[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3523 Reported in House (RH)]
Union Calendar No. 311
112th CONGRESS
2d Session
H. R. 3523
[Report No. 112-445]
To provide for the sharing of certain cyber threat intelligence and
cyber threat information between the intelligence community and
cybersecurity entities, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
November 30, 2011
Mr. Rogers of Michigan (for himself, Mr. Ruppersberger, Mr. King of New
York, Mr. Upton, Mrs. Myrick, Mr. Langevin, Mr. Conaway, Mr. Miller of
Florida, Mr. Boren, Mr. LoBiondo, Mr. Chandler, Mr. Nunes, Mr.
Gutierrez, Mr. Westmoreland, Mrs. Bachmann, Mr. Rooney, Mr. Heck, Mr.
Dicks, Mr. McCaul, Mr. Walden, Mr. Calvert, Mr. Shimkus, Mr. Terry, Mr.
Burgess, Mr. Gingrey of Georgia, Mr. Thompson of California, Mr.
Kinzinger of Illinois, Mr. Amodei, and Mr. Pompeo) introduced the
following bill; which was referred to the Select Committee on
Intelligence (Permanent Select)
April 17, 2012
Additional sponsors: Mr. Latta, Mr. Quayle, Mr. McHenry, Mr.
Frelinghuysen, Mr. Yoder, Mr. Walberg, Mr. Camp, Ms. Eshoo, Mr.
Michaud, Mrs. McMorris Rodgers, Mr. Sullivan, Mr. McKinley, Ms. Ros-
Lehtinen, Mr. Coffman of Colorado, Mr. Goodlatte, Mr. Wolf, Mr. Forbes,
Mr. Gary G. Miller of California, Mr. Stearns, Mr. Issa, Mr. Cole, Mr.
Turner of Ohio, Mr. Brooks, Mr. Huizenga of Michigan, Mr. Carter, Mrs.
Hartzler, Mr. Grimm, Mrs. Miller of Michigan, Mr. Guthrie, Mr. Rogers
of Alabama, Mr. Benishek, Mr. Broun of Georgia, Mr. Lance, Mr. Hastings
of Washington, Mr. Davis of Kentucky, Mr. Meehan, Mr. Shuster, Mr.
Olson, Mr. Kline, Mrs. Bono Mack, Mr. Bachus, Mr. Schock, Mr. Roe of
Tennessee, Mr. Fleischmann, Mr. Baca, Mr. Boswell, Mrs. Noem, Mr.
Wittman, Mr. Hultgren, Mrs. Blackburn, Mr. Hastings of Florida, Mr.
Hurt, Mr. Johnson of Ohio, Mr. Smith of Nebraska, Mr. Crawford, Mr.
Franks of Arizona, Mr. Larsen of Washington, Mr. Sires, Mr. Towns, Ms.
Bordallo, Mr. Ross of Arkansas, Mr. Cooper, Mr. Pitts, Mr. Runyan, Mr.
Costa, Mr. Cardoza, Mr. Woodall, Mr. Bartlett, Mr. Shuler, Mr. Stivers,
Mr. Wilson of South Carolina, Mr. McIntyre, Mr. Kissell, Mr. Scalise,
Mr. Bilbray, Mr. Griffith of Virginia, Mr. Peterson, Mr. Owens, Mr.
Mulvaney, Mr. Hall, Mr. Cuellar, Mr. Lamborn, Mr. Austria, and Mr.
McKeon
April 17, 2012
Reported with an amendment, committed to the Committee of the Whole
House on the State of the Union, and ordered to be printed
[Strike out all after the enacting clause and insert the part printed
in italic]
[For text of introduced bill, see copy of bill as introduced on
November 30, 2011]
_______________________________________________________________________
A BILL
To provide for the sharing of certain cyber threat intelligence and
cyber threat information between the intelligence community and
cybersecurity entities, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cyber Intelligence Sharing and
Protection Act''.
SEC. 2. CYBER THREAT INTELLIGENCE AND INFORMATION SHARING.
(a) In General.--Title XI of the National Security Act of 1947 (50
U.S.C. 442 et seq.) is amended by adding at the end the following new
section:
``cyber threat intelligence and information sharing
``Sec. 1104. (a) Intelligence Community Sharing of Cyber Threat
Intelligence With Private Sector.--
``(1) In general.--The Director of National Intelligence
shall establish procedures to allow elements of the
intelligence community to share cyber threat intelligence with
private-sector entities and to encourage the sharing of such
intelligence.
