary
appointments for meaningful employment in the Federal
information technology workforce during school vacation
periods and for internships.
(c) Hiring Authority.--
(1) In general.--For purposes of any law or regulation
governing the appointment of an individual in the Federal
civil service, upon the successful completion of the
student's studies, a student receiving a scholarship under
the program may--
(A) be hired under section 213.3102(r) of title 5, Code of
Federal Regulations; and
(B) be exempt from competitive service.
(2) Competitive service.--Upon satisfactory fulfillment of
the service term under paragraph (1), an individual may be
converted to a competitive service position without
competition if the individual meets the requirements for that
position.
(d) Eligibility.--The eligibility requirements for a
scholarship under this section shall include that a
scholarship applicant--
(1) be a citizen of the United States;
(2) be eligible to be granted a security clearance;
(3) maintain a grade point average of 3.2 or above on a 4.0
scale for undergraduate study or a 3.5 or above on a 4.0
scale for postgraduate study;
(4) demonstrate a commitment to a career in improving the
security of the information infrastructure; and
(5) have demonstrated a level of proficiency in math or
computer sciences.
(e) Failure to Complete Service Obligation.--
(1) In general.--A scholarship recipient under this section
shall be liable to the United States under paragraph (2) if
the scholarship recipient--
(A) fails to maintain an acceptable level of academic
standing in the educational institution in which the
individual is enrolled, as determined by the Director;
(B) is dismissed from such educational institution for
disciplinary reasons;
(C) withdraws from the program for which the award was made
before the completion of such program;
(D) declares that the individual does not intend to fulfill
the service obligation under this section;
(E) fails to fulfill the service obligation of the
individual under this section; or
(F) loses a security clearance or becomes ineligible for a
security clearance.
(2) Repayment amounts.--
(A) Less than 1 year of service.--If a circumstance under
paragraph (1) occurs before the completion of 1 year of a
service obligation under this section, the total amount of
awards received by the individual under this section shall be
repaid.
(B) One or more years of service.--If a circumstance
described in subparagraph (D) or (E) of paragraph (1) occurs
after the completion of 1 year of a service obligation under
this section, the total amount of scholarship awards received
by the individual under this section, reduced by the ratio of
the number of years of service completed divided by the
number of years of service required, shall be repaid.
(f) Evaluation and Report.--The Director of the National
Science Foundation shall--
(1) evaluate the success of recruiting individuals for
scholarships under this section and of hiring and retaining
those individuals in the public sector workforce, including
the annual cost and an assessment of how the program actually
improves the Federal workforce; and
(2) periodically report the findings under paragraph (1) to
Congress.
(g) Authorization of Appropriations.--From amounts made
available under section 503 of the America COMPETES
Reauthorization Act of 2010 (124 Stat. 4005), the Director
may use funds to carry out the requirements of this section
for fiscal years 2012 through 2013.
SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF
INFORMATION INFRASTRUCTURE PROFESSIONALS.
(a) Study.--The President shall enter into an agreement
with the National Academies to conduct a comprehensive study
of government, academic, and private-sector accreditation,
training, and certification programs for personnel working in
information infrastructure. The agreement shall require the
National Academies to consult with sector coordinating
councils and relevant governmental agencies, regulatory
entities, and nongovernmental organizations in the course of
the study.
(b) Scope.--The study shall include--
(1) an evaluation of the body of knowledge and various
skills that specific categories of personnel working in
information infrastructure should possess in order to secure
information systems;
(2) an assessment of whether existing government, academic,
and private-sector accreditation, training, and certification
programs provide the body of knowledge and various skills
described in paragraph (1);
(3) an analysis of any barriers to the Federal Government
recruiting and hiring cybersecurity talent, including
barriers relating to compensation, the hiring process, job
classification, and hiring flexibility; and
(4) an analysis of the sources and availability of
cybersecurity talent, a comparison of the skills and
expertise sought by the Federal Government and the private
sector, an examination of the current and future capacity of
United States institutions of higher education, including
community colleges, to provide current and future
cybersecurity professionals, through education and training
activities, with those skills sought by the Federal
Government, State and local entities, and the private sector.
[[Page S5591]]
(c) Report.--Not later than 1 year after the date of
enactment of this Act, the National Academies shall submit to
the President and Congress a report on the results of the
study. The report shall include--
(1) findings regarding the state of information
infrastructure accreditation, training, and certification
programs, including specific areas of deficiency and
demonstrable progress; and
(2) recommendations for the improvement of information
infrastructure accreditation, training, and certification
programs.
SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.
(a) In General.--The Director of the National Institute of
Standards and Technology, in coordination with appropriate
Federal authorities, shall--
(1) as appropriate, ensure coordination of Federal agencies
engaged in the development of international technical
standards related to information system security; and
(2) not later than 1 year after the date of enactment of
this Act, develop and transmit to Congress a plan for
ensuring such Federal agency coordination.
(b) Consultation With the Private Sector.--In carrying out
the activities under subsection (a)(1), the Director shall
ensure consultation with appropriate private sector
stakeholders.
SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.
The Director of the National Institute of Standards and
Technology shall continue a program to support the
development of technical standards, metrology, testbeds, and
conformance criteria, taking into account appropriate user
concerns--
(1) to improve interoperability among identity management
technologies;
(2) to strengthen authentication methods of identity
management systems;
(3) to improve privacy protection in identity management
systems, including health information technology systems,
through authentication and security protocols; and
(4) to improve the usability of identity management
systems.
SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) National Science Foundation Computer and Network
Security Research Grant Areas.--Section 4(a)(1) of the Cyber
Security Research and Development Act (15 U.S.C. 7403(a)(1))
is amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking ``property.'' and
inserting ``property;''; and
(3) by adding at the end the following:
``(J) secure fundamental protocols that are at the heart of
inter-network communications and data exchange;
``(K) system security that addresses the building of secure
systems from trusted and untrusted components;
``(L) monitoring and detection; and
``(M) resiliency and rapid recovery methods.''.
(b) National Science Foundation Computer and Network
Security Grants.--Section 4(a)(3) of the Cyber Security
Research and Development Act (15 U.S.C. 7403(a)(3)) is
amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(c) Computer and Network Security Centers.--Section 4(b)(7)
of the Cyber Security Research and Development Act (15 U.S.C.
7403(b)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(d) Computer and Network Security Capacity Building
Grants.--Section 5(a)(6) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(a)(6)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(e) Scientific and Advanced Technology Act Grants.--Section
5(b)(2) of the Cyber Security Research and Development Act
(15 U.S.C. 7404(b)(2)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(f) Graduate Traineeships in Computer and Network Security
Research.--Section 5(c)(7) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(c)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
______
SA 2614. Mrs. HUTCHISON (for herself, Mr. McCain, Mr. Chambliss, Mr.
Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of
Wisconsin) submitted an amendment intended to be proposed by her to the
bill S. 3414, to enhance the security and resiliency of the cyber and
communications infrastructure of the United States; which was ordered
to lie on the table; as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the
``Strengthening and Enhancing Cybersecurity by Using
Research, Education, Information, and Technology Act of
2012'' or ``SECURE IT''.
(b) Table of Contents.--The table of contents of this Act
is as follows:
Sec. 1. Short title; table of contents.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.
TITLE III--CRIMINAL PENALTIES
Sec. 301. Penalties for fraud and related activity in connection with
computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity
in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
Sec. 401. National High-Performance Computing Program planning and
coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology,
including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance
Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of
information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
SEC. 101. DEFINITIONS.
In this title:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in section 1(a) of the
Clayton Act (15 U.S.C. 12(a));
(B) includes section 5 of the Federal Trade Commission Act
(15 U.S.C. 45) to the extent that section 5 of that Act
applies to unfair methods of competition; and
(C) includes any State law that has the same intent and
effect as the laws under subparagraphs (A) and (B).
(3) Countermeasure.--The term ``countermeasure'' means an
automated or a manual action with defensive intent to
mitigate cyber threats.
(4) Cyber threat information.--The term ``cyber threat
information'' means information that indicates or describes--
(A) a technical or operational vulnerability or a cyber
threat mitigation measure;
(B) an action or operation to mitigate a cyber threat;
(C) malicious reconnaissance, including anomalous patterns
of network activity that appear to be transmitted for the
purpose of gathering technical information related to a
cybersecurity threat;
(D) a method of defeating a technical control;
(E) a method of defeating an operational control;
(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
(G) a method of causing a user with legitimate access to an
information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
(H) any other attribute of a cybersecurity threat or cyber
defense information that would foster situational awareness
of the United States cybersecurity posture, if disclosure of
such attribute or information is not otherwise prohibited by
law;
(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
(J) any combination of subparagraphs (A) through (I).
(5) Cybersecurity center.--The term ``cybersecurity
center'' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
(6) Cybersecurity system.--The term ``cybersecurity
system'' means a system designed or employed to ensure the
integrity, confidentiality, or availability of, or to
safeguard, a system or network, including measures intended
to protect a system or network from--
(A) efforts to degrade, disrupt, or destroy such system or
network; or
(B) theft or misappropriations of private or government
information, intellectual property, or personally
identifiable information.
(7) Entity.--
(A) In general.--The term ``entity'' means any private
entity, non-Federal government agency or department, or
State, tribal, or local government agency or department
(including an officer, employee, or agent thereof).
(B) Inclusions.--The term ``entity'' includes a government
agency or department (including an officer, employee, or
agent thereof) of the District of Columbia, the Commonwealth
of Puerto Rico, the Virgin Islands, Guam, American Samoa, the
Northern Mariana Islands, and any other territory or
possession of the United States.
(8) Federal information system.--The term ``Federal
information system'' means an information system of a Federal
department or agency used or operated by an executive agency,
by a contractor of an executive agency, or by another
organization on behalf of an executive agency.
(9) Information security.--The term ``information
security'' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
(B) confidentiality, by preserving authorized restrictions
on access and disclosure, including means for protecting
personal privacy and proprietary information; or
(C) availability, by ensuring timely and reliable access to
and use of information.
(10) Information system.--The term ``information system''
has the meaning given the term in section 3502 of title 44,
United States Code.
(11) Local government.--The term ``local government'' means
any borough, city, county, parish, town, township, village,
or other general purpose political subdivision of a State.
(12) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
(13) Operational control.--The term ``operational control''
means a security control for an information system that
primarily is implemented and executed by people.
(14) Operational vulnerability.--The term ``operational
vulnerability'' means any attribute of policy, process, or
procedure that could enable or facilitate the defeat of an
operational control.
(15) Private entity.--The term ``private entity'' means any
individual or any private group, organization, or
corporation, including an officer, employee, or agent
thereof.
(16) Significant cyber incident.--The term ``significant
cyber incident'' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
(17) Technical control.--The term ``technical control''
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
(18) Technical vulnerability.--The term ``technical
vulnerability'' means any attribute of hardware or software
that could enable or facilitate the defeat of a technical
control.
(19) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian Self-Determination
and Education Assistance Act (25 U.S.C. 450b).
SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.
(a) Voluntary Disclosure.--
(1) Private entities.--Notwithstanding any other provision
of law, a private entity may, for the purpose of preventing,
investigating, or otherwise mitigating threats to information
security, on its own networks, or as authorized by another
entity, on such entity's networks, employ countermeasures and
use cybersecurity systems in order to obtain, identify, or
otherwise possess cyber threat information.
(2) Entities.--Notwithstanding any other provision of law,
an entity may disclose cyber threat information to--
(A) a cybersecurity center; or
(B) any other entity in order to assist with preventing,
investigating, or otherwise mitigating threats to information
security.
(3) Information security providers.--If the cyber threat
information described in paragraph (1) is obtained,
identified, or otherwise possessed in the course of providing
information security products or services under contract to
another entity, that entity shall be given, at any time prior
to disclosure of such information, a reasonable opportunity
to authorize or prevent such disclosure, to request
anonymization of such information, or to request that
reasonable efforts be made to safeguard such information that
identifies specific persons from unauthorized access or
disclosure.
(b) Significant Cyber Incidents Involving Federal
Information Systems.--
(1) In general.--An entity providing electronic
communication services, remote computing services, or
information security services to a Federal department or
agency shall inform the Federal department or agency of a
significant cyber incident involving the Federal information
system of that Federal department or agency that--
(A) is directly known to the entity as a result of
providing such services;
(B) is directly related to the provision of such services
by the entity; and
(C) as determined by the entity, has impeded or will impede
the performance of a critical mission of the Federal
department or agency.
(2) Advance coordination.--A Federal department or agency
receiving the services described in paragraph (1) shall
coordinate in advance with an entity described in paragraph
(1) to develop the parameters of any information that may be
provided under paragraph (1), including clarification of the
type of significant cyber incident that will impede the
performance of a critical mission of the Federal department
or agency.
(3) Report.--A Federal department or agency shall report
information provided under this subsection to a cybersecurity
center.
(4) Construction.--Any information provided to a
cybersecurity center under paragraph (3) shall be treated in
the same manner as information provided to a cybersecurity
center under subsection (a).
(c) Information Shared With or Provided to a Cybersecurity
Center.--Cyber threat information provided to a cybersecurity
center under this section--
(1) may be disclosed to, retained by, and used by,
consistent with otherwise applicable Federal law, any Federal
agency or department, component, officer, employee, or agent
of the Federal government for a cybersecurity purpose, a
national security purpose, or in order to prevent,
investigate, or prosecute any of the offenses listed in
section 2516 of title 18, United States Code, and such
information shall not be disclosed to, retained by, or used
by any Federal agency or department for any use not permitted
under this paragraph;
(2) may, with the prior written consent of the entity
submitting such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except that if the need for immediate
disclosure prevents obtaining written consent, such consent
may be provided orally with subsequent documentation of such
consent;
(3) shall be considered the commercial, financial, or
proprietary information of the entity providing such
information to the Federal government and any disclosure
outside the Federal government may only be made upon the
prior written consent by such entity and shall not constitute
a waiver of
any applicable privilege or protection provided by law,
except that if the need for immediate disclosure prevents
obtaining written consent, such consent may be provided
orally with subsequent documentation of such consent;
(4) shall be deemed voluntarily shared information and
exempt from disclosure under section 552 of title 5, United
States Code, and any State, tribal, or local law requiring
disclosure of information or records;
(5) shall be, without discretion, withheld from the public
under section 552(b)(3)(B) of title 5, United States Code,
and any State, tribal, or local law requiring disclosure of
information or records;
(6) shall not be subject to the rules of any Federal agency
or department or any judicial doctrine regarding ex parte
communications with a decision-making official;
(7) shall not, if subsequently provided to a State, tribal,
or local government or government agency, otherwise be
disclosed or distributed to any entity by such State, tribal,
or local government or government agency without the prior
written consent of the entity submitting such information,
notwithstanding any State, tribal, or local law requiring
disclosure of information or records, except that if the need
for immediate disclosure prevents obtaining written consent,
such consent may be provided orally with subsequent
documentation of such consent; and
(8) shall not be directly used by any Federal, State,
tribal, or local department or agency to regulate the lawful
activities of an entity, including activities relating to
obtaining, identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this paragraph.
(d) Procedures Relating to Information Sharing With a
Cybersecurity Center.--Not later than 60 days after the date
of enactment of this Act, the heads of each department or
agency containing a cybersecurity center shall jointly
develop, promulgate, and submit to Congress procedures to
ensure that cyber threat information shared with or provided
to--
(1) a cybersecurity center under this section--
(A) may be submitted to a cybersecurity center by an
entity, to the greatest extent possible, through a uniform,
publicly available process or format that is easily
accessible on the website of such cybersecurity center, and
that includes the ability to provide relevant details about
the cyber threat information and written consent to any
subsequent disclosures authorized by this paragraph;
(B) shall immediately be further shared with each
cybersecurity center in order to prevent, investigate, or
otherwise mitigate threats to information security across the
Federal government;
(C) is handled by the Federal government in a reasonable
manner, including consideration of the need to protect the
privacy and civil liberties of individuals through
anonymization or other appropriate methods, while fully
accomplishing the objectives of this title, and the Federal
government may undertake efforts consistent with this
subparagraph to limit the impact on privacy and civil
liberties of the sharing of cyber threat information with the
Federal government; and
(D) except as provided in this section, shall only be used,
disclosed, or handled in accordance with the provisions of
subsection (c); and
(2) a Federal agency or department under subsection (b) is
provided immediately to a cybersecurity center in order to
prevent, investigate, or otherwise mitigate threats to
information security across the Federal government.
(e) Information Shared Between Entities.--
(1) In general.--An entity sharing cyber threat information
with another entity under this title may restrict the use or
sharing of such information by such other entity.
(2) Further sharing.--Cyber threat information shared by
any entity with another entity under this title--
(A) shall only be further shared in accordance with any
restrictions placed on the sharing of such information by the
entity authorizing such sharing, such as appropriate
anonymization of such information; and
(B) may not be used by any entity to gain an unfair
competitive advantage to the detriment of the entity
authorizing the sharing of such information, except that the
conduct described in paragraph (3) shall not constitute
unfair competitive conduct.
(3) Information shared with state, tribal, or local
government or government agency.--Cyber threat information
shared with a State, tribal, or local government or
government agency under this title--
(A) may, with the prior written consent of the entity
sharing such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except if the need for immediate disclosure
prevents obtaining written consent, consent may be provided
orally with subsequent documentation of the consent;
(B) shall be deemed voluntarily shared information and
exempt from disclosure under any State, tribal, or local law
requiring disclosure of information or records;
(C) shall not be disclosed or distributed to any entity by
the State, tribal, or local government or government agency
without the prior written consent of the entity submitting
such information, notwithstanding any State, tribal, or local
law requiring disclosure of information or records, except if
the need for immediate disclosure prevents obtaining written
consent, consent may be provided orally with subsequent
documentation of the consent; and
(D) shall not be directly used by any State, tribal, or
local department or agency to regulate the lawful activities
of an entity, including activities relating to obtaining,
identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this
subparagraph.
(4) Antitrust exemption.--The exchange or provision of
cyber threat information or assistance between 2 or more
private entities under this title shall not be considered a
violation of any provision of antitrust laws if exchanged or
provided in order to assist with--
(A) facilitating the prevention, investigation, or
mitigation of threats to information security; or
(B) communicating or disclosing of cyber threat information
to help prevent, investigate or otherwise mitigate the
effects of a threat to information security.
(5) No right or benefit.--The provision of cyber threat
information to an entity under this section shall not create
a right or a benefit to similar information by such entity or
any other entity.
(f) Federal Preemption.--
(1) In general.--This section supersedes any statute or
other law of a State or political subdivision of a State that
restricts or otherwise expressly regulates an activity
authorized under this section.
(2) State law enforcement.--Nothing in this section shall
be construed to supersede any statute or other law of a State
or political subdivision of a State concerning the use of
authorized law enforcement techniques.
(3) Public disclosure.--No information shared with or
provided to a State, tribal, or local government or
government agency pursuant to this section shall be made
publicly available pursuant to any State, tribal, or local
law requiring disclosure of information or records.
(g) Civil and Criminal Liability.--
(1) General protections.--
(A) Private entities.--No cause of action shall lie or be
maintained in any court against any private entity for--
(i) the use of countermeasures and cybersecurity systems as
authorized by this title;
(ii) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(iii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
private entity.
(B) Entities.--No cause of action shall lie or be
maintained in any court against any entity for--
(i) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(ii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
entity.
(2) Construction.--Nothing in this subsection shall be
construed as creating any immunity against, or otherwise
affecting, any action brought by the Federal government, or
any agency or department thereof, to enforce any law,
executive order, or procedure governing the appropriate
handling, disclosure, and use of classified information.
(h) Otherwise Lawful Disclosures.--Nothing in this section
shall be construed to limit or prohibit otherwise lawful
disclosures of communications, records, or other information
by a private entity to any other governmental or private
entity not covered under this section.
(i) Whistleblower Protection.--Nothing in this Act shall be
construed to preempt or preclude any employee from exercising
rights currently provided under any whistleblower law, rule,
or regulation.
(j) Relationship to Other Laws.--The submission of cyber
threat information under this section to a cybersecurity
center shall not affect any requirement under any other
provision of law for an entity to provide information to the
Federal government.
SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.
(a) Classified Information.--
(1) Procedures.--Consistent with the protection of
intelligence sources and methods, and as otherwise determined
appropriate, the Director of National Intelligence and the
Secretary of Defense, in consultation with the heads of the
appropriate Federal departments or agencies, shall develop
and promulgate procedures to facilitate and promote--
(A) the immediate sharing, through the cybersecurity
centers, of classified cyber threat information in the
possession of the Federal government with appropriately
cleared representatives of any appropriate entity; and
(B) the declassification and immediate sharing, through the
cybersecurity centers, with any entity or, if appropriate,
public availability of cyber threat information in the
possession of the Federal government;
(2) Handling of classified information.--The procedures
developed under paragraph
(1) shall ensure that each entity receiving classified cyber
threat information pursuant to this section has acknowledged
in writing the ongoing obligation to comply with all laws,
executive orders, and procedures concerning the appropriate
handling, disclosure, or use of classified information.
(b) Unclassified Cyber Threat Information.--The heads of
each department or agency containing a cybersecurity center
shall jointly develop and promulgate procedures that ensure
that, consistent with the provisions of this section,
unclassified, including controlled unclassified, cyber threat
information in the possession of the Federal government--
(1) is shared, through the cybersecurity centers, in an
immediate and adequate manner with appropriate entities; and
(2) if appropriate, is made publicly available.
(c) Development of Procedures.--
(1) In general.--The procedures developed under this
section shall incorporate, to the greatest extent possible,
existing processes utilized by sector specific information
sharing and analysis centers.
(2) Coordination with entities.--In developing the
procedures required under this section, the Director of
National Intelligence and the heads of each department or
agency containing a cybersecurity center shall coordinate
with appropriate entities to ensure that protocols are
implemented that will facilitate and promote the sharing of
cyber threat information by the Federal government.
(d) Additional Responsibilities of Cybersecurity Centers.--
Consistent with section 102, a cybersecurity center shall--
(1) facilitate information sharing, interaction, and
collaboration among and between cybersecurity centers and--
(A) other Federal entities;
(B) any entity; and
(C) international partners, in consultation with the
Secretary of State;
(2) disseminate timely and actionable cybersecurity threat,
vulnerability, mitigation, and warning information, including
alerts, advisories, indicators, signatures, and mitigation
and response measures, to improve the security and protection
of information systems; and
(3) coordinate with other Federal entities, as appropriate,
to integrate information from across the Federal government
to provide situational awareness of the cybersecurity posture
of the United States.
(e) Sharing Within the Federal Government.--The heads of
appropriate Federal departments and agencies shall ensure
that cyber threat information in the possession of such
Federal departments or agencies that relates to the
prevention, investigation, or mitigation of threats to
information security across the Federal government is shared
effectively with the cybersecurity centers.
(f) Submission to Congress.--Not later than 60 days after
the date of enactment of this Act, the Director of National
Intelligence, in coordination with the appropriate head of a
department or an agency containing a cybersecurity center,
shall submit the procedures required by this section to
Congress.
SEC. 104. CONSTRUCTION.
(a) Information Sharing Relationships.--Nothing in this
title shall be construed--
(1) to limit or modify an existing information sharing
relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship
between any entity and the Federal government, except as
specified under section 102(b); or
(4) to modify the authority of a department or agency of
the Federal government to protect sources and methods and the
national security of the United States.
(b) Anti-Tasking Restriction.--Nothing in this title shall
be construed to permit the Federal government--
(1) to require an entity to share information with the
Federal government, except as expressly provided under
section 102(b); or
(2) to condition the sharing of cyber threat information
with an entity on such entity's provision of cyber threat
information to the Federal government.
(c) No Liability for Non-Participation.--Nothing in this
title shall be construed to subject any entity to liability
for choosing not to engage in the voluntary activities
authorized under this title.
(d) Use and Retention of Information.--Nothing in this
title shall be construed to authorize, or to modify any
existing authority of, a department or agency of the Federal
government to retain or use any information shared under
section 102 for any use other than a use permitted under
subsection 102(c)(1).
(e) No New Funding.--An applicable Federal agency shall
carry out the provisions of this title with existing
facilities and funds otherwise available, through such means
as the head of the agency considers appropriate.
SEC. 105. REPORT ON IMPLEMENTATION.
(a) Content of Report.--Not later than 1 year after the
date of enactment of this Act, and biennially thereafter, the
heads of each department or agency containing a cybersecurity
center shall jointly submit, in coordination with the privacy
and civil liberties officials of such departments or agencies
and the Privacy and Civil Liberties Oversight Board, a
detailed report to Congress concerning the implementation of
this title, including--
(1) an assessment of the sufficiency of the procedures
developed under section 103 of this Act in ensuring that
cyber threat information in the possession of the Federal
government is provided in an immediate and adequate manner to
appropriate entities or, if appropriate, is made publicly
available;
(2) an assessment of whether information has been
appropriately classified and an accounting of the number of
security clearances authorized by the Federal government for
purposes of this title;
(3) a review of the type of cyber threat information shared
with a cybersecurity center under section 102 of this Act,
including whether such information meets the definition of
cyber threat information under section 101, the degree to
which such information may impact the privacy and civil
liberties of individuals, any appropriate metrics to
determine any impact of the sharing of such information with
the Federal government on privacy and civil liberties, and
the adequacy of any steps taken to reduce such impact;
(4) a review of actions taken by the Federal government
based on information provided to a cybersecurity center under
section 102 of this Act, including the appropriateness of any
subsequent use under section 102(c)(1) of this Act and
whether there was inappropriate stovepiping within the
Federal government of any such information;
(5) a description of any violations of the requirements of
this title by the Federal government;
(6) a classified list of entities that received classified
information from the Federal government under section 103 of
this Act and a description of any indication that such
information may not have been appropriately handled;
(7) a summary of any breach of information security, if
known, attributable to a specific failure by any entity or
the Federal government to act on cyber threat information in
the possession of such entity or the Federal government that
resulted in substantial economic harm or injury to a specific
entity or the Federal government; and
(8) any recommendation for improvements or modifications to
the authorities under this title.
(b) Form of Report.--The report under subsection (a) shall
be submitted in unclassified form, but shall include a
classified annex.
SEC. 106. INSPECTOR GENERAL REVIEW.
(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency is authorized to review compliance
by the cybersecurity centers, and by any Federal department
or agency receiving cyber threat information from such
cybersecurity centers, with the procedures required under
section 102 of this Act.
(b) Scope of Review.--The review under subsection (a) shall
consider whether the Federal government has handled such
cyber threat information in a reasonable manner, including
consideration of the need to protect the privacy and civil
liberties of individuals through anonymization or other
appropriate methods, while fully accomplishing the objectives
of this title.
(c) Report to Congress.--Each review conducted under this
section shall be provided to Congress not later than 30 days
after the date of completion of the review.
SEC. 107. TECHNICAL AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
(1) in paragraph (8), by striking ``or'';
(2) in paragraph (9), by striking ``wells.'' and inserting
``wells; or''; and
(3) by adding at the end the following:
``(10) information shared with or provided to a
cybersecurity center under section 102 of title I of the
Strengthening and Enhancing Cybersecurity by Using Research,
Education, Information, and Technology Act of 2012.''.
SEC. 108. ACCESS TO CLASSIFIED INFORMATION.
(a) Authorization Required.--No person shall be provided
with access to classified information (as defined in section
6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to
classified national security information)) relating to cyber
security threats or cyber security vulnerabilities under this
title without the appropriate security clearances.
(b) Security Clearances.--The appropriate Federal agencies
or departments shall, consistent with applicable procedures
and requirements, and if otherwise deemed appropriate, assist
an individual in timely obtaining an appropriate security
clearance where such individual has been determined to be
eligible for such clearance and has a need-to-know (as
defined in section 6.1 of that Executive Order) classified
information to carry out this title.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY.
