[Congressional Record Volume 158, Number 113 (Thursday, July 26, 2012)]
[Senate]
[Pages S5495-S5622]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

TEXT OF AMENDMENTS

SA 2581. Mrs. HUTCHISON (for herself, Mr. McCain, Mr. Chambliss, Mr. Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of Wisconsin) submitted an amendment intended to be proposed by her to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows:

Strike all after the enacting clause and insert the following:

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012'' or ``SECURE IT''.
(b) Table of Contents.--The table of contents of this Act is as follows:
Sec. 1. Short title; table of contents.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.
TITLE III--CRIMINAL PENALTIES
Sec. 301. Penalties for fraud and related activity in connection with computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
Sec. 401. National High-Performance Computing Program planning and coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology, including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.

TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION

SEC. 101. DEFINITIONS.
In this title:
(1) Agency.--The term ``agency'' has the meaning given the term in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in section 1(a) of the Clayton Act (15 U.S.C. 12(a));
(B) includes section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent that section 5 of that Act applies to unfair methods of competition; and
(C) includes any State law that has the same intent and effect as the laws under subparagraphs (A) and (B).
(3) Countermeasure.--The term ``countermeasure'' means an automated or a manual action with defensive intent to mitigate cyber threats.
(4) Cyber threat information.--The term ``cyber threat information'' means information that indicates or describes--
(A) a technical or operational vulnerability or a cyber threat mitigation measure;
(B) an action or operation to mitigate a cyber threat;
(C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat;
(D) a method of defeating a technical control;
(E) a method of defeating an operational control;
(F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent;
(G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control;
(H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law;
(I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or
(J) any combination of subparagraphs (A) through (I).
(5) Cybersecurity center.--The term ``cybersecurity center'' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center.
(6) Cybersecurity system.--The term ``cybersecurity system'' means a system designed or employed to ensure the integrity, confidentiality, or availability of, or to safeguard, a system or network, including measures intended to protect a system or network from--
(A) efforts to degrade, disrupt, or destroy such system or network; or
(B) theft or misappropriations of private or government information, intellectual property, or personally identifiable information.
(7) Entity.--
(A) In general.--The term ``entity'' means any private entity, non-Federal government agency or department, or State, tribal, or local government agency or department (including an officer, employee, or agent thereof).
(B) Inclusions.--The term ``entity'' includes a government agency or department (including an officer, employee, or agent thereof) of the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Northern Mariana Islands, and any other territory or possession of the United States.
(8) Federal information system.--The term ``Federal information system'' means an information system of a Federal department or agency used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
(9) Information security.--The term ``information security'' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide--
(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;
(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or
(C) availability, by ensuring timely and reliable access to and use of information.
(10) Information system.--The term ``information system'' has the meaning given the term in section 3502 of title 44, United States Code.
(11) Local government.--The term ``local government'' means any borough, city, county, parish, town, township, village, or other general purpose political subdivision of a State.
(12) Malicious reconnaissance.--The term ``malicious reconnaissance'' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
(13) Operational control.--The term ``operational control'' means a security control for an information system that primarily is implemented and executed by people.
(14) Operational vulnerability.--The term ``operational vulnerability'' means any attribute of policy, process, or procedure that could enable or facilitate the defeat of an operational control.
(15) Private entity.--The term ``private entity'' means any individual or any private group, organization, or corporation, including an officer, employee, or agent thereof.
(16) Significant cyber incident.--The term ``significant cyber incident'' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in--
(A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or
(B) an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated.
(17) Technical control.--The term ``technical control'' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system.
(18) Technical vulnerability.--The term ``technical vulnerability'' means any attribute of hardware or software that could enable or facilitate the defeat of a technical control.
(19) Tribal.--The term ``tribal'' has the meaning given the term ``Indian tribe'' in section 4 of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 450b).

SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.
(a) Voluntary Disclosure.--
(1) Private entities.--Notwithstanding any other provision of law, a private entity may, for the purpose of preventing, investigating, or otherwise mitigating threats to information security, on its own networks, or as authorized by another entity, on such entity's networks, employ countermeasures and use cybersecurity systems in order to obtain, identify, or otherwise possess cyber threat information.
(2) Entities.--Notwithstanding any other provision of law, an entity may disclose cyber threat information to--
(A) a cybersecurity center; or
(B) any other entity in order to assist with preventing, investigating, or otherwise mitigating threats to information security.
(3) Information security providers.--If the cyber threat information described in paragraph (1) is obtained, identified, or otherwise possessed in the course of providing information security products or services under contract to another entity, that entity shall be given, at any time prior to disclosure of such information, a reasonable opportunity to authorize or prevent such disclosure, to request anonymization of such information, or to request that reasonable efforts be made to safeguard such information that identifies specific persons from unauthorized access or disclosure.
(b) Significant Cyber Incidents Involving Federal Information Systems.--
(1) In general.--An entity providing electronic communication services, remote computing services, or information security services to a Federal department or agency shall inform the Federal department or agency of a significant cyber incident involving the Federal information system of that Federal department or agency that--
(A) is directly known to the entity as a result of providing such services;
(B) is directly related to the provision of such services by the entity; and
(C) as determined by the entity, has impeded or will impede the performance of a critical mission of the Federal department or agency.
(2) Advance coordination.--A Federal department or agency receiving the services described in paragraph (1) shall coordinate in advance with an entity described in paragraph (1) to develop the parameters of any information that may be provided under paragraph (1), including clarification of the type of significant cyber incident that will impede the performance of a critical mission of the Federal department or agency.
(3) Report.--A Federal department or agency shall report information provided under this subsection to a cybersecurity center.
(4) Construction.--Any information provided to a cybersecurity center under paragraph (3) shall be treated in the same manner as information provided to a cybersecurity center under subsection (a).
(c) Information Shared With or Provided to a Cybersecurity Center.--Cyber threat information provided to a cybersecurity center under this section--
(1) may be disclosed to, retained by, and used by, consistent with otherwise applicable Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal government for a cybersecurity purpose, a national security purpose, or in order to prevent, investigate, or prosecute any of the offenses listed in section 2516 of title 18, United States Code, and such information shall not be disclosed to, retained by, or used by any Federal agency or department for any use not permitted under this paragraph;
(2) may, with the prior written consent of the entity submitting such information, be disclosed to and used by a State, tribal, or local government or government agency for the purpose of protecting information systems, or in furtherance of preventing, investigating, or prosecuting a criminal act, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent;
(3) shall be considered the commercial, financial, or proprietary information of the entity providing such information to the Federal government and any disclosure outside the Federal government may only be made upon the prior written consent by such entity and shall not constitute a waiver of any applicable privilege or protection provided by law, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent;
(4) shall be deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records;
(5) shall be, without discretion, withheld from the public under section 552(b)(3)(B) of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records;
(6) shall not be subject to the rules of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official;
(7) shall not, if subsequently provided to a State, tribal, or local government or government agency, otherwise be disclosed or distributed to any entity by such State, tribal, or local government or government agency without the prior written consent of the entity submitting such information, notwithstanding any State, tribal, or local law requiring disclosure of information or records, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent; and
(8) shall not be directly used by any Federal, State, tribal, or local department or agency to regulate the lawful activities of an entity, including activities relating to obtaining, identifying, or otherwise possessing cyber threat information, except that the procedures required to be developed and implemented under this title shall not be considered regulations within the meaning of this paragraph.
(d) Procedures Relating to Information Sharing With a Cybersecurity Center.--Not later than 60 days after the date of enactment of this Act, the heads of each department or agency containing a cybersecurity center shall jointly develop, promulgate, and submit to Congress procedures to ensure that cyber threat information shared with or provided to--
(1) a cybersecurity center under this section--
(A) may be submitted to a cybersecurity center by an entity, to the greatest extent possible, through a uniform, publicly available process or format that is easily accessible on the website of such cybersecurity center, and that includes the ability to provide relevant details about the cyber threat information and written consent to any subsequent disclosures authorized by this paragraph;
(B) shall immediately be further shared with each cybersecurity center in order to prevent, investigate, or otherwise mitigate threats to information security across the Federal government;
(C) is handled by the Federal government in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title, and the Federal government may undertake efforts consistent with this subparagraph to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal government; and
(D) except as provided in this section, shall only be used, disclosed, or handled in accordance with the provisions of subsection (c); and
(2) a Federal agency or department under subsection (b) is provided immediately to a cybersecurity center in order to prevent, investigate, or otherwise mitigate threats to information security across the Federal government.
(e) Information Shared Between Entities.--
(1) In general.--An entity sharing cyber threat information with another entity under this title may restrict the use or sharing of such information by such other entity.
(2) Further sharing.--Cyber threat information shared by any entity with another entity under this title--
(A) shall only be further shared in accordance with any restrictions placed on the sharing of such information by the entity authorizing such sharing, such as appropriate anonymization of such information; and
(B) may not be used by any entity to gain an unfair competitive advantage to the detriment of the entity authorizing the sharing of such information, except that the conduct described in paragraph (3) shall not constitute unfair competitive conduct.
(3) Information shared with state, tribal, or local government or government agency.--Cyber threat information shared with a State, tribal, or local government or government agency under this title--
(A) may, with the prior written consent of the entity sharing such information, be disclosed to and used by a State, tribal, or local government or government agency for the purpose of protecting information systems, or in furtherance of preventing, investigating, or prosecuting a criminal act, except if the need for immediate disclosure prevents obtaining written consent, consent may be provided orally with subsequent documentation of the consent;
(B) shall be deemed voluntarily shared information and exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records;
(C) shall not be disclosed or distributed to any entity by the State, tribal, or local government or government agency without the prior written consent of the entity submitting such information, notwithstanding any State, tribal, or local law requiring disclosure of information or records, except if the need for immediate disclosure prevents obtaining written consent, consent may be provided orally with subsequent documentation of the consent; and
(D) shall not be directly used by any State, tribal, or local department or agency to regulate the lawful activities of an entity, including activities relating to obtaining, identifying, or otherwise possessing cyber threat information, except that the procedures required to be developed and implemented under this title shall not be considered regulations within the meaning of this subparagraph.
(4) Antitrust exemption.--The exchange or provision of cyber threat information or assistance between 2 or more private entities under this title shall not be considered a violation of any provision of antitrust laws if exchanged or provided in order to assist with--
(A) facilitating the prevention, investigation, or mitigation of threats to information security; or
(B) communicating or disclosing of cyber threat information to help prevent, investigate or otherwise mitigate the effects of a threat to information security.
(5) No right or benefit.--The provision of cyber threat information to an entity under this section shall not create a right or a benefit to similar information by such entity or any other entity.
(f) Federal Preemption.--
(1) In general.--This section supersedes any statute or other law of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under this section.
(2) State law enforcement.--Nothing in this section shall be construed to supersede any statute or other law of a State or political subdivision of a State concerning the use of authorized law enforcement techniques.
(3) Public disclosure.--No information shared with or provided to a State, tribal, or local government or government agency pursuant to this section shall be made publicly available pursuant to any State, tribal, or local law requiring disclosure of information or records.
(g) Civil and Criminal Liability.--
(1) General protections.--
(A) Private entities.--No cause of action shall lie or be maintained in any court against any private entity for--
(i) the use of countermeasures and cybersecurity systems as authorized by this title;
(ii) the use, receipt, or disclosure of any cyber threat information as authorized by this title; or
(iii) the subsequent actions or inactions of any lawful recipient of cyber threat information provided by such private entity.
(B) Entities.--No cause of action shall lie or be maintained in any court against any entity for--
(i) the use, receipt, or disclosure of any cyber threat information as authorized by this title; or
(ii) the subsequent actions or inactions of any lawful recipient of cyber threat information provided by such entity.
(2) Construction.--Nothing in this subsection shall be construed as creating any immunity against, or otherwise affecting, any action brought by the Federal government, or any agency or department thereof, to enforce any law, executive order, or procedure governing the appropriate handling, disclosure, and use of classified information.
(h) Otherwise Lawful Disclosures.--Nothing in this section shall be construed to limit or prohibit otherwise lawful disclosures of communications, records, or other information by a private entity to any other governmental or private entity not covered under this section.
(i) Whistleblower Protection.--Nothing in this Act shall be construed to preempt or preclude any employee from exercising rights currently provided under any whistleblower law, rule, or regulation.
(j) Relationship to Other Laws.--The submission of cyber threat information under this section to a cybersecurity center shall not affect any requirement under any other provision of law for an entity to provide information to the Federal government.

SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.
(a) Classified Information.--
(1) Procedures.--Consistent with the protection of intelligence sources and methods, and as otherwise determined appropriate, the Director of National Intelligence and the Secretary of Defense, in consultation with the heads of the appropriate Federal departments or agencies, shall develop and promulgate procedures to facilitate and promote--
(A) the immediate sharing, through the cybersecurity centers, of classified cyber threat information in the possession of the Federal government with appropriately cleared representatives of any appropriate entity; and
(B) the declassification and immediate sharing, through the cybersecurity centers, with any entity or, if appropriate, public availability of cyber threat information in the possession of the Federal government;
(2) Handling of classified information.--The procedures developed under paragraph (1) shall ensure that each entity receiving classified cyber threat information pursuant to this section has acknowledged in writing the ongoing obligation to comply with all laws, executive orders, and procedures concerning the appropriate handling, disclosure, or use of classified information.
(b) Unclassified Cyber Threat Information.--The heads of each department or agency containing a cybersecurity center shall jointly develop and promulgate procedures that ensure that, consistent with the provisions of this section, unclassified, including controlled unclassified, cyber threat information in the possession of the Federal government--
(1) is shared, through the cybersecurity centers, in an immediate and adequate manner with appropriate entities; and
(2) if appropriate, is made publicly available.
(c) Development of Procedures.--
(1) In general.--The procedures developed under this section shall incorporate, to the greatest extent possible, existing processes utilized by sector specific information sharing and analysis centers.
(2) Coordination with entities.--In developing the procedures required under this section, the Director of National Intelligence and the heads of each department or agency containing a cybersecurity center shall coordinate with appropriate entities to ensure that protocols are implemented that will facilitate and promote the sharing of cyber threat information by the Federal government.
(d) Additional Responsibilities of Cybersecurity Centers.--Consistent with section 102, a cybersecurity center shall--
(1) facilitate information sharing, interaction, and collaboration among and between cybersecurity centers and--
(A) other Federal entities;
(B) any entity; and
(C) international partners, in consultation with the Secretary of State;
(2) disseminate timely and actionable cybersecurity threat, vulnerability, mitigation, and warning information, including alerts, advisories, indicators, signatures, and mitigation and response measures, to improve the security and protection of information systems; and
(3) coordinate with other Federal entities, as appropriate, to integrate information from across the Federal government to provide situational awareness of the cybersecurity posture of the United States.
(e) Sharing Within the Federal Government.--The heads of appropriate Federal departments and agencies shall ensure that cyber threat information in the possession of such Federal departments or agencies that relates to the prevention, investigation, or mitigation of threats to information security across the Federal government is shared effectively with the cybersecurity centers.
(f) Submission to Congress.--Not later than 60 days after the date of enactment of this Act, the Director of National Intelligence, in coordination with the appropriate head of a department or an agency containing a cybersecurity center, shall submit the procedures required by this section to Congress.

SEC. 104. CONSTRUCTION.
(a) Information Sharing Relationships.--Nothing in this title shall be construed--
(1) to limit or modify an existing information sharing relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship between any entity and the Federal government, except as specified under section 102(b); or
(4) to modify the authority of a department or agency of the Federal government to protect sources and methods and the national security of the United States.
(b) Anti-tasking Restriction.--Nothing in this title shall be construed to permit the Federal government--
(1) to require an entity to share information with the Federal government, except as expressly provided under section 102(b); or
(2) to condition the sharing of cyber threat information with an entity on such entity's provision of cyber threat information to the Federal government.
(c) No Liability for Non-participation.--Nothing in this title shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized under this title.
(d) Use and Retention of Information.--Nothing in this title shall be construed to authorize, or to modify any existing authority of, a department or agency of the Federal government to retain or use any information shared under section 102 for any use other than a use permitted under subsection 102(c)(1).
(e) No New Funding.--An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate.

SEC. 105. REPORT ON IMPLEMENTATION.
(a) Content of Report.--Not later than 1 year after the date of enactment of this Act, and biennially thereafter, the heads of each department or agency containing a cybersecurity center shall jointly submit, in coordination with the privacy and civil liberties officials of such departments or agencies and the Privacy and Civil Liberties Oversight Board, a detailed report to Congress concerning the implementation of this title, including--
(1) an assessment of the sufficiency of the procedures developed under section 103 of this Act in ensuring that cyber threat information in the possession of the Federal government is provided in an immediate and adequate manner to appropriate entities or, if appropriate, is made publicly available;
(2) an assessment of whether information has been appropriately classified and an accounting of the number of security clearances authorized by the Federal government for purposes of this title;
(3) a review of the type of cyber threat information shared with a cybersecurity center under section 102 of this Act, including whether such information meets the definition of cyber threat information under section 101, the degree to which such information may impact the privacy and civil liberties of individuals, any appropriate metrics to determine any impact of the sharing of such information with the Federal government on privacy and civil liberties, and the adequacy of any steps taken to reduce such impact;
(4) a review of actions taken by the Federal government based on information provided to a cybersecurity center under section 102 of this Act, including the appropriateness of any subsequent use under section 102(c)(1) of this Act and whether there was inappropriate stovepiping within the Federal government of any such information;
(5) a description of any violations of the requirements of this title by the Federal government;
(6) a classified list of entities that received classified information from the Federal government under section 103 of this Act and a description of any indication that such information may not have been appropriately handled;
(7) a summary of any breach of information security, if known, attributable to a specific failure by any entity or the Federal government to act on cyber threat information in the possession of such entity or the Federal government that resulted in substantial economic harm or injury to a specific entity or the Federal government; and
(8) any recommendation for improvements or modifications to the authorities under this title.
(b) Form of Report.--The report under subsection (a) shall be submitted in unclassified form, but shall include a classified annex.

SEC. 106. INSPECTOR GENERAL REVIEW.
(a) In General.--The Council of the Inspectors General on Integrity and Efficiency is authorized to review compliance by the cybersecurity centers, and by any Federal department or agency receiving cyber threat information from such cybersecurity centers, with the procedures required under section 102 of this Act.
(b) Scope of Review.--The review under subsection (a) shall consider whether the Federal government has handled such cyber threat information in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title.
(c) Report to Congress.--Each review conducted under this section shall be provided to Congress not later than 30 days after the date of completion of the review.

SEC. 107. TECHNICAL AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
(1) in paragraph (8), by striking ``or'';
(2) in paragraph (9), by striking ``wells.'' and inserting ``wells; or''; and
(3) by adding at the end the following:
``(10) information shared with or provided to a cybersecurity center under section 102 of title I of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012.''.
SEC. 108. ACCESS TO CLASSIFIED INFORMATION.
(a) Authorization Required.--No person shall be provided with access to classified information (as defined in section 6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to classified national security information)) relating to cyber security threats or cyber security vulnerabilities under this title without the appropriate security clearances.
(b) Security Clearances.--The appropriate Federal agencies or departments shall, consistent with applicable procedures and requirements, and if otherwise deemed appropriate, assist an individual in timely obtaining an appropriate security clearance where such individual has been determined to be eligible for such clearance and has a need-to-know (as defined in section 6.1 of that Executive Order) classified information to carry out this title.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY.
(a) In General.--Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
``(2) to recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management of policies, directives, standards, and guidelines, as well as effective and nimble oversight of and response to information security risks, including coordination of information security efforts throughout the Federal civilian, national security, and law enforcement communities;
``(3) to provide for development and maintenance of controls required to protect agency information and information systems and contribute to the overall improvement of agency information security posture;
``(4) to provide for the development of tools and methods to assess and respond to real-time situational risk for Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency information security programs through continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security' means security commensurate with the risk and magnitude of the harm resulting from the unauthorized access to or loss, misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the term in section 3502 of title 44.
[[Page S5499]]
``(3) Cybersecurity center.--The term `cybersecurity center' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat information' means information that indicates or describes--
``(A) a technical or operation vulnerability or a cyber threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent;
``(G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control;
``(H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law;
``(I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of the Office of Management and Budget unless otherwise specified.
``(6) Environment of operation.--The term `environment of operation' means the information system and environment in which those systems operate, including changing threats, vulnerabilities, technologies, and missions and business practices.
``(7) Federal information system.--The term `Federal information system' means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
``(8) Incident.--The term `incident' means an occurrence that--
``(A) actually or imminently jeopardizes the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits; or
``(B) constitutes a violation of law or an imminent threat of violation of a law, a security policy, a security procedure, or an acceptable use policy.
``(9) Information resources.--The term `information resources' has the meaning given the term in section 3502 of title 44.
``(10) Information security.--The term `information security' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide--
``(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access to and use of information.
``(11) Information system.--The term `information system' has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information technology' has the meaning given the term in section 11101 of title 40.
``(13) Malicious reconnaissance.--The term `malicious reconnaissance' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
``(15) Operational control.--The term `operational control' means a security control for an information system that primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means the management, operational, and technical controls, including safeguards or countermeasures, prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant cyber incident' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in--
``(A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or
``(B) an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated.
``(20) Technical control.--The term `technical control' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system.
``Sec. 3553. Federal information security authority and coordination
``(a) In General.--The Secretary, in consultation with the Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives governing agency information security operations, and require implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards and guidelines promulgated under section 11331 of title 40 to identify and provide information security protections prioritized and commensurate with the risk and impact resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf of an agency; or
``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
``(B) minimum operational requirements for Federal Government to protect agency information systems and provide common situational awareness across all agency information systems;
``(C) reporting requirements, consistent with relevant law, regarding information security incidents and cyber threat information;
``(D) requirements for agencywide information security programs;
``(E) performance requirements and metrics for the security of agency information systems;
``(F) training requirements to ensure that agencies are able to fully and timely comply with the policies and directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil rights, and civil liberties, and information oversight for agency information security personnel;
``(H) requirements for the annual reports to the Secretary under section 3554(d);
``(I) any other information security operations or information security requirements as determined by the Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems;
``(2) review the agencywide information security programs under section 3554; and
``(3) designate an individual or an entity at each cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information security incidents, cyber threat information, and deterioration of security control affecting agency information systems; and
``(B) to act on or share the information under subparagraph (A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives under subsection (a), the Secretary shall consider any applicable standards or guidelines developed by the National Institute of Standards and Technology under section 11331 of title 40.
``(c) Limitation of Authority.--The authorities of the Secretary under this section
[[Page S5500]]
shall not apply to national security systems. Information security policies, directives, standards and guidelines for national security systems shall be overseen as directed by the President and, in accordance with that direction, carried out under the authority of the heads of agencies that operate or exercise authority over such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter shall be construed to alter or amend any law regarding the authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued under section 3553;
``(B) providing information security protections commensurate with the risk resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of--
``(i) information collected or maintained by the agency or by a contractor of an agency or other organization on behalf of an agency; and
``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
``(C) complying with the requirements of this subchapter, including--
``(i) information security standards and guidelines promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued as directed by the President; and
``(iii) for any non-national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued under section 3553;
``(D) ensuring that information security management processes are integrated with agency strategic and operational planning processes;
``(E) reporting and sharing, for an agency operating or exercising control of a national security system, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for national security systems issued as directed by the President; and
``(F) reporting and sharing, for those agencies operating or exercising control of non-national security systems, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for non-national security systems as prescribed under section 3553(a), including information to assist the entity designated under section 3555(a) with the ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides information security for the information and information systems that support the operations and assets under the senior agency official's control, including by--
``(A) assessing the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems;
``(B) determining the level of information security appropriate to protect such information and information systems in accordance with policies and directives issued under section 3553(a), and standards and guidelines promulgated under section 11331 of title 40 for information security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities to reduce risks to an acceptable level in a cost-effective manner;
``(D) actively monitoring the effective implementation of information security controls and techniques; and
``(E) reporting information about information security incidents, cyber threat information, and deterioration of security controls in a timely and adequate manner to the entity designated under section 3553(a)(3) in accordance with paragraph (1);
``(3) assess and maintain the resiliency of information technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an independent entity selected in consultation with the Director and the Council of Inspectors General on Integrity and Efficiency if the agency does not have an Inspector General) to conduct the annual independent evaluation required under section 3556, and allow the agency Inspector General to contract with an independent entity to perform such evaluation;
``(5) delegate to the Chief Information Officer or equivalent (or to a senior agency official who reports to the Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement an agencywide information security program; and
``(B) the authority to provide information security for the information collected and maintained by the agency (or by a contractor, other agency, or other source on behalf of the agency) and for the information systems that support the operations, assets, and mission of the agency (including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is responsible for a particular agency system or subsystem) the responsibility to ensure and enforce compliance with all requirements of the agency's agencywide information security program in coordination with the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have obtained any necessary security clearances to permit them to assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5), in coordination with other senior agency officials, reports to the agency head on the effectiveness of the agencywide information security program, including the progress of any remedial actions; and
``(9) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5) has the necessary qualifications to administer the functions described in this subchapter and has information security duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under subsection (a)(5) shall--
``(1) establish and maintain an enterprise security operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds to information security incidents that impair adequate security of the agency's information or information system in a timely manner and in accordance with the policies and directives under section 3553; and
``(B) reports any information security incident under subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide information security program;
``(3) develop, maintain, and oversee information security policies, procedures, and control techniques to address applicable requirements, including requirements under section 3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have significant responsibility for information security with respect to that responsibility.
``(c) Agencywide Information Security Programs.--
``(1) In general.--Each agencywide information security program under subsection (b)(2) shall include--
``(A) relevant security risk assessments, including technical assessments and others related to the acquisition process;
``(B) security testing commensurate with risk and impact;
``(C) mitigation of deterioration of security controls commensurate with risk and impact;
``(D) risk-based continuous monitoring and threat assessment of the operational status and security of agency information systems to enable evaluation of the effectiveness of and compliance with information security policies, procedures, and practices, including a relevant and appropriate selection of security controls of information systems identified in the inventory under section 3505(c);
``(E) operation of appropriate technical capabilities in order to detect, mitigate, report, and respond to information security incidents, cyber threat information, and deterioration of security controls in a manner that is consistent with the policies and directives under section 3553, including--
``(i) mitigating risks associated with such information security incidents;
``(ii) notifying and consulting with the entity designated under section 3555; and
``(iii) notifying and consulting with, as appropriate--
``(I) law enforcement and the relevant Office of the Inspector General; and
``(II) any other entity, in accordance with law and as directed by the President;
``(F) a process to ensure that remedial action is taken to address any deficiencies in the information security policies, procedures, and practices of the agency; and
``(G) a plan and procedures to ensure the continuity of operations for information systems that support the operations and assets of the agency.
``(2) Risk management strategies.--Each agencywide information security program under subsection (b)(2) shall include the development and maintenance of a risk management strategy for information security. The risk management strategy shall include--
``(A) consideration of information security incidents, cyber threat information, and deterioration of security controls; and
``(B) consideration of the consequences that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency;
[[Page S5501]]
``(3) Policies and procedures.--Each agencywide information security program under subsection (b)(2) shall include policies and procedures that--
``(A) are based on the risk management strategy under paragraph (2);
``(B) reduce information security risks to an acceptable level in a cost-effective manner;
``(C) ensure that cost-effective and adequate information security is addressed as part of the acquisition and ongoing management of each agency information system; and
``(D) ensure compliance with--
``(i) this subchapter; and
``(ii) any other applicable requirements.
``(4) Training requirements.--Each agencywide information security program under subsection (b)(2) shall include information security, privacy, civil rights, civil liberties, and information oversight training that meets any applicable requirements under section 3553. The training shall inform each information security personnel that has access to agency information systems (including contractors and other users of information systems that support the operations and assets of the agency) of--
``(A) the information security risks associated with the information security personnel's activities; and
``(B) the individual's responsibility to comply with the agency policies and procedures that reduce the risks under subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report annually to the Secretary of Homeland Security on its agencywide information security program and information systems.
``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, shall designate an entity to implement ongoing security analysis concerning agency information systems--
``(1) based on cyber threat information;
``(2) based on agency information system and environment of operation changes, including--
``(A) an ongoing evaluation of the information system security controls; and
``(B) the security state, risk level, and environment of operation of an agency information system, including--
``(i) a change in risk level due to a new cyber threat;
``(ii) a change resulting from a new technology;
``(iii) a change resulting from the agency's mission; and
``(iv) a change resulting from the business practice; and
``(3) using automated processes to the maximum extent possible--
``(A) to increase information system security;
``(B) to reduce paper-based reporting requirements; and
``(C) to maintain timely and actionable knowledge of the state of the information system security.
``(b) Standards.--The National Institute of Standards and Technology may promulgate standards, in coordination with the Secretary of Homeland Security, to assist an agency with its duties under this section.
``(c) Compliance.--The head of each appropriate department and agency shall be responsible for ensuring compliance and implementing necessary procedures to comply with this section. The head of each appropriate department and agency, in consultation with the Director of the Office of Management and Budget and the Secretary of Homeland Security, shall--
``(1) monitor compliance under this section;
``(2) develop a timeline and implement for the department or agency--
``(A) adoption of any technology, system, or method that facilitates continuous monitoring and threat assessments of an agency information system;
``(B) adoption or updating of any technology, system, or method that prevents, detects, or remediates a significant cyber incident to a Federal information system of the department or agency that has impeded, or is reasonably likely to impede, the performance of a critical mission of the department or agency; and
``(C) adoption of any technology, system, or method that satisfies a requirement under this section.
``(d) Limitation of Authority.--The authorities of the Director of the Office of Management and Budget and of the Secretary of Homeland Security under this section shall not apply to national security systems.
``(e) Report.--Not later than 6 months after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Government Accountability Office shall issue a report evaluating each agency's status toward implementing this section.
``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on Integrity and Efficiency, in consultation with the Director and the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense, shall issue and maintain criteria for the timely, cost-effective, risk-based, and independent evaluation of each agencywide information security program (and practices) to determine the effectiveness of the agencywide information security program (and practices). The criteria shall include measures to assess any conflicts of interest in the performance of the evaluation and whether the agencywide information security program includes appropriate safeguards against disclosure of information where such disclosure may adversely affect information security.
``(b) Annual Independent Evaluations.--Each agency shall perform an annual independent evaluation of its agencywide information security program (and practices) in accordance with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days after receiving an independent evaluation under subsection (b), each agency head shall transmit a copy of the independent evaluation to the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving national security systems shall be conducted as directed by the President.
``Sec. 3557. National security systems.
``The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency--
``(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; and
``(2) implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President.''.
(b) Savings Provisions.--
(1) Policy and compliance guidance.--Policy and compliance guidance issued by the Director before the date of enactment of this Act under section 3543(a)(1) of title 44, United States Code (as in effect on the day before the date of enactment of this Act), shall continue in effect, according to its terms, until modified, terminated, superseded, or repealed pursuant to section 3553(a)(1) of title 44, United States Code.
(2) Standards and guidelines.--Standards and guidelines issued by the Secretary of Commerce or by the Director before the date of enactment of this Act under section 11331(a)(1) of title 40, United States Code, (as in effect on the day before the date of enactment of this Act) shall continue in effect, according to their terms, until modified, terminated, superseded, or repealed pursuant to section 11331(a)(1) of title 40, United States Code, as amended by this Act.
(c) Technical and Conforming Amendments.--
(1) Chapter analysis.--The chapter analysis for chapter 35 of title 44, United States Code, is amended--
(A) by striking the items relating to sections 3531 through 3538;
(B) by striking the items relating to sections 3541 through 3549; and
(C) by inserting the following:
``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
(2) Other references.--
(A) Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 3532(3)'' and inserting ``section 3552''.
(B) Section 2222(j)(5) of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''.
(C) Section 2223(c)(3) of title 10, United States Code, is amended, by striking ``section 3542(b)(2)'' and inserting ``section 3552''.
(D) Section 2315 of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''.
(E) Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking ``section 3532(b)(2)'' and inserting ``section 3552'';
(ii) in subsection (c)(3), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce'';
(iii) in subsection (d)(1), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce'';
(iv) in subsection (d)(8) by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce'';
(v) in subsection (d)(8), by striking ``submitted to the Director'' and inserting ``submitted to the Secretary'';
(vi) in subsection (e)(2), by striking ``section 3532(1) of such title'' and inserting ``section 3552 of title 44''; and
(vii) in subsection (e)(5), by striking ``section 3532(b)(2) of such title'' and inserting ``section 3552 of title 44''.
(F) Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking ``section 3534(b)'' and inserting ``section 3554(b)(2)''.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General.--Section 11331 of title 40, United States Code, is amended to read as follows:
[[Page S5502]]
``Sec. 11331. Responsibilities for Federal information systems standards
``(a) Standards and Guidelines.--
``(1) Authority to prescribe.--Except as provided under paragraph (2), the Secretary of Commerce shall prescribe standards and guidelines pertaining to Federal information systems--
``(A) in consultation with the Secretary of Homeland Security; and
``(B) on the basis of standards and guidelines developed by the National Institute of Standards and Technology under paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)(2) and (a)(3)).
``(2) National security systems.--Standards and guidelines for national security systems shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President.
``(b) Mandatory Standards and Guidelines.--
``(1) Authority to make mandatory standards and guidelines.--The Secretary of Commerce shall make standards and guidelines under subsection (a)(1) compulsory and binding to the extent determined necessary by the Secretary of Commerce to improve the efficiency of operation or security of Federal information systems.
``(2) Required mandatory standards and guidelines.--
``(A) In general.--Standards and guidelines under subsection (a)(1) shall include information security standards that--
``(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)); and
``(ii) are otherwise necessary to improve the security of Federal information and information systems.
``(B) Binding effect.--Information security standards under subparagraph (A) shall be compulsory and binding.
``(c) Exercise of Authority.--To ensure fiscal and policy consistency, the Secretary of Commerce shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director.
``(d) Application of More Stringent Standards and Guidelines.--The head of an executive agency may employ standards for the cost-effective information security for information systems within or under the supervision of that agency that are more stringent than the standards and guidelines the Secretary of Commerce prescribes under this section if the more stringent standards and guidelines--
``(1) contain at least the applicable standards and guidelines made compulsory and binding by the Secretary of Commerce; and
``(2) are otherwise consistent with the policies, directives, and implementation memoranda issued under section 3553(a) of title 44.
``(e) Decisions on Promulgation of Standards and Guidelines.--The decision by the Secretary of Commerce regarding the promulgation of any standard or guideline under this section shall occur not later than 6 months after the date of submission of the proposed standard to the Secretary of Commerce by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3).
``(f) Notice and Comment.--A decision by the Secretary of Commerce to significantly modify, or not promulgate, a proposed standard submitted to the Secretary by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) shall be made after the public is given an opportunity to comment on the Secretary's proposed decision.
``(g) Definitions.--In this section:
``(1) Federal information system.--The term `Federal information system' has the meaning given the term in section 3552 of title 44.
``(2) Information security.--The term `information security' has the meaning given the term in section 3552 of title 44.
``(3) National security system.--The term `national security system' has the meaning given the term in section 3552 of title 44.''.
SEC. 203. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate.
SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.
Section 21(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-4(b)) is amended--
(1) in paragraph (2), by striking ``and the Director of the Office of Management and Budget'' and inserting ``, the Secretary of Commerce, and the Secretary of Homeland Security''; and
(2) in paragraph (3), by inserting ``, the Secretary of Homeland Security,'' after ``the Secretary of Commerce''.
SEC. 205. CLARIFICATION OF AUTHORITIES.
Nothing in this title shall be construed to convey any new regulatory authority to any government entity implementing or complying with any provision of this title.
TITLE III--CRIMINAL PENALTIES
SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030(c) of title 18, United States Code, is amended to read as follows:
``(c) The punishment for an offense under subsection (a) or (b) of this section is--
``(1) a fine under this title or imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(1) of this section;
``(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than 3 years, or both, in the case of an offense under subsection (a)(2); or
``(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2) of this section, if--
``(i) the offense was committed for purposes of commercial advantage or private financial gain;
``(ii) the offense was committed in the furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States, or of any State; or
``(iii) the value of the information obtained, or that would have been obtained if the offense was completed, exceeds $5,000;
``(3) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(3) of this section;
``(4) a fine under this title or imprisonment of not more than 20 years, or both, in the case of an offense under subsection (a)(4) of this section;
``(5)(A) except as provided in subparagraph (C), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A) of this section, if the offense caused--
``(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
``(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
``(iii) physical injury to any person;
``(iv) a threat to public health or safety;
``(v) damage affecting a computer used by, or on behalf of, an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
``(vi) damage affecting 10 or more protected computers during any 1-year period;
``(B) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(B), if the offense caused a harm provided in clause (i) through (vi) of subparagraph (A) of this subsection;
``(C) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both;
``(D) a fine under this title, imprisonment for not more than 10 years, or both, for any other offense under subsection (a)(5);
``(E) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(6) of this section; or
``(F) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(7) of this section.''.
SEC. 302. TRAFFICKING IN PASSWORDS.
Section 1030(a)(6) of title 18, United States Code, is amended to read as follows:
``(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information or means of access through which a protected computer (as defined in subparagraphs (A) and (B) of subsection (e)(2)) may be accessed without authorization.''.
SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.
Section 1030(b) of title 18, United States Code, is amended by inserting ``as if for the completed offense'' after ``punished as provided''.
SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030 of title 18, United States Code, is amended by striking subsections (i) and (j) and inserting the following:
``(i) Criminal Forfeiture.--
``(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States--
``(A) such person's interest in any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of such violation; and
``(B) any property, real or personal, constituting or derived from any gross proceeds, or any property traceable to such property, that such person obtained, directly or indirectly, as a result of such violation.
``(2) The criminal forfeiture of property under this subsection, including any seizure and disposition of the property, and any related judicial or administrative proceeding, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section.
``(j) Civil Forfeiture.--
``(1) The following shall be subject to forfeiture to the United States and no property right, real or personal, shall exist in them:
[[Page S5503]]
``(A) Any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of any violation of this section, or a conspiracy to violate this section.
``(B) Any property, real or personal, constituting or derived from any gross proceeds obtained directly or indirectly, or any property traceable to such property, as a result of the commission of any violation of this section, or a conspiracy to violate this section.
``(2) Seizures and forfeitures under this subsection shall be governed by the provisions in chapter 46 relating to civil forfeitures, except that such duties as are imposed on the Secretary of the Treasury under the customs laws described in section 981(d) shall be performed by such officers, agents and other persons as may be designated for that purpose by the Secretary of Homeland Security or the Attorney General.''.
SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.
(a) In General.--Chapter 47 of title 18, United States Code, is amended by inserting after section 1030 the following:
``Sec. 1030A. Aggravated damage to a critical infrastructure computer
``(a) Definitions.--In this section--
``(1) the term `computer' has the meaning given the term in section 1030;
``(2) the term `critical infrastructure computer' means a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated, including--
``(A) oil and gas production, storage, conversion, and delivery systems;
``(B) water supply systems;
``(C) telecommunication networks;
``(D) electrical power generation and delivery systems;
``(E) finance and banking systems;
``(F) emergency services;
``(G) transportation systems and services; and
``(H) government operations that provide essential services to the public; and
``(3) the term `damage' has the meaning given the term in section 1030.
``(b) Offense.--It shall be unlawful, during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer if the damage results in (or, in the case of an attempt, if completed, would have resulted in) the substantial impairment--
``(1) of the operation of the critical infrastructure computer; or
``(2) of the critical infrastructure associated with the computer.
``(c) Penalty.--Any person who violates subsection (b) shall be--
``(1) fined under this title;
``(2) imprisoned for not less than 3 years but not more than 20 years; or
``(3) penalized under paragraphs (1) and (2).
``(d) Consecutive Sentence.--Notwithstanding any other provision of law--
``(1) a court shall not place on probation any person convicted of a violation of this section;
``(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment, including any term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for a felony violation of section 1030;
``(3) in determining any term of imprisonment to be imposed for a felony violation of section 1030, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and
``(4) a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section, provided that such discretion shall be exercised in accordance with any applicable guidelines and policy statements issued by the United States Sentencing Commission pursuant to section 994 of title 28.''.
(b) Technical and Conforming Amendment.--The chapter analysis for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1030 the following:
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code, is amended by striking ``alter;'' and inserting ``alter, but does not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized;''.
SEC. 307. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM PLANNING AND COORDINATION.
(a) Goals and Priorities.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following:
``(d) Goals and Priorities.--The goals and priorities for Federal high-performance computing research, development, networking, and other activities under subsection (a)(2)(A) shall include--
``(1) encouraging and supporting mechanisms for interdisciplinary research and development in networking and information technology, including--
``(A) through collaborations across agencies;
``(B) through collaborations across Program Component Areas;
``(C) through collaborations with industry;
``(D) through collaborations with institutions of higher education;
``(E) through collaborations with Federal laboratories (as defined in section 4 of the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3703)); and
``(F) through collaborations with international organizations;
``(2) addressing national, multi-agency, multi-faceted challenges of national importance; and
``(3) fostering the transfer of research and development results into new technologies and applications for the benefit of society.''.
(b) Development of Strategic Plan.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following:
``(e) Strategic Plan.--
``(1) In general.--Not later than 1 year after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the agencies under subsection (a)(3)(B), working through the National Science and Technology Council and with the assistance of the Office of Science and Technology Policy shall develop a 5-year strategic plan to guide the activities under subsection (a)(1).
``(2) Contents.--The strategic plan shall specify--
``(A) the near-term objectives for the Program;
``(B) the long-term objectives for the Program;
``(C) the anticipated time frame for achieving the near-term objectives;
``(D) the metrics that will be used to assess any progress made toward achieving the near-term objectives and the long-term objectives; and
``(E) how the Program will achieve the goals and priorities under subsection (d).
``(3) Implementation roadmap.--
``(A) In general.--The agencies under subsection (a)(3)(B) shall develop and annually update an implementation roadmap for the strategic plan.
``(B) Requirements.--The information in the implementation roadmap shall be coordinated with the database under section 102(c) and the annual report under section 101(a)(3). The implementation roadmap shall--
``(i) specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated, with consideration of any relevant recommendations of the advisory committee;
``(ii) specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year; and
``(iii) estimate the funding required for each major research objective of the strategic plan for the next 3 fiscal years.
``(4) Recommendations.--The agencies under subsection (a)(3)(B) shall take into consideration when developing the strategic plan under paragraph (1) the recommendations of--
``(A) the advisory committee under subsection (b); and
``(B) the stakeholders under section 102(a)(3).
``(5) Report to congress.--The Director of the Office of Science and Technology Policy shall transmit the strategic plan under this subsection, including the implementation roadmap and any updates under paragraph (3), to--
``(A) the advisory committee under subsection (b);
``(B) the Committee on Commerce, Science, and Transportation of the Senate; and
``(C) the Committee on Science and Technology of the House of Representatives.''.
(c) Periodic Reviews.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following:
``(f) Periodic Reviews.--The agencies under subsection (a)(3)(B) shall--
``(1) periodically assess the contents and funding levels of the Program Component Areas and restructure the Program when warranted, taking into consideration any relevant recommendations of the advisory committee under subsection (b); and
``(2) ensure that the Program includes national, multi-agency, multi-faceted research and development activities, including activities described in section 104.''.
(d) Additional Responsibilities of Director.--Section 101(a)(2) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(2)) is amended--
[[Page S5504]]
(1) by redesignating subparagraphs (E) and (F) as subparagraphs (G) and (H), respectively; and
(2) by inserting after subparagraph (D) the following:
``(E) encourage and monitor the efforts of the agencies participating in the Program to allocate the level of resources and management attention necessary--
``(i) to ensure that the strategic plan under subsection (e) is developed and executed effectively; and
``(ii) to ensure that the objectives of the Program are met;
``(F) working with the Office of Management and Budget and in coordination with the creation of the database under section 102(c), direct the Office of Science and Technology Policy and the agencies participating in the Program to establish a mechanism (consistent with existing law) to track all ongoing and completed research and development projects and associated funding;''.
(e) Advisory Committee.--Section 101(b) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is amended--
(1) in paragraph (1)--
(A) by inserting after the first sentence the following: ``The co-chairs of the advisory committee shall meet the qualifications of committee members and may be members of the President's Council of Advisors on Science and Technology.''; and
(B) by striking ``high-performance'' in subparagraph (D) and inserting ``high-end''; and
(2) by amending paragraph (2) to read as follows:
``(2) In addition to the duties under paragraph (1), the advisory committee shall conduct periodic evaluations of the funding, management, coordination, implementation, and activities of the Program. The advisory committee shall report its findings and recommendations not less frequently than once every 3 fiscal years to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives. The report shall be submitted in conjunction with the update of the strategic plan.''.
(f) Report.--Section 101(a)(3) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
(1) in subparagraph (C)--
(A) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and
(B) by striking ``each Program Component Area'' and inserting ``each Program Component Area and each research area supported in accordance with section 104'';
(2) in subparagraph (D)--
(A) by striking ``each Program Component Area,'' and inserting ``each Program Component Area and each research area supported in accordance with section 104,'';
(B) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and
(C) by striking ``and'' after the semicolon;
(3) by redesignating subparagraph (E) as subparagraph (G); and
(4) by inserting after subparagraph (D) the following:
``(E) include a description of how the objectives for each Program Component Area, and the objectives for activities that involve multiple Program Component Areas, relate to the objectives of the Program identified in the strategic plan under subsection (e);
``(F) include--
``(i) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the next fiscal year by category of activity;
``(ii) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the current fiscal year by category of activity; and
``(iii) the amount of funding provided for the Office of Science and Technology Policy for the current fiscal year by each agency participating in the Program; and''.
(g) Definitions.--Section 4 of the High-Performance Computing Act of 1991 (15 U.S.C. 5503) is amended--
(1) by redesignating paragraphs (1) and (2) as paragraphs (2) and (3), respectively;
(2) by redesignating paragraph (3) as paragraph (6);
(3) by redesignating paragraphs (6) and (7) as paragraphs (7) and (8), respectively;
(4) by inserting before paragraph (2), as redesignated, the following:
``(1) `cyber-physical systems' means physical or engineered systems whose networking and information technology functions and physical elements are deeply integrated and are actively connected to the physical world through sensors, actuators, or other means to perform monitoring and control functions;'';
(5) in paragraph (3), as redesignated, by striking ``high-performance computing'' and inserting ``networking and information technology'';
(6) in paragraph (6), as redesignated--
(A) by striking ``high-performance computing'' and inserting ``networking and information technology''; and
(B) by striking ``supercomputer'' and inserting ``high-end computing'';
(7) in paragraph (5), by striking ``network referred to as'' and all that follows through the semicolon and inserting ``network, including advanced computer networks of Federal agencies and departments''; and
(8) in paragraph (7), as redesignated, by striking ``National High-Performance Computing Program'' and inserting ``networking and information technology research and development program''.
SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
(a) Research in Areas of National Importance.--Title I of the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et seq.) is amended by adding at the end the following:
``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
``(a) In General.--The Program shall encourage agencies under section 101(a)(3)(B) to support, maintain, and improve national, multi-agency, multi-faceted, research and development activities in networking and information technology directed toward application areas that have the potential for significant contributions to national economic competitiveness and for other significant societal benefits.
``(b) Technical Solutions.--An activity under subsection (a) shall be designed to advance the development of research discoveries by demonstrating technical solutions to important problems in areas including--
``(1) cybersecurity;
``(2) health care;
``(3) energy management and low-power systems and devices;
``(4) transportation, including surface and air transportation;
``(5) cyber-physical systems;
``(6) large-scale data analysis and modeling of physical phenomena;
``(7) large scale data analysis and modeling of behavioral phenomena;
``(8) supply chain quality and security; and
``(9) privacy protection and protected disclosure of confidential data.
``(c) Recommendations.--The advisory committee under section 101(b) shall make recommendations to the Program for candidate research and development areas for support under this section.
``(d) Characteristics.--
``(1) In general.--Research and development activities under this section--
``(A) shall include projects selected on the basis of applications for support through a competitive, merit-based process;
``(B) shall leverage, when possible, Federal investments through collaboration with related State initiatives;
``(C) shall include a plan for fostering the transfer of research discoveries and the results of technology demonstration activities, including from institutions of higher education and Federal laboratories, to industry for commercial development;
``(D) shall involve collaborations among researchers in institutions of higher education and industry; and
``(E) may involve collaborations among nonprofit research institutions and Federal laboratories, as appropriate.
``(2) Cost-sharing.--In selecting applications for support, the agencies under section 101(a)(3)(B) shall give special consideration to projects that include cost sharing from non-Federal sources.
``(3) Multidisciplinary research centers.--Research and development activities under this section shall be supported through multidisciplinary research centers, including Federal laboratories, that are organized to investigate basic research questions and carry out technology demonstration activities in areas described in subsection (a). Research may be carried out through existing multidisciplinary centers, including those authorized under section 7024(b)(2) of the America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
(b) Cyber-Physical Systems.--Section 101(a)(1) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is amended--
(1) in subparagraph (H), by striking ``and'' after the semicolon;
(2) in subparagraph (I), by striking the period at the end and inserting a semicolon; and
(3) by adding at the end the following:
``(J) provide for increased understanding of the scientific principles of cyber-physical systems and improve the methods available for the design, development, and operation of cyber-physical systems that are characterized by high reliability, safety, and security; and
``(K) provide for research and development on human-computer interactions, visualization, and big data.''.
(c) Task Force.--Title I of the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 402(a) of this Act, is amended by adding at the end the following:
``SEC. 105. TASK FORCE.
``(a) Establishment.--Not later than 180 days after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Director of the Office of Science and Technology Policy under section 102 shall convene a task force to explore mechanisms for carrying out collaborative research and development activities for cyber-physical systems (including the related technologies required to enable these systems) through a consortium or other appropriate entity with participants from institutions of higher education, Federal laboratories, and industry.
``(b) Functions.--The task force shall--
[[Page S5505]]
``(1) develop options for a collaborative model and an organizational structure for such entity under which the joint research and development activities could be planned, managed, and conducted effectively, including mechanisms for the allocation of resources among the participants in such entity for support of such activities;
``(2) propose a process for developing a research and development agenda for such entity, including guidelines to ensure an appropriate scope of work focused on nationally significant challenges and requiring collaboration and to ensure the development of related scientific and technological milestones;
``(3) define the roles and responsibilities for the participants from institutions of higher education, Federal laboratories, and industry in such entity;
``(4) propose guidelines for assigning intellectual property rights and for transferring research results to the private sector; and
``(5) make recommendations for how such entity could be funded from Federal, State, and non-governmental sources.
``(c) Composition.--In establishing the task force under subsection (a), the Director of the Office of Science and Technology Policy shall appoint an equal number of individuals from institutions of higher education and from industry with knowledge and expertise in cyber-physical systems, and may appoint not more than 2 individuals from Federal laboratories.
``(d) Report.--Not later than 1 year after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Director of the Office of Science and Technology Policy shall transmit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives a report describing the findings and recommendations of the task force.
``(e) Termination.--The task force shall terminate upon transmittal of the report required under subsection (d). ``(f) Compensation and Expenses.--Members of the task force shall serve without compensation.''. SEC. 403. PROGRAM IMPROVEMENTS. Section 102 of the High-Performance Computing Act of 1991 (15 U.S.C. 5512) is amended to read as follows: ``SEC. 102. PROGRAM IMPROVEMENTS. ``(a) Functions.--The Director of the Office of Science and Technology Policy shall continue-- ``(1) to provide technical and administrative support to-- ``(A) the agencies participating in planning and implementing the Program, including support needed to develop the strategic plan under section 101(e); and ``(B) the advisory committee under section 101(b); ``(2) to serve as the primary point of contact on Federal networking and information technology activities for government agencies, academia, industry, professional societies, State computing and networking technology programs, interested citizen groups, and others to exchange technical and programmatic information; ``(3) to solicit input and recommendations from a wide range of stakeholders during the development of each strategic plan under section 101(e) by convening at least 1 workshop with invitees from academia, industry, Federal laboratories, and other relevant organizations and institutions; ``(4) to conduct public outreach, including the dissemination of the advisory committee's findings and recommendations, as appropriate; ``(5) to promote access to and early application of the technologies, innovations, and expertise derived from Program activities to agency missions and systems across the Federal Government and to United States industry; ``(6) to ensure accurate and detailed budget reporting of networking and information technology research and development investment; and ``(7) to encourage agencies participating in the Program to use existing programs and resources to strengthen networking and information technology 
education and training, and increase participation in such fields, including by women and underrepresented minorities. ``(b) Source of Funding.-- ``(1) In general.--The functions under this section shall be supported by funds from each agency participating in the Program. ``(2) Specifications.--The portion of the total budget of the Office of Science and Technology Policy that is provided by each agency participating in the Program for each fiscal year shall be in the same proportion as each agency's share of the total budget for the Program for the previous fiscal year, as specified in the database under section 102(c). ``(c) Database.-- ``(1) In general.--The Director of the Office of Science and Technology Policy shall develop and maintain a database of projects funded by each agency for the fiscal year for each Program Component Area. ``(2) Public accessibility.--The Director of the Office of Science and Technology Policy shall make the database accessible to the public. ``(3) Database contents.--The database shall include, for each project in the database-- ``(A) a description of the project; ``(B) each agency, industry, institution of higher education, Federal laboratory, or international institution involved in the project; ``(C) the source funding of the project (set forth by agency); ``(D) the funding history of the project; and ``(E) whether the project has been completed.''. SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION TECHNOLOGY, INCLUDING HIGH PERFORMANCE COMPUTING. Section 201(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 
5521(a)) is amended-- (1) by redesignating paragraphs (2) through (4) as paragraphs (3) through (5), respectively; and (2) by inserting after paragraph (1) the following: ``(2) the National Science Foundation shall use its existing programs, in collaboration with other agencies, as appropriate, to improve the teaching and learning of networking and information technology at all levels of education and to increase participation in networking and information technology fields;''. SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-PERFORMANCE COMPUTING ACT OF 1991. (a) Section 3.--Section 3 of the High-Performance Computing Act of 1991 (15 U.S.C. 5502) is amended-- (1) in the matter preceding paragraph (1), by striking ``high-performance computing'' and inserting ``networking and information technology''; (2) in paragraph (1)-- (A) in the matter preceding subparagraph (A), by striking ``high-performance computing'' and inserting ``networking and information technology''; (B) in subparagraphs (A), (F), and (G), by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and (C) in subparagraph (H), by striking ``high-performance'' and inserting ``high-end''; and (3) in paragraph (2)-- (A) by striking ``high-performance computing and'' and inserting ``networking and information technology, and''; and (B) by striking ``high-performance computing network'' and inserting ``networking and information technology''. (b) Title Heading.--The heading of title I of the High-Performance Computing Act of 1991 (105 Stat. 1595) is amended by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting ``NETWORKING AND INFORMATION TECHNOLOGY''. (c) Section 101.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 
5511) is amended-- (1) in the section heading, by striking ``high-performance computing'' and inserting ``networking and information technology research and development''; (2) in subsection (a)-- (A) in the subsection heading, by striking ``National High-Performance Computing'' and inserting ``Networking and Information Technology Research and Development''; (B) in paragraph (1)-- (i) by striking ``National High-Performance Computing Program'' and inserting ``networking and information technology research and development program''; (ii) in subparagraph (A), by striking ``high-performance computing, including networking'' and inserting ``networking and information technology''; (iii) in subparagraphs (B) and (G), by striking ``high-performance'' each place it appears and inserting ``high-end''; and (iv) in subparagraph (C), by striking ``high-performance computing and networking'' and inserting ``high-end computing, distributed, and networking''; and (C) in paragraph (2)-- (i) in subparagraphs (A) and (C)-- (I) by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and (II) by striking ``development, networking,'' each place it appears and inserting ``development,''; and (ii) in subparagraphs (G) and (H), as redesignated by section 401(d) of this Act, by striking ``high-performance'' each place it appears and inserting ``high-end''; (3) in subsection (b)(1), in the matter preceding subparagraph (A), by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and (4) in subsection (c)(1)(A), by striking ``high-performance computing'' and inserting ``networking and information technology''. (d) Section 201.--Section 201(a)(1) of the High-Performance Computing Act of 1991 (15 U.S.C. 
5521(a)(1)) is amended by striking ``high-performance computing and advanced high-speed computer networking'' and inserting ``networking and information technology research and development''. (e) Section 202.--Section 202(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by striking ``high-performance computing'' and inserting ``networking and information technology''. (f) Section 203.--Section 203(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5523(a)) is amended-- (1) in paragraph (1), by striking ``high-performance computing and networking'' and inserting ``networking and information technology''; and (2) in paragraph (2)(A), by striking ``high-performance'' and inserting ``high-end''. (g) Section 204.--Section 204 of the High-Performance Computing Act of 1991 (15 U.S.C. 5524) is amended-- [[Page S5506]] (1) in subsection (a)(1)-- (A) in subparagraph (A), by striking ``high-performance computing systems and networks'' and inserting ``networking and information technology systems and capabilities''; (B) in subparagraph (B), by striking ``interoperability of high-performance computing systems in networks and for common user interfaces to systems'' and inserting ``interoperability and usability of networking and information technology systems''; and (C) in subparagraph (C), by striking ``high-performance computing'' and inserting ``networking and information technology''; and (2) in subsection (b)-- (A) by striking ``High-Performance Computing and Network'' in the heading and inserting ``Networking and Information Technology''; and (B) by striking ``sensitive''. (h) Section 205.--Section 205(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by striking ``computational'' and inserting ``networking and information technology''. (i) Section 206.--Section 206(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 
5526(a)) is amended by striking ``computational research'' and inserting ``networking and information technology research''. (j) Section 207.--Section 207 of the High-Performance Computing Act of 1991 (15 U.S.C. 5527) is amended by striking ``high-performance computing'' and inserting ``networking and information technology''. (k) Section 208.--Section 208 of the High-Performance Computing Act of 1991 (15 U.S.C. 5528) is amended-- (1) in the section heading, by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting ``NETWORKING AND INFORMATION TECHNOLOGY''; and (2) in subsection (a)-- (A) in paragraph (1), by striking ``High-performance computing and associated'' and inserting ``Networking and information''; (B) in paragraph (2), by striking ``high-performance computing'' and inserting ``networking and information technologies''; (C) in paragraph (3), by striking ``high-performance'' and inserting ``high-end''; (D) in paragraph (4), by striking ``high-performance computers and associated'' and inserting ``networking and information''; and (E) in paragraph (5), by striking ``high-performance computing and associated'' and inserting ``networking and information''. SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM. (a) In General.--The Director of the National Science Foundation, in coordination with the Secretary of Homeland Security, shall carry out a Federal cyber scholarship-for-service program to recruit and train the next generation of information technology professionals and security managers to meet the needs of the cybersecurity mission for the Federal government. 
(b) Program Description and Components.--The program shall-- (1) annually assess the workforce needs of the Federal government for cybersecurity professionals, including network engineers, software engineers, and other experts in order to determine how many scholarships should be awarded annually to ensure that the workforce needs following graduation match the number of scholarships awarded; (2) provide scholarships for up to 1,000 students per year in their pursuit of undergraduate or graduate degrees in the cybersecurity field, in an amount that may include coverage for full tuition, fees, and a stipend; (3) require each scholarship recipient, as a condition of receiving a scholarship under the program, to serve in a Federal information technology workforce for a period equal to one and one-half times each year, or partial year, of scholarship received, in addition to an internship in the cybersecurity field, if applicable, following graduation; (4) provide a procedure for the National Science Foundation or a Federal agency, consistent with regulations of the Office of Personnel Management, to request and fund a security clearance for a scholarship recipient, including providing for clearance during a summer internship and upon graduation; and (5) provide opportunities for students to receive temporary appointments for meaningful employment in the Federal information technology workforce during school vacation periods and for internships. (c) Hiring Authority.-- (1) In general.--For purposes of any law or regulation governing the appointment of an individual in the Federal civil service, upon the successful completion of the student's studies, a student receiving a scholarship under the program may-- (A) be hired under section 213.3102(r) of title 5, Code of Federal Regulations; and (B) be exempt from competitive service. 
(2) Competitive service.--Upon satisfactory fulfillment of the service term under paragraph (1), an individual may be converted to a competitive service position without competition if the individual meets the requirements for that position. (d) Eligibility.--The eligibility requirements for a scholarship under this section shall include that a scholarship applicant-- (1) be a citizen of the United States; (2) be eligible to be granted a security clearance; (3) maintain a grade point average of 3.2 or above on a 4.0 scale for undergraduate study or a 3.5 or above on a 4.0 scale for postgraduate study; (4) demonstrate a commitment to a career in improving the security of the information infrastructure; and (5) has demonstrated a level of proficiency in math or computer sciences. (e) Failure to Complete Service Obligation.-- (1) In general.--A scholarship recipient under this section shall be liable to the United States under paragraph (2) if the scholarship recipient-- (A) fails to maintain an acceptable level of academic standing in the educational institution in which the individual is enrolled, as determined by the Director; (B) is dismissed from such educational institution for disciplinary reasons; (C) withdraws from the program for which the award was made before the completion of such program; (D) declares that the individual does not intend to fulfill the service obligation under this section; (E) fails to fulfill the service obligation of the individual under this section; or (F) loses a security clearance or becomes ineligible for a security clearance. (2) Repayment amounts.-- (A) Less than 1 year of service.--If a circumstance under paragraph (1) occurs before the completion of 1 year of a service obligation under this section, the total amount of awards received by the individual under this section shall be repaid. 
(B) One or more years of service.--If a circumstance described in subparagraph (D) or (E) of paragraph (1) occurs after the completion of 1 year of a service obligation under this section, the total amount of scholarship awards received by the individual under this section, reduced by the ratio of the number of years of service completed divided by the number of years of service required, shall be repaid. (f) Evaluation and Report.--The Director of the National Science Foundation shall-- (1) evaluate the success of recruiting individuals for scholarships under this section and of hiring and retaining those individuals in the public sector workforce, including the annual cost and an assessment of how the program actually improves the Federal workforce; and (2) periodically report the findings under paragraph (1) to Congress. (g) Authorization of Appropriations.--From amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), the Secretary may use funds to carry out the requirements of this section for fiscal years 2012 through 2013. SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF INFORMATION INFRASTRUCTURE PROFESSIONALS. (a) Study.--The President shall enter into an agreement with the National Academies to conduct a comprehensive study of government, academic, and private-sector accreditation, training, and certification programs for personnel working in information infrastructure. The agreement shall require the National Academies to consult with sector coordinating councils and relevant governmental agencies, regulatory entities, and nongovernmental organizations in the course of the study. 
(b) Scope.--The study shall include-- (1) an evaluation of the body of knowledge and various skills that specific categories of personnel working in information infrastructure should possess in order to secure information systems; (2) an assessment of whether existing government, academic, and private-sector accreditation, training, and certification programs provide the body of knowledge and various skills described in paragraph (1); (3) an analysis of any barriers to the Federal Government recruiting and hiring cybersecurity talent, including barriers relating to compensation, the hiring process, job classification, and hiring flexibility; and (4) an analysis of the sources and availability of cybersecurity talent, a comparison of the skills and expertise sought by the Federal Government and the private sector, an examination of the current and future capacity of United States institutions of higher education, including community colleges, to provide current and future cybersecurity professionals, through education and training activities, with those skills sought by the Federal Government, State and local entities, and the private sector. (c) Report.--Not later than 1 year after the date of enactment of this Act, the National Academies shall submit to the President and Congress a report on the results of the study. The report shall include-- (1) findings regarding the state of information infrastructure accreditation, training, and certification programs, including specific areas of deficiency and demonstrable progress; and (2) recommendations for the improvement of information infrastructure accreditation, training, and certification programs. SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS. 
(a) In General.--The Director of the National Institute of Standards and Technology, in coordination with appropriate Federal authorities, shall-- (1) as appropriate, ensure coordination of Federal agencies engaged in the development of international technical standards related to information system security; and (2) not later than 1 year after the date of enactment of this Act, develop and transmit to Congress a plan for ensuring such Federal agency coordination. [[Page S5507]] (b) Consultation With the Private Sector.--In carrying out the activities under subsection (a)(1), the Director shall ensure consultation with appropriate private sector stakeholders. SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT. The Director of the National Institute of Standards and Technology shall continue a program to support the development of technical standards, metrology, testbeds, and conformance criteria, taking into account appropriate user concerns-- (1) to improve interoperability among identity management technologies; (2) to strengthen authentication methods of identity management systems; (3) to improve privacy protection in identity management systems, including health information technology systems, through authentication and security protocols; and (4) to improve the usability of identity management systems. SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT. (a) National Science Foundation Computer and Network Security Research Grant Areas.--Section 4(a)(1) of the Cyber Security Research and Development Act (15 U.S.C. 
7403(a)(1)) is amended-- (1) in subparagraph (H), by striking ``and'' after the semicolon; (2) in subparagraph (I), by striking ``property.'' and inserting ``property;''; and (3) by adding at the end the following: ``(J) secure fundamental protocols that are at the heart of inter-network communications and data exchange; ``(K) system security that addresses the building of secure systems from trusted and untrusted components; ``(L) monitoring and detection; and ``(M) resiliency and rapid recovery methods.''. (b) National Science Foundation Computer and Network Security Grants.--Section 4(a)(3) of the Cyber Security Research and Development Act (15 U.S.C. 7403(a)(3)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (c) Computer and Network Security Centers.--Section 4(b)(7) of the Cyber Security Research and Development Act (15 U.S.C. 7403(b)(7)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (d) Computer and Network Security Capacity Building Grants.--Section 5(a)(6) of the Cyber Security Research and Development Act (15 U.S.C. 
7404(a)(6)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (e) Scientific and Advanced Technology Act Grants.--Section 5(b)(2) of the Cyber Security Research and Development Act (15 U.S.C. 7404(b)(2)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (f) Graduate Traineeships in Computer and Network Security Research.--Section 5(c)(7) of the Cyber Security Research and Development Act (15 U.S.C. 7404(c)(7)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. ______ SA 2582. Mrs. HUTCHISON (for herself, Mr. McCain, Mr. Chambliss, Mr. Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of Wisconsin) submitted an amendment intended to be proposed by her to the bill S. 
3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: Beginning on page 1, strike line 3 and all that follows through page 211, line 6 and insert the following: SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) Short Title.--This Act may be cited as the ``Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012'' or ``SECURE IT''. (b) Table of Contents.--The table of contents of this Act is as follows: Sec. 1. Short title; table of contents. TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION Sec. 101. Definitions. Sec. 102. Authorization to share cyber threat information. Sec. 103. Information sharing by the Federal government. Sec. 104. Construction. Sec. 105. Report on implementation. Sec. 106. Inspector General review. Sec. 107. Technical amendments. Sec. 108. Access to classified information. TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY Sec. 201. Coordination of Federal information security policy. Sec. 202. Management of information technology. Sec. 203. No new funding. Sec. 204. Technical and conforming amendments. Sec. 205. Clarification of authorities. TITLE III--CRIMINAL PENALTIES Sec. 301. Penalties for fraud and related activity in connection with computers. Sec. 302. Trafficking in passwords. Sec. 303. Conspiracy and attempted computer fraud offenses. Sec. 304. Criminal and civil forfeiture for fraud and related activity in connection with computers. Sec. 305. Damage to critical infrastructure computers. Sec. 306. Limitation on actions involving unauthorized use. Sec. 307. No new funding. TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT Sec. 401. National High-Performance Computing Program planning and coordination. Sec. 402. Research in areas of national importance. Sec. 403. Program improvements. Sec. 404. 
Improving education of networking and information technology, including high performance computing. Sec. 405. Conforming and technical amendments to the High-Performance Computing Act of 1991. Sec. 406. Federal cyber scholarship-for-service program. Sec. 407. Study and analysis of certification and training of information infrastructure professionals. Sec. 408. International cybersecurity technical standards. Sec. 409. Identity management research and development. Sec. 410. Federal cybersecurity research and development. TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION SEC. 101. DEFINITIONS. In this title: (1) Agency.--The term ``agency'' has the meaning given the term in section 3502 of title 44, United States Code. (2) Antitrust laws.--The term ``antitrust laws''-- (A) has the meaning given the term in section 1(a) of the Clayton Act (15 U.S.C. 12(a)); (B) includes section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent that section 5 of that Act applies to unfair methods of competition; and (C) includes any State law that has the same intent and effect as the laws under subparagraphs (A) and (B). (3) Countermeasure.--The term ``countermeasure'' means an automated or a manual action with defensive intent to mitigate cyber threats. 
(4) Cyber threat information.--The term ``cyber threat information'' means information that indicates or describes-- (A) a technical or operation vulnerability or a cyber threat mitigation measure; (B) an action or operation to mitigate a cyber threat; (C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat; (D) a method of defeating a technical control; (E) a method of defeating an operational control; (F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent; (G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control; (H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law; (I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to [[Page S5508]] identify or describe a cybersecurity threat; or (J) any combination of subparagraphs (A) through (I). (5) Cybersecurity center.--The term ``cybersecurity center'' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center. 
(6) Cybersecurity system.--The term ``cybersecurity system'' means a system designed or employed to ensure the integrity, confidentiality, or availability of, or to safeguard, a system or network, including measures intended to protect a system or network from-- (A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriations of private or government information, intellectual property, or personally identifiable information. (7) Entity.-- (A) In general.--The term ``entity'' means any private entity, non-Federal government agency or department, or State, tribal, or local government agency or department (including an officer, employee, or agent thereof). (B) Inclusions.--The term ``entity'' includes a government agency or department (including an officer, employee, or agent thereof) of the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Northern Mariana Islands, and any other territory or possession of the United States. (8) Federal information system.--The term ``Federal information system'' means an information system of a Federal department or agency used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. (9) Information security.--The term ``information security'' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide-- (A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity; (B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or (C) availability, by ensuring timely and reliable access to and use of information. 
(10) Information system.--The term ``information system'' has the meaning given the term in section 3502 of title 44, United States Code. (11) Local government.--The term ``local government'' means any borough, city, county, parish, town, township, village, or other general purpose political subdivision of a State. (12) Malicious reconnaissance.--The term ``malicious reconnaissance'' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat. (13) Operational control.--The term ``operational control'' means a security control for an information system that primarily is implemented and executed by people. (14) Operational vulnerability.--The term ``operational vulnerability'' means any attribute of policy, process, or procedure that could enable or facilitate the defeat of an operational control. (15) Private entity.--The term ``private entity'' means any individual or any private group, organization, or corporation, including an officer, employee, or agent thereof. (16) Significant cyber incident.--The term ``significant cyber incident'' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in-- (A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or (B) an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated. (17) Technical control.--The term ``technical control'' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system. 
(18) Technical vulnerability.--The term ``technical vulnerability'' means any attribute of hardware or software that could enable or facilitate the defeat of a technical control. (19) Tribal.--The term ``tribal'' has the meaning given the term ``Indian tribe'' in section 4 of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 450b). SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION. (a) Voluntary Disclosure.-- (1) Private entities.--Notwithstanding any other provision of law, a private entity may, for the purpose of preventing, investigating, or otherwise mitigating threats to information security, on its own networks, or as authorized by another entity, on such entity's networks, employ countermeasures and use cybersecurity systems in order to obtain, identify, or otherwise possess cyber threat information. (2) Entities.--Notwithstanding any other provision of law, an entity may disclose cyber threat information to-- (A) a cybersecurity center; or (B) any other entity in order to assist with preventing, investigating, or otherwise mitigating threats to information security. (3) Information security providers.--If the cyber threat information described in paragraph (1) is obtained, identified, or otherwise possessed in the course of providing information security products or services under contract to another entity, that entity shall be given, at any time prior to disclosure of such information, a reasonable opportunity to authorize or prevent such disclosure, to request anonymization of such information, or to request that reasonable efforts be made to safeguard such information that identifies specific persons from unauthorized access or disclosure. 
(b) Significant Cyber Incidents Involving Federal Information Systems.-- (1) In general.--An entity providing electronic communication services, remote computing services, or information security services to a Federal department or agency shall inform the Federal department or agency of a significant cyber incident involving the Federal information system of that Federal department or agency that-- (A) is directly known to the entity as a result of providing such services; (B) is directly related to the provision of such services by the entity; and (C) as determined by the entity, has impeded or will impede the performance of a critical mission of the Federal department or agency. (2) Advance coordination.--A Federal department or agency receiving the services described in paragraph (1) shall coordinate in advance with an entity described in paragraph (1) to develop the parameters of any information that may be provided under paragraph (1), including clarification of the type of significant cyber incident that will impede the performance of a critical mission of the Federal department or agency. (3) Report.--A Federal department or agency shall report information provided under this subsection to a cybersecurity center. (4) Construction.--Any information provided to a cybersecurity center under paragraph (3) shall be treated in the same manner as information provided to a cybersecurity center under subsection (a). 
    (c) Information Shared With or Provided to a Cybersecurity Center.--Cyber threat information provided to a cybersecurity center under this section--
        (1) may be disclosed to, retained by, and used by, consistent with otherwise applicable Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal government for a cybersecurity purpose, a national security purpose, or in order to prevent, investigate, or prosecute any of the offenses listed in section 2516 of title 18, United States Code, and such information shall not be disclosed to, retained by, or used by any Federal agency or department for any use not permitted under this paragraph;
        (2) may, with the prior written consent of the entity submitting such information, be disclosed to and used by a State, tribal, or local government or government agency for the purpose of protecting information systems, or in furtherance of preventing, investigating, or prosecuting a criminal act, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent;
        (3) shall be considered the commercial, financial, or proprietary information of the entity providing such information to the Federal government and any disclosure outside the Federal government may only be made upon the prior written consent by such entity and shall not constitute a waiver of any applicable privilege or protection provided by law, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent;
        (4) shall be deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records;
        (5) shall be, without discretion, withheld from the public under section 552(b)(3)(B) of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records;
        (6) shall not be subject to the rules of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official;
        (7) shall not, if subsequently provided to a State, tribal, or local government or government agency, otherwise be disclosed or distributed to any entity by such State, tribal, or local government or government agency without the prior written consent of the entity submitting such information, notwithstanding any State, tribal, or local law requiring disclosure of information or records,