``(2) Sharing and use of classified intelligence.--The
procedures established under paragraph (1) shall provide that
classified cyber threat intelligence may only be--
``(A) shared by an element of the intelligence
community with--
``(i) certified entities; or
``(ii) a person with an appropriate
security clearance to receive such cyber threat
intelligence;
``(B) shared consistent with the need to protect
the national security of the United States; and
``(C) used by a certified entity in a manner which
protects such cyber threat intelligence from
unauthorized disclosure.
``(3) Security clearance approvals.--The Director of
National Intelligence shall issue guidelines providing that the
head of an element of the intelligence community may, as the
head of such element considers necessary to carry out this
subsection--
``(A) grant a security clearance on a temporary or
permanent basis to an employee or officer of a
certified entity;
``(B) grant a security clearance on a temporary or
permanent basis to a certified entity and approval to
use appropriate facilities; and
``(C) expedite the security clearance process for a
person or entity as the head of such element considers
necessary, consistent with the need to protect the
national security of the United States.
``(4) No right or benefit.--The provision of information to
a private-sector entity under this subsection shall not create
a right or benefit to similar information by such entity or any
other private-sector entity.
``(b) Private Sector Use of Cybersecurity Systems and Sharing of
Cyber Threat Information.--
``(1) In general.--
``(A) Cybersecurity providers.--Notwithstanding any
other provision of law, a cybersecurity provider, with
the express consent of a protected entity for which
such cybersecurity provider is providing goods or
services for cybersecurity purposes, may, for
cybersecurity purposes--
``(i) use cybersecurity systems to identify
and obtain cyber threat information to protect
the rights and property of such protected
entity; and
``(ii) share such cyber threat information
with any other entity designated by such
protected entity, including, if specifically
designated, the Federal Government.
``(B) Self-protected entities.--Notwithstanding any
other provision of law, a self-protected entity may,
for cybersecurity purposes--
``(i) use cybersecurity systems to identify
and obtain cyber threat information to protect
the rights and property of such self-protected
entity; and
``(ii) share such cyber threat information
with any other entity, including the Federal
Government.
``(2) Use and protection of information.--Cyber threat
information shared in accordance with paragraph (1)--
``(A) shall only be shared in accordance with any
restrictions placed on the sharing of such information
by the protected entity or self-protected entity
authorizing such sharing, including appropriate
anonymization or minimization of such information;
``(B) may not be used by an entity to gain an
unfair competitive advantage to the detriment of the
protected entity or the self-protected entity
authorizing the sharing of information; and
``(C) if shared with the Federal Government--
``(i) shall be exempt from disclosure under
section 552 of title 5, United States Code;
``(ii) shall be considered proprietary
information and shall not be disclosed to an
entity outside of the Federal Government except
as authorized by the entity sharing such
information; and
``(iii) shall not be used by the Federal
Government for regulatory purposes.
``(3) Exemption from liability.--No civil or criminal cause
of action shall lie or be maintained in Federal or State court
against a protected entity, self-protected entity,
cybersecurity provider, or an officer, employee, or agent of a
protected entity, self-protected entity, or cybersecurity
provider, acting in good faith--
``(A) for using cybersecurity systems or sharing
information in accordance with this section; or
``(B) for not acting on information obtained or
shared in accordance with this section.
``(4) Relationship to other laws requiring the disclosure
of information.--The submission of information under this
subsection to the Federal Government shall not satisfy or
affect any requirement under any other provision of law for a
person or entity to provide information to the Federal
Government.
``(c) Federal Government Use of Information.--
``(1) Limitation.--The Federal Government may use cyber
threat information shared with the Federal Government in
accordance with subsection (b) for any lawful purpose only if--
``(A) the use of such information is not for a
regulatory purpose; and
``(B) at least one significant purpose of the use
of such information is--
``(i) a cybersecurity purpose; or
``(ii) the protection of the national
security of the United States.
``(2) Affirmative search restriction.--The Federal
Government may not affirmatively search cyber threat
information shared with the Federal Government under subsection
(b) for a purpose other than a purpose referred to in paragraph
(1)(B).
``(3) Anti-tasking restriction.--Nothing in this section
shall be construed to permit the Federal Government to--
``(A) require a private-sector entity to share
information with the Federal Government; or
``(B) condition the sharing of cyber threat
intelligence with a private-sector entity on the
provision of cyber threat information to the Federal
Government.