(a) In General.--Chapter 35 of title 44, United States
Code, is amended by striking subchapters II and III and
inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the
effectiveness of information security controls over
information resources that support Federal operations and
assets;
``(2) to recognize the highly networked nature of the
current Federal computing environment and provide effective
[[Page S5595]]
governmentwide management of policies, directives, standards, and
guidelines, as well as effective and nimble oversight of and
response to information security risks, including
coordination of information security efforts throughout the
Federal civilian, national security, and law enforcement
communities;
``(3) to provide for development and maintenance of
controls required to protect agency information and
information systems and contribute to the overall improvement
of agency information security posture;
``(4) to provide for the development of tools and methods
to assess and respond to real-time situational risk for
Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency
information security programs through continuous monitoring
of agency information systems and streamlined reporting
requirements rather than overly prescriptive manual
reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security'
means security commensurate with the risk and magnitude of
the harm resulting from the unauthorized access to or loss,
misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the
term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity
center' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat
information' means information that indicates or describes--
``(A) a technical or operation vulnerability or a cyber
threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous
patterns of network activity that appear to be transmitted
for the purpose of gathering technical information related to
a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
``(G) a method of causing a user with legitimate access to
an information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
``(H) any other attribute of a cybersecurity threat or
cyber defense information that would foster situational
awareness of the United States cybersecurity posture, if
disclosure of such attribute or information is not otherwise
prohibited by law;
``(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of
the Office of Management and Budget unless otherwise
specified.
``(6) Environment of operation.--The term `environment of
operation' means the information system and environment in
which those systems operate, including changing threats,
vulnerabilities, technologies, and missions and business
practices.
``(7) Federal information system.--The term `Federal
information system' means an information system used or
operated by an executive agency, by a contractor of an
executive agency, or by another organization on behalf of an
executive agency.
``(8) Incident.--The term `incident' means an occurrence
that--
``(A) actually or imminently jeopardizes the integrity,
confidentiality, or availability of an information system or
the information that system controls, processes, stores, or
transmits; or
``(B) constitutes a violation of law or an imminent threat
of violation of a law, a security policy, a security
procedure, or an acceptable use policy.
``(9) Information resources.--The term `information
resources' has the meaning given the term in section 3502 of
title 44.
``(10) Information security.--The term `information
security' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
``(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized
restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access
to and use of information.
``(11) Information system.--The term `information system'
has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information
technology' has the meaning given the term in section 11101
of title 40.
``(13) Malicious reconnaissance.--The term `malicious
reconnaissance' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system'
means any information system (including any
telecommunications system) used or operated by an agency or
by a contractor of an agency, or other organization on behalf
of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national
security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a
weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the
direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established
for information that have been specifically authorized under
criteria established by an Executive Order or an Act of
Congress to be kept classified in the interest of national
defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include
a system that is to be used for routine administrative and
business applications (including payroll, finance, logistics,
and personnel management applications).
``(15) Operational control.--The term `operational control'
means a security control for an information system that
primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the
term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary
of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means
the management, operational, and technical controls,
including safeguards or countermeasures, prescribed for an
information system to protect the confidentiality, integrity,
and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant
cyber incident' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
``(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
``(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
``(20) Technical control.--The term `technical control'
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
``Sec. 3553. Federal information security authority and coordination
``(a) In General.--The Secretary, in consultation with the
Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives
governing agency information security operations, and require
implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards
and guidelines promulgated under section 11331 of title 40 to
identify and provide information security protections
prioritized and commensurate with the risk and impact
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf
of an agency; or
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(B) minimum operational requirements for Federal
Government to protect agency information systems and provide
common situational awareness across all agency information
systems;
``(C) reporting requirements, consistent with relevant law,
regarding information security incidents and cyber threat
information;
``(D) requirements for agencywide information security
programs;
``(E) performance requirements and metrics for the security
of agency information systems;
``(F) training requirements to ensure that agencies are
able to fully and timely comply with the policies and
directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil
rights, and civil liberties, and information oversight for
agency information security personnel;
``(H) requirements for the annual reports to the Secretary
under section 3554(d);
``(I) any other information security operations or
information security requirements as determined by the
Secretary in coordination with relevant agency heads; and
[[Page S5596]]
``(J) coordinating the development of standards and
guidelines under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) with agencies
and offices operating or exercising control of national
security systems (including the National Security Agency) to
assure, to the maximum extent feasible, that such standards
and guidelines are complementary with standards and
guidelines developed for national security systems;
``(2) review the agencywide information security programs
under section 3554; and
``(3) designate an individual or an entity at each
cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information
security incidents, cyber threat information, and
deterioration of security control affecting agency
information systems; and
``(B) to act on or share the information under subparagraph
(A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives
under subsection (a), the Secretary shall consider any
applicable standards or guidelines developed by the National
Institute of Standards and Technology under section 11331 of
title 40.
``(c) Limitation of Authority.--The authorities of the
Secretary under this section shall not apply to national
security systems. Information security policies, directives,
standards and guidelines for national security systems shall
be overseen as directed by the President and, in accordance
with that direction, carried out under the authority of the
heads of agencies that operate or exercise authority over
such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter
shall be construed to alter or amend any law regarding the
authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued
under section 3553;
``(B) providing information security protections
commensurate with the risk resulting from unauthorized
access, use, disclosure, disruption, modification, or
destruction of--
``(i) information collected or maintained by the agency or
by a contractor of an agency or other organization on behalf
of an agency; and
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(C) complying with the requirements of this subchapter,
including--
``(i) information security standards and guidelines
promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued as directed by
the President; and
``(iii) for any non-national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued under section
3553;
``(D) ensuring that information security management
processes are integrated with agency strategic and
operational planning processes;
``(E) reporting and sharing, for an agency operating or
exercising control of a national security system, information
about information security incidents, cyber threat
information, and deterioration of security controls to the
individual or entity designated at each cybersecurity center
and to other appropriate entities consistent with policies
and directives for national security systems issued as
directed by the President; and
``(F) reporting and sharing, for those agencies operating
or exercising control of non-national security systems,
information about information security incidents, cyber
threat information, and deterioration of security controls to
the individual or entity designated at each cybersecurity
center and to other appropriate entities consistent with
policies and directives for non-national security systems as
prescribed under section 3553(a), including information to
assist the entity designated under section 3555(a) with the
ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides
information security for the information and information
systems that support the operations and assets under the
senior agency official's control, including by--
``(A) assessing the risk and impact that could result from
the unauthorized access, use, disclosure, disruption,
modification, or destruction of such information or
information systems;
``(B) determining the level of information security
appropriate to protect such information and information
systems in accordance with policies and directives issued
under section 3553(a), and standards and guidelines
promulgated under section 11331 of title 40 for information
security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities
to reduce risks to an acceptable level in a cost-effective
manner;
``(D) actively monitoring the effective implementation of
information security controls and techniques; and
``(E) reporting information about information security
incidents, cyber threat information, and deterioration of
security controls in a timely and adequate manner to the
entity designated under section 3553(a)(3) in accordance with
paragraph (1);
``(3) assess and maintain the resiliency of information
technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an
independent entity selected in consultation with the Director
and the Council of Inspectors General on Integrity and
Efficiency if the agency does not have an Inspector General)
to conduct the annual independent evaluation required under
section 3556, and allow the agency Inspector General to
contract with an independent entity to perform such
evaluation;
``(5) delegate to the Chief Information Officer or
equivalent (or to a senior agency official who reports to the
Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement
an agencywide information security program; and
``(B) the authority to provide information security for the
information collected and maintained by the agency (or by a
contractor, other agency, or other source on behalf of the
agency) and for the information systems that support the
operations, assets, and mission of the agency (including any
information system provided or managed by a contractor, other
agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is
responsible for a particular agency system or subsystem) the
responsibility to ensure and enforce compliance with all
requirements of the agency's agencywide information security
program in coordination with the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have
obtained any necessary security clearances to permit them to
assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5),
in coordination with other senior agency officials, reports
to the agency head on the effectiveness of the agencywide
information security program, including the progress of any
remedial actions; and
``(9) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5)
has the necessary qualifications to administer the functions
described in this subchapter and has information security
duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information
Officer or equivalent (or the senior agency official who
reports to the Chief Information Officer or equivalent) under
subsection (a)(5) shall--
``(1) establish and maintain an enterprise security
operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds
to information security incidents that impair adequate
security of the agency's information or information system in
a timely manner and in accordance with the policies and
directives under section 3553; and
``(B) reports any information security incident under
subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide
information security program;
``(3) develop, maintain, and oversee information security
policies, procedures, and control techniques to address
applicable requirements, including requirements under section
3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have
significant responsibility for information security with
respect to that responsibility.
``(c) Agencywide Information Security Programs.--
``(1) In general.--Each agencywide information security
program under subsection (b)(2) shall include--
``(A) relevant security risk assessments, including
technical assessments and others related to the acquisition
process;
``(B) security testing commensurate with risk and impact;
``(C) mitigation of deterioration of security controls
commensurate with risk and impact;
``(D) risk-based continuous monitoring and threat
assessment of the operational status and security of agency
information systems to enable evaluation of the effectiveness
of and compliance with information security policies,
procedures, and practices, including a relevant and
appropriate selection of security controls of information
systems identified in the inventory under section 3505(c);
``(E) operation of appropriate technical capabilities in
order to detect, mitigate, report, and respond to information
security incidents, cyber threat information, and
deterioration of security controls in a manner that is
consistent with the policies and directives under section
3553, including--
``(i) mitigating risks associated with such information
security incidents;
``(ii) notifying and consulting with the entity designated
under section 3555; and
[[Page S5597]]
``(iii) notifying and consulting with, as appropriate--
``(I) law enforcement and the relevant Office of the
Inspector General; and
``(II) any other entity, in accordance with law and as
directed by the President;
``(F) a process to ensure that remedial action is taken to
address any deficiencies in the information security
policies, procedures, and practices of the agency; and
``(G) a plan and procedures to ensure the continuity of
operations for information systems that support the
operations and assets of the agency.
``(2) Risk management strategies.--Each agencywide
information security program under subsection (b)(2) shall
include the development and maintenance of a risk management
strategy for information security. The risk management
strategy shall include--
``(A) consideration of information security incidents,
cyber threat information, and deterioration of security
controls; and
``(B) consideration of the consequences that could result
from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information
systems that support the operations and assets of the agency,
including any information system provided or managed by a
contractor, other agency, or other source on behalf of the
agency;
``(3) Policies and procedures.--Each agencywide information
security program under subsection (b)(2) shall include
policies and procedures that--
``(A) are based on the risk management strategy under
paragraph (2);
``(B) reduce information security risks to an acceptable
level in a cost-effective manner;
``(C) ensure that cost-effective and adequate information
security is addressed as part of the acquisition and ongoing
management of each agency information system; and
``(D) ensure compliance with--
``(i) this subchapter; and
``(ii) any other applicable requirements.
``(4) Training requirements.--Each agencywide information
security program under subsection (b)(2) shall include
information security, privacy, civil rights, civil liberties,
and information oversight training that meets any applicable
requirements under section 3553. The training shall inform
each information security personnel that has access to agency
information systems (including contractors and other users of
information systems that support the operations and assets of
the agency) of--
``(A) the information security risks associated with the
information security personnel's activities; and
``(B) the individual's responsibility to comply with the
agency policies and procedures that reduce the risks under
subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report
annually to the Secretary of Homeland Security on its
agencywide information security program and information
systems.
``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of
Management and Budget, in coordination with the Secretary of
Homeland Security, shall designate an entity to implement
ongoing security analysis concerning agency information
systems--
``(1) based on cyber threat information;
``(2) based on agency information system and environment of
operation changes, including--
``(A) an ongoing evaluation of the information system
security controls; and
``(B) the security state, risk level, and environment of
operation of an agency information system, including--
``(i) a change in risk level due to a new cyber threat;
``(ii) a change resulting from a new technology;
``(iii) a change resulting from the agency's mission; and
``(iv) a change resulting from the business practice; and
``(3) using automated processes to the maximum extent
possible--
``(A) to increase information system security;
``(B) to reduce paper-based reporting requirements; and
``(C) to maintain timely and actionable knowledge of the
state of the information system security.
``(b) Standards.--The National Institute of Standards and
Technology may promulgate standards, in coordination with the
Secretary of Homeland Security, to assist an agency with its
duties under this section.
``(c) Compliance.--The head of each appropriate department
and agency shall be responsible for ensuring compliance and
implementing necessary procedures to comply with this
section. The head of each appropriate department and agency,
in consultation with the Director of the Office of Management
and Budget and the Secretary of Homeland Security, shall--
``(1) monitor compliance under this section;
``(2) develop a timeline and implement for the department
or agency--
``(A) adoption of any technology, system, or method that
facilitates continuous monitoring and threat assessments of
an agency information system;
``(B) adoption or updating of any technology, system, or
method that prevents, detects, or remediates a significant
cyber incident to a Federal information system of the
department or agency that has impeded, or is reasonably
likely to impede, the performance of a critical mission of
the department or agency; and
``(C) adoption of any technology, system, or method that
satisfies a requirement under this section.
``(d) Limitation of Authority.--The authorities of the
Director of the Office of Management and Budget and of the
Secretary of Homeland Security under this section shall not
apply to national security systems.
``(e) Report.--Not later than 6 months after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Government Accountability Office shall issue a
report evaluating each agency's status toward implementing
this section.
``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency, in consultation with the Director
and the Secretary of Homeland Security, the Secretary of
Commerce, and the Secretary of Defense, shall issue and
maintain criteria for the timely, cost-effective, risk-based,
and independent evaluation of each agencywide information
security program (and practices) to determine the
effectiveness of the agencywide information security program
(and practices). The criteria shall include measures to
assess any conflicts of interest in the performance of the
evaluation and whether the agencywide information security
program includes appropriate safeguards against disclosure of
information where such disclosure may adversely affect
information security.
``(b) Annual Independent Evaluations.--Each agency shall
perform an annual independent evaluation of its agencywide
information security program (and practices) in accordance
with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days
after receiving an independent evaluation under subsection
(b), each agency head shall transmit a copy of the
independent evaluation to the Secretary of Homeland Security,
the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving
national security systems shall be conducted as directed by
the President.
``Sec. 3557. National security systems.
``The head of each agency operating or exercising control
of a national security system shall be responsible for
ensuring that the agency--
``(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of the information
contained in such system; and
``(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with law and
as directed by the President.''.
(b) Savings Provisions.--
(1) Policy and compliance guidance.--Policy and compliance
guidance issued by the Director before the date of enactment
of this Act under section 3543(a)(1) of title 44, United
States Code (as in effect on the day before the date of
enactment of this Act), shall continue in effect, according
to its terms, until modified, terminated, superseded, or
repealed pursuant to section 3553(a)(1) of title 44, United
States Code.
(2) Standards and guidelines.--Standards and guidelines
issued by the Secretary of Commerce or by the Director before
the date of enactment of this Act under section 11331(a)(1)
of title 40, United States Code, (as in effect on the day
before the date of enactment of this Act) shall continue in
effect, according to their terms, until modified, terminated,
superseded, or repealed pursuant to section 11331(a)(1) of
title 40, United States Code, as amended by this Act.
(c) Technical and Conforming Amendments.--
(1) Chapter analysis.--The chapter analysis for chapter 35
of title 44, United States Code, is amended--
(A) by striking the items relating to sections 3531 through
3538;
(B) by striking the items relating to sections 3541 through
3549; and
(C) by inserting the following:
``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
(2) Other references.--
(A) Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section
3532(3)'' and inserting ``section 3552''.
(B) Section 2222(j)(5) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(C) Section 2223(c)(3) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(D) Section 2315 of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(E) Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--
[[Page S5598]]
(i) in subsection (a)(2), by striking ``section
3532(b)(2)'' and inserting ``section 3552'';
(ii) in subsection (c)(3), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iii) in subsection (d)(1), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iv) in subsection (d)(8) by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(v) in subsection (d)(8), by striking ``submitted to the
Director'' and inserting ``submitted to the Secretary'';
(vi) in subsection (e)(2), by striking ``section 3532(1) of
such title'' and inserting ``section 3552 of title 44''; and
(vii) in subsection (e)(5), by striking ``section
3532(b)(2) of such title'' and inserting ``section 3552 of
title 44''.
(F) Section 8(d)(1) of the Cyber Security Research and
Development Act (15 U.S.C. 7406(d)(1)) is amended by striking
``section 3534(b)'' and inserting ``section 3554(b)(2)''.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General.--Section 11331 of title 40, United States
Code, is amended to read as follows:
``Sec. 11331. Responsibilities for Federal information
systems standards
``(a) Standards and Guidelines.--
``(1) Authority to prescribe.--Except as provided under
paragraph (2), the Secretary of Commerce shall prescribe
standards and guidelines pertaining to Federal information
systems--
``(A) in consultation with the Secretary of Homeland
Security; and
``(B) on the basis of standards and guidelines developed by
the National Institute of Standards and Technology under
paragraphs (2) and (3) of section 20(a) of the National
Institute of Standards and Technology Act (15 U.S.C. 278g-
3(a)(2) and (a)(3)).
``(2) National security systems.--Standards and guidelines
for national security systems shall be developed, prescribed,
enforced, and overseen as otherwise authorized by law and as
directed by the President.
``(b) Mandatory Standards and Guidelines.--
``(1) Authority to make mandatory standards and
guidelines.--The Secretary of Commerce shall make standards
and guidelines under subsection (a)(1) compulsory and binding
to the extent determined necessary by the Secretary of
Commerce to improve the efficiency of operation or security
of Federal information systems.
``(2) Required mandatory standards and guidelines.--
``(A) In general.--Standards and guidelines under
subsection (a)(1) shall include information security
standards that--
``(i) provide minimum information security requirements as
determined under section 20(b) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(b)); and
``(ii) are otherwise necessary to improve the security of
Federal information and information systems.
``(B) Binding effect.--Information security standards under
subparagraph (A) shall be compulsory and binding.
``(c) Exercise of Authority.--To ensure fiscal and policy
consistency, the Secretary of Commerce shall exercise the
authority conferred by this section subject to direction by
the President and in coordination with the Director.
``(d) Application of More Stringent Standards and
Guidelines.--The head of an executive agency may employ
standards for the cost-effective information security for
information systems within or under the supervision of that
agency that are more stringent than the standards and
guidelines the Secretary of Commerce prescribes under this
section if the more stringent standards and guidelines--
``(1) contain at least the applicable standards and
guidelines made compulsory and binding by the Secretary of
Commerce; and
``(2) are otherwise consistent with the policies,
directives, and implementation memoranda issued under section
3553(a) of title 44.
``(e) Decisions on Promulgation of Standards and
Guidelines.--The decision by the Secretary of Commerce
regarding the promulgation of any standard or guideline under
this section shall occur not later than 6 months after the
date of submission of the proposed standard to the Secretary
of Commerce by the National Institute of Standards and
Technology under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3).
``(f) Notice and Comment.--A decision by the Secretary of
Commerce to significantly modify, or not promulgate, a
proposed standard submitted to the Secretary by the National
Institute of Standards and Technology under section 20 of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3) shall be made after the public is given an
opportunity to comment on the Secretary's proposed decision.
``(g) Definitions.--In this section:
``(1) Federal information system.--The term `Federal
information system' has the meaning given the term in section
3552 of title 44.
``(2) Information security.--The term `information
security' has the meaning given the term in section 3552 of
title 44.
``(3) National security system.--The term `national
security system' has the meaning given the term in section
3552 of title 44.''.
SEC. 203. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.
Section 21(b) of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-4(b)) is amended--
(1) in paragraph (2), by striking ``and the Director of the
Office of Management and Budget'' and inserting ``, the
Secretary of Commerce, and the Secretary of Homeland
Security''; and
(2) in paragraph (3), by inserting ``, the Secretary of
Homeland Security,'' after ``the Secretary of Commerce''.
SEC. 205. CLARIFICATION OF AUTHORITIES.
Nothing in this title shall be construed to convey any new
regulatory authority to any government entity implementing or
complying with any provision of this title.
TITLE III--CRIMINAL PENALTIES
SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN
CONNECTION WITH COMPUTERS.
Section 1030(c) of title 18, United States Code, is amended
to read as follows:
``(c) The punishment for an offense under subsection (a) or
(b) of this section is--
``(1) a fine under this title or imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(1) of this section;
``(2)(A) except as provided in subparagraph (B), a fine
under this title or imprisonment for not more than 3 years,
or both, in the case of an offense under subsection (a)(2);
or
``(B) a fine under this title or imprisonment for not more
than ten years, or both, in the case of an offense under
subsection (a)(2) of this section, if--
``(i) the offense was committed for purposes of commercial
advantage or private financial gain;
``(ii) the offense was committed in the furtherance of any
criminal or tortious act in violation of the Constitution or
laws of the United States, or of any State; or
``(iii) the value of the information obtained, or that
would have been obtained if the offense was completed,
exceeds $5,000;
``(3) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(3) of this section;
``(4) a fine under this title or imprisonment of not more
than 20 years, or both, in the case of an offense under
subsection (a)(4) of this section;
``(5)(A) except as provided in subparagraph (C), a fine
under this title, imprisonment for not more than 20 years, or
both, in the case of an offense under subsection (a)(5)(A) of
this section, if the offense caused--
``(i) loss to 1 or more persons during any 1-year period
(and, for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting
from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
``(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
``(iii) physical injury to any person;
``(iv) a threat to public health or safety;
``(v) damage affecting a computer used by, or on behalf of,
an entity of the United States Government in furtherance of
the administration of justice, national defense, or national
security; or
``(vi) damage affecting 10 or more protected computers
during any 1-year period;
``(B) a fine under this title, imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(5)(B), if the offense caused a harm provided
in clause (i) through (vi) of subparagraph (A) of this
subsection;
``(C) if the offender attempts to cause or knowingly or
recklessly causes death from conduct in violation of
subsection (a)(5)(A), a fine under this title, imprisonment
for any term of years or for life, or both;
``(D) a fine under this title, imprisonment for not more
than 10 years, or both, for any other offense under
subsection (a)(5);
``(E) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(6) of this section; or
``(F) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(7) of this section.''.
SEC. 302. TRAFFICKING IN PASSWORDS.
Section 1030(a)(6) of title 18, United States Code, is
amended to read as follows:
``(6) knowingly and with intent to defraud traffics (as
defined in section 1029) in any password or similar
information or means of access through which a protected
computer (as defined in subparagraphs (A) and (B) of
subsection (e)(2)) may be accessed without authorization.''.
SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.
Section 1030(b) of title 18, United States Code, is amended
by inserting ``as if for the completed offense'' after
``punished as provided''.
SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED
ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030 of title 18, United States Code, is amended by
striking subsections (i) and (j) and inserting the following:
``(i) Criminal Forfeiture.--
``(1) The court, in imposing sentence on any person
convicted of a violation of this section, or convicted of
conspiracy to violate this section, shall order, in addition
to any other sentence imposed and irrespective of any
provision of State law, that such person forfeit to the
United States--
``(A) such person's interest in any property, real or
personal, that was used, or intended to be used, to commit or
facilitate the commission of such violation; and
``(B) any property, real or personal, constituting or
derived from any gross proceeds, or any property traceable to
such property, that such person obtained, directly or
indirectly, as a result of such violation.
``(2) The criminal forfeiture of property under this
subsection, including any seizure and disposition of the
property, and any related judicial or administrative
proceeding, shall be governed by the provisions of section
413 of the Comprehensive Drug Abuse Prevention and Control
Act of 1970 (21 U.S.C. 853), except subsection (d) of that
section.
``(j) Civil Forfeiture.--
``(1) The following shall be subject to forfeiture to the
United States and no property right, real or personal, shall
exist in them:
``(A) Any property, real or personal, that was used, or
intended to be used, to commit or facilitate the commission
of any violation of this section, or a conspiracy to violate
this section.
``(B) Any property, real or personal, constituting or
derived from any gross proceeds obtained directly or
indirectly, or any property traceable to such property, as a
result of the commission of any violation of this section, or
a conspiracy to violate this section.
``(2) Seizures and forfeitures under this subsection shall
be governed by the provisions in chapter 46 relating to civil
forfeitures, except that such duties as are imposed on the
Secretary of the Treasury under the customs laws described in
section 981(d) shall be performed by such officers, agents
and other persons as may be designated for that purpose by
the Secretary of Homeland Security or the Attorney
General.''.
SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.
(a) In General.--Chapter 47 of title 18, United States
Code, is amended by inserting after section 1030 the
following:
``Sec. 1030A. Aggravated damage to a critical infrastructure
computer
``(a) Definitions.--In this section--
``(1) the term `computer' has the meaning given the term in
section 1030;
``(2) the term `critical infrastructure computer' means a
computer that manages or controls systems or assets vital to
national defense, national security, national economic
security, public health or safety, or any combination of
those matters, whether publicly or privately owned or
operated, including--
``(A) oil and gas production, storage, conversion, and
delivery systems;
``(B) water supply systems;
``(C) telecommunication networks;
``(D) electrical power generation and delivery systems;
``(E) finance and banking systems;
``(F) emergency services;
``(G) transportation systems and services; and
``(H) government operations that provide essential services
to the public; and
``(3) the term `damage' has the meaning given the term in
section 1030.
``(b) Offense.--It shall be unlawful, during and in
relation to a felony violation of section 1030, to knowingly
cause or attempt to cause damage to a critical infrastructure
computer if the damage results in (or, in the case of an
attempt, if completed, would have resulted in) the
substantial impairment--
``(1) of the operation of the critical infrastructure
computer; or
``(2) of the critical infrastructure associated with the
computer.
``(c) Penalty.--Any person who violates subsection (b)
shall be--
``(1) fined under this title;
``(2) imprisoned for not less than 3 years but not more
than 20 years; or
``(3) penalized under paragraphs (1) and (2).
``(d) Consecutive Sentence.--Notwithstanding any other
provision of law--
``(1) a court shall not place on probation any person
convicted of a violation of this section;
``(2) except as provided in paragraph (4), no term of
imprisonment imposed on a person under this section shall run
concurrently with any other term of imprisonment, including
any term of imprisonment imposed on the person under any
other provision of law, including any term of imprisonment
imposed for a felony violation of section 1030;
``(3) in determining any term of imprisonment to be imposed
for a felony violation of section 1030, a court shall not in
any way reduce the term to be imposed for such crime so as to
compensate for, or otherwise take into account, any separate
term of imprisonment imposed or to be imposed for a violation
of this section; and
``(4) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the
court, run concurrently, in whole or in part, only with
another term of imprisonment that is imposed by the court at
the same time on that person for an additional violation of
this section, provided that such discretion shall be
exercised in accordance with any applicable guidelines and
policy statements issued by the United States Sentencing
Commission pursuant to section 994 of title 28.''.
(b) Technical and Conforming Amendment.--The chapter
analysis for chapter 47 of title 18, United States Code, is
amended by inserting after the item relating to section 1030
the following:
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code, is
amended by striking ``alter;'' and inserting ``alter, but
does not include access in violation of a contractual
obligation or agreement, such as an acceptable use policy or
terms of service agreement, with an Internet service
provider, Internet website, or non-government employer, if
such violation constitutes the sole basis for determining
that access to a protected computer is unauthorized;''.
SEC. 307. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM
PLANNING AND COORDINATION.
(a) Goals and Priorities.--Section 101 of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511) is amended
by adding at the end the following:
``(d) Goals and Priorities.--The goals and priorities for
Federal high-performance computing research, development,
networking, and other activities under subsection (a)(2)(A)
shall include--
``(1) encouraging and supporting mechanisms for
interdisciplinary research and development in networking and
information technology, including--
``(A) through collaborations across agencies;
``(B) through collaborations across Program Component
Areas;
``(C) through collaborations with industry;
``(D) through collaborations with institutions of higher
education;
``(E) through collaborations with Federal laboratories (as
defined in section 4 of the Stevenson-Wydler Technology
Innovation Act of 1980 (15 U.S.C. 3703)); and
``(F) through collaborations with international
organizations;
``(2) addressing national, multi-agency, multi-faceted
challenges of national importance; and
``(3) fostering the transfer of research and development
results into new technologies and applications for the
benefit of society.''.
(b) Development of Strategic Plan.--Section 101 of the
High-Performance Computing Act of 1991 (15 U.S.C. 5511) is
amended by adding at the end the following:
``(e) Strategic Plan.--
``(1) In general.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the agencies under subsection (a)(3)(B), working
through the National Science and Technology Council and with
the assistance of the Office of Science and Technology Policy,
shall develop a 5-year strategic plan to guide the activities
under subsection (a)(1).