[[Page S5509]]

except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent; and
        (8) shall not be directly used by any Federal, State, tribal, or local department or agency to regulate the lawful activities of an entity, including activities relating to obtaining, identifying, or otherwise possessing cyber threat information, except that the procedures required to be developed and implemented under this title shall not be considered regulations within the meaning of this paragraph.
    (d) Procedures Relating to Information Sharing With a Cybersecurity Center.--Not later than 60 days after the date of enactment of this Act, the heads of each department or agency containing a cybersecurity center shall jointly develop, promulgate, and submit to Congress procedures to ensure that cyber threat information shared with or provided to--
        (1) a cybersecurity center under this section--
            (A) may be submitted to a cybersecurity center by an entity, to the greatest extent possible, through a uniform, publicly available process or format that is easily accessible on the website of such cybersecurity center, and that includes the ability to provide relevant details about the cyber threat information and written consent to any subsequent disclosures authorized by this paragraph;
            (B) shall immediately be further shared with each cybersecurity center in order to prevent, investigate, or otherwise mitigate threats to information security across the Federal government;
            (C) is handled by the Federal government in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title, and the Federal government may undertake efforts consistent with this subparagraph to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal government; and
            (D) except as provided in this section, shall only be used, disclosed, or handled in accordance with the provisions of subsection (c); and
        (2) a Federal agency or department under subsection (b) is provided immediately to a cybersecurity center in order to prevent, investigate, or otherwise mitigate threats to information security across the Federal government.
    (e) Information Shared Between Entities.--
        (1) In general.--An entity sharing cyber threat information with another entity under this title may restrict the use or sharing of such information by such other entity.
        (2) Further sharing.--Cyber threat information shared by any entity with another entity under this title--
            (A) shall only be further shared in accordance with any restrictions placed on the sharing of such information by the entity authorizing such sharing, such as appropriate anonymization of such information; and
            (B) may not be used by any entity to gain an unfair competitive advantage to the detriment of the entity authorizing the sharing of such information, except that the conduct described in paragraph (3) shall not constitute unfair competitive conduct.
        (3) Information shared with state, tribal, or local government or government agency.--Cyber threat information shared with a State, tribal, or local government or government agency under this title--
            (A) may, with the prior written consent of the entity sharing such information, be disclosed to and used by a State, tribal, or local government or government agency for the purpose of protecting information systems, or in furtherance of preventing, investigating, or prosecuting a criminal act, except if the need for immediate disclosure prevents obtaining written consent, consent may be provided orally with subsequent documentation of the consent;
            (B) shall be deemed voluntarily shared information and exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records;
            (C) shall not be disclosed or distributed to any entity by the State, tribal, or local government or government agency without the prior written consent of the entity submitting such information, notwithstanding any State, tribal, or local law requiring disclosure of information or records, except if the need for immediate disclosure prevents obtaining written consent, consent may be provided orally with subsequent documentation of the consent; and
            (D) shall not be directly used by any State, tribal, or local department or agency to regulate the lawful activities of an entity, including activities relating to obtaining, identifying, or otherwise possessing cyber threat information, except that the procedures required to be developed and implemented under this title shall not be considered regulations within the meaning of this subparagraph.
        (4) Antitrust exemption.--The exchange or provision of cyber threat information or assistance between 2 or more private entities under this title shall not be considered a violation of any provision of antitrust laws if exchanged or provided in order to assist with--
            (A) facilitating the prevention, investigation, or mitigation of threats to information security; or
            (B) communicating or disclosing of cyber threat information to help prevent, investigate or otherwise mitigate the effects of a threat to information security.
        (5) No right or benefit.--The provision of cyber threat information to an entity under this section shall not create a right or a benefit to similar information by such entity or any other entity.
    (f) Federal Preemption.--
        (1) In general.--This section supersedes any statute or other law of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under this section.
        (2) State law enforcement.--Nothing in this section shall be construed to supersede any statute or other law of a State or political subdivision of a State concerning the use of authorized law enforcement techniques.
        (3) Public disclosure.--No information shared with or provided to a State, tribal, or local government or government agency pursuant to this section shall be made publicly available pursuant to any State, tribal, or local law requiring disclosure of information or records.
    (g) Civil and Criminal Liability.--
        (1) General protections.--
            (A) Private entities.--No cause of action shall lie or be maintained in any court against any private entity for--
                (i) the use of countermeasures and cybersecurity systems as authorized by this title;
                (ii) the use, receipt, or disclosure of any cyber threat information as authorized by this title; or
                (iii) the subsequent actions or inactions of any lawful recipient of cyber threat information provided by such private entity.
            (B) Entities.--No cause of action shall lie or be maintained in any court against any entity for--
                (i) the use, receipt, or disclosure of any cyber threat information as authorized by this title; or
                (ii) the subsequent actions or inactions of any lawful recipient of cyber threat information provided by such entity.
        (2) Construction.--Nothing in this subsection shall be construed as creating any immunity against, or otherwise affecting, any action brought by the Federal government, or any agency or department thereof, to enforce any law, executive order, or procedure governing the appropriate handling, disclosure, and use of classified information.
    (h) Otherwise Lawful Disclosures.--Nothing in this section shall be construed to limit or prohibit otherwise lawful disclosures of communications, records, or other information by a private entity to any other governmental or private entity not covered under this section.
    (i) Whistleblower Protection.--Nothing in this Act shall be construed to preempt or preclude any employee from exercising rights currently provided under any whistleblower law, rule, or regulation.
    (j) Relationship to Other Laws.--The submission of cyber threat information under this section to a cybersecurity center shall not affect any requirement under any other provision of law for an entity to provide information to the Federal government.

SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.
    (a) Classified Information.--
        (1) Procedures.--Consistent with the protection of intelligence sources and methods, and as otherwise determined appropriate, the Director of National Intelligence and the Secretary of Defense, in consultation with the heads of the appropriate Federal departments or agencies, shall develop and promulgate procedures to facilitate and promote--
            (A) the immediate sharing, through the cybersecurity centers, of classified cyber threat information in the possession of the Federal government with appropriately cleared representatives of any appropriate entity; and
            (B) the declassification and immediate sharing, through the cybersecurity centers, with any entity or, if appropriate, public availability of cyber threat information in the possession of the Federal government;
        (2) Handling of classified information.--The procedures developed under paragraph (1) shall ensure that each entity receiving classified cyber threat information pursuant to this section has acknowledged in writing the ongoing obligation to comply with all laws, executive orders, and procedures concerning the appropriate handling, disclosure, or use of classified information.
    (b) Unclassified Cyber Threat Information.--The heads of each department or agency containing a cybersecurity center shall jointly develop and promulgate procedures that ensure that, consistent with the provisions of this section, unclassified, including controlled unclassified, cyber threat information in the possession of the Federal government--
        (1) is shared, through the cybersecurity centers, in an immediate and adequate manner with appropriate entities; and
        (2) if appropriate, is made publicly available.
    (c) Development of Procedures.--
        (1) In general.--The procedures developed under this section shall incorporate, to the greatest extent possible, existing processes utilized by sector specific information sharing and analysis centers.
[[Page S5510]]

        (2) Coordination with entities.--In developing the procedures required under this section, the Director of National Intelligence and the heads of each department or agency containing a cybersecurity center shall coordinate with appropriate entities to ensure that protocols are implemented that will facilitate and promote the sharing of cyber threat information by the Federal government.
    (d) Additional Responsibilities of Cybersecurity Centers.--Consistent with section 102, a cybersecurity center shall--
        (1) facilitate information sharing, interaction, and collaboration among and between cybersecurity centers and--
            (A) other Federal entities;
            (B) any entity; and
            (C) international partners, in consultation with the Secretary of State;
        (2) disseminate timely and actionable cybersecurity threat, vulnerability, mitigation, and warning information, including alerts, advisories, indicators, signatures, and mitigation and response measures, to improve the security and protection of information systems; and
        (3) coordinate with other Federal entities, as appropriate, to integrate information from across the Federal government to provide situational awareness of the cybersecurity posture of the United States.
    (e) Sharing Within the Federal Government.--The heads of appropriate Federal departments and agencies shall ensure that cyber threat information in the possession of such Federal departments or agencies that relates to the prevention, investigation, or mitigation of threats to information security across the Federal government is shared effectively with the cybersecurity centers.
    (f) Submission to Congress.--Not later than 60 days after the date of enactment of this Act, the Director of National Intelligence, in coordination with the appropriate head of a department or an agency containing a cybersecurity center, shall submit the procedures required by this section to Congress.

SEC. 104. CONSTRUCTION.
    (a) Information Sharing Relationships.--Nothing in this title shall be construed--
        (1) to limit or modify an existing information sharing relationship;
        (2) to prohibit a new information sharing relationship;
        (3) to require a new information sharing relationship between any entity and the Federal government, except as specified under section 102(b); or
        (4) to modify the authority of a department or agency of the Federal government to protect sources and methods and the national security of the United States.
    (b) Anti-tasking Restriction.--Nothing in this title shall be construed to permit the Federal government--
        (1) to require an entity to share information with the Federal government, except as expressly provided under section 102(b); or
        (2) to condition the sharing of cyber threat information with an entity on such entity's provision of cyber threat information to the Federal government.
    (c) No Liability for Non-participation.--Nothing in this title shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized under this title.
    (d) Use and Retention of Information.--Nothing in this title shall be construed to authorize, or to modify any existing authority of, a department or agency of the Federal government to retain or use any information shared under section 102 for any use other than a use permitted under subsection 102(c)(1).
    (e) No New Funding.--An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate.

SEC. 105. REPORT ON IMPLEMENTATION.
    (a) Content of Report.--Not later than 1 year after the date of enactment of this Act, and biennially thereafter, the heads of each department or agency containing a cybersecurity center shall jointly submit, in coordination with the privacy and civil liberties officials of such departments or agencies and the Privacy and Civil Liberties Oversight Board, a detailed report to Congress concerning the implementation of this title, including--
        (1) an assessment of the sufficiency of the procedures developed under section 103 of this Act in ensuring that cyber threat information in the possession of the Federal government is provided in an immediate and adequate manner to appropriate entities or, if appropriate, is made publicly available;
        (2) an assessment of whether information has been appropriately classified and an accounting of the number of security clearances authorized by the Federal government for purposes of this title;
        (3) a review of the type of cyber threat information shared with a cybersecurity center under section 102 of this Act, including whether such information meets the definition of cyber threat information under section 101, the degree to which such information may impact the privacy and civil liberties of individuals, any appropriate metrics to determine any impact of the sharing of such information with the Federal government on privacy and civil liberties, and the adequacy of any steps taken to reduce such impact;
        (4) a review of actions taken by the Federal government based on information provided to a cybersecurity center under section 102 of this Act, including the appropriateness of any subsequent use under section 102(c)(1) of this Act and whether there was inappropriate stovepiping within the Federal government of any such information;
        (5) a description of any violations of the requirements of this title by the Federal government;
        (6) a classified list of entities that received classified information from the Federal government under section 103 of this Act and a description of any indication that such information may not have been appropriately handled;
        (7) a summary of any breach of information security, if known, attributable to a specific failure by any entity or the Federal government to act on cyber threat information in the possession of such entity or the Federal government that resulted in substantial economic harm or injury to a specific entity or the Federal government; and
        (8) any recommendation for improvements or modifications to the authorities under this title.
    (b) Form of Report.--The report under subsection (a) shall be submitted in unclassified form, but shall include a classified annex.

SEC. 106. INSPECTOR GENERAL REVIEW.

    (a) In General.--The Council of the Inspectors General on Integrity and Efficiency is authorized to review compliance by the cybersecurity centers, and by any Federal department or agency receiving cyber threat information from such cybersecurity centers, with the procedures required under section 102 of this Act.
    (b) Scope of Review.--The review under subsection (a) shall consider whether the Federal government has handled such cyber threat information in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title.
    (c) Report to Congress.--Each review conducted under this section shall be provided to Congress not later than 30 days after the date of completion of the review.

SEC. 107. TECHNICAL AMENDMENTS.
    Section 552(b) of title 5, United States Code, is amended--
        (1) in paragraph (8), by striking ``or'';
        (2) in paragraph (9), by striking ``wells.'' and inserting ``wells; or''; and
        (3) by adding at the end the following:
    ``(10) information shared with or provided to a cybersecurity center under section 102 of title I of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012.''.

SEC. 108. ACCESS TO CLASSIFIED INFORMATION.

    (a) Authorization Required.--No person shall be provided with access to classified information (as defined in section 6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to classified national security information)) relating to cyber security threats or cyber security vulnerabilities under this title without the appropriate security clearances.
    (b) Security Clearances.--The appropriate Federal agencies or departments shall, consistent with applicable procedures and requirements, and if otherwise deemed appropriate, assist an individual in timely obtaining an appropriate security clearance where such individual has been determined to be eligible for such clearance and has a need-to-know (as defined in section 6.1 of that Executive Order) classified information to carry out this title.

TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY.

    (a) In General.--Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:

``SUBCHAPTER II--INFORMATION SECURITY

``Sec. 3551. Purposes

    ``The purposes of this subchapter are--
        ``(1) to provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
        ``(2) to recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management of policies, directives, standards, and guidelines, as well as effective and nimble oversight of and response to information security risks, including coordination of information security efforts throughout the Federal civilian, national security, and law enforcement communities;
        ``(3) to provide for development and maintenance of controls required to protect agency information and information systems and contribute to the overall improvement of agency information security posture;
        ``(4) to provide for the development of tools and methods to assess and respond to real-time situational risk for Federal information system operations and assets; and
        ``(5) to provide a mechanism for improving agency information security programs through continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting.

``Sec. 3552. Definitions

    ``In this subchapter:
        ``(1) Adequate security.--The term `adequate security' means security commensurate with the risk and magnitude of the

[[Page S5511]]

harm resulting from the unauthorized access to or loss, misuse, destruction, or modification of information.
        ``(2) Agency.--The term `agency' has the meaning given the term in section 3502 of title 44.
        ``(3) Cybersecurity center.--The term `cybersecurity center' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center.
        ``(4) Cyber threat information.--The term `cyber threat information' means information that indicates or describes--
            ``(A) a technical or operational vulnerability or a cyber threat mitigation measure;
            ``(B) an action or operation to mitigate a cyber threat;
            ``(C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat;
            ``(D) a method of defeating a technical control;
            ``(E) a method of defeating an operational control;
            ``(F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent;
            ``(G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control;
            ``(H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law;
            ``(I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or
            ``(J) any combination of subparagraphs (A) through (I).
        ``(5) Director.--The term `Director' means the Director of the Office of Management and Budget unless otherwise specified.
        ``(6) Environment of operation.--The term `environment of operation' means the information system and environment in which those systems operate, including changing threats, vulnerabilities, technologies, and missions and business practices.
        ``(7) Federal information system.--The term `Federal information system' means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
        ``(8) Incident.--The term `incident' means an occurrence that--
            ``(A) actually or imminently jeopardizes the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits; or
            ``(B) constitutes a violation of law or an imminent threat of violation of a law, a security policy, a security procedure, or an acceptable use policy.
        ``(9) Information resources.--The term `information resources' has the meaning given the term in section 3502 of title 44.
        ``(10) Information security.--The term `information security' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide--
            ``(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;
            ``(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or
            ``(C) availability, by ensuring timely and reliable access to and use of information.
        ``(11) Information system.--The term `information system' has the meaning given the term in section 3502 of title 44.
        ``(12) Information technology.--The term `information technology' has the meaning given the term in section 11101 of title 40.
        ``(13) Malicious reconnaissance.--The term `malicious reconnaissance' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
        ``(14) National security system.--
            ``(A) In general.--The term `national security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency--
                ``(i) the function, operation, or use of which--
                    ``(I) involves intelligence activities;
                    ``(II) involves cryptologic activities related to national security;
                    ``(III) involves command and control of military forces;
                    ``(IV) involves equipment that is an integral part of a weapon or weapons system; or
                    ``(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or
                ``(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
            ``(B) Limitation.--Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
        ``(15) Operational control.--The term `operational control' means a security control for an information system that primarily is implemented and executed by people.
        ``(16) Person.--The term `person' has the meaning given the term in section 3502 of title 44.
        ``(17) Secretary.--The term `Secretary' means the Secretary of Commerce unless otherwise specified.
        ``(18) Security control.--The term `security control' means the management, operational, and technical controls, including safeguards or countermeasures, prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
        ``(19) Significant cyber incident.--The term `significant cyber incident' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in--
            ``(A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or
            ``(B) an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated.
        ``(20) Technical control.--The term `technical control' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system.

``Sec. 3553. Federal information security authority and coordination

    ``(a) In General.--The Secretary, in consultation with the Secretary of Homeland Security, shall--
        ``(1) issue compulsory and binding policies and directives governing agency information security operations, and require implementation of such policies and directives, including--
            ``(A) policies and directives consistent with the standards and guidelines promulgated under section 11331 of title 40 to identify and provide information security protections prioritized and commensurate with the risk and impact resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of--
                ``(i) information collected or maintained by or on behalf of an agency; or
                ``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
            ``(B) minimum operational requirements for Federal Government to protect agency information systems and provide common situational awareness across all agency information systems;
            ``(C) reporting requirements, consistent with relevant law, regarding information security incidents and cyber threat information;
            ``(D) requirements for agencywide information security programs;
            ``(E) performance requirements and metrics for the security of agency information systems;
            ``(F) training requirements to ensure that agencies are able to fully and timely comply with the policies and directives issued by the Secretary under this subchapter;
            ``(G) training requirements regarding privacy, civil rights, and civil liberties, and information oversight for agency information security personnel;
            ``(H) requirements for the annual reports to the Secretary under section 3554(d);
            ``(I) any other information security operations or information security requirements as determined by the Secretary in coordination with relevant agency heads; and
            ``(J) coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems;
        ``(2) review the agencywide information security programs under section 3554; and
        ``(3) designate an individual or an entity at each cybersecurity center, among other responsibilities--
            ``(A) to receive reports and information about information security incidents, cyber threat information, and deterioration of security control affecting agency information systems; and
            ``(B) to act on or share the information under subparagraph (A) in accordance with this subchapter.
    ``(b) Considerations.--When issuing policies and directives under subsection (a), the

[[Page S5512]]

Secretary shall consider any applicable standards or guidelines developed by the National Institute of Standards and Technology under section 11331 of title 40.
    ``(c) Limitation of Authority.--The authorities of the Secretary under this section shall not apply to national security systems. Information security policies, directives, standards and guidelines for national security systems shall be overseen as directed by the President and, in accordance with that direction, carried out under the authority of the heads of agencies that operate or exercise authority over such national security systems.
    ``(d) Statutory Construction.--Nothing in this subchapter shall be construed to alter or amend any law regarding the authority of any head of an agency over such agency.