``(d) Report on Information Sharing.--
``(1) Report.--The Inspector General of the Intelligence
Community shall annually submit to the congressional
intelligence committees a report containing a review of the use
of information shared with the Federal Government under this
section, including--
``(A) a review of the use by the Federal Government
of such information for a purpose other than a
cybersecurity purpose;
``(B) a review of the type of information shared
with the Federal Government under this section;
``(C) a review of the actions taken by the Federal
Government based on such information;
``(D) appropriate metrics to determine the impact
of the sharing of such information with the Federal
Government on privacy and civil liberties, if any; and
``(E) any recommendations of the Inspector General
for improvements or modifications to the authorities
under this section.
``(2) Form.--Each report required under paragraph (1) shall
be submitted in unclassified form, but may include a classified
annex.
``(e) Federal Preemption.--This section supersedes any statute of a
State or political subdivision of a State that restricts or otherwise
expressly regulates an activity authorized under subsection (b).
``(f) Savings Clause.--Nothing in this section shall be construed
to limit any other authority to use a cybersecurity system or to
identify, obtain, or share cyber threat intelligence or cyber threat
information.
``(g) Definitions.--In this section:
``(1) Certified entity.--The term `certified entity' means
a protected entity, self-protected entity, or cybersecurity
provider that--
``(A) possesses or is eligible to obtain a security
clearance, as determined by the Director of National
Intelligence; and
``(B) is able to demonstrate to the Director of
National Intelligence that such provider or such entity
can appropriately protect classified cyber threat
intelligence.
``(2) Cyber threat information.--The term `cyber threat
information' means information directly pertaining to a
vulnerability of, or threat to, a system or network of a
government or private entity, including information pertaining
to the protection of a system or network from--
``(A) efforts to degrade, disrupt, or destroy such
system or network; or
``(B) theft or misappropriation of private or
government information, intellectual property, or
personally identifiable information.
``(3) Cyber threat intelligence.--The term `cyber threat
intelligence' means information in the possession of an element
of the intelligence community directly pertaining to a
vulnerability of, or threat to, a system or network of a
government or private entity, including information pertaining
to the protection of a system or network from--
``(A) efforts to degrade, disrupt, or destroy such
system or network; or
``(B) theft or misappropriation of private or
government information, intellectual property, or
personally identifiable information.
``(4) Cybersecurity provider.--The term `cybersecurity
provider' means a non-governmental entity that provides goods
or services intended to be used for cybersecurity purposes.
``(5) Cybersecurity purpose.--The term `cybersecurity
purpose' means the purpose of ensuring the integrity,
confidentiality, or availability of, or safeguarding, a system
or network, including protecting a system or network from--
``(A) efforts to degrade, disrupt, or destroy such
system or network; or
``(B) theft or misappropriation of private or
government information, intellectual property, or
personally identifiable information.
``(6) Cybersecurity system.--The term `cybersecurity
system' means a system designed or employed to ensure the
integrity, confidentiality, or availability of, or safeguard, a
system or network, including protecting a system or network
from--
``(A) efforts to degrade, disrupt, or destroy such
system or network; or
``(B) theft or misappropriation of private or
government information, intellectual property, or
personally identifiable information.
``(7) Protected entity.--The term `protected entity' means
an entity, other than an individual, that contracts with a
cybersecurity provider for goods or services to be used for
cybersecurity purposes.
``(8) Self-protected entity.--The term `self-protected
entity' means an entity, other than an individual, that
provides goods or services for cybersecurity purposes to
itself.''.
(b) Procedures and Guidelines.--The Director of National
Intelligence shall--
(1) not later than 60 days after the date of the enactment
of this Act, establish procedures under paragraph (1) of
section 1104(a) of the National Security Act of 1947, as added
by subsection (a) of this section, and issue guidelines under
paragraph (3) of such section 1104(a); and
(2) following the establishment of such procedures and the
issuance of such guidelines, expeditiously distribute such
procedures and such guidelines to appropriate Federal
Government and private-sector entities.
(c) Initial Report.--The first report required to be submitted
under subsection (d) of section 1104 of the National Security Act of
1947, as added by subsection (a) of this section, shall be submitted
not later than one year after the date of the enactment of this Act.
(d) Table of Contents Amendment.--The table of contents in the
first section of the National Security Act of 1947 is amended by adding
at the end the following new item:
``Sec. 1104. Cyber threat intelligence and information sharing.''.
Union Calendar No. 311
112th CONGRESS
2d Session
H. R. 3523
[Report No. 112-445]
_______________________________________________________________________
A BILL
To provide for the sharing of certain cyber threat intelligence and
cyber threat information between the intelligence community and
cybersecurity entities, and for other purposes.
_______________________________________________________________________
April 17, 2012
Reported with an amendment, committed to the Committee of the Whole
House on the State of the Union, and ordered to be printed