``(2) Contents.--The strategic plan shall specify--
``(A) the near-term objectives for the Program;
``(B) the long-term objectives for the Program;
``(C) the anticipated time frame for achieving the near-
term objectives;
``(D) the metrics that will be used to assess any progress
made toward achieving the near-term objectives and the long-
term objectives; and
``(E) how the Program will achieve the goals and priorities
under subsection (d).
``(3) Implementation roadmap.--
``(A) In general.--The agencies under subsection (a)(3)(B)
shall develop and annually update an implementation roadmap
for the strategic plan.
``(B) Requirements.--The information in the implementation
roadmap shall be coordinated with the database under section
102(c) and the annual report under section 101(a)(3). The
implementation roadmap shall--
``(i) specify the role of each Federal agency in carrying
out or sponsoring research and development to meet the
research objectives of the strategic plan, including a
description of how progress toward the research objectives
will be evaluated, with consideration of any relevant
recommendations of the advisory committee;
``(ii) specify the funding allocated to each major research
objective of the strategic plan and the source of funding by
agency for the current fiscal year; and
``(iii) estimate the funding required for each major
research objective of the strategic plan for the next 3
fiscal years.
``(4) Recommendations.--The agencies under subsection
(a)(3)(B) shall take into consideration when developing the
strategic plan under paragraph (1) the recommendations of--
``(A) the advisory committee under subsection (b); and
``(B) the stakeholders under section 102(a)(3).
``(5) Report to congress.--The Director of the Office of
Science and Technology Policy shall transmit the strategic
plan under this
subsection, including the implementation roadmap and any
updates under paragraph (3), to--
``(A) the advisory committee under subsection (b);
``(B) the Committee on Commerce, Science, and
Transportation of the Senate; and
``(C) the Committee on Science and Technology of the House
of Representatives.''.
(c) Periodic Reviews.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended by adding
at the end the following:
``(f) Periodic Reviews.--The agencies under subsection
(a)(3)(B) shall--
``(1) periodically assess the contents and funding levels
of the Program Component Areas and restructure the Program
when warranted, taking into consideration any relevant
recommendations of the advisory committee under subsection
(b); and
``(2) ensure that the Program includes national, multi-
agency, multi-faceted research and development activities,
including activities described in section 104.''.
(d) Additional Responsibilities of Director.--Section
101(a)(2) of the High-Performance Computing Act of 1991 (15
U.S.C. 5511(a)(2)) is amended--
(1) by redesignating subparagraphs (E) and (F) as
subparagraphs (G) and (H), respectively; and
(2) by inserting after subparagraph (D) the following:
``(E) encourage and monitor the efforts of the agencies
participating in the Program to allocate the level of
resources and management attention necessary--
``(i) to ensure that the strategic plan under subsection
(e) is developed and executed effectively; and
``(ii) to ensure that the objectives of the Program are
met;
``(F) working with the Office of Management and Budget and
in coordination with the creation of the database under
section 102(c), direct the Office of Science and Technology
Policy and the agencies participating in the Program to
establish a mechanism (consistent with existing law) to track
all ongoing and completed research and development projects
and associated funding;''.
(e) Advisory Committee.--Section 101(b) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is
amended--
(1) in paragraph (1)--
(A) by inserting after the first sentence the following:
``The co-chairs of the advisory committee shall meet the
qualifications of committee members and may be members of the
President's Council of Advisors on Science and Technology.'';
and
(B) by striking ``high-performance'' in subparagraph (D)
and inserting ``high-end''; and
(2) by amending paragraph (2) to read as follows:
``(2) In addition to the duties under paragraph (1), the
advisory committee shall conduct periodic evaluations of the
funding, management, coordination, implementation, and
activities of the Program. The advisory committee shall
report its findings and recommendations not less frequently
than once every 3 fiscal years to the Committee on Commerce,
Science, and Transportation of the Senate and the Committee
on Science and Technology of the House of Representatives.
The report shall be submitted in conjunction with the update
of the strategic plan.''.
(f) Report.--Section 101(a)(3) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
(1) in subparagraph (C)--
(A) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(B) by striking ``each Program Component Area'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104'';
(2) in subparagraph (D)--
(A) by striking ``each Program Component Area,'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104,'';
(B) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(C) by striking ``and'' after the semicolon;
(3) by redesignating subparagraph (E) as subparagraph (G);
and
(4) by inserting after subparagraph (D) the following:
``(E) include a description of how the objectives for each
Program Component Area, and the objectives for activities
that involve multiple Program Component Areas, relate to the
objectives of the Program identified in the strategic plan
under subsection (e);
``(F) include--
``(i) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the next
fiscal year by category of activity;
``(ii) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the current
fiscal year by category of activity; and
``(iii) the amount of funding provided for the Office of
Science and Technology Policy for the current fiscal year by
each agency participating in the Program; and''.
(g) Definitions.--Section 4 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5503) is amended--
(1) by redesignating paragraphs (1) and (2) as paragraphs
(2) and (3), respectively;
(2) by redesignating paragraph (3) as paragraph (6);
(3) by redesignating paragraphs (6) and (7) as paragraphs
(7) and (8), respectively;
(4) by inserting before paragraph (2), as redesignated, the
following:
``(1) `cyber-physical systems' means physical or engineered
systems whose networking and information technology functions
and physical elements are deeply integrated and are actively
connected to the physical world through sensors, actuators,
or other means to perform monitoring and control
functions;'';
(5) in paragraph (3), as redesignated, by striking ``high-
performance computing'' and inserting ``networking and
information technology'';
(6) in paragraph (6), as redesignated--
(A) by striking ``high-performance computing'' and
inserting ``networking and information technology''; and
(B) by striking ``supercomputer'' and inserting ``high-end
computing'';
(7) in paragraph (5), by striking ``network referred to
as'' and all that follows through the semicolon and inserting
``network, including advanced computer networks of Federal
agencies and departments''; and
(8) in paragraph (7), as redesignated, by striking
``National High-Performance Computing Program'' and inserting
``networking and information technology research and
development program''.
SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
(a) Research in Areas of National Importance.--Title I of
the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et
seq.) is amended by adding at the end the following:
``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
``(a) In General.--The Program shall encourage agencies
under section 101(a)(3)(B) to support, maintain, and improve
national, multi-agency, multi-faceted, research and
development activities in networking and information
technology directed toward application areas that have the
potential for significant contributions to national economic
competitiveness and for other significant societal benefits.
``(b) Technical Solutions.--An activity under subsection
(a) shall be designed to advance the development of research
discoveries by demonstrating technical solutions to important
problems in areas including--
``(1) cybersecurity;
``(2) health care;
``(3) energy management and low-power systems and devices;
``(4) transportation, including surface and air
transportation;
``(5) cyber-physical systems;
``(6) large-scale data analysis and modeling of physical
phenomena;
``(7) large scale data analysis and modeling of behavioral
phenomena;
``(8) supply chain quality and security; and
``(9) privacy protection and protected disclosure of
confidential data.
``(c) Recommendations.--The advisory committee under
section 101(b) shall make recommendations to the Program for
candidate research and development areas for support under
this section.
``(d) Characteristics.--
``(1) In general.--Research and development activities
under this section--
``(A) shall include projects selected on the basis of
applications for support through a competitive, merit-based
process;
``(B) shall leverage, when possible, Federal investments
through collaboration with related State initiatives;
``(C) shall include a plan for fostering the transfer of
research discoveries and the results of technology
demonstration activities, including from institutions of
higher education and Federal laboratories, to industry for
commercial development;
``(D) shall involve collaborations among researchers in
institutions of higher education and industry; and
``(E) may involve collaborations among nonprofit research
institutions and Federal laboratories, as appropriate.
``(2) Cost-sharing.--In selecting applications for support,
the agencies under section 101(a)(3)(B) shall give special
consideration to projects that include cost sharing from non-
Federal sources.
``(3) Multidisciplinary research centers.--Research and
development activities under this section shall be supported
through multidisciplinary research centers, including Federal
laboratories, that are organized to investigate basic
research questions and carry out technology demonstration
activities in areas described in subsection (a). Research may
be carried out through existing multidisciplinary centers,
including those authorized under section 7024(b)(2) of the
America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
(b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is
amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking the period at the end
and inserting a semicolon; and
(3) by adding at the end the following:
``(J) provide for increased understanding of the scientific
principles of cyber-physical systems and improve the methods
available for the design, development, and operation of
cyber-physical systems that are characterized by high
reliability, safety, and security; and
``(K) provide for research and development on human-
computer interactions, visualization, and big data.''.
(c) Task Force.--Title I of the High-Performance Computing
Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section
402(a) of this Act, is amended by adding at the end the
following:
``SEC. 105. TASK FORCE.
``(a) Establishment.--Not later than 180 days after the
date of enactment of the Strengthening and Enhancing
Cybersecurity by Using Research, Education, Information, and
Technology Act of 2012, the Director of the Office of Science
and Technology Policy under section 102 shall convene a task
force to explore mechanisms for carrying out collaborative
research and development activities for cyber-physical
systems (including the related technologies required to
enable these systems) through a consortium or other
appropriate entity with participants from institutions of
higher education, Federal laboratories, and industry.
``(b) Functions.--The task force shall--
``(1) develop options for a collaborative model and an
organizational structure for such entity under which the
joint research and development activities could be planned,
managed, and conducted effectively, including mechanisms for
the allocation of resources among the participants in such
entity for support of such activities;
``(2) propose a process for developing a research and
development agenda for such entity, including guidelines to
ensure an appropriate scope of work focused on nationally
significant challenges and requiring collaboration and to
ensure the development of related scientific and
technological milestones;
``(3) define the roles and responsibilities for the
participants from institutions of higher education, Federal
laboratories, and industry in such entity;
``(4) propose guidelines for assigning intellectual
property rights and for transferring research results to the
private sector; and
``(5) make recommendations for how such entity could be
funded from Federal, State, and non-governmental sources.
``(c) Composition.--In establishing the task force under
subsection (a), the Director of the Office of Science and
Technology Policy shall appoint an equal number of
individuals from institutions of higher education and from
industry with knowledge and expertise in cyber-physical
systems, and may appoint not more than 2 individuals from
Federal laboratories.
``(d) Report.--Not later than 1 year after the date of
enactment of the Strengthening and Enhancing Cybersecurity by
Using Research, Education, Information, and Technology Act of
2012, the Director of the Office of Science and Technology
Policy shall transmit to the Committee on Commerce, Science,
and Transportation of the Senate and the Committee on Science
and Technology of the House of Representatives a report
describing the findings and recommendations of the task
force.
``(e) Termination.--The task force shall terminate upon
transmittal of the report required under subsection (d).
``(f) Compensation and Expenses.--Members of the task force
shall serve without compensation.''.
SEC. 403. PROGRAM IMPROVEMENTS.
Section 102 of the High-Performance Computing Act of 1991
(15 U.S.C. 5512) is amended to read as follows:
``SEC. 102. PROGRAM IMPROVEMENTS.
``(a) Functions.--The Director of the Office of Science and
Technology Policy shall continue--
``(1) to provide technical and administrative support to--
``(A) the agencies participating in planning and
implementing the Program, including support needed to develop
the strategic plan under section 101(e); and
``(B) the advisory committee under section 101(b);
``(2) to serve as the primary point of contact on Federal
networking and information technology activities for
government agencies, academia, industry, professional
societies, State computing and networking technology
programs, interested citizen groups, and others to exchange
technical and programmatic information;
``(3) to solicit input and recommendations from a wide
range of stakeholders during the development of each
strategic plan under section 101(e) by convening at least 1
workshop with invitees from academia, industry, Federal
laboratories, and other relevant organizations and
institutions;
``(4) to conduct public outreach, including the
dissemination of the advisory committee's findings and
recommendations, as appropriate;
``(5) to promote access to and early application of the
technologies, innovations, and expertise derived from Program
activities to agency missions and systems across the Federal
Government and to United States industry;
``(6) to ensure accurate and detailed budget reporting of
networking and information technology research and
development investment; and
``(7) to encourage agencies participating in the Program to
use existing programs and resources to strengthen networking
and information technology education and training, and
increase participation in such fields, including by women and
underrepresented minorities.
``(b) Source of Funding.--
``(1) In general.--The functions under this section shall
be supported by funds from each agency participating in the
Program.
``(2) Specifications.--The portion of the total budget of
the Office of Science and Technology Policy that is provided
by each agency participating in the Program for each fiscal
year shall be in the same proportion as each agency's share
of the total budget for the Program for the previous fiscal
year, as specified in the database under section 102(c).
``(c) Database.--
``(1) In general.--The Director of the Office of Science
and Technology Policy shall develop and maintain a database
of projects funded by each agency for the fiscal year for
each Program Component Area.
``(2) Public accessibility.--The Director of the Office of
Science and Technology Policy shall make the database
accessible to the public.
``(3) Database contents.--The database shall include, for
each project in the database--
``(A) a description of the project;
``(B) each agency, industry, institution of higher
education, Federal laboratory, or international institution
involved in the project;
``(C) the source funding of the project (set forth by
agency);
``(D) the funding history of the project; and
``(E) whether the project has been completed.''.
SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION
TECHNOLOGY, INCLUDING HIGH PERFORMANCE
COMPUTING.
Section 201(a) of the High-Performance Computing Act of
1991 (15 U.S.C. 5521(a)) is amended--
(1) by redesignating paragraphs (2) through (4) as
paragraphs (3) through (5), respectively; and
(2) by inserting after paragraph (1) the following:
``(2) the National Science Foundation shall use its
existing programs, in collaboration with other agencies, as
appropriate, to improve the teaching and learning of
networking and information technology at all levels of
education and to increase participation in networking and
information technology fields;''.
SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
PERFORMANCE COMPUTING ACT OF 1991.
(a) Section 3.--Section 3 of the High-Performance Computing
Act of 1991 (15 U.S.C. 5502) is amended--
(1) in the matter preceding paragraph (1), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(2) in paragraph (1)--
(A) in the matter preceding subparagraph (A), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(B) in subparagraphs (A), (F), and (G), by striking ``high-
performance computing'' each place it appears and inserting
``networking and information technology''; and
(C) in subparagraph (H), by striking ``high-performance''
and inserting ``high-end''; and
(3) in paragraph (2)--
(A) by striking ``high-performance computing and'' and
inserting ``networking and information technology, and''; and
(B) by striking ``high-performance computing network'' and
inserting ``networking and information technology''.
(b) Title Heading.--The heading of title I of the High-
Performance Computing Act of 1991 (105 Stat. 1595) is amended
by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting
``NETWORKING AND INFORMATION TECHNOLOGY''.
(c) Section 101.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended--
(1) in the section heading, by striking ``high-performance
computing'' and inserting ``networking and information
technology research and development'';
(2) in subsection (a)--
(A) in the subsection heading, by striking ``National High-
Performance Computing'' and inserting ``Networking and
Information Technology Research and Development'';
(B) in paragraph (1)--
(i) by striking ``National High-Performance Computing
Program'' and inserting ``networking and information
technology research and development program'';
(ii) in subparagraph (A), by striking ``high-performance
computing, including networking'' and inserting ``networking
and information technology'';
(iii) in subparagraphs (B) and (G), by striking ``high-
performance'' each place it appears and inserting ``high-
end''; and
(iv) in subparagraph (C), by striking ``high-performance
computing and networking'' and inserting ``high-end
computing, distributed, and networking''; and
(C) in paragraph (2)--
(i) in subparagraphs (A) and (C)--
(I) by striking ``high-performance computing'' each place
it appears and inserting ``networking and information
technology''; and
(II) by striking ``development, networking,'' each place it
appears and inserting ``development,''; and
(ii) in subparagraphs (G) and (H), as redesignated by
section 401(d) of this Act, by striking ``high-performance''
each place it appears and inserting ``high-end'';
(3) in subsection (b)(1), in the matter preceding
subparagraph (A), by striking ``high-performance computing''
each place it appears and inserting
``networking and information technology''; and
(4) in subsection (c)(1)(A), by striking ``high-performance
computing'' and inserting ``networking and information
technology''.
(d) Section 201.--Section 201(a)(1) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by
striking ``high-performance computing and advanced high-speed
computer networking'' and inserting ``networking and
information technology research and development''.
(e) Section 202.--Section 202(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by
striking ``high-performance computing'' and inserting
``networking and information technology''.
(f) Section 203.--Section 203(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
(1) in paragraph (1), by striking ``high-performance
computing and networking'' and inserting ``networking and
information technology''; and
(2) in paragraph (2)(A), by striking ``high-performance''
and inserting ``high-end''.
(g) Section 204.--Section 204 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5524) is amended--
(1) in subsection (a)(1)--
(A) in subparagraph (A), by striking ``high-performance
computing systems and networks'' and inserting ``networking
and information technology systems and capabilities'';
(B) in subparagraph (B), by striking ``interoperability of
high-performance computing systems in networks and for common
user interfaces to systems'' and inserting ``interoperability
and usability of networking and information technology
systems''; and
(C) in subparagraph (C), by striking ``high-performance
computing'' and inserting ``networking and information
technology''; and
(2) in subsection (b)--
(A) by striking ``High-Performance Computing and Network''
in the heading and inserting ``Networking and Information
Technology''; and
(B) by striking ``sensitive''.
(h) Section 205.--Section 205(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by
striking ``computational'' and inserting ``networking and
information technology''.
(i) Section 206.--Section 206(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by
striking ``computational research'' and inserting
``networking and information technology research''.
(j) Section 207.--Section 207 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5527) is amended by striking
``high-performance computing'' and inserting ``networking and
information technology''.
(k) Section 208.--Section 208 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5528) is amended--
(1) in the section heading, by striking ``HIGH-PERFORMANCE
COMPUTING'' and inserting ``NETWORKING AND INFORMATION
TECHNOLOGY''; and
(2) in subsection (a)--
(A) in paragraph (1), by striking ``High-performance
computing and associated'' and inserting ``Networking and
information'';
(B) in paragraph (2), by striking ``high-performance
computing'' and inserting ``networking and information
technologies'';
(C) in paragraph (3), by striking ``high-performance'' and
inserting ``high-end'';
(D) in paragraph (4), by striking ``high-performance
computers and associated'' and inserting ``networking and
information''; and
(E) in paragraph (5), by striking ``high-performance
computing and associated'' and inserting ``networking and
information''.
SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) In General.--The Director of the National Science
Foundation, in coordination with the Secretary of Homeland
Security, shall carry out a Federal cyber scholarship-for-
service program to recruit and train the next generation of
information technology professionals and security managers to
meet the needs of the cybersecurity mission for the Federal
government.
(b) Program Description and Components.--The program
shall--
(1) annually assess the workforce needs of the Federal
government for cybersecurity professionals, including network
engineers, software engineers, and other experts in order to
determine how many scholarships should be awarded annually to
ensure that the workforce needs following graduation match
the number of scholarships awarded;
(2) provide scholarships for up to 1,000 students per year
in their pursuit of undergraduate or graduate degrees in the
cybersecurity field, in an amount that may include coverage
for full tuition, fees, and a stipend;
(3) require each scholarship recipient, as a condition of
receiving a scholarship under the program, to serve in a
Federal information technology workforce for a period equal
to one and one-half times each year, or partial year, of
scholarship received, in addition to an internship in the
cybersecurity field, if applicable, following graduation;
(4) provide a procedure for the National Science Foundation
or a Federal agency, consistent with regulations of the
Office of Personnel Management, to request and fund a
security clearance for a scholarship recipient, including
providing for clearance during a summer internship and upon
graduation; and
(5) provide opportunities for students to receive temporary
appointments for meaningful employment in the Federal
information technology workforce during school vacation
periods and for internships.
(c) Hiring Authority.--
(1) In general.--For purposes of any law or regulation
governing the appointment of an individual in the Federal
civil service, upon the successful completion of the
student's studies, a student receiving a scholarship under
the program may--
(A) be hired under section 213.3102(r) of title 5, Code of
Federal Regulations; and
(B) be exempt from competitive service.
(2) Competitive service.--Upon satisfactory fulfillment of
the service term under paragraph (1), an individual may be
converted to a competitive service position without
competition if the individual meets the requirements for that
position.
(d) Eligibility.--The eligibility requirements for a
scholarship under this section shall include that a
scholarship applicant--
(1) be a citizen of the United States;
(2) be eligible to be granted a security clearance;
(3) maintain a grade point average of 3.2 or above on a 4.0
scale for undergraduate study or a 3.5 or above on a 4.0
scale for postgraduate study;
(4) demonstrate a commitment to a career in improving the
security of the information infrastructure; and
(5) demonstrate a level of proficiency in math or computer
sciences.
(e) Failure to Complete Service Obligation.--
(1) In general.--A scholarship recipient under this section
shall be liable to the United States under paragraph (2) if
the scholarship recipient--
(A) fails to maintain an acceptable level of academic
standing in the educational institution in which the
individual is enrolled, as determined by the Director;
(B) is dismissed from such educational institution for
disciplinary reasons;
(C) withdraws from the program for which the award was made
before the completion of such program;
(D) declares that the individual does not intend to fulfill
the service obligation under this section;
(E) fails to fulfill the service obligation of the
individual under this section; or
(F) loses a security clearance or becomes ineligible for a
security clearance.
(2) Repayment amounts.--
(A) Less than 1 year of service.--If a circumstance under
paragraph (1) occurs before the completion of 1 year of a
service obligation under this section, the total amount of
awards received by the individual under this section shall be
repaid.
(B) One or more years of service.--If a circumstance
described in subparagraph (D) or (E) of paragraph (1) occurs
after the completion of 1 year of a service obligation under
this section, the total amount of scholarship awards received
by the individual under this section, reduced by the ratio of
the number of years of service completed divided by the
number of years of service required, shall be repaid.
(f) Evaluation and Report.--The Director of the National
Science Foundation shall--
(1) evaluate the success of recruiting individuals for
scholarships under this section and of hiring and retaining
those individuals in the public sector workforce, including
the annual cost and an assessment of how the program actually
improves the Federal workforce; and
(2) periodically report the findings under paragraph (1) to
Congress.
(g) Authorization of Appropriations.--From amounts made
available under section 503 of the America COMPETES
Reauthorization Act of 2010 (124 Stat. 4005), the Director
may use funds to carry out the requirements of this section
for fiscal years 2012 through 2013.
SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF
INFORMATION INFRASTRUCTURE PROFESSIONALS.
(a) Study.--The President shall enter into an agreement
with the National Academies to conduct a comprehensive study
of government, academic, and private-sector accreditation,
training, and certification programs for personnel working in
information infrastructure. The agreement shall require the
National Academies to consult with sector coordinating
councils and relevant governmental agencies, regulatory
entities, and nongovernmental organizations in the course of
the study.
(b) Scope.--The study shall include--
(1) an evaluation of the body of knowledge and various
skills that specific categories of personnel working in
information infrastructure should possess in order to secure
information systems;
(2) an assessment of whether existing government, academic,
and private-sector accreditation, training, and certification
programs provide the body of knowledge and various skills
described in paragraph (1);
(3) an analysis of any barriers to the Federal Government
recruiting and hiring cybersecurity talent, including
barriers relating to compensation, the hiring process, job
classification, and hiring flexibility; and
(4) an analysis of the sources and availability of
cybersecurity talent, a comparison of the skills and
expertise sought by the Federal Government and the private
sector, an examination of the current and future capacity of
United States institutions of higher
education, including community colleges, to provide current
and future cybersecurity professionals, through education and
training activities, with those skills sought by the Federal
Government, State and local entities, and the private sector.
(c) Report.--Not later than 1 year after the date of
enactment of this Act, the National Academies shall submit to
the President and Congress a report on the results of the
study. The report shall include--
(1) findings regarding the state of information
infrastructure accreditation, training, and certification
programs, including specific areas of deficiency and
demonstrable progress; and
(2) recommendations for the improvement of information
infrastructure accreditation, training, and certification
programs.
SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.
(a) In General.--The Director of the National Institute of
Standards and Technology, in coordination with appropriate
Federal authorities, shall--
(1) as appropriate, ensure coordination of Federal agencies
engaged in the development of international technical
standards related to information system security; and
(2) not later than 1 year after the date of enactment of
this Act, develop and transmit to Congress a plan for
ensuring such Federal agency coordination.
(b) Consultation With the Private Sector.--In carrying out
the activities under subsection (a)(1), the Director shall
ensure consultation with appropriate private sector
stakeholders.
SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.
The Director of the National Institute of Standards and
Technology shall continue a program to support the
development of technical standards, metrology, testbeds, and
conformance criteria, taking into account appropriate user
concerns--
(1) to improve interoperability among identity management
technologies;
(2) to strengthen authentication methods of identity
management systems;
(3) to improve privacy protection in identity management
systems, including health information technology systems,
through authentication and security protocols; and
(4) to improve the usability of identity management
systems.
SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) National Science Foundation Computer and Network
Security Research Grant Areas.--Section 4(a)(1) of the Cyber
Security Research and Development Act (15 U.S.C. 7403(a)(1))
is amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking ``property.'' and
inserting ``property;''; and
(3) by adding at the end the following:
``(J) secure fundamental protocols that are at the heart of
inter-network communications and data exchange;
``(K) system security that addresses the building of secure
systems from trusted and untrusted components;
``(L) monitoring and detection; and
``(M) resiliency and rapid recovery methods.''.
(b) National Science Foundation Computer and Network
Security Grants.--Section 4(a)(3) of the Cyber Security
Research and Development Act (15 U.S.C. 7403(a)(3)) is
amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(c) Computer and Network Security Centers.--Section 4(b)(7)
of the Cyber Security Research and Development Act (15 U.S.C.
7403(b)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(d) Computer and Network Security Capacity Building
Grants.--Section 5(a)(6) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(a)(6)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(e) Scientific and Advanced Technology Act Grants.--Section
5(b)(2) of the Cyber Security Research and Development Act
(15 U.S.C. 7404(b)(2)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(f) Graduate Traineeships in Computer and Network Security
Research.--Section 5(c)(7) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(c)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
______
SA 2615. Mrs. HUTCHISON submitted an amendment intended to be
proposed by her to the bill S. 3414, to enhance the security and
resiliency of the cyber and communications infrastructure of the United
States; which was ordered to lie on the table; as follows:
Beginning on page 45, strike line 1 and all that follows
through page 212, line 6, and insert the following:
TITLE II--FACILITATING SHARING OF CYBER THREAT INFORMATION
SEC. 201. DEFINITIONS.
In this title:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in section 1(a) of the
Clayton Act (15 U.S.C. 12(a));
(B) includes section 5 of the Federal Trade Commission Act
(15 U.S.C. 45) to the extent that section 5 of that Act
applies to unfair methods of competition; and
(C) includes any State law that has the same intent and
effect as the laws under subparagraphs (A) and (B).
(3) Countermeasure.--The term ``countermeasure'' means an
automated or a manual action with defensive intent to
mitigate cyber threats.
(4) Cyber threat information.--The term ``cyber threat
information'' means information that indicates or describes--
(A) a technical or operational vulnerability or a cyber
threat mitigation measure;
(B) an action or operation to mitigate a cyber threat;
(C) malicious reconnaissance, including anomalous patterns
of network activity that appear to be transmitted for the
purpose of gathering technical information related to a
cybersecurity threat;
(D) a method of defeating a technical control;
(E) a method of defeating an operational control;
(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
(G) a method of causing a user with legitimate access to an
information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
(H) any other attribute of a cybersecurity threat or cyber
defense information that would foster situational awareness
of the United States cybersecurity posture, if disclosure of
such attribute or information is not otherwise prohibited by
law;
(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
(J) any combination of subparagraphs (A) through (I).
(5) Cybersecurity center.--The term ``cybersecurity
center'' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
(6) Cybersecurity system.--The term ``cybersecurity
system'' means a system designed or employed to ensure the
integrity, confidentiality, or availability of, or to
safeguard, a system or network, including measures intended
to protect a system or network from--
(A) efforts to degrade, disrupt, or destroy such system or
network; or
(B) theft or misappropriations of private or government
information, intellectual property, or personally
identifiable information.