``Sec. 3554. Agency responsibilities

    ``(a) In General.--The head of each agency shall--
        ``(1) be responsible for--
            ``(A) complying with the policies and directives issued under section 3553;
            ``(B) providing information security protections commensurate with the risk resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of--
                ``(i) information collected or maintained by the agency or by a contractor of an agency or other organization on behalf of an agency; and
                ``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
            ``(C) complying with the requirements of this subchapter, including--
                ``(i) information security standards and guidelines promulgated under section 11331 of title 40;
                ``(ii) for any national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued as directed by the President; and
                ``(iii) for any non-national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued under section 3553;
            ``(D) ensuring that information security management processes are integrated with agency strategic and operational planning processes;
            ``(E) reporting and sharing, for an agency operating or exercising control of a national security system, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for national security systems issued as directed by the President; and
            ``(F) reporting and sharing, for those agencies operating or exercising control of non-national security systems, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated
at each cybersecurity center and to other appropriate entities consistent with policies and directives for non-national security systems as prescribed under section 3553(a), including information to assist the entity designated under section 3555(a) with the ongoing security analysis under section 3555; ``(2) ensure that each senior agency official provides information security for the information and information systems that support the operations and assets under the senior agency official's control, including by-- ``(A) assessing the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems; ``(B) determining the level of information security appropriate to protect such information and information systems in accordance with policies and directives issued under section 3553(a), and standards and guidelines promulgated under section 11331 of title 40 for information security classifications and related requirements; ``(C) implementing policies, procedures, and capabilities to reduce risks to an acceptable level in a cost-effective manner; ``(D) actively monitoring the effective implementation of information security controls and techniques; and ``(E) reporting information about information security incidents, cyber threat information, and deterioration of security controls in a timely and adequate manner to the entity designated under section 3553(a)(3) in accordance with paragraph (1); ``(3) assess and maintain the resiliency of information technology systems critical to agency mission and operations; ``(4) designate the agency Inspector General (or an independent entity selected in consultation with the Director and the Council of Inspectors General on Integrity and Efficiency if the agency does not have an Inspector General) to conduct the annual independent evaluation required under section 3556, and allow the agency Inspector General to contract with an 
independent entity to perform such evaluation; ``(5) delegate to the Chief Information Officer or equivalent (or to a senior agency official who reports to the Chief Information Officer or equivalent)-- ``(A) the authority and primary responsibility to implement an agencywide information security program; and ``(B) the authority to provide information security for the information collected and maintained by the agency (or by a contractor, other agency, or other source on behalf of the agency) and for the information systems that support the operations, assets, and mission of the agency (including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency); ``(6) delegate to the appropriate agency official (who is responsible for a particular agency system or subsystem) the responsibility to ensure and enforce compliance with all requirements of the agency's agencywide information security program in coordination with the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5); ``(7) ensure that an agency has trained personnel who have obtained any necessary security clearances to permit them to assist the agency in complying with this subchapter; ``(8) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5), in coordination with other senior agency officials, reports to the agency head on the effectiveness of the agencywide information security program, including the progress of any remedial actions; and ``(9) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5) has the necessary qualifications to administer the functions described in this subchapter and has information security duties as a 
primary duty of that official. ``(b) Chief Information Officers.--Each Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under subsection (a)(5) shall-- ``(1) establish and maintain an enterprise security operations capability that on a continuous basis-- ``(A) detects, reports, contains, mitigates, and responds to information security incidents that impair adequate security of the agency's information or information system in a timely manner and in accordance with the policies and directives under section 3553; and ``(B) reports any information security incident under subparagraph (A) to the entity designated under section 3555; ``(2) develop, maintain, and oversee an agencywide information security program; ``(3) develop, maintain, and oversee information security policies, procedures, and control techniques to address applicable requirements, including requirements under section 3553 of this title and section 11331 of title 40; and ``(4) train and oversee the agency personnel who have significant responsibility for information security with respect to that responsibility. 
``(c) Agencywide Information Security Programs.-- ``(1) In general.--Each agencywide information security program under subsection (b)(2) shall include-- ``(A) relevant security risk assessments, including technical assessments and others related to the acquisition process; ``(B) security testing commensurate with risk and impact; ``(C) mitigation of deterioration of security controls commensurate with risk and impact; ``(D) risk-based continuous monitoring and threat assessment of the operational status and security of agency information systems to enable evaluation of the effectiveness of and compliance with information security policies, procedures, and practices, including a relevant and appropriate selection of security controls of information systems identified in the inventory under section 3505(c); ``(E) operation of appropriate technical capabilities in order to detect, mitigate, report, and respond to information security incidents, cyber threat information, and deterioration of security controls in a manner that is consistent with the policies and directives under section 3553, including-- ``(i) mitigating risks associated with such information security incidents; ``(ii) notifying and consulting with the entity designated under section 3555; and ``(iii) notifying and consulting with, as appropriate-- ``(I) law enforcement and the relevant Office of the Inspector General; and ``(II) any other entity, in accordance with law and as directed by the President; ``(F) a process to ensure that remedial action is taken to address any deficiencies in the information security policies, procedures, and practices of the agency; and ``(G) a plan and procedures to ensure the continuity of operations for information systems that support the operations and assets of the agency. 
``(2) Risk management strategies.--Each agencywide information security program under subsection (b)(2) shall include the development and maintenance of a risk management strategy for information security. The risk management strategy shall include-- ``(A) consideration of information security incidents, cyber threat information, and deterioration of security controls; and [[Page S5513]] ``(B) consideration of the consequences that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency; ``(3) Policies and procedures.--Each agencywide information security program under subsection (b)(2) shall include policies and procedures that-- ``(A) are based on the risk management strategy under paragraph (2); ``(B) reduce information security risks to an acceptable level in a cost-effective manner; ``(C) ensure that cost-effective and adequate information security is addressed as part of the acquisition and ongoing management of each agency information system; and ``(D) ensure compliance with-- ``(i) this subchapter; and ``(ii) any other applicable requirements. ``(4) Training requirements.--Each agencywide information security program under subsection (b)(2) shall include information security, privacy, civil rights, civil liberties, and information oversight training that meets any applicable requirements under section 3553. 
The training shall inform each information security personnel that has access to agency information systems (including contractors and other users of information systems that support the operations and assets of the agency) of-- ``(A) the information security risks associated with the information security personnel's activities; and ``(B) the individual's responsibility to comply with the agency policies and procedures that reduce the risks under subparagraph (A). ``(d) Annual Report.--Each agency shall submit a report annually to the Secretary of Homeland Security on its agencywide information security program and information systems. ``Sec. 3555. Multiagency ongoing threat assessment ``(a) Implementation.--The Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, shall designate an entity to implement ongoing security analysis concerning agency information systems-- ``(1) based on cyber threat information; ``(2) based on agency information system and environment of operation changes, including-- ``(A) an ongoing evaluation of the information system security controls; and ``(B) the security state, risk level, and environment of operation of an agency information system, including-- ``(i) a change in risk level due to a new cyber threat; ``(ii) a change resulting from a new technology; ``(iii) a change resulting from the agency's mission; and ``(iv) a change resulting from the business practice; and ``(3) using automated processes to the maximum extent possible-- ``(A) to increase information system security; ``(B) to reduce paper-based reporting requirements; and ``(C) to maintain timely and actionable knowledge of the state of the information system security. ``(b) Standards.--The National Institute of Standards and Technology may promulgate standards, in coordination with the Secretary of Homeland Security, to assist an agency with its duties under this section. 
``(c) Compliance.--The head of each appropriate department and agency shall be responsible for ensuring compliance and implementing necessary procedures to comply with this section. The head of each appropriate department and agency, in consultation with the Director of the Office of Management and Budget and the Secretary of Homeland Security, shall-- ``(1) monitor compliance under this section; ``(2) develop a timeline and implement for the department or agency-- ``(A) adoption of any technology, system, or method that facilitates continuous monitoring and threat assessments of an agency information system; ``(B) adoption or updating of any technology, system, or method that prevents, detects, or remediates a significant cyber incident to a Federal information system of the department or agency that has impeded, or is reasonably likely to impede, the performance of a critical mission of the department or agency; and ``(C) adoption of any technology, system, or method that satisfies a requirement under this section. ``(d) Limitation of Authority.--The authorities of the Director of the Office of Management and Budget and of the Secretary of Homeland Security under this section shall not apply to national security systems. ``(e) Report.--Not later than 6 months after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Government Accountability Office shall issue a report evaluating each agency's status toward implementing this section. ``Sec. 3556. 
Independent evaluations ``(a) In General.--The Council of the Inspectors General on Integrity and Efficiency, in consultation with the Director and the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense, shall issue and maintain criteria for the timely, cost-effective, risk-based, and independent evaluation of each agencywide information security program (and practices) to determine the effectiveness of the agencywide information security program (and practices). The criteria shall include measures to assess any conflicts of interest in the performance of the evaluation and whether the agencywide information security program includes appropriate safeguards against disclosure of information where such disclosure may adversely affect information security. ``(b) Annual Independent Evaluations.--Each agency shall perform an annual independent evaluation of its agencywide information security program (and practices) in accordance with the criteria under subsection (a). ``(c) Distribution of Reports.--Not later than 30 days after receiving an independent evaluation under subsection (b), each agency head shall transmit a copy of the independent evaluation to the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense. ``(d) National Security Systems.--Evaluations involving national security systems shall be conducted as directed by President. ``Sec. 3557. National security systems. 
``The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency-- ``(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; and ``(2) implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President.''. (b) Savings Provisions.-- (1) Policy and compliance guidance.--Policy and compliance guidance issued by the Director before the date of enactment of this Act under section 3543(a)(1) of title 44, United States Code (as in effect on the day before the date of enactment of this Act), shall continue in effect, according to its terms, until modified, terminated, superseded, or repealed pursuant to section 3553(a)(1) of title 44, United States Code. (2) Standards and guidelines.--Standards and guidelines issued by the Secretary of Commerce or by the Director before the date of enactment of this Act under section 11331(a)(1) of title 40, United States Code, (as in effect on the day before the date of enactment of this Act) shall continue in effect, according to their terms, until modified, terminated, superseded, or repealed pursuant to section 11331(a)(1) of title 40, United States Code, as amended by this Act. (c) Technical and Conforming Amendments.-- (1) Chapter analysis.--The chapter analysis for chapter 35 of title 44, United States Code, is amended-- (A) by striking the items relating to sections 3531 through 3538; (B) by striking the items relating to sections 3541 through 3549; and (C) by inserting the following: ``3551. Purposes. ``3552. Definitions. ``3553. Federal information security authority and coordination. ``3554. Agency responsibilities. ``3555. 
Multiagency ongoing threat assessment. ``3556. Independent evaluations. ``3557. National security systems.''. (2) Other references.-- (A) Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 3532(3)'' and inserting ``section 3552''. (B) Section 2222(j)(5) of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (C) Section 2223(c)(3) of title 10, United States Code, is amended, by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (D) Section 2315 of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (E) Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended-- (i) in subsection (a)(2), by striking ``section 3532(b)(2)'' and inserting ``section 3552''; (ii) in subsection (c)(3), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (iii) in subsection (d)(1), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (iv) in subsection (d)(8) by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (v) in subsection (d)(8), by striking ``submitted to the Director'' and inserting ``submitted to the Secretary''; (vi) in subsection (e)(2), by striking ``section 3532(1) of such title'' and inserting ``section 3552 of title 44''; and (vii) in subsection (e)(5), by striking ``section 3532(b)(2) of such title'' and inserting ``section 3552 of title 44''. [[Page S5514]] (F) Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking ``section 3534(b)'' and inserting ``section 3554(b)(2)''. SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY. (a) In General.--Section 11331 of title 40, United States Code, is amended to read as follows: ``Sec. 11331. 
Responsibilities for Federal information systems standards ``(a) Standards and Guidelines.-- ``(1) Authority to prescribe.--Except as provided under paragraph (2), the Secretary of Commerce shall prescribe standards and guidelines pertaining to Federal information systems-- ``(A) in consultation with the Secretary of Homeland Security; and ``(B) on the basis of standards and guidelines developed by the National Institute of Standards and Technology under paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g- 3(a)(2) and (a)(3)). ``(2) National security systems.--Standards and guidelines for national security systems shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President. ``(b) Mandatory Standards and Guidelines.-- ``(1) Authority to make mandatory standards and guidelines.--The Secretary of Commerce shall make standards and guidelines under subsection (a)(1) compulsory and binding to the extent determined necessary by the Secretary of Commerce to improve the efficiency of operation or security of Federal information systems. ``(2) Required mandatory standards and guidelines.-- ``(A) In general.--Standards and guidelines under subsection (a)(1) shall include information security standards that-- ``(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)); and ``(ii) are otherwise necessary to improve the security of Federal information and information systems. ``(B) Binding effect.--Information security standards under subparagraph (A) shall be compulsory and binding. ``(c) Exercise of Authority.--To ensure fiscal and policy consistency, the Secretary of Commerce shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director. 
``(d) Application of More Stringent Standards and Guidelines.--The head of an executive agency may employ standards for the cost-effective information security for information systems within or under the supervision of that agency that are more stringent than the standards and guidelines the Secretary of Commerce prescribes under this section if the more stringent standards and guidelines-- ``(1) contain at least the applicable standards and guidelines made compulsory and binding by the Secretary of Commerce; and ``(2) are otherwise consistent with the policies, directives, and implementation memoranda issued under section 3553(a) of title 44. ``(e) Decisions on Promulgation of Standards and Guidelines.--The decision by the Secretary of Commerce regarding the promulgation of any standard or guideline under this section shall occur not later than 6 months after the date of submission of the proposed standard to the Secretary of Commerce by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3). ``(f) Notice and Comment.--A decision by the Secretary of Commerce to significantly modify, or not promulgate, a proposed standard submitted to the Secretary by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) shall be made after the public is given an opportunity to comment on the Secretary's proposed decision. ``(g) Definitions.--In this section: ``(1) Federal information system.--The term `Federal information system' has the meaning given the term in section 3552 of title 44. ``(2) Information security.--The term `information security' has the meaning given the term in section 3552 of title 44. ``(3) National security system.--The term `national security system' has the meaning given the term in section 3552 of title 44.''. SEC. 203. NO NEW FUNDING. 
An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate. SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS. Section 21(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-4(b)) is amended-- (1) in paragraph (2), by striking ``and the Director of the Office of Management and Budget'' and inserting ``, the Secretary of Commerce, and the Secretary of Homeland Security''; and (2) in paragraph (3), by inserting ``, the Secretary of Homeland Security,'' after ``the Secretary of Commerce''. SEC. 205. CLARIFICATION OF AUTHORITIES. Nothing in this title shall be construed to convey any new regulatory authority to any government entity implementing or complying with any provision of this title. TITLE III--CRIMINAL PENALTIES SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS. Section 1030(c) of title 18, United States Code, is amended to read as follows: ``(c) The punishment for an offense under subsection (a) or (b) of this section is-- ``(1) a fine under this title or imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(1) of this section; ``(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than 3 years, or both, in the case of an offense under subsection (a)(2); or ``(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2) of this section, if-- ``(i) the offense was committed for purposes of commercial advantage or private financial gain; ``(ii) the offense was committed in the furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States, or of any State; or ``(iii) the value of the information obtained, or that would have been obtained if the offense was completed, exceeds 
$5,000; ``(3) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(3) of this section; ``(4) a fine under this title or imprisonment of not more than 20 years, or both, in the case of an offense under subsection (a)(4) of this section; ``(5)(A) except as provided in subparagraph (C), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A) of this section, if the offense caused-- ``(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; ``(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; ``(iii) physical injury to any person; ``(iv) a threat to public health or safety; ``(v) damage affecting a computer used by, or on behalf of, an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or ``(vi) damage affecting 10 or more protected computers during any 1-year period; ``(B) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(B), if the offense caused a harm provided in clause (i) through (vi) of subparagraph (A) of this subsection; ``(C) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; ``(D) a fine under this title, imprisonment for not more than 10 years, or both, for any other offense under subsection (a)(5); ``(E) a fine under this title or imprisonment for not more than 10 years, 
or both, in the case of an offense under subsection (a)(6) of this section; or ``(F) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(7) of this section.''. SEC. 302. TRAFFICKING IN PASSWORDS. Section 1030(a)(6) of title 18, United States Code, is amended to read as follows: ``(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information or means of access through which a protected computer (as defined in subparagraphs (A) and (B) of subsection (e)(2)) may be accessed without authorization.''. SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES. Section 1030(b) of title 18, United States Code, is amended by inserting ``as if for the completed offense'' after ``punished as provided''. SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS. Section 1030 of title 18, United States Code, is amended by striking subsections (i) and (j) and inserting the following: ``(i) Criminal Forfeiture.-- ``(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States-- ``(A) such persons interest in any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of such violation; and ``(B) any property, real or personal, constituting or derived from any gross proceeds, or any property traceable to such property, that such person obtained, directly or indirectly, as a result of such violation. 
``(2) The criminal forfeiture of property under this subsection, including any seizure and disposition of the property, and any related judicial or administrative proceeding, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse [[Page S5515]] Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section. ``(j) Civil Forfeiture.-- ``(1) The following shall be subject to forfeiture to the United States and no property right, real or personal, shall exist in them: ``(A) Any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of any violation of this section, or a conspiracy to violate this section. ``(B) Any property, real or personal, constituting or derived from any gross proceeds obtained directly or indirectly, or any property traceable to such property, as a result of the commission of any violation of this section, or a conspiracy to violate this section. ``(2) Seizures and forfeitures under this subsection shall be governed by the provisions in chapter 46 relating to civil forfeitures, except that such duties as are imposed on the Secretary of the Treasury under the customs laws described in section 981(d) shall be performed by such officers, agents and other persons as may be designated for that purpose by the Secretary of Homeland Security or the Attorney General.''. SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS. (a) In General.--Chapter 47 of title 18, United States Code, is amended by inserting after section 1030 the following: ``Sec. 1030A. 
Aggravated damage to a critical infrastructure computer ``(a) Definitions.--In this section-- ``(1) the term `computer' has the meaning given the term in section 1030; ``(2) the term `critical infrastructure computer' means a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated, including-- ``(A) oil and gas production, storage, conversion, and delivery systems; ``(B) water supply systems; ``(C) telecommunication networks; ``(D) electrical power generation and delivery systems; ``(E) finance and banking systems; ``(F) emergency services; ``(G) transportation systems and services; and ``(H) government operations that provide essential services to the public; and ``(3) the term `damage' has the meaning given the term in section 1030. ``(b) Offense.--It shall be unlawful, during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer if the damage results in (or, in the case of an attempt, if completed, would have resulted in) the substantial impairment-- ``(1) of the operation of the critical infrastructure computer; or ``(2) of the critical infrastructure associated with the computer. ``(c) Penalty.--Any person who violates subsection (b) shall be-- ``(1) fined under this title; ``(2) imprisoned for not less than 3 years but not more than 20 years; or ``(3) penalized under paragraphs (1) and (2). 
``(d) Consecutive Sentence.--Notwithstanding any other provision of law-- ``(1) a court shall not place on probation any person convicted of a violation of this section; ``(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment, including any term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for a felony violation of section 1030; ``(3) in determining any term of imprisonment to be imposed for a felony violation of section 1030, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and ``(4) a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section, provided that such discretion shall be exercised in accordance with any applicable guidelines and policy statements issued by the United States Sentencing Commission pursuant to section 994 of title 28.''. (b) Technical and Conforming Amendment.--The chapter analysis for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1030 the following: ``1030A. Aggravated damage to a critical infrastructure computer.''. SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE. 
Section 1030(e)(6) of title 18, United States Code, is amended by striking ``alter;'' and inserting ``alter, but does not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized;''. SEC. 307. NO NEW FUNDING. An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate. TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM PLANNING AND COORDINATION. (a) Goals and Priorities.--Section 101 of the High- Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following: ``(d) Goals and Priorities.--The goals and priorities for Federal high-performance computing research, development, networking, and other activities under subsection (a)(2)(A) shall include-- ``(1) encouraging and supporting mechanisms for interdisciplinary research and development in networking and information technology, including-- ``(A) through collaborations across agencies; ``(B) through collaborations across Program Component Areas; ``(C) through collaborations with industry; ``(D) through collaborations with institutions of higher education; ``(E) through collaborations with Federal laboratories (as defined in section 4 of the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3703)); and ``(F) through collaborations with international organizations; ``(2) addressing national, multi-agency, multi-faceted challenges of national importance; and ``(3) fostering the transfer of research and development results into new technologies and applications for the benefit of society.''. 
(b) Development of Strategic Plan.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following: ``(e) Strategic Plan.-- ``(1) In general.--Not later than 1 year after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the agencies under subsection (a)(3)(B), working through the National Science and Technology Council and with the assistance of the Office of Science and Technology Policy shall develop a 5-year strategic plan to guide the activities under subsection (a)(1). ``(2) Contents.--The strategic plan shall specify-- ``(A) the near-term objectives for the Program; ``(B) the long-term objectives for the Program; ``(C) the anticipated time frame for achieving the near- term objectives; ``(D) the metrics that will be used to assess any progress made toward achieving the near-term objectives and the long- term objectives; and ``(E) how the Program will achieve the goals and priorities under subsection (d). ``(3) Implementation roadmap.-- ``(A) In general.--The agencies under subsection (a)(3)(B) shall develop and annually update an implementation roadmap for the strategic plan. ``(B) Requirements.--The information in the implementation roadmap shall be coordinated with the database under section 102(c) and the annual report under section 101(a)(3). 
The implementation roadmap shall-- ``(i) specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated, with consideration of any relevant recommendations of the advisory committee; ``(ii) specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year; and ``(iii) estimate the funding required for each major research objective of the strategic plan for the next 3 fiscal years. ``(4) Recommendations.--The agencies under subsection (a)(3)(B) shall take into consideration when developing the strategic plan under paragraph (1) the recommendations of-- ``(A) the advisory committee under subsection (b); and ``(B) the stakeholders under section 102(a)(3). ``(5) Report to congress.--The Director of the Office of Science and Technology Policy shall transmit the strategic plan under this subsection, including the implementation roadmap and any updates under paragraph (3), to-- ``(A) the advisory committee under subsection (b); ``(B) the Committee on Commerce, Science, and Transportation of the Senate; and ``(C) the Committee on Science and Technology of the House of Representatives.''. (c) Periodic Reviews.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following: ``(f) Periodic Reviews.--The agencies under subsection (a)(3)(B) shall-- ``(1) periodically assess the contents and funding levels of the Program Component Areas and restructure the Program when warranted, taking into consideration any relevant recommendations of the advisory committee under subsection (b); and [[Page S5516]] ``(2) ensure that the Program includes national, multi- agency, multi-faceted research and development activities, including activities described in section 104.''. 
(d) Additional Responsibilities of Director.--Section 101(a)(2) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(2)) is amended-- (1) by redesignating subparagraphs (E) and (F) as subparagraphs (G) and (H), respectively; and (2) by inserting after subparagraph (D) the following: ``(E) encourage and monitor the efforts of the agencies participating in the Program to allocate the level of resources and management attention necessary-- ``(i) to ensure that the strategic plan under subsection (e) is developed and executed effectively; and ``(ii) to ensure that the objectives of the Program are met; ``(F) working with the Office of Management and Budget and in coordination with the creation of the database under section 102(c), direct the Office of Science and Technology Policy and the agencies participating in the Program to establish a mechanism (consistent with existing law) to track all ongoing and completed research and development projects and associated funding;''. (e) Advisory Committee.--Section 101(b) of the High- Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is amended-- (1) in paragraph (1)-- (A) by inserting after the first sentence the following: ``The co-chairs of the advisory committee shall meet the qualifications of committee members and may be members of the President's Council of Advisors on Science and Technology.''; and (B) by striking ``high-performance'' in subparagraph (D) and inserting ``high-end''; and (2) by amending paragraph (2) to read as follows: ``(2) In addition to the duties under paragraph (1), the advisory committee shall conduct periodic evaluations of the funding, management, coordination, implementation, and activities of the Program. The advisory committee shall report its findings and recommendations not less frequently than once every 3 fiscal years to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives.
The report shall be submitted in conjunction with the update of the strategic plan.''. (f) Report.--Section 101(a)(3) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended-- (1) in subparagraph (C)-- (A) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and (B) by striking ``each Program Component Area'' and inserting ``each Program Component Area and each research area supported in accordance with section 104''; (2) in subparagraph (D)-- (A) by striking ``each Program Component Area,'' and inserting ``each Program Component Area and each research area supported in accordance with section 104,''; (B) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and (C) by striking ``and'' after the semicolon; (3) by redesignating subparagraph (E) as subparagraph (G); and (4) by inserting after subparagraph (D) the following: ``(E) include a description of how the objectives for each Program Component Area, and the objectives for activities that involve multiple Program Component Areas, relate to the objectives of the Program identified in the strategic plan under subsection (e); ``(F) include-- ``(i) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the next fiscal year by category of activity; ``(ii) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the current fiscal year by category of activity; and ``(iii) the amount of funding provided for the Office of Science and Technology Policy for the current fiscal year by each agency participating in the Program; and''. (g) Definitions.--Section 4 of the High-Performance Computing Act of 1991 (15 U.S.C. 
5503) is amended-- (1) by redesignating paragraphs (1) and (2) as paragraphs (2) and (3), respectively; (2) by redesignating paragraph (3) as paragraph (6); (3) by redesignating paragraphs (6) and (7) as paragraphs (7) and (8), respectively; (4) by inserting before paragraph (2), as redesignated, the following: ``(1) `cyber-physical systems' means physical or engineered systems whose networking and information technology functions and physical elements are deeply integrated and are actively connected to the physical world through sensors, actuators, or other means to perform monitoring and control functions;''; (5) in paragraph (3), as redesignated, by striking ``high- performance computing'' and inserting ``networking and information technology''; (6) in paragraph (6), as redesignated-- (A) by striking ``high-performance computing'' and inserting ``networking and information technology''; and (B) by striking ``supercomputer'' and inserting ``high-end computing''; (7) in paragraph (5), by striking ``network referred to as'' and all that follows through the semicolon and inserting ``network, including advanced computer networks of Federal agencies and departments''; and (8) in paragraph (7), as redesignated, by striking ``National High-Performance Computing Program'' and inserting ``networking and information technology research and development program''. SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE. (a) Research in Areas of National Importance.--Title I of the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et seq.) is amended by adding at the end the following: ``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE. 
``(a) In General.--The Program shall encourage agencies under section 101(a)(3)(B) to support, maintain, and improve national, multi-agency, multi-faceted, research and development activities in networking and information technology directed toward application areas that have the potential for significant contributions to national economic competitiveness and for other significant societal benefits. ``(b) Technical Solutions.--An activity under subsection (a) shall be designed to advance the development of research discoveries by demonstrating technical solutions to important problems in areas including-- ``(1) cybersecurity; ``(2) health care; ``(3) energy management and low-power systems and devices; ``(4) transportation, including surface and air transportation; ``(5) cyber-physical systems; ``(6) large-scale data analysis and modeling of physical phenomena; ``(7) large scale data analysis and modeling of behavioral phenomena; ``(8) supply chain quality and security; and ``(9) privacy protection and protected disclosure of confidential data. ``(c) Recommendations.--The advisory committee under section 101(b) shall make recommendations to the Program for candidate research and development areas for support under this section. 
``(d) Characteristics.-- ``(1) In general.--Research and development activities under this section-- ``(A) shall include projects selected on the basis of applications for support through a competitive, merit-based process; ``(B) shall leverage, when possible, Federal investments through collaboration with related State initiatives; ``(C) shall include a plan for fostering the transfer of research discoveries and the results of technology demonstration activities, including from institutions of higher education and Federal laboratories, to industry for commercial development; ``(D) shall involve collaborations among researchers in institutions of higher education and industry; and ``(E) may involve collaborations among nonprofit research institutions and Federal laboratories, as appropriate. ``(2) Cost-sharing.--In selecting applications for support, the agencies under section 101(a)(3)(B) shall give special consideration to projects that include cost sharing from non- Federal sources. ``(3) Multidisciplinary research centers.--Research and development activities under this section shall be supported through multidisciplinary research centers, including Federal laboratories, that are organized to investigate basic research questions and carry out technology demonstration activities in areas described in subsection (a). Research may be carried out through existing multidisciplinary centers, including those authorized under section 7024(b)(2) of the America COMPETES Act (42 U.S.C. 1862o-10(2)).''. (b) Cyber-Physical Systems.--Section 101(a)(1) of the High- Performance Computing Act of 1991 (15 U.S.C. 
5511(a)(1)) is amended-- (1) in subparagraph (H), by striking ``and'' after the semicolon; (2) in subparagraph (I), by striking the period at the end and inserting a semicolon; and (3) by adding at the end the following: ``(J) provide for increased understanding of the scientific principles of cyber-physical systems and improve the methods available for the design, development, and operation of cyber-physical systems that are characterized by high reliability, safety, and security; and ``(K) provide for research and development on human- computer interactions, visualization, and big data.''. (c) Task Force.--Title I of the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 402(a) of this Act, is amended by adding at the end the following: ``SEC. 105. TASK FORCE. ``(a) Establishment.--Not later than 180 days after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Director of the Office of Science and Technology Policy under section 102 shall convene a task force to explore mechanisms for carrying out collaborative research and development activities for cyber-physical systems (including the related technologies required to enable [[Page S5517]] these systems) through a consortium or other appropriate entity with participants from institutions of higher education, Federal laboratories, and industry.
``(b) Functions.--The task force shall-- ``(1) develop options for a collaborative model and an organizational structure for such entity under which the joint research and development activities could be planned, managed, and conducted effectively, including mechanisms for the allocation of resources among the participants in such entity for support of such activities; ``(2) propose a process for developing a research and development agenda for such entity, including guidelines to ensure an appropriate scope of work focused on nationally significant challenges and requiring collaboration and to ensure the development of related scientific and technological milestones; ``(3) define the roles and responsibilities for the participants from institutions of higher education, Federal laboratories, and industry in such entity; ``(4) propose guidelines for assigning intellectual property rights and for transferring research results to the private sector; and ``(5) make recommendations for how such entity could be funded from Federal, State, and non-governmental sources. ``(c) Composition.--In establishing the task force under subsection (a), the Director of the Office of Science and Technology Policy shall appoint an equal number of individuals from institutions of higher education and from industry with knowledge and expertise in cyber-physical systems, and may appoint not more than 2 individuals from Federal laboratories. ``(d) Report.--Not later than 1 year after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Director of the Office of Science and Technology Policy shall transmit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives a report describing the findings and recommendations of the task force. 
``(e) Termination.--The task force shall terminate upon transmittal of the report required under subsection (d). ``(f) Compensation and Expenses.--Members of the task force shall serve without compensation.''. SEC. 403. PROGRAM IMPROVEMENTS. Section 102 of the High-Performance Computing Act of 1991 (15 U.S.C. 5512) is amended to read as follows: ``SEC. 102. PROGRAM IMPROVEMENTS. ``(a) Functions.--The Director of the Office of Science and Technology Policy shall continue-- ``(1) to provide technical and administrative support to-- ``(A) the agencies participating in planning and implementing the Program, including support needed to develop the strategic plan under section 101(e); and ``(B) the advisory committee under section 101(b); ``(2) to serve as the primary point of contact on Federal networking and information technology activities for government agencies, academia, industry, professional societies, State computing and networking technology programs, interested citizen groups, and others to exchange technical and programmatic information; ``(3) to solicit input and recommendations from a wide range of stakeholders during the development of each strategic plan under section 101(e) by convening at least 1 workshop with invitees from academia, industry, Federal laboratories, and other relevant organizations and institutions; ``(4) to conduct public outreach, including the dissemination of the advisory committee's findings and recommendations, as appropriate; ``(5) to promote access to and early application of the technologies, innovations, and expertise derived from Program activities to agency missions and systems across the Federal Government and to United States industry; ``(6) to ensure accurate and detailed budget reporting of networking and information technology research and development investment; and ``(7) to encourage agencies participating in the Program to use existing programs and resources to strengthen networking and information technology 
education and training, and increase participation in such fields, including by women and underrepresented minorities. ``(b) Source of Funding.-- ``(1) In general.--The functions under this section shall be supported by funds from each agency participating in the Program. ``(2) Specifications.--The portion of the total budget of the Office of Science and Technology Policy that is provided by each agency participating in the Program for each fiscal year shall be in the same proportion as each agency's share of the total budget for the Program for the previous fiscal year, as specified in the database under section 102(c). ``(c) Database.-- ``(1) In general.--The Director of the Office of Science and Technology Policy shall develop and maintain a database of projects funded by each agency for the fiscal year for each Program Component Area. ``(2) Public accessibility.--The Director of the Office of Science and Technology Policy shall make the database accessible to the public. ``(3) Database contents.--The database shall include, for each project in the database-- ``(A) a description of the project; ``(B) each agency, industry, institution of higher education, Federal laboratory, or international institution involved in the project; ``(C) the source funding of the project (set forth by agency); ``(D) the funding history of the project; and ``(E) whether the project has been completed.''. SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION TECHNOLOGY, INCLUDING HIGH PERFORMANCE COMPUTING. Section 201(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 
5521(a)) is amended-- (1) by redesignating paragraphs (2) through (4) as paragraphs (3) through (5), respectively; and (2) by inserting after paragraph (1) the following: ``(2) the National Science Foundation shall use its existing programs, in collaboration with other agencies, as appropriate, to improve the teaching and learning of networking and information technology at all levels of education and to increase participation in networking and information technology fields;''. SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH- PERFORMANCE COMPUTING ACT OF 1991. (a) Section 3.--Section 3 of the High-Performance Computing Act of 1991 (15 U.S.C. 5502) is amended-- (1) in the matter preceding paragraph (1), by striking ``high-performance computing'' and inserting ``networking and information technology''; (2) in paragraph (1)-- (A) in the matter preceding subparagraph (A), by striking ``high-performance computing'' and inserting ``networking and information technology''; (B) in subparagraphs (A), (F), and (G), by striking ``high- performance computing'' each place it appears and inserting ``networking and information technology''; and (C) in subparagraph (H), by striking ``high-performance'' and inserting ``high-end''; and (3) in paragraph (2)-- (A) by striking ``high-performance computing and'' and inserting ``networking and information technology, and''; and (B) by striking ``high-performance computing network'' and inserting ``networking and information technology''. (b) Title Heading.--The heading of title I of the High- Performance Computing Act of 1991 (105 Stat. 1595) is amended by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting ``NETWORKING AND INFORMATION TECHNOLOGY''. (c) Section 101.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 
5511) is amended-- (1) in the section heading, by striking ``high-performance computing'' and inserting ``networking and information technology research and development''; (2) in subsection (a)-- (A) in the subsection heading, by striking ``National High- Performance Computing'' and inserting ``Networking and Information Technology Research and Development''; (B) in paragraph (1)-- (i) by striking ``National High-Performance Computing Program'' and inserting ``networking and information technology research and development program''; (ii) in subparagraph (A), by striking ``high-performance computing, including networking'' and inserting ``networking and information technology''; (iii) in subparagraphs (B) and (G), by striking ``high- performance'' each place it appears and inserting ``high- end''; and (iv) in subparagraph (C), by striking ``high-performance computing and networking'' and inserting ``high-end computing, distributed, and networking''; and (C) in paragraph (2)-- (i) in subparagraphs (A) and (C)-- (I) by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and (II) by striking ``development, networking,'' each place it appears and inserting ``development,''; and (ii) in subparagraphs (G) and (H), as redesignated by section 401(d) of this Act, by striking ``high-performance'' each place it appears and inserting ``high-end''; (3) in subsection (b)(1), in the matter preceding subparagraph (A), by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and (4) in subsection (c)(1)(A), by striking ``high-performance computing'' and inserting ``networking and information technology''. (d) Section 201.--Section 201(a)(1) of the High-Performance Computing Act of 1991 (15 U.S.C. 
5521(a)(1)) is amended by striking ``high-performance computing and advanced high-speed computer networking'' and inserting ``networking and information technology research and development''. (e) Section 202.--Section 202(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by striking ``high-performance computing'' and inserting ``networking and information technology''. (f) Section 203.--Section 203(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5523(a)) is amended-- [[Page S5518]] (1) in paragraph (1), by striking ``high-performance computing and networking'' and inserting ``networking and information technology''; and (2) in paragraph (2)(A), by striking ``high-performance'' and inserting ``high-end''. (g) Section 204.--Section 204 of the High-Performance Computing Act of 1991 (15 U.S.C. 5524) is amended-- (1) in subsection (a)(1)-- (A) in subparagraph (A), by striking ``high-performance computing systems and networks'' and inserting ``networking and information technology systems and capabilities''; (B) in subparagraph (B), by striking ``interoperability of high-performance computing systems in networks and for common user interfaces to systems'' and inserting ``interoperability and usability of networking and information technology systems''; and (C) in subparagraph (C), by striking ``high-performance computing'' and inserting ``networking and information technology''; and (2) in subsection (b)-- (A) by striking ``High-Performance Computing and Network'' in the heading and inserting ``Networking and Information Technology''; and (B) by striking ``sensitive''. (h) Section 205.--Section 205(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by striking ``computational'' and inserting ``networking and information technology''. (i) Section 206.--Section 206(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 
5526(a)) is amended by striking ``computational research'' and inserting ``networking and information technology research''. (j) Section 207.--Section 207 of the High-Performance Computing Act of 1991 (15 U.S.C. 5527) is amended by striking ``high-performance computing'' and inserting ``networking and information technology''. (k) Section 208.--Section 208 of the High-Performance Computing Act of 1991 (15 U.S.C. 5528) is amended-- (1) in the section heading, by striking ``high-performance computing'' and inserting ``networking and information technology''; and (2) in subsection (a)-- (A) in paragraph (1), by striking ``High-performance computing and associated'' and inserting ``Networking and information''; (B) in paragraph (2), by striking ``high-performance computing'' and inserting ``networking and information technologies''; (C) in paragraph (3), by striking ``high-performance'' and inserting ``high-end''; (D) in paragraph (4), by striking ``high-performance computers and associated'' and inserting ``networking and information''; and (E) in paragraph (5), by striking ``high-performance computing and associated'' and inserting ``networking and information''. SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM. (a) In General.--The Director of the National Science Foundation, in coordination with the Secretary of Homeland Security, shall carry out a Federal cyber scholarship-for- service program to recruit and train the next generation of information technology professionals and security managers to meet the needs of the cybersecurity mission for the Federal government. 
(b) Program Description and Components.--The program shall-- (1) annually assess the workforce needs of the Federal government for cybersecurity professionals, including network engineers, software engineers, and other experts in order to determine how many scholarships should be awarded annually to ensure that the workforce needs following graduation match the number of scholarships awarded; (2) provide scholarships for up to 1,000 students per year in their pursuit of undergraduate or graduate degrees in the cybersecurity field, in an amount that may include coverage for full tuition, fees, and a stipend; (3) require each scholarship recipient, as a condition of receiving a scholarship under the program, to serve in a Federal information technology workforce for a period equal to one and one-half times each year, or partial year, of scholarship received, in addition to an internship in the cybersecurity field, if applicable, following graduation; (4) provide a procedure for the National Science Foundation or a Federal agency, consistent with regulations of the Office of Personnel Management, to request and fund a security clearance for a scholarship recipient, including providing for clearance during a summer internship and upon graduation; and (5) provide opportunities for students to receive temporary appointments for meaningful employment in the Federal information technology workforce during school vacation periods and for internships. (c) Hiring Authority.-- (1) In general.--For purposes of any law or regulation governing the appointment of an individual in the Federal civil service, upon the successful completion of the student's studies, a student receiving a scholarship under the program may-- (A) be hired under section 213.3102(r) of title 5, Code of Federal Regulations; and (B) be exempt from competitive service. 
(2) Competitive service.--Upon satisfactory fulfillment of the service term under paragraph (1), an individual may be converted to a competitive service position without competition if the individual meets the requirements for that position. (d) Eligibility.--The eligibility requirements for a scholarship under this section shall include that a scholarship applicant-- (1) be a citizen of the United States; (2) be eligible to be granted a security clearance; (3) maintain a grade point average of 3.2 or above on a 4.0 scale for undergraduate study or a 3.5 or above on a 4.0 scale for postgraduate study; (4) demonstrate a commitment to a career in improving the security of the information infrastructure; and (5) has demonstrated a level of proficiency in math or computer sciences. (e) Failure to Complete Service Obligation.-- (1) In general.--A scholarship recipient under this section shall be liable to the United States under paragraph (2) if the scholarship recipient-- (A) fails to maintain an acceptable level of academic standing in the educational institution in which the individual is enrolled, as determined by the Director; (B) is dismissed from such educational institution for disciplinary reasons; (C) withdraws from the program for which the award was made before the completion of such program; (D) declares that the individual does not intend to fulfill the service obligation under this section; (E) fails to fulfill the service obligation of the individual under this section; or (F) loses a security clearance or becomes ineligible for a security clearance. (2) Repayment amounts.-- (A) Less than 1 year of service.--If a circumstance under paragraph (1) occurs before the completion of 1 year of a service obligation under this section, the total amount of awards received by the individual under this section shall be repaid. 
(B) One or more years of service.--If a circumstance described in subparagraph (D) or (E) of paragraph (1) occurs after the completion of 1 year of a service obligation under this section, the total amount of scholarship awards received by the individual under this section, reduced by the ratio of the number of years of service completed divided by the number of years of service required, shall be repaid. (f) Evaluation and Report.--The Director of the National Science Foundation shall-- (1) evaluate the success of recruiting individuals for scholarships under this section and of hiring and retaining those individuals in the public sector workforce, including the annual cost and an assessment of how the program actually improves the Federal workforce; and (2) periodically report the findings under paragraph (1) to Congress. (g) Authorization of Appropriations.--From amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), the Secretary may use funds to carry out the requirements of this section for fiscal years 2012 through 2013. SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF INFORMATION INFRASTRUCTURE PROFESSIONALS. (a) Study.--The President shall enter into an agreement with the National Academies to conduct a comprehensive study of government, academic, and private-sector accreditation, training, and certification programs for personnel working in information infrastructure. The agreement shall require the National Academies to consult with sector coordinating councils and relevant governmental agencies, regulatory entities, and nongovernmental organizations in the course of the study. 
(b) Scope.--The study shall include-- (1) an evaluation of the body of knowledge and various skills that specific categories of personnel working in information infrastructure should possess in order to secure information systems; (2) an assessment of whether existing government, academic, and private-sector accreditation, training, and certification programs provide the body of knowledge and various skills described in paragraph (1); (3) an analysis of any barriers to the Federal Government recruiting and hiring cybersecurity talent, including barriers relating to compensation, the hiring process, job classification, and hiring flexibility; and (4) an analysis of the sources and availability of cybersecurity talent, a comparison of the skills and expertise sought by the Federal Government and the private sector, an examination of the current and future capacity of United States institutions of higher education, including community colleges, to provide current and future cybersecurity professionals, through education and training activities, with those skills sought by the Federal Government, State and local entities, and the private sector. (c) Report.--Not later than 1 year after the date of enactment of this Act, the National Academies shall submit to the President and Congress a report on the results of the study. The report shall include-- (1) findings regarding the state of information infrastructure accreditation, training, and certification programs, including specific areas of deficiency and demonstrable progress; and (2) recommendations for the improvement of information infrastructure accreditation, training, and certification programs. SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS. 
(a) In General.--The Director of the National Institute of Standards and Technology, in coordination with appropriate Federal authorities, shall-- (1) as appropriate, ensure coordination of Federal agencies engaged in the development of international technical standards related to information system security; and (2) not later than 1 year after the date of enactment of this Act, develop and transmit to Congress a plan for ensuring such Federal agency coordination. (b) Consultation With the Private Sector.--In carrying out the activities under subsection (a)(1), the Director shall ensure consultation with appropriate private sector stakeholders. SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT. The Director of the National Institute of Standards and Technology shall continue a program to support the development of technical standards, metrology, testbeds, and conformance criteria, taking into account appropriate user concerns-- (1) to improve interoperability among identity management technologies; (2) to strengthen authentication methods of identity management systems; (3) to improve privacy protection in identity management systems, including health information technology systems, through authentication and security protocols; and (4) to improve the usability of identity management systems. SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT. (a) National Science Foundation Computer and Network Security Research Grant Areas.--Section 4(a)(1) of the Cyber Security Research and Development Act (15 U.S.C.
7403(a)(1)) is amended-- (1) in subparagraph (H), by striking ``and'' after the semicolon; (2) in subparagraph (I), by striking ``property.'' and inserting ``property;''; and (3) by adding at the end the following: ``(J) secure fundamental protocols that are at the heart of inter-network communications and data exchange; ``(K) system security that addresses the building of secure systems from trusted and untrusted components; ``(L) monitoring and detection; and ``(M) resiliency and rapid recovery methods.''. (b) National Science Foundation Computer and Network Security Grants.--Section 4(a)(3) of the Cyber Security Research and Development Act (15 U.S.C. 7403(a)(3)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (c) Computer and Network Security Centers.--Section 4(b)(7) of the Cyber Security Research and Development Act (15 U.S.C. 7403(b)(7)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (d) Computer and Network Security Capacity Building Grants.--Section 5(a)(6) of the Cyber Security Research and Development Act (15 U.S.C. 
7404(a)(6)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (e) Scientific and Advanced Technology Act Grants.--Section 5(b)(2) of the Cyber Security Research and Development Act (15 U.S.C. 7404(b)(2)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (f) Graduate Traineeships in Computer and Network Security Research.--Section 5(c)(7) of the Cyber Security Research and Development Act (15 U.S.C. 7404(c)(7)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. ______ SA 2583. Mr. GRASSLEY submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: Beginning on page 192, strike line 11 and all that follows through page 193, line 22. ______ SA 2584. Mr. 
GRASSLEY submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 18, strike line 16 and all that follows through page 19, line 2, and insert the following: (5) Limitation.--The Council may not identify critical infrastructure as a category of critical cyber infrastructure under this section based solely on activities protected by the first amendment to the Constitution of the United States. ______ SA 2585. Mr. GRASSLEY submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: At the end, add the following: TITLE VIII--CRIMINAL PENALTIES SEC. 801. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS. Section 1030(c) of title 18, United States Code, is amended to read as follows: ``(c) The punishment for an offense under subsection (a) or (b) of this section is-- ``(1) a fine under this title or imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(1) of this section; ``(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than 3 years, or both, in the case of an offense under subsection (a)(2); or ``(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2) of this section, if-- ``(i) the offense was committed for purposes of commercial advantage or private financial gain; ``(ii) the offense was committed in the furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States, or of any State; or ``(iii) the value of the information obtained, or that would have been obtained if the offense was 
completed, exceeds $5,000; ``(3) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(3) of this section; ``(4) a fine under this title or imprisonment of not more than 20 years, or both, in the case of an offense under subsection (a)(4) of this section; and ``(5)(A) except as provided in subparagraph (C), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A) of this section, if the offense caused-- ``(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; ``(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; ``(iii) physical injury to any person; ``(iv) a threat to public health or safety; ``(v) damage affecting a computer used by, or on behalf of, an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or ``(vi) damage affecting 10 or more protected computers during any 1-year period; ``(B) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(B), if the offense caused a harm described in clause (i) through (vi) of subparagraph (A) of this subsection; ``(C) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; ``(D) a fine under this title, imprisonment for not more than 10 years, or both, for any other offense under subsection (a)(5); ``(E) a fine under this title or imprisonment for 
not more than 10 years, or both, in the case of an offense under subsection (a)(6) of this section; or ``(F) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(7) of this section.''. SEC. 802. TRAFFICKING IN PASSWORDS. Section 1030(a)(6) of title 18, United States Code, is amended to read as follows: ``(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information or means of access through which a protected computer (as defined in subparagraphs (A) and (B) of subsection (e)(2)) may be accessed without authorization; or''. SEC. 803. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES. Section 1030(b) of title 18, United States Code, is amended by inserting ``as if for the completed offense'' after ``punished as provided''. SEC. 804. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS. Section 1030 of title 18, United States Code, is amended by striking subsections (i) and (j) and inserting the following: ``(i) Criminal Forfeiture.-- ``(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States-- ``(A) such person's interest in any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of such violation; and ``(B) any property, real or personal, constituting or derived from any gross proceeds, or any property traceable to such property, that such person obtained, directly or indirectly, as a result of such violation.
``(2) The criminal forfeiture of property under this subsection, including any seizure and disposition of the property, and any related judicial or administrative proceeding, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section. ``(j) Civil Forfeiture.-- ``(1) The following shall be subject to forfeiture to the United States and no property right, real or personal, shall exist in them: ``(A) Any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of any violation of this section, or a conspiracy to violate this section. ``(B) Any property, real or personal, constituting or derived from any gross proceeds obtained directly or indirectly, or any property traceable to such property, as a result of the commission of any violation of this section, or a conspiracy to violate this section. ``(2) Seizures and forfeitures under this subsection shall be governed by the provisions in chapter 46 relating to civil forfeitures, except that such duties as are imposed on the Secretary of the Treasury under the customs laws described in section 981(d) shall be performed by such officers, agents and other persons as may be designated for that purpose by the Secretary of Homeland Security or the Attorney General.''. SEC. 805. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS. (a) In General.--Chapter 47 of title 18, United States Code, is amended by inserting after section 1030 the following: ``Sec. 1030A. 
Aggravated damage to a critical infrastructure computer ``(a) Definitions.--In this section-- ``(1) the term `computer' has the meaning given the term in section 1030; ``(2) the term `critical infrastructure computer' means a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated, including-- ``(A) oil and gas production, storage, conversion, and delivery systems; ``(B) water supply systems; ``(C) telecommunication networks; ``(D) electrical power generation and delivery systems; ``(E) finance and banking systems; ``(F) emergency services; ``(G) transportation systems and services; and ``(H) government operations that provide essential services to the public; and ``(3) the term `damage' has the meaning given the term in section 1030. ``(b) Offense.--It shall be unlawful, during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer if the damage results in (or, in the case of an attempt, if completed, would have resulted in) the substantial impairment-- ``(1) of the operation of the critical infrastructure computer; or ``(2) of the critical infrastructure associated with the computer. ``(c) Penalty.--Any person who violates subsection (b) shall be fined under this title, imprisoned for not less than 3 years but not more than 20 years, or both. 
``(d) Consecutive Sentence.--Notwithstanding any other provision of law-- ``(1) a court shall not place on probation any person convicted of a violation of this section; ``(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment, including any term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for a felony violation of section 1030; ``(3) in determining any term of imprisonment to be imposed for a felony violation of section 1030, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and ``(4) a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section, provided that such discretion shall be exercised in accordance with any applicable guidelines and policy statements issued by the United States Sentencing Commission pursuant to section 994 of title 28.''. (b) Technical and Conforming Amendment.--The chapter analysis for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1030 the following: ``1030A. Aggravated damage to a critical infrastructure computer.''. SEC. 806. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE. 
Section 1030(e)(6) of title 18, United States Code, is amended by striking ``alter;'' and inserting ``alter, but does not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized;''. SEC. 807. NO NEW FUNDING. An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate. ______ SA 2586. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 22, strike lines 8 through 18. ______ SA 2587. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 30, after line 24, add the following: (C) Rule of construction.--Nothing in this paragraph shall be construed to establish a civil cause of action, or a presumption of negligence in a civil action, against an owner that does not participate in the Voluntary Cybersecurity Program for Critical Infrastructure established under this section. ______ SA 2588. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 
3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 22, line 10, strike ``fails'' and all that follows through line 18 and insert ``chooses not to propose to the Council cybersecurity practices under subsection (a), not later than 180 days after the date of enactment of this Act the sector coordinating council shall submit a report to the Council explaining why it chose not to propose cybersecurity practices.''. ______ SA 2589. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 30, line 8, after ``106'' insert the following: ``and may not be used for other regulatory purposes by the Federal Government or a State or local government''. ______ SA 2590. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 21, strike line 8 and all that follows through page 22, line 7, and insert the following: (B) review relevant regulations or compulsory standards or guidelines; and (C) review cybersecurity practices proposed under subsection (a) to ensure sufficient protection against cyber risks. (2) Adoption.-- (A) In general.--Not later than 1 year after the date of enactment of this Act, the Council shall-- (i) adopt any cybersecurity practices proposed under subsection (a) that adequately remediate or mitigate identified cyber risks and any associated consequences identified through an assessment conducted under section 102(a); and (ii) conduct a cost-benefit analysis in accordance with Executive Order 13563 (5 U.S.C. 
601 note; relating to improving regulation and regulatory review), including sections 1 and 3 of such Executive Order. ______ SA 2591. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 16, line 8, after ``mechanism'' insert ``, under which it shall be unlawful for the Federal Government to compel participation,''. ______ SA 2592. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: Strike title IV. ______ SA 2593. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 10, line 12, after ``shall'' insert the following: ``designate a Federal agency subject to full congressional oversight to''. ______ SA 2594. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 20, line 2, after ``paragraph (1).'' insert the following: ``If Congress passes a resolution of disapproval of the identification of a category of critical infrastructure as critical cyber infrastructure, the category shall be removed from the list of identified categories of critical cyber infrastructure and may not be identified as a category of critical cyber infrastructure during the 2 year period beginning on the date on which Congress passes the resolution of disapproval.''. ______ SA 2595. Mr.
McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 23, strike line 22 and all that follows through page 24, line 13, and insert the following: critical infrastructure may not adopt the cybersecurity practices as mandatory requirements. (B) Rule of construction.--Nothing in ______ SA 2596. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 13, line 11, insert ``In addition, any authority of a Federal agency under another provision of law to compel owners or operators to provide information to the Federal Government may not be used in furtherance of this Act.'' after the period. ______ SA 2597. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: Strike title I. ______ SA 2598. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 16, line 21, strike ``and''. On page 16, line 23, strike the period and insert ``; and''. On page 16, between lines 23 and 24, insert the following: (H) submit to the President and the appropriate congressional committees a report, which may be in classified or unclassified form, explaining the methodologies used to identify and results of the identification of categories of critical cyber infrastructure. ______ SA 2599. Mr.
McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 24, strike lines 3 through 12 and insert the following: adopted the cybersecurity practices as mandatory requirements, the Federal agency shall submit to the appropriate congressional committees a report on the reasons the Federal agency did so, including an explanation of how the Federal agency conducted a detailed cost-benefit analysis in accordance with Executive Order 13563 (5 U.S.C. 601 note; relating to improving regulation and regulatory review), including sections 1 and 3 of such Executive Order. ______ SA 2600. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: Beginning on page 18, strike line 18 and all that follows through page 19, line 2, and insert the following: ``under this section critical infrastructure based solely on activities protected by the first amendment to the Constitution of the United States.''. ______ SA 2601. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 
3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 34, strike lines 3 through 19 and insert the following: (1) provide additional authority for any sector-specific agency or any Federal agency that is not a sector-specific agency with responsibilities for regulating the security of critical infrastructure to establish standards or other cybersecurity measures that are applicable to the security of critical infrastructure not otherwise authorized by law; (2) limit or restrict the authority of the Department, or any other Federal agency, under any other provision of law; or (3) permit any owner (including a certified owner) to fail to comply with any other law or regulation, unless specifically authorized. ______ SA 2602. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: On page 173, beginning on line 14, strike ``The Secretary of Homeland Security, in consultation with'' and insert ``The President, in consultation with the Secretary,''. On page 173, line 19, strike ``civilian''. On page 174, line 11, strike ``Civilian''. On page 174, beginning on line 13, strike ``The Secretary, in consultation with'' and insert ``The President, in consultation with the Secretary,''. On page 174, line 16, strike ``civilian''. On page 174, beginning on line 21, strike ``civilian''. On page 177, line 2, strike ``civilian''. On page 177, line 6, strike ``Civilian''. On page 177, beginning on line 8, strike ``the Secretary, in consultation with'' and insert ``the President, in consultation with the Secretary,''. On page 177, line 11, strike ``civilian''. On page 177, line 23, strike ``the Secretary'' and insert ``the President''. 
On page 178, line 21, strike ``The Secretary'' and insert ``The President''.
On page 179, beginning on line 6, strike ``The Secretary, in coordination with the Director of National Intelligence, the Attorney General, and the Secretary of Defense,'' and insert ``The President''.
On page 183, beginning on line 15, strike ``the Secretary and approved by the Attorney General'' and insert ``the President''.
On page 184, beginning on line 19, strike ``The Secretary, in consultation with privacy and civil liberties experts,'' and insert ``The President, in consultation with privacy and civil liberties experts, the Secretary,''.
On page 186, strike lines 16 through 22.
On page 186, line 24, strike ``The Secretary'' and insert ``The President''.
On page 187, beginning on line 10, strike ``The Secretary and the Attorney General'' and insert ``The President, in consultation with the Secretary and the Attorney General,''.
On page 187, beginning on line 20, strike ``the Secretary and approved by the Attorney General'' and insert ``the President''.
On page 187, beginning on line 23, strike ``the Attorney General'' and insert ``the President''.
On page 188, line 1, strike ``the Attorney General'' and insert ``the President''.
On page 188, line 3, strike ``the Attorney General'' and insert ``the President''.
On page 202, beginning on line 21, strike ``the Secretary, the Director of National Intelligence, the Attorney General, and the Secretary of Defense shall jointly'' and insert ``the President, in consultation with the Secretary, the Director of National Intelligence, the Attorney General, and the Secretary of Defense, shall''.
______
SA 2603. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows:
On page 173, beginning on line 14, strike ``The Secretary of Homeland Security, in consultation with'' and insert ``The President, in consultation with the Secretary,''.
On page 173, line 19, strike ``civilian''.
On page 174, line 11, strike ``Civilian''.
On page 174, beginning on line 13, strike ``The Secretary, in consultation with'' and insert ``The President, in consultation with the Secretary,''.
On page 174, line 16, strike ``civilian''.
On page 174, beginning on line 21, strike ``civilian''.
On page 177, line 2, strike ``civilian''.
On page 177, line 6, strike ``Civilian''.
On page 177, beginning on line 8, strike ``the Secretary, in consultation with'' and
[[Page S5522]]
insert ``the President, in consultation with the Secretary,''.
On page 177, line 11, strike ``civilian''.
On page 177, line 23, strike ``the Secretary'' and insert ``the President''.
On page 178, line 21, strike ``The Secretary'' and insert ``The President''.
On page 179, beginning on line 6, strike ``The Secretary, in coordination with the Director of National Intelligence, the Attorney General, and the Secretary of Defense,'' and insert ``The President''.
On page 183, beginning on line 15, strike ``the Secretary and approved by the Attorney General'' and insert ``the President''.
On page 184, beginning on line 19, strike ``The Secretary, in consultation with privacy and civil liberties experts,'' and insert ``The President, in consultation with privacy and civil liberties experts, the Secretary,''.
On page 186, strike lines 16 through 22.
On page 186, line 24, strike ``The Secretary'' and insert ``The President''.
On page 187, beginning on line 10, strike ``The Secretary and the Attorney General'' and insert ``The President, in consultation with the Secretary and the Attorney General,''.
On page 187, beginning on line 20, strike ``the Secretary and approved by the Attorney General'' and insert ``the President''.
On page 187, beginning on line 23, strike ``the Attorney General'' and insert ``the President''.
On page 188, line 1, strike ``the Attorney General'' and insert ``the President''.
On page 188, line 3, strike ``the Attorney General'' and insert ``the President''.
On page 199, strike lines 12 through 17.
On page 202, beginning on line 21, strike ``the Secretary, the Director of National Intelligence, the Attorney General, and the Secretary of Defense shall jointly'' and insert ``the President, in consultation with the Secretary, the Director of National Intelligence, the Attorney General, and the Secretary of Defense, shall''.
______
SA 2604. Mr. McCAIN submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows:
At the end of title I, add the following:
SEC. 111. SUNSET.
This title is repealed effective on the date that is 4 years after the date of enactment of this Act.
______
SA 2605. Mr. McCAIN (for himself, Mrs. Hutchison, Mr. Chambliss, Mr. Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of Wisconsin) submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows:
Strike all after the enacting clause and insert the following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012'' or ``SECURE IT''.
(b) Table of Contents.--The table of contents of this Act is as follows:
Sec. 1. Short title; table of contents.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
Sec. 101. Definitions.
Sec. 102. Authorization to share cyber threat information.
Sec. 103. Information sharing by the Federal government.
Sec. 104. Construction.
Sec. 105. Report on implementation.
Sec. 106. Inspector General review.
Sec. 107. Technical amendments.
Sec. 108. Access to classified information.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
Sec. 201. Coordination of Federal information security policy.
Sec. 202. Management of information technology.
Sec. 203. No new funding.
Sec. 204. Technical and conforming amendments.
Sec. 205. Clarification of authorities.
TITLE III--CRIMINAL PENALTIES
Sec. 301. Penalties for fraud and related activity in connection with computers.
Sec. 302. Trafficking in passwords.
Sec. 303. Conspiracy and attempted computer fraud offenses.
Sec. 304. Criminal and civil forfeiture for fraud and related activity in connection with computers.
Sec. 305. Damage to critical infrastructure computers.
Sec. 306. Limitation on actions involving unauthorized use.
Sec. 307. No new funding.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
Sec. 401. National High-Performance Computing Program planning and coordination.
Sec. 402. Research in areas of national importance.
Sec. 403. Program improvements.
Sec. 404. Improving education of networking and information technology, including high performance computing.
Sec. 405. Conforming and technical amendments to the High-Performance Computing Act of 1991.
Sec. 406. Federal cyber scholarship-for-service program.
Sec. 407. Study and analysis of certification and training of information infrastructure professionals.
Sec. 408. International cybersecurity technical standards.
Sec. 409. Identity management research and development.
Sec. 410. Federal cybersecurity research and development.
TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION
SEC. 101. DEFINITIONS.
In this title:
(1) Agency.--The term ``agency'' has the meaning given the term in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in section 1(a) of the Clayton Act (15 U.S.C. 12(a));
(B) includes section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent that section 5 of that Act applies to unfair methods of competition; and
(C) includes any State law that has the same intent and effect as the laws under subparagraphs (A) and (B).
(3) Countermeasure.--The term ``countermeasure'' means an automated or a manual action with defensive intent to mitigate cyber threats.
(4) Cyber threat information.--The term ``cyber threat information'' means information that indicates or describes--
(A) a technical or operation vulnerability or a cyber threat mitigation measure;
(B) an action or operation to mitigate a cyber threat;
(C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat;
(D) a method of defeating a technical control;
(E) a method of defeating an operational control;
(F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent;
(G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control;
(H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law;
(I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or
(J) any combination of subparagraphs (A) through (I).
(5) Cybersecurity center.--The term ``cybersecurity center'' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center.
(6) Cybersecurity system.--The term ``cybersecurity system'' means a system designed or employed to ensure the integrity, confidentiality, or availability of, or to safeguard, a system or network, including measures intended to protect a system or network from--
(A) efforts to degrade, disrupt, or destroy such system or network; or
(B) theft or misappropriations of private or government information, intellectual property, or personally identifiable information.
(7) Entity.--
(A) In general.--The term ``entity'' means any private entity, non-Federal government agency or department, or State, tribal, or local government agency or department (including an officer, employee, or agent thereof).
(B) Inclusions.--The term ``entity'' includes a government agency or department (including an officer, employee, or agent thereof) of the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Northern Mariana Islands, and any other territory or possession of the United States.
(8) Federal information system.--The term ``Federal information system'' means an information system of a Federal department or agency used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
(9) Information security.--The term ``information security'' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide--
(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;
[[Page S5523]]
(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or
(C) availability, by ensuring timely and reliable access to and use of information.
(10) Information system.--The term ``information system'' has the meaning given the term in section 3502 of title 44, United States Code.
(11) Local government.--The term ``local government'' means any borough, city, county, parish, town, township, village, or other general purpose political subdivision of a State.
(12) Malicious reconnaissance.--The term ``malicious reconnaissance'' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
(13) Operational control.--The term ``operational control'' means a security control for an information system that primarily is implemented and executed by people.
(14) Operational vulnerability.--The term ``operational vulnerability'' means any attribute of policy, process, or procedure that could enable or facilitate the defeat of an operational control.
(15) Private entity.--The term ``private entity'' means any individual or any private group, organization, or corporation, including an officer, employee, or agent thereof.
(16) Significant cyber incident.--The term ``significant cyber incident'' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in--
(A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or
(B) an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated.
(17) Technical control.--The term ``technical control'' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system.
(18) Technical vulnerability.--The term ``technical vulnerability'' means any attribute of hardware or software that could enable or facilitate the defeat of a technical control.
(19) Tribal.--The term ``tribal'' has the meaning given the term ``Indian tribe'' in section 4 of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 450b).
SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION.
(a) Voluntary Disclosure.--
(1) Private entities.--Notwithstanding any other provision of law, a private entity may, for the purpose of preventing, investigating, or otherwise mitigating threats to information security, on its own networks, or as authorized by another entity, on such entity's networks, employ countermeasures and use cybersecurity systems in order to obtain, identify, or otherwise possess cyber threat information.
(2) Entities.--Notwithstanding any other provision of law, an entity may disclose cyber threat information to--
(A) a cybersecurity center; or
(B) any other entity in order to assist with preventing, investigating, or otherwise mitigating threats to information security.
(3) Information security providers.--If the cyber threat information described in paragraph (1) is obtained, identified, or otherwise possessed in the course of providing information security products or services under contract to another entity, that entity shall be given, at any time prior to disclosure of such information, a reasonable opportunity to authorize or prevent such disclosure, to request anonymization of such information, or to request that reasonable efforts be made to safeguard such information that identifies specific persons from unauthorized access or disclosure.
(b) Significant Cyber Incidents Involving Federal Information Systems.--
(1) In general.--An entity providing electronic communication services, remote computing services, or information security services to a Federal department or agency shall inform the Federal department or agency of a significant cyber incident involving the Federal information system of that Federal department or agency that--
(A) is directly known to the entity as a result of providing such services;
(B) is directly related to the provision of such services by the entity; and
(C) as determined by the entity, has impeded or will impede the performance of a critical mission of the Federal department or agency.
(2) Advance coordination.--A Federal department or agency receiving the services described in paragraph (1) shall coordinate in advance with an entity described in paragraph (1) to develop the parameters of any information that may be provided under paragraph (1), including clarification of the type of significant cyber incident that will impede the performance of a critical mission of the Federal department or agency.
(3) Report.--A Federal department or agency shall report information provided under this subsection to a cybersecurity center.
(4) Construction.--Any information provided to a cybersecurity center under paragraph (3) shall be treated in the same manner as information provided to a cybersecurity center under subsection (a).
(c) Information Shared With or Provided to a Cybersecurity Center.--Cyber threat information provided to a cybersecurity center under this section--
(1) may be disclosed to, retained by, and used by, consistent with otherwise applicable Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal government for a cybersecurity purpose, a national security purpose, or in order to prevent, investigate, or prosecute any of the offenses listed in section 2516 of title 18, United States Code, and such information shall not be disclosed to, retained by, or used by any Federal agency or department for any use not permitted under this paragraph;
(2) may, with the prior written consent of the entity submitting such information, be disclosed to and used by a State, tribal, or local government or government agency for the purpose of protecting information systems, or in furtherance of preventing, investigating, or prosecuting a criminal act, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent;
(3) shall be considered the commercial, financial, or proprietary information of the entity providing such information to the Federal government and any disclosure outside the Federal government may only be made upon the prior written consent by such entity and shall not constitute a waiver of any applicable privilege or protection provided by law, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent;
(4) shall be deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records;
(5) shall be, without discretion, withheld from the public under section 552(b)(3)(B) of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records;
(6) shall not be subject to the rules of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official;
(7) shall not, if subsequently provided to a State, tribal, or local government or government agency, otherwise be disclosed or distributed to any entity by such State, tribal, or local government or government agency without the prior written consent of the entity submitting such information, notwithstanding any State, tribal, or local law requiring disclosure of information or records, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent; and
(8) shall not be directly used by any Federal, State, tribal, or local department or agency to regulate the lawful activities of an entity, including activities relating to obtaining, identifying, or otherwise possessing cyber threat information, except that the procedures required to be developed and implemented under this title shall not be considered regulations within the meaning of this paragraph.
(d) Procedures Relating to Information Sharing With a Cybersecurity Center.--Not later than 60 days after the date of enactment of this Act, the heads of each department or agency containing a cybersecurity center shall jointly develop, promulgate, and submit to Congress procedures to ensure that cyber threat information shared with or provided to--
(1) a cybersecurity center under this section--
(A) may be submitted to a cybersecurity center by an entity, to the greatest extent possible, through a uniform, publicly available process or format that is easily accessible on the website of such cybersecurity center, and that includes the ability to provide relevant details about the cyber threat information and written consent to any subsequent disclosures authorized by this paragraph;
(B) shall immediately be further shared with each cybersecurity center in order to prevent, investigate, or otherwise mitigate threats to information security across the Federal government;
(C) is handled by the Federal government in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title, and the Federal government may undertake efforts consistent with this subparagraph to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal government; and
(D) except as provided in this section, shall only be used, disclosed, or handled in accordance with the provisions of subsection (c); and
(2) a Federal agency or department under subsection (b) is provided immediately to a cybersecurity center in order to prevent, investigate, or otherwise mitigate threats to
[[Page S5524]]
information security across the Federal government.
(e) Information Shared Between Entities.--
(1) In general.--An entity sharing cyber threat information with another entity under this title may restrict the use or sharing of such information by such other entity.
(2) Further sharing.--Cyber threat information shared by any entity with another entity under this title--
(A) shall only be further shared in accordance with any restrictions placed on the sharing of such information by the entity authorizing such sharing, such as appropriate anonymization of such information; and
(B) may not be used by any entity to gain an unfair competitive advantage to the detriment of the entity authorizing the sharing of such information, except that the conduct described in paragraph (3) shall not constitute unfair competitive conduct.
(3) Information shared with state, tribal, or local government or government agency.--Cyber threat information shared with a State, tribal, or local government or government agency under this title--
(A) may, with the prior written consent of the entity sharing such information, be disclosed to and used by a State, tribal, or local government or government agency for the purpose of protecting information systems, or in furtherance of preventing, investigating, or prosecuting a criminal act, except if the need for immediate disclosure prevents obtaining written consent, consent may be provided orally with subsequent documentation of the consent;
(B) shall be deemed voluntarily shared information and exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records;
(C) shall not be disclosed or distributed to any entity by the State, tribal, or local government or government agency without the prior written consent of the entity submitting such information, notwithstanding any State, tribal, or local law requiring disclosure of information or records, except if the need for immediate disclosure prevents obtaining written consent, consent may be provided orally with subsequent documentation of the consent; and
(D) shall not be directly used by any State, tribal, or local department or agency to regulate the lawful activities of an entity, including activities relating to obtaining, identifying, or otherwise possessing cyber threat information, except that the procedures required to be developed and implemented under this title shall not be considered regulations within the meaning of this subparagraph.
(4) Antitrust exemption.--The exchange or provision of cyber threat information or assistance between 2 or more private entities under this title shall not be considered a violation of any provision of antitrust laws if exchanged or provided in order to assist with--
(A) facilitating the prevention, investigation, or mitigation of threats to information security; or
(B) communicating or disclosing of cyber threat information to help prevent, investigate or otherwise mitigate the effects of a threat to information security.
(5) No right or benefit.--The provision of cyber threat information to an entity under this section shall not create a right or a benefit to similar information by such entity or any other entity.
(f) Federal Preemption.--
(1) In general.--This section supersedes any statute or other law of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under this section.
(2) State law enforcement.--Nothing in this section shall be construed to supersede any statute or other law of a State or political subdivision of a State concerning the use of authorized law enforcement techniques.
(3) Public disclosure.--No information shared with or provided to a State, tribal, or local government or government agency pursuant to this section shall be made publicly available pursuant to any State, tribal, or local law requiring disclosure of information or records.
(g) Civil and Criminal Liability.--
(1) General protections.--
(A) Private entities.--No cause of action shall lie or be maintained in any court against any private entity for--
(i) the use of countermeasures and cybersecurity systems as authorized by this title;
(ii) the use, receipt, or disclosure of any cyber threat information as authorized by this title; or
(iii) the subsequent actions or inactions of any lawful recipient of cyber threat information provided by such private entity.
(B) Entities.--No cause of action shall lie or be maintained in any court against any entity for--
(i) the use, receipt, or disclosure of any cyber threat information as authorized by this title; or
(ii) the subsequent actions or inactions of any lawful recipient of cyber threat information provided by such entity.
(2) Construction.--Nothing in this subsection shall be construed as creating any immunity against, or otherwise affecting, any action brought by the Federal government, or any agency or department thereof, to enforce any law, executive order, or procedure governing the appropriate handling, disclosure, and use of classified information.
(h) Otherwise Lawful Disclosures.--Nothing in this section shall be construed to limit or prohibit otherwise lawful disclosures of communications, records, or other information by a private entity to any other governmental or private entity not covered under this section.
(i) Whistleblower Protection.--Nothing in this Act shall be construed to preempt or preclude any employee from exercising rights currently provided under any whistleblower law, rule, or regulation.
(j) Relationship to Other Laws.--The submission of cyber threat information under this section to a cybersecurity center shall not affect any requirement under any other provision of law for an entity to provide information to the Federal government.
SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.
(a) Classified Information.--
(1) Procedures.--Consistent with the protection of intelligence sources and methods, and as otherwise determined appropriate, the Director of National Intelligence and the Secretary of Defense, in consultation with the heads of the appropriate Federal departments or agencies, shall develop and promulgate procedures to facilitate and promote--
(A) the immediate sharing, through the cybersecurity centers, of classified cyber threat information in the possession of the Federal government with appropriately cleared representatives of any appropriate entity; and
(B) the declassification and immediate sharing, through the cybersecurity centers, with any entity or, if appropriate, public availability of cyber threat information in the possession of the Federal government;
(2) Handling of classified information.--The procedures developed under paragraph (1) shall ensure that each entity receiving classified cyber threat information pursuant to this section has acknowledged in writing the ongoing obligation to comply with all laws, executive orders, and procedures concerning the appropriate handling, disclosure, or use of classified information.
(b) Unclassified Cyber Threat Information.--The heads of each department or agency containing a cybersecurity center shall jointly develop and promulgate procedures that ensure that, consistent with the provisions of this section, unclassified, including controlled unclassified, cyber threat information in the possession of the Federal government--
(1) is shared, through the cybersecurity centers, in an immediate and adequate manner with appropriate entities; and
(2) if appropriate, is made publicly available.
(c) Development of Procedures.--
(1) In general.--The procedures developed under this section shall incorporate, to the greatest extent possible, existing processes utilized by sector specific information sharing and analysis centers.
(2) Coordination with entities.--In developing the procedures required under this section, the Director of National Intelligence and the heads of each department or agency containing a cybersecurity center shall coordinate with appropriate entities to ensure that protocols are implemented that will facilitate and promote the sharing of cyber threat information by the Federal government.
(d) Additional Responsibilities of Cybersecurity Centers.--Consistent with section 102, a cybersecurity center shall--
(1) facilitate information sharing, interaction, and collaboration among and between cybersecurity centers and--
(A) other Federal entities;
(B) any entity; and
(C) international partners, in consultation with the Secretary of State;
(2) disseminate timely and actionable cybersecurity threat, vulnerability, mitigation, and warning information, including alerts, advisories, indicators, signatures, and mitigation and response measures, to improve the security and protection of information systems; and
(3) coordinate with other Federal entities, as appropriate, to integrate information from across the Federal government to provide situational awareness of the cybersecurity posture of the United States.
(e) Sharing Within the Federal Government.--The heads of appropriate Federal departments and agencies shall ensure that cyber threat information in the possession of such Federal departments or agencies that relates to the prevention, investigation, or mitigation of threats to information security across the Federal government is shared effectively with the cybersecurity centers.
(f) Submission to Congress.--Not later than 60 days after the date of enactment of this Act, the Director of National Intelligence, in coordination with the appropriate head of a department or an agency containing a cybersecurity center, shall submit the procedures required by this section to Congress.
SEC. 104. CONSTRUCTION.
(a) Information Sharing Relationships.--Nothing in this title shall be construed--
(1) to limit or modify an existing information sharing relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship between any entity and the Federal government, except as specified under section 102(b); or
(4) to modify the authority of a department or agency of the Federal government
[[Page S5525]]
to protect sources and methods and the national security of the United States.
(b) Anti-tasking Restriction.--Nothing in this title shall be construed to permit the Federal government--
(1) to require an entity to share information with the Federal government, except as expressly provided under section 102(b); or
(2) to condition the sharing of cyber threat information with an entity on such entity's provision of cyber threat information to the Federal government.
(c) No Liability for Non-participation.--Nothing in this title shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized under this title.
(d) Use and Retention of Information.--Nothing in this title shall be construed to authorize, or to modify any existing authority of, a department or agency of the Federal government to retain or use any information shared under section 102 for any use other than a use permitted under subsection 102(c)(1).
(e) No New Funding.--An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate.
SEC. 105. REPORT ON IMPLEMENTATION.
(a) Content of Report.--Not later than 1 year after the date of enactment of this Act, and biennially thereafter, the heads of each department or agency containing a cybersecurity center shall jointly submit, in coordination with the privacy and civil liberties officials of such departments or agencies and the Privacy and Civil Liberties Oversight Board, a detailed report to Congress concerning the implementation of this title, including--
  (1) an assessment of the sufficiency of the procedures developed under section 103 of this Act in ensuring that cyber threat information in the possession of the Federal government is provided in an immediate and adequate manner to appropriate entities or, if appropriate, is made publicly available;
  (2) an assessment of whether information has been appropriately classified and an accounting of the number of security clearances authorized by the Federal government for purposes of this title;
  (3) a review of the type of cyber threat information shared with a cybersecurity center under section 102 of this Act, including whether such information meets the definition of cyber threat information under section 101, the degree to which such information may impact the privacy and civil liberties of individuals, any appropriate metrics to determine any impact of the sharing of such information with the Federal government on privacy and civil liberties, and the adequacy of any steps taken to reduce such impact;
  (4) a review of actions taken by the Federal government based on information provided to a cybersecurity center under section 102 of this Act, including the appropriateness of any subsequent use under section 102(c)(1) of this Act and whether there was inappropriate stovepiping within the Federal government of any such information;
  (5) a description of any violations of the requirements of this title by the Federal government;
  (6) a classified list of entities that received classified information from the Federal government under section 103 of this Act and a description of any indication that such information may not have been appropriately handled;
  (7) a summary of any breach of information security, if known, attributable to a specific failure by any entity or the Federal government to act on cyber threat information in the possession of such entity or the Federal government that resulted in substantial economic harm or injury to a specific entity or the Federal government; and
  (8) any recommendation for improvements or modifications to the authorities under this title.
(b) Form of Report.--The report under subsection (a) shall be submitted in unclassified form, but shall include a classified annex.

SEC. 106. INSPECTOR GENERAL REVIEW.
(a) In General.--The Council of the Inspectors General on Integrity and Efficiency are authorized to review compliance by the cybersecurity centers, and by any Federal department or agency receiving cyber threat information from such cybersecurity centers, with the procedures required under section 102 of this Act.
(b) Scope of Review.--The review under subsection (a) shall consider whether the Federal government has handled such cyber threat information in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title.
(c) Report to Congress.--Each review conducted under this section shall be provided to Congress not later than 30 days after the date of completion of the review.

SEC. 107. TECHNICAL AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
  (1) in paragraph (8), by striking ``or'';
  (2) in paragraph (9), by striking ``wells.'' and inserting ``wells; or''; and
  (3) by adding at the end the following:
  ``(10) information shared with or provided to a cybersecurity center under section 102 of title I of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012.''.

SEC. 108. ACCESS TO CLASSIFIED INFORMATION.
(a) Authorization Required.--No person shall be provided with access to classified information (as defined in section 6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to classified national security information)) relating to cyber security threats or cyber security vulnerabilities under this title without the appropriate security clearances.
(b) Security Clearances.--The appropriate Federal agencies or departments shall, consistent with applicable procedures and requirements, and if otherwise deemed appropriate, assist an individual in timely obtaining an appropriate security clearance where such individual has been determined to be eligible for such clearance and has a need-to-know (as defined in section 6.1 of that Executive Order) classified information to carry out this title.

TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY

SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY.
(a) In General.--Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:

``SUBCHAPTER II--INFORMATION SECURITY

``Sec. 3551. Purposes
``The purposes of this subchapter are--
  ``(1) to provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
  ``(2) to recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management of policies, directives, standards, and guidelines, as well as effective and nimble oversight of and response to information security risks, including coordination of information security efforts throughout the Federal civilian, national security, and law enforcement communities;
  ``(3) to provide for development and maintenance of controls required to protect agency information and information systems and contribute to the overall improvement of agency information security posture;
  ``(4) to provide for the development of tools and methods to assess and respond to real-time situational risk for Federal information system operations and assets; and
  ``(5) to provide a mechanism for improving agency information security programs through continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting.