(7) Entity.--
(A) In general.--The term ``entity'' means any private
entity, non-Federal government agency or department, or
State, tribal, or local government agency or department
(including an officer, employee, or agent thereof).
(B) Inclusions.--The term ``entity'' includes a government
agency or department (including an officer, employee, or
agent thereof) of the District of Columbia, the Commonwealth
of Puerto Rico, the Virgin Islands, Guam, American Samoa, the
Northern Mariana Islands, and any other territory or
possession of the United States.
(8) Federal information system.--The term ``Federal
information system'' means an information system of a Federal
department or agency used or operated by an executive agency,
by a contractor of an executive
agency, or by another organization on behalf of an executive
agency.
(9) Information security.--The term ``information
security'' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
(B) confidentiality, by preserving authorized restrictions
on access and disclosure, including means for protecting
personal privacy and proprietary information; or
(C) availability, by ensuring timely and reliable access to
and use of information.
(10) Information system.--The term ``information system''
has the meaning given the term in section 3502 of title 44,
United States Code.
(11) Local government.--The term ``local government'' means
any borough, city, county, parish, town, township, village,
or other general purpose political subdivision of a State.
(12) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
(13) Operational control.--The term ``operational control''
means a security control for an information system that
primarily is implemented and executed by people.
(14) Operational vulnerability.--The term ``operational
vulnerability'' means any attribute of policy, process, or
procedure that could enable or facilitate the defeat of an
operational control.
(15) Private entity.--The term ``private entity'' means any
individual or any private group, organization, or
corporation, including an officer, employee, or agent
thereof.
(16) Significant cyber incident.--The term ``significant
cyber incident'' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
(17) Technical control.--The term ``technical control''
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
(18) Technical vulnerability.--The term ``technical
vulnerability'' means any attribute of hardware or software
that could enable or facilitate the defeat of a technical
control.
(19) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian Self-
Determination and Education Assistance Act (25 U.S.C. 450b).
SEC. 202. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.
(a) Voluntary Disclosure.--
(1) Private entities.--Notwithstanding any other provision
of law, a private entity may, for the purpose of preventing,
investigating, or otherwise mitigating threats to information
security, on its own networks, or as authorized by another
entity, on such entity's networks, employ countermeasures and
use cybersecurity systems in order to obtain, identify, or
otherwise possess cyber threat information.
(2) Entities.--Notwithstanding any other provision of law,
an entity may disclose cyber threat information to--
(A) a cybersecurity center; or
(B) any other entity in order to assist with preventing,
investigating, or otherwise mitigating threats to information
security.
(3) Information security providers.--If the cyber threat
information described in paragraph (1) is obtained,
identified, or otherwise possessed in the course of providing
information security products or services under contract to
another entity, that entity shall be given, at any time prior
to disclosure of such information, a reasonable opportunity
to authorize or prevent such disclosure, to request
anonymization of such information, or to request that
reasonable efforts be made to safeguard such information that
identifies specific persons from unauthorized access or
disclosure.
(b) Significant Cyber Incidents Involving Federal
Information Systems.--
(1) In general.--An entity providing electronic
communication services, remote computing services, or
information security services to a Federal department or
agency shall inform the Federal department or agency of a
significant cyber incident involving the Federal information
system of that Federal department or agency that--
(A) is directly known to the entity as a result of
providing such services;
(B) is directly related to the provision of such services
by the entity; and
(C) as determined by the entity, has impeded or will impede
the performance of a critical mission of the Federal
department or agency.
(2) Advance coordination.--A Federal department or agency
receiving the services described in paragraph (1) shall
coordinate in advance with an entity described in paragraph
(1) to develop the parameters of any information that may be
provided under paragraph (1), including clarification of the
type of significant cyber incident that will impede the
performance of a critical mission of the Federal department
or agency.
(3) Report.--A Federal department or agency shall report
information provided under this subsection to a cybersecurity
center.
(4) Construction.--Any information provided to a
cybersecurity center under paragraph (3) shall be treated in
the same manner as information provided to a cybersecurity
center under subsection (a).
(c) Information Shared With or Provided to a Cybersecurity
Center.--Cyber threat information provided to a cybersecurity
center under this section--
(1) may be disclosed to, retained by, and used by,
consistent with otherwise applicable Federal law, any Federal
agency or department, component, officer, employee, or agent
of the Federal government for a cybersecurity purpose, a
national security purpose, or in order to prevent,
investigate, or prosecute any of the offenses listed in
section 2516 of title 18, United States Code, and such
information shall not be disclosed to, retained by, or used
by any Federal agency or department for any use not permitted
under this paragraph;
(2) may, with the prior written consent of the entity
submitting such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except that if the need for immediate
disclosure prevents obtaining written consent, such consent
may be provided orally with subsequent documentation of such
consent;
(3) shall be considered the commercial, financial, or
proprietary information of the entity providing such
information to the Federal government and any disclosure
outside the Federal government may only be made upon the
prior written consent by such entity and shall not constitute
a waiver of any applicable privilege or protection provided
by law, except that if the need for immediate disclosure
prevents obtaining written consent, such consent may be
provided orally with subsequent documentation of such
consent;
(4) shall be deemed voluntarily shared information and
exempt from disclosure under section 552 of title 5, United
States Code, and any State, tribal, or local law requiring
disclosure of information or records;
(5) shall be, without discretion, withheld from the public
under section 552(b)(3)(B) of title 5, United States Code,
and any State, tribal, or local law requiring disclosure of
information or records;
(6) shall not be subject to the rules of any Federal agency
or department or any judicial doctrine regarding ex parte
communications with a decision-making official;
(7) shall not, if subsequently provided to a State, tribal,
or local government or government agency, otherwise be
disclosed or distributed to any entity by such State, tribal,
or local government or government agency without the prior
written consent of the entity submitting such information,
notwithstanding any State, tribal, or local law requiring
disclosure of information or records, except that if the need
for immediate disclosure prevents obtaining written consent,
such consent may be provided orally with subsequent
documentation of such consent; and
(8) shall not be directly used by any Federal, State,
tribal, or local department or agency to regulate the lawful
activities of an entity, including activities relating to
obtaining, identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this paragraph.
(d) Procedures Relating to Information Sharing With a
Cybersecurity Center.--Not later than 60 days after the date
of enactment of this Act, the heads of each department or
agency containing a cybersecurity center shall jointly
develop, promulgate, and submit to Congress procedures to
ensure that cyber threat information shared with or provided
to--
(1) a cybersecurity center under this section--
(A) may be submitted to a cybersecurity center by an
entity, to the greatest extent possible, through a uniform,
publicly available process or format that is easily
accessible on the website of such cybersecurity center, and
that includes the ability to provide relevant details about
the cyber threat information and written consent to any
subsequent disclosures authorized by this paragraph;
(B) shall immediately be further shared with each
cybersecurity center in order to prevent, investigate, or
otherwise mitigate threats to information security across the
Federal government;
(C) is handled by the Federal government in a reasonable
manner, including consideration of the need to protect the
privacy and civil liberties of individuals through
anonymization or other appropriate methods, while fully
accomplishing the objectives of this title, and the Federal
government may undertake efforts consistent with this
subparagraph to limit the impact on privacy and civil
liberties of the sharing of cyber threat information with the
Federal government; and
(D) except as provided in this section, shall only be used,
disclosed, or handled in accordance with the provisions of
subsection (c); and
(2) a Federal agency or department under subsection (b) is
provided immediately to a cybersecurity center in order to
prevent, investigate, or otherwise mitigate threats to
information security across the Federal government.
(e) Information Shared Between Entities.--
(1) In general.--An entity sharing cyber threat information
with another entity under this title may restrict the use or
sharing of such information by such other entity.
(2) Further sharing.--Cyber threat information shared by
any entity with another entity under this title--
(A) shall only be further shared in accordance with any
restrictions placed on the sharing of such information by the
entity authorizing such sharing, such as appropriate
anonymization of such information; and
(B) may not be used by any entity to gain an unfair
competitive advantage to the detriment of the entity
authorizing the sharing of such information, except that the
conduct described in paragraph (3) shall not constitute
unfair competitive conduct.
(3) Information shared with state, tribal, or local
government or government agency.--Cyber threat information
shared with a State, tribal, or local government or
government agency under this title--
(A) may, with the prior written consent of the entity
sharing such information, be disclosed to and used by a
State, tribal, or local government or government agency for
the purpose of protecting information systems, or in
furtherance of preventing, investigating, or prosecuting a
criminal act, except if the need for immediate disclosure
prevents obtaining written consent, consent may be provided
orally with subsequent documentation of the consent;
(B) shall be deemed voluntarily shared information and
exempt from disclosure under any State, tribal, or local law
requiring disclosure of information or records;
(C) shall not be disclosed or distributed to any entity by
the State, tribal, or local government or government agency
without the prior written consent of the entity submitting
such information, notwithstanding any State, tribal, or local
law requiring disclosure of information or records, except if
the need for immediate disclosure prevents obtaining written
consent, consent may be provided orally with subsequent
documentation of the consent; and
(D) shall not be directly used by any State, tribal, or
local department or agency to regulate the lawful activities
of an entity, including activities relating to obtaining,
identifying, or otherwise possessing cyber threat
information, except that the procedures required to be
developed and implemented under this title shall not be
considered regulations within the meaning of this
subparagraph.
(4) Antitrust exemption.--The exchange or provision of
cyber threat information or assistance between 2 or more
private entities under this title shall not be considered a
violation of any provision of antitrust laws if exchanged or
provided in order to assist with--
(A) facilitating the prevention, investigation, or
mitigation of threats to information security; or
(B) communicating or disclosing of cyber threat information
to help prevent, investigate or otherwise mitigate the
effects of a threat to information security.
(5) No right or benefit.--The provision of cyber threat
information to an entity under this section shall not create
a right or a benefit to similar information by such entity or
any other entity.
(f) Federal Preemption.--
(1) In general.--This section supersedes any statute or
other law of a State or political subdivision of a State that
restricts or otherwise expressly regulates an activity
authorized under this section.
(2) State law enforcement.--Nothing in this section shall
be construed to supersede any statute or other law of a State
or political subdivision of a State concerning the use of
authorized law enforcement techniques.
(3) Public disclosure.--No information shared with or
provided to a State, tribal, or local government or
government agency pursuant to this section shall be made
publicly available pursuant to any State, tribal, or local
law requiring disclosure of information or records.
(g) Civil and Criminal Liability.--
(1) General protections.--
(A) Private entities.--No cause of action shall lie or be
maintained in any court against any private entity for--
(i) the use of countermeasures and cybersecurity systems as
authorized by this title;
(ii) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(iii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
private entity.
(B) Entities.--No cause of action shall lie or be
maintained in any court against any entity for--
(i) the use, receipt, or disclosure of any cyber threat
information as authorized by this title; or
(ii) the subsequent actions or inactions of any lawful
recipient of cyber threat information provided by such
entity.
(2) Construction.--Nothing in this subsection shall be
construed as creating any immunity against, or otherwise
affecting, any action brought by the Federal government, or
any agency or department thereof, to enforce any law,
executive order, or procedure governing the appropriate
handling, disclosure, and use of classified information.
(h) Otherwise Lawful Disclosures.--Nothing in this section
shall be construed to limit or prohibit otherwise lawful
disclosures of communications, records, or other information
by a private entity to any other governmental or private
entity not covered under this section.
(i) Whistleblower Protection.--Nothing in this Act shall be
construed to preempt or preclude any employee from exercising
rights currently provided under any whistleblower law, rule,
or regulation.
(j) Relationship to Other Laws.--The submission of cyber
threat information under this section to a cybersecurity
center shall not affect any requirement under any other
provision of law for an entity to provide information to the
Federal government.
SEC. 203. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.
(a) Classified Information.--
(1) Procedures.--Consistent with the protection of
intelligence sources and methods, and as otherwise determined
appropriate, the Director of National Intelligence and the
Secretary of Defense, in consultation with the heads of the
appropriate Federal departments or agencies, shall develop
and promulgate procedures to facilitate and promote--
(A) the immediate sharing, through the cybersecurity
centers, of classified cyber threat information in the
possession of the Federal government with appropriately
cleared representatives of any appropriate entity; and
(B) the declassification and immediate sharing, through the
cybersecurity centers, with any entity or, if appropriate,
public availability of cyber threat information in the
possession of the Federal government;
(2) Handling of classified information.--The procedures
developed under paragraph (1) shall ensure that each entity
receiving classified cyber threat information pursuant to
this section has acknowledged in writing the ongoing
obligation to comply with all laws, executive orders, and
procedures concerning the appropriate handling, disclosure,
or use of classified information.
(b) Unclassified Cyber Threat Information.--The heads of
each department or agency containing a cybersecurity center
shall jointly develop and promulgate procedures that ensure
that, consistent with the provisions of this section,
unclassified, including controlled unclassified, cyber threat
information in the possession of the Federal government--
(1) is shared, through the cybersecurity centers, in an
immediate and adequate manner with appropriate entities; and
(2) if appropriate, is made publicly available.
(c) Development of Procedures.--
(1) In general.--The procedures developed under this
section shall incorporate, to the greatest extent possible,
existing processes utilized by sector specific information
sharing and analysis centers.
(2) Coordination with entities.--In developing the
procedures required under this section, the Director of
National Intelligence and the heads of each department or
agency containing a cybersecurity center shall coordinate
with appropriate entities to ensure that protocols are
implemented that will facilitate and promote the sharing of
cyber threat information by the Federal government.
(d) Additional Responsibilities of Cybersecurity Centers.--
Consistent with section 202, a cybersecurity center shall--
(1) facilitate information sharing, interaction, and
collaboration among and between cybersecurity centers and--
(A) other Federal entities;
(B) any entity; and
(C) international partners, in consultation with the
Secretary of State;
(2) disseminate timely and actionable cybersecurity threat,
vulnerability, mitigation, and warning information, including
alerts, advisories, indicators, signatures, and mitigation
and response measures, to improve the security and protection
of information systems; and
(3) coordinate with other Federal entities, as appropriate,
to integrate information from across the Federal government
to provide situational awareness of the cybersecurity posture
of the United States.
(e) Sharing Within the Federal Government.--The heads of
appropriate Federal departments and agencies shall ensure
that cyber threat information in the possession of such
Federal departments or agencies that relates to the
prevention, investigation, or mitigation of threats to
information security across the Federal government is shared
effectively with the cybersecurity centers.
(f) Submission to Congress.--Not later than 60 days after
the date of enactment of this Act, the Director of National
Intelligence, in coordination with the appropriate head of a
department or an agency containing a cybersecurity center,
shall submit the procedures required by this section to
Congress.
SEC. 204. CONSTRUCTION.
(a) Information Sharing Relationships.--Nothing in this
title shall be construed--
(1) to limit or modify an existing information sharing
relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship
between any entity and the Federal government, except as
specified under section 202(b); or
(4) to modify the authority of a department or agency of
the Federal government to protect sources and methods and the
national security of the United States.
(b) Anti-tasking Restriction.--Nothing in this title shall
be construed to permit the Federal government--
(1) to require an entity to share information with the
Federal government, except as expressly provided under
section 202(b); or
(2) to condition the sharing of cyber threat information
with an entity on such entity's provision of cyber threat
information to the Federal government.
(c) No Liability for Non-participation.--Nothing in this
title shall be construed to subject any entity to liability
for choosing not to engage in the voluntary activities
authorized under this title.
(d) Use and Retention of Information.--Nothing in this
title shall be construed to authorize, or to modify any
existing authority of, a department or agency of the Federal
government to retain or use any information shared under
section 202 for any use other than a use permitted under
section 202(c)(1).
(e) No New Funding.--An applicable Federal agency shall
carry out the provisions of this title with existing
facilities and funds otherwise available, through such means
as the head of the agency considers appropriate.
SEC. 205. REPORT ON IMPLEMENTATION.
(a) Content of Report.--Not later than 1 year after the
date of enactment of this Act, and biennially thereafter, the
heads of each department or agency containing a cybersecurity
center shall jointly submit, in coordination with the privacy
and civil liberties officials of such departments or agencies
and the Privacy and Civil Liberties Oversight Board, a
detailed report to Congress concerning the implementation of
this title, including--
(1) an assessment of the sufficiency of the procedures
developed under section 203 of this Act in ensuring that
cyber threat information in the possession of the Federal
government is provided in an immediate and adequate manner to
appropriate entities or, if appropriate, is made publicly
available;
(2) an assessment of whether information has been
appropriately classified and an accounting of the number of
security clearances authorized by the Federal government for
purposes of this title;
(3) a review of the type of cyber threat information shared
with a cybersecurity center under section 202 of this Act,
including whether such information meets the definition of
cyber threat information under section 201, the degree to
which such information may impact the privacy and civil
liberties of individuals, any appropriate metrics to
determine any impact of the sharing of such information with
the Federal government on privacy and civil liberties, and
the adequacy of any steps taken to reduce such impact;
(4) a review of actions taken by the Federal government
based on information provided to a cybersecurity center under
section 202 of this Act, including the appropriateness of any
subsequent use under section 202(c)(1) of this Act and
whether there was inappropriate stovepiping within the
Federal government of any such information;
(5) a description of any violations of the requirements of
this title by the Federal government;
(6) a classified list of entities that received classified
information from the Federal government under section 203 of
this Act and a description of any indication that such
information may not have been appropriately handled;
(7) a summary of any breach of information security, if
known, attributable to a specific failure by any entity or
the Federal government to act on cyber threat information in
the possession of such entity or the Federal government that
resulted in substantial economic harm or injury to a specific
entity or the Federal government; and
(8) any recommendation for improvements or modifications to
the authorities under this title.
(b) Form of Report.--The report under subsection (a) shall
be submitted in unclassified form, but shall include a
classified annex.
SEC. 206. INSPECTOR GENERAL REVIEW.
(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency are authorized to review compliance
by the cybersecurity centers, and by any Federal department
or agency receiving cyber threat information from such
cybersecurity centers, with the procedures required under
section 202 of this Act.
(b) Scope of Review.--The review under subsection (a) shall
consider whether the Federal government has handled such
cyber threat information in a reasonable manner, including
consideration of the need to protect the privacy and civil
liberties of individuals through anonymization or other
appropriate methods, while fully accomplishing the objectives
of this title.
(c) Report to Congress.--Each review conducted under this
section shall be provided to Congress not later than 30 days
after the date of completion of the review.
SEC. 207. TECHNICAL AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
(1) in paragraph (8), by striking ``or'';
(2) in paragraph (9), by striking ``wells.'' and inserting
``wells; or''; and
(3) by adding at the end the following:
``(10) information shared with or provided to a
cybersecurity center under section 202 of title II of the
Cybersecurity Act of 2012.''.
SEC. 208. ACCESS TO CLASSIFIED INFORMATION.
(a) Authorization Required.--No person shall be provided
with access to classified information (as defined in section
6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to
classified national security information)) relating to cyber
security threats or cyber security vulnerabilities under this
title without the appropriate security clearances.
(b) Security Clearances.--The appropriate Federal agencies
or departments shall, consistent with applicable procedures
and requirements, and if otherwise deemed appropriate, assist
an individual in timely obtaining an appropriate security
clearance where such individual has been determined to be
eligible for such clearance and has a need-to-know (as
defined in section 6.1 of that Executive Order) classified
information to carry out this title.
TITLE III--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 301. COORDINATION OF FEDERAL INFORMATION SECURITY
POLICY.
(a) In General.--Chapter 35 of title 44, United States
Code, is amended by striking subchapters II and III and
inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the
effectiveness of information security controls over
information resources that support Federal operations and
assets;
``(2) to recognize the highly networked nature of the
current Federal computing environment and provide effective
government-wide management of policies, directives,
standards, and guidelines, as well as effective and nimble
oversight of and response to information security risks,
including coordination of information security efforts
throughout the Federal civilian, national security, and law
enforcement communities;
``(3) to provide for development and maintenance of
controls required to protect agency information and
information systems and contribute to the overall improvement
of agency information security posture;
``(4) to provide for the development of tools and methods
to assess and respond to real-time situational risk for
Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency
information security programs through continuous monitoring
of agency information systems and streamlined reporting
requirements rather than overly prescriptive manual
reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security'
means security commensurate with the risk and magnitude of
the harm resulting from the unauthorized access to or loss,
misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the
term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity
center' means the Department of Defense Cyber Crime Center,
the Intelligence Community Incident Response Center, the
United States Cyber Command Joint Operations Center, the
National Cyber Investigative Joint Task Force, the National
Security Agency/Central Security Service Threat Operations
Center, the National Cybersecurity and Communications
Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat
information' means information that indicates or describes--
``(A) a technical or operation vulnerability or a cyber
threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous
patterns of network activity that appear to be transmitted
for the purpose of gathering technical information related to
a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated
with a malicious cyber actor or that signify malicious cyber
intent;
``(G) a method of causing a user with legitimate access to
an information system or information that is stored on,
processed by, or transiting an information system to
inadvertently enable the defeat of a technical or operational
control;
``(H) any other attribute of a cybersecurity threat or
cyber defense information that would foster situational
awareness of the United States cybersecurity posture, if
disclosure of such attribute or information is not otherwise
prohibited by law;
``(I) the actual or potential harm caused by a cyber
incident, including information exfiltrated when it is
necessary in order to identify or describe a cybersecurity
threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of
the Office of Management and Budget unless otherwise
specified.
``(6) Environment of operation.--The term `environment of
operation' means the information system and environment in
which those systems operate, including changing threats,
vulnerabilities, technologies, and missions and business
practices.
``(7) Federal information system.--The term `Federal
information system' means an information system used or
operated by an executive agency, by a contractor of an
executive agency, or by another organization on behalf of an
executive agency.
``(8) Incident.--The term `incident' means an occurrence
that--
``(A) actually or imminently jeopardizes the integrity,
confidentiality, or availability of an information system or
the information that system controls, processes, stores, or
transmits; or
``(B) constitutes a violation of law or an imminent threat
of violation of a law, a security policy, a security
procedure, or an acceptable use policy.
``(9) Information resources.--The term `information
resources' has the meaning given the term in section 3502 of
title 44.
``(10) Information security.--The term `information
security' means protecting information and information
systems from disruption or unauthorized access, use,
disclosure, modification, or destruction in order to
provide--
``(A) integrity, by guarding against improper information
modification or destruction, including by ensuring
information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized
restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access
to and use of information.
``(11) Information system.--The term `information system'
has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information
technology' has the meaning given the term in section 11101
of title 40.
``(13) Malicious reconnaissance.--The term `malicious
reconnaissance' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning technical vulnerabilities of the information
system, if such method is associated with a known or
suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system'
means any information system (including any
telecommunications system) used or operated by an agency or
by a contractor of an agency, or other organization on behalf
of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national
security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a
weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the
direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established
for information that have been specifically authorized under
criteria established by an Executive Order or an Act of
Congress to be kept classified in the interest of national
defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include
a system that is to be used for routine administrative and
business applications (including payroll, finance, logistics,
and personnel management applications).
``(15) Operational control.--The term `operational control'
means a security control for an information system that
primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the
term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary
of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means
the management, operational, and technical controls,
including safeguards or countermeasures, prescribed for an
information system to protect the confidentiality, integrity,
and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant
cyber incident' means a cyber incident resulting in, or an
attempted cyber incident that, if successful, would have
resulted in--
``(A) the exfiltration from a Federal information system of
data that is essential to the operation of the Federal
information system; or
``(B) an incident in which an operational or technical
control essential to the security or operation of a Federal
information system was defeated.
``(20) Technical control.--The term `technical control'
means a hardware or software restriction on, or audit of,
access or use of an information system or information that is
stored on, processed by, or transiting an information system
that is intended to ensure the confidentiality, integrity, or
availability of that system.
``Sec. 3553. Federal information security authority and
coordination
``(a) In General.--The Secretary, in consultation with the
Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives
governing agency information security operations, and require
implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards
and guidelines promulgated under section 11331 of title 40 to
identify and provide information security protections
prioritized and commensurate with the risk and impact
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf
of an agency; or
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(B) minimum operational requirements for Federal
Government to protect agency information systems and provide
common situational awareness across all agency information
systems;
``(C) reporting requirements, consistent with relevant law,
regarding information security incidents and cyber threat
information;
``(D) requirements for agencywide information security
programs;
``(E) performance requirements and metrics for the security
of agency information systems;
``(F) training requirements to ensure that agencies are
able to fully and timely comply with the policies and
directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil
rights, and civil liberties, and information oversight for
agency information security personnel;
``(H) requirements for the annual reports to the Secretary
under section 3554(d);
``(I) any other information security operations or
information security requirements as determined by the
Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and
guidelines under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) with agencies
and offices operating or exercising control of national
security systems (including the National Security Agency) to
assure, to the maximum extent feasible, that such standards
and guidelines are complementary with standards and
guidelines developed for national security systems;
``(2) review the agencywide information security programs
under section 3554; and
``(3) designate an individual or an entity at each
cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information
security incidents, cyber threat information, and
deterioration of security control affecting agency
information systems; and
``(B) to act on or share the information under subparagraph
(A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives
under subsection (a), the Secretary shall consider any
applicable standards or guidelines developed by the National
Institute of Standards and Technology under section 11331 of
title 40.
``(c) Limitation of Authority.--The authorities of the
Secretary under this section shall not apply to national
security systems. Information security policies, directives,
standards and guidelines for national security systems shall
be overseen as directed by the President and, in accordance
with that direction, carried out under the authority of the
heads of agencies that operate or exercise authority over
such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter
shall be construed to alter or amend any law regarding the
authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued
under section 3553;
``(B) providing information security protections
commensurate with the risk resulting from unauthorized
access, use, disclosure, disruption, modification, or
destruction of--
``(i) information collected or maintained by the agency or
by a contractor of an agency or other organization on behalf
of an agency; and
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(C) complying with the requirements of this subchapter,
including--
``(i) information security standards and guidelines
promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued as directed by
the President; and
``(iii) for any non-national security systems operated or
controlled by that agency, information security policies,
directives, standards and guidelines issued under section
3553;
``(D) ensuring that information security management
processes are integrated with agency strategic and
operational planning processes;
[[Page S5608]]
``(E) reporting and sharing, for an agency operating or
exercising control of a national security system, information
about information security incidents, cyber threat
information, and deterioration of security controls to the
individual or entity designated at each cybersecurity center
and to other appropriate entities consistent with policies
and directives for national security systems issued as
directed by the President; and
``(F) reporting and sharing, for those agencies operating
or exercising control of non-national security systems,
information about information security incidents, cyber
threat information, and deterioration of security controls to
the individual or entity designated at each cybersecurity
center and to other appropriate entities consistent with
policies and directives for non-national security systems as
prescribed under section 3553(a), including information to
assist the entity designated under section 3555(a) with the
ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides
information security for the information and information
systems that support the operations and assets under the
senior agency official's control, including by--
``(A) assessing the risk and impact that could result from
the unauthorized access, use, disclosure, disruption,
modification, or destruction of such information or
information systems;
``(B) determining the level of information security
appropriate to protect such information and information
systems in accordance with policies and directives issued
under section 3553(a), and standards and guidelines
promulgated under section 11331 of title 40 for information
security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities
to reduce risks to an acceptable level in a cost-effective
manner;
``(D) actively monitoring the effective implementation of
information security controls and techniques; and
``(E) reporting information about information security
incidents, cyber threat information, and deterioration of
security controls in a timely and adequate manner to the
entity designated under section 3553(a)(3) in accordance with
paragraph (1);
``(3) assess and maintain the resiliency of information
technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an
independent entity selected in consultation with the Director
and the Council of Inspectors General on Integrity and
Efficiency if the agency does not have an Inspector General)
to conduct the annual independent evaluation required under
section 3556, and allow the agency Inspector General to
contract with an independent entity to perform such
evaluation;
``(5) delegate to the Chief Information Officer or
equivalent (or to a senior agency official who reports to the
Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement
an agencywide information security program; and
``(B) the authority to provide information security for the
information collected and maintained by the agency (or by a
contractor, other agency, or other source on behalf of the
agency) and for the information systems that support the
operations, assets, and mission of the agency (including any
information system provided or managed by a contractor, other
agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is
responsible for a particular agency system or subsystem) the
responsibility to ensure and enforce compliance with all
requirements of the agency's agencywide information security
program in coordination with the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have
obtained any necessary security clearances to permit them to
assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5),
in coordination with other senior agency officials, reports
to the agency head on the effectiveness of the agencywide
information security program, including the progress of any
remedial actions; and
``(9) ensure that the Chief Information Officer or
equivalent (or the senior agency official who reports to the
Chief Information Officer or equivalent) under paragraph (5)
has the necessary qualifications to administer the functions
described in this subchapter and has information security
duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information
Officer or equivalent (or the senior agency official who
reports to the Chief Information Officer or equivalent) under
subsection (a)(5) shall--
``(1) establish and maintain an enterprise security
operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds
to information security incidents that impair adequate
security of the agency's information or information system in
a timely manner and in accordance with the policies and
directives under section 3553; and
``(B) reports any information security incident under
subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide
information security program;
``(3) develop, maintain, and oversee information security
policies, procedures, and control techniques to address
applicable requirements, including requirements under section
3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have
significant responsibility for information security with
respect to that responsibility.
``(c) Agencywide Information Security Programs.--
``(1) In general.--Each agencywide information security
program under subsection (b)(2) shall include--
``(A) relevant security risk assessments, including
technical assessments and others related to the acquisition
process;
``(B) security testing commensurate with risk and impact;
``(C) mitigation of deterioration of security controls
commensurate with risk and impact;
``(D) risk-based continuous monitoring and threat
assessment of the operational status and security of agency
information systems to enable evaluation of the effectiveness
of and compliance with information security policies,
procedures, and practices, including a relevant and
appropriate selection of security controls of information
systems identified in the inventory under section 3505(c);
``(E) operation of appropriate technical capabilities in
order to detect, mitigate, report, and respond to information
security incidents, cyber threat information, and
deterioration of security controls in a manner that is
consistent with the policies and directives under section
3553, including--
``(i) mitigating risks associated with such information
security incidents;
``(ii) notifying and consulting with the entity designated
under section 3555; and
``(iii) notifying and consulting with, as appropriate--
``(I) law enforcement and the relevant Office of the
Inspector General; and
``(II) any other entity, in accordance with law and as
directed by the President;
``(F) a process to ensure that remedial action is taken to
address any deficiencies in the information security
policies, procedures, and practices of the agency; and
``(G) a plan and procedures to ensure the continuity of
operations for information systems that support the
operations and assets of the agency.
``(2) Risk management strategies.--Each agencywide
information security program under subsection (b)(2) shall
include the development and maintenance of a risk management
strategy for information security. The risk management
strategy shall include--
``(A) consideration of information security incidents,
cyber threat information, and deterioration of security
controls; and
``(B) consideration of the consequences that could result
from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information
systems that support the operations and assets of the agency,
including any information system provided or managed by a
contractor, other agency, or other source on behalf of the
agency;
``(3) Policies and procedures.--Each agencywide information
security program under subsection (b)(2) shall include
policies and procedures that--
``(A) are based on the risk management strategy under
paragraph (2);
``(B) reduce information security risks to an acceptable
level in a cost-effective manner;
``(C) ensure that cost-effective and adequate information
security is addressed as part of the acquisition and ongoing
management of each agency information system; and
``(D) ensure compliance with--
``(i) this subchapter; and
``(ii) any other applicable requirements.
``(4) Training requirements.--Each agencywide information
security program under subsection (b)(2) shall include
information security, privacy, civil rights, civil liberties,
and information oversight training that meets any applicable
requirements under section 3553. The training shall inform
each information security personnel that has access to agency
information systems (including contractors and other users of
information systems that support the operations and assets of
the agency) of--
``(A) the information security risks associated with the
information security personnel's activities; and
``(B) the individual's responsibility to comply with the
agency policies and procedures that reduce the risks under
subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report
annually to the Secretary of Homeland Security on its
agencywide information security program and information
systems.
``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of
Management and Budget, in coordination with the Secretary of
Homeland Security, shall designate an entity to implement
ongoing security analysis concerning agency information
systems--
``(1) based on cyber threat information;
[[Page S5609]]
``(2) based on agency information system and environment of
operation changes, including--
``(A) an ongoing evaluation of the information system
security controls; and
``(B) the security state, risk level, and environment of
operation of an agency information system, including--
``(i) a change in risk level due to a new cyber threat;
``(ii) a change resulting from a new technology;
``(iii) a change resulting from the agency's mission; and
``(iv) a change resulting from the business practice; and
``(3) using automated processes to the maximum extent
possible--
``(A) to increase information system security;
``(B) to reduce paper-based reporting requirements; and
``(C) to maintain timely and actionable knowledge of the
state of the information system security.
``(b) Standards.--The National Institute of Standards and
Technology may promulgate standards, in coordination with the
Secretary of Homeland Security, to assist an agency with its
duties under this section.
``(c) Compliance.--The head of each appropriate department
and agency shall be responsible for ensuring compliance and
implementing necessary procedures to comply with this
section. The head of each appropriate department and agency,
in consultation with the Director of the Office of Management
and Budget and the Secretary of Homeland Security, shall--
``(1) monitor compliance under this section;
``(2) develop a timeline and implement for the department
or agency--
``(A) adoption of any technology, system, or method that
facilitates continuous monitoring and threat assessments of
an agency information system;
``(B) adoption or updating of any technology, system, or
method that prevents, detects, or remediates a significant
cyber incident to a Federal information system of the
department or agency that has impeded, or is reasonably
likely to impede, the performance of a critical mission of
the department or agency; and
``(C) adoption of any technology, system, or method that
satisfies a requirement under this section.
``(d) Limitation of Authority.--The authorities of the
Director of the Office of Management and Budget and of the
Secretary of Homeland Security under this section shall not
apply to national security systems.
``(e) Report.--Not later than 6 months after the date of
enactment of the Cybersecurity Act of 2012, the Government
Accountability Office shall issue a report evaluating each
agency's status toward implementing this section.
``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on
Integrity and Efficiency, in consultation with the Director
and the Secretary of Homeland Security, the Secretary of
Commerce, and the Secretary of Defense, shall issue and
maintain criteria for the timely, cost-effective, risk-based,
and independent evaluation of each agencywide information
security program (and practices) to determine the
effectiveness of the agencywide information security program
(and practices). The criteria shall include measures to
assess any conflicts of interest in the performance of the
evaluation and whether the agencywide information security
program includes appropriate safeguards against disclosure of
information where such disclosure may adversely affect
information security.
``(b) Annual Independent Evaluations.--Each agency shall
perform an annual independent evaluation of its agencywide
information security program (and practices) in accordance
with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days
after receiving an independent evaluation under subsection
(b), each agency head shall transmit a copy of the
independent evaluation to the Secretary of Homeland Security,
the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving
national security systems shall be conducted as directed by
the President.
``Sec. 3557. National security systems.
``The head of each agency operating or exercising control
of a national security system shall be responsible for
ensuring that the agency--
``(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of the information
contained in such system; and
``(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with law and
as directed by the President.''.
(b) Savings Provisions.--
(1) Policy and compliance guidance.--Policy and compliance
guidance issued by the Director before the date of enactment
of this Act under section 3543(a)(1) of title 44, United
States Code (as in effect on the day before the date of
enactment of this Act), shall continue in effect, according
to its terms, until modified, terminated, superseded, or
repealed pursuant to section 3553(a)(1) of title 44, United
States Code.
(2) Standards and guidelines.--Standards and guidelines
issued by the Secretary of Commerce or by the Director before
the date of enactment of this Act under section 11331(a)(1)
of title 40, United States Code, (as in effect on the day
before the date of enactment of this Act) shall continue in
effect, according to their terms, until modified, terminated,
superseded, or repealed pursuant to section 11331(a)(1) of
title 40, United States Code, as amended by this Act.
(c) Technical and Conforming Amendments.--
(1) Chapter analysis.--The chapter analysis for chapter 35
of title 44, United States Code, is amended--
(A) by striking the items relating to sections 3531 through
3538;
(B) by striking the items relating to sections 3541 through
3549; and
(C) by inserting the following:
``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
(2) Other references.--
(A) Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section
3532(3)'' and inserting ``section 3552''.
(B) Section 2222(j)(5) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(C) Section 2223(c)(3) of title 10, United States Code, is
amended, by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(D) Section 2315 of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552''.
(E) Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking ``section
3532(b)(2)'' and inserting ``section 3552'';
(ii) in subsection (c)(3), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iii) in subsection (d)(1), by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(iv) in subsection (d)(8) by striking ``Director of the
Office of Management and Budget'' and inserting ``Secretary
of Commerce'';
(v) in subsection (d)(8), by striking ``submitted to the
Director'' and inserting ``submitted to the Secretary'';
(vi) in subsection (e)(2), by striking ``section 3532(1) of
such title'' and inserting ``section 3552 of title 44''; and
(vii) in subsection (e)(5), by striking ``section
3532(b)(2) of such title'' and inserting ``section 3552 of
title 44''.
(F) Section 8(d)(1) of the Cyber Security Research and
Development Act (15 U.S.C. 7406(d)(1)) is amended by striking
``section 3534(b)'' and inserting ``section 3554(b)(2)''.
SEC. 302. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General.--Section 11331 of title 40, United States
Code, is amended to read as follows:
``Sec. 11331. Responsibilities for Federal information
systems standards
``(a) Standards and Guidelines.--
``(1) Authority to prescribe.--Except as provided under
paragraph (2), the Secretary of Commerce shall prescribe
standards and guidelines pertaining to Federal information
systems--
``(A) in consultation with the Secretary of Homeland
Security; and
``(B) on the basis of standards and guidelines developed by
the National Institute of Standards and Technology under
paragraphs (2) and (3) of section 20(a) of the National
Institute of Standards and Technology Act (15 U.S.C. 278g-
3(a)(2) and (a)(3)).
``(2) National security systems.--Standards and guidelines
for national security systems shall be developed, prescribed,
enforced, and overseen as otherwise authorized by law and as
directed by the President.
``(b) Mandatory Standards and Guidelines.--
``(1) Authority to make mandatory standards and
guidelines.--The Secretary of Commerce shall make standards
and guidelines under subsection (a)(1) compulsory and binding
to the extent determined necessary by the Secretary of
Commerce to improve the efficiency of operation or security
of Federal information systems.
``(2) Required mandatory standards and guidelines.--
``(A) In general.--Standards and guidelines under
subsection (a)(1) shall include information security
standards that--
``(i) provide minimum information security requirements as
determined under section 20(b) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(b)); and
``(ii) are otherwise necessary to improve the security of
Federal information and information systems.
``(B) Binding effect.--Information security standards under
subparagraph (A) shall be compulsory and binding.
``(c) Exercise of Authority.--To ensure fiscal and policy
consistency, the Secretary of Commerce shall exercise the
authority conferred by this section subject to direction by
the President and in coordination with the Director.
[[Page S5610]]
``(d) Application of More Stringent Standards and
Guidelines.--The head of an executive agency may employ
standards for the cost-effective information security for
information systems within or under the supervision of that
agency that are more stringent than the standards and
guidelines the Secretary of Commerce prescribes under this
section if the more stringent standards and guidelines--
``(1) contain at least the applicable standards and
guidelines made compulsory and binding by the Secretary of
Commerce; and
``(2) are otherwise consistent with the policies,
directives, and implementation memoranda issued under section
3553(a) of title 44.
``(e) Decisions on Promulgation of Standards and
Guidelines.--The decision by the Secretary of Commerce
regarding the promulgation of any standard or guideline under
this section shall occur not later than 6 months after the
date of submission of the proposed standard to the Secretary
of Commerce by the National Institute of Standards and
Technology under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3).
``(f) Notice and Comment.--A decision by the Secretary of
Commerce to significantly modify, or not promulgate, a
proposed standard submitted to the Secretary by the National
Institute of Standards and Technology under section 20 of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3) shall be made after the public is given an
opportunity to comment on the Secretary's proposed decision.
``(g) Definitions.--In this section:
``(1) Federal information system.--The term `Federal
information system' has the meaning given the term in section
3552 of title 44.
``(2) Information security.--The term `information
security' has the meaning given the term in section 3552 of
title 44.
``(3) National security system.--The term `national
security system' has the meaning given the term in section
3552 of title 44.''.
SEC. 303. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
SEC. 304. TECHNICAL AND CONFORMING AMENDMENTS.
Section 21(b) of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-4(b)) is amended--
(1) in paragraph (2), by striking ``and the Director of the
Office of Management and Budget'' and inserting ``, the
Secretary of Commerce, and the Secretary of Homeland
Security''; and
(2) in paragraph (3), by inserting ``, the Secretary of
Homeland Security,'' after ``the Secretary of Commerce''.
SEC. 305. CLARIFICATION OF AUTHORITIES.
Nothing in this title shall be construed to convey any new
regulatory authority to any government entity implementing or
complying with any provision of this title.
TITLE IV--CRIMINAL PENALTIES
SEC. 401. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN
CONNECTION WITH COMPUTERS.
Section 1030(c) of title 18, United States Code, is amended
to read as follows:
``(c) The punishment for an offense under subsection (a) or
(b) of this section is--
``(1) a fine under this title or imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(1) of this section;
``(2)(A) except as provided in subparagraph (B), a fine
under this title or imprisonment for not more than 3 years,
or both, in the case of an offense under subsection (a)(2);
or
``(B) a fine under this title or imprisonment for not more
than ten years, or both, in the case of an offense under
subsection (a)(2) of this section, if--
``(i) the offense was committed for purposes of commercial
advantage or private financial gain;
``(ii) the offense was committed in the furtherance of any
criminal or tortious act in violation of the Constitution or
laws of the United States, or of any State; or
``(iii) the value of the information obtained, or that
would have been obtained if the offense was completed,
exceeds $5,000;
``(3) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(3) of this section;
``(4) a fine under this title or imprisonment of not more
than 20 years, or both, in the case of an offense under
subsection (a)(4) of this section;
``(5)(A) except as provided in subparagraph (C), a fine
under this title, imprisonment for not more than 20 years, or
both, in the case of an offense under subsection (a)(5)(A) of
this section, if the offense caused--
``(i) loss to 1 or more persons during any 1-year period
(and, for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting
from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
``(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
``(iii) physical injury to any person;
``(iv) a threat to public health or safety;
``(v) damage affecting a computer used by, or on behalf of,
an entity of the United States Government in furtherance of
the administration of justice, national defense, or national
security; or
``(vi) damage affecting 10 or more protected computers
during any 1-year period;
``(B) a fine under this title, imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(5)(B), if the offense caused a harm provided
in clause (i) through (vi) of subparagraph (A) of this
subsection;
``(C) if the offender attempts to cause or knowingly or
recklessly causes death from conduct in violation of
subsection (a)(5)(A), a fine under this title, imprisonment
for any term of years or for life, or both;
``(D) a fine under this title, imprisonment for not more
than 10 years, or both, for any other offense under
subsection (a)(5);
``(E) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(6) of this section; or
``(F) a fine under this title or imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(7) of this section.''.
SEC. 402. TRAFFICKING IN PASSWORDS.
Section 1030(a)(6) of title 18, United States Code, is
amended to read as follows:
``(6) knowingly and with intent to defraud traffics (as
defined in section 1029) in any password or similar
information or means of access through which a protected
computer (as defined in subparagraphs (A) and (B) of
subsection (e)(2)) may be accessed without authorization.''.
SEC. 403. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.
Section 1030(b) of title 18, United States Code, is amended
by inserting ``as if for the completed offense'' after
``punished as provided''.
SEC. 404. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED
ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030 of title 18, United States Code, is amended by
striking subsections (i) and (j) and inserting the following:
``(i) Criminal Forfeiture.--
``(1) The court, in imposing sentence on any person
convicted of a violation of this section, or convicted of
conspiracy to violate this section, shall order, in addition
to any other sentence imposed and irrespective of any
provision of State law, that such person forfeit to the
United States--
``(A) such person's interest in any property, real or
personal, that was used, or intended to be used, to commit or
facilitate the commission of such violation; and
``(B) any property, real or personal, constituting or
derived from any gross proceeds, or any property traceable to
such property, that such person obtained, directly or
indirectly, as a result of such violation.
``(2) The criminal forfeiture of property under this
subsection, including any seizure and disposition of the
property, and any related judicial or administrative
proceeding, shall be governed by the provisions of section
413 of the Comprehensive Drug Abuse Prevention and Control
Act of 1970 (21 U.S.C. 853), except subsection (d) of that
section.
``(j) Civil Forfeiture.--
``(1) The following shall be subject to forfeiture to the
United States and no property right, real or personal, shall
exist in them:
``(A) Any property, real or personal, that was used, or
intended to be used, to commit or facilitate the commission
of any violation of this section, or a conspiracy to violate
this section.
``(B) Any property, real or personal, constituting or
derived from any gross proceeds obtained directly or
indirectly, or any property traceable to such property, as a
result of the commission of any violation of this section, or
a conspiracy to violate this section.
``(2) Seizures and forfeitures under this subsection shall
be governed by the provisions in chapter 46 relating to civil
forfeitures, except that such duties as are imposed on the
Secretary of the Treasury under the customs laws described in
section 981(d) shall be performed by such officers, agents
and other persons as may be designated for that purpose by
the Secretary of Homeland Security or the Attorney
General.''.
SEC. 405. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.
(a) In General.--Chapter 47 of title 18, United States
Code, is amended by inserting after section 1030 the
following:
``Sec. 1030A. Aggravated damage to a critical infrastructure
computer
``(a) Definitions.--In this section--
``(1) the term `computer' has the meaning given the term in
section 1030;
``(2) the term `critical infrastructure computer' means a
computer that manages or controls systems or assets vital to
national defense, national security, national economic
security, public health or safety, or any combination of
those matters, whether publicly or privately owned or
operated, including--
``(A) oil and gas production, storage, conversion, and
delivery systems;
``(B) water supply systems;
``(C) telecommunication networks;
``(D) electrical power generation and delivery systems;
``(E) finance and banking systems;
``(F) emergency services;
``(G) transportation systems and services; and
``(H) government operations that provide essential services
to the public; and
``(3) the term `damage' has the meaning given the term in
section 1030.
``(b) Offense.--It shall be unlawful, during and in
relation to a felony violation of section 1030, to knowingly
cause or attempt to cause damage to a critical infrastructure
computer if the damage results in (or, in the case of an
attempt, if completed, would have resulted in) the
substantial impairment--
``(1) of the operation of the critical infrastructure
computer; or
``(2) of the critical infrastructure associated with the
computer.
``(c) Penalty.--Any person who violates subsection (b)
shall be--
``(1) fined under this title;
``(2) imprisoned for not less than 3 years but not more
than 20 years; or
``(3) penalized under paragraphs (1) and (2).
``(d) Consecutive Sentence.--Notwithstanding any other
provision of law--
``(1) a court shall not place on probation any person
convicted of a violation of this section;
``(2) except as provided in paragraph (4), no term of
imprisonment imposed on a person under this section shall run
concurrently with any other term of imprisonment, including
any term of imprisonment imposed on the person under any
other provision of law, including any term of imprisonment
imposed for a felony violation of section 1030;
``(3) in determining any term of imprisonment to be imposed
for a felony violation of section 1030, a court shall not in
any way reduce the term to be imposed for such crime so as to
compensate for, or otherwise take into account, any separate
term of imprisonment imposed or to be imposed for a violation
of this section; and
``(4) a term of imprisonment imposed on a person for a
violation of this section may, in the discretion of the
court, run concurrently, in whole or in part, only with
another term of imprisonment that is imposed by the court at
the same time on that person for an additional violation of
this section, provided that such discretion shall be
exercised in accordance with any applicable guidelines and
policy statements issued by the United States Sentencing
Commission pursuant to section 994 of title 28.''.
(b) Technical and Conforming Amendment.--The chapter
analysis for chapter 47 of title 18, United States Code, is
amended by inserting after the item relating to section 1030
the following:
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. 406. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code, is
amended by striking ``alter;'' and inserting ``alter, but
does not include access in violation of a contractual
obligation or agreement, such as an acceptable use policy or
terms of service agreement, with an Internet service
provider, Internet website, or non-government employer, if
such violation constitutes the sole basis for determining
that access to a protected computer is unauthorized;''.
SEC. 407. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions
of this title with existing facilities and funds otherwise
available, through such means as the head of the agency
considers appropriate.
TITLE V--CYBERSECURITY RESEARCH AND DEVELOPMENT
SEC. 501. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM
PLANNING AND COORDINATION.
(a) Goals and Priorities.--Section 101 of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511) is amended
by adding at the end the following:
``(d) Goals and Priorities.--The goals and priorities for
Federal high-performance computing research, development,
networking, and other activities under subsection (a)(2)(A)
shall include--
``(1) encouraging and supporting mechanisms for
interdisciplinary research and development in networking and
information technology, including--
``(A) through collaborations across agencies;
``(B) through collaborations across Program Component
Areas;
``(C) through collaborations with industry;
``(D) through collaborations with institutions of higher
education;
``(E) through collaborations with Federal laboratories (as
defined in section 4 of the Stevenson-Wydler Technology
Innovation Act of 1980 (15 U.S.C. 3703)); and
``(F) through collaborations with international
organizations;
``(2) addressing national, multi-agency, multi-faceted
challenges of national importance; and
``(3) fostering the transfer of research and development
results into new technologies and applications for the
benefit of society.''.
(b) Development of Strategic Plan.--Section 101 of the
High-Performance Computing Act of 1991 (15 U.S.C. 5511) is
amended by adding at the end the following:
``(e) Strategic Plan.--
``(1) In general.--Not later than 1 year after the date of
enactment of the Cybersecurity Act of 2012, the agencies
under subsection (a)(3)(B), working through the National
Science and Technology Council and with the assistance of the
Office of Science and Technology Policy shall develop a 5-
year strategic plan to guide the activities under subsection
(a)(1).
``(2) Contents.--The strategic plan shall specify--
``(A) the near-term objectives for the Program;
``(B) the long-term objectives for the Program;
``(C) the anticipated time frame for achieving the near-
term objectives;
``(D) the metrics that will be used to assess any progress
made toward achieving the near-term objectives and the long-
term objectives; and
``(E) how the Program will achieve the goals and priorities
under subsection (d).
``(3) Implementation roadmap.--
``(A) In general.--The agencies under subsection (a)(3)(B)
shall develop and annually update an implementation roadmap
for the strategic plan.
``(B) Requirements.--The information in the implementation
roadmap shall be coordinated with the database under section
102(c) and the annual report under section 101(a)(3). The
implementation roadmap shall--
``(i) specify the role of each Federal agency in carrying
out or sponsoring research and development to meet the
research objectives of the strategic plan, including a
description of how progress toward the research objectives
will be evaluated, with consideration of any relevant
recommendations of the advisory committee;
``(ii) specify the funding allocated to each major research
objective of the strategic plan and the source of funding by
agency for the current fiscal year; and
``(iii) estimate the funding required for each major
research objective of the strategic plan for the next 3
fiscal years.
``(4) Recommendations.--The agencies under subsection
(a)(3)(B) shall take into consideration when developing the
strategic plan under paragraph (1) the recommendations of--
``(A) the advisory committee under subsection (b); and
``(B) the stakeholders under section 102(a)(3).
``(5) Report to congress.--The Director of the Office of
Science and Technology Policy shall transmit the strategic
plan under this subsection, including the implementation
roadmap and any updates under paragraph (3), to--
``(A) the advisory committee under subsection (b);
``(B) the Committee on Commerce, Science, and
Transportation of the Senate; and
``(C) the Committee on Science and Technology of the House
of Representatives.''.
(c) Periodic Reviews.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended by adding
at the end the following:
``(f) Periodic Reviews.--The agencies under subsection
(a)(3)(B) shall--
``(1) periodically assess the contents and funding levels
of the Program Component Areas and restructure the Program
when warranted, taking into consideration any relevant
recommendations of the advisory committee under subsection
(b); and
``(2) ensure that the Program includes national, multi-
agency, multi-faceted research and development activities,
including activities described in section 104.''.
(d) Additional Responsibilities of Director.--Section
101(a)(2) of the High-Performance Computing Act of 1991 (15
U.S.C. 5511(a)(2)) is amended--
(1) by redesignating subparagraphs (E) and (F) as
subparagraphs (G) and (H), respectively; and
(2) by inserting after subparagraph (D) the following:
``(E) encourage and monitor the efforts of the agencies
participating in the Program to allocate the level of
resources and management attention necessary--
``(i) to ensure that the strategic plan under subsection
(e) is developed and executed effectively; and
``(ii) to ensure that the objectives of the Program are
met;
``(F) working with the Office of Management and Budget and
in coordination with the creation of the database under
section 102(c), direct the Office of Science and Technology
Policy and the agencies participating in the Program to
establish a mechanism (consistent with existing law) to track
all ongoing and completed research and development projects
and associated funding;''.
(e) Advisory Committee.--Section 101(b) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is
amended--
(1) in paragraph (1)--
(A) by inserting after the first sentence the following:
``The co-chairs of the advisory committee shall meet the
qualifications of committee members and may be members of the
President's Council of Advisors on Science and Technology.'';
and
(B) by striking ``high-performance'' in subparagraph (D)
and inserting ``high-end''; and
(2) by amending paragraph (2) to read as follows:
``(2) In addition to the duties under paragraph (1), the
advisory committee shall conduct periodic evaluations of the
funding, management, coordination, implementation, and
activities of the Program. The advisory committee shall
report its findings and recommendations not less frequently
than once every 3 fiscal years to the Committee on Commerce,
Science, and Transportation of the Senate and the Committee
on Science and Technology of the House of Representatives.
The report shall be submitted in conjunction with the update
of the strategic plan.''.
(f) Report.--Section 101(a)(3) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
(1) in subparagraph (C)--
(A) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(B) by striking ``each Program Component Area'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104'';
(2) in subparagraph (D)--
(A) by striking ``each Program Component Area,'' and
inserting ``each Program Component Area and each research
area supported in accordance with section 104,'';
(B) by striking ``is submitted,'' and inserting ``is
submitted, the levels for the previous fiscal year,''; and
(C) by striking ``and'' after the semicolon;
(3) by redesignating subparagraph (E) as subparagraph (G);
and
(4) by inserting after subparagraph (D) the following:
``(E) include a description of how the objectives for each
Program Component Area, and the objectives for activities
that involve multiple Program Component Areas, relate to the
objectives of the Program identified in the strategic plan
under subsection (e);
``(F) include--
``(i) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the next
fiscal year by category of activity;
``(ii) a description of the funding required by the Office
of Science and Technology Policy to perform the functions
under subsections (a) and (c) of section 102 for the current
fiscal year by category of activity; and
``(iii) the amount of funding provided for the Office of
Science and Technology Policy for the current fiscal year by
each agency participating in the Program; and''.
(g) Definitions.--Section 4 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5503) is amended--
(1) by redesignating paragraphs (1) and (2) as paragraphs
(2) and (3), respectively;
(2) by redesignating paragraph (3) as paragraph (6);
(3) by redesignating paragraphs (6) and (7) as paragraphs
(7) and (8), respectively;
(4) by inserting before paragraph (2), as redesignated, the
following:
``(1) `cyber-physical systems' means physical or engineered
systems whose networking and information technology functions
and physical elements are deeply integrated and are actively
connected to the physical world through sensors, actuators,
or other means to perform monitoring and control
functions;'';
(5) in paragraph (3), as redesignated, by striking ``high-
performance computing'' and inserting ``networking and
information technology'';
(6) in paragraph (6), as redesignated--
(A) by striking ``high-performance computing'' and
inserting ``networking and information technology''; and
(B) by striking ``supercomputer'' and inserting ``high-end
computing'';
(7) in paragraph (5), by striking ``network referred to
as'' and all that follows through the semicolon and inserting
``network, including advanced computer networks of Federal
agencies and departments''; and
(8) in paragraph (7), as redesignated, by striking
``National High-Performance Computing Program'' and inserting
``networking and information technology research and
development program''.