``Sec. 3552. Definitions
``In this subchapter:
  ``(1) Adequate security.--The term `adequate security' means security commensurate with the risk and magnitude of the harm resulting from the unauthorized access to or loss, misuse, destruction, or modification of information.
  ``(2) Agency.--The term `agency' has the meaning given the term in section 3502 of title 44.
  ``(3) Cybersecurity center.--The term `cybersecurity center' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center.
  ``(4) Cyber threat information.--The term `cyber threat information' means information that indicates or describes--
    ``(A) a technical or operation vulnerability or a cyber threat mitigation measure;
    ``(B) an action or operation to mitigate a cyber threat;
    ``(C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat;
    ``(D) a method of defeating a technical control;
    ``(E) a method of defeating an operational control;
    ``(F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent;
    ``(G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control;
    ``(H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law;
    ``(I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or
    ``(J) any combination of subparagraphs (A) through (I).
  ``(5) Director.--The term `Director' means the Director of the Office of Management and Budget unless otherwise specified.
  ``(6) Environment of operation.--The term `environment of operation' means the information system and environment in which those systems operate, including changing threats, vulnerabilities, technologies, and missions and business practices.
  ``(7) Federal information system.--The term `Federal information system' means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
  ``(8) Incident.--The term `incident' means an occurrence that--
    ``(A) actually or imminently jeopardizes the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits; or
    ``(B) constitutes a violation of law or an imminent threat of violation of a law, a security policy, a security procedure, or an acceptable use policy.
  ``(9) Information resources.--The term `information resources' has the meaning given the term in section 3502 of title 44.
  ``(10) Information security.--The term `information security' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide--
    ``(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;
    ``(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or
    ``(C) availability, by ensuring timely and reliable access to and use of information.
  ``(11) Information system.--The term `information system' has the meaning given the term in section 3502 of title 44.
  ``(12) Information technology.--The term `information technology' has the meaning given the term in section 11101 of title 40.
  ``(13) Malicious reconnaissance.--The term `malicious reconnaissance' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
  ``(14) National security system.--
    ``(A) In general.--The term `national security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency--
      ``(i) the function, operation, or use of which--
        ``(I) involves intelligence activities;
        ``(II) involves cryptologic activities related to national security;
        ``(III) involves command and control of military forces;
        ``(IV) involves equipment that is an integral part of a weapon or weapons system; or
        ``(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or
      ``(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
    ``(B) Limitation.--Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
  ``(15) Operational control.--The term `operational control' means a security control for an information system that primarily is implemented and executed by people.
  ``(16) Person.--The term `person' has the meaning given the term in section 3502 of title 44.
  ``(17) Secretary.--The term `Secretary' means the Secretary of Commerce unless otherwise specified.
  ``(18) Security control.--The term `security control' means the management, operational, and technical controls, including safeguards or countermeasures, prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
  ``(19) Significant cyber incident.--The term `significant cyber incident' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in--
    ``(A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or
    ``(B) an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated.
  ``(20) Technical control.--The term `technical control' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system.

``Sec. 3553. Federal information security authority and coordination
``(a) In General.--The Secretary, in consultation with the Secretary of Homeland Security, shall--
  ``(1) issue compulsory and binding policies and directives governing agency information security operations, and require implementation of such policies and directives, including--
    ``(A) policies and directives consistent with the standards and guidelines promulgated under section 11331 of title 40 to identify and provide information security protections prioritized and commensurate with the risk and impact resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of--
      ``(i) information collected or maintained by or on behalf of an agency; or
      ``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
    ``(B) minimum operational requirements for Federal Government to protect agency information systems and provide common situational awareness across all agency information systems;
    ``(C) reporting requirements, consistent with relevant law, regarding information security incidents and cyber threat information;
    ``(D) requirements for agencywide information security programs;
    ``(E) performance requirements and metrics for the security of agency information systems;
    ``(F) training requirements to ensure that agencies are able to fully and timely comply with the policies and directives issued by the Secretary under this subchapter;
    ``(G) training requirements regarding privacy, civil rights, and civil liberties, and information oversight for agency information security personnel;
    ``(H) requirements for the annual reports to the Secretary under section 3554(d);
    ``(I) any other information security operations or information security requirements as determined by the Secretary in coordination with relevant agency heads; and
    ``(J) coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems;
  ``(2) review the agencywide information security programs under section 3554; and
  ``(3) designate an individual or an entity at each cybersecurity center, among other responsibilities--
    ``(A) to receive reports and information about information security incidents, cyber threat information, and deterioration of security control affecting agency information systems; and
    ``(B) to act on or share the information under subparagraph (A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives under subsection (a), the Secretary shall consider any applicable standards or guidelines developed by the National Institute of Standards and Technology under section 11331 of title 40.
``(c) Limitation of Authority.--The authorities of the Secretary under this section shall not apply to national security systems. Information security policies, directives, standards and guidelines for national security systems shall be overseen as directed by the President and, in accordance with that direction, carried out under the authority of the heads of agencies that operate or exercise authority over such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter shall be construed to alter or amend any law regarding the authority of any head of an agency over such agency.

``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
  ``(1) be responsible for--
    ``(A) complying with the policies and directives issued under section 3553;
    ``(B) providing information security protections commensurate with the risk resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of--
      ``(i) information collected or maintained by the agency or by a contractor of an agency or other organization on behalf of an agency; and
      ``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
    ``(C) complying with the requirements of this subchapter, including--
      ``(i) information security standards and guidelines promulgated under section 11331 of title 40;
      ``(ii) for any national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued as directed by the President; and
      ``(iii) for any non-national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued under section 3553;
    ``(D) ensuring that information security management processes are integrated with agency strategic and operational planning processes;
    ``(E) reporting and sharing, for an agency operating or exercising control of a national security system, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for national security systems issued as directed by the President; and
    ``(F) reporting and sharing, for those agencies operating or exercising control of non-national security systems, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for non-national security systems as prescribed under section 3553(a), including information to assist the entity designated under section 3555(a) with the ongoing security analysis under section 3555;
  ``(2) ensure that each senior agency official provides information security for the information and information systems that support the operations and assets under the senior agency official's control, including by--
    ``(A) assessing the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems;
    ``(B) determining the level of information security appropriate to protect such information and information systems in accordance with policies and directives issued under section 3553(a), and standards and guidelines promulgated under section 11331 of title 40 for information security classifications and related requirements;
    ``(C) implementing policies, procedures, and capabilities to reduce risks to an acceptable level in a cost-effective manner;
    ``(D) actively monitoring the effective implementation of information security controls and techniques; and
    ``(E) reporting information about information security incidents, cyber threat information, and deterioration of security controls in a timely and adequate manner to the entity designated under section 3553(a)(3) in accordance with paragraph (1);
  ``(3) assess and maintain the resiliency of information technology systems critical to agency mission and operations;
  ``(4) designate the agency Inspector General (or an independent entity selected in consultation with the Director and the Council of Inspectors General on Integrity and Efficiency if the agency does not have an Inspector General) to conduct the annual independent evaluation required under section 3556, and allow the agency Inspector General to contract with an independent entity to perform such evaluation;
  ``(5) delegate to the Chief Information Officer or equivalent (or to a senior agency official who reports to the Chief Information Officer or equivalent)--
    ``(A) the authority and primary responsibility to implement an agencywide information security program; and
    ``(B) the authority to provide information security for the information collected and maintained by the agency (or by a contractor, other agency, or other source on behalf of the agency) and for the information systems that support the operations, assets, and mission of the agency (including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency);
  ``(6) delegate to the appropriate agency official (who is responsible for a particular agency system or subsystem) the responsibility to ensure and enforce compliance with all requirements of the agency's agencywide information security program in coordination with the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5);
  ``(7) ensure that an agency has trained personnel who have obtained any necessary security clearances to permit them to assist the agency in complying with this subchapter;
  ``(8) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5), in coordination with other senior agency officials, reports to the agency head on the effectiveness of the agencywide information security program, including the progress of any remedial actions; and
  ``(9) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5) has the necessary qualifications to administer the functions described in this subchapter and has information security duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under subsection (a)(5) shall--
  ``(1) establish and maintain an enterprise security operations capability that on a continuous basis--
    ``(A) detects, reports, contains, mitigates, and responds to information security incidents that impair adequate security of the agency's information or information system in a timely manner and in accordance with the policies and directives under section 3553; and
    ``(B) reports any information security incident under subparagraph (A) to the entity designated under section 3555;
  ``(2) develop, maintain, and oversee an agencywide information security program;
  ``(3) develop, maintain, and oversee information security policies, procedures, and control techniques to address applicable requirements, including requirements under section 3553 of this title and section 11331 of title 40; and
  ``(4) train and oversee the agency personnel who have significant responsibility for information security with respect to that responsibility.
``(c) Agencywide Information Security Programs.--
  ``(1) In general.--Each agencywide information security program under subsection (b)(2) shall include--
    ``(A) relevant security risk assessments, including technical assessments and others related to the acquisition process;
    ``(B) security testing commensurate with risk and impact;
    ``(C) mitigation of deterioration of security controls commensurate with risk and impact;
    ``(D) risk-based continuous monitoring and threat assessment of the operational status and security of agency information systems to enable evaluation of the effectiveness of and compliance with information security policies, procedures, and practices, including a relevant and appropriate selection of security controls of information systems identified in the inventory under section 3505(c);
    ``(E) operation of appropriate technical capabilities in order to detect, mitigate, report, and respond to information security incidents, cyber threat information, and deterioration of security controls in a manner that is consistent with the policies and directives under section 3553, including--
      ``(i) mitigating risks associated with such information security incidents;
      ``(ii) notifying and consulting with the entity designated under section 3555; and
      ``(iii) notifying and consulting with, as appropriate--
        ``(I) law enforcement and the relevant Office of the Inspector General; and
        ``(II) any other entity, in accordance with law and as directed by the President;
    ``(F) a process to ensure that remedial action is taken to address any deficiencies in the information security policies, procedures, and practices of the agency; and
    ``(G) a plan and procedures to ensure the continuity of operations for information systems that support the operations and assets of the agency.
  ``(2) Risk management strategies.--Each agencywide information security program under subsection (b)(2) shall include the development and maintenance of a risk management strategy for information security. The risk management strategy shall include--
    ``(A) consideration of information security incidents, cyber threat information, and deterioration of security controls; and
    ``(B) consideration of the consequences that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency;
  ``(3) Policies and procedures.--Each agencywide information security program under subsection (b)(2) shall include policies and procedures that--
    ``(A) are based on the risk management strategy under paragraph (2);
    ``(B) reduce information security risks to an acceptable level in a cost-effective manner;
    ``(C) ensure that cost-effective and adequate information security is addressed as part of the acquisition and ongoing management of each agency information system; and
    ``(D) ensure compliance with--
      ``(i) this subchapter; and
      ``(ii) any other applicable requirements.
  ``(4) Training requirements.--Each agencywide information security program under subsection (b)(2) shall include information security, privacy, civil rights, civil liberties, and information oversight training that meets any applicable requirements under section 3553. The training shall inform each information security personnel that has access to agency information systems (including contractors and other users of information systems that support the operations and assets of the agency) of--
    ``(A) the information security risks associated with the information security personnel's activities; and
    ``(B) the individual's responsibility to comply with the agency policies and procedures that reduce the risks under subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report annually to the Secretary of Homeland Security on its agencywide information security program and information systems.

``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, shall designate an entity to implement ongoing security analysis concerning agency information systems--
  ``(1) based on cyber threat information;
  ``(2) based on agency information system and environment of operation changes, including--
    ``(A) an ongoing evaluation of the information system security controls; and
    ``(B) the security state, risk level, and environment of operation of an agency information system, including--
      ``(i) a change in risk level due to a new cyber threat;
      ``(ii) a change resulting from a new technology;
      ``(iii) a change resulting from the agency's mission; and
      ``(iv) a change resulting from the business practice; and
  ``(3) using automated processes to the maximum extent possible--
    ``(A) to increase information system security;
    ``(B) to reduce paper-based reporting requirements; and
    ``(C) to maintain timely and actionable knowledge of the state of the information system security.
``(b) Standards.--The National Institute of Standards and Technology may promulgate standards, in coordination with the Secretary of Homeland Security, to assist an agency with its duties under this section.
``(c) Compliance.--The head of each appropriate department and agency shall be responsible for ensuring compliance and implementing necessary procedures to comply with this section. The head of each appropriate department and agency, in consultation with the Director of the Office of Management and Budget and the Secretary of Homeland Security, shall--
  ``(1) monitor compliance under this section;
  ``(2) develop a timeline and implement for the department or agency--
    ``(A) adoption of any technology, system, or method that facilitates continuous monitoring and threat assessments of an agency information system;
    ``(B) adoption or updating of any technology, system, or method that prevents, detects, or remediates a significant cyber incident to a Federal information system of the department or agency that has impeded, or is reasonably likely to impede, the performance of a critical mission of the department or agency; and
    ``(C) adoption of any technology, system, or method that satisfies a requirement under this section.
``(d) Limitation of Authority.--The authorities of the Director of the Office of Management and Budget and of the Secretary of Homeland Security under this section shall not apply to national security systems.
``(e) Report.--Not later than 6 months after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Government Accountability Office shall issue a report evaluating each agency's status toward implementing this section.

``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on Integrity and Efficiency, in consultation with the Director and the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense, shall issue and maintain criteria for the timely, cost-effective, risk-based, and independent evaluation of each agencywide information security program (and practices) to determine the effectiveness of the agencywide information security program (and practices). The criteria shall include measures to assess any conflicts of interest in the performance of the evaluation and whether the agencywide information security program includes appropriate safeguards against disclosure of information where such disclosure may adversely affect information security.
``(b) Annual Independent Evaluations.--Each agency shall perform an annual independent evaluation of its agencywide information security program (and practices) in accordance with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days after receiving an independent evaluation under subsection (b), each agency head shall transmit a copy of the independent evaluation to the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving national security systems shall be conducted as directed by President.

``Sec. 3557. National security systems.
``The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency-- ``(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; and ``(2) implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President.''. (b) Savings Provisions.-- (1) Policy and compliance guidance.--Policy and compliance guidance issued by the Director before the date of enactment of this Act under section 3543(a)(1) of title 44, United States Code (as in effect on the day before the date of enactment of this Act), shall continue in effect, according to its terms, until modified, terminated, superseded, or repealed pursuant to section 3553(a)(1) of title 44, United States Code. (2) Standards and guidelines.--Standards and guidelines issued by the Secretary of Commerce or by the Director before the date of enactment of this Act under section 11331(a)(1) of title 40, United States Code, (as in effect on the day before the date of enactment of this Act) shall continue in effect, according to their terms, until modified, terminated, superseded, or repealed pursuant to section 11331(a)(1) of title 40, United States Code, as amended by this Act. (c) Technical and Conforming Amendments.-- (1) Chapter analysis.--The chapter analysis for chapter 35 of title 44, United States Code, is amended-- (A) by striking the items relating to sections 3531 through 3538; (B) by striking the items relating to sections 3541 through 3549; and (C) by inserting the following: ``3551. Purposes. ``3552. Definitions. ``3553. Federal information security authority and coordination. ``3554. Agency responsibilities. ``3555. 
Multiagency ongoing threat assessment. ``3556. Independent evaluations. ``3557. National security systems.''. (2) Other references.-- (A) Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 3532(3)'' and inserting ``section 3552''. (B) Section 2222(j)(5) of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (C) Section 2223(c)(3) of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (D) Section 2315 of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (E) Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended-- (i) in subsection (a)(2), by striking ``section 3532(b)(2)'' and inserting ``section 3552''; (ii) in subsection (c)(3), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (iii) in subsection (d)(1), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (iv) in subsection (d)(8) by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (v) in subsection (d)(8), by striking ``submitted to the Director'' and inserting ``submitted to the Secretary''; (vi) in subsection (e)(2), by striking ``section 3532(1) of such title'' and inserting ``section 3552 of title 44''; and (vii) in subsection (e)(5), by striking ``section 3532(b)(2) of such title'' and inserting ``section 3552 of title 44''. (F) Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking ``section 3534(b)'' and inserting ``section 3554(b)(2)''. SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY. (a) In General.--Section 11331 of title 40, United States Code, is amended to read as follows: ``Sec. 11331. 
Responsibilities for Federal information systems standards ``(a) Standards and Guidelines.-- ``(1) Authority to prescribe.--Except as provided under paragraph (2), the Secretary of Commerce shall prescribe standards and guidelines pertaining to Federal information systems-- ``(A) in consultation with the Secretary of Homeland Security; and ``(B) on the basis of standards and guidelines developed by the National Institute of Standards and Technology under paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g- 3(a)(2) and (a)(3)). ``(2) National security systems.--Standards and guidelines for national security systems shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President. ``(b) Mandatory Standards and Guidelines.-- ``(1) Authority to make mandatory standards and guidelines.--The Secretary of Commerce shall make standards and guidelines under subsection (a)(1) compulsory and binding to the extent determined necessary by the Secretary of Commerce to improve the efficiency of operation or security of Federal information systems. ``(2) Required mandatory standards and guidelines.-- ``(A) In general.--Standards and guidelines under subsection (a)(1) shall include information security standards that-- ``(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)); and ``(ii) are otherwise necessary to improve the security of Federal information and information systems. ``(B) Binding effect.--Information security standards under subparagraph (A) shall be compulsory and binding. ``(c) Exercise of Authority.--To ensure fiscal and policy consistency, the Secretary of Commerce shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director. 
``(d) Application of More Stringent Standards and Guidelines.--The head of an executive agency may employ standards for the cost-effective information security for [[Page S5529]] information systems within or under the supervision of that agency that are more stringent than the standards and guidelines the Secretary of Commerce prescribes under this section if the more stringent standards and guidelines-- ``(1) contain at least the applicable standards and guidelines made compulsory and binding by the Secretary of Commerce; and ``(2) are otherwise consistent with the policies, directives, and implementation memoranda issued under section 3553(a) of title 44. ``(e) Decisions on Promulgation of Standards and Guidelines.--The decision by the Secretary of Commerce regarding the promulgation of any standard or guideline under this section shall occur not later than 6 months after the date of submission of the proposed standard to the Secretary of Commerce by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3). ``(f) Notice and Comment.--A decision by the Secretary of Commerce to significantly modify, or not promulgate, a proposed standard submitted to the Secretary by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) shall be made after the public is given an opportunity to comment on the Secretary's proposed decision. ``(g) Definitions.--In this section: ``(1) Federal information system.--The term `Federal information system' has the meaning given the term in section 3552 of title 44. ``(2) Information security.--The term `information security' has the meaning given the term in section 3552 of title 44. ``(3) National security system.--The term `national security system' has the meaning given the term in section 3552 of title 44.''. SEC. 203. NO NEW FUNDING. 
An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate. SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS. Section 21(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-4(b)) is amended-- (1) in paragraph (2), by striking ``and the Director of the Office of Management and Budget'' and inserting ``, the Secretary of Commerce, and the Secretary of Homeland Security''; and (2) in paragraph (3), by inserting ``, the Secretary of Homeland Security,'' after ``the Secretary of Commerce''. SEC. 205. CLARIFICATION OF AUTHORITIES. Nothing in this title shall be construed to convey any new regulatory authority to any government entity implementing or complying with any provision of this title. TITLE III--CRIMINAL PENALTIES SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS. Section 1030(c) of title 18, United States Code, is amended to read as follows: ``(c) The punishment for an offense under subsection (a) or (b) of this section is-- ``(1) a fine under this title or imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(1) of this section; ``(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than 3 years, or both, in the case of an offense under subsection (a)(2); or ``(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2) of this section, if-- ``(i) the offense was committed for purposes of commercial advantage or private financial gain; ``(ii) the offense was committed in the furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States, or of any State; or ``(iii) the value of the information obtained, or that would have been obtained if the offense was completed, exceeds 
$5,000; ``(3) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(3) of this section; ``(4) a fine under this title or imprisonment of not more than 20 years, or both, in the case of an offense under subsection (a)(4) of this section; ``(5)(A) except as provided in subparagraph (C), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A) of this section, if the offense caused-- ``(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; ``(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; ``(iii) physical injury to any person; ``(iv) a threat to public health or safety; ``(v) damage affecting a computer used by, or on behalf of, an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or ``(vi) damage affecting 10 or more protected computers during any 1-year period; ``(B) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(B), if the offense caused a harm provided in clause (i) through (vi) of subparagraph (A) of this subsection; ``(C) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; ``(D) a fine under this title, imprisonment for not more than 10 years, or both, for any other offense under subsection (a)(5); ``(E) a fine under this title or imprisonment for not more than 10 years, 
or both, in the case of an offense under subsection (a)(6) of this section; or ``(F) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(7) of this section.''. SEC. 302. TRAFFICKING IN PASSWORDS. Section 1030(a)(6) of title 18, United States Code, is amended to read as follows: ``(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information or means of access through which a protected computer (as defined in subparagraphs (A) and (B) of subsection (e)(2)) may be accessed without authorization.''. SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES. Section 1030(b) of title 18, United States Code, is amended by inserting ``as if for the completed offense'' after ``punished as provided''. SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS. Section 1030 of title 18, United States Code, is amended by striking subsections (i) and (j) and inserting the following: ``(i) Criminal Forfeiture.-- ``(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States-- ``(A) such person's interest in any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of such violation; and ``(B) any property, real or personal, constituting or derived from any gross proceeds, or any property traceable to such property, that such person obtained, directly or indirectly, as a result of such violation. 
``(2) The criminal forfeiture of property under this subsection, including any seizure and disposition of the property, and any related judicial or administrative proceeding, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section. ``(j) Civil Forfeiture.-- ``(1) The following shall be subject to forfeiture to the United States and no property right, real or personal, shall exist in them: ``(A) Any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of any violation of this section, or a conspiracy to violate this section. ``(B) Any property, real or personal, constituting or derived from any gross proceeds obtained directly or indirectly, or any property traceable to such property, as a result of the commission of any violation of this section, or a conspiracy to violate this section. ``(2) Seizures and forfeitures under this subsection shall be governed by the provisions in chapter 46 relating to civil forfeitures, except that such duties as are imposed on the Secretary of the Treasury under the customs laws described in section 981(d) shall be performed by such officers, agents and other persons as may be designated for that purpose by the Secretary of Homeland Security or the Attorney General.''. SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS. (a) In General.--Chapter 47 of title 18, United States Code, is amended by inserting after section 1030 the following: ``Sec. 1030A. 
Aggravated damage to a critical infrastructure computer ``(a) Definitions.--In this section-- ``(1) the term `computer' has the meaning given the term in section 1030; ``(2) the term `critical infrastructure computer' means a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated, including-- ``(A) oil and gas production, storage, conversion, and delivery systems; ``(B) water supply systems; ``(C) telecommunication networks; ``(D) electrical power generation and delivery systems; ``(E) finance and banking systems; ``(F) emergency services; ``(G) transportation systems and services; and ``(H) government operations that provide essential services to the public; and ``(3) the term `damage' has the meaning given the term in section 1030. ``(b) Offense.--It shall be unlawful, during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer if the damage results in (or, in the [[Page S5530]] case of an attempt, if completed, would have resulted in) the substantial impairment-- ``(1) of the operation of the critical infrastructure computer; or ``(2) of the critical infrastructure associated with the computer. ``(c) Penalty.--Any person who violates subsection (b) shall be-- ``(1) fined under this title; ``(2) imprisoned for not less than 3 years but not more than 20 years; or ``(3) penalized under paragraphs (1) and (2). 
``(d) Consecutive Sentence.--Notwithstanding any other provision of law-- ``(1) a court shall not place on probation any person convicted of a violation of this section; ``(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment, including any term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for a felony violation of section 1030; ``(3) in determining any term of imprisonment to be imposed for a felony violation of section 1030, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and ``(4) a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section, provided that such discretion shall be exercised in accordance with any applicable guidelines and policy statements issued by the United States Sentencing Commission pursuant to section 994 of title 28.''. (b) Technical and Conforming Amendment.--The chapter analysis for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1030 the following: ``1030A. Aggravated damage to a critical infrastructure computer.''. SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE. 
Section 1030(e)(6) of title 18, United States Code, is amended by striking ``alter;'' and inserting ``alter, but does not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized;''. SEC. 307. NO NEW FUNDING. An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate. TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM PLANNING AND COORDINATION. (a) Goals and Priorities.--Section 101 of the High- Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following: ``(d) Goals and Priorities.--The goals and priorities for Federal high-performance computing research, development, networking, and other activities under subsection (a)(2)(A) shall include-- ``(1) encouraging and supporting mechanisms for interdisciplinary research and development in networking and information technology, including-- ``(A) through collaborations across agencies; ``(B) through collaborations across Program Component Areas; ``(C) through collaborations with industry; ``(D) through collaborations with institutions of higher education; ``(E) through collaborations with Federal laboratories (as defined in section 4 of the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3703)); and ``(F) through collaborations with international organizations; ``(2) addressing national, multi-agency, multi-faceted challenges of national importance; and ``(3) fostering the transfer of research and development results into new technologies and applications for the benefit of society.''. 
(b) Development of Strategic Plan.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following: ``(e) Strategic Plan.-- ``(1) In general.--Not later than 1 year after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the agencies under subsection (a)(3)(B), working through the National Science and Technology Council and with the assistance of the Office of Science and Technology Policy shall develop a 5-year strategic plan to guide the activities under subsection (a)(1). ``(2) Contents.--The strategic plan shall specify-- ``(A) the near-term objectives for the Program; ``(B) the long-term objectives for the Program; ``(C) the anticipated time frame for achieving the near- term objectives; ``(D) the metrics that will be used to assess any progress made toward achieving the near-term objectives and the long- term objectives; and ``(E) how the Program will achieve the goals and priorities under subsection (d). ``(3) Implementation roadmap.-- ``(A) In general.--The agencies under subsection (a)(3)(B) shall develop and annually update an implementation roadmap for the strategic plan. ``(B) Requirements.--The information in the implementation roadmap shall be coordinated with the database under section 102(c) and the annual report under section 101(a)(3). 
The implementation roadmap shall-- ``(i) specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated, with consideration of any relevant recommendations of the advisory committee; ``(ii) specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year; and ``(iii) estimate the funding required for each major research objective of the strategic plan for the next 3 fiscal years. ``(4) Recommendations.--The agencies under subsection (a)(3)(B) shall take into consideration when developing the strategic plan under paragraph (1) the recommendations of-- ``(A) the advisory committee under subsection (b); and ``(B) the stakeholders under section 102(a)(3). ``(5) Report to congress.--The Director of the Office of Science and Technology Policy shall transmit the strategic plan under this subsection, including the implementation roadmap and any updates under paragraph (3), to-- ``(A) the advisory committee under subsection (b); ``(B) the Committee on Commerce, Science, and Transportation of the Senate; and ``(C) the Committee on Science and Technology of the House of Representatives.''. (c) Periodic Reviews.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following: ``(f) Periodic Reviews.--The agencies under subsection (a)(3)(B) shall-- ``(1) periodically assess the contents and funding levels of the Program Component Areas and restructure the Program when warranted, taking into consideration any relevant recommendations of the advisory committee under subsection (b); and ``(2) ensure that the Program includes national, multi- agency, multi-faceted research and development activities, including activities described in section 104.''. 
(d) Additional Responsibilities of Director.--Section 101(a)(2) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(2)) is amended-- (1) by redesignating subparagraphs (E) and (F) as subparagraphs (G) and (H), respectively; and (2) by inserting after subparagraph (D) the following: ``(E) encourage and monitor the efforts of the agencies participating in the Program to allocate the level of resources and management attention necessary-- ``(i) to ensure that the strategic plan under subsection (e) is developed and executed effectively; and ``(ii) to ensure that the objectives of the Program are met; ``(F) working with the Office of Management and Budget and in coordination with the creation of the database under section 102(c), direct the Office of Science and Technology Policy and the agencies participating in the Program to establish a mechanism (consistent with existing law) to track all ongoing and completed research and development projects and associated funding;''. (e) Advisory Committee.--Section 101(b) of the High- Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is amended-- (1) in paragraph (1)-- (A) by inserting after the first sentence the following: ``The co-chairs of the advisory committee shall meet the qualifications of committee members and may be members of the President's Council of Advisors on Science and Technology.''; and (B) by striking ``high-performance'' in subparagraph (D) and inserting ``high-end''; and (2) by amending paragraph (2) to read as follows: ``(2) In addition to the duties under paragraph (1), the advisory committee shall conduct periodic evaluations of the funding, management, coordination, implementation, and activities of the Program. The advisory committee shall report its findings and recommendations not less frequently than once every 3 fiscal years to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives. 
The report shall be submitted in conjunction with the update of the strategic plan.''. (f) Report.--Section 101(a)(3) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended-- (1) in subparagraph (C)-- (A) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and [[Page S5531]] (B) by striking ``each Program Component Area'' and inserting ``each Program Component Area and each research area supported in accordance with section 104''; (2) in subparagraph (D)-- (A) by striking ``each Program Component Area,'' and inserting ``each Program Component Area and each research area supported in accordance with section 104,''; (B) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and (C) by striking ``and'' after the semicolon; (3) by redesignating subparagraph (E) as subparagraph (G); and (4) by inserting after subparagraph (D) the following: ``(E) include a description of how the objectives for each Program Component Area, and the objectives for activities that involve multiple Program Component Areas, relate to the objectives of the Program identified in the strategic plan under subsection (e); ``(F) include-- ``(i) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the next fiscal year by category of activity; ``(ii) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the current fiscal year by category of activity; and ``(iii) the amount of funding provided for the Office of Science and Technology Policy for the current fiscal year by each agency participating in the Program; and''. (g) Definitions.--Section 4 of the High-Performance Computing Act of 1991 (15 U.S.C. 
5503) is amended-- (1) by redesignating paragraphs (1) and (2) as paragraphs (2) and (3), respectively; (2) by redesignating paragraph (3) as paragraph (6); (3) by redesignating paragraphs (6) and (7) as paragraphs (7) and (8), respectively; (4) by inserting before paragraph (2), as redesignated, the following: ``(1) `cyber-physical systems' means physical or engineered systems whose networking and information technology functions and physical elements are deeply integrated and are actively connected to the physical world through sensors, actuators, or other means to perform monitoring and control functions;''; (5) in paragraph (3), as redesignated, by striking ``high- performance computing'' and inserting ``networking and information technology''; (6) in paragraph (6), as redesignated-- (A) by striking ``high-performance computing'' and inserting ``networking and information technology''; and (B) by striking ``supercomputer'' and inserting ``high-end computing''; (7) in paragraph (5), by striking ``network referred to as'' and all that follows through the semicolon and inserting ``network, including advanced computer networks of Federal agencies and departments''; and (8) in paragraph (7), as redesignated, by striking ``National High-Performance Computing Program'' and inserting ``networking and information technology research and development program''. SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE. (a) Research in Areas of National Importance.--Title I of the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et seq.) is amended by adding at the end the following: ``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE. 
``(a) In General.--The Program shall encourage agencies under section 101(a)(3)(B) to support, maintain, and improve national, multi-agency, multi-faceted, research and development activities in networking and information technology directed toward application areas that have the potential for significant contributions to national economic competitiveness and for other significant societal benefits. ``(b) Technical Solutions.--An activity under subsection (a) shall be designed to advance the development of research discoveries by demonstrating technical solutions to important problems in areas including-- ``(1) cybersecurity; ``(2) health care; ``(3) energy management and low-power systems and devices; ``(4) transportation, including surface and air transportation; ``(5) cyber-physical systems; ``(6) large-scale data analysis and modeling of physical phenomena; ``(7) large scale data analysis and modeling of behavioral phenomena; ``(8) supply chain quality and security; and ``(9) privacy protection and protected disclosure of confidential data. ``(c) Recommendations.--The advisory committee under section 101(b) shall make recommendations to the Program for candidate research and development areas for support under this section. 
``(d) Characteristics.-- ``(1) In general.--Research and development activities under this section-- ``(A) shall include projects selected on the basis of applications for support through a competitive, merit-based process; ``(B) shall leverage, when possible, Federal investments through collaboration with related State initiatives; ``(C) shall include a plan for fostering the transfer of research discoveries and the results of technology demonstration activities, including from institutions of higher education and Federal laboratories, to industry for commercial development; ``(D) shall involve collaborations among researchers in institutions of higher education and industry; and ``(E) may involve collaborations among nonprofit research institutions and Federal laboratories, as appropriate. ``(2) Cost-sharing.--In selecting applications for support, the agencies under section 101(a)(3)(B) shall give special consideration to projects that include cost sharing from non- Federal sources. ``(3) Multidisciplinary research centers.--Research and development activities under this section shall be supported through multidisciplinary research centers, including Federal laboratories, that are organized to investigate basic research questions and carry out technology demonstration activities in areas described in subsection (a). Research may be carried out through existing multidisciplinary centers, including those authorized under section 7024(b)(2) of the America COMPETES Act (42 U.S.C. 1862o-10(2)).''. (b) Cyber-Physical Systems.--Section 101(a)(1) of the High- Performance Computing Act of 1991 (15 U.S.C. 
5511(a)(1)) is amended-- (1) in subparagraph (H), by striking ``and'' after the semicolon; (2) in subparagraph (I), by striking the period at the end and inserting a semicolon; and (3) by adding at the end the following: ``(J) provide for increased understanding of the scientific principles of cyber-physical systems and improve the methods available for the design, development, and operation of cyber-physical systems that are characterized by high reliability, safety, and security; and ``(K) provide for research and development on human-computer interactions, visualization, and big data.''. (c) Task Force.--Title I of the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 402(a) of this Act, is amended by adding at the end the following: ``SEC. 105. TASK FORCE. ``(a) Establishment.--Not later than 180 days after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Director of the Office of Science and Technology Policy under section 102 shall convene a task force to explore mechanisms for carrying out collaborative research and development activities for cyber-physical systems (including the related technologies required to enable these systems) through a consortium or other appropriate entity with participants from institutions of higher education, Federal laboratories, and industry. 
``(b) Functions.--The task force shall-- ``(1) develop options for a collaborative model and an organizational structure for such entity under which the joint research and development activities could be planned, managed, and conducted effectively, including mechanisms for the allocation of resources among the participants in such entity for support of such activities; ``(2) propose a process for developing a research and development agenda for such entity, including guidelines to ensure an appropriate scope of work focused on nationally significant challenges and requiring collaboration and to ensure the development of related scientific and technological milestones; ``(3) define the roles and responsibilities for the participants from institutions of higher education, Federal laboratories, and industry in such entity; ``(4) propose guidelines for assigning intellectual property rights and for transferring research results to the private sector; and ``(5) make recommendations for how such entity could be funded from Federal, State, and non-governmental sources. ``(c) Composition.--In establishing the task force under subsection (a), the Director of the Office of Science and Technology Policy shall appoint an equal number of individuals from institutions of higher education and from industry with knowledge and expertise in cyber-physical systems, and may appoint not more than 2 individuals from Federal laboratories. ``(d) Report.--Not later than 1 year after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Director of the Office of Science and Technology Policy shall transmit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives a report describing the findings and recommendations of the task force. 
``(e) Termination.--The task force shall terminate upon transmittal of the report required under subsection (d). ``(f) Compensation and Expenses.--Members of the task force shall serve without compensation.''. SEC. 403. PROGRAM IMPROVEMENTS. Section 102 of the High-Performance Computing Act of 1991 (15 U.S.C. 5512) is amended to read as follows: ``SEC. 102. PROGRAM IMPROVEMENTS. ``(a) Functions.--The Director of the Office of Science and Technology Policy shall continue-- ``(1) to provide technical and administrative support to-- [[Page S5532]] ``(A) the agencies participating in planning and implementing the Program, including support needed to develop the strategic plan under section 101(e); and ``(B) the advisory committee under section 101(b); ______ SA 2606. Mr. McCAIN (for himself, Mrs. Hutchison, Mr. Chambliss, Mr. Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of Wisconsin) submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: Beginning on page 1, strike line 3 and all that follows through page 211, line 6 and insert the following: SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) Short Title.--This Act may be cited as the ``Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012'' or ``SECURE IT''. (b) Table of Contents.--The table of contents of this Act is as follows: Sec. 1. Short title; table of contents. TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION Sec. 101. Definitions. Sec. 102. Authorization to share cyber threat information. Sec. 103. Information sharing by the Federal government. Sec. 104. Construction. Sec. 105. Report on implementation. Sec. 106. Inspector General review. Sec. 107. Technical amendments. Sec. 108. Access to classified information. 
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY Sec. 201. Coordination of Federal information security policy. Sec. 202. Management of information technology. Sec. 203. No new funding. Sec. 204. Technical and conforming amendments. Sec. 205. Clarification of authorities. TITLE III--CRIMINAL PENALTIES Sec. 301. Penalties for fraud and related activity in connection with computers. Sec. 302. Trafficking in passwords. Sec. 303. Conspiracy and attempted computer fraud offenses. Sec. 304. Criminal and civil forfeiture for fraud and related activity in connection with computers. Sec. 305. Damage to critical infrastructure computers. Sec. 306. Limitation on actions involving unauthorized use. Sec. 307. No new funding. TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT Sec. 401. National High-Performance Computing Program planning and coordination. Sec. 402. Research in areas of national importance. Sec. 403. Program improvements. Sec. 404. Improving education of networking and information technology, including high performance computing. Sec. 405. Conforming and technical amendments to the High-Performance Computing Act of 1991. Sec. 406. Federal cyber scholarship-for-service program. Sec. 407. Study and analysis of certification and training of information infrastructure professionals. Sec. 408. International cybersecurity technical standards. Sec. 409. Identity management research and development. Sec. 410. Federal cybersecurity research and development. TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION SEC. 101. DEFINITIONS. In this title: (1) Agency.--The term ``agency'' has the meaning given the term in section 3502 of title 44, United States Code. (2) Antitrust laws.--The term ``antitrust laws''-- (A) has the meaning given the term in section 1(a) of the Clayton Act (15 U.S.C. 12(a)); (B) includes section 5 of the Federal Trade Commission Act (15 U.S.C. 
45) to the extent that section 5 of that Act applies to unfair methods of competition; and (C) includes any State law that has the same intent and effect as the laws under subparagraphs (A) and (B). (3) Countermeasure.--The term ``countermeasure'' means an automated or a manual action with defensive intent to mitigate cyber threats. (4) Cyber threat information.--The term ``cyber threat information'' means information that indicates or describes-- (A) a technical or operational vulnerability or a cyber threat mitigation measure; (B) an action or operation to mitigate a cyber threat; (C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat; (D) a method of defeating a technical control; (E) a method of defeating an operational control; (F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent; (G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control; (H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law; (I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or (J) any combination of subparagraphs (A) through (I). 
(5) Cybersecurity center.--The term ``cybersecurity center'' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center. (6) Cybersecurity system.--The term ``cybersecurity system'' means a system designed or employed to ensure the integrity, confidentiality, or availability of, or to safeguard, a system or network, including measures intended to protect a system or network from-- (A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriations of private or government information, intellectual property, or personally identifiable information. (7) Entity.-- (A) In general.--The term ``entity'' means any private entity, non-Federal government agency or department, or State, tribal, or local government agency or department (including an officer, employee, or agent thereof). (B) Inclusions.--The term ``entity'' includes a government agency or department (including an officer, employee, or agent thereof) of the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Northern Mariana Islands, and any other territory or possession of the United States. (8) Federal information system.--The term ``Federal information system'' means an information system of a Federal department or agency used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. 
(9) Information security.--The term ``information security'' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide-- (A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity; (B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or (C) availability, by ensuring timely and reliable access to and use of information. (10) Information system.--The term ``information system'' has the meaning given the term in section 3502 of title 44, United States Code. (11) Local government.--The term ``local government'' means any borough, city, county, parish, town, township, village, or other general purpose political subdivision of a State. (12) Malicious reconnaissance.--The term ``malicious reconnaissance'' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat. (13) Operational control.--The term ``operational control'' means a security control for an information system that primarily is implemented and executed by people. (14) Operational vulnerability.--The term ``operational vulnerability'' means any attribute of policy, process, or procedure that could enable or facilitate the defeat of an operational control. (15) Private entity.--The term ``private entity'' means any individual or any private group, organization, or corporation, including an officer, employee, or agent thereof. 
(16) Significant cyber incident.--The term ``significant cyber incident'' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in-- (A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or (B) an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated. [[Page S5533]] (17) Technical control.--The term ``technical control'' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system. (18) Technical vulnerability.--The term ``technical vulnerability'' means any attribute of hardware or software that could enable or facilitate the defeat of a technical control. (19) Tribal.--The term ``tribal'' has the meaning given the term ``Indian tribe'' in section 4 of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 450b). SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION. (a) Voluntary Disclosure.-- (1) Private entities.--Notwithstanding any other provision of law, a private entity may, for the purpose of preventing, investigating, or otherwise mitigating threats to information security, on its own networks, or as authorized by another entity, on such entity's networks, employ countermeasures and use cybersecurity systems in order to obtain, identify, or otherwise possess cyber threat information. (2) Entities.--Notwithstanding any other provision of law, an entity may disclose cyber threat information to-- (A) a cybersecurity center; or (B) any other entity in order to assist with preventing, investigating, or otherwise mitigating threats to information security. 
(3) Information security providers.--If the cyber threat information described in paragraph (1) is obtained, identified, or otherwise possessed in the course of providing information security products or services under contract to another entity, that entity shall be given, at any time prior to disclosure of such information, a reasonable opportunity to authorize or prevent such disclosure, to request anonymization of such information, or to request that reasonable efforts be made to safeguard such information that identifies specific persons from unauthorized access or disclosure. (b) Significant Cyber Incidents Involving Federal Information Systems.-- (1) In general.--An entity providing electronic communication services, remote computing services, or information security services to a Federal department or agency shall inform the Federal department or agency of a significant cyber incident involving the Federal information system of that Federal department or agency that-- (A) is directly known to the entity as a result of providing such services; (B) is directly related to the provision of such services by the entity; and (C) as determined by the entity, has impeded or will impede the performance of a critical mission of the Federal department or agency. (2) Advance coordination.--A Federal department or agency receiving the services described in paragraph (1) shall coordinate in advance with an entity described in paragraph (1) to develop the parameters of any information that may be provided under paragraph (1), including clarification of the type of significant cyber incident that will impede the performance of a critical mission of the Federal department or agency. (3) Report.--A Federal department or agency shall report information provided under this subsection to a cybersecurity center. 
(4) Construction.--Any information provided to a cybersecurity center under paragraph (3) shall be treated in the same manner as information provided to a cybersecurity center under subsection (a). (c) Information Shared With or Provided to a Cybersecurity Center.--Cyber threat information provided to a cybersecurity center under this section-- (1) may be disclosed to, retained by, and used by, consistent with otherwise applicable Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal government for a cybersecurity purpose, a national security purpose, or in order to prevent, investigate, or prosecute any of the offenses listed in section 2516 of title 18, United States Code, and such information shall not be disclosed to, retained by, or used by any Federal agency or department for any use not permitted under this paragraph; (2) may, with the prior written consent of the entity submitting such information, be disclosed to and used by a State, tribal, or local government or government agency for the purpose of protecting information systems, or in furtherance of preventing, investigating, or prosecuting a criminal act, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent; (3) shall be considered the commercial, financial, or proprietary information of the entity providing such information to the Federal government and any disclosure outside the Federal government may only be made upon the prior written consent by such entity and shall not constitute a waiver of any applicable privilege or protection provided by law, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent; (4) shall be deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, 
and any State, tribal, or local law requiring disclosure of information or records; (5) shall be, without discretion, withheld from the public under section 552(b)(3)(B) of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records; (6) shall not be subject to the rules of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official; (7) shall not, if subsequently provided to a State, tribal, or local government or government agency, otherwise be disclosed or distributed to any entity by such State, tribal, or local government or government agency without the prior written consent of the entity submitting such information, notwithstanding any State, tribal, or local law requiring disclosure of information or records, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent; and (8) shall not be directly used by any Federal, State, tribal, or local department or agency to regulate the lawful activities of an entity, including activities relating to obtaining, identifying, or otherwise possessing cyber threat information, except that the procedures required to be developed and implemented under this title shall not be considered regulations within the meaning of this paragraph. 
(d) Procedures Relating to Information Sharing With a Cybersecurity Center.--Not later than 60 days after the date of enactment of this Act, the heads of each department or agency containing a cybersecurity center shall jointly develop, promulgate, and submit to Congress procedures to ensure that cyber threat information shared with or provided to-- (1) a cybersecurity center under this section-- (A) may be submitted to a cybersecurity center by an entity, to the greatest extent possible, through a uniform, publicly available process or format that is easily accessible on the website of such cybersecurity center, and that includes the ability to provide relevant details about the cyber threat information and written consent to any subsequent disclosures authorized by this paragraph; (B) shall immediately be further shared with each cybersecurity center in order to prevent, investigate, or otherwise mitigate threats to information security across the Federal government; (C) is handled by the Federal government in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title, and the Federal government may undertake efforts consistent with this subparagraph to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal government; and (D) except as provided in this section, shall only be used, disclosed, or handled in accordance with the provisions of subsection (c); and (2) a Federal agency or department under subsection (b) is provided immediately to a cybersecurity center in order to prevent, investigate, or otherwise mitigate threats to information security across the Federal government. 
(e) Information Shared Between Entities.-- (1) In general.--An entity sharing cyber threat information with another entity under this title may restrict the use or sharing of such information by such other entity. (2) Further sharing.--Cyber threat information shared by any entity with another entity under this title-- (A) shall only be further shared in accordance with any restrictions placed on the sharing of such information by the entity authorizing such sharing, such as appropriate anonymization of such information; and (B) may not be used by any entity to gain an unfair competitive advantage to the detriment of the entity authorizing the sharing of such information, except that the conduct described in paragraph (3) shall not constitute unfair competitive conduct. (3) Information shared with state, tribal, or local government or government agency.--Cyber threat information shared with a State, tribal, or local government or government agency under this title-- (A) may, with the prior written consent of the entity sharing such information, be disclosed to and used by a State, tribal, or local government or government agency for the purpose of protecting information systems, or in furtherance of preventing, investigating, or prosecuting a criminal act, except if the need for immediate disclosure prevents obtaining written consent, consent may be provided orally with subsequent documentation of the consent; (B) shall be deemed voluntarily shared information and exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records; (C) shall not be disclosed or distributed to any entity by the State, tribal, or local government or government agency without the prior written consent of the entity submitting such information, notwithstanding any [[Page S5534]] State, tribal, or local law requiring disclosure of information or records, except if the need for immediate disclosure prevents obtaining written consent, consent may be 
provided orally with subsequent documentation of the consent; and (D) shall not be directly used by any State, tribal, or local department or agency to regulate the lawful activities of an entity, including activities relating to obtaining, identifying, or otherwise possessing cyber threat information, except that the procedures required to be developed and implemented under this title shall not be considered regulations within the meaning of this subparagraph. (4) Antitrust exemption.--The exchange or provision of cyber threat information or assistance between 2 or more private entities under this title shall not be considered a violation of any provision of antitrust laws if exchanged or provided in order to assist with-- (A) facilitating the prevention, investigation, or mitigation of threats to information security; or (B) communicating or disclosing cyber threat information to help prevent, investigate, or otherwise mitigate the effects of a threat to information security. (5) No right or benefit.--The provision of cyber threat information to an entity under this section shall not create a right or a benefit to similar information by such entity or any other entity. (f) Federal Preemption.-- (1) In general.--This section supersedes any statute or other law of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under this section. (2) State law enforcement.--Nothing in this section shall be construed to supersede any statute or other law of a State or political subdivision of a State concerning the use of authorized law enforcement techniques. (3) Public disclosure.--No information shared with or provided to a State, tribal, or local government or government agency pursuant to this section shall be made publicly available pursuant to any State, tribal, or local law requiring disclosure of information or records. 
(g) Civil and Criminal Liability.-- (1) General protections.-- (A) Private entities.--No cause of action shall lie or be maintained in any court against any private entity for-- (i) the use of countermeasures and cybersecurity systems as authorized by this title; (ii) the use, receipt, or disclosure of any cyber threat information as authorized by this title; or (iii) the subsequent actions or inactions of any lawful recipient of cyber threat information provided by such private entity. (B) Entities.--No cause of action shall lie or be maintained in any court against any entity for-- (i) the use, receipt, or disclosure of any cyber threat information as authorized by this title; or (ii) the subsequent actions or inactions of any lawful recipient of cyber threat information provided by such entity. (2) Construction.--Nothing in this subsection shall be construed as creating any immunity against, or otherwise affecting, any action brought by the Federal government, or any agency or department thereof, to enforce any law, executive order, or procedure governing the appropriate handling, disclosure, and use of classified information. (h) Otherwise Lawful Disclosures.--Nothing in this section shall be construed to limit or prohibit otherwise lawful disclosures of communications, records, or other information by a private entity to any other governmental or private entity not covered under this section. (i) Whistleblower Protection.--Nothing in this Act shall be construed to preempt or preclude any employee from exercising rights currently provided under any whistleblower law, rule, or regulation. (j) Relationship to Other Laws.--The submission of cyber threat information under this section to a cybersecurity center shall not affect any requirement under any other provision of law for an entity to provide information to the Federal government. SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT. 
(a) Classified Information.-- (1) Procedures.--Consistent with the protection of intelligence sources and methods, and as otherwise determined appropriate, the Director of National Intelligence and the Secretary of Defense, in consultation with the heads of the appropriate Federal departments or agencies, shall develop and promulgate procedures to facilitate and promote-- (A) the immediate sharing, through the cybersecurity centers, of classified cyber threat information in the possession of the Federal government with appropriately cleared representatives of any appropriate entity; and (B) the declassification and immediate sharing, through the cybersecurity centers, with any entity or, if appropriate, public availability of cyber threat information in the possession of the Federal government; (2) Handling of classified information.--The procedures developed under paragraph (1) shall ensure that each entity receiving classified cyber threat information pursuant to this section has acknowledged in writing the ongoing obligation to comply with all laws, executive orders, and procedures concerning the appropriate handling, disclosure, or use of classified information. (b) Unclassified Cyber Threat Information.--The heads of each department or agency containing a cybersecurity center shall jointly develop and promulgate procedures that ensure that, consistent with the provisions of this section, unclassified, including controlled unclassified, cyber threat information in the possession of the Federal government-- (1) is shared, through the cybersecurity centers, in an immediate and adequate manner with appropriate entities; and (2) if appropriate, is made publicly available. (c) Development of Procedures.-- (1) In general.--The procedures developed under this section shall incorporate, to the greatest extent possible, existing processes utilized by sector specific information sharing and analysis centers. 
(2) Coordination with entities.--In developing the procedures required under this section, the Director of National Intelligence and the heads of each department or agency containing a cybersecurity center shall coordinate with appropriate entities to ensure that protocols are implemented that will facilitate and promote the sharing of cyber threat information by the Federal government. (d) Additional Responsibilities of Cybersecurity Centers.-- Consistent with section 102, a cybersecurity center shall-- (1) facilitate information sharing, interaction, and collaboration among and between cybersecurity centers and-- (A) other Federal entities; (B) any entity; and (C) international partners, in consultation with the Secretary of State; (2) disseminate timely and actionable cybersecurity threat, vulnerability, mitigation, and warning information, including alerts, advisories, indicators, signatures, and mitigation and response measures, to improve the security and protection of information systems; and (3) coordinate with other Federal entities, as appropriate, to integrate information from across the Federal government to provide situational awareness of the cybersecurity posture of the United States. (e) Sharing Within the Federal Government.--The heads of appropriate Federal departments and agencies shall ensure that cyber threat information in the possession of such Federal departments or agencies that relates to the prevention, investigation, or mitigation of threats to information security across the Federal government is shared effectively with the cybersecurity centers. (f) Submission to Congress.--Not later than 60 days after the date of enactment of this Act, the Director of National Intelligence, in coordination with the appropriate head of a department or an agency containing a cybersecurity center, shall submit the procedures required by this section to Congress. SEC. 104. CONSTRUCTION. 
(a) Information Sharing Relationships.--Nothing in this title shall be construed-- (1) to limit or modify an existing information sharing relationship; (2) to prohibit a new information sharing relationship; (3) to require a new information sharing relationship between any entity and the Federal government, except as specified under section 102(b); or (4) to modify the authority of a department or agency of the Federal government to protect sources and methods and the national security of the United States. (b) Anti-tasking Restriction.--Nothing in this title shall be construed to permit the Federal government-- (1) to require an entity to share information with the Federal government, except as expressly provided under section 102(b); or (2) to condition the sharing of cyber threat information with an entity on such entity's provision of cyber threat information to the Federal government. (c) No Liability for Non-participation.--Nothing in this title shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized under this title. (d) Use and Retention of Information.--Nothing in this title shall be construed to authorize, or to modify any existing authority of, a department or agency of the Federal government to retain or use any information shared under section 102 for any use other than a use permitted under subsection 102(c)(1). (e) No New Funding.--An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate. SEC. 105. REPORT ON IMPLEMENTATION. 
(a) Content of Report.--Not later than 1 year after the date of enactment of this Act, and biennially thereafter, the heads of each department or agency containing a cybersecurity center shall jointly submit, in coordination with the privacy and civil liberties officials of such departments or agencies and the Privacy and Civil Liberties Oversight Board, a detailed report to Congress concerning the implementation of this title, including--
(1) an assessment of the sufficiency of the procedures developed under section 103 of this Act in ensuring that cyber threat information in the possession of the Federal government is provided in an immediate and adequate manner to appropriate entities or, if appropriate, is made publicly available;
(2) an assessment of whether information has been appropriately classified and an accounting of the number of security clearances authorized by the Federal government for purposes of this title;
(3) a review of the type of cyber threat information shared with a cybersecurity center under section 102 of this Act, including whether such information meets the definition of cyber threat information under section 101, the degree to which such information may impact the privacy and civil liberties of individuals, any appropriate metrics to determine any impact of the sharing of such information with the Federal government on privacy and civil liberties, and the adequacy of any steps taken to reduce such impact;
(4) a review of actions taken by the Federal government based on information provided to a cybersecurity center under section 102 of this Act, including the appropriateness of any subsequent use under section 102(c)(1) of this Act and whether there was inappropriate stovepiping within the Federal government of any such information;
(5) a description of any violations of the requirements of this title by the Federal government;
(6) a classified list of entities that received classified information from the Federal government under section 103 of this Act and a description of any indication that such information may not have been appropriately handled;
(7) a summary of any breach of information security, if known, attributable to a specific failure by any entity or the Federal government to act on cyber threat information in the possession of such entity or the Federal government that resulted in substantial economic harm or injury to a specific entity or the Federal government; and
(8) any recommendation for improvements or modifications to the authorities under this title.
(b) Form of Report.--The report under subsection (a) shall be submitted in unclassified form, but shall include a classified annex.
SEC. 106. INSPECTOR GENERAL REVIEW.
(a) In General.--The Council of the Inspectors General on Integrity and Efficiency are authorized to review compliance by the cybersecurity centers, and by any Federal department or agency receiving cyber threat information from such cybersecurity centers, with the procedures required under section 102 of this Act.
(b) Scope of Review.--The review under subsection (a) shall consider whether the Federal government has handled such cyber threat information in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title.
(c) Report to Congress.--Each review conducted under this section shall be provided to Congress not later than 30 days after the date of completion of the review.
SEC. 107. TECHNICAL AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
(1) in paragraph (8), by striking ``or'';
(2) in paragraph (9), by striking ``wells.'' and inserting ``wells; or''; and
(3) by adding at the end the following:
``(10) information shared with or provided to a cybersecurity center under section 102 of title I of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012.''.
SEC. 108. ACCESS TO CLASSIFIED INFORMATION.
(a) Authorization Required.--No person shall be provided with access to classified information (as defined in section 6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to classified national security information)) relating to cyber security threats or cyber security vulnerabilities under this title without the appropriate security clearances.
(b) Security Clearances.--The appropriate Federal agencies or departments shall, consistent with applicable procedures and requirements, and if otherwise deemed appropriate, assist an individual in timely obtaining an appropriate security clearance where such individual has been determined to be eligible for such clearance and has a need-to-know (as defined in section 6.1 of that Executive Order) classified information to carry out this title.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY.
(a) In General.--Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
``(2) to recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management of policies, directives, standards, and guidelines, as well as effective and nimble oversight of and response to information security risks, including coordination of information security efforts throughout the Federal civilian, national security, and law enforcement communities;
``(3) to provide for development and maintenance of controls required to protect agency information and information systems and contribute to the overall improvement of agency information security posture;
``(4) to provide for the development of tools and methods to assess and respond to real-time situational risk for Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency information security programs through continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security' means security commensurate with the risk and magnitude of the harm resulting from the unauthorized access to or loss, misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity center' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat information' means information that indicates or describes--
``(A) a technical or operation vulnerability or a cyber threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent;
``(G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control;
``(H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law;
``(I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of the Office of Management and Budget unless otherwise specified.
``(6) Environment of operation.--The term `environment of operation' means the information system and environment in which those systems operate, including changing threats, vulnerabilities, technologies, and missions and business practices.
``(7) Federal information system.--The term `Federal information system' means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
``(8) Incident.--The term `incident' means an occurrence that--
``(A) actually or imminently jeopardizes the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits; or
``(B) constitutes a violation of law or an imminent threat of violation of a law, a security policy, a security procedure, or an acceptable use policy.
``(9) Information resources.--The term `information resources' has the meaning given the term in section 3502 of title 44.
``(10) Information security.--The term `information security' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide--
``(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access to and use of information.
``(11) Information system.--The term `information system' has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information technology' has the meaning given the term in section 11101 of title 40.
``(13) Malicious reconnaissance.--The term `malicious reconnaissance' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
``(15) Operational control.--The term `operational control' means a security control for an information system that primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means the management, operational, and technical controls, including safeguards or countermeasures, prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant cyber incident' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in--
``(A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or
``(B) an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated.
``(20) Technical control.--The term `technical control' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system.
``Sec. 3553. Federal information security authority and coordination
``(a) In General.--The Secretary, in consultation with the Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives governing agency information security operations, and require implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards and guidelines promulgated under section 11331 of title 40 to identify and provide information security protections prioritized and commensurate with the risk and impact resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf of an agency; or
``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
``(B) minimum operational requirements for Federal Government to protect agency information systems and provide common situational awareness across all agency information systems;
``(C) reporting requirements, consistent with relevant law, regarding information security incidents and cyber threat information;
``(D) requirements for agencywide information security programs;
``(E) performance requirements and metrics for the security of agency information systems;
``(F) training requirements to ensure that agencies are able to fully and timely comply with the policies and directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil rights, and civil liberties, and information oversight for agency information security personnel;
``(H) requirements for the annual reports to the Secretary under section 3554(d);
``(I) any other information security operations or information security requirements as determined by the Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and guidelines under section 20 of the
National Institute of Standards and Technology Act (15 U.S.C. 278g-3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems;
``(2) review the agencywide information security programs under section 3554; and
``(3) designate an individual or an entity at each cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information security incidents, cyber threat information, and deterioration of security control affecting agency information systems; and
``(B) to act on or share the information under subparagraph (A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives under subsection (a), the Secretary shall consider any applicable standards or guidelines developed by the National Institute of Standards and Technology under section 11331 of title 40.
``(c) Limitation of Authority.--The authorities of the Secretary under this section shall not apply to national security systems. Information security policies, directives, standards and guidelines for national security systems shall be overseen as directed by the President and, in accordance with that direction, carried out under the authority of the heads of agencies that operate or exercise authority over such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter shall be construed to alter or amend any law regarding the authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued under section 3553;
``(B) providing information security protections commensurate with the risk resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of--
``(i) information collected or maintained by the agency or by a contractor of an agency or other organization on behalf of an agency; and
``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
``(C) complying with the requirements of this subchapter, including--
``(i) information security standards and guidelines promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued as directed by the President; and
``(iii) for any non-national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued under section 3553;
``(D) ensuring that information security management processes are integrated with agency strategic and operational planning processes;
``(E) reporting and sharing, for an agency operating or exercising control of a national security system, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for national security systems issued as directed by the President; and
``(F) reporting and sharing, for those agencies operating or exercising control of non-national security systems, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated
at each cybersecurity center and to other appropriate entities consistent with policies and directives for non-national security systems as prescribed under section 3553(a), including information to assist the entity designated under section 3555(a) with the ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides information security for the information and information systems that support the operations and assets under the senior agency official's control, including by--
``(A) assessing the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems;
``(B) determining the level of information security appropriate to protect such information and information systems in accordance with policies and directives issued under section 3553(a), and standards and guidelines promulgated under section 11331 of title 40 for information security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities to reduce risks to an acceptable level in a cost-effective manner;
``(D) actively monitoring the effective implementation of information security controls and techniques; and
``(E) reporting information about information security incidents, cyber threat information, and deterioration of security controls in a timely and adequate manner to the entity designated under section 3553(a)(3) in accordance with paragraph (1);
``(3) assess and maintain the resiliency of information technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an independent entity selected in consultation with the Director and the Council of Inspectors General on Integrity and Efficiency if the agency does not have an Inspector General) to conduct the annual independent evaluation required under section 3556, and allow the agency Inspector General to contract with an independent entity to perform such evaluation;
``(5) delegate to the Chief Information Officer or equivalent (or to a senior agency official who reports to the Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement an agencywide information security program; and
``(B) the authority to provide information security for the information collected and maintained by the agency (or by a contractor, other agency, or other source on behalf of the agency) and for the information systems that support the operations, assets, and mission of the agency (including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is responsible for a particular agency system or subsystem) the responsibility to ensure and enforce compliance with all requirements of the agency's agencywide information security program in coordination with the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have obtained any necessary security clearances to permit them to assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5), in coordination with other senior agency officials, reports to the agency head on the effectiveness of the agencywide information security program, including the progress of any remedial actions; and
``(9) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5) has the necessary qualifications to administer the functions described in this subchapter and has information security duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under subsection (a)(5) shall--
``(1) establish and maintain an enterprise security operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds to information security incidents that impair adequate security of the agency's information or information system in a timely manner and in accordance with the policies and directives under section 3553; and
``(B) reports any information security incident under subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide information security program;
``(3) develop, maintain, and oversee information security policies, procedures, and control techniques to address applicable requirements, including requirements under section 3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have significant responsibility for information security with respect to that responsibility.
``(c) Agencywide Information Security Programs.--
``(1) In general.--Each agencywide information security program under subsection (b)(2) shall include--
``(A) relevant security risk assessments, including technical assessments and others related to the acquisition process;
``(B) security testing commensurate with risk and impact;
``(C) mitigation of deterioration of security controls commensurate with risk and impact;
``(D) risk-based continuous monitoring and threat assessment of the operational status and security of agency information systems to enable evaluation of the effectiveness of and compliance with information security policies, procedures, and practices, including a relevant and appropriate selection of security controls of information systems identified in the inventory under section 3505(c);
``(E) operation of appropriate technical capabilities in order to detect, mitigate, report, and respond to information security incidents, cyber threat information, and deterioration of security controls in a manner that is consistent with the policies and directives under section 3553, including--
``(i) mitigating risks associated with such information security incidents;
``(ii) notifying and consulting with the entity designated under section 3555; and
``(iii) notifying and consulting with, as appropriate--
``(I) law enforcement and the relevant Office of the Inspector General; and
``(II) any other entity, in accordance with law and as directed by the President;
``(F) a process to ensure that remedial action is taken to address any deficiencies in the information security policies, procedures, and practices of the agency; and
``(G) a plan and procedures to ensure the continuity of operations for information systems that support the operations and assets of the agency.
``(2) Risk management strategies.--Each agencywide information security program under subsection (b)(2) shall include the development and maintenance of a risk management strategy for information security. The risk management strategy shall include--
``(A) consideration of information security incidents, cyber threat information, and deterioration of security controls; and
``(B) consideration of the consequences that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency;
``(3) Policies and procedures.--Each agencywide information security program under subsection (b)(2) shall include policies and procedures that--
``(A) are based on the risk management strategy under paragraph (2);
``(B) reduce information security risks to an acceptable level in a cost-effective manner;
``(C) ensure that cost-effective and adequate information security is addressed as part of the acquisition and ongoing management of each agency information system; and
``(D) ensure compliance with--
``(i) this subchapter; and
``(ii) any other applicable requirements.
``(4) Training requirements.--Each agencywide information security program under subsection (b)(2) shall include information security, privacy, civil rights, civil liberties, and information oversight training that meets any applicable requirements under section 3553.
The training shall inform each information security personnel that has access to agency information systems (including contractors and other users of information systems that support the operations and assets of the agency) of--
``(A) the information security risks associated with the information security personnel's activities; and
``(B) the individual's responsibility to comply with the agency policies and procedures that reduce the risks under subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report annually to the Secretary of Homeland Security on its agencywide information security program and information systems.
``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, shall designate an entity to implement ongoing security analysis concerning agency information systems--
``(1) based on cyber threat information;
``(2) based on agency information system and environment of operation changes, including--
``(A) an ongoing evaluation of the information system security controls; and
``(B) the security state, risk level, and environment of operation of an agency information system, including--
``(i) a change in risk level due to a new cyber threat;
``(ii) a change resulting from a new technology;
``(iii) a change resulting from the agency's mission; and
``(iv) a change resulting from the business practice; and
``(3) using automated processes to the maximum extent possible--
``(A) to increase information system security;
``(B) to reduce paper-based reporting requirements; and
``(C) to maintain timely and actionable knowledge of the state of the information system security.
``(b) Standards.--The National Institute of Standards and Technology may promulgate standards, in coordination with the Secretary of Homeland Security, to assist an agency with its duties under this section.
``(c) Compliance.--The head of each appropriate department and agency shall be responsible for ensuring compliance and implementing necessary procedures to comply with this section. The head of each appropriate department and agency, in consultation with the Director of the Office of Management and Budget and the Secretary of Homeland Security, shall--
``(1) monitor compliance under this section;
``(2) develop a timeline and implement for the department or agency--
``(A) adoption of any technology, system, or method that facilitates continuous monitoring and threat assessments of an agency information system;
``(B) adoption or updating of any technology, system, or method that prevents, detects, or remediates a significant cyber incident to a Federal information system of the department or agency that has impeded, or is reasonably likely to impede, the performance of a critical mission of the department or agency; and
``(C) adoption of any technology, system, or method that satisfies a requirement under this section.
``(d) Limitation of Authority.--The authorities of the Director of the Office of Management and Budget and of the Secretary of Homeland Security under this section shall not apply to national security systems.
``(e) Report.--Not later than 6 months after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Government Accountability Office shall issue a report evaluating each agency's status toward implementing this section.
``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on Integrity and Efficiency, in consultation with the Director and the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense, shall issue and maintain criteria for the timely, cost-effective, risk-based, and independent evaluation of each agencywide information security program (and practices) to determine the effectiveness of the agencywide information security program (and practices). The criteria shall include measures to assess any conflicts of interest in the performance of the evaluation and whether the agencywide information security program includes appropriate safeguards against disclosure of information where such disclosure may adversely affect information security.
``(b) Annual Independent Evaluations.--Each agency shall perform an annual independent evaluation of its agencywide information security program (and practices) in accordance with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days after receiving an independent evaluation under subsection (b), each agency head shall transmit a copy of the independent evaluation to the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving national security systems shall be conducted as directed by the President.
``Sec. 3557. National security systems.
  ``The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency--
    ``(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; and
    ``(2) implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President.''.
  (b) Savings Provisions.--
    (1) Policy and compliance guidance.--Policy and compliance guidance issued by the Director before the date of enactment of this Act under section 3543(a)(1) of title 44, United States Code (as in effect on the day before the date of enactment of this Act), shall continue in effect, according to its terms, until modified, terminated, superseded, or repealed pursuant to section 3553(a)(1) of title 44, United States Code.
    (2) Standards and guidelines.--Standards and guidelines issued by the Secretary of Commerce or by the Director before the date of enactment of this Act under section 11331(a)(1) of title 40, United States Code (as in effect on the day before the date of enactment of this Act) shall continue in effect, according to their terms, until modified, terminated, superseded, or repealed pursuant to section 11331(a)(1) of title 40, United States Code, as amended by this Act.
  (c) Technical and Conforming Amendments.--
    (1) Chapter analysis.--The chapter analysis for chapter 35 of title 44, United States Code, is amended--
      (A) by striking the items relating to sections 3531 through 3538;
      (B) by striking the items relating to sections 3541 through 3549; and
      (C) by inserting the following:
``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
    (2) Other references.--
      (A) Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 3532(3)'' and inserting ``section 3552''.
      (B) Section 2222(j)(5) of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''.
      (C) Section 2223(c)(3) of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''.
      (D) Section 2315 of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''.
      (E) Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended--
        (i) in subsection (a)(2), by striking ``section 3532(b)(2)'' and inserting ``section 3552'';
        (ii) in subsection (c)(3), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce'';
        (iii) in subsection (d)(1), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce'';
        (iv) in subsection (d)(8), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce'';
        (v) in subsection (d)(8), by striking ``submitted to the Director'' and inserting ``submitted to the Secretary'';
        (vi) in subsection (e)(2), by striking ``section 3532(1) of such title'' and inserting ``section 3552 of title 44''; and
        (vii) in subsection (e)(5), by striking ``section 3532(b)(2) of such title'' and inserting ``section 3552 of title 44''.
      (F) Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking ``section 3534(b)'' and inserting ``section 3554(b)(2)''.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
  (a) In General.--Section 11331 of title 40, United States Code, is amended to read as follows:
``Sec. 11331. Responsibilities for Federal information systems standards
  ``(a) Standards and Guidelines.--
    ``(1) Authority to prescribe.--Except as provided under paragraph (2), the Secretary of Commerce shall prescribe standards and guidelines pertaining to Federal information systems--
      ``(A) in consultation with the Secretary of Homeland Security; and
      ``(B) on the basis of standards and guidelines developed by the National Institute of Standards and Technology under paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)(2) and (a)(3)).
    ``(2) National security systems.--Standards and guidelines for national security systems shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President.
  ``(b) Mandatory Standards and Guidelines.--
    ``(1) Authority to make mandatory standards and guidelines.--The Secretary of Commerce shall make standards and guidelines under subsection (a)(1) compulsory and binding to the extent determined necessary by the Secretary of Commerce to improve the efficiency of operation or security of Federal information systems.
    ``(2) Required mandatory standards and guidelines.--
      ``(A) In general.--Standards and guidelines under subsection (a)(1) shall include information security standards that--
        ``(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)); and
        ``(ii) are otherwise necessary to improve the security of Federal information and information systems.
      ``(B) Binding effect.--Information security standards under subparagraph (A) shall be compulsory and binding.
  ``(c) Exercise of Authority.--To ensure fiscal and policy consistency, the Secretary of Commerce shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director.
  ``(d) Application of More Stringent Standards and Guidelines.--The head of an executive agency may employ standards for the cost-effective information security for information systems within or under the supervision of that agency that are more stringent than the standards and guidelines the Secretary of Commerce prescribes under this section if the more stringent standards and guidelines--
    ``(1) contain at least the applicable standards and guidelines made compulsory and binding by the Secretary of Commerce; and
    ``(2) are otherwise consistent with the policies, directives, and implementation memoranda issued under section 3553(a) of title 44.
  ``(e) Decisions on Promulgation of Standards and Guidelines.--The decision by the Secretary of Commerce regarding the promulgation of any standard or guideline under this section shall occur not later than 6 months after the date of submission of the proposed standard to the Secretary of Commerce by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3).
  ``(f) Notice and Comment.--A decision by the Secretary of Commerce to significantly modify, or not promulgate, a proposed standard submitted to the Secretary by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) shall be made after the public is given an opportunity to comment on the Secretary's proposed decision.
  ``(g) Definitions.--In this section:
    ``(1) Federal information system.--The term `Federal information system' has the meaning given the term in section 3552 of title 44.
    ``(2) Information security.--The term `information security' has the meaning given the term in section 3552 of title 44.
    ``(3) National security system.--The term `national security system' has the meaning given the term in section 3552 of title 44.''.
SEC. 203. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate.
SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.
Section 21(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-4(b)) is amended--
    (1) in paragraph (2), by striking ``and the Director of the Office of Management and Budget'' and inserting ``, the Secretary of Commerce, and the Secretary of Homeland Security''; and
    (2) in paragraph (3), by inserting ``, the Secretary of Homeland Security,'' after ``the Secretary of Commerce''.
SEC. 205. CLARIFICATION OF AUTHORITIES.
Nothing in this title shall be construed to convey any new regulatory authority to any government entity implementing or complying with any provision of this title.
TITLE III--CRIMINAL PENALTIES
SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030(c) of title 18, United States Code, is amended to read as follows:
  ``(c) The punishment for an offense under subsection (a) or (b) of this section is--
    ``(1) a fine under this title or imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(1) of this section;
    ``(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than 3 years, or both, in the case of an offense under subsection (a)(2); or
      ``(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2) of this section, if--
        ``(i) the offense was committed for purposes of commercial advantage or private financial gain;
        ``(ii) the offense was committed in the furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States, or of any State; or
        ``(iii) the value of the information obtained, or that would have been obtained if the offense was completed, exceeds $5,000;
    ``(3) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(3) of this section;
    ``(4) a fine under this title or imprisonment of not more than 20 years, or both, in the case of an offense under subsection (a)(4) of this section;
    ``(5)(A) except as provided in subparagraph (C), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A) of this section, if the offense caused--
        ``(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
        ``(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
        ``(iii) physical injury to any person;
        ``(iv) a threat to public health or safety;
        ``(v) damage affecting a computer used by, or on behalf of, an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
        ``(vi) damage affecting 10 or more protected computers during any 1-year period;
      ``(B) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(B), if the offense caused a harm provided in clause (i) through (vi) of subparagraph (A) of this subsection;
      ``(C) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both;
      ``(D) a fine under this title, imprisonment for not more than 10 years, or both, for any other offense under subsection (a)(5);
      ``(E) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(6) of this section; or
      ``(F) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(7) of this section.''.
SEC. 302. TRAFFICKING IN PASSWORDS.
Section 1030(a)(6) of title 18, United States Code, is amended to read as follows:
    ``(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information or means of access through which a protected computer (as defined in subparagraphs (A) and (B) of subsection (e)(2)) may be accessed without authorization.''.
SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES.
Section 1030(b) of title 18, United States Code, is amended by inserting ``as if for the completed offense'' after ``punished as provided''.
SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS.
Section 1030 of title 18, United States Code, is amended by striking subsections (i) and (j) and inserting the following:
  ``(i) Criminal Forfeiture.--
    ``(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States--
      ``(A) such person's interest in any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of such violation; and
      ``(B) any property, real or personal, constituting or derived from any gross proceeds, or any property traceable to such property, that such person obtained, directly or indirectly, as a result of such violation.
    ``(2) The criminal forfeiture of property under this subsection, including any seizure and disposition of the property, and any related judicial or administrative proceeding, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section.
  ``(j) Civil Forfeiture.--
    ``(1) The following shall be subject to forfeiture to the United States and no property right, real or personal, shall exist in them:
      ``(A) Any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of any violation of this section, or a conspiracy to violate this section.
      ``(B) Any property, real or personal, constituting or derived from any gross proceeds obtained directly or indirectly, or any property traceable to such property, as a result of the commission of any violation of this section, or a conspiracy to violate this section.
    ``(2) Seizures and forfeitures under this subsection shall be governed by the provisions in chapter 46 relating to civil forfeitures, except that such duties as are imposed on the Secretary of the Treasury under the customs laws described in section 981(d) shall be performed by such officers, agents and other persons as may be designated for that purpose by the Secretary of Homeland Security or the Attorney General.''.
SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS.
  (a) In General.--Chapter 47 of title 18, United States Code, is amended by inserting after section 1030 the following:
``Sec. 1030A. Aggravated damage to a critical infrastructure computer
  ``(a) Definitions.--In this section--
    ``(1) the term `computer' has the meaning given the term in section 1030;
    ``(2) the term `critical infrastructure computer' means a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated, including--
      ``(A) oil and gas production, storage, conversion, and delivery systems;
      ``(B) water supply systems;
      ``(C) telecommunication networks;
      ``(D) electrical power generation and delivery systems;
      ``(E) finance and banking systems;
      ``(F) emergency services;
      ``(G) transportation systems and services; and
      ``(H) government operations that provide essential services to the public; and
    ``(3) the term `damage' has the meaning given the term in section 1030.
  ``(b) Offense.--It shall be unlawful, during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer if the damage results in (or, in the case of an attempt, if completed, would have resulted in) the substantial impairment--
    ``(1) of the operation of the critical infrastructure computer; or
    ``(2) of the critical infrastructure associated with the computer.
  ``(c) Penalty.--Any person who violates subsection (b) shall be--
    ``(1) fined under this title;
    ``(2) imprisoned for not less than 3 years but not more than 20 years; or
    ``(3) penalized under paragraphs (1) and (2).
  ``(d) Consecutive Sentence.--Notwithstanding any other provision of law--
    ``(1) a court shall not place on probation any person convicted of a violation of this section;
    ``(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment, including any term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for a felony violation of section 1030;
    ``(3) in determining any term of imprisonment to be imposed for a felony violation of section 1030, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and
    ``(4) a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section, provided that such discretion shall be exercised in accordance with any applicable guidelines and policy statements issued by the United States Sentencing Commission pursuant to section 994 of title 28.''.
  (b) Technical and Conforming Amendment.--The chapter analysis for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1030 the following:
``1030A. Aggravated damage to a critical infrastructure computer.''.
SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code, is amended by striking ``alter;'' and inserting ``alter, but does not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized;''.
SEC. 307. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate.
TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT
SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM PLANNING AND COORDINATION.
  (a) Goals and Priorities.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following:
  ``(d) Goals and Priorities.--The goals and priorities for Federal high-performance computing research, development, networking, and other activities under subsection (a)(2)(A) shall include--
    ``(1) encouraging and supporting mechanisms for interdisciplinary research and development in networking and information technology, including--
      ``(A) through collaborations across agencies;
      ``(B) through collaborations across Program Component Areas;
      ``(C) through collaborations with industry;
      ``(D) through collaborations with institutions of higher education;
      ``(E) through collaborations with Federal laboratories (as defined in section 4 of the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3703)); and
      ``(F) through collaborations with international organizations;
    ``(2) addressing national, multi-agency, multi-faceted challenges of national importance; and
    ``(3) fostering the transfer of research and development results into new technologies and applications for the benefit of society.''.
  (b) Development of Strategic Plan.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following:
  ``(e) Strategic Plan.--
    ``(1) In general.--Not later than 1 year after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the agencies under subsection (a)(3)(B), working through the National Science and Technology Council and with the assistance of the Office of Science and Technology Policy shall develop a 5-year strategic plan to guide the activities under subsection (a)(1).
    ``(2) Contents.--The strategic plan shall specify--
      ``(A) the near-term objectives for the Program;
      ``(B) the long-term objectives for the Program;
      ``(C) the anticipated time frame for achieving the near-term objectives;
      ``(D) the metrics that will be used to assess any progress made toward achieving the near-term objectives and the long-term objectives; and
      ``(E) how the Program will achieve the goals and priorities under subsection (d).
    ``(3) Implementation roadmap.--
      ``(A) In general.--The agencies under subsection (a)(3)(B) shall develop and annually update an implementation roadmap for the strategic plan.
      ``(B) Requirements.--The information in the implementation roadmap shall be coordinated with the database under section 102(c) and the annual report under section 101(a)(3). The implementation roadmap shall--
        ``(i) specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated, with consideration of any relevant recommendations of the advisory committee;
        ``(ii) specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year; and
        ``(iii) estimate the funding required for each major research objective of the strategic plan for the next 3 fiscal years.
    ``(4) Recommendations.--The agencies under subsection (a)(3)(B) shall take into consideration when developing the strategic plan under paragraph (1) the recommendations of--
      ``(A) the advisory committee under subsection (b); and
      ``(B) the stakeholders under section 102(a)(3).
    ``(5) Report to congress.--The Director of the Office of Science and Technology Policy shall transmit the strategic plan under this subsection, including the implementation roadmap and any updates under paragraph (3), to--
      ``(A) the advisory committee under subsection (b);
      ``(B) the Committee on Commerce, Science, and Transportation of the Senate; and
      ``(C) the Committee on Science and Technology of the House of Representatives.''.
  (c) Periodic Reviews.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following:
  ``(f) Periodic Reviews.--The agencies under subsection (a)(3)(B) shall--
    ``(1) periodically assess the contents and funding levels of the Program Component Areas and restructure the Program when warranted, taking into consideration any relevant recommendations of the advisory committee under subsection (b); and
    ``(2) ensure that the Program includes national, multi-agency, multi-faceted research and development activities, including activities described in section 104.''.
  (d) Additional Responsibilities of Director.--Section 101(a)(2) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(2)) is amended--
    (1) by redesignating subparagraphs (E) and (F) as subparagraphs (G) and (H), respectively; and
    (2) by inserting after subparagraph (D) the following:
      ``(E) encourage and monitor the efforts of the agencies participating in the Program to allocate the level of resources and management attention necessary--
        ``(i) to ensure that the strategic plan under subsection (e) is developed and executed effectively; and
        ``(ii) to ensure that the objectives of the Program are met;
      ``(F) working with the Office of Management and Budget and in coordination with the creation of the database under section 102(c), direct the Office of Science and Technology Policy and the agencies participating in the Program to establish a mechanism (consistent with existing law) to track all ongoing and completed research and development projects and associated funding;''.
  (e) Advisory Committee.--Section 101(b) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is amended--
    (1) in paragraph (1)--
      (A) by inserting after the first sentence the following: ``The co-chairs of the advisory committee shall meet the qualifications of committee members and may be members of the President's Council of Advisors on Science and Technology.''; and
      (B) by striking ``high-performance'' in subparagraph (D) and inserting ``high-end''; and
    (2) by amending paragraph (2) to read as follows:
    ``(2) In addition to the duties under paragraph (1), the advisory committee shall conduct periodic evaluations of the funding, management, coordination, implementation, and activities of the Program. The advisory committee shall report its findings and recommendations not less frequently than once every 3 fiscal years to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives. The report shall be submitted in conjunction with the update of the strategic plan.''.
  (f) Report.--Section 101(a)(3) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
    (1) in subparagraph (C)--
      (A) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and
      (B) by striking ``each Program Component Area'' and inserting ``each Program Component Area and each research area supported in accordance with section 104'';
    (2) in subparagraph (D)--
      (A) by striking ``each Program Component Area,'' and inserting ``each Program Component Area and each research area supported in accordance with section 104,'';
      (B) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and
      (C) by striking ``and'' after the semicolon;
    (3) by redesignating subparagraph (E) as subparagraph (G); and
    (4) by inserting after subparagraph (D) the following:
      ``(E) include a description of how the objectives for each Program Component Area, and the objectives for activities that involve multiple Program Component Areas, relate to the objectives of the Program identified in the strategic plan under subsection (e);
      ``(F) include--
        ``(i) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the next fiscal year by category of activity;
        ``(ii) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the current fiscal year by category of activity; and
        ``(iii) the amount of funding provided for the Office of Science and Technology Policy for the current fiscal year by each agency participating in the Program; and''.
  (g) Definitions.--Section 4 of the High-Performance Computing Act of 1991 (15 U.S.C. 5503) is amended--
    (1) by redesignating paragraphs (1) and (2) as paragraphs (2) and (3), respectively;
    (2) by redesignating paragraph (3) as paragraph (6);
    (3) by redesignating paragraphs (6) and (7) as paragraphs (7) and (8), respectively;
    (4) by inserting before paragraph (2), as redesignated, the following:
    ``(1) `cyber-physical systems' means physical or engineered systems whose networking and information technology functions and physical elements are deeply integrated and are actively connected to the physical world through sensors, actuators, or other means to perform monitoring and control functions;'';
    (5) in paragraph (3), as redesignated, by striking ``high-performance computing'' and inserting ``networking and information technology'';
    (6) in paragraph (6), as redesignated--
      (A) by striking ``high-performance computing'' and inserting ``networking and information technology''; and
      (B) by striking ``supercomputer'' and inserting ``high-end computing'';
    (7) in paragraph (5), by striking ``network referred to as'' and all that follows through the semicolon and inserting ``network, including advanced computer networks of Federal agencies and departments''; and
    (8) in paragraph (7), as redesignated, by striking ``National High-Performance Computing Program'' and inserting ``networking and information technology research and development program''.
SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
  (a) Research in Areas of National Importance.--Title I of the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et seq.) is amended by adding at the end the following:
``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
  ``(a) In General.--The Program shall encourage agencies under section 101(a)(3)(B) to support, maintain, and improve national, multi-agency, multi-faceted, research and development activities in networking and information technology directed toward application areas that have the potential for significant contributions to national economic competitiveness and for other significant societal benefits.
  ``(b) Technical Solutions.--An activity under subsection (a) shall be designed to advance the development of research discoveries by demonstrating technical solutions to important problems in areas including--
    ``(1) cybersecurity;
    ``(2) health care;
    ``(3) energy management and low-power systems and devices;
    ``(4) transportation, including surface and air transportation;
    ``(5) cyber-physical systems;
    ``(6) large-scale data analysis and modeling of physical phenomena;
    ``(7) large scale data analysis and modeling of behavioral phenomena;
    ``(8) supply chain quality and security; and
    ``(9) privacy protection and protected disclosure of confidential data.
  ``(c) Recommendations.--The advisory committee under section 101(b) shall make recommendations to the Program for candidate research and development areas for support under this section.
``(d) Characteristics.-- ``(1) In general.--Research and development activities under this section-- ``(A) shall include projects selected on the basis of applications for support through a competitive, merit-based process; ``(B) shall leverage, when possible, Federal investments through collaboration with related State initiatives; ``(C) shall include a plan for fostering the transfer of research discoveries and the results of technology demonstration activities, including from institutions of higher education and Federal laboratories, to industry for commercial development; ``(D) shall involve collaborations among researchers in institutions of higher education and industry; and ``(E) may involve collaborations among nonprofit research institutions and Federal laboratories, as appropriate. ``(2) Cost-sharing.--In selecting applications for support, the agencies under section 101(a)(3)(B) shall give special consideration to projects that include cost sharing from non- Federal sources. ``(3) Multidisciplinary research centers.--Research and development activities under this section shall be supported through multidisciplinary research centers, including Federal laboratories, that are organized to investigate basic research questions and carry out technology demonstration activities in areas described in subsection (a). Research may be carried out through existing multidisciplinary centers, including those authorized under section 7024(b)(2) of the America COMPETES Act (42 U.S.C. 1862o-10(2)).''. (b) Cyber-Physical Systems.--Section 101(a)(1) of the High- Performance Computing Act of 1991 (15 U.S.C. 
5511(a)(1)) is amended-- (1) in subparagraph (H), by striking ``and'' after the semicolon; (2) in subparagraph (I), by striking the period at the end and inserting a semicolon; and (3) by adding at the end the following: ``(J) provide for increased understanding of the scientific principles of cyber-physical systems and improve the methods available for the design, development, and operation of cyber-physical systems that are characterized by high reliability, safety, and security; and ``(K) provide for research and development on human-computer interactions, visualization, and big data.''. (c) Task Force.--Title I of the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 402(a) of this Act, is amended by adding at the end the following: ``SEC. 105. TASK FORCE. ``(a) Establishment.--Not later than 180 days after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Director of the Office of Science and Technology Policy under section 102 shall convene a task force to explore mechanisms for carrying out collaborative research and development activities for cyber-physical systems (including the related technologies required to enable these systems) through a consortium or other appropriate entity with participants from institutions of higher education, Federal laboratories, and industry. 
``(b) Functions.--The task force shall-- ``(1) develop options for a collaborative model and an organizational structure for such entity under which the joint research and development activities could be planned, managed, and conducted effectively, including mechanisms for the allocation of resources among the participants in such entity for support of such activities; ``(2) propose a process for developing a research and development agenda for such entity, including guidelines to ensure an appropriate scope of work focused on nationally significant challenges and requiring collaboration and to ensure the development of related scientific and technological milestones; ``(3) define the roles and responsibilities for the participants from institutions of higher education, Federal laboratories, and industry in such entity; ``(4) propose guidelines for assigning intellectual property rights and for transferring research results to the private sector; and ``(5) make recommendations for how such entity could be funded from Federal, State, and non-governmental sources. ``(c) Composition.--In establishing the task force under subsection (a), the Director of the Office of Science and Technology Policy shall appoint an equal number of individuals from institutions of higher education and from industry with knowledge and expertise in cyber-physical systems, and may appoint not more than 2 individuals from Federal laboratories. ``(d) Report.--Not later than 1 year after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Director of the Office of Science and Technology Policy shall transmit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives a report describing the findings and recommendations of the task force. 
``(e) Termination.--The task force shall terminate upon transmittal of the report required under subsection (d). ``(f) Compensation and Expenses.--Members of the task force shall serve without compensation.''. SEC. 403. PROGRAM IMPROVEMENTS. Section 102 of the High-Performance Computing Act of 1991 (15 U.S.C. 5512) is amended to read as follows: ``SEC. 102. PROGRAM IMPROVEMENTS. ``(a) Functions.--The Director of the Office of Science and Technology Policy shall continue-- ``(1) to provide technical and administrative support to-- ``(A) the agencies participating in planning and implementing the Program, including support needed to develop the strategic plan under section 101(e); and ``(B) the advisory committee under section 101(b); ``(2) to serve as the primary point of contact on Federal networking and information technology activities for government agencies, academia, industry, professional societies, State computing and networking technology programs, interested citizen groups, and others to exchange technical and programmatic information; ``(3) to solicit input and recommendations from a wide range of stakeholders during the development of each strategic plan under section 101(e) by convening at least 1 workshop with invitees from academia, industry, Federal laboratories, and other relevant organizations and institutions; ``(4) to conduct public outreach, including the dissemination of the advisory committee's findings and recommendations, as appropriate; ``(5) to promote access to and early application of the technologies, innovations, and expertise derived from Program activities to agency missions and systems across the Federal Government and to United States industry; ``(6) to ensure accurate and detailed budget reporting of networking and information technology research and development investment; and ``(7) to encourage agencies participating in the Program to use existing programs and resources to strengthen networking and information technology 
education and training, and increase participation in such fields, including by women and underrepresented minorities. ``(b) Source of Funding.-- ``(1) In general.--The functions under this section shall be supported by funds from each agency participating in the Program. ``(2) Specifications.--The portion of the total budget of the Office of Science and Technology Policy that is provided by each agency participating in the Program for each fiscal year shall be in the same proportion as each agency's share of the total budget for the Program for the previous fiscal year, as specified in the database under section 102(c). ``(c) Database.-- ``(1) In general.--The Director of the Office of Science and Technology Policy shall develop and maintain a database of projects funded by each agency for the fiscal year for each Program Component Area. ``(2) Public accessibility.--The Director of the Office of Science and Technology Policy shall make the database accessible to the public. ``(3) Database contents.--The database shall include, for each project in the database-- ``(A) a description of the project; ``(B) each agency, industry, institution of higher education, Federal laboratory, or international institution involved in the project; ``(C) the source funding of the project (set forth by agency); ``(D) the funding history of the project; and ``(E) whether the project has been completed.''. SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION TECHNOLOGY, INCLUDING HIGH PERFORMANCE COMPUTING. Section 201(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 
5521(a)) is amended-- (1) by redesignating paragraphs (2) through (4) as paragraphs (3) through (5), respectively; and (2) by inserting after paragraph (1) the following: ``(2) the National Science Foundation shall use its existing programs, in collaboration with other agencies, as appropriate, to improve the teaching and learning of networking and information technology at all levels of education and to increase participation in networking and information technology fields;''. SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-PERFORMANCE COMPUTING ACT OF 1991. (a) Section 3.--Section 3 of the High-Performance Computing Act of 1991 (15 U.S.C. 5502) is amended-- (1) in the matter preceding paragraph (1), by striking ``high-performance computing'' and inserting ``networking and information technology''; (2) in paragraph (1)-- (A) in the matter preceding subparagraph (A), by striking ``high-performance computing'' and inserting ``networking and information technology''; (B) in subparagraphs (A), (F), and (G), by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and (C) in subparagraph (H), by striking ``high-performance'' and inserting ``high-end''; and (3) in paragraph (2)-- (A) by striking ``high-performance computing and'' and inserting ``networking and information technology, and''; and (B) by striking ``high-performance computing network'' and inserting ``networking and information technology''. (b) Title Heading.--The heading of title I of the High-Performance Computing Act of 1991 (105 Stat. 1595) is amended by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting ``NETWORKING AND INFORMATION TECHNOLOGY''. (c) Section 101.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 
5511) is amended-- (1) in the section heading, by striking ``high-performance computing'' and inserting ``networking and information technology research and development''; (2) in subsection (a)-- (A) in the subsection heading, by striking ``National High-Performance Computing'' and inserting ``Networking and Information Technology Research and Development''; (B) in paragraph (1)-- (i) by striking ``National High-Performance Computing Program'' and inserting ``networking and information technology research and development program''; (ii) in subparagraph (A), by striking ``high-performance computing, including networking'' and inserting ``networking and information technology''; (iii) in subparagraphs (B) and (G), by striking ``high-performance'' each place it appears and inserting ``high-end''; and (iv) in subparagraph (C), by striking ``high-performance computing and networking'' and inserting ``high-end computing, distributed, and networking''; and (C) in paragraph (2)-- (i) in subparagraphs (A) and (C)-- (I) by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and (II) by striking ``development, networking,'' each place it appears and inserting ``development,''; and (ii) in subparagraphs (G) and (H), as redesignated by section 401(d) of this Act, by striking ``high-performance'' each place it appears and inserting ``high-end''; (3) in subsection (b)(1), in the matter preceding subparagraph (A), by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and (4) in subsection (c)(1)(A), by striking ``high-performance computing'' and inserting ``networking and information technology''. (d) Section 201.--Section 201(a)(1) of the High-Performance Computing Act of 1991 (15 U.S.C. 
5521(a)(1)) is amended by striking ``high-performance computing and advanced high-speed computer networking'' and inserting ``networking and information technology research and development''. (e) Section 202.--Section 202(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by striking ``high-performance computing'' and inserting ``networking and information technology''. (f) Section 203.--Section 203(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5523(a)) is amended-- (1) in paragraph (1), by striking ``high-performance computing and networking'' and inserting ``networking and information technology''; and (2) in paragraph (2)(A), by striking ``high-performance'' and inserting ``high-end''. (g) Section 204.--Section 204 of the High-Performance Computing Act of 1991 (15 U.S.C. 5524) is amended-- (1) in subsection (a)(1)-- (A) in subparagraph (A), by striking ``high-performance computing systems and networks'' and inserting ``networking and information technology systems and capabilities''; (B) in subparagraph (B), by striking ``interoperability of high-performance computing systems in networks and for common user interfaces to systems'' and inserting ``interoperability and usability of networking and information technology systems''; and (C) in subparagraph (C), by striking ``high-performance computing'' and inserting ``networking and information technology''; and (2) in subsection (b)-- (A) by striking ``High-Performance Computing and Network'' in the heading and inserting ``Networking and Information Technology''; and (B) by striking ``sensitive''. (h) Section 205.--Section 205(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by striking ``computational'' and inserting ``networking and information technology''. (i) Section 206.--Section 206(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 
5526(a)) is amended by striking ``computational research'' and inserting ``networking and information technology research''. (j) Section 207.--Section 207 of the High-Performance Computing Act of 1991 (15 U.S.C. 5527) is amended by striking ``high-performance computing'' and inserting ``networking and information technology''. (k) Section 208.--Section 208 of the High-Performance Computing Act of 1991 (15 U.S.C. 5528) is amended-- (1) in the section heading, by striking ``high-performance computing'' and inserting ``networking and information technology''; and (2) in subsection (a)-- (A) in paragraph (1), by striking ``High-performance computing and associated'' and inserting ``Networking and information''; (B) in paragraph (2), by striking ``high-performance computing'' and inserting ``networking and information technologies''; (C) in paragraph (3), by striking ``high-performance'' and inserting ``high-end''; (D) in paragraph (4), by striking ``high-performance computers and associated'' and inserting ``networking and information''; and (E) in paragraph (5), by striking ``high-performance computing and associated'' and inserting ``networking and information''. SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM. (a) In General.--The Director of the National Science Foundation, in coordination with the Secretary of Homeland Security, shall carry out a Federal cyber scholarship-for-service program to recruit and train the next generation of information technology professionals and security managers to meet the needs of the cybersecurity mission for the Federal government. 
(b) Program Description and Components.--The program shall-- (1) annually assess the workforce needs of the Federal government for cybersecurity professionals, including network engineers, software engineers, and other experts in order to determine how many scholarships should be awarded annually to ensure that the workforce needs following graduation match the number of scholarships awarded; (2) provide scholarships for up to 1,000 students per year in their pursuit of undergraduate or graduate degrees in the cybersecurity field, in an amount that may include coverage for full tuition, fees, and a stipend; (3) require each scholarship recipient, as a condition of receiving a scholarship under the program, to serve in a Federal information technology workforce for a period equal to one and one-half times each year, or partial year, of scholarship received, in addition to an internship in the cybersecurity field, if applicable, following graduation; (4) provide a procedure for the National Science Foundation or a Federal agency, consistent with regulations of the Office of Personnel Management, to request and fund a security clearance for a scholarship recipient, including providing for clearance during a summer internship and upon graduation; and (5) provide opportunities for students to receive temporary appointments for meaningful employment in the Federal information technology workforce during school vacation periods and for internships. (c) Hiring Authority.-- (1) In general.--For purposes of any law or regulation governing the appointment of an individual in the Federal civil service, upon the successful completion of the student's studies, a student receiving a scholarship under the program may-- (A) be hired under section 213.3102(r) of title 5, Code of Federal Regulations; and (B) be exempt from competitive service. 
(2) Competitive service.--Upon satisfactory fulfillment of the service term under paragraph (1), an individual may be converted to a competitive service position without competition if the individual meets the requirements for that position. (d) Eligibility.--The eligibility requirements for a scholarship under this section shall include that a scholarship applicant-- (1) be a citizen of the United States; (2) be eligible to be granted a security clearance; (3) maintain a grade point average of 3.2 or above on a 4.0 scale for undergraduate study or a 3.5 or above on a 4.0 scale for postgraduate study; (4) demonstrate a commitment to a career in improving the security of the information infrastructure; and (5) have demonstrated a level of proficiency in math or computer sciences. (e) Failure to Complete Service Obligation.-- (1) In general.--A scholarship recipient under this section shall be liable to the United States under paragraph (2) if the scholarship recipient-- (A) fails to maintain an acceptable level of academic standing in the educational institution in which the individual is enrolled, as determined by the Director; (B) is dismissed from such educational institution for disciplinary reasons; (C) withdraws from the program for which the award was made before the completion of such program; (D) declares that the individual does not intend to fulfill the service obligation under this section; (E) fails to fulfill the service obligation of the individual under this section; or (F) loses a security clearance or becomes ineligible for a security clearance. (2) Repayment amounts.-- (A) Less than 1 year of service.--If a circumstance under paragraph (1) occurs before the completion of 1 year of a service obligation under this section, the total amount of awards received by the individual under this section shall be repaid. 
(B) One or more years of service.--If a circumstance described in subparagraph (D) or (E) of paragraph (1) occurs after the completion of 1 year of a service obligation under this section, the total amount of scholarship awards received by the individual under this section, reduced by the ratio of the number of years of service completed divided by the number of years of service required, shall be repaid. (f) Evaluation and Report.--The Director of the National Science Foundation shall-- (1) evaluate the success of recruiting individuals for scholarships under this section and of hiring and retaining those individuals in the public sector workforce, including the annual cost and an assessment of how the program actually improves the Federal workforce; and (2) periodically report the findings under paragraph (1) to Congress. (g) Authorization of Appropriations.--From amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), the Secretary may use funds to carry out the requirements of this section for fiscal years 2012 through 2013. SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF INFORMATION INFRASTRUCTURE PROFESSIONALS. (a) Study.--The President shall enter into an agreement with the National Academies to conduct a comprehensive study of government, academic, and private-sector accreditation, training, and certification programs for personnel working in information infrastructure. The agreement shall require the National Academies to consult with sector coordinating councils and relevant governmental agencies, regulatory entities, and nongovernmental organizations in the course of the study. 
(b) Scope.--The study shall include-- (1) an evaluation of the body of knowledge and various skills that specific categories of personnel working in information infrastructure should possess in order to secure information systems; (2) an assessment of whether existing government, academic, and private-sector accreditation, training, and certification programs provide the body of knowledge and various skills described in paragraph (1); (3) an analysis of any barriers to the Federal Government recruiting and hiring cybersecurity talent, including barriers relating to compensation, the hiring process, job classification, and hiring flexibility; and (4) an analysis of the sources and availability of cybersecurity talent, a comparison of the skills and expertise sought by the Federal Government and the private sector, an examination of the current and future capacity of United States institutions of higher education, including community colleges, to provide current and future cybersecurity professionals, through education and training activities, with those skills sought by the Federal Government, State and local entities, and the private sector. (c) Report.--Not later than 1 year after the date of enactment of this Act, the National Academies shall submit to the President and Congress a report on the results of the study. The report shall include-- (1) findings regarding the state of information infrastructure accreditation, training, and certification programs, including specific areas of deficiency and demonstrable progress; and (2) recommendations for the improvement of information infrastructure accreditation, training, and certification programs. SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS. 
(a) In General.--The Director of the National Institute of Standards and Technology, in coordination with appropriate Federal authorities, shall-- (1) as appropriate, ensure coordination of Federal agencies engaged in the development of international technical standards related to information system security; and (2) not later than 1 year after the date of enactment of this Act, develop and transmit to Congress a plan for ensuring such Federal agency coordination. (b) Consultation With the Private Sector.--In carrying out the activities under subsection (a)(1), the Director shall ensure consultation with appropriate private sector stakeholders. SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT. The Director of the National Institute of Standards and Technology shall continue a program to support the development of technical standards, metrology, testbeds, and conformance criteria, taking into account appropriate user concerns-- (1) to improve interoperability among identity management technologies; (2) to strengthen authentication methods of identity management systems; (3) to improve privacy protection in identity management systems, including health information technology systems, through authentication and security protocols; and (4) to improve the usability of identity management systems. SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT. (a) National Science Foundation Computer and Network Security Research Grant Areas.--Section 4(a)(1) of the Cyber Security Research and Development Act (15 U.S.C. 
7403(a)(1)) is amended-- (1) in subparagraph (H), by striking ``and'' after the semicolon; (2) in subparagraph (I), by striking ``property.'' and inserting ``property;''; and (3) by adding at the end the following: ``(J) secure fundamental protocols that are at the heart of inter-network communications and data exchange; ``(K) system security that addresses the building of secure systems from trusted and untrusted components; ``(L) monitoring and detection; and ``(M) resiliency and rapid recovery methods.''. (b) National Science Foundation Computer and Network Security Grants.--Section 4(a)(3) of the Cyber Security Research and Development Act (15 U.S.C. 7403(a)(3)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (c) Computer and Network Security Centers.--Section 4(b)(7) of the Cyber Security Research and Development Act (15 U.S.C. 7403(b)(7)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (d) Computer and Network Security Capacity Building Grants.--Section 5(a)(6) of the Cyber Security Research and Development Act (15 U.S.C. 
7404(a)(6)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (e) Scientific and Advanced Technology Act Grants.--Section 5(b)(2) of the Cyber Security Research and Development Act (15 U.S.C. 7404(b)(2)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (f) Graduate Traineeships in Computer and Network Security Research.--Section 5(c)(7) of the Cyber Security Research and Development Act (15 U.S.C. 7404(c)(7)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Secretary finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. ______ SA 2607. Mr. McCAIN (for himself, Mrs. Hutchison, Mr. Chambliss, Mr. Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of Wisconsin) submitted an amendment intended to be proposed by him to the bill S. 
3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: Beginning on page 1, strike line 3 and all that follows through page 211, line 6 and insert the following: SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) Short Title.--This Act may be cited as the ``Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012'' or ``SECURE IT''. (b) Table of Contents.--The table of contents of this Act is as follows: Sec. 1. Short title; table of contents. TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION Sec. 101. Definitions. Sec. 102. Authorization to share cyber threat information. Sec. 103. Information sharing by the Federal government. Sec. 104. Construction. Sec. 105. Report on implementation. Sec. 106. Inspector General review. Sec. 107. Technical amendments. Sec. 108. Access to classified information. TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY Sec. 201. Coordination of Federal information security policy. Sec. 202. Management of information technology. Sec. 203. No new funding. Sec. 204. Technical and conforming amendments. Sec. 205. Clarification of authorities. TITLE III--CRIMINAL PENALTIES Sec. 301. Penalties for fraud and related activity in connection with computers. Sec. 302. Trafficking in passwords. Sec. 303. Conspiracy and attempted computer fraud offenses. Sec. 304. Criminal and civil forfeiture for fraud and related activity in connection with computers. Sec. 305. Damage to critical infrastructure computers. Sec. 306. Limitation on actions involving unauthorized use. Sec. 307. No new funding. TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT Sec. 401. National High-Performance Computing Program planning and coordination. Sec. 402. Research in areas of national importance. Sec. 403. Program improvements. Sec. 404. 
Improving education of networking and information technology, including high performance computing. Sec. 405. Conforming and technical amendments to the High-Performance Computing Act of 1991. Sec. 406. Federal cyber scholarship-for-service program. Sec. 407. Study and analysis of certification and training of information infrastructure professionals. Sec. 408. International cybersecurity technical standards. Sec. 409. Identity management research and development. Sec. 410. Federal cybersecurity research and development. TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION SEC. 101. DEFINITIONS. In this title: (1) Agency.--The term ``agency'' has the meaning given the term in section 3502 of title 44, United States Code. (2) Antitrust laws.--The term ``antitrust laws''-- (A) has the meaning given the term in section 1(a) of the Clayton Act (15 U.S.C. 12(a)); (B) includes section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent that section 5 of that Act applies to unfair methods of competition; and (C) includes any State law that has the same intent and effect as the laws under subparagraphs (A) and (B). (3) Countermeasure.--The term ``countermeasure'' means an automated or a manual action with defensive intent to mitigate cyber threats. 
(4) Cyber threat information.--The term ``cyber threat information'' means information that indicates or describes-- (A) a technical or operational vulnerability or a cyber threat mitigation measure; (B) an action or operation to mitigate a cyber threat; (C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat; (D) a method of defeating a technical control; (E) a method of defeating an operational control; (F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent; (G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control; (H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law; (I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or (J) any combination of subparagraphs (A) through (I). (5) Cybersecurity center.--The term ``cybersecurity center'' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center. 
(6) Cybersecurity system.--The term ``cybersecurity system'' means a system designed or employed to ensure the integrity, confidentiality, or availability of, or to safeguard, a system or network, including measures intended to protect a system or network from-- (A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriations of private or government information, intellectual property, or personally identifiable information. (7) Entity.-- (A) In general.--The term ``entity'' means any private entity, non-Federal government agency or department, or State, tribal, or local government agency or department (including an officer, employee, or agent thereof). (B) Inclusions.--The term ``entity'' includes a government agency or department (including an officer, employee, or agent thereof) of the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Northern Mariana Islands, and any other territory or possession of the United States. (8) Federal information system.--The term ``Federal information system'' means an information system of a Federal department or agency used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. (9) Information security.--The term ``information security'' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide-- (A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity; (B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or (C) availability, by ensuring timely and reliable access to and use of information. 
(10) Information system.--The term ``information system'' has the meaning given the term in section 3502 of title 44, United States Code. (11) Local government.--The term ``local government'' means any borough, city, county, parish, town, township, village, or other general purpose political subdivision of a State. (12) Malicious reconnaissance.--The term ``malicious reconnaissance'' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat. (13) Operational control.--The term ``operational control'' means a security control for an information system that primarily is implemented and executed by people. (14) Operational vulnerability.--The term ``operational vulnerability'' means any attribute of policy, process, or procedure that could enable or facilitate the defeat of an operational control. (15) Private entity.--The term ``private entity'' means any individual or any private group, organization, or corporation, including an officer, employee, or agent thereof. (16) Significant cyber incident.--The term ``significant cyber incident'' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in-- (A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or (B) an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated. (17) Technical control.--The term ``technical control'' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system. 
(18) Technical vulnerability.--The term ``technical vulnerability'' means any attribute of hardware or software that could enable or facilitate the defeat of a technical control. (19) Tribal.--The term ``tribal'' has the meaning given the term ``Indian tribe'' in section 4 of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 450b). SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION. (a) Voluntary Disclosure.-- (1) Private entities.--Notwithstanding any other provision of law, a private entity may, for the purpose of preventing, investigating, or otherwise mitigating threats to information security, on its own networks, or as authorized by another entity, on such entity's networks, employ countermeasures and use cybersecurity systems in order to obtain, identify, or otherwise possess cyber threat information. (2) Entities.--Notwithstanding any other provision of law, an entity may disclose cyber threat information to-- (A) a cybersecurity center; or (B) any other entity in order to assist with preventing, investigating, or otherwise mitigating threats to information security. (3) Information security providers.--If the cyber threat information described in paragraph (1) is obtained, identified, or otherwise possessed in the course of providing information security products or services under contract to another entity, that entity shall be given, at any time prior to disclosure of such information, a reasonable opportunity to authorize or prevent such disclosure, to request anonymization of such information, or to request that reasonable efforts be made to safeguard such information that identifies specific persons from unauthorized access or disclosure. 
(b) Significant Cyber Incidents Involving Federal Information Systems.-- (1) In general.--An entity providing electronic communication services, remote computing services, or information security services to a Federal department or agency shall inform the Federal department or agency of a significant cyber incident involving the Federal information system of that Federal department or agency that-- (A) is directly known to the entity as a result of providing such services; (B) is directly related to the provision of such services by the entity; and (C) as determined by the entity, has impeded or will impede the performance of a critical mission of the Federal department or agency. (2) Advance coordination.--A Federal department or agency receiving the services described in paragraph (1) shall coordinate in advance with an entity described in paragraph (1) to develop the parameters of any information that may be provided under paragraph (1), including clarification of the type of significant cyber incident that will impede the performance of a critical mission of the Federal department or agency. (3) Report.--A Federal department or agency shall report information provided under this subsection to a cybersecurity center. (4) Construction.--Any information provided to a cybersecurity center under paragraph (3) shall be treated in the same manner as information provided to a cybersecurity center under subsection (a). 
(c) Information Shared With or Provided to a Cybersecurity Center.--Cyber threat information provided to a cybersecurity center under this section-- (1) may be disclosed to, retained by, and used by, consistent with otherwise applicable Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal government for a cybersecurity purpose, a national security purpose, or in order to prevent, investigate, or prosecute any of the offenses listed in section 2516 of title 18, United States Code, and such information shall not be disclosed to, retained by, or used by any Federal agency or department for any use not permitted under this paragraph; (2) may, with the prior written consent of the entity submitting such information, be disclosed to and used by a State, tribal, or local government or government agency for the purpose of protecting information systems, or in furtherance of preventing, investigating, or prosecuting a criminal act, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent; (3) shall be considered the commercial, financial, or proprietary information of the entity providing such information to the Federal government and any disclosure outside the Federal government may only be made upon the prior written consent by such entity and shall not constitute a waiver of any applicable privilege or protection provided by law, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent; (4) shall be deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records; (5) shall be, without discretion, withheld from the public under section 552(b)(3)(B) of title 5, United States 
Code, and any State, tribal, or local law requiring disclosure of information or records; (6) shall not be subject to the rules of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official; (7) shall not, if subsequently provided to a State, tribal, or local government or government agency, otherwise be disclosed or distributed to any entity by such State, tribal, or local government or government agency without the prior written consent of the entity submitting such information, notwithstanding any State, tribal, or local law requiring disclosure of information or records, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent; and (8) shall not be directly used by any Federal, State, tribal, or local department or agency to regulate the lawful activities of an entity, including activities relating to obtaining, identifying, or otherwise possessing cyber threat information, except that the procedures required to be developed and implemented under this title shall not be considered regulations within the meaning of this paragraph. 
(d) Procedures Relating to Information Sharing With a Cybersecurity Center.--Not later than 60 days after the date of enactment of this Act, the heads of each department or agency containing a cybersecurity center shall jointly develop, promulgate, and submit to Congress procedures to ensure that cyber threat information shared with or provided to-- (1) a cybersecurity center under this section-- (A) may be submitted to a cybersecurity center by an entity, to the greatest extent possible, through a uniform, publicly available process or format that is easily accessible on the website of such cybersecurity center, and that includes the ability to provide relevant details about the cyber threat information and written consent to any subsequent disclosures authorized by this paragraph; (B) shall immediately be further shared with each cybersecurity center in order to prevent, investigate, or otherwise mitigate threats to information security across the Federal government; (C) is handled by the Federal government in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title, and the Federal government may undertake efforts consistent with this subparagraph to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal government; and (D) except as provided in this section, shall only be used, disclosed, or handled in accordance with the provisions of subsection (c); and (2) a Federal agency or department under subsection (b) is provided immediately to a cybersecurity center in order to prevent, investigate, or otherwise mitigate threats to information security across the Federal government. 
(e) Information Shared Between Entities.-- (1) In general.--An entity sharing cyber threat information with another entity under this title may restrict the use or sharing of such information by such other entity. (2) Further sharing.--Cyber threat information shared by any entity with another entity under this title-- (A) shall only be further shared in accordance with any restrictions placed on the sharing of such information by the entity authorizing such sharing, such as appropriate anonymization of such information; and (B) may not be used by any entity to gain an unfair competitive advantage to the detriment of the entity authorizing the sharing of such information, except that the conduct described in paragraph (3) shall not constitute unfair competitive conduct. (3) Information shared with state, tribal, or local government or government agency.--Cyber threat information shared with a State, tribal, or local government or government agency under this title-- (A) may, with the prior written consent of the entity sharing such information, be disclosed to and used by a State, tribal, or local government or government agency for the purpose of protecting information systems, or in furtherance of preventing, investigating, or prosecuting a criminal act, except if the need for immediate disclosure prevents obtaining written consent, consent may be provided orally with subsequent documentation of the consent; (B) shall be deemed voluntarily shared information and exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records; (C) shall not be disclosed or distributed to any entity by the State, tribal, or local government or government agency without the prior written consent of the entity submitting such information, notwithstanding any State, tribal, or local law requiring disclosure of information or records, except if the need for immediate disclosure prevents obtaining written consent, consent may be 
provided orally with subsequent documentation of the consent; and (D) shall not be directly used by any State, tribal, or local department or agency to regulate the lawful activities of an entity, including activities relating to obtaining, identifying, or otherwise possessing cyber threat information, except that the procedures required to be developed and implemented under this title shall not be considered regulations within the meaning of this subparagraph. (4) Antitrust exemption.--The exchange or provision of cyber threat information or assistance between 2 or more private entities under this title shall not be considered a violation of any provision of antitrust laws if exchanged or provided in order to assist with-- (A) facilitating the prevention, investigation, or mitigation of threats to information security; or (B) communicating or disclosing of cyber threat information to help prevent, investigate or otherwise mitigate the effects of a threat to information security. (5) No right or benefit.--The provision of cyber threat information to an entity under this section shall not create a right or a benefit to similar information by such entity or any other entity. (f) Federal Preemption.-- (1) In general.--This section supersedes any statute or other law of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under this section. (2) State law enforcement.--Nothing in this section shall be construed to supersede any statute or other law of a State or political subdivision of a State concerning the use of authorized law enforcement techniques. (3) Public disclosure.--No information shared with or provided to a State, tribal, or local government or government agency pursuant to this section shall be made publicly available pursuant to any State, tribal, or local law requiring disclosure of information or records. 
(g) Civil and Criminal Liability.-- (1) General protections.-- (A) Private entities.--No cause of action shall lie or be maintained in any court against any private entity for-- (i) the use of countermeasures and cybersecurity systems as authorized by this title; (ii) the use, receipt, or disclosure of any cyber threat information as authorized by this title; or (iii) the subsequent actions or inactions of any lawful recipient of cyber threat information provided by such private entity. (B) Entities.--No cause of action shall lie or be maintained in any court against any entity for-- (i) the use, receipt, or disclosure of any cyber threat information as authorized by this title; or (ii) the subsequent actions or inactions of any lawful recipient of cyber threat information provided by such entity. (2) Construction.--Nothing in this subsection shall be construed as creating any immunity against, or otherwise affecting, any action brought by the Federal government, or any agency or department thereof, to enforce any law, executive order, or procedure governing the appropriate handling, disclosure, and use of classified information. (h) Otherwise Lawful Disclosures.--Nothing in this section shall be construed to limit or prohibit otherwise lawful disclosures of communications, records, or other information by a private entity to any other governmental or private entity not covered under this section. (i) Whistleblower Protection.--Nothing in this Act shall be construed to preempt or preclude any employee from exercising rights currently provided under any whistleblower law, rule, or regulation. (j) Relationship to Other Laws.--The submission of cyber threat information under this section to a cybersecurity center shall not affect any requirement under any other provision of law for an entity to provide information to the Federal government. SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT. 
(a) Classified Information.-- (1) Procedures.--Consistent with the protection of intelligence sources and methods, and as otherwise determined appropriate, the Director of National Intelligence and the Secretary of Defense, in consultation with the heads of the appropriate Federal departments or agencies, shall develop and promulgate procedures to facilitate and promote-- (A) the immediate sharing, through the cybersecurity centers, of classified cyber threat information in the possession of the Federal government with appropriately cleared representatives of any appropriate entity; and (B) the declassification and immediate sharing, through the cybersecurity centers, with any entity or, if appropriate, public availability of cyber threat information in the possession of the Federal government; (2) Handling of classified information.--The procedures developed under paragraph (1) shall ensure that each entity receiving classified cyber threat information pursuant to this section has acknowledged in writing the ongoing obligation to comply with all laws, executive orders, and procedures concerning the appropriate handling, disclosure, or use of classified information. (b) Unclassified Cyber Threat Information.--The heads of each department or agency containing a cybersecurity center shall jointly develop and promulgate procedures that ensure that, consistent with the provisions of this section, unclassified, including controlled unclassified, cyber threat information in the possession of the Federal government-- (1) is shared, through the cybersecurity centers, in an immediate and adequate manner with appropriate entities; and (2) if appropriate, is made publicly available. (c) Development of Procedures.-- (1) In general.--The procedures developed under this section shall incorporate, to the greatest extent possible, existing processes utilized by sector specific information sharing and analysis centers. 
(2) Coordination with entities.--In developing the procedures required under this section, the Director of National Intelligence and the heads of each department or agency containing a cybersecurity center shall coordinate with appropriate entities to ensure that protocols are implemented that will facilitate and promote the sharing of cyber threat information by the Federal government. (d) Additional Responsibilities of Cybersecurity Centers.-- Consistent with section 102, a cybersecurity center shall-- (1) facilitate information sharing, interaction, and collaboration among and between cybersecurity centers and-- (A) other Federal entities; (B) any entity; and (C) international partners, in consultation with the Secretary of State; (2) disseminate timely and actionable cybersecurity threat, vulnerability, mitigation, and warning information, including alerts, advisories, indicators, signatures, and mitigation and response measures, to improve the security and protection of information systems; and (3) coordinate with other Federal entities, as appropriate, to integrate information from across the Federal government to provide situational awareness of the cybersecurity posture of the United States. (e) Sharing Within the Federal Government.--The heads of appropriate Federal departments and agencies shall ensure that cyber threat information in the possession of such Federal departments or agencies that relates to the prevention, investigation, or mitigation of threats to information security across the Federal government is shared effectively with the cybersecurity centers. (f) Submission to Congress.--Not later than 60 days after the date of enactment of this Act, the Director of National Intelligence, in coordination with the appropriate head of a department or an agency containing a cybersecurity center, shall submit the procedures required by this section to Congress. SEC. 104. CONSTRUCTION. 
(a) Information Sharing Relationships.--Nothing in this title shall be construed-- (1) to limit or modify an existing information sharing relationship; (2) to prohibit a new information sharing relationship; (3) to require a new information sharing relationship between any entity and the Federal government, except as specified under section 102(b); or (4) to modify the authority of a department or agency of the Federal government to protect sources and methods and the national security of the United States. (b) Anti-tasking Restriction.--Nothing in this title shall be construed to permit the Federal government-- (1) to require an entity to share information with the Federal government, except as expressly provided under section 102(b); or (2) to condition the sharing of cyber threat information with an entity on such entity's provision of cyber threat information to the Federal government. (c) No Liability for Non-participation.--Nothing in this title shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized under this title. (d) Use and Retention of Information.--Nothing in this title shall be construed to authorize, or to modify any existing authority of, a department or agency of the Federal government to retain or use any information shared under section 102 for any use other than a use permitted under subsection 102(c)(1). (e) No New Funding.--An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate. SEC. 105. REPORT ON IMPLEMENTATION. 
(a) Content of Report.--Not later than 1 year after the date of enactment of this Act, and biennially thereafter, the heads of each department or agency containing a cybersecurity center shall jointly submit, in coordination with the privacy and civil liberties officials of such departments or agencies and the Privacy and Civil Liberties Oversight Board, a detailed report to Congress concerning the implementation of this title, including-- (1) an assessment of the sufficiency of the procedures developed under section 103 of this Act in ensuring that cyber threat information in the possession of the Federal government is provided in an immediate and adequate manner to appropriate entities or, if appropriate, is made publicly available; (2) an assessment of whether information has been appropriately classified and an accounting of the number of security clearances authorized by the Federal government for purposes of this title; (3) a review of the type of cyber threat information shared with a cybersecurity center under section 102 of this Act, including whether such information meets the definition of cyber threat information under section 101, the degree to which such information may impact the privacy and civil liberties of individuals, any appropriate metrics to determine any impact of the sharing of such information with the Federal government on privacy and civil liberties, and the adequacy of any steps taken to reduce such impact; (4) a review of actions taken by the Federal government based on information provided to a cybersecurity center under section 102 of this Act, including the appropriateness of any subsequent use under section 102(c)(1) of this Act and whether there was inappropriate stovepiping within the Federal government of any such information; (5) a description of any violations of the requirements of this title by the Federal government; (6) a classified list of entities that received classified information from the Federal 
government under section 103 of this Act and a description of any indication that such information may not have been appropriately handled; (7) a summary of any breach of information security, if known, attributable to a specific failure by any entity or the Federal government to act on cyber threat information in the possession of such entity or the Federal government that resulted in substantial economic harm or injury to a specific entity or the Federal government; and (8) any recommendation for improvements or modifications to the authorities under this title. (b) Form of Report.--The report under subsection (a) shall be submitted in unclassified form, but shall include a classified annex. SEC. 106. INSPECTOR GENERAL REVIEW. (a) In General.--The Council of the Inspectors General on Integrity and Efficiency are authorized to review compliance by the cybersecurity centers, and by any Federal department or agency receiving cyber threat information from such cybersecurity centers, with the procedures required under section 102 of this Act. (b) Scope of Review.--The review under subsection (a) shall consider whether the Federal government has handled such cyber threat information in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title. (c) Report to Congress.--Each review conducted under this section shall be provided to Congress not later than 30 days after the date of completion of the review. SEC. 107. TECHNICAL AMENDMENTS. 
Section 552(b) of title 5, United States Code, is amended-- (1) in paragraph (8), by striking ``or''; (2) in paragraph (9), by striking ``wells.'' and inserting ``wells; or''; and (3) by adding at the end the following: ``(10) information shared with or provided to a cybersecurity center under section 102 of title I of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012.''. SEC. 108. ACCESS TO CLASSIFIED INFORMATION. (a) Authorization Required.--No person shall be provided with access to classified information (as defined in section 6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to classified national security information)) relating to cyber security threats or cyber security vulnerabilities under this title without the appropriate security clearances. (b) Security Clearances.--The appropriate Federal agencies or departments shall, consistent with applicable procedures and requirements, and if otherwise deemed appropriate, assist an individual in timely obtaining an appropriate security clearance where such individual has been determined to be eligible for such clearance and has a need-to-know (as defined in section 6.1 of that Executive Order) classified information to carry out this title. TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) In General.--Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following: ``SUBCHAPTER II--INFORMATION SECURITY ``Sec. 3551. 
Purposes ``The purposes of this subchapter are-- ``(1) to provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets; ``(2) to recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management of policies, directives, standards, and guidelines, as well as effective and nimble oversight of and response to information security risks, including coordination of information security efforts throughout the Federal civilian, national security, and law enforcement communities; ``(3) to provide for development and maintenance of controls required to protect agency information and information systems and contribute to the overall improvement of agency information security posture; ``(4) to provide for the development of tools and methods to assess and respond to real-time situational risk for Federal information system operations and assets; and ``(5) to provide a mechanism for improving agency information security programs through continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting. ``Sec. 3552. Definitions ``In this subchapter: ``(1) Adequate security.--The term `adequate security' means security commensurate with the risk and magnitude of the harm resulting from the unauthorized access to or loss, misuse, destruction, or modification of information. ``(2) Agency.--The term `agency' has the meaning given the term in section 3502 of title 44. 
``(3) Cybersecurity center.--The term `cybersecurity center' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center. ``(4) Cyber threat information.--The term `cyber threat information' means information that indicates or describes-- ``(A) a technical or operation vulnerability or a cyber threat mitigation measure; ``(B) an action or operation to mitigate a cyber threat; ``(C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat; ``(D) a method of defeating a technical control; ``(E) a method of defeating an operational control; ``(F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent; ``(G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control; ``(H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law; ``(I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or ``(J) any combination of subparagraphs (A) through (I). ``(5) Director.--The term `Director' means the Director of the Office of Management and Budget unless otherwise specified. 
``(6) Environment of operation.--The term `environment of operation' means the information system and environment in which those systems operate, including changing threats, vulnerabilities, technologies, and missions and business practices. ``(7) Federal information system.--The term `Federal information system' means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. ``(8) Incident.--The term `incident' means an occurrence that-- ``(A) actually or imminently jeopardizes the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits; or ``(B) constitutes a violation of law or an imminent threat of violation of a law, a security policy, a security procedure, or an acceptable use policy. ``(9) Information resources.--The term `information resources' has the meaning given the term in section 3502 of title 44. ``(10) Information security.--The term `information security' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide-- ``(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity; ``(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or ``(C) availability, by ensuring timely and reliable access to and use of information. ``(11) Information system.--The term `information system' has the meaning given the term in section 3502 of title 44. ``(12) Information technology.--The term `information technology' has the meaning given the term in section 11101 of title 40. 
``(13) Malicious reconnaissance.--The term `malicious reconnaissance' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat. ``(14) National security system.-- ``(A) In general.--The term `national security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency-- ``(i) the function, operation, or use of which-- ``(I) involves intelligence activities; ``(II) involves cryptologic activities related to national security; ``(III) involves command and control of military forces; ``(IV) involves equipment that is an integral part of a weapon or weapons system; or ``(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or ``(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. ``(B) Limitation.--Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). ``(15) Operational control.--The term `operational control' means a security control for an information system that primarily is implemented and executed by people. ``(16) Person.--The term `person' has the meaning given the term in section 3502 of title 44. ``(17) Secretary.--The term `Secretary' means the Secretary of Commerce unless otherwise specified. 
``(18) Security control.--The term `security control' means the management, operational, and technical controls, including safeguards or countermeasures, prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. ``(19) Significant cyber incident.--The term `significant cyber incident' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in-- ``(A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or ``(B) an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated. ``(20) Technical control.--The term `technical control' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system. ``Sec. 3553. 
Federal information security authority and coordination ``(a) In General.--The Secretary, in consultation with the Secretary of Homeland Security, shall-- ``(1) issue compulsory and binding policies and directives governing agency information security operations, and require implementation of such policies and directives, including-- ``(A) policies and directives consistent with the standards and guidelines promulgated under section 11331 of title 40 to identify and provide information security protections prioritized and commensurate with the risk and impact resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of-- ``(i) information collected or maintained by or on behalf of an agency; or ``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; ``(B) minimum operational requirements for Federal Government to protect agency information systems and provide common situational awareness across all agency information systems; ``(C) reporting requirements, consistent with relevant law, regarding information security incidents and cyber threat information; ``(D) requirements for agencywide information security programs; ``(E) performance requirements and metrics for the security of agency information systems; ``(F) training requirements to ensure that agencies are able to fully and timely comply with the policies and directives issued by the Secretary under this subchapter; ``(G) training requirements regarding privacy, civil rights, and civil liberties, and information oversight for agency information security personnel; ``(H) requirements for the annual reports to the Secretary under section 3554(d); ``(I) any other information security operations or information security requirements as determined by the Secretary in coordination with relevant agency heads; and ``(J) coordinating the development of standards and guidelines under section 20 of the 
National Institute of Standards and Technology Act (15 U.S.C. 278g-3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems; ``(2) review the agencywide information security programs under section 3554; and ``(3) designate an individual or an entity at each cybersecurity center, among other responsibilities-- ``(A) to receive reports and information about information security incidents, cyber threat information, and deterioration of security control affecting agency information systems; and ``(B) to act on or share the information under subparagraph (A) in accordance with this subchapter. ``(b) Considerations.--When issuing policies and directives under subsection (a), the Secretary shall consider any applicable standards or guidelines developed by the National Institute of Standards and Technology under section 11331 of title 40. ``(c) Limitation of Authority.--The authorities of the Secretary under this section shall not apply to national security systems. Information security policies, directives, standards and guidelines for national security systems shall be overseen as directed by the President and, in accordance with that direction, carried out under the authority of the heads of agencies that operate or exercise authority over such national security systems. ``(d) Statutory Construction.--Nothing in this subchapter shall be construed to alter or amend any law regarding the authority of any head of an agency over such agency. ``Sec. 3554. 
Agency responsibilities ``(a) In General.--The head of each agency shall-- ``(1) be responsible for-- ``(A) complying with the policies and directives issued under section 3553; ``(B) providing information security protections commensurate with the risk resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of-- ``(i) information collected or maintained by the agency or by a contractor of an agency or other organization on behalf of an agency; and ``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; ``(C) complying with the requirements of this subchapter, including-- ``(i) information security standards and guidelines promulgated under section 11331 of title 40; ``(ii) for any national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued as directed by the President; and ``(iii) for any non-national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued under section 3553; ``(D) ensuring that information security management processes are integrated with agency strategic and operational planning processes; ``(E) reporting and sharing, for an agency operating or exercising control of a national security system, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for national security systems issued as directed by the President; and ``(F) reporting and sharing, for those agencies operating or exercising control of non-national security systems, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated 
at each cybersecurity center and to other appropriate entities consistent with policies and directives for non-national security systems as prescribed under section 3553(a), including information to assist the entity designated under section 3555(a) with the ongoing security analysis under section 3555; ``(2) ensure that each senior agency official provides information security for the information and information systems that support the operations and assets under the senior agency official's control, including by-- ``(A) assessing the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems; ``(B) determining the level of information security appropriate to protect such information and information systems in accordance with policies and directives issued under section 3553(a), and standards and guidelines promulgated under section 11331 of title 40 for information security classifications and related requirements; ``(C) implementing policies, procedures, and capabilities to reduce risks to an acceptable level in a cost-effective manner; ``(D) actively monitoring the effective implementation of information security controls and techniques; and ``(E) reporting information about information security incidents, cyber threat information, and deterioration of security controls in a timely and adequate manner to the entity designated under section 3553(a)(3) in accordance with paragraph (1); ``(3) assess and maintain the resiliency of information technology systems critical to agency mission and operations; ``(4) designate the agency Inspector General (or an independent entity selected in consultation with the Director and the Council of Inspectors General on Integrity and Efficiency if the agency does not have an Inspector General) to conduct the annual independent evaluation required under section 3556, and allow the agency Inspector General to 
contract with an independent entity to perform such evaluation; ``(5) delegate to the Chief Information Officer or equivalent (or to a senior agency official who reports to the Chief Information Officer or equivalent)-- ``(A) the authority and primary responsibility to implement an agencywide information security program; and ``(B) the authority to provide information security for the information collected and maintained by the agency (or by a contractor, other agency, or other source on behalf of the agency) and for the information systems that support the operations, assets, and mission of the agency (including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency); ``(6) delegate to the appropriate agency official (who is responsible for a particular agency system or subsystem) the responsibility to ensure and enforce compliance with all requirements of the agency's agencywide information security program in coordination with the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5); ``(7) ensure that an agency has trained personnel who have obtained any necessary security clearances to permit them to assist the agency in complying with this subchapter; ``(8) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5), in coordination with other senior agency officials, reports to the agency head on the effectiveness of the agencywide information security program, including the progress of any remedial actions; and ``(9) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5) has the necessary qualifications to administer the functions described in this subchapter and has information security 
duties as a primary duty of that official. ``(b) Chief Information Officers.--Each Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under subsection (a)(5) shall-- ``(1) establish and maintain an enterprise security operations capability that on a continuous basis-- ``(A) detects, reports, contains, mitigates, and responds to information security incidents that impair adequate security of the agency's information or information system in a timely manner and in accordance with the policies and directives under section 3553; and ``(B) reports any information security incident under subparagraph (A) to the entity designated under section 3555; ``(2) develop, maintain, and oversee an agencywide information security program; ``(3) develop, maintain, and oversee information security policies, procedures, and control techniques to address applicable requirements, including requirements under section 3553 of this title and section 11331 of title 40; and ``(4) train and oversee the agency personnel who have significant responsibility for information security with respect to that responsibility. 
``(c) Agencywide Information Security Programs.-- ``(1) In general.--Each agencywide information security program under subsection (b)(2) shall include-- ``(A) relevant security risk assessments, including technical assessments and others related to the acquisition process; ``(B) security testing commensurate with risk and impact; ``(C) mitigation of deterioration of security controls commensurate with risk and impact; ``(D) risk-based continuous monitoring and threat assessment of the operational status and security of agency information systems to enable evaluation of the effectiveness of and compliance with information security policies, procedures, and practices, including a relevant and appropriate selection of security controls of information systems identified in the inventory under section 3505(c); ``(E) operation of appropriate technical capabilities in order to detect, mitigate, report, and respond to information security incidents, cyber threat information, and deterioration of security controls in a manner that is consistent with the policies and directives under section 3553, including-- ``(i) mitigating risks associated with such information security incidents; ``(ii) notifying and consulting with the entity designated under section 3555; and ``(iii) notifying and consulting with, as appropriate-- ``(I) law enforcement and the relevant Office of the Inspector General; and ``(II) any other entity, in accordance with law and as directed by the President; ``(F) a process to ensure that remedial action is taken to address any deficiencies in the information security policies, procedures, and practices of the agency; and ``(G) a plan and procedures to ensure the continuity of operations for information systems that support the operations and assets of the agency. 
``(2) Risk management strategies.--Each agencywide information security program under subsection (b)(2) shall include the development and maintenance of a risk management strategy for information security. The risk management strategy shall include-- ``(A) consideration of information security incidents, cyber threat information, and deterioration of security controls; and ``(B) consideration of the consequences that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency; ``(3) Policies and procedures.--Each agencywide information security program under subsection (b)(2) shall include policies and procedures that-- ``(A) are based on the risk management strategy under paragraph (2); ``(B) reduce information security risks to an acceptable level in a cost-effective manner; ``(C) ensure that cost-effective and adequate information security is addressed as part of the acquisition and ongoing management of each agency information system; and ``(D) ensure compliance with-- ``(i) this subchapter; and ``(ii) any other applicable requirements. ``(4) Training requirements.--Each agencywide information security program under subsection (b)(2) shall include information security, privacy, civil rights, civil liberties, and information oversight training that meets any applicable requirements under section 3553. 
The training shall inform each information security personnel that has access to agency information systems (including contractors and other users of information systems that support the operations and assets of the agency) of-- ``(A) the information security risks associated with the information security personnel's activities; and ``(B) the individual's responsibility to comply with the agency policies and procedures that reduce the risks under subparagraph (A). ``(d) Annual Report.--Each agency shall submit a report annually to the Secretary of Homeland Security on its agencywide information security program and information systems. ``Sec. 3555. Multiagency ongoing threat assessment ``(a) Implementation.--The Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, shall designate an entity to implement ongoing security analysis concerning agency information systems-- ``(1) based on cyber threat information; ``(2) based on agency information system and environment of operation changes, including-- ``(A) an ongoing evaluation of the information system security controls; and ``(B) the security state, risk level, and environment of operation of an agency information system, including-- ``(i) a change in risk level due to a new cyber threat; ``(ii) a change resulting from a new technology; ``(iii) a change resulting from the agency's mission; and ``(iv) a change resulting from the business practice; and ``(3) using automated processes to the maximum extent possible-- ``(A) to increase information system security; ``(B) to reduce paper-based reporting requirements; and ``(C) to maintain timely and actionable knowledge of the state of the information system security. ``(b) Standards.--The National Institute of Standards and Technology may promulgate standards, in coordination with the Secretary of Homeland Security, to assist an agency with its duties under this section. 
``(c) Compliance.--The head of each appropriate department and agency shall be responsible for ensuring compliance and implementing necessary procedures to comply with this section. The head of each appropriate department and agency, in consultation with the Director of the Office of Management and Budget and the Secretary of Homeland Security, shall-- ``(1) monitor compliance under this section; ``(2) develop a timeline and implement for the department or agency-- ``(A) adoption of any technology, system, or method that facilitates continuous monitoring and threat assessments of an agency information system; ``(B) adoption or updating of any technology, system, or method that prevents, detects, or remediates a significant cyber incident to a Federal information system of the department or agency that has impeded, or is reasonably likely to impede, the performance of a critical mission of the department or agency; and ``(C) adoption of any technology, system, or method that satisfies a requirement under this section. ``(d) Limitation of Authority.--The authorities of the Director of the Office of Management and Budget and of the Secretary of Homeland Security under this section shall not apply to national security systems. ``(e) Report.--Not later than 6 months after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Government Accountability Office shall issue a report evaluating each agency's status toward implementing this section. ``Sec. 3556. 
Independent evaluations ``(a) In General.--The Council of the Inspectors General on Integrity and Efficiency, in consultation with the Director and the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense, shall issue and maintain criteria for the timely, cost-effective, risk-based, and independent evaluation of each agencywide information security program (and practices) to determine the effectiveness of the agencywide information security program (and practices). The criteria shall include measures to assess any conflicts of interest in the performance of the evaluation and whether the agencywide information security program includes appropriate safeguards against disclosure of information where such disclosure may adversely affect information security. ``(b) Annual Independent Evaluations.--Each agency shall perform an annual independent evaluation of its agencywide information security program (and practices) in accordance with the criteria under subsection (a). ``(c) Distribution of Reports.--Not later than 30 days after receiving an independent evaluation under subsection (b), each agency head shall transmit a copy of the independent evaluation to the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense. ``(d) National Security Systems.--Evaluations involving national security systems shall be conducted as directed by the President. ``Sec. 3557. National security systems. 
``The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency-- ``(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; and ``(2) implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President.''. (b) Savings Provisions.-- (1) Policy and compliance guidance.--Policy and compliance guidance issued by the Director before the date of enactment of this Act under section 3543(a)(1) of title 44, United States Code (as in effect on the day before the date of enactment of this Act), shall continue in effect, according to its terms, until modified, terminated, superseded, or repealed pursuant to section 3553(a)(1) of title 44, United States Code. (2) Standards and guidelines.--Standards and guidelines issued by the Secretary of Commerce or by the Director before the date of enactment of this Act under section 11331(a)(1) of title 40, United States Code, (as in effect on the day before the date of enactment of this Act) shall continue in effect, according to their terms, until modified, terminated, superseded, or repealed pursuant to section 11331(a)(1) of title 40, United States Code, as amended by this Act. (c) Technical and Conforming Amendments.-- (1) Chapter analysis.--The chapter analysis for chapter 35 of title 44, United States Code, is amended-- (A) by striking the items relating to sections 3531 through 3538; (B) by striking the items relating to sections 3541 through 3549; and (C) by inserting the following: ``3551. Purposes. ``3552. Definitions. ``3553. Federal information security authority and coordination. ``3554. Agency responsibilities. ``3555. 
Multiagency ongoing threat assessment. ``3556. Independent evaluations. ``3557. National security systems.''. (2) Other references.-- (A) Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 3532(3)'' and inserting ``section 3552''. (B) Section 2222(j)(5) of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (C) Section 2223(c)(3) of title 10, United States Code, is amended, by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (D) Section 2315 of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (E) Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended-- (i) in subsection (a)(2), by striking ``section 3532(b)(2)'' and inserting ``section 3552''; (ii) in subsection (c)(3), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (iii) in subsection (d)(1), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (iv) in subsection (d)(8) by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (v) in subsection (d)(8), by striking ``submitted to the Director'' and inserting ``submitted to the Secretary''; (vi) in subsection (e)(2), by striking ``section 3532(1) of such title'' and inserting ``section 3552 of title 44''; and (vii) in subsection (e)(5), by striking ``section 3532(b)(2) of such title'' and inserting ``section 3552 of title 44''. (F) Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking ``section 3534(b)'' and inserting ``section 3554(b)(2)''. SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY. (a) In General.--Section 11331 of title 40, United States Code, is amended to read as follows: ``Sec. 11331. 
Responsibilities for Federal information systems standards ``(a) Standards and Guidelines.-- ``(1) Authority to prescribe.--Except as provided under paragraph (2), the Secretary of Commerce shall prescribe standards and guidelines pertaining to Federal information systems-- ``(A) in consultation with the Secretary of Homeland Security; and ``(B) on the basis of standards and guidelines developed by the National Institute of Standards and Technology under paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)(2) and (a)(3)). ``(2) National security systems.--Standards and guidelines for national security systems shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President. ``(b) Mandatory Standards and Guidelines.-- ``(1) Authority to make mandatory standards and guidelines.--The Secretary of Commerce shall make standards and guidelines under subsection (a)(1) compulsory and binding to the extent determined necessary by the Secretary of Commerce to improve the efficiency of operation or security of Federal information systems. ``(2) Required mandatory standards and guidelines.-- ``(A) In general.--Standards and guidelines under subsection (a)(1) shall include information security standards that-- ``(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)); and ``(ii) are otherwise necessary to improve the security of Federal information and information systems. ``(B) Binding effect.--Information security standards under subparagraph (A) shall be compulsory and binding. ``(c) Exercise of Authority.--To ensure fiscal and policy consistency, the Secretary of Commerce shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director. 
``(d) Application of More Stringent Standards and Guidelines.--The head of an executive agency may employ standards for the cost-effective information security for information systems within or under the supervision of that agency that are more stringent than the standards and guidelines the Secretary of Commerce prescribes under this section if the more stringent standards and guidelines-- ``(1) contain at least the applicable standards and guidelines made compulsory and binding by the Secretary of Commerce; and ``(2) are otherwise consistent with the policies, directives, and implementation memoranda issued under section 3553(a) of title 44. ``(e) Decisions on Promulgation of Standards and Guidelines.--The decision by the Secretary of Commerce regarding the promulgation of any standard or guideline under this section shall occur not later than 6 months after the date of submission of the proposed standard to the Secretary of Commerce by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3). ``(f) Notice and Comment.--A decision by the Secretary of Commerce to significantly modify, or not promulgate, a proposed standard submitted to the Secretary by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) shall be made after the public is given an opportunity to comment on the Secretary's proposed decision. ``(g) Definitions.--In this section: ``(1) Federal information system.--The term `Federal information system' has the meaning given the term in section 3552 of title 44. ``(2) Information security.--The term `information security' has the meaning given the term in section 3552 of title 44. ``(3) National security system.--The term `national security system' has the meaning given the term in section 3552 of title 44.''. SEC. 203. NO NEW FUNDING. 
An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate. SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS. Section 21(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-4(b)) is amended-- (1) in paragraph (2), by striking ``and the Director of the Office of Management and Budget'' and inserting ``, the Secretary of Commerce, and the Secretary of Homeland Security''; and (2) in paragraph (3), by inserting ``, the Secretary of Homeland Security,'' after ``the Secretary of Commerce''. SEC. 205. CLARIFICATION OF AUTHORITIES. Nothing in this title shall be construed to convey any new regulatory authority to any government entity implementing or complying with any provision of this title. TITLE III--CRIMINAL PENALTIES SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS. Section 1030(c) of title 18, United States Code, is amended to read as follows: ``(c) The punishment for an offense under subsection (a) or (b) of this section is-- ``(1) a fine under this title or imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(1) of this section; ``(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than 3 years, or both, in the case of an offense under subsection (a)(2); or ``(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2) of this section, if-- ``(i) the offense was committed for purposes of commercial advantage or private financial gain; ``(ii) the offense was committed in the furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States, or of any State; or ``(iii) the value of the information obtained, or that would have been obtained if the offense was 
completed, exceeds $5,000; ``(3) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(3) of this section; ``(4) a fine under this title or imprisonment of not more than 20 years, or both, in the case of an offense under subsection (a)(4) of this section; ``(5)(A) except as provided in subparagraph (C), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A) of this section, if the offense caused-- ``(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; ``(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; ``(iii) physical injury to any person; ``(iv) a threat to public health or safety; ``(v) damage affecting a computer used by, or on behalf of, an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or ``(vi) damage affecting 10 or more protected computers during any 1-year period; ``(B) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(B), if the offense caused a harm provided in clause (i) through (vi) of subparagraph (A) of this subsection; ``(C) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; ``(D) a fine under this title, imprisonment for not more than 10 years, or both, for any other offense under subsection (a)(5); ``(E) a fine under this title or imprisonment for not 
more than 10 years, or both, in the case of an offense under subsection (a)(6) of this section; or ``(F) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(7) of this section.''. SEC. 302. TRAFFICKING IN PASSWORDS. Section 1030(a)(6) of title 18, United States Code, is amended to read as follows: ``(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information or means of access through which a protected computer (as defined in subparagraphs (A) and (B) of subsection (e)(2)) may be accessed without authorization.''. SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES. Section 1030(b) of title 18, United States Code, is amended by inserting ``as if for the completed offense'' after ``punished as provided''. SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS. Section 1030 of title 18, United States Code, is amended by striking subsections (i) and (j) and inserting the following: ``(i) Criminal Forfeiture.-- ``(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States-- ``(A) such person's interest in any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of such violation; and ``(B) any property, real or personal, constituting or derived from any gross proceeds, or any property traceable to such property, that such person obtained, directly or indirectly, as a result of such violation. 
``(2) The criminal forfeiture of property under this subsection, including any seizure and disposition of the property, and any related judicial or administrative proceeding, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section. ``(j) Civil Forfeiture.-- ``(1) The following shall be subject to forfeiture to the United States and no property right, real or personal, shall exist in them: ``(A) Any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of any violation of this section, or a conspiracy to violate this section. ``(B) Any property, real or personal, constituting or derived from any gross proceeds obtained directly or indirectly, or any property traceable to such property, as a result of the commission of any violation of this section, or a conspiracy to violate this section. ``(2) Seizures and forfeitures under this subsection shall be governed by the provisions in chapter 46 relating to civil forfeitures, except that such duties as are imposed on the Secretary of the Treasury under the customs laws described in section 981(d) shall be performed by such officers, agents and other persons as may be designated for that purpose by the Secretary of Homeland Security or the Attorney General.''. SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS. (a) In General.--Chapter 47 of title 18, United States Code, is amended by inserting after section 1030 the following: ``Sec. 1030A. 
Aggravated damage to a critical infrastructure computer ``(a) Definitions.--In this section-- ``(1) the term `computer' has the meaning given the term in section 1030; ``(2) the term `critical infrastructure computer' means a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated, including-- ``(A) oil and gas production, storage, conversion, and delivery systems; ``(B) water supply systems; ``(C) telecommunication networks; ``(D) electrical power generation and delivery systems; ``(E) finance and banking systems; ``(F) emergency services; ``(G) transportation systems and services; and ``(H) government operations that provide essential services to the public; and ``(3) the term `damage' has the meaning given the term in section 1030. ``(b) Offense.--It shall be unlawful, during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer if the damage results in (or, in the case of an attempt, if completed, would have resulted in) the substantial impairment-- ``(1) of the operation of the critical infrastructure computer; or ``(2) of the critical infrastructure associated with the computer. ``(c) Penalty.--Any person who violates subsection (b) shall be-- ``(1) fined under this title; ``(2) imprisoned for not less than 3 years but not more than 20 years; or ``(3) penalized under paragraphs (1) and (2). 
``(d) Consecutive Sentence.--Notwithstanding any other provision of law-- ``(1) a court shall not place on probation any person convicted of a violation of this section; ``(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment, including any term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for a felony violation of section 1030; ``(3) in determining any term of imprisonment to be imposed for a felony violation of section 1030, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and ``(4) a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section, provided that such discretion shall be exercised in accordance with any applicable guidelines and policy statements issued by the United States Sentencing Commission pursuant to section 994 of title 28.''. (b) Technical and Conforming Amendment.--The chapter analysis for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1030 the following: [[Page S5552]] ``1030A. Aggravated damage to a critical infrastructure computer.''. SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE. 
Section 1030(e)(6) of title 18, United States Code, is amended by striking ``alter;'' and inserting ``alter, but does not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized;''. SEC. 307. NO NEW FUNDING. An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate. TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM PLANNING AND COORDINATION. (a) Goals and Priorities.--Section 101 of the High- Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following: ``(d) Goals and Priorities.--The goals and priorities for Federal high-performance computing research, development, networking, and other activities under subsection (a)(2)(A) shall include-- ``(1) encouraging and supporting mechanisms for interdisciplinary research and development in networking and information technology, including-- ``(A) through collaborations across agencies; ``(B) through collaborations across Program Component Areas; ``(C) through collaborations with industry; ``(D) through collaborations with institutions of higher education; ``(E) through collaborations with Federal laboratories (as defined in section 4 of the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3703)); and ``(F) through collaborations with international organizations; ``(2) addressing national, multi-agency, multi-faceted challenges of national importance; and ``(3) fostering the transfer of research and development results into new technologies and applications for the benefit of society.''. 
(b) Development of Strategic Plan.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following: ``(e) Strategic Plan.-- ``(1) In general.--Not later than 1 year after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the agencies under subsection (a)(3)(B), working through the National Science and Technology Council and with the assistance of the Office of Science and Technology Policy shall develop a 5-year strategic plan to guide the activities under subsection (a)(1). ``(2) Contents.--The strategic plan shall specify-- ``(A) the near-term objectives for the Program; ``(B) the long-term objectives for the Program; ``(C) the anticipated time frame for achieving the near- term objectives; ``(D) the metrics that will be used to assess any progress made toward achieving the near-term objectives and the long- term objectives; and ``(E) how the Program will achieve the goals and priorities under subsection (d). ``(3) Implementation roadmap.-- ``(A) In general.--The agencies under subsection (a)(3)(B) shall develop and annually update an implementation roadmap for the strategic plan. ``(B) Requirements.--The information in the implementation roadmap shall be coordinated with the database under section 102(c) and the annual report under section 101(a)(3). 
The implementation roadmap shall-- ``(i) specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated, with consideration of any relevant recommendations of the advisory committee; ``(ii) specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year; and ``(iii) estimate the funding required for each major research objective of the strategic plan for the next 3 fiscal years. ``(4) Recommendations.--The agencies under subsection (a)(3)(B) shall take into consideration when developing the strategic plan under paragraph (1) the recommendations of-- ``(A) the advisory committee under subsection (b); and ``(B) the stakeholders under section 102(a)(3). ``(5) Report to congress.--The Director of the Office of Science and Technology Policy shall transmit the strategic plan under this subsection, including the implementation roadmap and any updates under paragraph (3), to-- ``(A) the advisory committee under subsection (b); ``(B) the Committee on Commerce, Science, and Transportation of the Senate; and ``(C) the Committee on Science and Technology of the House of Representatives.''. (c) Periodic Reviews.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following: ``(f) Periodic Reviews.--The agencies under subsection (a)(3)(B) shall-- ``(1) periodically assess the contents and funding levels of the Program Component Areas and restructure the Program when warranted, taking into consideration any relevant recommendations of the advisory committee under subsection (b); and ``(2) ensure that the Program includes national, multi- agency, multi-faceted research and development activities, including activities described in section 104.''. 
(d) Additional Responsibilities of Director.--Section 101(a)(2) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(2)) is amended-- (1) by redesignating subparagraphs (E) and (F) as subparagraphs (G) and (H), respectively; and (2) by inserting after subparagraph (D) the following: ``(E) encourage and monitor the efforts of the agencies participating in the Program to allocate the level of resources and management attention necessary-- ``(i) to ensure that the strategic plan under subsection (e) is developed and executed effectively; and ``(ii) to ensure that the objectives of the Program are met; ``(F) working with the Office of Management and Budget and in coordination with the creation of the database under section 102(c), direct the Office of Science and Technology Policy and the agencies participating in the Program to establish a mechanism (consistent with existing law) to track all ongoing and completed research and development projects and associated funding;''. (e) Advisory Committee.--Section 101(b) of the High- Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is amended-- (1) in paragraph (1)-- (A) by inserting after the first sentence the following: ``The co-chairs of the advisory committee shall meet the qualifications of committee members and may be members of the President's Council of Advisors on Science and Technology.''; and (B) by striking ``high-performance'' in subparagraph (D) and inserting ``high-end''; and (2) by amending paragraph (2) to read as follows: ``(2) In addition to the duties under paragraph (1), the advisory committee shall conduct periodic evaluations of the funding, management, coordination, implementation, and activities of the Program. The advisory committee shall report its findings and recommendations not less frequently than once every 3 fiscal years to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives. 
The report shall be submitted in conjunction with the update of the strategic plan.''. (f) Report.--Section 101(a)(3) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended-- (1) in subparagraph (C)-- (A) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and (B) by striking ``each Program Component Area'' and inserting ``each Program Component Area and each research area supported in accordance with section 104''; (2) in subparagraph (D)-- (A) by striking ``each Program Component Area,'' and inserting ``each Program Component Area and each research area supported in accordance with section 104,''; (B) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and (C) by striking ``and'' after the semicolon; (3) by redesignating subparagraph (E) as subparagraph (G); and (4) by inserting after subparagraph (D) the following: ``(E) include a description of how the objectives for each Program Component Area, and the objectives for activities that involve multiple Program Component Areas, relate to the objectives of the Program identified in the strategic plan under subsection (e); ``(F) include-- ``(i) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the next fiscal year by category of activity; ``(ii) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the current fiscal year by category of activity; and ``(iii) the amount of funding provided for the Office of Science and Technology Policy for the current fiscal year by each agency participating in the Program; and''. (g) Definitions.--Section 4 of the High-Performance Computing Act of 1991 (15 U.S.C. 
5503) is amended-- (1) by redesignating paragraphs (1) and (2) as paragraphs (2) and (3), respectively; (2) by redesignating paragraph (3) as paragraph (6); (3) by redesignating paragraphs (6) and (7) as paragraphs (7) and (8), respectively; (4) by inserting before paragraph (2), as redesignated, the following: ``(1) `cyber-physical systems' means physical or engineered systems whose networking [[Page S5553]] and information technology functions and physical elements are deeply integrated and are actively connected to the physical world through sensors, actuators, or other means to perform monitoring and control functions;''; (5) in paragraph (3), as redesignated, by striking ``high- performance computing'' and inserting ``networking and information technology''; (6) in paragraph (6), as redesignated-- (A) by striking ``high-performance computing'' and inserting ``networking and information technology''; and (B) by striking ``supercomputer'' and inserting ``high-end computing''; (7) in paragraph (5), by striking ``network referred to as'' and all that follows through the semicolon and inserting ``network, including advanced computer networks of Federal agencies and departments''; and (8) in paragraph (7), as redesignated, by striking ``National High-Performance Computing Program'' and inserting ``networking and information technology research and development program''. SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE. (a) Research in Areas of National Importance.--Title I of the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et seq.) is amended by adding at the end the following: ``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE. 
``(a) In General.--The Program shall encourage agencies under section 101(a)(3)(B) to support, maintain, and improve national, multi-agency, multi-faceted, research and development activities in networking and information technology directed toward application areas that have the potential for significant contributions to national economic competitiveness and for other significant societal benefits. ``(b) Technical Solutions.--An activity under subsection (a) shall be designed to advance the development of research discoveries by demonstrating technical solutions to important problems in areas including-- ``(1) cybersecurity; ``(2) health care; ``(3) energy management and low-power systems and devices; ``(4) transportation, including surface and air transportation; ``(5) cyber-physical systems; ``(6) large-scale data analysis and modeling of physical phenomena; ``(7) large-scale data analysis and modeling of behavioral phenomena; ``(8) supply chain quality and security; and ``(9) privacy protection and protected disclosure of confidential data. ``(c) Recommendations.--The advisory committee under section 101(b) shall make recommendations to the Program for candidate research and development areas for support under this section. 
``(d) Characteristics.-- ``(1) In general.--Research and development activities under this section-- ``(A) shall include projects selected on the basis of applications for support through a competitive, merit-based process; ``(B) shall leverage, when possible, Federal investments through collaboration with related State initiatives; ``(C) shall include a plan for fostering the transfer of research discoveries and the results of technology demonstration activities, including from institutions of higher education and Federal laboratories, to industry for commercial development; ``(D) shall involve collaborations among researchers in institutions of higher education and industry; and ``(E) may involve collaborations among nonprofit research institutions and Federal laboratories, as appropriate. ``(2) Cost-sharing.--In selecting applications for support, the agencies under section 101(a)(3)(B) shall give special consideration to projects that include cost sharing from non- Federal sources. ``(3) Multidisciplinary research centers.--Research and development activities under this section shall be supported through multidisciplinary research centers, including Federal laboratories, that are organized to investigate basic research questions and carry out technology demonstration activities in areas described in subsection (a). Research may be carried out through existing multidisciplinary centers, including those authorized under section 7024(b)(2) of the America COMPETES Act (42 U.S.C. 1862o-10(2)).''. (b) Cyber-Physical Systems.--Section 101(a)(1) of the High- Performance Computing Act of 1991 (15 U.S.C. 
5511(a)(1)) is amended-- (1) in subparagraph (H), by striking ``and'' after the semicolon; (2) in subparagraph (I), by striking the period at the end and inserting a semicolon; and (3) by adding at the end the following: ``(J) provide for increased understanding of the scientific principles of cyber-physical systems and improve the methods available for the design, development, and operation of cyber-physical systems that are characterized by high reliability, safety, and security; and ``(K) provide for research and development on human- computer interactions, visualization, and big data.''. (c) Task Force.--Title I of the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 402(a) of this Act, is amended by adding at the end the following: ``SEC. 105. TASK FORCE. ``(a) Establishment.--Not later than 180 days after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Director of the Office of Science and Technology Policy under section 102 shall convene a task force to explore mechanisms for carrying out collaborative research and development activities for cyber-physical systems (including the related technologies required to enable these systems) through a consortium or other appropriate entity with participants from institutions of higher education, Federal laboratories, and industry. 
``(b) Functions.--The task force shall-- ``(1) develop options for a collaborative model and an organizational structure for such entity under which the joint research and development activities could be planned, managed, and conducted effectively, including mechanisms for the allocation of resources among the participants in such entity for support of such activities; ``(2) propose a process for developing a research and development agenda for such entity, including guidelines to ensure an appropriate scope of work focused on nationally significant challenges and requiring collaboration and to ensure the development of related scientific and technological milestones; ``(3) define the roles and responsibilities for the participants from institutions of higher education, Federal laboratories, and industry in such entity; ``(4) propose guidelines for assigning intellectual property rights and for transferring research results to the private sector; and ``(5) make recommendations for how such entity could be funded from Federal, State, and non-governmental sources. ``(c) Composition.--In establishing the task force under subsection (a), the Director of the Office of Science and Technology Policy shall appoint an equal number of individuals from institutions of higher education and from industry with knowledge and expertise in cyber-physical systems, and may appoint not more than 2 individuals from Federal laboratories. ``(d) Report.--Not later than 1 year after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Director of the Office of Science and Technology Policy shall transmit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives a report describing the findings and recommendations of the task force. 
``(e) Termination.--The task force shall terminate upon transmittal of the report required under subsection (d). ``(f) Compensation and Expenses.--Members of the task force shall serve without compensation.''. SEC. 403. PROGRAM IMPROVEMENTS. Section 102 of the High-Performance Computing Act of 1991 (15 U.S.C. 5512) is amended to read as follows: ``SEC. 102. PROGRAM IMPROVEMENTS. ``(a) Functions.--The Director of the Office of Science and Technology Policy shall continue-- ``(1) to provide technical and administrative support to-- ``(A) the agencies participating in planning and implementing the Program, including support needed to develop the strategic plan under section 101(e); and ``(B) the advisory committee under section 101(b); ``(2) to serve as the primary point of contact on Federal networking and information technology activities for government agencies, academia, industry, professional societies, State computing and networking technology programs, interested citizen groups, and others to exchange technical and programmatic information; ``(3) to solicit input and recommendations from a wide range of stakeholders during the development of each strategic plan under section 101(e) by convening at least 1 workshop with invitees from academia, industry, Federal laboratories, and other relevant organizations and institutions; ``(4) to conduct public outreach, including the dissemination of the advisory committee's findings and recommendations, as appropriate; ``(5) to promote access to and early application of the technologies, innovations, and expertise derived from Program activities to agency missions and systems across the Federal Government and to United States industry; ``(6) to ensure accurate and detailed budget reporting of networking and information technology research and development investment; and ``(7) to encourage agencies participating in the Program to use existing programs and resources to strengthen networking and information technology 
education and training, and increase participation in such fields, including by women and underrepresented minorities. ``(b) Source of Funding.-- ``(1) In general.--The functions under this section shall be supported by funds from each agency participating in the Program. ``(2) Specifications.--The portion of the total budget of the Office of Science and Technology Policy that is provided by each agency participating in the Program for each [[Page S5554]] fiscal year shall be in the same proportion as each agency's share of the total budget for the Program for the previous fiscal year, as specified in the database under section 102(c). ``(c) Database.-- ``(1) In general.--The Director of the Office of Science and Technology Policy shall develop and maintain a database of projects funded by each agency for the fiscal year for each Program Component Area. ``(2) Public accessibility.--The Director of the Office of Science and Technology Policy shall make the database accessible to the public. ``(3) Database contents.--The database shall include, for each project in the database-- ``(A) a description of the project; ``(B) each agency, industry, institution of higher education, Federal laboratory, or international institution involved in the project; ``(C) the source funding of the project (set forth by agency); ``(D) the funding history of the project; and ``(E) whether the project has been completed.''. SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION TECHNOLOGY, INCLUDING HIGH PERFORMANCE COMPUTING. Section 201(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 
5521(a)) is amended-- (1) by redesignating paragraphs (2) through (4) as paragraphs (3) through (5), respectively; and (2) by inserting after paragraph (1) the following: ``(2) the National Science Foundation shall use its existing programs, in collaboration with other agencies, as appropriate, to improve the teaching and learning of networking and information technology at all levels of education and to increase participation in networking and information technology fields;''. SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH- PERFORMANCE COMPUTING ACT OF 1991. (a) Section 3.--Section 3 of the High-Performance Computing Act of 1991 (15 U.S.C. 5502) is amended-- (1) in the matter preceding paragraph (1), by striking ``high-performance computing'' and inserting ``networking and information technology''; (2) in paragraph (1)-- (A) in the matter preceding subparagraph (A), by striking ``high-performance computing'' and inserting ``networking and information technology''; (B) in subparagraphs (A), (F), and (G), by striking ``high- performance computing'' each place it appears and inserting ``networking and information technology''; and (C) in subparagraph (H), by striking ``high-performance'' and inserting ``high-end''; and (3) in paragraph (2)-- (A) by striking ``high-performance computing and'' and inserting ``networking and information technology, and''; and (B) by striking ``high-performance computing network'' and inserting ``networking and information technology''. (b) Title Heading.--The heading of title I of the High- Performance Computing Act of 1991 (105 Stat. 1595) is amended by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting ``NETWORKING AND INFORMATION TECHNOLOGY''. (c) Section 101.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 
5511) is amended-- (1) in the section heading, by striking ``high-performance computing'' and inserting ``networking and information technology research and development''; (2) in subsection (a)-- (A) in the subsection heading, by striking ``National High- Performance Computing'' and inserting ``Networking and Information Technology Research and Development''; (B) in paragraph (1)-- (i) by striking ``National High-Performance Computing Program'' and inserting ``networking and information technology research and development program''; (ii) in subparagraph (A), by striking ``high-performance computing, including networking'' and inserting ``networking and information technology''; (iii) in subparagraphs (B) and (G), by striking ``high- performance'' each place it appears and inserting ``high- end''; and (iv) in subparagraph (C), by striking ``high-performance computing and networking'' and inserting ``high-end computing, distributed, and networking''; and (C) in paragraph (2)-- (i) in subparagraphs (A) and (C)-- (I) by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and (II) by striking ``development, networking,'' each place it appears and inserting ``development,''; and (ii) in subparagraphs (G) and (H), as redesignated by section 401(d) of this Act, by striking ``high-performance'' each place it appears and inserting ``high-end''; (3) in subsection (b)(1), in the matter preceding subparagraph (A), by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and (4) in subsection (c)(1)(A), by striking ``high-performance computing'' and inserting ``networking and information technology''. (d) Section 201.--Section 201(a)(1) of the High-Performance Computing Act of 1991 (15 U.S.C. 
5521(a)(1)) is amended by striking ``high-performance computing and advanced high-speed computer networking'' and inserting ``networking and information technology research and development''. (e) Section 202.--Section 202(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by striking ``high-performance computing'' and inserting ``networking and information technology''. (f) Section 203.--Section 203(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5523(a)) is amended-- (1) in paragraph (1), by striking ``high-performance computing and networking'' and inserting ``networking and information technology''; and (2) in paragraph (2)(A), by striking ``high-performance'' and inserting ``high-end''. (g) Section 204.--Section 204 of the High-Performance Computing Act of 1991 (15 U.S.C. 5524) is amended-- (1) in subsection (a)(1)-- (A) in subparagraph (A), by striking ``high-performance computing systems and networks'' and inserting ``networking and information technology systems and capabilities''; (B) in subparagraph (B), by striking ``interoperability of high-performance computing systems in networks and for common user interfaces to systems'' and inserting ``interoperability and usability of networking and information technology systems''; and (C) in subparagraph (C), by striking ``high-performance computing'' and inserting ``networking and information technology''; and (2) in subsection (b)-- (A) by striking ``High-Performance Computing and Network'' in the heading and inserting ``Networking and Information Technology''; and (B) by striking ``sensitive''. (h) Section 205.--Section 205(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by striking ``computational'' and inserting ``networking and information technology''. (i) Section 206.--Section 206(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 
5526(a)) is amended by striking ``computational research'' and inserting ``networking and information technology research''. (j) Section 207.--Section 207 of the High-Performance Computing Act of 1991 (15 U.S.C. 5527) is amended by striking ``high-performance computing'' and inserting ``networking and information technology''. (k) Section 208.--Section 208 of the High-Performance Computing Act of 1991 (15 U.S.C. 5528) is amended-- (1) in the section heading, by striking ``high-performance computing'' and inserting ``networking and information technology''; and (2) in subsection (a)-- (A) in paragraph (1), by striking ``High-performance computing and associated'' and inserting ``Networking and information''; (B) in paragraph (2), by striking ``high-performance computing'' and inserting ``networking and information technologies''; (C) in paragraph (3), by striking ``high-performance'' and inserting ``high-end''; (D) in paragraph (4), by striking ``high-performance computers and associated'' and inserting ``networking and information''; and (E) in paragraph (5), by striking ``high-performance computing and associated'' and inserting ``networking and information''. SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM. (a) In General.--The Director of the National Science Foundation, in coordination with the Secretary of Homeland Security, shall carry out a Federal cyber scholarship-for- service program to recruit and train the next generation of information technology professionals and security managers to meet the needs of the cybersecurity mission for the Federal government. 
(b) Program Description and Components.--The program shall-- (1) annually assess the workforce needs of the Federal government for cybersecurity professionals, including network engineers, software engineers, and other experts in order to determine how many scholarships should be awarded annually to ensure that the workforce needs following graduation match the number of scholarships awarded; (2) provide scholarships for up to 1,000 students per year in their pursuit of undergraduate or graduate degrees in the cybersecurity field, in an amount that may include coverage for full tuition, fees, and a stipend; (3) require each scholarship recipient, as a condition of receiving a scholarship under the program, to serve in a Federal information technology workforce for a period equal to one and one-half times each year, or partial year, of scholarship received, in addition to an internship in the cybersecurity field, if applicable, following graduation; (4) provide a procedure for the National Science Foundation or a Federal agency, consistent with regulations of the Office of Personnel Management, to request and fund a security clearance for a scholarship recipient, including providing for clearance during a summer internship and upon graduation; and (5) provide opportunities for students to receive temporary appointments for meaningful employment in the Federal information technology workforce during school vacation periods and for internships. (c) Hiring Authority.-- (1) In general.--For purposes of any law or regulation governing the appointment of an [[Page S5555]] individual in the Federal civil service, upon the successful completion of the student's studies, a student receiving a scholarship under the program may-- (A) be hired under section 213.3102(r) of title 5, Code of Federal Regulations; and (B) be exempt from competitive service. 
(2) Competitive service.--Upon satisfactory fulfillment of the service term under paragraph (1), an individual may be converted to a competitive service position without competition if the individual meets the requirements for that position. (d) Eligibility.--The eligibility requirements for a scholarship under this section shall include that a scholarship applicant-- (1) be a citizen of the United States; (2) be eligible to be granted a security clearance; (3) maintain a grade point average of 3.2 or above on a 4.0 scale for undergraduate study or a 3.5 or above on a 4.0 scale for postgraduate study; (4) demonstrate a commitment to a career in improving the security of the information infrastructure; and (5) demonstrate a level of proficiency in math or computer sciences. (e) Failure to Complete Service Obligation.-- (1) In general.--A scholarship recipient under this section shall be liable to the United States under paragraph (2) if the scholarship recipient-- (A) fails to maintain an acceptable level of academic standing in the educational institution in which the individual is enrolled, as determined by the Director; (B) is dismissed from such educational institution for disciplinary reasons; (C) withdraws from the program for which the award was made before the completion of such program; (D) declares that the individual does not intend to fulfill the service obligation under this section; (E) fails to fulfill the service obligation of the individual under this section; or (F) loses a security clearance or becomes ineligible for a security clearance. (2) Repayment amounts.-- (A) Less than 1 year of service.--If a circumstance under paragraph (1) occurs before the completion of 1 year of a service obligation under this section, the total amount of awards received by the individual under this section shall be repaid. 
(B) One or more years of service.--If a circumstance described in subparagraph (D) or (E) of paragraph (1) occurs after the completion of 1 year of a service obligation under this section, the total amount of scholarship awards received by the individual under this section, reduced by the ratio of the number of years of service completed divided by the number of years of service required, shall be repaid. (f) Evaluation and Report.--The Director of the National Science Foundation shall-- (1) evaluate the success of recruiting individuals for scholarships under this section and of hiring and retaining those individuals in the public sector workforce, including the annual cost and an assessment of how the program actually improves the Federal workforce; and (2) periodically report the findings under paragraph (1) to Congress. (g) Authorization of Appropriations.--From amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), the Director may use funds to carry out the requirements of this section for fiscal years 2012 through 2013. SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF INFORMATION INFRASTRUCTURE PROFESSIONALS. (a) Study.--The President shall enter into an agreement with the National Academies to conduct a comprehensive study of government, academic, and private-sector accreditation, training, and certification programs for personnel working in information infrastructure. The agreement shall require the National Academies to consult with sector coordinating councils and relevant governmental agencies, regulatory entities, and nongovernmental organizations in the course of the study. 
(b) Scope.--The study shall include-- (1) an evaluation of the body of knowledge and various skills that specific categories of personnel working in information infrastructure should possess in order to secure information systems; (2) an assessment of whether existing government, academic, and private-sector accreditation, training, and certification programs provide the body of knowledge and various skills described in paragraph (1); (3) an analysis of any barriers to the Federal Government recruiting and hiring cybersecurity talent, including barriers relating to compensation, the hiring process, job classification, and hiring flexibility; and (4) an analysis of the sources and availability of cybersecurity talent, a comparison of the skills and expertise sought by the Federal Government and the private sector, an examination of the current and future capacity of United States institutions of higher education, including community colleges, to provide current and future cybersecurity professionals, through education and training activities, with those skills sought by the Federal Government, State and local entities, and the private sector. (c) Report.--Not later than 1 year after the date of enactment of this Act, the National Academies shall submit to the President and Congress a report on the results of the study. The report shall include-- (1) findings regarding the state of information infrastructure accreditation, training, and certification programs, including specific areas of deficiency and demonstrable progress; and (2) recommendations for the improvement of information infrastructure accreditation, training, and certification programs. SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS. 
(a) In General.--The Director of the National Institute of Standards and Technology, in coordination with appropriate Federal authorities, shall-- (1) as appropriate, ensure coordination of Federal agencies engaged in the development of international technical standards related to information system security; and (2) not later than 1 year after the date of enactment of this Act, develop and transmit to Congress a plan for ensuring such Federal agency coordination. (b) Consultation With the Private Sector.--In carrying out the activities under subsection (a)(1), the Director shall ensure consultation with appropriate private sector stakeholders. SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT. The Director of the National Institute of Standards and Technology shall continue a program to support the development of technical standards, metrology, testbeds, and conformance criteria, taking into account appropriate user concerns-- (1) to improve interoperability among identity management technologies; (2) to strengthen authentication methods of identity management systems; (3) to improve privacy protection in identity management systems, including health information technology systems, through authentication and security protocols; and (4) to improve the usability of identity management systems. SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT. (a) National Science Foundation Computer and Network Security Research Grant Areas.--Section 4(a)(1) of the Cyber Security Research and Development Act (15 U.S.C. 
7403(a)(1)) is amended-- (1) in subparagraph (H), by striking ``and'' after the semicolon; (2) in subparagraph (I), by striking ``property.'' and inserting ``property;''; and (3) by adding at the end the following: ``(J) secure fundamental protocols that are at the heart of inter-network communications and data exchange; ``(K) system security that addresses the building of secure systems from trusted and untrusted components; ``(L) monitoring and detection; and ``(M) resiliency and rapid recovery methods.''. (b) National Science Foundation Computer and Network Security Grants.--Section 4(a)(3) of the Cyber Security Research and Development Act (15 U.S.C. 7403(a)(3)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (c) Computer and Network Security Centers.--Section 4(b)(7) of the Cyber Security Research and Development Act (15 U.S.C. 7403(b)(7)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (d) Computer and Network Security Capacity Building Grants.--Section 5(a)(6) of the Cyber Security Research and Development Act (15 U.S.C. 
7404(a)(6)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (e) Scientific and Advanced Technology Act Grants.--Section 5(b)(2) of the Cyber Security Research and Development Act (15 U.S.C. 7404(b)(2)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (f) Graduate Traineeships in Computer and Network Security Research.--Section 5(c)(7) of the Cyber Security Research and Development Act (15 U.S.C. 7404(c)(7)) is amended-- [[Page S5556]] (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. ______ SA 2608. Mr. McCAIN (for himself, Mrs. Hutchison, Mr. Chambliss, Mr. Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of Wisconsin) submitted an amendment intended to be proposed by him to the bill S. 
3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: Strike all after the enacting clause and insert the following: SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) Short Title.--This Act may be cited as the ``Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012'' or ``SECURE IT''. (b) Table of Contents.--The table of contents of this Act is as follows: Sec. 1. Short title; table of contents. TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION Sec. 101. Definitions. Sec. 102. Authorization to share cyber threat information. Sec. 103. Information sharing by the Federal government. Sec. 104. Construction. Sec. 105. Report on implementation. Sec. 106. Inspector General review. Sec. 107. Technical amendments. Sec. 108. Access to classified information. TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY Sec. 201. Coordination of Federal information security policy. Sec. 202. Management of information technology. Sec. 203. No new funding. Sec. 204. Technical and conforming amendments. Sec. 205. Clarification of authorities. TITLE III--CRIMINAL PENALTIES Sec. 301. Penalties for fraud and related activity in connection with computers. Sec. 302. Trafficking in passwords. Sec. 303. Conspiracy and attempted computer fraud offenses. Sec. 304. Criminal and civil forfeiture for fraud and related activity in connection with computers. Sec. 305. Damage to critical infrastructure computers. Sec. 306. Limitation on actions involving unauthorized use. Sec. 307. No new funding. TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT Sec. 401. National High-Performance Computing Program planning and coordination. Sec. 402. Research in areas of national importance. Sec. 403. Program improvements. Sec. 404. Improving education of networking and information technology, including high performance computing. Sec. 
405. Conforming and technical amendments to the High-Performance Computing Act of 1991. Sec. 406. Federal cyber scholarship-for-service program. Sec. 407. Study and analysis of certification and training of information infrastructure professionals. Sec. 408. International cybersecurity technical standards. Sec. 409. Identity management research and development. Sec. 410. Federal cybersecurity research and development. TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION SEC. 101. DEFINITIONS. In this title: (1) Agency.--The term ``agency'' has the meaning given the term in section 3502 of title 44, United States Code. (2) Antitrust laws.--The term ``antitrust laws''-- (A) has the meaning given the term in section 1(a) of the Clayton Act (15 U.S.C. 12(a)); (B) includes section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent that section 5 of that Act applies to unfair methods of competition; and (C) includes any State law that has the same intent and effect as the laws under subparagraphs (A) and (B). (3) Countermeasure.--The term ``countermeasure'' means an automated or a manual action with defensive intent to mitigate cyber threats. 
(4) Cyber threat information.--The term ``cyber threat information'' means information that indicates or describes-- (A) a technical or operational vulnerability or a cyber threat mitigation measure; (B) an action or operation to mitigate a cyber threat; (C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat; (D) a method of defeating a technical control; (E) a method of defeating an operational control; (F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent; (G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control; (H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law; (I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or (J) any combination of subparagraphs (A) through (I). (5) Cybersecurity center.--The term ``cybersecurity center'' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center. 
(6) Cybersecurity system.--The term ``cybersecurity system'' means a system designed or employed to ensure the integrity, confidentiality, or availability of, or to safeguard, a system or network, including measures intended to protect a system or network from-- (A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information. (7) Entity.-- (A) In general.--The term ``entity'' means any private entity, non-Federal government agency or department, or State, tribal, or local government agency or department (including an officer, employee, or agent thereof). (B) Inclusions.--The term ``entity'' includes a government agency or department (including an officer, employee, or agent thereof) of the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Northern Mariana Islands, and any other territory or possession of the United States. (8) Federal information system.--The term ``Federal information system'' means an information system of a Federal department or agency used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. (9) Information security.--The term ``information security'' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide-- (A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity; (B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or (C) availability, by ensuring timely and reliable access to and use of information. 
(10) Information system.--The term ``information system'' has the meaning given the term in section 3502 of title 44, United States Code. (11) Local government.--The term ``local government'' means any borough, city, county, parish, town, township, village, or other general purpose political subdivision of a State. (12) Malicious reconnaissance.--The term ``malicious reconnaissance'' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat. (13) Operational control.--The term ``operational control'' means a security control for an information system that primarily is implemented and executed by people. (14) Operational vulnerability.--The term ``operational vulnerability'' means any attribute of policy, process, or procedure that could enable or facilitate the defeat of an operational control. (15) Private entity.--The term ``private entity'' means any individual or any private group, organization, or corporation, including an officer, employee, or agent thereof. (16) Significant cyber incident.--The term ``significant cyber incident'' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in-- (A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or (B) an incident in which an operational or technical control essential to the security or [[Page S5557]] operation of a Federal information system was defeated. (17) Technical control.--The term ``technical control'' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system. 
(18) Technical vulnerability.--The term ``technical vulnerability'' means any attribute of hardware or software that could enable or facilitate the defeat of a technical control. (19) Tribal.--The term ``tribal'' has the meaning given the term ``Indian tribe'' in section 4 of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 450b). SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION. (a) Voluntary Disclosure.-- (1) Private entities.--Notwithstanding any other provision of law, a private entity may, for the purpose of preventing, investigating, or otherwise mitigating threats to information security, on its own networks, or as authorized by another entity, on such entity's networks, employ countermeasures and use cybersecurity systems in order to obtain, identify, or otherwise possess cyber threat information. (2) Entities.--Notwithstanding any other provision of law, an entity may disclose cyber threat information to-- (A) a cybersecurity center; or (B) any other entity in order to assist with preventing, investigating, or otherwise mitigating threats to information security. (3) Information security providers.--If the cyber threat information described in paragraph (1) is obtained, identified, or otherwise possessed in the course of providing information security products or services under contract to another entity, that entity shall be given, at any time prior to disclosure of such information, a reasonable opportunity to authorize or prevent such disclosure, to request anonymization of such information, or to request that reasonable efforts be made to safeguard such information that identifies specific persons from unauthorized access or disclosure. 
(b) Significant Cyber Incidents Involving Federal Information Systems.-- (1) In general.--An entity providing electronic communication services, remote computing services, or information security services to a Federal department or agency shall inform the Federal department or agency of a significant cyber incident involving the Federal information system of that Federal department or agency that-- (A) is directly known to the entity as a result of providing such services; (B) is directly related to the provision of such services by the entity; and (C) as determined by the entity, has impeded or will impede the performance of a critical mission of the Federal department or agency. (2) Advance coordination.--A Federal department or agency receiving the services described in paragraph (1) shall coordinate in advance with an entity described in paragraph (1) to develop the parameters of any information that may be provided under paragraph (1), including clarification of the type of significant cyber incident that will impede the performance of a critical mission of the Federal department or agency. (3) Report.--A Federal department or agency shall report information provided under this subsection to a cybersecurity center. (4) Construction.--Any information provided to a cybersecurity center under paragraph (3) shall be treated in the same manner as information provided to a cybersecurity center under subsection (a). 
(c) Information Shared With or Provided to a Cybersecurity Center.--Cyber threat information provided to a cybersecurity center under this section-- (1) may be disclosed to, retained by, and used by, consistent with otherwise applicable Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal government for a cybersecurity purpose, a national security purpose, or in order to prevent, investigate, or prosecute any of the offenses listed in section 2516 of title 18, United States Code, and such information shall not be disclosed to, retained by, or used by any Federal agency or department for any use not permitted under this paragraph; (2) may, with the prior written consent of the entity submitting such information, be disclosed to and used by a State, tribal, or local government or government agency for the purpose of protecting information systems, or in furtherance of preventing, investigating, or prosecuting a criminal act, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent; (3) shall be considered the commercial, financial, or proprietary information of the entity providing such information to the Federal government and any disclosure outside the Federal government may only be made upon the prior written consent by such entity and shall not constitute a waiver of any applicable privilege or protection provided by law, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent; (4) shall be deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records; (5) shall be, without discretion, withheld from the public under section 552(b)(3)(B) of title 5, United States 
Code, and any State, tribal, or local law requiring disclosure of information or records; (6) shall not be subject to the rules of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official; (7) shall not, if subsequently provided to a State, tribal, or local government or government agency, otherwise be disclosed or distributed to any entity by such State, tribal, or local government or government agency without the prior written consent of the entity submitting such information, notwithstanding any State, tribal, or local law requiring disclosure of information or records, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent; and (8) shall not be directly used by any Federal, State, tribal, or local department or agency to regulate the lawful activities of an entity, including activities relating to obtaining, identifying, or otherwise possessing cyber threat information, except that the procedures required to be developed and implemented under this title shall not be considered regulations within the meaning of this paragraph. 
(d) Procedures Relating to Information Sharing With a Cybersecurity Center.--Not later than 60 days after the date of enactment of this Act, the heads of each department or agency containing a cybersecurity center shall jointly develop, promulgate, and submit to Congress procedures to ensure that cyber threat information shared with or provided to-- (1) a cybersecurity center under this section-- (A) may be submitted to a cybersecurity center by an entity, to the greatest extent possible, through a uniform, publicly available process or format that is easily accessible on the website of such cybersecurity center, and that includes the ability to provide relevant details about the cyber threat information and written consent to any subsequent disclosures authorized by this paragraph; (B) shall immediately be further shared with each cybersecurity center in order to prevent, investigate, or otherwise mitigate threats to information security across the Federal government; (C) is handled by the Federal government in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title, and the Federal government may undertake efforts consistent with this subparagraph to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal government; and (D) except as provided in this section, shall only be used, disclosed, or handled in accordance with the provisions of subsection (c); and (2) a Federal agency or department under subsection (b) is provided immediately to a cybersecurity center in order to prevent, investigate, or otherwise mitigate threats to information security across the Federal government. 
(e) Information Shared Between Entities.-- (1) In general.--An entity sharing cyber threat information with another entity under this title may restrict the use or sharing of such information by such other entity. (2) Further sharing.--Cyber threat information shared by any entity with another entity under this title-- (A) shall only be further shared in accordance with any restrictions placed on the sharing of such information by the entity authorizing such sharing, such as appropriate anonymization of such information; and (B) may not be used by any entity to gain an unfair competitive advantage to the detriment of the entity authorizing the sharing of such information, except that the conduct described in paragraph (3) shall not constitute unfair competitive conduct. (3) Information shared with state, tribal, or local government or government agency.--Cyber threat information shared with a State, tribal, or local government or government agency under this title-- (A) may, with the prior written consent of the entity sharing such information, be disclosed to and used by a State, tribal, or local government or government agency for the purpose of protecting information systems, or in furtherance of preventing, investigating, or prosecuting a criminal act, except if the need for immediate disclosure prevents obtaining written consent, consent may be provided orally with subsequent documentation of the consent; (B) shall be deemed voluntarily shared information and exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records; (C) shall not be disclosed or distributed to any entity by the State, tribal, or local government or government agency without the prior written consent of the entity submitting such information, notwithstanding any State, tribal, or local law requiring disclosure of information or records, except if the need for immediate disclosure prevents obtaining written consent, consent may be 
provided orally with subsequent documentation of the consent; and (D) shall not be directly used by any State, tribal, or local department or agency to regulate the lawful activities of an entity, including activities relating to obtaining, identifying, or otherwise possessing cyber threat information, except that the procedures required to be developed and implemented under this title shall not be considered regulations within the meaning of this subparagraph. (4) Antitrust exemption.--The exchange or provision of cyber threat information or assistance between 2 or more private entities under this title shall not be considered a violation of any provision of antitrust laws if exchanged or provided in order to assist with-- (A) facilitating the prevention, investigation, or mitigation of threats to information security; or (B) communicating or disclosing cyber threat information to help prevent, investigate, or otherwise mitigate the effects of a threat to information security. (5) No right or benefit.--The provision of cyber threat information to an entity under this section shall not create a right or a benefit to similar information by such entity or any other entity. (f) Federal Preemption.-- (1) In general.--This section supersedes any statute or other law of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under this section. (2) State law enforcement.--Nothing in this section shall be construed to supersede any statute or other law of a State or political subdivision of a State concerning the use of authorized law enforcement techniques. (3) Public disclosure.--No information shared with or provided to a State, tribal, or local government or government agency pursuant to this section shall be made publicly available pursuant to any State, tribal, or local law requiring disclosure of information or records. 
(g) Civil and Criminal Liability.-- (1) General protections.-- (A) Private entities.--No cause of action shall lie or be maintained in any court against any private entity for-- (i) the use of countermeasures and cybersecurity systems as authorized by this title; (ii) the use, receipt, or disclosure of any cyber threat information as authorized by this title; or (iii) the subsequent actions or inactions of any lawful recipient of cyber threat information provided by such private entity. (B) Entities.--No cause of action shall lie or be maintained in any court against any entity for-- (i) the use, receipt, or disclosure of any cyber threat information as authorized by this title; or (ii) the subsequent actions or inactions of any lawful recipient of cyber threat information provided by such entity. (2) Construction.--Nothing in this subsection shall be construed as creating any immunity against, or otherwise affecting, any action brought by the Federal government, or any agency or department thereof, to enforce any law, executive order, or procedure governing the appropriate handling, disclosure, and use of classified information. (h) Otherwise Lawful Disclosures.--Nothing in this section shall be construed to limit or prohibit otherwise lawful disclosures of communications, records, or other information by a private entity to any other governmental or private entity not covered under this section. (i) Whistleblower Protection.--Nothing in this Act shall be construed to preempt or preclude any employee from exercising rights currently provided under any whistleblower law, rule, or regulation. (j) Relationship to Other Laws.--The submission of cyber threat information under this section to a cybersecurity center shall not affect any requirement under any other provision of law for an entity to provide information to the Federal government. SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT. 
(a) Classified Information.-- (1) Procedures.--Consistent with the protection of intelligence sources and methods, and as otherwise determined appropriate, the Director of National Intelligence and the Secretary of Defense, in consultation with the heads of the appropriate Federal departments or agencies, shall develop and promulgate procedures to facilitate and promote-- (A) the immediate sharing, through the cybersecurity centers, of classified cyber threat information in the possession of the Federal government with appropriately cleared representatives of any appropriate entity; and (B) the declassification and immediate sharing, through the cybersecurity centers, with any entity or, if appropriate, public availability of cyber threat information in the possession of the Federal government; (2) Handling of classified information.--The procedures developed under paragraph (1) shall ensure that each entity receiving classified cyber threat information pursuant to this section has acknowledged in writing the ongoing obligation to comply with all laws, executive orders, and procedures concerning the appropriate handling, disclosure, or use of classified information. (b) Unclassified Cyber Threat Information.--The heads of each department or agency containing a cybersecurity center shall jointly develop and promulgate procedures that ensure that, consistent with the provisions of this section, unclassified, including controlled unclassified, cyber threat information in the possession of the Federal government-- (1) is shared, through the cybersecurity centers, in an immediate and adequate manner with appropriate entities; and (2) if appropriate, is made publicly available. (c) Development of Procedures.-- (1) In general.--The procedures developed under this section shall incorporate, to the greatest extent possible, existing processes utilized by sector specific information sharing and analysis centers. 
(2) Coordination with entities.--In developing the procedures required under this section, the Director of National Intelligence and the heads of each department or agency containing a cybersecurity center shall coordinate with appropriate entities to ensure that protocols are implemented that will facilitate and promote the sharing of cyber threat information by the Federal government. (d) Additional Responsibilities of Cybersecurity Centers.-- Consistent with section 102, a cybersecurity center shall-- (1) facilitate information sharing, interaction, and collaboration among and between cybersecurity centers and-- (A) other Federal entities; (B) any entity; and (C) international partners, in consultation with the Secretary of State; (2) disseminate timely and actionable cybersecurity threat, vulnerability, mitigation, and warning information, including alerts, advisories, indicators, signatures, and mitigation and response measures, to improve the security and protection of information systems; and (3) coordinate with other Federal entities, as appropriate, to integrate information from across the Federal government to provide situational awareness of the cybersecurity posture of the United States. (e) Sharing Within the Federal Government.--The heads of appropriate Federal departments and agencies shall ensure that cyber threat information in the possession of such Federal departments or agencies that relates to the prevention, investigation, or mitigation of threats to information security across the Federal government is shared effectively with the cybersecurity centers. (f) Submission to Congress.--Not later than 60 days after the date of enactment of this Act, the Director of National Intelligence, in coordination with the appropriate head of a department or an agency containing a cybersecurity center, shall submit the procedures required by this section to Congress. SEC. 104. CONSTRUCTION. 
(a) Information Sharing Relationships.--Nothing in this title shall be construed-- (1) to limit or modify an existing information sharing relationship; (2) to prohibit a new information sharing relationship; (3) to require a new information sharing relationship between any entity and the Federal government, except as specified under section 102(b); or (4) to modify the authority of a department or agency of the Federal government to protect sources and methods and the national security of the United States. (b) Anti-tasking Restriction.--Nothing in this title shall be construed to permit the Federal government-- (1) to require an entity to share information with the Federal government, except as expressly provided under section 102(b); or (2) to condition the sharing of cyber threat information with an entity on such entity's provision of cyber threat information to the Federal government. (c) No Liability for Non-participation.--Nothing in this title shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized under this title. (d) Use and Retention of Information.--Nothing in this title shall be construed to authorize, or to modify any existing authority of, a department or agency of the Federal government to retain or use any information shared under section 102 for any use other than a use permitted under subsection 102(c)(1). (e) No New Funding.--An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate. SEC. 105. REPORT ON IMPLEMENTATION. 
(a) Content of Report.--Not later than 1 year after the date of enactment of this Act, and biennially thereafter, the heads of each department or agency containing a cybersecurity center shall jointly submit, in coordination with the privacy and civil liberties officials of such departments or agencies and the Privacy and Civil Liberties Oversight Board, a detailed report to Congress concerning the implementation of this title, including-- (1) an assessment of the sufficiency of the procedures developed under section 103 of this Act in ensuring that cyber threat information in the possession of the Federal government is provided in an immediate and adequate manner to appropriate entities or, if appropriate, is made publicly available; (2) an assessment of whether information has been appropriately classified and an accounting of the number of security clearances authorized by the Federal government for purposes of this title; (3) a review of the type of cyber threat information shared with a cybersecurity center under section 102 of this Act, including whether such information meets the definition of cyber threat information under section 101, the degree to which such information may impact the privacy and civil liberties of individuals, any appropriate metrics to determine any impact of the sharing of such information with the Federal government on privacy and civil liberties, and the adequacy of any steps taken to reduce such impact; (4) a review of actions taken by the Federal government based on information provided to a cybersecurity center under section 102 of this Act, including the appropriateness of any subsequent use under section 102(c)(1) of this Act and whether there was inappropriate stovepiping within the Federal government of any such information; (5) a description of any violations of the requirements of this title by the Federal government; (6) a classified list of entities that received classified information from the Federal 
government under section 103 of this Act and a description of any indication that such information may not have been appropriately handled; (7) a summary of any breach of information security, if known, attributable to a specific failure by any entity or the Federal government to act on cyber threat information in the possession of such entity or the Federal government that resulted in substantial economic harm or injury to a specific entity or the Federal government; and (8) any recommendation for improvements or modifications to the authorities under this title. (b) Form of Report.--The report under subsection (a) shall be submitted in unclassified form, but shall include a classified annex. SEC. 106. INSPECTOR GENERAL REVIEW. (a) In General.--The Council of the Inspectors General on Integrity and Efficiency is authorized to review compliance by the cybersecurity centers, and by any Federal department or agency receiving cyber threat information from such cybersecurity centers, with the procedures required under section 102 of this Act. (b) Scope of Review.--The review under subsection (a) shall consider whether the Federal government has handled such cyber threat information in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title. (c) Report to Congress.--Each review conducted under this section shall be provided to Congress not later than 30 days after the date of completion of the review. SEC. 107. TECHNICAL AMENDMENTS. 
Section 552(b) of title 5, United States Code, is amended-- (1) in paragraph (8), by striking ``or''; (2) in paragraph (9), by striking ``wells.'' and inserting ``wells; or''; and (3) by adding at the end the following: ``(10) information shared with or provided to a cybersecurity center under section 102 of title I of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012.''. SEC. 108. ACCESS TO CLASSIFIED INFORMATION. (a) Authorization Required.--No person shall be provided with access to classified information (as defined in section 6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to classified national security information)) relating to cyber security threats or cyber security vulnerabilities under this title without the appropriate security clearances. (b) Security Clearances.--The appropriate Federal agencies or departments shall, consistent with applicable procedures and requirements, and if otherwise deemed appropriate, assist an individual in timely obtaining an appropriate security clearance where such individual has been determined to be eligible for such clearance and has a need-to-know (as defined in section 6.1 of that Executive Order) classified information to carry out this title. TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) In General.--Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following: ``SUBCHAPTER II--INFORMATION SECURITY ``Sec. 3551. 
Purposes ``The purposes of this subchapter are-- ``(1) to provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets; ``(2) to recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management of policies, directives, standards, and guidelines, as well as effective and nimble oversight of and response to information security risks, including coordination of information security efforts throughout the Federal civilian, national security, and law enforcement communities; ``(3) to provide for development and maintenance of controls required to protect agency information and information systems and contribute to the overall improvement of agency information security posture; ``(4) to provide for the development of tools and methods to assess and respond to real-time situational risk for Federal information system operations and assets; and ``(5) to provide a mechanism for improving agency information security programs through continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting. ``Sec. 3552. Definitions ``In this subchapter: ``(1) Adequate security.--The term `adequate security' means security commensurate with the risk and magnitude of the harm resulting from the unauthorized access to or loss, misuse, destruction, or modification of information. ``(2) Agency.--The term `agency' has the meaning given the term in section 3502 of title 44. 
``(3) Cybersecurity center.--The term `cybersecurity center' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center. ``(4) Cyber threat information.--The term `cyber threat information' means information that indicates or describes-- ``(A) a technical or operational vulnerability or a cyber threat mitigation measure; ``(B) an action or operation to mitigate a cyber threat; ``(C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat; ``(D) a method of defeating a technical control; ``(E) a method of defeating an operational control; ``(F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent; ``(G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control; ``(H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law; ``(I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or ``(J) any combination of subparagraphs (A) through (I). ``(5) Director.--The term `Director' means the Director of the Office of Management and Budget unless otherwise specified. 
``(6) Environment of operation.--The term `environment of operation' means the information system and environment in which those systems operate, including changing threats, vulnerabilities, technologies, and missions and business practices. ``(7) Federal information system.--The term `Federal information system' means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. ``(8) Incident.--The term `incident' means an occurrence that-- ``(A) actually or imminently jeopardizes the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits; or ``(B) constitutes a violation of law or an imminent threat of violation of a law, a security policy, a security procedure, or an acceptable use policy. ``(9) Information resources.--The term `information resources' has the meaning given the term in section 3502 of title 44. ``(10) Information security.--The term `information security' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide-- ``(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity; ``(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or ``(C) availability, by ensuring timely and reliable access to and use of information. ``(11) Information system.--The term `information system' has the meaning given the term in section 3502 of title 44. ``(12) Information technology.--The term `information technology' has the meaning given the term in section 11101 of title 40. 
``(13) Malicious reconnaissance.--The term `malicious reconnaissance' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat. ``(14) National security system.-- ``(A) In general.--The term `national security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency-- ``(i) the function, operation, or use of which-- ``(I) involves intelligence activities; ``(II) involves cryptologic activities related to national security; ``(III) involves command and control of military forces; ``(IV) involves equipment that is an integral part of a weapon or weapons system; or ``(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or ``(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. ``(B) Limitation.--Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). ``(15) Operational control.--The term `operational control' means a security control for an information system that primarily is implemented and executed by people. ``(16) Person.--The term `person' has the meaning given the term in section 3502 of title 44. ``(17) Secretary.--The term `Secretary' means the Secretary of Commerce unless otherwise specified. 
``(18) Security control.--The term `security control' means the management, operational, and technical controls, including safeguards or countermeasures, prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. ``(19) Significant cyber incident.--The term `significant cyber incident' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in-- ``(A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or ``(B) an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated. ``(20) Technical control.--The term `technical control' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system. ``Sec. 3553. 
Federal information security authority and coordination ``(a) In General.--The Secretary, in consultation with the Secretary of Homeland Security, shall-- ``(1) issue compulsory and binding policies and directives governing agency information security operations, and require implementation of such policies and directives, including-- ``(A) policies and directives consistent with the standards and guidelines promulgated under section 11331 of title 40 to identify and provide information security protections prioritized and commensurate with the risk and impact resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of-- ``(i) information collected or maintained by or on behalf of an agency; or ``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; ``(B) minimum operational requirements for Federal Government to protect agency information systems and provide common situational awareness across all agency information systems; ``(C) reporting requirements, consistent with relevant law, regarding information security incidents and cyber threat information; ``(D) requirements for agencywide information security programs; ``(E) performance requirements and metrics for the security of agency information systems; ``(F) training requirements to ensure that agencies are able to fully and timely comply with the policies and directives issued by the Secretary under this subchapter; ``(G) training requirements regarding privacy, civil rights, and civil liberties, and information oversight for agency information security personnel; ``(H) requirements for the annual reports to the Secretary under section 3554(d); ``(I) any other information security operations or information security requirements as determined by the Secretary in coordination with relevant agency heads; and ``(J) coordinating the development of standards and guidelines under section 20 of the 
National Institute of Standards and Technology Act (15 U.S.C. 278g-3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems; ``(2) review the agencywide information security programs under section 3554; and ``(3) designate an individual or an entity at each cybersecurity center, among other responsibilities-- ``(A) to receive reports and information about information security incidents, cyber threat information, and deterioration of security control affecting agency information systems; and ``(B) to act on or share the information under subparagraph (A) in accordance with this subchapter. ``(b) Considerations.--When issuing policies and directives under subsection (a), the Secretary shall consider any applicable standards or guidelines developed by the National Institute of Standards and Technology under section 11331 of title 40. ``(c) Limitation of Authority.--The authorities of the Secretary under this section shall not apply to national security systems. Information security policies, directives, standards and guidelines for national security systems shall be overseen as directed by the President and, in accordance with that direction, carried out under the authority of the heads of agencies that operate or exercise authority over such national security systems. ``(d) Statutory Construction.--Nothing in this subchapter shall be construed to alter or amend any law regarding the authority of any head of an agency over such agency. ``Sec. 3554. 
Agency responsibilities ``(a) In General.--The head of each agency shall-- ``(1) be responsible for-- ``(A) complying with the policies and directives issued under section 3553; ``(B) providing information security protections commensurate with the risk resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of-- ``(i) information collected or maintained by the agency or by a contractor of an agency or other organization on behalf of an agency; and ``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; ``(C) complying with the requirements of this subchapter, including-- ``(i) information security standards and guidelines promulgated under section 11331 of title 40; ``(ii) for any national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued as directed by the President; and ``(iii) for any non-national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued under section 3553; ``(D) ensuring that information security management processes are integrated with agency strategic and operational planning processes; ``(E) reporting and sharing, for an agency operating or exercising control of a national security system, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for national security systems issued as directed by the President; and ``(F) reporting and sharing, for those agencies operating or exercising control of non-national security systems, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated 
at each cybersecurity center and to other appropriate entities consistent with policies and directives for non-national security systems as prescribed under section 3553(a), including information to assist the entity designated under section 3555(a) with the ongoing security analysis under section 3555; ``(2) ensure that each senior agency official provides information security for the information and information systems that support the operations and assets under the senior agency official's control, including by-- ``(A) assessing the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems; ``(B) determining the level of information security appropriate to protect such information and information systems in accordance with policies and directives issued under section 3553(a), and standards and guidelines promulgated under section 11331 of title 40 for information security classifications and related requirements; ``(C) implementing policies, procedures, and capabilities to reduce risks to an acceptable level in a cost-effective manner; ``(D) actively monitoring the effective implementation of information security controls and techniques; and ``(E) reporting information about information security incidents, cyber threat information, and deterioration of security controls in a timely and adequate manner to the entity designated under section 3553(a)(3) in accordance with paragraph (1); ``(3) assess and maintain the resiliency of information technology systems critical to agency mission and operations; ``(4) designate the agency Inspector General (or an independent entity selected in consultation with the Director and the Council of Inspectors General on Integrity and Efficiency if the agency does not have an Inspector General) to conduct the annual independent evaluation required under section 3556, and allow the agency Inspector General to 
contract with an independent entity to perform such evaluation; ``(5) delegate to the Chief Information Officer or equivalent (or to a senior agency official who reports to the Chief Information Officer or equivalent)-- ``(A) the authority and primary responsibility to implement an agencywide information security program; and ``(B) the authority to provide information security for the information collected and maintained by the agency (or by a contractor, other agency, or other source on behalf of the agency) and for the information systems that support the operations, assets, and mission of the agency (including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency); ``(6) delegate to the appropriate agency official (who is responsible for a particular agency system or subsystem) the responsibility to ensure and enforce compliance with all requirements of the agency's agencywide information security program in coordination with the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5); ``(7) ensure that an agency has trained personnel who have obtained any necessary security clearances to permit them to assist the agency in complying with this subchapter; ``(8) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5), in coordination with other senior agency officials, reports to the agency head on the effectiveness of the agencywide information security program, including the progress of any remedial actions; and ``(9) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5) has the necessary qualifications to administer the functions described in this subchapter and has information security 
duties as a primary duty of that official. ``(b) Chief Information Officers.--Each Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under subsection (a)(5) shall-- ``(1) establish and maintain an enterprise security operations capability that on a continuous basis-- ``(A) detects, reports, contains, mitigates, and responds to information security incidents that impair adequate security of the agency's information or information system in a timely manner and in accordance with the policies and directives under section 3553; and ``(B) reports any information security incident under subparagraph (A) to the entity designated under section 3555; ``(2) develop, maintain, and oversee an agencywide information security program; ``(3) develop, maintain, and oversee information security policies, procedures, and control techniques to address applicable requirements, including requirements under section 3553 of this title and section 11331 of title 40; and ``(4) train and oversee the agency personnel who have significant responsibility for information security with respect to that responsibility. 
``(c) Agencywide Information Security Programs.-- ``(1) In general.--Each agencywide information security program under subsection (b)(2) shall include-- ``(A) relevant security risk assessments, including technical assessments and others related to the acquisition process; ``(B) security testing commensurate with risk and impact; ``(C) mitigation of deterioration of security controls commensurate with risk and impact; ``(D) risk-based continuous monitoring and threat assessment of the operational status and security of agency information systems to enable evaluation of the effectiveness of and compliance with information security policies, procedures, and practices, including a relevant and appropriate selection of security controls of information systems identified in the inventory under section 3505(c); ``(E) operation of appropriate technical capabilities in order to detect, mitigate, report, and respond to information security incidents, cyber threat information, and deterioration of security controls in a manner that is consistent with the policies and directives under section 3553, including-- ``(i) mitigating risks associated with such information security incidents; ``(ii) notifying and consulting with the entity designated under section 3555; and ``(iii) notifying and consulting with, as appropriate-- ``(I) law enforcement and the relevant Office of the Inspector General; and ``(II) any other entity, in accordance with law and as directed by the President; ``(F) a process to ensure that remedial action is taken to address any deficiencies in the information security policies, procedures, and practices of the agency; and ``(G) a plan and procedures to ensure the continuity of operations for information systems that support the operations and assets of the agency. 
``(2) Risk management strategies.--Each agencywide information security program under subsection (b)(2) shall include the development and maintenance of a risk management strategy for information security. The risk management strategy shall include-- ``(A) consideration of information security incidents, cyber threat information, and deterioration of security controls; and ``(B) consideration of the consequences that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency; ``(3) Policies and procedures.--Each agencywide information security program under subsection (b)(2) shall include policies and procedures that-- ``(A) are based on the risk management strategy under paragraph (2); ``(B) reduce information security risks to an acceptable level in a cost-effective manner; ``(C) ensure that cost-effective and adequate information security is addressed as part of the acquisition and ongoing management of each agency information system; and ``(D) ensure compliance with-- ``(i) this subchapter; and ``(ii) any other applicable requirements. ``(4) Training requirements.--Each agencywide information security program under subsection (b)(2) shall include information security, privacy, civil rights, civil liberties, and information oversight training that meets any applicable requirements under section 3553. 
The training shall inform each information security personnel that has access to agency information systems (including contractors and other users of information systems that support the operations and assets of the agency) of-- ``(A) the information security risks associated with the information security personnel's activities; and ``(B) the individual's responsibility to comply with the agency policies and procedures that reduce the risks under subparagraph (A). ``(d) Annual Report.--Each agency shall submit a report annually to the Secretary of Homeland Security on its agencywide information security program and information systems. ``Sec. 3555. Multiagency ongoing threat assessment ``(a) Implementation.--The Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, shall designate an entity to implement ongoing security analysis concerning agency information systems-- ``(1) based on cyber threat information; ``(2) based on agency information system and environment of operation changes, including-- ``(A) an ongoing evaluation of the information system security controls; and ``(B) the security state, risk level, and environment of operation of an agency information system, including-- ``(i) a change in risk level due to a new cyber threat; ``(ii) a change resulting from a new technology; ``(iii) a change resulting from the agency's mission; and ``(iv) a change resulting from the business practice; and ``(3) using automated processes to the maximum extent possible-- ``(A) to increase information system security; ``(B) to reduce paper-based reporting requirements; and ``(C) to maintain timely and actionable knowledge of the state of the information system security. ``(b) Standards.--The National Institute of Standards and Technology may promulgate standards, in coordination with the Secretary of Homeland Security, to assist an agency with its duties under this section. 
``(c) Compliance.--The head of each appropriate department and agency shall be responsible for ensuring compliance and implementing necessary procedures to comply with this section. The head of each appropriate department and agency, in consultation with the Director of the Office of Management and Budget and the Secretary of Homeland Security, shall-- ``(1) monitor compliance under this section; ``(2) develop a timeline and implement for the department or agency-- ``(A) adoption of any technology, system, or method that facilitates continuous monitoring and threat assessments of an agency information system; ``(B) adoption or updating of any technology, system, or method that prevents, detects, or remediates a significant cyber incident to a Federal information system of the department or agency that has impeded, or is reasonably likely to impede, the performance of a critical mission of the department or agency; and ``(C) adoption of any technology, system, or method that satisfies a requirement under this section. [[Page S5562]] ``(d) Limitation of Authority.--The authorities of the Director of the Office of Management and Budget and of the Secretary of Homeland Security under this section shall not apply to national security systems. ``(e) Report.--Not later than 6 months after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Government Accountability Office shall issue a report evaluating each agency's status toward implementing this section. ``Sec. 3556. 
Independent evaluations ``(a) In General.--The Council of the Inspectors General on Integrity and Efficiency, in consultation with the Director and the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense, shall issue and maintain criteria for the timely, cost-effective, risk-based, and independent evaluation of each agencywide information security program (and practices) to determine the effectiveness of the agencywide information security program (and practices). The criteria shall include measures to assess any conflicts of interest in the performance of the evaluation and whether the agencywide information security program includes appropriate safeguards against disclosure of information where such disclosure may adversely affect information security. ``(b) Annual Independent Evaluations.--Each agency shall perform an annual independent evaluation of its agencywide information security program (and practices) in accordance with the criteria under subsection (a). ``(c) Distribution of Reports.--Not later than 30 days after receiving an independent evaluation under subsection (b), each agency head shall transmit a copy of the independent evaluation to the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense. ``(d) National Security Systems.--Evaluations involving national security systems shall be conducted as directed by the President. ``Sec. 3557. National security systems. 
``The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency-- ``(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; and ``(2) implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President.''. (b) Savings Provisions.-- (1) Policy and compliance guidance.--Policy and compliance guidance issued by the Director before the date of enactment of this Act under section 3543(a)(1) of title 44, United States Code (as in effect on the day before the date of enactment of this Act), shall continue in effect, according to its terms, until modified, terminated, superseded, or repealed pursuant to section 3553(a)(1) of title 44, United States Code. (2) Standards and guidelines.--Standards and guidelines issued by the Secretary of Commerce or by the Director before the date of enactment of this Act under section 11331(a)(1) of title 40, United States Code, (as in effect on the day before the date of enactment of this Act) shall continue in effect, according to their terms, until modified, terminated, superseded, or repealed pursuant to section 11331(a)(1) of title 40, United States Code, as amended by this Act. (c) Technical and Conforming Amendments.-- (1) Chapter analysis.--The chapter analysis for chapter 35 of title 44, United States Code, is amended-- (A) by striking the items relating to sections 3531 through 3538; (B) by striking the items relating to sections 3541 through 3549; and (C) by inserting the following: ``3551. Purposes. ``3552. Definitions. ``3553. Federal information security authority and coordination. ``3554. Agency responsibilities. ``3555. 
Multiagency ongoing threat assessment. ``3556. Independent evaluations. ``3557. National security systems.''. (2) Other references.-- (A) Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 3532(3)'' and inserting ``section 3552''. (B) Section 2222(j)(5) of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (C) Section 2223(c)(3) of title 10, United States Code, is amended, by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (D) Section 2315 of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (E) Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended-- (i) in subsection (a)(2), by striking ``section 3532(b)(2)'' and inserting ``section 3552''; (ii) in subsection (c)(3), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (iii) in subsection (d)(1), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (iv) in subsection (d)(8) by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (v) in subsection (d)(8), by striking ``submitted to the Director'' and inserting ``submitted to the Secretary''; (vi) in subsection (e)(2), by striking ``section 3532(1) of such title'' and inserting ``section 3552 of title 44''; and (vii) in subsection (e)(5), by striking ``section 3532(b)(2) of such title'' and inserting ``section 3552 of title 44''. (F) Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking ``section 3534(b)'' and inserting ``section 3554(b)(2)''. SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY. (a) In General.--Section 11331 of title 40, United States Code, is amended to read as follows: ``Sec. 11331. 
Responsibilities for Federal information systems standards ``(a) Standards and Guidelines.-- ``(1) Authority to prescribe.--Except as provided under paragraph (2), the Secretary of Commerce shall prescribe standards and guidelines pertaining to Federal information systems-- ``(A) in consultation with the Secretary of Homeland Security; and ``(B) on the basis of standards and guidelines developed by the National Institute of Standards and Technology under paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)(2) and (a)(3)). ``(2) National security systems.--Standards and guidelines for national security systems shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President. ``(b) Mandatory Standards and Guidelines.-- ``(1) Authority to make mandatory standards and guidelines.--The Secretary of Commerce shall make standards and guidelines under subsection (a)(1) compulsory and binding to the extent determined necessary by the Secretary of Commerce to improve the efficiency of operation or security of Federal information systems. ``(2) Required mandatory standards and guidelines.-- ``(A) In general.--Standards and guidelines under subsection (a)(1) shall include information security standards that-- ``(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)); and ``(ii) are otherwise necessary to improve the security of Federal information and information systems. ``(B) Binding effect.--Information security standards under subparagraph (A) shall be compulsory and binding. ``(c) Exercise of Authority.--To ensure fiscal and policy consistency, the Secretary of Commerce shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director. 
``(d) Application of More Stringent Standards and Guidelines.--The head of an executive agency may employ standards for the cost-effective information security for information systems within or under the supervision of that agency that are more stringent than the standards and guidelines the Secretary of Commerce prescribes under this section if the more stringent standards and guidelines-- ``(1) contain at least the applicable standards and guidelines made compulsory and binding by the Secretary of Commerce; and ``(2) are otherwise consistent with the policies, directives, and implementation memoranda issued under section 3553(a) of title 44. ``(e) Decisions on Promulgation of Standards and Guidelines.--The decision by the Secretary of Commerce regarding the promulgation of any standard or guideline under this section shall occur not later than 6 months after the date of submission of the proposed standard to the Secretary of Commerce by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3). ``(f) Notice and Comment.--A decision by the Secretary of Commerce to significantly modify, or not promulgate, a proposed standard submitted to the Secretary by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) shall be made after the public is given an opportunity to comment on the Secretary's proposed decision. ``(g) Definitions.--In this section: ``(1) Federal information system.--The term `Federal information system' has the meaning given the term in section 3552 of title 44. ``(2) Information security.--The term `information security' has the meaning given the term in section 3552 of title 44. ``(3) National security system.--The term `national security system' has the meaning given the term in section 3552 of title 44.''. SEC. 203. NO NEW FUNDING. 
An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate. [[Page S5563]] SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS. Section 21(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-4(b)) is amended-- (1) in paragraph (2), by striking ``and the Director of the Office of Management and Budget'' and inserting ``, the Secretary of Commerce, and the Secretary of Homeland Security''; and (2) in paragraph (3), by inserting ``, the Secretary of Homeland Security,'' after ``the Secretary of Commerce''. SEC. 205. CLARIFICATION OF AUTHORITIES. Nothing in this title shall be construed to convey any new regulatory authority to any government entity implementing or complying with any provision of this title. TITLE III--CRIMINAL PENALTIES SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS. Section 1030(c) of title 18, United States Code, is amended to read as follows: ``(c) The punishment for an offense under subsection (a) or (b) of this section is-- ``(1) a fine under this title or imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(1) of this section; ``(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than 3 years, or both, in the case of an offense under subsection (a)(2); or ``(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2) of this section, if-- ``(i) the offense was committed for purposes of commercial advantage or private financial gain; ``(ii) the offense was committed in the furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States, or of any State; or ``(iii) the value of the information obtained, or that would have been obtained if the offense was 
completed, exceeds $5,000; ``(3) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(3) of this section; ``(4) a fine under this title or imprisonment of not more than 20 years, or both, in the case of an offense under subsection (a)(4) of this section; ``(5)(A) except as provided in subparagraph (C), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A) of this section, if the offense caused-- ``(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; ``(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; ``(iii) physical injury to any person; ``(iv) a threat to public health or safety; ``(v) damage affecting a computer used by, or on behalf of, an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or ``(vi) damage affecting 10 or more protected computers during any 1-year period; ``(B) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(B), if the offense caused a harm provided in clause (i) through (vi) of subparagraph (A) of this subsection; ``(C) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; ``(D) a fine under this title, imprisonment for not more than 10 years, or both, for any other offense under subsection (a)(5); ``(E) a fine under this title or imprisonment for not 
more than 10 years, or both, in the case of an offense under subsection (a)(6) of this section; or ``(F) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(7) of this section.''. SEC. 302. TRAFFICKING IN PASSWORDS. Section 1030(a)(6) of title 18, United States Code, is amended to read as follows: ``(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information or means of access through which a protected computer (as defined in subparagraphs (A) and (B) of subsection (e)(2)) may be accessed without authorization.''. SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES. Section 1030(b) of title 18, United States Code, is amended by inserting ``as if for the completed offense'' after ``punished as provided''. SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS. Section 1030 of title 18, United States Code, is amended by striking subsections (i) and (j) and inserting the following: ``(i) Criminal Forfeiture.-- ``(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States-- ``(A) such person's interest in any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of such violation; and ``(B) any property, real or personal, constituting or derived from any gross proceeds, or any property traceable to such property, that such person obtained, directly or indirectly, as a result of such violation. 
``(2) The criminal forfeiture of property under this subsection, including any seizure and disposition of the property, and any related judicial or administrative proceeding, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section. ``(j) Civil Forfeiture.-- ``(1) The following shall be subject to forfeiture to the United States and no property right, real or personal, shall exist in them: ``(A) Any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of any violation of this section, or a conspiracy to violate this section. ``(B) Any property, real or personal, constituting or derived from any gross proceeds obtained directly or indirectly, or any property traceable to such property, as a result of the commission of any violation of this section, or a conspiracy to violate this section. ``(2) Seizures and forfeitures under this subsection shall be governed by the provisions in chapter 46 relating to civil forfeitures, except that such duties as are imposed on the Secretary of the Treasury under the customs laws described in section 981(d) shall be performed by such officers, agents and other persons as may be designated for that purpose by the Secretary of Homeland Security or the Attorney General.''. SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS. (a) In General.--Chapter 47 of title 18, United States Code, is amended by inserting after section 1030 the following: ``Sec. 1030A. 
Aggravated damage to a critical infrastructure computer ``(a) Definitions.--In this section-- ``(1) the term `computer' has the meaning given the term in section 1030; ``(2) the term `critical infrastructure computer' means a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated, including-- ``(A) oil and gas production, storage, conversion, and delivery systems; ``(B) water supply systems; ``(C) telecommunication networks; ``(D) electrical power generation and delivery systems; ``(E) finance and banking systems; ``(F) emergency services; ``(G) transportation systems and services; and ``(H) government operations that provide essential services to the public; and ``(3) the term `damage' has the meaning given the term in section 1030. ``(b) Offense.--It shall be unlawful, during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer if the damage results in (or, in the case of an attempt, if completed, would have resulted in) the substantial impairment-- ``(1) of the operation of the critical infrastructure computer; or ``(2) of the critical infrastructure associated with the computer. ``(c) Penalty.--Any person who violates subsection (b) shall be-- ``(1) fined under this title; ``(2) imprisoned for not less than 3 years but not more than 20 years; or ``(3) penalized under paragraphs (1) and (2). 
``(d) Consecutive Sentence.--Notwithstanding any other provision of law-- ``(1) a court shall not place on probation any person convicted of a violation of this section; ``(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment, including any term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for a felony violation of section 1030; ``(3) in determining any term of imprisonment to be imposed for a felony violation of section 1030, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and ``(4) a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section, provided that such discretion shall be exercised in accordance with any applicable guidelines and policy statements issued by the United States Sentencing Commission pursuant to section 994 of title 28.''. (b) Technical and Conforming Amendment.--The chapter analysis for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1030 the following: [[Page S5564]] ``1030A. Aggravated damage to a critical infrastructure computer.''. SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE. 
Section 1030(e)(6) of title 18, United States Code, is amended by striking ``alter;'' and inserting ``alter, but does not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized;''. SEC. 307. NO NEW FUNDING. An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate. TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM PLANNING AND COORDINATION. (a) Goals and Priorities.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following: ``(d) Goals and Priorities.--The goals and priorities for Federal high-performance computing research, development, networking, and other activities under subsection (a)(2)(A) shall include-- ``(1) encouraging and supporting mechanisms for interdisciplinary research and development in networking and information technology, including-- ``(A) through collaborations across agencies; ``(B) through collaborations across Program Component Areas; ``(C) through collaborations with industry; ``(D) through collaborations with institutions of higher education; ``(E) through collaborations with Federal laboratories (as defined in section 4 of the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3703)); and ``(F) through collaborations with international organizations; ``(2) addressing national, multi-agency, multi-faceted challenges of national importance; and ``(3) fostering the transfer of research and development results into new technologies and applications for the benefit of society.''. 
(b) Development of Strategic Plan.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following:
``(e) Strategic Plan.--
``(1) In general.--Not later than 1 year after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the agencies under subsection (a)(3)(B), working through the National Science and Technology Council and with the assistance of the Office of Science and Technology Policy shall develop a 5-year strategic plan to guide the activities under subsection (a)(1).
``(2) Contents.--The strategic plan shall specify--
``(A) the near-term objectives for the Program;
``(B) the long-term objectives for the Program;
``(C) the anticipated time frame for achieving the near-term objectives;
``(D) the metrics that will be used to assess any progress made toward achieving the near-term objectives and the long-term objectives; and
``(E) how the Program will achieve the goals and priorities under subsection (d).
``(3) Implementation roadmap.--
``(A) In general.--The agencies under subsection (a)(3)(B) shall develop and annually update an implementation roadmap for the strategic plan.
``(B) Requirements.--The information in the implementation roadmap shall be coordinated with the database under section 102(c) and the annual report under section 101(a)(3).
The implementation roadmap shall--
``(i) specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated, with consideration of any relevant recommendations of the advisory committee;
``(ii) specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year; and
``(iii) estimate the funding required for each major research objective of the strategic plan for the next 3 fiscal years.
``(4) Recommendations.--The agencies under subsection (a)(3)(B) shall take into consideration when developing the strategic plan under paragraph (1) the recommendations of--
``(A) the advisory committee under subsection (b); and
``(B) the stakeholders under section 102(a)(3).
``(5) Report to congress.--The Director of the Office of Science and Technology Policy shall transmit the strategic plan under this subsection, including the implementation roadmap and any updates under paragraph (3), to--
``(A) the advisory committee under subsection (b);
``(B) the Committee on Commerce, Science, and Transportation of the Senate; and
``(C) the Committee on Science and Technology of the House of Representatives.''.
(c) Periodic Reviews.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following:
``(f) Periodic Reviews.--The agencies under subsection (a)(3)(B) shall--
``(1) periodically assess the contents and funding levels of the Program Component Areas and restructure the Program when warranted, taking into consideration any relevant recommendations of the advisory committee under subsection (b); and
``(2) ensure that the Program includes national, multi-agency, multi-faceted research and development activities, including activities described in section 104.''.
(d) Additional Responsibilities of Director.--Section 101(a)(2) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(2)) is amended--
(1) by redesignating subparagraphs (E) and (F) as subparagraphs (G) and (H), respectively; and
(2) by inserting after subparagraph (D) the following:
``(E) encourage and monitor the efforts of the agencies participating in the Program to allocate the level of resources and management attention necessary--
``(i) to ensure that the strategic plan under subsection (e) is developed and executed effectively; and
``(ii) to ensure that the objectives of the Program are met;
``(F) working with the Office of Management and Budget and in coordination with the creation of the database under section 102(c), direct the Office of Science and Technology Policy and the agencies participating in the Program to establish a mechanism (consistent with existing law) to track all ongoing and completed research and development projects and associated funding;''.
(e) Advisory Committee.--Section 101(b) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is amended--
(1) in paragraph (1)--
(A) by inserting after the first sentence the following: ``The co-chairs of the advisory committee shall meet the qualifications of committee members and may be members of the President's Council of Advisors on Science and Technology.''; and
(B) by striking ``high-performance'' in subparagraph (D) and inserting ``high-end''; and
(2) by amending paragraph (2) to read as follows:
``(2) In addition to the duties under paragraph (1), the advisory committee shall conduct periodic evaluations of the funding, management, coordination, implementation, and activities of the Program. The advisory committee shall report its findings and recommendations not less frequently than once every 3 fiscal years to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives.
The report shall be submitted in conjunction with the update of the strategic plan.''.
(f) Report.--Section 101(a)(3) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
(1) in subparagraph (C)--
(A) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and
(B) by striking ``each Program Component Area'' and inserting ``each Program Component Area and each research area supported in accordance with section 104'';
(2) in subparagraph (D)--
(A) by striking ``each Program Component Area,'' and inserting ``each Program Component Area and each research area supported in accordance with section 104,'';
(B) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and
(C) by striking ``and'' after the semicolon;
(3) by redesignating subparagraph (E) as subparagraph (G); and
(4) by inserting after subparagraph (D) the following:
``(E) include a description of how the objectives for each Program Component Area, and the objectives for activities that involve multiple Program Component Areas, relate to the objectives of the Program identified in the strategic plan under subsection (e);
``(F) include--
``(i) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the next fiscal year by category of activity;
``(ii) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the current fiscal year by category of activity; and
``(iii) the amount of funding provided for the Office of Science and Technology Policy for the current fiscal year by each agency participating in the Program; and''.
(g) Definitions.--Section 4 of the High-Performance Computing Act of 1991 (15 U.S.C. 5503) is amended--
(1) by redesignating paragraphs (1) and (2) as paragraphs (2) and (3), respectively;
(2) by redesignating paragraph (3) as paragraph (6);
(3) by redesignating paragraphs (6) and (7) as paragraphs (7) and (8), respectively;
(4) by inserting before paragraph (2), as redesignated, the following:
``(1) `cyber-physical systems' means physical or engineered systems whose networking and information technology functions and physical elements are deeply integrated and are actively connected to the physical world through sensors, actuators, or other means to perform monitoring and control functions;'';
(5) in paragraph (3), as redesignated, by striking ``high-performance computing'' and inserting ``networking and information technology'';
(6) in paragraph (6), as redesignated--
(A) by striking ``high-performance computing'' and inserting ``networking and information technology''; and
(B) by striking ``supercomputer'' and inserting ``high-end computing'';
(7) in paragraph (5), by striking ``network referred to as'' and all that follows through the semicolon and inserting ``network, including advanced computer networks of Federal agencies and departments''; and
(8) in paragraph (7), as redesignated, by striking ``National High-Performance Computing Program'' and inserting ``networking and information technology research and development program''.