SEC. 502. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
(a) Research in Areas of National Importance.--Title I of
the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et
seq.) is amended by adding at the end the following:
``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
``(a) In General.--The Program shall encourage agencies
under section 101(a)(3)(B) to support, maintain, and improve
national, multi-agency, multi-faceted research and
development activities in networking and information
technology directed toward application areas that have the
potential for significant contributions to national economic
competitiveness and for other significant societal benefits.
``(b) Technical Solutions.--An activity under subsection
(a) shall be designed to advance the development of research
discoveries by demonstrating technical solutions to important
problems in areas including--
``(1) cybersecurity;
``(2) health care;
``(3) energy management and low-power systems and devices;
``(4) transportation, including surface and air
transportation;
``(5) cyber-physical systems;
``(6) large-scale data analysis and modeling of physical
phenomena;
``(7) large-scale data analysis and modeling of behavioral
phenomena;
``(8) supply chain quality and security; and
``(9) privacy protection and protected disclosure of
confidential data.
``(c) Recommendations.--The advisory committee under
section 101(b) shall make recommendations to the Program for
candidate research and development areas for support under
this section.
``(d) Characteristics.--
``(1) In general.--Research and development activities
under this section--
``(A) shall include projects selected on the basis of
applications for support through a competitive, merit-based
process;
``(B) shall leverage, when possible, Federal investments
through collaboration with related State initiatives;
``(C) shall include a plan for fostering the transfer of
research discoveries and the results of technology
demonstration activities, including from institutions of
higher education and Federal laboratories, to industry for
commercial development;
``(D) shall involve collaborations among researchers in
institutions of higher education and industry; and
``(E) may involve collaborations among nonprofit research
institutions and Federal laboratories, as appropriate.
``(2) Cost-sharing.--In selecting applications for support,
the agencies under section 101(a)(3)(B) shall give special
consideration to projects that include cost sharing from non-
Federal sources.
``(3) Multidisciplinary research centers.--Research and
development activities under this section shall be supported
through multidisciplinary research centers, including Federal
laboratories, that are organized to investigate basic
research questions and carry out technology demonstration
activities in areas described in subsection (a). Research may
be carried out through existing multidisciplinary centers,
including those authorized under section 7024(b)(2) of the
America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
(b) Cyber-Physical Systems.--Section 101(a)(1) of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is
amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking the period at the end
and inserting a semicolon; and
(3) by adding at the end the following:
``(J) provide for increased understanding of the scientific
principles of cyber-physical systems and improve the methods
available for the design, development, and operation of
cyber-physical systems that are characterized by high
reliability, safety, and security; and
``(K) provide for research and development on human-
computer interactions, visualization, and big data.''.
(c) Task Force.--Title I of the High-Performance Computing
Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section
502(a) of this Act, is amended by adding at the end the
following:
``SEC. 105. TASK FORCE.
``(a) Establishment.--Not later than 180 days after the
date of enactment of the Cybersecurity Act of 2012, the Director
of the Office of Science and Technology Policy under section
102 shall convene a task force to explore mechanisms for
carrying out collaborative research and development
activities for cyber-physical systems (including the related
technologies required to enable these systems) through a
consortium or other appropriate entity with participants from
institutions of higher education, Federal laboratories, and
industry.
``(b) Functions.--The task force shall--
``(1) develop options for a collaborative model and an
organizational structure for such entity under which the
joint research and development activities could be planned,
managed, and conducted effectively, including mechanisms for
the allocation of resources among the participants in such
entity for support of such activities;
``(2) propose a process for developing a research and
development agenda for such entity, including guidelines to
ensure an appropriate scope of work focused on nationally
significant challenges and requiring collaboration and to
ensure the development of related scientific and
technological milestones;
``(3) define the roles and responsibilities for the
participants from institutions of higher education, Federal
laboratories, and industry in such entity;
``(4) propose guidelines for assigning intellectual
property rights and for transferring research results to the
private sector; and
``(5) make recommendations for how such entity could be
funded from Federal, State, and non-governmental sources.
``(c) Composition.--In establishing the task force under
subsection (a), the Director of the Office of Science and
Technology Policy shall appoint an equal number of
individuals from institutions of higher education and from
industry with knowledge and expertise in cyber-physical
systems, and may appoint not more than 2 individuals from
Federal laboratories.
``(d) Report.--Not later than 1 year after the date of
enactment of the Cybersecurity Act of 2012, the Director of
the Office of Science and Technology Policy shall transmit to
the Committee on Commerce, Science, and Transportation of the
Senate and the Committee on Science and Technology of the
House of Representatives a report describing the findings and
recommendations of the task force.
``(e) Termination.--The task force shall terminate upon
transmittal of the report required under subsection (d).
``(f) Compensation and Expenses.--Members of the task force
shall serve without compensation.''.
SEC. 503. PROGRAM IMPROVEMENTS.
Section 102 of the High-Performance Computing Act of 1991
(15 U.S.C. 5512) is amended to read as follows:
``SEC. 102. PROGRAM IMPROVEMENTS.
``(a) Functions.--The Director of the Office of Science and
Technology Policy shall continue--
``(1) to provide technical and administrative support to--
``(A) the agencies participating in planning and
implementing the Program, including support needed to develop
the strategic plan under section 101(e); and
``(B) the advisory committee under section 101(b);
``(2) to serve as the primary point of contact on Federal
networking and information technology activities for
government agencies, academia, industry, professional
societies, State computing and networking technology
programs, interested citizen groups, and others to exchange
technical and programmatic information;
``(3) to solicit input and recommendations from a wide
range of stakeholders during the development of each
strategic plan under section 101(e) by convening at least 1
workshop with invitees from academia, industry, Federal
laboratories, and other relevant organizations and
institutions;
``(4) to conduct public outreach, including the
dissemination of the advisory committee's findings and
recommendations, as appropriate;
``(5) to promote access to and early application of the
technologies, innovations, and expertise derived from Program
activities to agency missions and systems across the Federal
Government and to United States industry;
``(6) to ensure accurate and detailed budget reporting of
networking and information technology research and
development investment; and
``(7) to encourage agencies participating in the Program to
use existing programs and resources to strengthen networking
and information technology education and training, and
increase participation in such fields, including by women and
underrepresented minorities.
``(b) Source of Funding.--
``(1) In general.--The functions under this section shall
be supported by funds from each agency participating in the
Program.
``(2) Specifications.--The portion of the total budget of
the Office of Science and Technology Policy that is provided
by each agency participating in the Program for each fiscal
year shall be in the same proportion as each agency's share
of the total budget for the Program for the previous fiscal
year, as specified in the database under section 102(c).
``(c) Database.--
``(1) In general.--The Director of the Office of Science
and Technology Policy shall develop and maintain a database
of projects funded by each agency for the fiscal year for
each Program Component Area.
``(2) Public accessibility.--The Director of the Office of
Science and Technology Policy shall make the database
accessible to the public.
``(3) Database contents.--The database shall include, for
each project in the database--
``(A) a description of the project;
``(B) each agency, industry, institution of higher
education, Federal laboratory, or international institution
involved in the project;
``(C) the source funding of the project (set forth by
agency);
``(D) the funding history of the project; and
``(E) whether the project has been completed.''.
SEC. 504. IMPROVING EDUCATION OF NETWORKING AND INFORMATION
TECHNOLOGY, INCLUDING HIGH-PERFORMANCE
COMPUTING.
Section 201(a) of the High-Performance Computing Act of
1991 (15 U.S.C. 5521(a)) is amended--
(1) by redesignating paragraphs (2) through (4) as
paragraphs (3) through (5), respectively; and
(2) by inserting after paragraph (1) the following:
``(2) the National Science Foundation shall use its
existing programs, in collaboration with other agencies, as
appropriate, to improve the teaching and learning of
networking and information technology at all levels of
education and to increase participation in networking and
information technology fields;''.
SEC. 505. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-
PERFORMANCE COMPUTING ACT OF 1991.
(a) Section 3.--Section 3 of the High-Performance Computing
Act of 1991 (15 U.S.C. 5502) is amended--
(1) in the matter preceding paragraph (1), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(2) in paragraph (1)--
(A) in the matter preceding subparagraph (A), by striking
``high-performance computing'' and inserting ``networking and
information technology'';
(B) in subparagraphs (A), (F), and (G), by striking ``high-
performance computing'' each place it appears and inserting
``networking and information technology''; and
(C) in subparagraph (H), by striking ``high-performance''
and inserting ``high-end''; and
(3) in paragraph (2)--
(A) by striking ``high-performance computing and'' and
inserting ``networking and information technology, and''; and
(B) by striking ``high-performance computing network'' and
inserting ``networking and information technology''.
(b) Title Heading.--The heading of title I of the High-
Performance Computing Act of 1991 (105 Stat. 1595) is amended
by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting
``NETWORKING AND INFORMATION TECHNOLOGY''.
(c) Section 101.--Section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511) is amended--
(1) in the section heading, by striking ``high-performance
computing'' and inserting ``networking and information
technology research and development'';
(2) in subsection (a)--
(A) in the subsection heading, by striking ``National High-
Performance Computing'' and inserting ``Networking and
Information Technology Research and Development'';
(B) in paragraph (1)--
(i) by striking ``National High-Performance Computing
Program'' and inserting ``networking and information
technology research and development program'';
(ii) in subparagraph (A), by striking ``high-performance
computing, including networking'' and inserting ``networking
and information technology'';
(iii) in subparagraphs (B) and (G), by striking ``high-
performance'' each place it appears and inserting ``high-
end''; and
(iv) in subparagraph (C), by striking ``high-performance
computing and networking'' and inserting ``high-end
computing, distributed, and networking''; and
(C) in paragraph (2)--
(i) in subparagraphs (A) and (C)--
(I) by striking ``high-performance computing'' each place
it appears and inserting ``networking and information
technology''; and
(II) by striking ``development, networking,'' each place it
appears and inserting ``development,''; and
(ii) in subparagraphs (G) and (H), as redesignated by
section 501(d) of this Act, by striking ``high-performance''
each place it appears and inserting ``high-end'';
(3) in subsection (b)(1), in the matter preceding
subparagraph (A), by striking ``high-performance computing''
each place it appears and inserting ``networking and
information technology''; and
(4) in subsection (c)(1)(A), by striking ``high-performance
computing'' and inserting ``networking and information
technology''.
(d) Section 201.--Section 201(a)(1) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by
striking ``high-performance computing and advanced high-speed
computer networking'' and inserting ``networking and
information technology research and development''.
(e) Section 202.--Section 202(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by
striking ``high-performance computing'' and inserting
``networking and information technology''.
(f) Section 203.--Section 203(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
(1) in paragraph (1), by striking ``high-performance
computing and networking'' and inserting ``networking and
information technology''; and
(2) in paragraph (2)(A), by striking ``high-performance''
and inserting ``high-end''.
(g) Section 204.--Section 204 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5524) is amended--
(1) in subsection (a)(1)--
(A) in subparagraph (A), by striking ``high-performance
computing systems and networks'' and inserting ``networking
and information technology systems and capabilities'';
(B) in subparagraph (B), by striking ``interoperability of
high-performance computing systems in networks and for common
user interfaces to systems'' and inserting ``interoperability
and usability of networking and information technology
systems''; and
(C) in subparagraph (C), by striking ``high-performance
computing'' and inserting ``networking and information
technology''; and
(2) in subsection (b)--
(A) by striking ``High-Performance Computing and Network''
in the heading and inserting ``Networking and Information
Technology''; and
(B) by striking ``sensitive''.
(h) Section 205.--Section 205(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by
striking ``computational'' and inserting ``networking and
information technology''.
(i) Section 206.--Section 206(a) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by
striking ``computational research'' and inserting
``networking and information technology research''.
(j) Section 207.--Section 207 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5527) is amended by striking
``high-performance computing'' and inserting ``networking and
information technology''.
(k) Section 208.--Section 208 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5528) is amended--
(1) in the section heading, by striking ``HIGH-PERFORMANCE
COMPUTING'' and inserting ``NETWORKING AND INFORMATION
TECHNOLOGY''; and
(2) in subsection (a)--
(A) in paragraph (1), by striking ``High-performance
computing and associated'' and inserting ``Networking and
information'';
(B) in paragraph (2), by striking ``high-performance
computing'' and inserting ``networking and information
technologies'';
(C) in paragraph (3), by striking ``high-performance'' and
inserting ``high-end'';
(D) in paragraph (4), by striking ``high-performance
computers and associated'' and inserting ``networking and
information''; and
(E) in paragraph (5), by striking ``high-performance
computing and associated'' and inserting ``networking and
information''.
[[Page S5614]]
SEC. 506. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) In General.--The Director of the National Science
Foundation, in coordination with the Secretary of Homeland
Security, shall carry out a Federal cyber scholarship-for-
service program to recruit and train the next generation of
information technology professionals and security managers to
meet the needs of the cybersecurity mission for the Federal
government.
(b) Program Description and Components.--The program
shall--
(1) annually assess the workforce needs of the Federal
government for cybersecurity professionals, including network
engineers, software engineers, and other experts in order to
determine how many scholarships should be awarded annually to
ensure that the workforce needs following graduation match
the number of scholarships awarded;
(2) provide scholarships for up to 1,000 students per year
in their pursuit of undergraduate or graduate degrees in the
cybersecurity field, in an amount that may include coverage
for full tuition, fees, and a stipend;
(3) require each scholarship recipient, as a condition of
receiving a scholarship under the program, to serve in a
Federal information technology workforce for a period equal
to one and one-half times each year, or partial year, of
scholarship received, in addition to an internship in the
cybersecurity field, if applicable, following graduation;
(4) provide a procedure for the National Science Foundation
or a Federal agency, consistent with regulations of the
Office of Personnel Management, to request and fund a
security clearance for a scholarship recipient, including
providing for clearance during a summer internship and upon
graduation; and
(5) provide opportunities for students to receive temporary
appointments for meaningful employment in the Federal
information technology workforce during school vacation
periods and for internships.
(c) Hiring Authority.--
(1) In general.--For purposes of any law or regulation
governing the appointment of an individual in the Federal
civil service, upon the successful completion of the
student's studies, a student receiving a scholarship under
the program may--
(A) be hired under section 213.3102(r) of title 5, Code of
Federal Regulations; and
(B) be exempt from competitive service.
(2) Competitive service.--Upon satisfactory fulfillment of
the service term under paragraph (1), an individual may be
converted to a competitive service position without
competition if the individual meets the requirements for that
position.
(d) Eligibility.--The eligibility requirements for a
scholarship under this section shall include that a
scholarship applicant--
(1) be a citizen of the United States;
(2) be eligible to be granted a security clearance;
(3) maintain a grade point average of 3.2 or above on a 4.0
scale for undergraduate study or a 3.5 or above on a 4.0
scale for postgraduate study;
(4) demonstrate a commitment to a career in improving the
security of the information infrastructure; and
(5) have demonstrated a level of proficiency in math or
computer sciences.
(e) Failure to Complete Service Obligation.--
(1) In general.--A scholarship recipient under this section
shall be liable to the United States under paragraph (2) if
the scholarship recipient--
(A) fails to maintain an acceptable level of academic
standing in the educational institution in which the
individual is enrolled, as determined by the Director;
(B) is dismissed from such educational institution for
disciplinary reasons;
(C) withdraws from the program for which the award was made
before the completion of such program;
(D) declares that the individual does not intend to fulfill
the service obligation under this section;
(E) fails to fulfill the service obligation of the
individual under this section; or
(F) loses a security clearance or becomes ineligible for a
security clearance.
(2) Repayment amounts.--
(A) Less than 1 year of service.--If a circumstance under
paragraph (1) occurs before the completion of 1 year of a
service obligation under this section, the total amount of
awards received by the individual under this section shall be
repaid.
(B) One or more years of service.--If a circumstance
described in subparagraph (D) or (E) of paragraph (1) occurs
after the completion of 1 year of a service obligation under
this section, the total amount of scholarship awards received
by the individual under this section, reduced by the ratio of
the number of years of service completed divided by the
number of years of service required, shall be repaid.
(f) Evaluation and Report.--The Director of the National
Science Foundation shall--
(1) evaluate the success of recruiting individuals for
scholarships under this section and of hiring and retaining
those individuals in the public sector workforce, including
the annual cost and an assessment of how the program actually
improves the Federal workforce; and
(2) periodically report the findings under paragraph (1) to
Congress.
(g) Authorization of Appropriations.--From amounts made
available under section 503 of the America COMPETES
Reauthorization Act of 2010 (124 Stat. 4005), the Director
may use funds to carry out the requirements of this section
for fiscal years 2012 through 2013.
SEC. 507. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF
INFORMATION INFRASTRUCTURE PROFESSIONALS.
(a) Study.--The President shall enter into an agreement
with the National Academies to conduct a comprehensive study
of government, academic, and private-sector accreditation,
training, and certification programs for personnel working in
information infrastructure. The agreement shall require the
National Academies to consult with sector coordinating
councils and relevant governmental agencies, regulatory
entities, and nongovernmental organizations in the course of
the study.
(b) Scope.--The study shall include--
(1) an evaluation of the body of knowledge and various
skills that specific categories of personnel working in
information infrastructure should possess in order to secure
information systems;
(2) an assessment of whether existing government, academic,
and private-sector accreditation, training, and certification
programs provide the body of knowledge and various skills
described in paragraph (1);
(3) an analysis of any barriers to the Federal Government
recruiting and hiring cybersecurity talent, including
barriers relating to compensation, the hiring process, job
classification, and hiring flexibility; and
(4) an analysis of the sources and availability of
cybersecurity talent, a comparison of the skills and
expertise sought by the Federal Government and the private
sector, an examination of the current and future capacity of
United States institutions of higher education, including
community colleges, to provide current and future
cybersecurity professionals, through education and training
activities, with those skills sought by the Federal
Government, State and local entities, and the private sector.
(c) Report.--Not later than 1 year after the date of
enactment of this Act, the National Academies shall submit to
the President and Congress a report on the results of the
study. The report shall include--
(1) findings regarding the state of information
infrastructure accreditation, training, and certification
programs, including specific areas of deficiency and
demonstrable progress; and
(2) recommendations for the improvement of information
infrastructure accreditation, training, and certification
programs.
SEC. 508. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.
(a) In General.--The Director of the National Institute of
Standards and Technology, in coordination with appropriate
Federal authorities, shall--
(1) as appropriate, ensure coordination of Federal agencies
engaged in the development of international technical
standards related to information system security; and
(2) not later than 1 year after the date of enactment of
this Act, develop and transmit to Congress a plan for
ensuring such Federal agency coordination.
(b) Consultation With the Private Sector.--In carrying out
the activities under subsection (a)(1), the Director shall
ensure consultation with appropriate private sector
stakeholders.
SEC. 509. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.
The Director of the National Institute of Standards and
Technology shall continue a program to support the
development of technical standards, metrology, testbeds, and
conformance criteria, taking into account appropriate user
concerns--
(1) to improve interoperability among identity management
technologies;
(2) to strengthen authentication methods of identity
management systems;
(3) to improve privacy protection in identity management
systems, including health information technology systems,
through authentication and security protocols; and
(4) to improve the usability of identity management
systems.
SEC. 510. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) National Science Foundation Computer and Network
Security Research Grant Areas.--Section 4(a)(1) of the Cyber
Security Research and Development Act (15 U.S.C. 7403(a)(1))
is amended--
(1) in subparagraph (H), by striking ``and'' after the
semicolon;
(2) in subparagraph (I), by striking ``property.'' and
inserting ``property;''; and
(3) by adding at the end the following:
``(J) secure fundamental protocols that are at the heart of
inter-network communications and data exchange;
``(K) system security that addresses the building of secure
systems from trusted and untrusted components;
``(L) monitoring and detection; and
``(M) resiliency and rapid recovery methods.''.
(b) National Science Foundation Computer and Network
Security Grants.--Section 4(a)(3) of the Cyber Security
Research and Development Act (15 U.S.C. 7403(a)(3)) is
amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to
[[Page S5615]]
carry out the requirements of this subsection for fiscal
years 2012 through 2013.''.
(c) Computer and Network Security Centers.--Section 4(b)(7)
of the Cyber Security Research and Development Act (15 U.S.C.
7403(b)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(d) Computer and Network Security Capacity Building
Grants.--Section 5(a)(6) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(a)(6)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(e) Scientific and Advanced Technology Act Grants.--Section
5(b)(2) of the Cyber Security Research and Development Act
(15 U.S.C. 7404(b)(2)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
(f) Graduate Traineeships in Computer and Network Security
Research.--Section 5(c)(7) of the Cyber Security Research and
Development Act (15 U.S.C. 7404(c)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and
inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section
503 of the America COMPETES Reauthorization Act of 2010 (124
Stat. 4005), as the Director finds necessary to carry out the
requirements of this subsection for fiscal years 2012 through
2013.''.
______
SA 2616. Mrs. SHAHEEN (for herself and Mr. Portman) submitted an
amendment intended to be proposed by her to the bill S. 3414, to
enhance the security and resiliency of the cyber and communications
infrastructure of the United States; which was ordered to lie on the
table; as follows:
At the end of the bill, add the following:
TITLE VIII--ENERGY SAVINGS AND INDUSTRIAL COMPETITIVENESS
SEC. 801. SHORT TITLE.
This title may be cited as the ``Energy Savings and
Industrial Competitiveness Act of 2012''.
Subtitle A--Buildings
PART I--BUILDING ENERGY CODES
SEC. 811. GREATER ENERGY EFFICIENCY IN BUILDING CODES.
(a) Definitions.--Section 303 of the Energy Conservation
and Production Act (42 U.S.C. 6832) is amended--
(1) by striking paragraph (14) and inserting the following:
``(14) Model building energy code.--The term `model
building energy code' means a voluntary building energy code
and standards developed and updated through a consensus
process among interested persons, such as the IECC or the
code used by--
``(A) the Council of American Building Officials;
``(B) the American Society of Heating, Refrigerating, and
Air-Conditioning Engineers; or
``(C) other appropriate organizations.''; and
(2) by adding at the end the following:
``(17) IECC.--The term `IECC' means the International
Energy Conservation Code.
``(18) Indian tribe.--The term `Indian tribe' has the
meaning given the term in section 4 of the Native American
Housing Assistance and Self-Determination Act of 1996 (25
U.S.C. 4103).''.
(b) State Building Energy Efficiency Codes.--Section 304 of
the Energy Conservation and Production Act (42 U.S.C. 6833)
is amended to read as follows:
``SEC. 304. UPDATING STATE BUILDING ENERGY EFFICIENCY CODES.
``(a) In General.--The Secretary shall--
``(1) encourage and support the adoption of building energy
codes by States, Indian tribes, and, as appropriate, by local
governments that meet or exceed the model building energy
codes, or achieve equivalent or greater energy savings; and
``(2) support full compliance with the State and local
codes.
``(b) State and Indian Tribe Certification of Building
Energy Code Updates.--
``(1) Review and updating of codes by each state and indian
tribe.--
``(A) In general.--Not later than 2 years after the date on
which a model building energy code is updated, each State or
Indian tribe shall certify whether or not the State or Indian
tribe, respectively, has reviewed and updated the energy
provisions of the building code of the State or Indian tribe,
respectively.
``(B) Demonstration.--The certification shall include a
demonstration of whether or not the energy savings for the
code provisions that are in effect throughout the State or
Indian tribal territory meet or exceed--
``(i) the energy savings of the updated model building
energy code; or
``(ii) the targets established under section 307(b)(2).
``(C) No model building energy code update.--If a model
building energy code is not updated by a target date
established under section 307(b)(2)(D), each State or Indian
tribe shall, not later than 2 years after the specified date,
certify whether or not the State or Indian tribe,
respectively, has reviewed and updated the energy provisions
of the building code of the State or Indian tribe,
respectively, to meet or exceed the target in section
307(b)(2).
``(2) Validation by secretary.--Not later than 90 days
after a State or Indian tribe certification under paragraph
(1), the Secretary shall--
``(A) determine whether the code provisions of the State or
Indian tribe, respectively, meet the criteria specified in
paragraph (1); and
``(B) if the determination is positive, validate the
certification.
``(c) Improvements in Compliance With Building Energy
Codes.--
``(1) Requirement.--
``(A) In general.--Not later than 3 years after the date of
a certification under subsection (b), each State and Indian
tribe shall certify whether or not the State and Indian
tribe, respectively, has--
``(i) achieved full compliance under paragraph (3) with the
applicable certified State and Indian tribe building energy
code or with the associated model building energy code; or
``(ii) made significant progress under paragraph (4) toward
achieving compliance with the applicable certified State and
Indian tribe building energy code or with the associated
model building energy code.
``(B) Repeat certifications.--If the State or Indian tribe
certifies progress toward achieving compliance, the State or
Indian tribe shall repeat the certification until the State
or Indian tribe certifies that the State or Indian tribe has
achieved full compliance, respectively.
``(2) Measurement of compliance.--A certification under
paragraph (1) shall include documentation of the rate of
compliance based on--
``(A) independent inspections of a random sample of the
buildings covered by the code in the preceding year; or
``(B) an alternative method that yields an accurate measure
of compliance.
``(3) Achievement of compliance.--A State or Indian tribe
shall be considered to achieve full compliance under
paragraph (1) if--
``(A) at least 90 percent of building space covered by the
code in the preceding year substantially meets all the
requirements of the applicable code specified in paragraph
(1), or achieves an equivalent or greater energy savings
level; or
``(B) the estimated excess energy use of buildings that did
not meet the applicable code specified in paragraph (1) in
the preceding year, compared to a baseline of comparable
buildings that meet this code, is not more than 5 percent of
the estimated energy use of all buildings covered by this
code during the preceding year.
``(4) Significant progress toward achievement of
compliance.--A State or Indian tribe shall be considered to
have made significant progress toward achieving compliance
for purposes of paragraph (1) if the State or Indian tribe--
``(A) has developed and is implementing a plan for
achieving compliance during the 8-year-period beginning on
the date of enactment of this paragraph, including annual
targets for compliance and active training and enforcement
programs; and
``(B) has met the most recent target under subparagraph
(A).
``(5) Validation by secretary.--Not later than 90 days
after a State or Indian tribe certification under paragraph
(1), the Secretary shall--
``(A) determine whether the State or Indian tribe has
demonstrated meeting the criteria of this subsection,
including accurate measurement of compliance; and
``(B) if the determination is positive, validate the
certification.
``(d) States or Indian Tribes That Do Not Achieve
Compliance.--
``(1) Reporting.--A State or Indian tribe that has not made
a certification required under subsection (b) or (c) by the
applicable deadline shall submit to the Secretary a report
on--
``(A) the status of the State or Indian tribe with respect
to meeting the requirements and submitting the certification;
and
``(B) a plan for meeting the requirements and submitting
the certification.
``(2) Federal support.--For any State or Indian tribe for
which the Secretary has not validated a certification by a
deadline under subsection (b) or (c), the lack of the
certification may be a consideration for Federal support
authorized under this section for code adoption and
compliance activities.
``(3) Local government.--In any State or Indian tribe for
which the Secretary has not validated a certification under
subsection (b) or (c), a local government may be eligible for
Federal support by meeting the certification requirements of
subsections (b) and (c).
``(4) Annual reports by secretary.--
[[Page S5616]]
``(A) In general.--The Secretary shall annually submit to
Congress, and publish in the Federal Register, a report on--
``(i) the status of model building energy codes;
``(ii) the status of code adoption and compliance in the
States and Indian tribes;
``(iii) implementation of this section; and
``(iv) improvements in energy savings over time as a result
of the targets established under section 307(b)(2).
``(B) Impacts.--The report shall include estimates of
impacts of past action under this section, and potential
impacts of further action, on--
``(i) upfront financial and construction costs, cost
benefits and returns (using investment analysis), and
lifetime energy use for buildings;
``(ii) resulting energy costs to individuals and
businesses; and
``(iii) resulting overall annual building ownership and
operating costs.
``(e) Technical Assistance to States and Indian Tribes.--
The Secretary shall provide technical assistance to States
and Indian tribes to implement the goals and requirements of
this section, including procedures and technical analysis for
States and Indian tribes--
``(1) to improve and implement State residential and
commercial building energy codes;
``(2) to demonstrate that the code provisions of the States
and Indian tribes achieve equivalent or greater energy
savings than the model building energy codes and targets;
``(3) to document the rate of compliance with a building
energy code; and
``(4) to otherwise promote the design and construction of
energy efficient buildings.