SEC. 402. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
(a) Research in Areas of National Importance.--Title I of the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et seq.) is amended by adding at the end the following:
``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
``(a) In General.--The Program shall encourage agencies under section 101(a)(3)(B) to support, maintain, and improve national, multi-agency, multi-faceted, research and development activities in networking and information technology directed toward application areas that have the potential for significant contributions to national economic competitiveness and for other significant societal benefits.
``(b) Technical Solutions.--An activity under subsection (a) shall be designed to advance the development of research discoveries by demonstrating technical solutions to important problems in areas including--
``(1) cybersecurity;
``(2) health care;
``(3) energy management and low-power systems and devices;
``(4) transportation, including surface and air transportation;
``(5) cyber-physical systems;
``(6) large-scale data analysis and modeling of physical phenomena;
``(7) large-scale data analysis and modeling of behavioral phenomena;
``(8) supply chain quality and security; and
``(9) privacy protection and protected disclosure of confidential data.
``(c) Recommendations.--The advisory committee under section 101(b) shall make recommendations to the Program for candidate research and development areas for support under this section.
``(d) Characteristics.--
``(1) In general.--Research and development activities under this section--
``(A) shall include projects selected on the basis of applications for support through a competitive, merit-based process;
``(B) shall leverage, when possible, Federal investments through collaboration with related State initiatives;
``(C) shall include a plan for fostering the transfer of research discoveries and the results of technology demonstration activities, including from institutions of higher education and Federal laboratories, to industry for commercial development;
``(D) shall involve collaborations among researchers in institutions of higher education and industry; and
``(E) may involve collaborations among nonprofit research institutions and Federal laboratories, as appropriate.
``(2) Cost-sharing.--In selecting applications for support, the agencies under section 101(a)(3)(B) shall give special consideration to projects that include cost sharing from non-Federal sources.
``(3) Multidisciplinary research centers.--Research and development activities under this section shall be supported through multidisciplinary research centers, including Federal laboratories, that are organized to investigate basic research questions and carry out technology demonstration activities in areas described in subsection (a). Research may be carried out through existing multidisciplinary centers, including those authorized under section 7024(b)(2) of the America COMPETES Act (42 U.S.C. 1862o-10(2)).''.
(b) Cyber-Physical Systems.--Section 101(a)(1) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(1)) is amended--
(1) in subparagraph (H), by striking ``and'' after the semicolon;
(2) in subparagraph (I), by striking the period at the end and inserting a semicolon; and
(3) by adding at the end the following:
``(J) provide for increased understanding of the scientific principles of cyber-physical systems and improve the methods available for the design, development, and operation of cyber-physical systems that are characterized by high reliability, safety, and security; and
``(K) provide for research and development on human-computer interactions, visualization, and big data.''.
(c) Task Force.--Title I of the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 402(a) of this Act, is amended by adding at the end the following:
``SEC. 105. TASK FORCE.
``(a) Establishment.--Not later than 180 days after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Director of the Office of Science and Technology Policy under section 102 shall convene a task force to explore mechanisms for carrying out collaborative research and development activities for cyber-physical systems (including the related technologies required to enable these systems) through a consortium or other appropriate entity with participants from institutions of higher education, Federal laboratories, and industry.
``(b) Functions.--The task force shall--
``(1) develop options for a collaborative model and an organizational structure for such entity under which the joint research and development activities could be planned, managed, and conducted effectively, including mechanisms for the allocation of resources among the participants in such entity for support of such activities;
``(2) propose a process for developing a research and development agenda for such entity, including guidelines to ensure an appropriate scope of work focused on nationally significant challenges and requiring collaboration and to ensure the development of related scientific and technological milestones;
``(3) define the roles and responsibilities for the participants from institutions of higher education, Federal laboratories, and industry in such entity;
``(4) propose guidelines for assigning intellectual property rights and for transferring research results to the private sector; and
``(5) make recommendations for how such entity could be funded from Federal, State, and non-governmental sources.
``(c) Composition.--In establishing the task force under subsection (a), the Director of the Office of Science and Technology Policy shall appoint an equal number of individuals from institutions of higher education and from industry with knowledge and expertise in cyber-physical systems, and may appoint not more than 2 individuals from Federal laboratories.
``(d) Report.--Not later than 1 year after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Director of the Office of Science and Technology Policy shall transmit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives a report describing the findings and recommendations of the task force.
``(e) Termination.--The task force shall terminate upon transmittal of the report required under subsection (d).
``(f) Compensation and Expenses.--Members of the task force shall serve without compensation.''.

SEC. 403. PROGRAM IMPROVEMENTS.
Section 102 of the High-Performance Computing Act of 1991 (15 U.S.C. 5512) is amended to read as follows:
``SEC. 102. PROGRAM IMPROVEMENTS.
``(a) Functions.--The Director of the Office of Science and Technology Policy shall continue--
``(1) to provide technical and administrative support to--
``(A) the agencies participating in planning and implementing the Program, including support needed to develop the strategic plan under section 101(e); and
``(B) the advisory committee under section 101(b);
``(2) to serve as the primary point of contact on Federal networking and information technology activities for government agencies, academia, industry, professional societies, State computing and networking technology programs, interested citizen groups, and others to exchange technical and programmatic information;
``(3) to solicit input and recommendations from a wide range of stakeholders during the development of each strategic plan under section 101(e) by convening at least 1 workshop with invitees from academia, industry, Federal laboratories, and other relevant organizations and institutions;
``(4) to conduct public outreach, including the dissemination of the advisory committee's findings and recommendations, as appropriate;
``(5) to promote access to and early application of the technologies, innovations, and expertise derived from Program activities to agency missions and systems across the Federal Government and to United States industry;
``(6) to ensure accurate and detailed budget reporting of networking and information technology research and development investment; and
``(7) to encourage agencies participating in the Program to use existing programs and resources to strengthen networking and information technology education and training, and increase participation in such fields, including by women and underrepresented minorities.
``(b) Source of Funding.--
``(1) In general.--The functions under this section shall be supported by funds from each agency participating in the Program.
``(2) Specifications.--The portion of the total budget of the Office of Science and Technology Policy that is provided by each agency participating in the Program for each fiscal year shall be in the same proportion as each agency's share of the total budget for the Program for the previous fiscal year, as specified in the database under section 102(c).
``(c) Database.--
``(1) In general.--The Director of the Office of Science and Technology Policy shall develop and maintain a database of projects funded by each agency for the fiscal year for each Program Component Area.
``(2) Public accessibility.--The Director of the Office of Science and Technology Policy shall make the database accessible to the public.
``(3) Database contents.--The database shall include, for each project in the database--
``(A) a description of the project;
``(B) each agency, industry, institution of higher education, Federal laboratory, or international institution involved in the project;
``(C) the source funding of the project (set forth by agency);
``(D) the funding history of the project; and
``(E) whether the project has been completed.''.