``(f) Availability of Incentive Funding.--
``(1) In general.--The Secretary shall provide incentive
funding to States and Indian tribes--
``(A) to implement the requirements of this section;
``(B) to improve and implement residential and commercial
building energy codes, including increasing and verifying
compliance with the codes and training of State, tribal, and
local building code officials to implement and enforce the
codes; and
``(C) to promote building energy efficiency through the use
of the codes.
``(2) Additional funding.--Additional funding shall be
provided under this subsection for implementation of a plan
to achieve and document full compliance with residential and
commercial building energy codes under subsection (c)--
``(A) to a State or Indian tribe for which the Secretary
has validated a certification under subsection (b) or (c);
and
``(B) in a State or Indian tribe that is not eligible under
subparagraph (A), to a local government that is eligible
under this section.
``(3) Training.--Of the amounts made available under this
subsection, the State may use amounts required, but not to
exceed $750,000 for a State, to train State and local
building code officials to implement and enforce codes
described in paragraph (2).
``(4) Local governments.--States may share grants under
this subsection with local governments that implement and
enforce the codes.
``(g) Stretch Codes and Advanced Standards.--
``(1) In general.--The Secretary shall provide technical
and financial support for the development of stretch codes
and advanced standards for residential and commercial
buildings for use as--
``(A) an option for adoption as a building energy code by
local, tribal, or State governments; and
``(B) guidelines for energy-efficient building design.
``(2) Targets.--The stretch codes and advanced standards
shall be designed--
``(A) to achieve substantial energy savings compared to the
model building energy codes; and
``(B) to meet targets under section 307(b), if available,
at least 3 to 6 years in advance of the target years.
``(h) Studies.--The Secretary, in consultation with
building science experts from the National Laboratories and
institutions of higher education, designers and builders of
energy-efficient residential and commercial buildings, code
officials, and other stakeholders, shall undertake a study of
the feasibility, impact, economics, and merit of--
``(1) code improvements that would require that buildings
be designed, sited, and constructed in a manner that makes
the buildings more adaptable in the future to become zero-
net-energy after initial construction, as advances are
achieved in energy-saving technologies;
``(2) code procedures to incorporate measured lifetimes,
not just first-year energy use, in trade-offs and performance
calculations; and
``(3) legislative options for increasing energy savings
from building energy codes, including additional incentives
for effective State and local action, and verification of
compliance with and enforcement of a code other than by a
State or local government.
``(i) Effect on Other Laws.--Nothing in this section or
section 307 supersedes or modifies the application of
sections 321 through 346 of the Energy Policy and
Conservation Act (42 U.S.C. 6291 et seq.).
``(j) Authorization of Appropriations.--There are
authorized to be appropriated to carry out this section and
section 307 $200,000,000, to remain available until
expended.''.
(c) Federal Building Energy Efficiency Standards.--Section
305 of the Energy Conservation and Production Act (42 U.S.C.
6834) is amended by striking ``voluntary building energy
code'' each place it appears in subsections (a)(2)(B) and (b)
and inserting ``model building energy code''.
(d) Model Building Energy Codes.--Section 307 of the Energy
Conservation and Production Act (42 U.S.C. 6836) is amended
to read as follows:
``SEC. 307. SUPPORT FOR MODEL BUILDING ENERGY CODES.
``(a) In General.--The Secretary shall support the updating
of model building energy codes.
``(b) Targets.--
``(1) In general.--The Secretary shall support the updating
of the model building energy codes to enable the achievement
of aggregate energy savings targets established under
paragraph (2).
``(2) Targets.--
``(A) In general.--The Secretary shall work with States,
Indian tribes, local governments, nationally recognized code
and standards developers, and other interested parties to
support the updating of model building energy codes by
establishing 1 or more aggregate energy savings targets to
achieve the purposes of this section.
``(B) Separate targets.--The Secretary may establish
separate targets for commercial and residential buildings.
``(C) Baselines.--The baseline for updating model building
energy codes shall be the 2009 IECC for residential buildings
and ASHRAE Standard 90.1-2010 for commercial buildings.
``(D) Specific years.--
``(i) In general.--Targets for specific years shall be
established and revised by the Secretary through rulemaking
and coordinated with nationally recognized code and standards
developers at a level that--
``(I) is at the maximum level of energy efficiency that is
technologically feasible and life-cycle cost effective, while
accounting for the economic considerations under paragraph
(4);
``(II) is higher than the preceding target; and
``(III) promotes the achievement of commercial and
residential high-performance buildings through high
performance energy efficiency (within the meaning of section
401 of the Energy Independence and Security Act of 2007 (42
U.S.C. 17061)).
``(ii) Initial targets.--Not later than 1 year after the
date of enactment of this clause, the Secretary shall
establish initial targets under this subparagraph.
``(iii) Different target years.--Subject to clause (i),
prior to the applicable year, the Secretary may set a later
target year for any of the model building energy codes
described in subparagraph (A) if the Secretary determines
that a target cannot be met.
``(iv) Small business.--When establishing targets under
this paragraph through rulemaking, the Secretary shall ensure
compliance with the Small Business Regulatory Enforcement
Fairness Act of 1996 (5 U.S.C. 601 note; Public Law 104-121).
``(3) Appliance standards and other factors affecting
building energy use.--In establishing building code targets
under paragraph (2), the Secretary shall develop and adjust
the targets in recognition of potential savings and costs
relating to--
``(A) efficiency gains made in appliances, lighting,
windows, insulation, and building envelope sealing;
``(B) advancement of distributed generation and on-site
renewable power generation technologies;
``(C) equipment improvements for heating, cooling, and
ventilation systems;
``(D) building management systems and SmartGrid
technologies to reduce energy use; and
``(E) other technologies, practices, and building systems
that the Secretary considers appropriate regarding building
plug load and other energy uses.
``(4) Economic considerations.--In establishing and
revising building code targets under paragraph (2), the
Secretary shall consider the economic feasibility of
achieving the proposed targets established under this section
and the potential costs and savings for consumers and
building owners, including a return on investment analysis.
``(c) Technical Assistance to Model Building Energy Code-
setting and Standard Development Organizations.--
``(1) In general.--The Secretary shall, on a timely basis,
provide technical assistance to model building energy code-
setting and standard development organizations consistent
with the goals of this section.
``(2) Assistance.--The assistance shall include, as
requested by the organizations, technical assistance in--
``(A) evaluating code or standards proposals or revisions;
``(B) building energy analysis and design tools;
``(C) building demonstrations;
``(D) developing definitions of energy use intensity and
building types for use in model building energy codes to
evaluate the efficiency impacts of the model building energy
codes;
``(E) performance-based standards;
``(F) evaluating economic considerations under subsection
(b)(4); and
``(G) developing model building energy codes by Indian
tribes in accordance with tribal law.
``(3) Amendment proposals.--The Secretary may submit timely
model building energy code amendment proposals to the
[[Page S5617]]
model building energy code-setting and standard development
organizations, with supporting evidence, sufficient to enable
the model building energy codes to meet the targets
established under subsection (b)(2).
``(4) Analysis methodology.--The Secretary shall make
publicly available the entire calculation methodology
(including input assumptions and data) used by the Secretary
to estimate the energy savings of code or standard proposals
and revisions.
``(d) Determination.--
``(1) Revision of model building energy codes.--If the
provisions of the IECC or ASHRAE Standard 90.1 regarding
building energy use are revised, the Secretary shall make a
preliminary determination not later than 90 days after the
date of the revision, and a final determination not later
than 15 months after the date of the revision, on whether or
not the revision will--
``(A) improve energy efficiency in buildings compared to
the existing model building energy code; and
``(B) meet the applicable targets under subsection (b)(2).
``(2) Codes or standards not meeting targets.--
``(A) In general.--If the Secretary makes a preliminary
determination under paragraph (1)(B) that a code or standard
does not meet the targets established under subsection
(b)(2), the Secretary may at the same time provide the model
building energy code or standard developer with proposed
changes that would result in a model building energy code
that meets the targets and with supporting evidence, taking
into consideration--
``(i) whether the modified code is technically feasible and
life-cycle cost effective;
``(ii) available appliances, technologies, materials, and
construction practices; and
``(iii) the economic considerations under subsection
(b)(4).
``(B) Incorporation of changes.--
``(i) In general.--On receipt of the proposed changes, the
model building energy code or standard developer shall have
an additional 270 days to accept or reject the proposed
changes of the Secretary to the model building energy code or
standard for the Secretary to make a final determination.
``(ii) Final determination.--A final determination under
paragraph (1) shall be on the modified model building energy
code or standard.
``(e) Administration.--In carrying out this section, the
Secretary shall--
``(1) publish notice of targets and supporting analysis and
determinations under this section in the Federal Register to
provide an explanation of and the basis for such actions,
including any supporting modeling, data, assumptions,
protocols, and cost-benefit analysis, including return on
investment; and
``(2) provide an opportunity for public comment on targets
and supporting analysis and determinations under this
section.
``(f) Voluntary Codes and Standards.--Notwithstanding any
other provision of this section, any model building code or
standard established under this section shall not be binding
on a State, local government, or Indian tribe as a matter of
Federal law.''.
PART II--WORKER TRAINING AND CAPACITY BUILDING
SEC. 821. BUILDING TRAINING AND ASSESSMENT CENTERS.
(a) In General.--The Secretary of Energy shall provide
grants to institutions of higher education (as defined in
section 101 of the Higher Education Act of 1965 (20 U.S.C.
1001)) and Tribal Colleges or Universities (as defined in
section 316(b) of that Act (20 U.S.C. 1059c(b)) to establish
building training and assessment centers--
(1) to identify opportunities for optimizing energy
efficiency and environmental performance in buildings;
(2) to promote the application of emerging concepts and
technologies in commercial and institutional buildings;
(3) to train engineers, architects, building scientists,
building energy permitting and enforcement officials, and
building technicians in energy-efficient design and
operation;
(4) to assist institutions of higher education and Tribal
Colleges or Universities in training building technicians;
(5) to promote research and development for the use of
alternative energy sources and distributed generation to
supply heat and power for buildings, particularly energy-
intensive buildings; and
(6) to coordinate with and assist State-accredited
technical training centers, community colleges, Tribal
Colleges or Universities, and local offices of the National
Institute of Food and Agriculture and ensure appropriate
services are provided under this section to each region of
the United States.
(b) Coordination and Nonduplication.--
(1) In general.--The Secretary shall coordinate the program
with the Industrial Assessment Centers program and with other
Federal programs to avoid duplication of effort.
(2) Collocation.--To the maximum extent practicable,
building, training, and assessment centers established under
this section shall be collocated with Industrial Assessment
Centers.
Subtitle B--Building Efficiency Finance
SEC. 831. LOAN PROGRAM FOR ENERGY EFFICIENCY UPGRADES TO
EXISTING BUILDINGS.
Title XVII of the Energy Policy Act of 2005 (42 U.S.C.
16511 et seq.) is amended by adding at the end the following:
``SEC. 1706. BUILDING RETROFIT FINANCING PROGRAM.
``(a) Definitions.--In this section:
``(1) Credit support.--The term `credit support' means a
guarantee or commitment to issue a guarantee or other forms
of credit enhancement to ameliorate risks for efficiency
obligations.
``(2) Efficiency obligation.--The term `efficiency
obligation' means a debt or repayment obligation incurred in
connection with financing a project, or a portfolio of such
debt or payment obligations.
``(3) Project.--The term `project' means the installation
and implementation of efficiency, advanced metering,
distributed generation, or renewable energy technologies and
measures in a building (or in multiple buildings on a given
property) that are expected to increase the energy efficiency
of the building (including fixtures) in accordance with
criteria established by the Secretary.
``(b) Eligible Projects.--
``(1) In general.--Notwithstanding sections 1703 and 1705,
the Secretary may provide credit support under this section,
in accordance with section 1702.
``(2) Inclusions.--Buildings eligible for credit support
under this section include commercial, multifamily
residential, industrial, municipal, government, institution
of higher education, school, and hospital facilities that
satisfy criteria established by the Secretary.
``(c) Guidelines.--
``(1) In general.--Not later than 180 days after the date
of enactment of this section, the Secretary shall--
``(A) establish guidelines for credit support provided
under this section;
``(B) publish the guidelines in the Federal Register; and
``(C) provide for an opportunity for public comment on the
guidelines.
``(2) Requirements.--The guidelines established by the
Secretary under this subsection shall include--
``(A) standards for assessing the energy savings that could
reasonably be expected to result from a project;
``(B) examples of financing mechanisms (and portfolios of
such financing mechanisms) that qualify as efficiency
obligations;
``(C) the threshold levels of energy savings that a
project, at the time of issuance of credit support, shall be
reasonably expected to achieve to be eligible for credit
support;
``(D) the eligibility criteria the Secretary determines to
be necessary for making credit support available under this
section; and
``(E) notwithstanding subsections (d)(3) and (g)(2)(B) of
section 1702, any lien priority requirements that the
Secretary determines to be necessary, in consultation with
the Director of the Office of Management and Budget, which
may include--
``(i) requirements to preserve priority lien status of
secured lenders and creditors in buildings eligible for
credit support;
``(ii) remedies available to the Secretary under chapter
176 of title 28, United States Code, in the event of default
on the efficiency obligation by the borrower; and
``(iii) measures to limit the exposure of the Secretary to
financial risk in the event of default, such as--
``(I) the collection of a credit subsidy fee from the
borrower as a loan loss reserve, taking into account the
limitation on credit support under subsection (d);
``(II) minimum debt-to-income levels of the borrower;
``(III) minimum levels of value relative to outstanding
mortgage or other debt on a building eligible for credit
support;
``(IV) allowable thresholds for the percent of the
efficiency obligation relative to the amount of any mortgage
or other debt on an eligible building;
``(V) analysis of historic and anticipated occupancy levels
and rental income of an eligible building;
``(VI) requirements of third-party contractors to guarantee
energy savings that will result from a retrofit project, and
whether financing on the efficiency obligation will amortize
from the energy savings;
``(VII) requirements that the retrofit project incorporate
protocols to measure and verify energy savings; and
``(VIII) recovery of payments equally by the Secretary and
the retrofit.
``(3) Efficiency obligations.--The financing mechanisms
qualified by the Secretary under paragraph (2)(B) may
include--
``(A) loans, including loans made by the Federal Financing
Bank;
``(B) power purchase agreements, including energy
efficiency power purchase agreements;
``(C) energy services agreements, including energy
performance contracts;
``(D) property assessed clean energy bonds and other tax
assessment-based financing mechanisms;
``(E) aggregate on-meter agreements that finance retrofit
projects; and
``(F) any other efficiency obligations the Secretary
determines to be appropriate.
``(4) Priorities.--In carrying out this section, the
Secretary shall prioritize--
``(A) the maximization of energy savings with the available
credit support funding;
``(B) the establishment of a clear application and approval
process that allows private building owners, lenders, and
investors to reasonably expect to receive credit support for
projects that conform to guidelines;
``(C) the distribution of projects receiving credit support
under this section across
[[Page S5618]]
States or geographical regions of the United States; and
``(D) projects designed to achieve whole-building
retrofits.
``(d) Limitation.--Notwithstanding section 1702(c), the
Secretary shall not issue credit support under this section
in an amount that exceeds--
``(1) 90 percent of the principal amount of the efficiency
obligation that is the subject of the credit support; or
``(2) $10,000,000 for any single project.
``(e) Aggregation of Projects.--To the extent provided in
the guidelines developed in accordance with subsection (c),
the Secretary may issue credit support on a portfolio, or
pool of projects, that are not required to be geographically
contiguous, if each efficiency obligation in the pool
fulfills the requirements described in this section.
``(f) Application.--
``(1) In general.--To be eligible to receive credit support
under this section, the applicant shall submit to the
Secretary an application at such time, in such manner, and
containing such information as the Secretary determines to be
necessary.
``(2) Contents.--An application submitted under this
section shall include assurances by the applicant that--
``(A) each contractor carrying out the project meets
minimum experience level criteria, including local retrofit
experience, as determined by the Secretary;
``(B) the project is reasonably expected to achieve energy
savings, as set forth in the application using any
methodology that meets the standards described in the program
guidelines;
``(C) the project meets any technical criteria described in
the program guidelines;
``(D) the recipient of the credit support and the parties
to the efficiency obligation will provide the Secretary
with--
``(i) any information the Secretary requests to assess the
energy savings that result from the project, including
historical energy usage data, a simulation-based benchmark,
and detailed descriptions of the building work, as described
in the program guidelines; and
``(ii) permission to access information relating to
building operations and usage for the period described in the
program guidelines; and
``(E) any other assurances that the Secretary determines to
be necessary.
``(3) Determination.--Not later than 90 days after
receiving an application, the Secretary shall make a final
determination on the application, which may include requests
for additional information.
``(g) Fees.--
``(1) In general.--In addition to the fees required by
section 1702(h)(1), the Secretary may charge reasonable fees
for credit support provided under this section.
``(2) Availability.--Fees collected under this section
shall be subject to section 1702(h)(2).
``(h) Underwriting.--The Secretary may delegate the
underwriting activities under this section to 1 or more
entities that the Secretary determines to be qualified.
``(i) Report.--Not later than 1 year after commencement of
the program, the Secretary shall submit to the appropriate
committees of Congress a report that describes in reasonable
detail--
``(1) the manner in which this section is being carried
out;
``(2) the number and type of projects supported;
``(3) the types of funding mechanisms used to provide
credit support to projects;
``(4) the energy savings expected to result from projects
supported by this section;
``(5) any tracking efforts the Secretary is using to
calculate the actual energy savings produced by the projects;
and
``(6) any plans to improve the tracking efforts described
in paragraph (5).
``(j) Funding.--
``(1) Authorization of appropriations.--There is authorized
to be appropriated to the Secretary to carry out this section
$400,000,000 for the period of fiscal years 2012 through
2021, to remain available until expended.
``(2) Administrative costs.--Not more than 1 percent of any
amounts made available to the Secretary under paragraph (1)
may be used by the Secretary for administrative costs
incurred in carrying out this section.''.
Subtitle C--Industrial Efficiency and Competitiveness
PART I--MANUFACTURING ENERGY EFFICIENCY
SEC. 841. STATE PARTNERSHIP INDUSTRIAL ENERGY EFFICIENCY
REVOLVING LOAN PROGRAM.
Section 399A of the Energy Policy and Conservation Act (42
U.S.C. 6371h-1) is amended--
(1) in the section heading, by inserting ``AND INDUSTRY''
before the period at the end;
(2) by redesignating subsections (h) and (i) as subsections
(i) and (j), respectively; and
(3) by inserting after subsection (g) the following:
``(h) State Partnership Industrial Energy Efficiency
Revolving Loan Program.--
``(1) In general.--The Secretary shall carry out a program
under which the Secretary shall provide grants to eligible
lenders to pay the Federal share of creating a revolving loan
program under which loans are provided to commercial and
industrial manufacturers to implement commercially available
technologies or processes that significantly--
``(A) reduce systems energy intensity, including the use of
energy-intensive feedstocks; and
``(B) improve the industrial competitiveness of the United
States.
``(2) Eligible lenders.--To be eligible to receive cost-
matched Federal funds under this subsection, a lender shall--
``(A) be a community and economic development lender that
the Secretary certifies meets the requirements of this
subsection;
``(B) lead a partnership that includes participation by, at
a minimum--
``(i) a State government agency; and
``(ii) a private financial institution or other provider of
loan capital;
``(C) submit an application to the Secretary, and receive
the approval of the Secretary, for cost-matched Federal funds
to carry out a loan program described in paragraph (1); and
``(D) ensure that non-Federal funds are provided to match,
on at least a dollar-for-dollar basis, the amount of Federal
funds that are provided to carry out a revolving loan program
described in paragraph (1).
``(3) Award.--The amount of cost-matched Federal funds
provided to an eligible lender shall not exceed $100,000,000
for any fiscal year.
``(4) Recapture of awards.--
``(A) In general.--An eligible lender that receives an
award under paragraph (1) shall be required to repay to the
Secretary an amount of cost-match Federal funds, as
determined by the Secretary under subparagraph (B), if the
eligible lender is unable or unwilling to operate a program
described in this subsection for a period of not less than 10
years beginning on the date on which the eligible lender
first receives funds made available through the award.
``(B) Determination by secretary.--The Secretary shall
determine the amount of cost-match Federal funds that an
eligible lender shall be required to repay to the Secretary
under subparagraph (A) based on the consideration by the
Secretary of--
``(i) the amount of non-Federal funds matched by the
eligible lender;
``(ii) the amount of loan losses incurred by the revolving
loan program described in paragraph (1); and
``(iii) any other appropriate factor, as determined by the
Secretary.
``(C) Use of recaptured cost-match federal funds.--The
Secretary may distribute to eligible lenders under this
subsection each amount received by the Secretary under this
paragraph.
``(5) Eligible projects.--A program for which cost-matched
Federal funds are provided under this subsection shall be
designed to accelerate the implementation of industrial and
commercial applications of technologies or processes
(including distributed generation, applications or
technologies that use sensors, meters, software, and
information networks, controls, and drives or that have been
installed pursuant to an energy savings performance contract,
project, or strategy) that--
``(A) improve energy efficiency, including improvements in
efficiency and use of water, power factor, or load
management;
``(B) enhance the industrial competitiveness of the United
States; and
``(C) achieve such other goals as the Secretary determines
to be appropriate.
``(6) Evaluation.--The Secretary shall evaluate
applications for cost-matched Federal funds under this
subsection on the basis of--
``(A) the description of the program to be carried out with
the cost-matched Federal funds;
``(B) the commitment to provide non-Federal funds in
accordance with paragraph (2)(D);
``(C) program sustainability over a 10-year period;
``(D) the capability of the applicant;
``(E) the quantity of energy savings or energy feedstock
minimization;
``(F) the advancement of the goal under this Act of 25-
percent energy avoidance;
``(G) the ability to fund energy efficient projects not
later than 120 days after the date of the grant award; and
``(H) such other factors as the Secretary determines
appropriate.
``(7) Authorization of appropriations.--There are
authorized to be appropriated to carry out this subsection,
$400,000,000 for the period of fiscal years 2012 through
2021.''.
SEC. 842. COORDINATION OF RESEARCH AND DEVELOPMENT OF ENERGY
EFFICIENT TECHNOLOGIES FOR INDUSTRY.
(a) In General.--As part of the research and development
activities of the Industrial Technologies Program of the
Department of Energy, the Secretary shall establish, as
appropriate, collaborative research and development
partnerships with other programs within the Office of Energy
Efficiency and Renewable Energy (including the Building
Technologies Program), the Office of Electricity Delivery and
Energy Reliability, and the Office of Science that--
(1) leverage the research and development expertise of
those programs to promote early stage energy efficiency
technology development;
(2) support the use of innovative manufacturing processes
and applied research for development, demonstration, and
commercialization of new technologies and processes
[[Page S5619]]
to improve efficiency (including improvements in efficient
use of water), reduce emissions, reduce industrial waste, and
improve industrial cost-competitiveness; and
(3) apply the knowledge and expertise of the Industrial
Technologies Program to help achieve the program goals of the
other programs.
(b) Reports.--Not later than 2 years after the date of
enactment of this Act and biennially thereafter, the
Secretary shall submit to Congress a report that describes
actions taken to carry out subsection (a) and the results of
those actions.
SEC. 843. REDUCING BARRIERS TO THE DEPLOYMENT OF INDUSTRIAL
ENERGY EFFICIENCY.
(a) Definitions.--In this section:
(1) Industrial energy efficiency.--The term ``industrial
energy efficiency'' means the energy efficiency derived from
commercial technologies and measures to improve energy
efficiency or to generate or transmit electric power and
heat, including electric motor efficiency improvements,
demand response, direct or indirect combined heat and power,
and waste heat recovery.
(2) Industrial sector.--The term ``industrial sector''
means any subsector of the manufacturing sector (as defined
in North American Industry Classification System codes 31-33
(as in effect on the date of enactment of this Act))
establishments of which have, or could have, thermal host
facilities with electricity requirements met in whole, or in
part, by onsite electricity generation, including direct and
indirect combined heat and power or waste recovery.
(3) Secretary.--The term ``Secretary'' means the Secretary
of Energy.
(b) Report on the Deployment of Industrial Energy
Efficiency.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the Secretary shall submit to the
Committee on Energy and Commerce of the House of
Representatives and the Committee on Energy and Natural
Resources of the Senate a report describing--
(A) the results of the study conducted under paragraph (2);
and
(B) recommendations and guidance developed under paragraph
(3).
(2) Study.--The Secretary, in coordination with the
industrial sector, shall conduct a study of the following:
(A) The legal, regulatory, and economic barriers to the
deployment of industrial energy efficiency in all electricity
markets (including organized wholesale electricity markets,
and regulated electricity markets), including, as applicable,
the following:
(i) Transmission and distribution interconnection
requirements.
(ii) Standby, back-up, and maintenance fees (including
demand ratchets).
(iii) Exit fees.
(iv) Life of contract demand ratchets.
(v) Net metering.
(vi) Calculation of avoided cost rates.
(vii) Power purchase agreements.
(viii) Energy market structures.
(ix) Capacity market structures.
(x) Other barriers as may be identified by the Secretary,
in coordination with the industrial sector.
(B) Examples of--
(i) successful State and Federal policies that resulted in
greater use of industrial energy efficiency;
(ii) successful private initiatives that resulted in
greater use of industrial energy efficiency; and
(iii) cost-effective policies used by foreign countries to
foster industrial energy efficiency.
(C) The estimated economic benefits to the national economy
of providing the industrial sector with Federal energy
efficiency matching grants of $5,000,000,000 for 5- and 10-
year periods, including benefits relating to--
(i) estimated energy and emission reductions;
(ii) direct and indirect jobs saved or created;
(iii) direct and indirect capital investment;
(iv) the gross domestic product; and
(v) trade balance impacts.
(D) The estimated energy savings available from increased
use of recycled material in energy-intensive manufacturing
processes.
(3) Recommendations and guidance.--The Secretary, in
coordination with the industrial sector, shall develop policy
recommendations regarding the deployment of industrial energy
efficiency, including proposed regulatory guidance to States
and relevant Federal agencies to address barriers to
deployment.
SEC. 844. FUTURE OF INDUSTRY PROGRAM.
(a) In General.--Section 452 of the Energy Independence and
Security Act of 2007 (42 U.S.C. 17111) is amended by striking
the section heading and inserting the following: ``FUTURE OF
INDUSTRY PROGRAM''.
(b) Definition of Energy Service Provider.--Section 452(a)
of the Energy Independence and Security Act of 2007 (42
U.S.C. 17111(a)) is amended--
(1) by redesignating paragraphs (3) through (5) as
paragraphs (4) through (6), respectively; and
(2) by inserting after paragraph (3):
``(5) Energy service provider.--The term `energy service
provider' means any private company or similar entity
providing technology or services to improve energy efficiency
in an energy-intensive industry.''.
(c) Industrial Research and Assessment Centers.--
(1) In general.--Section 452(e) of the Energy Independence
and Security Act of 2007 (42 U.S.C. 17111(e)) is amended--
(A) by redesignating paragraphs (1) through (5) as
subparagraphs (A) through (E), respectively, and indenting
appropriately;
(B) by striking ``The Secretary'' and inserting the
following:
``(1) In general.--The Secretary'';
(C) in subparagraph (A) (as redesignated by subparagraph
(A)), by inserting before the semicolon at the end the
following: ``, including assessments of sustainable
manufacturing goals and the implementation of information
technology advancements for supply chain analysis, logistics,
system monitoring, industrial and manufacturing processes,
and other purposes''; and
(D) by adding at the end the following:
``(2) Centers of excellence.--
``(A) In general.--The Secretary shall establish a Center
of Excellence at up to 10 of the highest performing
industrial research and assessment centers, as determined by
the Secretary.
``(B) Duties.--A Center of Excellence shall coordinate with
and advise the industrial research and assessment centers
located in the region of the Center of Excellence.
``(C) Funding.--Subject to the availability of
appropriations, of the funds made available under subsection
(f), the Secretary shall use to support each Center of
Excellence not less than $500,000 for fiscal year 2012 and
each fiscal year thereafter, as determined by the Secretary.
``(3) Expansion of centers.--The Secretary shall provide
funding to establish additional industrial research and
assessment centers at institutions of higher education that
do not have industrial research and assessment centers
established under paragraph (1), taking into account the size
of, and potential energy efficiency savings for, the
manufacturing base within the region of the proposed center.
``(4) Coordination.--
``(A) In general.--To increase the value and capabilities
of the industrial research and assessment centers, the
centers shall--
``(i) coordinate with Manufacturing Extension Partnership
Centers of the National Institute of Standards and
Technology;
``(ii) coordinate with the Building Technologies Program of
the Department of Energy to provide building assessment
services to manufacturers;
``(iii) increase partnerships with the National
Laboratories of the Department of Energy to leverage the
expertise and technologies of the National Laboratories for
national industrial and manufacturing needs;
``(iv) increase partnerships with energy service providers
and technology providers to leverage private sector expertise
and accelerate deployment of new and existing technologies
and processes for energy efficiency, power factor, and load
management;
``(v) identify opportunities for reducing greenhouse gas
emissions; and
``(vi) promote sustainable manufacturing practices for
small- and medium-sized manufacturers.
``(5) Outreach.--The Secretary shall provide funding for--
``(A) outreach activities by the industrial research and
assessment centers to inform small- and medium-sized
manufacturers of the information, technologies, and services
available; and
``(B) a full-time equivalent employee at each center of
excellence whose primary mission shall be to coordinate and
leverage the efforts of the center with--
``(i) Federal and State efforts;
``(ii) the efforts of utilities and energy service
providers;
``(iii) the efforts of regional energy efficiency
organizations; and
``(iv) the efforts of other centers in the region of the
center of excellence.
``(6) Workforce training.--
``(A) In general.--The Secretary shall pay the Federal
share of associated internship programs under which students
work with or for industries, manufacturers, and energy
service providers to implement the recommendations of
industrial research and assessment centers.
``(B) Federal share.--The Federal share of the cost of
carrying out internship programs described in subparagraph
(A) shall be 50 percent.
``(C) Funding.--Subject to the availability of
appropriations, of the funds made available under subsection
(f), the Secretary shall use to carry out this paragraph not
less than $5,000,000 for fiscal year 2012 and each fiscal
year thereafter.
``(7) Small business loans.--The Administrator of the Small
Business Administration shall, to the maximum extent practicable,
expedite consideration of applications from eligible small
business concerns for loans under the Small Business Act (15
U.S.C. 631 et seq.) to implement recommendations of
industrial research and assessment centers established under
paragraph (1).''.
SEC. 845. SUSTAINABLE MANUFACTURING INITIATIVE.
(a) In General.--Part E of title III of the Energy Policy
and Conservation Act (42 U.S.C. 6341) is amended by adding at
the end the following:
``SEC. 376. SUSTAINABLE MANUFACTURING INITIATIVE.
``(a) In General.--As part of the Industrial Technologies
Program of the Department of Energy, the Secretary shall
carry out a sustainable manufacturing initiative under which
the Secretary, on the request of a manufacturer, shall
conduct onsite technical assessments to identify
opportunities for--
[[Page S5620]]
``(1) maximizing the energy efficiency of industrial
processes and cross-cutting systems;
``(2) preventing pollution and minimizing waste;
``(3) improving efficient use of water in manufacturing
processes;
``(4) conserving natural resources; and
``(5) achieving such other goals as the Secretary
determines to be appropriate.
``(b) Coordination.--The Secretary shall carry out the
initiative in coordination with the private sector and
appropriate agencies, including the National Institute of
Standards and Technology to accelerate adoption of new and
existing technologies or processes that improve energy
efficiency.
``(c) Research and Development Program for Sustainable
Manufacturing and Industrial Technologies and Processes.--As
part of the Industrial Technologies Program of the Department
of Energy, the Secretary shall carry out a joint industry-
government partnership program to research, develop, and
demonstrate new sustainable manufacturing and industrial
technologies and processes that maximize the energy
efficiency of industrial systems, reduce pollution, and
conserve natural resources.
``(d) Authorization of Appropriations.--There is authorized
to be appropriated to carry out this section $10,000,000 for the period of
fiscal years 2012 through 2021.''.
(b) Table of Contents.--The table of contents of the Energy
Policy and Conservation Act (42 U.S.C. prec. 6201) is amended
by adding at the end of the items relating to part E of title
III the following:
``Sec. 376. Sustainable manufacturing initiative.''.
SEC. 846. STUDY OF ADVANCED ENERGY TECHNOLOGY MANUFACTURING
CAPABILITIES IN THE UNITED STATES.
(a) In General.--Not later than 60 days after the date of
enactment of this Act, the Secretary shall enter into an
arrangement with the National Academy of Sciences under which
the Academy shall conduct a study of the development of
advanced manufacturing capabilities for various energy
technologies, including--
(1) an assessment of the manufacturing supply chains of
established and emerging industries;
(2) an analysis of--
(A) the manner in which supply chains have changed over the
25-year period ending on the date of enactment of this Act;
(B) current trends in supply chains; and
(C) the energy intensity of each part of the supply chain
and opportunities for improvement;
(3) for each technology or manufacturing sector, an
analysis of which sections of the supply chain are critical
for the United States to retain or develop to be competitive
in the manufacturing of the technology;
(4) an assessment of which emerging energy technologies the
United States should focus on to create or enhance
manufacturing capabilities; and
(5) recommendations on leveraging the expertise of energy
efficiency and renewable energy user facilities so that best
materials and manufacturing practices are designed and
implemented.
(b) Report.--Not later than 2 years after the date on which
the Secretary enters into the agreement with the Academy
described in subsection (a), the Academy shall submit to the
Committee on Energy and Natural Resources of the Senate, the
Committee on Energy and Commerce of the House of
Representatives, and the Secretary a report describing the
results of the study required under this section, including
any findings and recommendations.
SEC. 847. INDUSTRIAL TECHNOLOGIES STEERING COMMITTEE.
The Secretary shall establish an advisory steering
committee that includes national trade associations
representing energy-intensive industries or energy service
providers to provide recommendations to the Secretary on
planning and implementation of the Industrial Technologies
Program of the Department of Energy.
PART II--SUPPLY STAR
SEC. 851. SUPPLY STAR.
Part B of title III of the Energy Policy and Conservation
Act (42 U.S.C. 6291) is amended by inserting after section
324A (42 U.S.C. 6294a) the following:
``SEC. 324B. SUPPLY STAR PROGRAM.
``(a) In General.--There is established within the
Department of Energy a Supply Star program to identify and
promote practices, recognize companies, and, as appropriate,
recognize products that use highly efficient supply chains in
a manner that conserves energy, water, and other resources.
``(b) Coordination.--In carrying out the program described
in subsection (a), the Secretary shall--
``(1) consult with other appropriate agencies; and
``(2) coordinate efforts with the Energy Star program
established under section 324A.
``(c) Duties.--In carrying out the Supply Star program
described in subsection (a), the Secretary shall--
``(1) promote practices, recognize companies, and, as
appropriate, recognize products that comply with the Supply
Star program as the preferred practices, companies, and
products in the marketplace for maximizing supply chain
efficiency;
``(2) work to enhance industry and public awareness of the
Supply Star program;
``(3) collect and disseminate data on supply chain energy
resource consumption;
``(4) develop and disseminate metrics, processes, and
analytical tools (including software) for evaluating supply
chain energy resource use;
``(5) develop guidance at the sector level for improving
supply chain efficiency;
``(6) work with domestic and international organizations to
harmonize approaches to analyzing supply chain efficiency,
including the development of a consistent set of tools,
templates, calculators, and databases; and
``(7) work with industry, including small businesses, to
improve supply chain efficiency through activities that
include--
``(A) developing and sharing best practices; and
``(B) providing opportunities to benchmark supply chain
efficiency.
``(d) Evaluation.--In any evaluation of supply chain
efficiency carried out by the Secretary with respect to a
specific product, the Secretary shall consider energy
consumption and resource use throughout the entire lifecycle
of a product, including production, transport, packaging,
use, and disposal.
``(e) Grants and Incentives.--
``(1) In general.--The Secretary may award grants or other
forms of incentives on a competitive basis to eligible
entities, as determined by the Secretary, for the purposes
of--
``(A) studying supply chain energy resource efficiency; and
``(B) demonstrating and achieving reductions in the energy
resource consumption of commercial products through changes
and improvements to the production supply and distribution
chain of the products.
``(2) Use of information.--Any information or data
generated as a result of the grants or incentives described
in paragraph (1) shall be used to inform the development of
the Supply Star Program.
``(f) Training.--The Secretary shall use funds to support
professional training programs to develop and communicate
methods, practices, and tools for improving supply chain
efficiency.
``(g) Effect of Impact on Climate Change.--For purposes of
this section, the impact on climate change shall not be a
factor in determining supply chain efficiency.
``(h) Effect of Outsourcing of American Jobs.--For purposes
of this section, the outsourcing of American jobs in the
production of a product shall not count as a positive factor
in determining supply chain efficiency.
``(i) Authorization of Appropriations.--There are
authorized to be appropriated to carry out this section
$10,000,000 for the period of fiscal years 2012 through
2021.''.
PART III--ELECTRIC MOTOR REBATE PROGRAM
SEC. 861. ENERGY SAVING MOTOR CONTROL REBATE PROGRAM.
(a) Establishment.--Not later than January 1, 2012, the
Secretary of Energy (referred to in this section as the
``Secretary'') shall establish a program to provide rebates
for expenditures made by entities for the purchase and
installation of a new constant speed electric motor control
that reduces motor energy use by not less than 5 percent.
(b) Requirements.--
(1) Application.--To be eligible to receive a rebate under
this section, an entity shall submit to the Secretary an
application in such form, at such time, and containing such
information as the Secretary may require, including--
(A) demonstrated evidence that the entity purchased a
constant speed electric motor control that reduces motor
energy use by not less than 5 percent; and
(B) the physical nameplate of the installed motor of the
entity to which the energy saving motor control is attached.
(2) Authorized amount of rebate.--The Secretary may provide
to an entity that meets the requirements of paragraph (1) a
rebate the amount of which shall be equal to the product
obtained by multiplying--
(A) the nameplate horsepower of the electric motor to which
the energy saving motor control is attached; and
(B) $25.
(c) Authorization of Appropriations.--There is authorized
to be appropriated to carry out this section $5,000,000 for
each of fiscal years 2012 and 2013, to remain available until
expended.
PART IV--TRANSFORMER REBATE PROGRAM
SEC. 871. ENERGY EFFICIENT TRANSFORMER REBATE PROGRAM.
(a) Definition of Qualified Transformer.--In this section,
the term ``qualified transformer'' means a transformer that
meets or exceeds the National Electrical Manufacturers
Association (NEMA) Premium Efficiency designation, calculated
to 2 decimal points, as having 30 percent fewer losses than
the NEMA TP-1-2002 efficiency standard for a transformer of
the same number of phases and capacity, as measured in
kilovolt-amperes.
(b) Establishment.--Not later than January 1, 2012, the
Secretary of Energy (referred to in this section as the
``Secretary'') shall establish a program to provide rebates
for expenditures made by owners of commercial buildings and
multifamily residential buildings for the purchase and
installation of new energy efficient transformers.
(c) Requirements.--
(1) Application.--To be eligible to receive a rebate under
this section, an owner shall submit to the Secretary an
application in such form, at such time, and containing such
information as the Secretary may require,
including demonstrated evidence that the owner purchased a
qualified transformer.
(2) Authorized amount of rebate.--For qualified
transformers, rebates, in dollars per kilovolt-ampere
(referred to in this paragraph as ``kVA'') shall be--
(A) for 3-phase transformers--
(i) with a capacity of not greater than 10 kVA, $15;
(ii) with a capacity of not less than 10 kVA and not
greater than 100 kVA, the difference between 15 and the
quotient obtained by dividing--
(I) the difference between--
(aa) the capacity of the transformer in kVA; and
(bb) 10; by
(II) 9; and
(iii) with a capacity greater than or equal to 100 kVA, $5;
and
(B) for single-phase transformers, 75 percent of the rebate
for a 3-phase transformer of the same capacity.
(d) Authorization of Appropriations.--There is authorized
to be appropriated to carry out this section $5,000,000 for
each of fiscal years 2012 and 2013, to remain available until
expended.
Subtitle D--Federal Agency Energy Efficiency
SEC. 881. ADOPTION OF PERSONAL COMPUTER POWER SAVINGS
TECHNIQUES BY FEDERAL AGENCIES.
(a) In General.--Not later than 360 days after the date of
enactment of this Act, the Secretary of Energy, in
consultation with the Secretary of Defense, the Secretary of
Veterans Affairs, and the Administrator of General Services,
shall issue guidance for Federal agencies to employ advanced
tools allowing energy savings through the use of computer
hardware, energy efficiency software, and power management
tools.
(b) Reports on Plans and Savings.--Not later than 180 days
after the date of the issuance of the guidance under
subsection (a), each Federal agency shall submit to the
Secretary of Energy a report that describes--
(1) the plan of the agency for implementing the guidance
within the agency; and
(2) estimated energy and financial savings from employing
the tools described in subsection (a).
SEC. 882. AVAILABILITY OF FUNDS FOR DESIGN UPDATES.
Section 3307 of title 40, United States Code, is amended--
(1) by redesignating subsections (d) through (h) as
subsections (e) through (i), respectively; and
(2) by inserting after subsection (c) the following:
``(d) Availability of Funds for Design Updates.--
``(1) In general.--Subject to paragraph (2), for any
project for which congressional approval is received under
subsection (a) and for which the design has been
substantially completed but construction has not begun, the
Administrator of General Services may use appropriated funds
to update the project design to meet applicable Federal
building energy efficiency standards established under
section 305 of the Energy Conservation and Production Act (42
U.S.C. 6834) and other requirements established under section
3312.
``(2) Limitation.--The use of funds under paragraph (1)
shall not exceed 125 percent of the estimated energy or other
cost savings associated with the updates as determined by a
life-cycle cost analysis under section 544 of the National
Energy Conservation Policy Act (42 U.S.C. 8254).''.
SEC. 883. BEST PRACTICES FOR ADVANCED METERING.
Section 543(e) of the National Energy Conservation Policy
Act (42 U.S.C. 8253(e)) is amended by striking paragraph (3)
and inserting the following:
``(3) Plan.--
``(A) In general.--Not later than 180 days after the date
on which guidelines are established under paragraph (2), in a
report submitted by the agency under section 548(a), each
agency shall submit to the Secretary a plan describing the
manner in which the agency will implement the requirements of
paragraph (1), including--
``(i) how the agency will designate personnel primarily
responsible for achieving the requirements; and
``(ii) a demonstration by the agency, complete with
documentation, of any finding that advanced meters or
advanced metering devices (as those terms are used in
paragraph (1)), are not practicable.
``(B) Updates.--Reports submitted under subparagraph (A)
shall be updated annually.
``(4) Best practices report.--
``(A) In general.--Not later than 180 days after the date
of enactment of the Energy Savings and Industrial
Competitiveness Act of 2012, the Secretary of Energy, in
consultation with the Secretary of Defense and the
Administrator of General Services, shall develop, and issue a
report on, best practices for the use of advanced metering of
energy use in Federal facilities, buildings, and equipment by
Federal agencies.
``(B) Updating.--The report described under subparagraph
(A) shall be updated annually.
``(C) Components.--The report shall include, at a minimum--
``(i) summaries and analysis of the reports by agencies
under paragraph (3);
``(ii) recommendations on standard requirements or
guidelines for automated energy management systems,
including--
``(I) potential common communications standards to allow
data sharing and reporting;
``(II) means of facilitating continuous commissioning of
buildings and evidence-based maintenance of buildings and
building systems; and
``(III) standards for sufficient levels of security and
protection against cyber threats to ensure systems cannot be
controlled by unauthorized persons; and
``(iii) an analysis of--
``(I) the types of advanced metering and monitoring systems
being piloted, tested, or installed in Federal buildings; and
``(II) existing techniques used within the private sector
or other non-Federal government buildings.''.
SEC. 884. FEDERAL ENERGY MANAGEMENT AND DATA COLLECTION
STANDARD.
Section 543 of the National Energy Conservation Policy Act
(42 U.S.C. 8253) is amended--
(1) by redesignating the second subsection (f) (as added by
section 434(a) of Public Law 110-140 (121 Stat. 1614)) as
subsection (g); and
(2) in subsection (f)(7), by striking subparagraph (A) and
inserting the following:
``(A) In general.--For each facility that meets the
criteria established by the Secretary under paragraph (2)(B),
the energy manager shall use the web-based tracking system
under subparagraph (B)--
``(i) to certify compliance with the requirements for--
``(I) energy and water evaluations under paragraph (3);
``(II) implementation of identified energy and water
measures under paragraph (4); and
``(III) follow-up on implemented measures under paragraph
(5); and
``(ii) to publish energy and water consumption data on an
individual facility basis.''.
SEC. 885. ELECTRIC VEHICLE CHARGING INFRASTRUCTURE.
Section 804(4) of the National Energy Conservation Policy
Act (42 U.S.C. 8287c(4)) is amended--
(1) in subparagraph (A), by striking ``or'' after the
semicolon;
(2) in subparagraph (B), by striking the period at the end
and inserting ``; or''; and
(3) by adding at the end the following:
``(C) a measure to support the use of electric vehicles or
the fueling or charging infrastructure necessary for electric
vehicles.''.
SEC. 886. FEDERAL PURCHASE REQUIREMENT.
Section 203 of the Energy Policy Act of 2005 (42 U.S.C.
15852) is amended--
(1) in subsections (a) and (b)(2), by striking ``electric
energy'' each place it appears and inserting ``electric,
direct, and thermal energy'';
(2) in subsection (b)(2)--
(A) by inserting ``, or avoided by,'' after ``generated
from''; and
(B) by inserting ``(including ground-source, reclaimed, and
ground water)'' after ``geothermal'';
(3) by redesignating subsection (d) as subsection (e); and
(4) by inserting after subsection (c) the following:
``(d) Separate Calculation.--Renewable energy produced at a
Federal facility, on Federal land, or on Indian land (as
defined in section 2601 of the Energy Policy Act of 1992 (25
U.S.C. 3501))--
``(1) shall be calculated (on a BTU-equivalent basis)
separately from renewable energy used; and
``(2) may be used individually or in combination to comply
with subsection (a).''.
SEC. 887. STUDY ON FEDERAL DATA CENTER CONSOLIDATION.
(a) In General.--The Secretary of Energy shall conduct a
study on the feasibility of a government-wide data center
consolidation, with an overall Federal target of a minimum of
800 Federal data center closures by October 1, 2015.
(b) Coordination.--In conducting the study, the Secretary
shall coordinate with Federal data center program managers,
facilities managers, and sustainability officers.
(c) Report.--Not later than 1 year after the date of
enactment of this Act, the Secretary shall submit to Congress
a report that describes the results of the study, including a
description of agency best practices in data center
consolidation.
Subtitle E--Miscellaneous
SEC. 891. OFFSETS.
(a) Zero-Net Energy Commercial Buildings Initiative.--
Section 422(f) of the Energy Independence and Security Act of
2007 (42 U.S.C. 17082(f)) is amended by striking paragraphs
(2) through (4) and inserting the following:
``(2) $50,000,000 for each of fiscal years 2009 through
2012;
``(3) $100,000,000 for fiscal year 2013; and
``(4) $200,000,000 for each of fiscal years 2014 through
2018.''.
(b) Energy Sustainability and Efficiency Grants and Loans
for Institutions.--Subsection (j) of section 399A of the
Energy Policy and Conservation Act (42 U.S.C. 6371h-1) (as
redesignated by section 841(2)) is amended--
(1) in paragraph (1), by striking ``through 2013'' and
inserting ``and 2010, $100,000,000 for each of fiscal years
2011 and 2012, and $250,000,000 for fiscal year 2013''; and
(2) in paragraph (2), by striking ``through 2013'' and
inserting ``and 2010, $100,000,000 for each of fiscal years
2011 and 2012, and $425,000,000 for fiscal year 2013''.
(c) Waste Energy Recovery Incentive Program.--Section
373(f)(1) of the Energy
Policy and Conservation Act (42 U.S.C. 6343(f)(1)) is
amended--
(1) by redesignating subparagraph (B) as subparagraph (D);
and
(2) by striking subparagraph (A) and inserting the
following:
``(A) $100,000,000 for fiscal year 2008;
``(B) $200,000,000 for each of fiscal years 2009 and 2010;
``(C) $100,000,000 for each of fiscal years 2011 and 2012;
and''.
(d) Energy-intensive Industries Program.--Section 452(f)(1)
of the Energy Independence and Security Act of 2007 (42
U.S.C. 17111(f)(1)) is amended--
(1) in subparagraph (D), by striking ``$202,000,000'' and
inserting ``$102,000,000''; and
(2) in subparagraph (E), by striking ``$208,000,000'' and
inserting ``$108,000,000''.
SEC. 892. ADVANCE APPROPRIATIONS REQUIRED.
The authorization of amounts under this title and the
amendments made by this title shall be effective for any
fiscal year only to the extent and in the amount provided in
advance in appropriations Acts.
______
SA 2617. Mr. COONS (for himself, Mr. Wyden, Mr. Akaka, Mr. Franken,
Mr. Udall of New Mexico, and Mr. Sanders) submitted an amendment
intended to be proposed by him to the bill S. 3414, to enhance the
security and resiliency of the cyber and communications infrastructure
of the United States; which was ordered to lie on the table; as
follows:
At the end of title VII, add the following:
SEC. 709. SUNSET.
(a) In General.--Except as provided in subsection (b), this
title shall cease to have effect five years after the date of
enactment of this Act.
(b) Exception.--With respect to any particular disclosure
or sharing that occurred before the date on which the
provisions referred to in subsection (a) cease to have
effect, such provisions shall continue in effect.
______
SA 2618. Mr. AKAKA (for himself, Mr. Blumenthal, Mr. Coons, Mr.
Franken, Mr. Sanders, Mr. Udall of New Mexico, and Mr. Wyden) submitted
an amendment intended to be proposed by him to the bill S. 3414, to
enhance the security and resiliency of the cyber and communications
infrastructure of the United States; which was ordered to lie on the
table; as follows:
On page 105, after the end of the matter between lines 11
and 12, insert the following:
SEC. 205. PRIVACY BREACH REQUIREMENTS.
(a) In General.--Subchapter II of chapter 35 of title 44,
United States Code, as amended by section 201 of this Act, is
amended by adding at the end the following:
``Sec. 3559. Privacy breach requirements
``(a) Policies and Procedures.--The Secretary shall
establish and oversee policies and procedures for agencies to
follow in the event of a breach of information security
involving the disclosure of personally identifiable
information, including requirements for--
``(1) timely notice to the individuals whose personally
identifiable information could be compromised as a result of
such breach;
``(2) timely reporting to a Federal cybersecurity center
(as defined in section 708 of the Cybersecurity Act of 2012),
as designated by the Secretary; and
``(3) additional actions as necessary and appropriate,
including data breach analysis, fraud resolution services,
identity theft insurance, and credit protection or monitoring
services.
``(b) Required Agency Action.--The head of each agency
shall ensure that actions taken in response to a breach of
information security involving the disclosure of personally
identifiable information under the authority or control of
the agency comply with policies and procedures established by
the Secretary under subsection (a).
``(c) Report.--Not later than March 1 of each year, the
Secretary shall report to Congress on agency compliance with
the policies and procedures established under subsection
(a).''.
(b) Technical and Conforming Amendment.--The table of
sections for subtitle II for chapter 35 of title 44, United
States Code, as amended by section 201 of this Act, is
amended by adding at the end the following:
``3559. Privacy breach requirements.''.
SEC. 206. AMENDMENTS TO THE E-GOVERNMENT ACT OF 2002.
Section 208(b)(1)(A) of the E-Government Act of 2002 (44
U.S.C. 3501 note; Public Law 107-347) is amended--
(1) in clause (i), by striking ``or'' at the end;
(2) in clause (ii), by striking the period at the end and
inserting ``; or''; and
(3) by adding at the end the following:
``(iii) using information in an identifiable form
purchased, or subscribed to for a fee, from a commercial data
source.''.
SEC. 207. AUTHORITY OF THE DIRECTOR OF THE OFFICE OF
MANAGEMENT AND BUDGET WITH RESPECT TO FEDERAL
INFORMATION POLICY.
Section 3504(g) of title 44, United States Code, is
amended--
(1) in paragraph (1), by striking ``and'' at the end;
(2) in paragraph (2), by striking the period at the end and
inserting ``; and''; and
(3) by adding at the end the following:
``(3) designate a Federal Chief Privacy Officer within the
Office of Management and Budget who is a noncareer appointee
in a Senior Executive Service position and who is a trained
and experienced privacy professional to carry out the
responsibilities of the Director with regard to privacy.''.
SEC. 208. CIVIL REMEDIES UNDER THE PRIVACY ACT.
Section 552a(g)(4)(A) of title 5, United States Code, is
amended--
(1) by striking ``actual damages'' and inserting ``provable
damages, including damages that are not pecuniary damages,'';
and
(2) by striking ``, but in no case shall a person entitled
to recovery receive less than the sum of $1,000'' and
inserting ``or the sum of $1,000, whichever is greater.''.
On page 188, lines 5 through 7, strike ``the Chief Privacy
and Civil Liberties Officer of the Department of Justice and
the Chief Privacy Officer of the Department'' and insert
``the Federal Chief Privacy Officer''.
On page 191, line 19, strike ``actual damages'' and insert
``provable damages, including damages that are not pecuniary
damages,''
______
SA 2619. Mr. DeMINT submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
At the appropriate place, insert the following:
SEC. __. RIGHT TO WORK.
(a) Amendments to the National Labor Relations Act.--
(1) Rights of employees.--Section 7 of the National Labor
Relations Act (29 U.S.C. 157) is amended by striking ``except
to'' and all that follows through ``authorized in section
8(a)(3)''.
(2) Unfair labor practices.--Section 8 of the National
Labor Relations Act (29 U.S.C. 158) is amended--
(A) in subsection (a)(3), by striking ``: Provided, That''
and all that follows through ``retaining membership'';
(B) in subsection (b)--
(i) in paragraph (2), by striking ``or to discriminate''
and all that follows through ``retaining membership''; and
(ii) in paragraph (5), by striking ``covered by an
agreement authorized under subsection (a)(3) of this
section''; and
(C) in subsection (f), by striking clause (2) and
redesignating clauses (3) and (4) as clauses (2) and (3),
respectively.
(b) Amendment to the Railway Labor Act.--Section 2 of the
Railway Labor Act (45 U.S.C. 152) is amended by striking
paragraph Eleven.
______
SA 2620. Mr. HOEVEN submitted an amendment intended to be proposed by
him to the bill S. 3414, to enhance the security and resiliency of the
cyber and communications infrastructure of the United States; which was
ordered to lie on the table; as follows:
On page 109, strike line 17 and all that follows through
page 110, line 20, and insert the following:
institutions and to provide funds to the military service
academies to establish cybersecurity test beds capable of
realistic modeling of real-time cyber attacks and defenses.
(B) Requirement.--The test beds established under
subparagraph (A) shall be sufficiently large in order to
model the scale and complexity of real world networks and
environments.
(3) Purpose.--The purpose of the program established under
paragraph (2) shall be to support the rapid development of
new cybersecurity defenses, techniques, and processes by
improving understanding and assessing the latest technologies
in a real-world environment.
(e) Coordination With Other Research Initiatives.--The
Director shall to the extent practicable, coordinate research
and development activities under this section with other
ongoing research and development security-related
initiatives, including research being conducted by--
(1) the National Institute of Standards and Technology;
(2) the Department;
(3) other Federal agencies;
(4) other Federal and private research laboratories,
research entities, the military service academies, and
universities and institutions of higher education, and
relevant nonprofit organizations; and
____________________