SEC. 404. IMPROVING EDUCATION OF NETWORKING AND INFORMATION TECHNOLOGY, INCLUDING HIGH PERFORMANCE COMPUTING.
Section 201(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5521(a)) is amended--
(1) by redesignating paragraphs (2) through (4) as paragraphs (3) through (5), respectively; and
(2) by inserting after paragraph (1) the following:
``(2) the National Science Foundation shall use its existing programs, in collaboration with other agencies, as appropriate, to improve the teaching and learning of networking and information technology at all levels of education and to increase participation in networking and information technology fields;''.

SEC. 405. CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-PERFORMANCE COMPUTING ACT OF 1991.
(a) Section 3.--Section 3 of the High-Performance Computing Act of 1991 (15 U.S.C. 5502) is amended--
(1) in the matter preceding paragraph (1), by striking ``high-performance computing'' and inserting ``networking and information technology'';
(2) in paragraph (1)--
(A) in the matter preceding subparagraph (A), by striking ``high-performance computing'' and inserting ``networking and information technology'';
(B) in subparagraphs (A), (F), and (G), by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and
(C) in subparagraph (H), by striking ``high-performance'' and inserting ``high-end''; and
(3) in paragraph (2)--
(A) by striking ``high-performance computing and'' and inserting ``networking and information technology, and''; and
(B) by striking ``high-performance computing network'' and inserting ``networking and information technology''.
(b) Title Heading.--The heading of title I of the High-Performance Computing Act of 1991 (105 Stat. 1595) is amended by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting ``NETWORKING AND INFORMATION TECHNOLOGY''.
(c) Section 101.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended--
(1) in the section heading, by striking ``high-performance computing'' and inserting ``networking and information technology research and development'';
(2) in subsection (a)--
(A) in the subsection heading, by striking ``National High-Performance Computing'' and inserting ``Networking and Information Technology Research and Development'';
(B) in paragraph (1)--
(i) by striking ``National High-Performance Computing Program'' and inserting ``networking and information technology research and development program'';
(ii) in subparagraph (A), by striking ``high-performance computing, including networking'' and inserting ``networking and information technology'';
(iii) in subparagraphs (B) and (G), by striking ``high-performance'' each place it appears and inserting ``high-end''; and
(iv) in subparagraph (C), by striking ``high-performance computing and networking'' and inserting ``high-end computing, distributed, and networking''; and
(C) in paragraph (2)--
(i) in subparagraphs (A) and (C)--
(I) by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and
(II) by striking ``development, networking,'' each place it appears and inserting ``development,''; and
(ii) in subparagraphs (G) and (H), as redesignated by section 401(d) of this Act, by striking ``high-performance'' each place it appears and inserting ``high-end'';
(3) in subsection (b)(1), in the matter preceding subparagraph (A), by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and
(4) in subsection (c)(1)(A), by striking ``high-performance computing'' and inserting ``networking and information technology''.
(d) Section 201.--Section 201(a)(1) of the High-Performance Computing Act of 1991 (15 U.S.C. 5521(a)(1)) is amended by striking ``high-performance computing and advanced high-speed computer networking'' and inserting ``networking and information technology research and development''.
(e) Section 202.--Section 202(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by striking ``high-performance computing'' and inserting ``networking and information technology''.
(f) Section 203.--Section 203(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5523(a)) is amended--
(1) in paragraph (1), by striking ``high-performance computing and networking'' and inserting ``networking and information technology''; and
(2) in paragraph (2)(A), by striking ``high-performance'' and inserting ``high-end''.
(g) Section 204.--Section 204 of the High-Performance Computing Act of 1991 (15 U.S.C. 5524) is amended--
(1) in subsection (a)(1)--
(A) in subparagraph (A), by striking ``high-performance computing systems and networks'' and inserting ``networking and information technology systems and capabilities'';
(B) in subparagraph (B), by striking ``interoperability of high-performance computing systems in networks and for common user interfaces to systems'' and inserting ``interoperability and usability of networking and information technology systems''; and
(C) in subparagraph (C), by striking ``high-performance computing'' and inserting ``networking and information technology''; and
(2) in subsection (b)--
(A) by striking ``High-Performance Computing and Network'' in the heading and inserting ``Networking and Information Technology''; and
(B) by striking ``sensitive''.
(h) Section 205.--Section 205(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by striking ``computational'' and inserting ``networking and information technology''.
(i) Section 206.--Section 206(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5526(a)) is amended by striking ``computational research'' and inserting ``networking and information technology research''.
(j) Section 207.--Section 207 of the High-Performance Computing Act of 1991 (15 U.S.C. 5527) is amended by striking ``high-performance computing'' and inserting ``networking and information technology''.
(k) Section 208.--Section 208 of the High-Performance Computing Act of 1991 (15 U.S.C. 5528) is amended--
(1) in the section heading, by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting ``NETWORKING AND INFORMATION TECHNOLOGY''; and
(2) in subsection (a)--
(A) in paragraph (1), by striking ``High-performance computing and associated'' and inserting ``Networking and information'';
(B) in paragraph (2), by striking ``high-performance computing'' and inserting ``networking and information technologies'';
(C) in paragraph (3), by striking ``high-performance'' and inserting ``high-end'';
(D) in paragraph (4), by striking ``high-performance computers and associated'' and inserting ``networking and information''; and
(E) in paragraph (5), by striking ``high-performance computing and associated'' and inserting ``networking and information''.

SEC. 406. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) In General.--The Director of the National Science Foundation, in coordination with the Secretary of Homeland Security, shall carry out a Federal cyber scholarship-for-service program to recruit and train the next generation of information technology professionals and security managers to meet the needs of the cybersecurity mission for the Federal government.
(b) Program Description and Components.--The program shall--
(1) annually assess the workforce needs of the Federal government for cybersecurity professionals, including network engineers, software engineers, and other experts in order to determine how many scholarships should be awarded annually to ensure that the workforce needs following graduation match the number of scholarships awarded;
(2) provide scholarships for up to 1,000 students per year in their pursuit of undergraduate or graduate degrees in the cybersecurity field, in an amount that may include coverage for full tuition, fees, and a stipend;
(3) require each scholarship recipient, as a condition of receiving a scholarship under the program, to serve in a Federal information technology workforce for a period equal to one and one-half times each year, or partial year, of scholarship received, in addition to an internship in the cybersecurity field, if applicable, following graduation;
(4) provide a procedure for the National Science Foundation or a Federal agency, consistent with regulations of the Office of Personnel Management, to request and fund a security clearance for a scholarship recipient, including providing for clearance during a summer internship and upon graduation; and
(5) provide opportunities for students to receive temporary appointments for meaningful employment in the Federal information technology workforce during school vacation periods and for internships.
(c) Hiring Authority.--
(1) In general.--For purposes of any law or regulation governing the appointment of an individual in the Federal civil service, upon the successful completion of the student's studies, a student receiving a scholarship under the program may--
(A) be hired under section 213.3102(r) of title 5, Code of Federal Regulations; and
(B) be exempt from competitive service.
(2) Competitive service.--Upon satisfactory fulfillment of the service term under paragraph (1), an individual may be converted to a competitive service position without competition if the individual meets the requirements for that position.
(d) Eligibility.--The eligibility requirements for a scholarship under this section shall include that a scholarship applicant--
(1) be a citizen of the United States;
(2) be eligible to be granted a security clearance;
(3) maintain a grade point average of 3.2 or above on a 4.0 scale for undergraduate study or a 3.5 or above on a 4.0 scale for postgraduate study;
(4) demonstrate a commitment to a career in improving the security of the information infrastructure; and
(5) have demonstrated a level of proficiency in math or computer sciences.
(e) Failure to Complete Service Obligation.--
(1) In general.--A scholarship recipient under this section shall be liable to the United States under paragraph (2) if the scholarship recipient--
(A) fails to maintain an acceptable level of academic standing in the educational institution in which the individual is enrolled, as determined by the Director;
(B) is dismissed from such educational institution for disciplinary reasons;
(C) withdraws from the program for which the award was made before the completion of such program;
(D) declares that the individual does not intend to fulfill the service obligation under this section;
(E) fails to fulfill the service obligation of the individual under this section; or
(F) loses a security clearance or becomes ineligible for a security clearance.
(2) Repayment amounts.--
(A) Less than 1 year of service.--If a circumstance under paragraph (1) occurs before the completion of 1 year of a service obligation under this section, the total amount of awards received by the individual under this section shall be repaid.
(B) One or more years of service.--If a circumstance described in subparagraph (D) or (E) of paragraph (1) occurs after the completion of 1 year of a service obligation under this section, the total amount of scholarship awards received by the individual under this section, reduced by the ratio of the number of years of service completed divided by the number of years of service required, shall be repaid.
(f) Evaluation and Report.--The Director of the National Science Foundation shall--
(1) evaluate the success of recruiting individuals for scholarships under this section and of hiring and retaining those individuals in the public sector workforce, including the annual cost and an assessment of how the program actually improves the Federal workforce; and
(2) periodically report the findings under paragraph (1) to Congress.
(g) Authorization of Appropriations.--From amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), the Director may use funds to carry out the requirements of this section for fiscal years 2012 through 2013.

SEC. 407. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF INFORMATION INFRASTRUCTURE PROFESSIONALS.
(a) Study.--The President shall enter into an agreement with the National Academies to conduct a comprehensive study of government, academic, and private-sector accreditation, training, and certification programs for personnel working in information infrastructure. The agreement shall require the National Academies to consult with sector coordinating councils and relevant governmental agencies, regulatory entities, and nongovernmental organizations in the course of the study.
(b) Scope.--The study shall include--
(1) an evaluation of the body of knowledge and various skills that specific categories of personnel working in information infrastructure should possess in order to secure information systems;
(2) an assessment of whether existing government, academic, and private-sector accreditation, training, and certification programs provide the body of knowledge and various skills described in paragraph (1);
(3) an analysis of any barriers to the Federal Government recruiting and hiring cybersecurity talent, including barriers relating to compensation, the hiring process, job classification, and hiring flexibility; and
(4) an analysis of the sources and availability of cybersecurity talent, a comparison of the skills and expertise sought by the Federal Government and the private sector, an examination of the current and future capacity of United States institutions of higher education, including community colleges, to provide current and future cybersecurity professionals, through education and training activities, with those skills sought by the Federal Government, State and local entities, and the private sector.
(c) Report.--Not later than 1 year after the date of enactment of this Act, the National Academies shall submit to the President and Congress a report on the results of the study. The report shall include--
(1) findings regarding the state of information infrastructure accreditation, training, and certification programs, including specific areas of deficiency and demonstrable progress; and
(2) recommendations for the improvement of information infrastructure accreditation, training, and certification programs.

SEC. 408. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.
(a) In General.--The Director of the National Institute of Standards and Technology, in coordination with appropriate Federal authorities, shall-- (1) as appropriate, ensure coordination of Federal agencies engaged in the development of international technical standards related to information system security; and (2) not later than 1 year after the date of enactment of this Act, develop and transmit to Congress a plan for ensuring such Federal agency coordination. (b) Consultation With the Private Sector.--In carrying out the activities under subsection (a)(1), the Director shall ensure consultation with appropriate private sector stakeholders. SEC. 409. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT. The Director of the National Institute of Standards and Technology shall continue a program to support the development of technical standards, metrology, testbeds, and conformance criteria, taking into account appropriate user concerns-- (1) to improve interoperability among identity management technologies; (2) to strengthen authentication methods of identity management systems; (3) to improve privacy protection in identity management systems, including health information technology systems, through authentication and security protocols; and (4) to improve the usability of identity management systems. SEC. 410. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT. (a) National Science Foundation Computer and Network Security Research Grant Areas.--Section 4(a)(1) of the Cyber Security Research and Development Act (15 U.S.C. 
7403(a)(1)) is amended-- (1) in subparagraph (H), by striking ``and'' after the semicolon; (2) in subparagraph (I), by striking ``property.'' and inserting ``property;''; and (3) by adding at the end the following: ``(J) secure fundamental protocols that are at the heart of inter-network communications and data exchange; ``(K) system security that addresses the building of secure systems from trusted and untrusted components; ``(L) monitoring and detection; and ``(M) resiliency and rapid recovery methods.''. (b) National Science Foundation Computer and Network Security Grants.--Section 4(a)(3) of the Cyber Security Research and Development Act (15 U.S.C. 7403(a)(3)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (c) Computer and Network Security Centers.--Section 4(b)(7) of the Cyber Security Research and Development Act (15 U.S.C. 7403(b)(7)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (d) Computer and Network Security Capacity Building Grants.--Section 5(a)(6) of the Cyber Security Research and Development Act (15 U.S.C. 
7404(a)(6)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (e) Scientific and Advanced Technology Act Grants.--Section 5(b)(2) of the Cyber Security Research and Development Act (15 U.S.C. 7404(b)(2)) is amended-- (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. (f) Graduate Traineeships in Computer and Network Security Research.--Section 5(c)(7) of the Cyber Security Research and Development Act (15 U.S.C. 7404(c)(7)) is amended-- [[Page S5568]] (1) in subparagraph (D), by striking ``and''; (2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and (3) by adding at the end the following: ``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''. ______ SA 2609. Mr. PAUL submitted an amendment intended to be proposed by him to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: At the appropriate place, insert the following: SEC. __. LIMITATION ON FOREIGN ASSISTANCE TO PAKISTAN. 
No amounts may be obligated or expended to provide any direct United States assistance to the Government of Pakistan unless the President certifies to Congress that-- (1) Dr. Shakil Afridi has been released from prison in Pakistan; (2) any criminal charges brought against Dr. Afridi, including treason, have been dropped; and (3) if necessary to ensure his freedom, Dr. Afridi has been allowed to leave Pakistan. ______ SA 2610. Mrs. HUTCHISON submitted an amendment intended to be proposed by her to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: Beginning on page 106, strike line 8 and all that follows through page 156, line 13, and insert the following: TITLE III--CYBERSECURITY RESEARCH AND DEVELOPMENT SEC. 301. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM PLANNING AND COORDINATION. (a) Goals and Priorities.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following: ``(d) Goals and Priorities.--The goals and priorities for Federal high-performance computing research, development, networking, and other activities under subsection (a)(2)(A) shall include-- ``(1) encouraging and supporting mechanisms for interdisciplinary research and development in networking and information technology, including-- ``(A) through collaborations across agencies; ``(B) through collaborations across Program Component Areas; ``(C) through collaborations with industry; ``(D) through collaborations with institutions of higher education; ``(E) through collaborations with Federal laboratories (as defined in section 4 of the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C.
3703)); and ``(F) through collaborations with international organizations; ``(2) addressing national, multi-agency, multi-faceted challenges of national importance; and ``(3) fostering the transfer of research and development results into new technologies and applications for the benefit of society.''. (b) Development of Strategic Plan.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following: ``(e) Strategic Plan.-- ``(1) In general.--Not later than 1 year after the date of enactment of the Cybersecurity Act of 2012, the agencies under subsection (a)(3)(B), working through the National Science and Technology Council and with the assistance of the Office of Science and Technology Policy, shall develop a 5-year strategic plan to guide the activities under subsection (a)(1). ``(2) Contents.--The strategic plan shall specify-- ``(A) the near-term objectives for the Program; ``(B) the long-term objectives for the Program; ``(C) the anticipated time frame for achieving the near-term objectives; ``(D) the metrics that will be used to assess any progress made toward achieving the near-term objectives and the long-term objectives; and ``(E) how the Program will achieve the goals and priorities under subsection (d). ``(3) Implementation roadmap.-- ``(A) In general.--The agencies under subsection (a)(3)(B) shall develop and annually update an implementation roadmap for the strategic plan. ``(B) Requirements.--The information in the implementation roadmap shall be coordinated with the database under section 102(c) and the annual report under section 101(a)(3).
The implementation roadmap shall-- ``(i) specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated, with consideration of any relevant recommendations of the advisory committee; ``(ii) specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year; and ``(iii) estimate the funding required for each major research objective of the strategic plan for the next 3 fiscal years. ``(4) Recommendations.--The agencies under subsection (a)(3)(B) shall take into consideration when developing the strategic plan under paragraph (1) the recommendations of-- ``(A) the advisory committee under subsection (b); and ``(B) the stakeholders under section 102(a)(3). ``(5) Report to congress.--The Director of the Office of Science and Technology Policy shall transmit the strategic plan under this subsection, including the implementation roadmap and any updates under paragraph (3), to-- ``(A) the advisory committee under subsection (b); ``(B) the Committee on Commerce, Science, and Transportation of the Senate; and ``(C) the Committee on Science and Technology of the House of Representatives.''. (c) Periodic Reviews.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following: ``(f) Periodic Reviews.--The agencies under subsection (a)(3)(B) shall-- ``(1) periodically assess the contents and funding levels of the Program Component Areas and restructure the Program when warranted, taking into consideration any relevant recommendations of the advisory committee under subsection (b); and ``(2) ensure that the Program includes national, multi-agency, multi-faceted research and development activities, including activities described in section 104.''.
(d) Additional Responsibilities of Director.--Section 101(a)(2) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(2)) is amended-- (1) by redesignating subparagraphs (E) and (F) as subparagraphs (G) and (H), respectively; and (2) by inserting after subparagraph (D) the following: ``(E) encourage and monitor the efforts of the agencies participating in the Program to allocate the level of resources and management attention necessary-- ``(i) to ensure that the strategic plan under subsection (e) is developed and executed effectively; and ``(ii) to ensure that the objectives of the Program are met; ``(F) working with the Office of Management and Budget and in coordination with the creation of the database under section 102(c), direct the Office of Science and Technology Policy and the agencies participating in the Program to establish a mechanism (consistent with existing law) to track all ongoing and completed research and development projects and associated funding;''. (e) Advisory Committee.--Section 101(b) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is amended-- (1) in paragraph (1)-- (A) by inserting after the first sentence the following: ``The co-chairs of the advisory committee shall meet the qualifications of committee members and may be members of the President's Council of Advisors on Science and Technology.''; and (B) by striking ``high-performance'' in subparagraph (D) and inserting ``high-end''; and (2) by amending paragraph (2) to read as follows: ``(2) In addition to the duties under paragraph (1), the advisory committee shall conduct periodic evaluations of the funding, management, coordination, implementation, and activities of the Program. The advisory committee shall report its findings and recommendations not less frequently than once every 3 fiscal years to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives.
The report shall be submitted in conjunction with the update of the strategic plan.''. (f) Report.--Section 101(a)(3) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended-- (1) in subparagraph (C)-- (A) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and (B) by striking ``each Program Component Area'' and inserting ``each Program Component Area and each research area supported in accordance with section 104''; (2) in subparagraph (D)-- (A) by striking ``each Program Component Area,'' and inserting ``each Program Component Area and each research area supported in accordance with section 104,''; (B) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and (C) by striking ``and'' after the semicolon; (3) by redesignating subparagraph (E) as subparagraph (G); and (4) by inserting after subparagraph (D) the following: ``(E) include a description of how the objectives for each Program Component Area, and the objectives for activities that involve multiple Program Component Areas, relate to the objectives of the Program identified in the strategic plan under subsection (e); ``(F) include-- [[Page S5569]] ``(i) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the next fiscal year by category of activity; ``(ii) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the current fiscal year by category of activity; and ``(iii) the amount of funding provided for the Office of Science and Technology Policy for the current fiscal year by each agency participating in the Program; and''. (g) Definitions.--Section 4 of the High-Performance Computing Act of 1991 (15 U.S.C. 
5503) is amended-- (1) by redesignating paragraphs (1) and (2) as paragraphs (2) and (3), respectively; (2) by redesignating paragraph (3) as paragraph (6); (3) by redesignating paragraphs (6) and (7) as paragraphs (7) and (8), respectively; (4) by inserting before paragraph (2), as redesignated, the following: ``(1) `cyber-physical systems' means physical or engineered systems whose networking and information technology functions and physical elements are deeply integrated and are actively connected to the physical world through sensors, actuators, or other means to perform monitoring and control functions;''; (5) in paragraph (3), as redesignated, by striking ``high-performance computing'' and inserting ``networking and information technology''; (6) in paragraph (6), as redesignated-- (A) by striking ``high-performance computing'' and inserting ``networking and information technology''; and (B) by striking ``supercomputer'' and inserting ``high-end computing''; (7) in paragraph (5), by striking ``network referred to as'' and all that follows through the semicolon and inserting ``network, including advanced computer networks of Federal agencies and departments''; and (8) in paragraph (7), as redesignated, by striking ``National High-Performance Computing Program'' and inserting ``networking and information technology research and development program''. SEC. 302. RESEARCH IN AREAS OF NATIONAL IMPORTANCE. (a) Research in Areas of National Importance.--Title I of the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et seq.) is amended by adding at the end the following: ``SEC. 104. RESEARCH IN AREAS OF NATIONAL IMPORTANCE.
``(a) In General.--The Program shall encourage agencies under section 101(a)(3)(B) to support, maintain, and improve national, multi-agency, multi-faceted, research and development activities in networking and information technology directed toward application areas that have the potential for significant contributions to national economic competitiveness and for other significant societal benefits. ``(b) Technical Solutions.--An activity under subsection (a) shall be designed to advance the development of research discoveries by demonstrating technical solutions to important problems in areas including-- ``(1) cybersecurity; ``(2) health care; ``(3) energy management and low-power systems and devices; ``(4) transportation, including surface and air transportation; ``(5) cyber-physical systems; ``(6) large-scale data analysis and modeling of physical phenomena; ``(7) large scale data analysis and modeling of behavioral phenomena; ``(8) supply chain quality and security; and ``(9) privacy protection and protected disclosure of confidential data. ``(c) Recommendations.--The advisory committee under section 101(b) shall make recommendations to the Program for candidate research and development areas for support under this section. 
``(d) Characteristics.-- ``(1) In general.--Research and development activities under this section-- ``(A) shall include projects selected on the basis of applications for support through a competitive, merit-based process; ``(B) shall leverage, when possible, Federal investments through collaboration with related State initiatives; ``(C) shall include a plan for fostering the transfer of research discoveries and the results of technology demonstration activities, including from institutions of higher education and Federal laboratories, to industry for commercial development; ``(D) shall involve collaborations among researchers in institutions of higher education and industry; and ``(E) may involve collaborations among nonprofit research institutions and Federal laboratories, as appropriate. ``(2) Cost-sharing.--In selecting applications for support, the agencies under section 101(a)(3)(B) shall give special consideration to projects that include cost sharing from non-Federal sources. ``(3) Multidisciplinary research centers.--Research and development activities under this section shall be supported through multidisciplinary research centers, including Federal laboratories, that are organized to investigate basic research questions and carry out technology demonstration activities in areas described in subsection (a). Research may be carried out through existing multidisciplinary centers, including those authorized under section 7024(b)(2) of the America COMPETES Act (42 U.S.C. 1862o-10(2)).''. (b) Cyber-Physical Systems.--Section 101(a)(1) of the High-Performance Computing Act of 1991 (15 U.S.C.
5511(a)(1)) is amended-- (1) in subparagraph (H), by striking ``and'' after the semicolon; (2) in subparagraph (I), by striking the period at the end and inserting a semicolon; and (3) by adding at the end the following: ``(J) provide for increased understanding of the scientific principles of cyber-physical systems and improve the methods available for the design, development, and operation of cyber-physical systems that are characterized by high reliability, safety, and security; and ``(K) provide for research and development on human-computer interactions, visualization, and big data.''. (c) Task Force.--Title I of the High-Performance Computing Act of 1991 (15 U.S.C. 5511 et seq.), as amended by section 302(a) of this Act, is amended by adding at the end the following: ``SEC. 105. TASK FORCE. ``(a) Establishment.--Not later than 180 days after the date of enactment of the Cybersecurity Act of 2012, the Director of the Office of Science and Technology Policy under section 102 shall convene a task force to explore mechanisms for carrying out collaborative research and development activities for cyber-physical systems (including the related technologies required to enable these systems) through a consortium or other appropriate entity with participants from institutions of higher education, Federal laboratories, and industry.
``(b) Functions.--The task force shall-- ``(1) develop options for a collaborative model and an organizational structure for such entity under which the joint research and development activities could be planned, managed, and conducted effectively, including mechanisms for the allocation of resources among the participants in such entity for support of such activities; ``(2) propose a process for developing a research and development agenda for such entity, including guidelines to ensure an appropriate scope of work focused on nationally significant challenges and requiring collaboration and to ensure the development of related scientific and technological milestones; ``(3) define the roles and responsibilities for the participants from institutions of higher education, Federal laboratories, and industry in such entity; ``(4) propose guidelines for assigning intellectual property rights and for transferring research results to the private sector; and ``(5) make recommendations for how such entity could be funded from Federal, State, and non-governmental sources. ``(c) Composition.--In establishing the task force under subsection (a), the Director of the Office of Science and Technology Policy shall appoint an equal number of individuals from institutions of higher education and from industry with knowledge and expertise in cyber-physical systems, and may appoint not more than 2 individuals from Federal laboratories. ``(d) Report.--Not later than 1 year after the date of enactment of the Cybersecurity Act of 2012, the Director of the Office of Science and Technology Policy shall transmit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives a report describing the findings and recommendations of the task force. ``(e) Termination.--The task force shall terminate upon transmittal of the report required under subsection (d). 
``(f) Compensation and Expenses.--Members of the task force shall serve without compensation.''. SEC. 303. PROGRAM IMPROVEMENTS. Section 102 of the High-Performance Computing Act of 1991 (15 U.S.C. 5512) is amended to read as follows: ``SEC. 102. PROGRAM IMPROVEMENTS. ``(a) Functions.--The Director of the Office of Science and Technology Policy shall continue-- ``(1) to provide technical and administrative support to-- ``(A) the agencies participating in planning and implementing the Program, including support needed to develop the strategic plan under section 101(e); and ``(B) the advisory committee under section 101(b); ``(2) to serve as the primary point of contact on Federal networking and information technology activities for government agencies, academia, industry, professional societies, State computing and networking technology programs, interested citizen groups, and others to exchange technical and programmatic information; ``(3) to solicit input and recommendations from a wide range of stakeholders during the development of each strategic plan under section 101(e) by convening at least 1 workshop with invitees from academia, industry, Federal laboratories, and other relevant organizations and institutions; ``(4) to conduct public outreach, including the dissemination of the advisory committee's findings and recommendations, as appropriate; ``(5) to promote access to and early application of the technologies, innovations, and expertise derived from Program activities to [[Page S5570]] agency missions and systems across the Federal Government and to United States industry; ``(6) to ensure accurate and detailed budget reporting of networking and information technology research and development investment; and ``(7) to encourage agencies participating in the Program to use existing programs and resources to strengthen networking and information technology education and training, and increase participation in such fields, including by women and 
underrepresented minorities. ``(b) Source of Funding.-- ``(1) In general.--The functions under this section shall be supported by funds from each agency participating in the Program. ``(2) Specifications.--The portion of the total budget of the Office of Science and Technology Policy that is provided by each agency participating in the Program for each fiscal year shall be in the same proportion as each agency's share of the total budget for the Program for the previous fiscal year, as specified in the database under section 102(c). ``(c) Database.-- ``(1) In general.--The Director of the Office of Science and Technology Policy shall develop and maintain a database of projects funded by each agency for the fiscal year for each Program Component Area. ``(2) Public accessibility.--The Director of the Office of Science and Technology Policy shall make the database accessible to the public. ``(3) Database contents.--The database shall include, for each project in the database-- ``(A) a description of the project; ``(B) each agency, industry, institution of higher education, Federal laboratory, or international institution involved in the project; ``(C) the source funding of the project (set forth by agency); ``(D) the funding history of the project; and ``(E) whether the project has been completed.''. SEC. 304. IMPROVING EDUCATION OF NETWORKING AND INFORMATION TECHNOLOGY, INCLUDING HIGH PERFORMANCE COMPUTING. Section 201(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5521(a)) is amended-- (1) by redesignating paragraphs (2) through (4) as paragraphs (3) through (5), respectively; and (2) by inserting after paragraph (1) the following: ``(2) the National Science Foundation shall use its existing programs, in collaboration with other agencies, as appropriate, to improve the teaching and learning of networking and information technology at all levels of education and to increase participation in networking and information technology fields;''. SEC. 305. 
CONFORMING AND TECHNICAL AMENDMENTS TO THE HIGH-PERFORMANCE COMPUTING ACT OF 1991. (a) Section 3.--Section 3 of the High-Performance Computing Act of 1991 (15 U.S.C. 5502) is amended-- (1) in the matter preceding paragraph (1), by striking ``high-performance computing'' and inserting ``networking and information technology''; (2) in paragraph (1)-- (A) in the matter preceding subparagraph (A), by striking ``high-performance computing'' and inserting ``networking and information technology''; (B) in subparagraphs (A), (F), and (G), by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and (C) in subparagraph (H), by striking ``high-performance'' and inserting ``high-end''; and (3) in paragraph (2)-- (A) by striking ``high-performance computing and'' and inserting ``networking and information technology, and''; and (B) by striking ``high-performance computing network'' and inserting ``networking and information technology''. (b) Title Heading.--The heading of title I of the High-Performance Computing Act of 1991 (105 Stat. 1595) is amended by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting ``NETWORKING AND INFORMATION TECHNOLOGY''. (c) Section 101.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C.
5511) is amended-- (1) in the section heading, by striking ``high-performance computing'' and inserting ``networking and information technology research and development''; (2) in subsection (a)-- (A) in the subsection heading, by striking ``National High-Performance Computing'' and inserting ``Networking and Information Technology Research and Development''; (B) in paragraph (1)-- (i) by striking ``National High-Performance Computing Program'' and inserting ``networking and information technology research and development program''; (ii) in subparagraph (A), by striking ``high-performance computing, including networking'' and inserting ``networking and information technology''; (iii) in subparagraphs (B) and (G), by striking ``high-performance'' each place it appears and inserting ``high-end''; and (iv) in subparagraph (C), by striking ``high-performance computing and networking'' and inserting ``high-end computing, distributed, and networking''; and (C) in paragraph (2)-- (i) in subparagraphs (A) and (C)-- (I) by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and (II) by striking ``development, networking,'' each place it appears and inserting ``development,''; and (ii) in subparagraphs (G) and (H), as redesignated by section 301(d) of this Act, by striking ``high-performance'' each place it appears and inserting ``high-end''; (3) in subsection (b)(1), in the matter preceding subparagraph (A), by striking ``high-performance computing'' each place it appears and inserting ``networking and information technology''; and (4) in subsection (c)(1)(A), by striking ``high-performance computing'' and inserting ``networking and information technology''. (d) Section 201.--Section 201(a)(1) of the High-Performance Computing Act of 1991 (15 U.S.C.
5521(a)(1)) is amended by striking ``high-performance computing and advanced high-speed computer networking'' and inserting ``networking and information technology research and development''. (e) Section 202.--Section 202(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5522(a)) is amended by striking ``high-performance computing'' and inserting ``networking and information technology''. (f) Section 203.--Section 203(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5523(a)) is amended-- (1) in paragraph (1), by striking ``high-performance computing and networking'' and inserting ``networking and information technology''; and (2) in paragraph (2)(A), by striking ``high-performance'' and inserting ``high-end''. (g) Section 204.--Section 204 of the High-Performance Computing Act of 1991 (15 U.S.C. 5524) is amended-- (1) in subsection (a)(1)-- (A) in subparagraph (A), by striking ``high-performance computing systems and networks'' and inserting ``networking and information technology systems and capabilities''; (B) in subparagraph (B), by striking ``interoperability of high-performance computing systems in networks and for common user interfaces to systems'' and inserting ``interoperability and usability of networking and information technology systems''; and (C) in subparagraph (C), by striking ``high-performance computing'' and inserting ``networking and information technology''; and (2) in subsection (b)-- (A) by striking ``High-Performance Computing and Network'' in the heading and inserting ``Networking and Information Technology''; and (B) by striking ``sensitive''. (h) Section 205.--Section 205(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5525(a)) is amended by striking ``computational'' and inserting ``networking and information technology''. (i) Section 206.--Section 206(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 
5526(a)) is amended by striking ``computational research'' and inserting ``networking and information technology research''. (j) Section 207.--Section 207 of the High-Performance Computing Act of 1991 (15 U.S.C. 5527) is amended by striking ``high-performance computing'' and inserting ``networking and information technology''. (k) Section 208.--Section 208 of the High-Performance Computing Act of 1991 (15 U.S.C. 5528) is amended-- (1) in the section heading, by striking ``HIGH-PERFORMANCE COMPUTING'' and inserting ``NETWORKING AND INFORMATION TECHNOLOGY''; and (2) in subsection (a)-- (A) in paragraph (1), by striking ``High-performance computing and associated'' and inserting ``Networking and information''; (B) in paragraph (2), by striking ``high-performance computing'' and inserting ``networking and information technologies''; (C) in paragraph (3), by striking ``high-performance'' and inserting ``high-end''; (D) in paragraph (4), by striking ``high-performance computers and associated'' and inserting ``networking and information''; and (E) in paragraph (5), by striking ``high-performance computing and associated'' and inserting ``networking and information''. SEC. 306. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM. (a) In General.--The Director of the National Science Foundation, in coordination with the Secretary of Homeland Security, shall carry out a Federal cyber scholarship-for-service program to recruit and train the next generation of information technology professionals and security managers to meet the needs of the cybersecurity mission for the Federal government.
(b) Program Description and Components.--The program shall--
(1) annually assess the workforce needs of the Federal government for cybersecurity professionals, including network engineers, software engineers, and other experts in order to determine how many scholarships should be awarded annually to ensure that the workforce needs following graduation match the number of scholarships awarded;
(2) provide scholarships for up to 1,000 students per year in their pursuit of undergraduate or graduate degrees in the cybersecurity field, in an amount that may include coverage for full tuition, fees, and a stipend;
(3) require each scholarship recipient, as a condition of receiving a scholarship under the program, to serve in a Federal information technology workforce for a period equal
[[Page S5571]]
to one and one-half times each year, or partial year, of scholarship received, in addition to an internship in the cybersecurity field, if applicable, following graduation;
(4) provide a procedure for the National Science Foundation or a Federal agency, consistent with regulations of the Office of Personnel Management, to request and fund a security clearance for a scholarship recipient, including providing for clearance during a summer internship and upon graduation; and
(5) provide opportunities for students to receive temporary appointments for meaningful employment in the Federal information technology workforce during school vacation periods and for internships.
(c) Hiring Authority.--
(1) In general.--For purposes of any law or regulation governing the appointment of an individual in the Federal civil service, upon the successful completion of the student's studies, a student receiving a scholarship under the program may--
(A) be hired under section 213.3102(r) of title 5, Code of Federal Regulations; and
(B) be exempt from competitive service.
(2) Competitive service.--Upon satisfactory fulfillment of the service term under paragraph (1), an individual may be converted to a competitive service position without competition if the individual meets the requirements for that position.
(d) Eligibility.--The eligibility requirements for a scholarship under this section shall include that a scholarship applicant--
(1) be a citizen of the United States;
(2) be eligible to be granted a security clearance;
(3) maintain a grade point average of 3.2 or above on a 4.0 scale for undergraduate study or a 3.5 or above on a 4.0 scale for postgraduate study;
(4) demonstrate a commitment to a career in improving the security of the information infrastructure; and
(5) has demonstrated a level of proficiency in math or computer sciences.
(e) Failure to Complete Service Obligation.--
(1) In general.--A scholarship recipient under this section shall be liable to the United States under paragraph (2) if the scholarship recipient--
(A) fails to maintain an acceptable level of academic standing in the educational institution in which the individual is enrolled, as determined by the Director;
(B) is dismissed from such educational institution for disciplinary reasons;
(C) withdraws from the program for which the award was made before the completion of such program;
(D) declares that the individual does not intend to fulfill the service obligation under this section;
(E) fails to fulfill the service obligation of the individual under this section; or
(F) loses a security clearance or becomes ineligible for a security clearance.
(2) Repayment amounts.--
(A) Less than 1 year of service.--If a circumstance under paragraph (1) occurs before the completion of 1 year of a service obligation under this section, the total amount of awards received by the individual under this section shall be repaid.
(B) One or more years of service.--If a circumstance described in subparagraph (D) or (E) of paragraph (1) occurs after the completion of 1 year of a service obligation under this section, the total amount of scholarship awards received by the individual under this section, reduced by the ratio of the number of years of service completed divided by the number of years of service required, shall be repaid.
(f) Evaluation and Report.--The Director of the National Science Foundation shall--
(1) evaluate the success of recruiting individuals for scholarships under this section and of hiring and retaining those individuals in the public sector workforce, including the annual cost and an assessment of how the program actually improves the Federal workforce; and
(2) periodically report the findings under paragraph (1) to Congress.
(g) Authorization of Appropriations.--From amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), the Director may use funds to carry out the requirements of this section for fiscal years 2012 through 2013.
SEC. 307. STUDY AND ANALYSIS OF CERTIFICATION AND TRAINING OF INFORMATION INFRASTRUCTURE PROFESSIONALS.
(a) Study.--The President shall enter into an agreement with the National Academies to conduct a comprehensive study of government, academic, and private-sector accreditation, training, and certification programs for personnel working in information infrastructure. The agreement shall require the National Academies to consult with sector coordinating councils and relevant governmental agencies, regulatory entities, and nongovernmental organizations in the course of the study.
(b) Scope.--The study shall include--
(1) an evaluation of the body of knowledge and various skills that specific categories of personnel working in information infrastructure should possess in order to secure information systems;
(2) an assessment of whether existing government, academic, and private-sector accreditation, training, and certification programs provide the body of knowledge and various skills described in paragraph (1);
(3) an analysis of any barriers to the Federal Government recruiting and hiring cybersecurity talent, including barriers relating to compensation, the hiring process, job classification, and hiring flexibility; and
(4) an analysis of the sources and availability of cybersecurity talent, a comparison of the skills and expertise sought by the Federal Government and the private sector, an examination of the current and future capacity of United States institutions of higher education, including community colleges, to provide current and future cybersecurity professionals, through education and training activities, with those skills sought by the Federal Government, State and local entities, and the private sector.
(c) Report.--Not later than 1 year after the date of enactment of this Act, the National Academies shall submit to the President and Congress a report on the results of the study. The report shall include--
(1) findings regarding the state of information infrastructure accreditation, training, and certification programs, including specific areas of deficiency and demonstrable progress; and
(2) recommendations for the improvement of information infrastructure accreditation, training, and certification programs.
SEC. 308. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.
(a) In General.--The Director of the National Institute of Standards and Technology, in coordination with appropriate Federal authorities, shall--
(1) as appropriate, ensure coordination of Federal agencies engaged in the development of international technical standards related to information system security; and
(2) not later than 1 year after the date of enactment of this Act, develop and transmit to Congress a plan for ensuring such Federal agency coordination.
(b) Consultation With the Private Sector.--In carrying out the activities under subsection (a)(1), the Director shall ensure consultation with appropriate private sector stakeholders.
SEC. 309. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.
The Director of the National Institute of Standards and Technology shall continue a program to support the development of technical standards, metrology, testbeds, and conformance criteria, taking into account appropriate user concerns--
(1) to improve interoperability among identity management technologies;
(2) to strengthen authentication methods of identity management systems;
(3) to improve privacy protection in identity management systems, including health information technology systems, through authentication and security protocols; and
(4) to improve the usability of identity management systems.
SEC. 310. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) National Science Foundation Computer and Network Security Research Grant Areas.--Section 4(a)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7403(a)(1)) is amended--
(1) in subparagraph (H), by striking ``and'' after the semicolon;
(2) in subparagraph (I), by striking ``property.'' and inserting ``property;''; and
(3) by adding at the end the following:
``(J) secure fundamental protocols that are at the heart of inter-network communications and data exchange;
``(K) system security that addresses the building of secure systems from trusted and untrusted components;
``(L) monitoring and detection; and
``(M) resiliency and rapid recovery methods.''.
(b) National Science Foundation Computer and Network Security Grants.--Section 4(a)(3) of the Cyber Security Research and Development Act (15 U.S.C. 7403(a)(3)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''.
(c) Computer and Network Security Centers.--Section 4(b)(7) of the Cyber Security Research and Development Act (15 U.S.C. 7403(b)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''.
(d) Computer and Network Security Capacity Building Grants.--Section 5(a)(6) of the Cyber Security Research and Development Act (15 U.S.C. 7404(a)(6)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''.
[[Page S5572]]
(e) Scientific and Advanced Technology Act Grants.--Section 5(b)(2) of the Cyber Security Research and Development Act (15 U.S.C. 7404(b)(2)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''.
(f) Graduate Traineeships in Computer and Network Security Research.--Section 5(c)(7) of the Cyber Security Research and Development Act (15 U.S.C. 7404(c)(7)) is amended--
(1) in subparagraph (D), by striking ``and'';
(2) in subparagraph (E), by striking ``2007.'' and inserting ``2007;''; and
(3) by adding at the end the following:
``(F) such funds from amounts made available under section 503 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 4005), as the Director finds necessary to carry out the requirements of this subsection for fiscal years 2012 through 2013.''.
______
SA 2611. Mrs. HUTCHISON submitted an amendment intended to be proposed by her to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows:
Beginning on page 45, strike line 1 and all that follows through page 87, line 22, and insert the following:
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY.
(a) In General.--Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
``(2) to recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management of policies, directives, standards, and guidelines, as well as effective and nimble oversight of and response to information security risks, including coordination of information security efforts throughout the Federal civilian, national security, and law enforcement communities;
``(3) to provide for development and maintenance of controls required to protect agency information and information systems and contribute to the overall improvement of agency information security posture;
``(4) to provide for the development of tools and methods to assess and respond to real-time situational risk for Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency information security programs through continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security' means security commensurate with the risk and magnitude of the harm resulting from the unauthorized access to or loss, misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity center' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat information' means information that indicates or describes--
``(A) a technical or operation vulnerability or a cyber threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent;
``(G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control;
``(H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law;
``(I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of the Office of Management and Budget unless otherwise specified.
``(6) Environment of operation.--The term `environment of operation' means the information system and environment in which those systems operate, including changing threats, vulnerabilities, technologies, and missions and business practices.
``(7) Federal information system.--The term `Federal information system' means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
``(8) Incident.--The term `incident' means an occurrence that--
``(A) actually or imminently jeopardizes the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits; or
``(B) constitutes a violation of law or an imminent threat of violation of a law, a security policy, a security procedure, or an acceptable use policy.
``(9) Information resources.--The term `information resources' has the meaning given the term in section 3502 of title 44.
``(10) Information security.--The term `information security' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide--
``(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access to and use of information.
``(11) Information system.--The term `information system' has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information technology' has the meaning given the term in section 11101 of title 40.
``(13) Malicious reconnaissance.--The term `malicious reconnaissance' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
``(15) Operational control.--The term `operational control' means a security control for an information system that primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means the management, operational, and technical controls, including safeguards or countermeasures, prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant cyber incident' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in--
``(A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or
``(B) an incident in which an operational or technical control essential to the security or
[[Page S5573]]
operation of a Federal information system was defeated.
``(20) Technical control.--The term `technical control' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system.
``Sec. 3553. Federal information security authority and coordination
``(a) In General.--The Secretary, in consultation with the Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives governing agency information security operations, and require implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards and guidelines promulgated under section 11331 of title 40 to identify and provide information security protections prioritized and commensurate with the risk and impact resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf of an agency; or
``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
``(B) minimum operational requirements for Federal Government to protect agency information systems and provide common situational awareness across all agency information systems;
``(C) reporting requirements, consistent with relevant law, regarding information security incidents and cyber threat information;
``(D) requirements for agencywide information security programs;
``(E) performance requirements and metrics for the security of agency information systems;
``(F) training requirements to ensure that agencies are able to fully and timely comply with the policies and directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil rights, and civil liberties, and information oversight for agency information security personnel;
``(H) requirements for the annual reports to the Secretary under section 3554(d);
``(I) any other information security operations or information security requirements as determined by the Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems;
``(2) review the agencywide information security programs under section 3554; and
``(3) designate an individual or an entity at each cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information security incidents, cyber threat information, and deterioration of security control affecting agency information systems; and
``(B) to act on or share the information under subparagraph (A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives under subsection (a), the Secretary shall consider any applicable standards or guidelines developed by the National Institute of Standards and Technology under section 11331 of title 40.
``(c) Limitation of Authority.--The authorities of the Secretary under this section shall not apply to national security systems. Information security policies, directives, standards and guidelines for national security systems shall be overseen as directed by the President and, in accordance with that direction, carried out under the authority of the heads of agencies that operate or exercise authority over such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter shall be construed to alter or amend any law regarding the authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued under section 3553;
``(B) providing information security protections commensurate with the risk resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of--
``(i) information collected or maintained by the agency or by a contractor of an agency or other organization on behalf of an agency; and
``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
``(C) complying with the requirements of this subchapter, including--
``(i) information security standards and guidelines promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued as directed by the President; and
``(iii) for any non-national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued under section 3553;
``(D) ensuring that information security management processes are integrated with agency strategic and operational planning processes;
``(E) reporting and sharing, for an agency operating or exercising control of a national security system, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for national security systems issued as directed by the President; and
``(F) reporting and sharing, for those agencies operating or exercising control of non-national security systems, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for non-national security systems as prescribed under section 3553(a), including information to assist the entity designated under section 3555(a) with the ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides information security for the information and information systems that support the operations and assets under the senior agency official's control, including by--
``(A) assessing the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems;
``(B) determining the level of information security appropriate to protect such information and information systems in accordance with policies and directives issued under section 3553(a), and standards and guidelines promulgated under section 11331 of title 40 for information security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities to reduce risks to an acceptable level in a cost-effective manner;
``(D) actively monitoring the effective implementation of information security controls and techniques; and
``(E) reporting information about information security incidents, cyber threat information, and deterioration of security controls in a timely and adequate manner to the entity designated under section 3553(a)(3) in accordance with paragraph (1);
``(3) assess and maintain the resiliency of information technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an independent entity selected in consultation with the Director and the Council of Inspectors General on Integrity and Efficiency if the agency does not have an Inspector General) to conduct the annual independent evaluation required under section 3556, and allow the agency Inspector General to contract with an independent entity to perform such evaluation;
``(5) delegate to the Chief Information Officer or equivalent (or to a senior agency official who reports to the Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement an agencywide information security program; and
``(B) the authority to provide information security for the information collected and maintained by the agency (or by a contractor, other agency, or other source on behalf of the agency) and for the information systems that support the operations, assets, and mission of the agency (including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is responsible for a particular agency system or subsystem) the responsibility to ensure and enforce compliance with all requirements of the agency's agencywide information security program in coordination with the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have obtained any necessary security clearances to permit them to assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5), in coordination with other senior agency officials, reports to the agency head on the effectiveness of the agencywide information security program, including the progress of any remedial actions; and
``(9) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5) has the necessary qualifications to administer the functions described in this subchapter and has information security duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information Officer or equivalent (or the senior agency official who reports to the
[[Page S5574]]
Chief Information Officer or equivalent) under subsection (a)(5) shall--
``(1) establish and maintain an enterprise security operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds to information security incidents that impair adequate security of the agency's information or information system in a timely manner and in accordance with the policies and directives under section 3553; and
``(B) reports any information security incident under subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide information security program;
``(3) develop, maintain, and oversee information security policies, procedures, and control techniques to address applicable requirements, including requirements under section 3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have significant responsibility for information security with respect to that responsibility.
``(c) Agencywide Information Security Programs.--
``(1) In general.--Each agencywide information security program under subsection (b)(2) shall include--
``(A) relevant security risk assessments, including technical assessments and others related to the acquisition process;
``(B) security testing commensurate with risk and impact;
``(C) mitigation of deterioration of security controls commensurate with risk and impact;
``(D) risk-based continuous monitoring and threat assessment of the operational status and security of agency information systems to enable evaluation of the effectiveness of and compliance with information security policies, procedures, and practices, including a relevant and appropriate selection of security controls of information systems identified in the inventory under section 3505(c);
``(E) operation of appropriate technical capabilities in order to detect, mitigate, report, and respond to information security incidents, cyber threat information, and deterioration of security controls in a manner that is consistent with the policies and directives under section 3553, including--
``(i) mitigating risks associated with such information security incidents;
``(ii) notifying and consulting with the entity designated under section 3555; and
``(iii) notifying and consulting with, as appropriate--
``(I) law enforcement and the relevant Office of the Inspector General; and
``(II) any other entity, in accordance with law and as directed by the President;
``(F) a process to ensure that remedial action is taken to address any deficiencies in the information security policies, procedures, and practices of the agency; and
``(G) a plan and procedures to ensure the continuity of operations for information systems that support the operations and assets of the agency.
``(2) Risk management strategies.--Each agencywide information security program under subsection (b)(2) shall include the development and maintenance of a risk management strategy for information security. The risk management strategy shall include--
``(A) consideration of information security incidents, cyber threat information, and deterioration of security controls; and
``(B) consideration of the consequences that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency;
``(3) Policies and procedures.--Each agencywide information security program under subsection (b)(2) shall include policies and procedures that--
``(A) are based on the risk management strategy under paragraph (2);
``(B) reduce information security risks to an acceptable level in a cost-effective manner;
``(C) ensure that cost-effective and adequate information security is addressed as part of the acquisition and ongoing management of each agency information system; and
``(D) ensure compliance with--
``(i) this subchapter; and
``(ii) any other applicable requirements.
``(4) Training requirements.--Each agencywide information security program under subsection (b)(2) shall include information security, privacy, civil rights, civil liberties, and information oversight training that meets any applicable requirements under section 3553. The training shall inform each information security personnel that has access to agency information systems (including contractors and other users of information systems that support the operations and assets of the agency) of--
``(A) the information security risks associated with the information security personnel's activities; and
``(B) the individual's responsibility to comply with the agency policies and procedures that reduce the risks under subparagraph (A).
``(d) Annual Report.--Each agency shall submit a report annually to the Secretary of Homeland Security on its agencywide information security program and information systems.
``Sec. 3555. Multiagency ongoing threat assessment
``(a) Implementation.--The Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, shall designate an entity to implement ongoing security analysis concerning agency information systems--
``(1) based on cyber threat information;
``(2) based on agency information system and environment of operation changes, including--
``(A) an ongoing evaluation of the information system security controls; and
``(B) the security state, risk level, and environment of operation of an agency information system, including--
``(i) a change in risk level due to a new cyber threat;
``(ii) a change resulting from a new technology;
``(iii) a change resulting from the agency's mission; and
``(iv) a change resulting from the business practice; and
``(3) using automated processes to the maximum extent possible--
``(A) to increase information system security;
``(B) to reduce paper-based reporting requirements; and
``(C) to maintain timely and actionable knowledge of the state of the information system security.
``(b) Standards.--The National Institute of Standards and Technology may promulgate standards, in coordination with the Secretary of Homeland Security, to assist an agency with its duties under this section.
``(c) Compliance.--The head of each appropriate department and agency shall be responsible for ensuring compliance and implementing necessary procedures to comply with this section. The head of each appropriate department and agency, in consultation with the Director of the Office of Management and Budget and the Secretary of Homeland Security, shall--
``(1) monitor compliance under this section;
``(2) develop a timeline and implement for the department or agency--
``(A) adoption of any technology, system, or method that facilitates continuous monitoring and threat assessments of an agency information system;
``(B) adoption or updating of any technology, system, or method that prevents, detects, or remediates a significant cyber incident to a Federal information system of the department or agency that has impeded, or is reasonably likely to impede, the performance of a critical mission of the department or agency; and
``(C) adoption of any technology, system, or method that satisfies a requirement under this section.
``(d) Limitation of Authority.--The authorities of the Director of the Office of Management and Budget and of the Secretary of Homeland Security under this section shall not apply to national security systems.
``(e) Report.--Not later than 6 months after the date of enactment of the Cybersecurity Act of 2012, the Government Accountability Office shall issue a report evaluating each agency's status toward implementing this section.
``Sec. 3556. Independent evaluations
``(a) In General.--The Council of the Inspectors General on Integrity and Efficiency, in consultation with the Director and the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense, shall issue and maintain criteria for the timely, cost-effective, risk-based, and independent evaluation of each agencywide information security program (and practices) to determine the effectiveness of the agencywide information security program (and practices). The criteria shall include measures to assess any conflicts of interest in the performance of the evaluation and whether the agencywide information security program includes appropriate safeguards against disclosure of information where such disclosure may adversely affect information security.
``(b) Annual Independent Evaluations.--Each agency shall perform an annual independent evaluation of its agencywide information security program (and practices) in accordance with the criteria under subsection (a).
``(c) Distribution of Reports.--Not later than 30 days after receiving an independent evaluation under subsection (b), each agency head shall transmit a copy of the independent evaluation to the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense.
``(d) National Security Systems.--Evaluations involving national security systems shall be conducted as directed by the President.
``Sec. 3557. National security systems.
``The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency--
``(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; and
``(2) implements information security policies and practices as required by standards and guidelines for national security systems,
[[Page S5575]]
issued in accordance with law and as directed by the President.''.
(b) Savings Provisions.--
(1) Policy and compliance guidance.--Policy and compliance guidance issued by the Director before the date of enactment of this Act under section 3543(a)(1) of title 44, United States Code (as in effect on the day before the date of enactment of this Act), shall continue in effect, according to its terms, until modified, terminated, superseded, or repealed pursuant to section 3553(a)(1) of title 44, United States Code.
(2) Standards and guidelines.--Standards and guidelines issued by the Secretary of Commerce or by the Director before the date of enactment of this Act under section 11331(a)(1) of title 40, United States Code (as in effect on the day before the date of enactment of this Act), shall continue in effect, according to their terms, until modified, terminated, superseded, or repealed pursuant to section 11331(a)(1) of title 40, United States Code, as amended by this Act.
(c) Technical and Conforming Amendments.--
(1) Chapter analysis.--The chapter analysis for chapter 35 of title 44, United States Code, is amended--
(A) by striking the items relating to sections 3531 through 3538;
(B) by striking the items relating to sections 3541 through 3549; and
(C) by inserting the following:
``3551. Purposes.
``3552. Definitions.
``3553. Federal information security authority and coordination.
``3554. Agency responsibilities.
``3555. Multiagency ongoing threat assessment.
``3556. Independent evaluations.
``3557. National security systems.''.
(2) Other references.--
(A) Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 3532(3)'' and inserting ``section 3552''.
(B) Section 2222(j)(5) of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''.
(C) Section 2223(c)(3) of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''.
(D) Section 2315 of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''.
(E) Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking ``section 3532(b)(2)'' and inserting ``section 3552'';
(ii) in subsection (c)(3), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce'';
(iii) in subsection (d)(1), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce'';
(iv) in subsection (d)(8), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce'';
(v) in subsection (d)(8), by striking ``submitted to the Director'' and inserting ``submitted to the Secretary'';
(vi) in subsection (e)(2), by striking ``section 3532(1) of such title'' and inserting ``section 3552 of title 44''; and
(vii) in subsection (e)(5), by striking ``section 3532(b)(2) of such title'' and inserting ``section 3552 of title 44''.
(F) Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking ``section 3534(b)'' and inserting ``section 3554(b)(2)''.
SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY.
(a) In General.--Section 11331 of title 40, United States Code, is amended to read as follows:
``Sec. 11331. Responsibilities for Federal information systems standards
``(a) Standards and Guidelines.--
``(1) Authority to prescribe.--Except as provided under paragraph (2), the Secretary of Commerce shall prescribe standards and guidelines pertaining to Federal information systems--
``(A) in consultation with the Secretary of Homeland Security; and
``(B) on the basis of standards and guidelines developed by the National Institute of Standards and Technology under paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)(2) and (a)(3)).
``(2) National security systems.--Standards and guidelines for national security systems shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President.
``(b) Mandatory Standards and Guidelines.--
``(1) Authority to make mandatory standards and guidelines.--The Secretary of Commerce shall make standards and guidelines under subsection (a)(1) compulsory and binding to the extent determined necessary by the Secretary of Commerce to improve the efficiency of operation or security of Federal information systems.
``(2) Required mandatory standards and guidelines.--
``(A) In general.--Standards and guidelines under subsection (a)(1) shall include information security standards that--
``(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)); and
``(ii) are otherwise necessary to improve the security of Federal information and information systems.
``(B) Binding effect.--Information security standards under subparagraph (A) shall be compulsory and binding.
``(c) Exercise of Authority.--To ensure fiscal and policy consistency, the Secretary of Commerce shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director.
``(d) Application of More Stringent Standards and Guidelines.--The head of an executive agency may employ standards for the cost-effective information security for information systems within or under the supervision of that agency that are more stringent than the standards and guidelines the Secretary of Commerce prescribes under this section if the more stringent standards and guidelines--
``(1) contain at least the applicable standards and guidelines made compulsory and binding by the Secretary of Commerce; and
``(2) are otherwise consistent with the policies, directives, and implementation memoranda issued under section 3553(a) of title 44.
``(e) Decisions on Promulgation of Standards and Guidelines.--The decision by the Secretary of Commerce regarding the promulgation of any standard or guideline under this section shall occur not later than 6 months after the date of submission of the proposed standard to the Secretary of Commerce by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3).
``(f) Notice and Comment.--A decision by the Secretary of Commerce to significantly modify, or not promulgate, a proposed standard submitted to the Secretary by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) shall be made after the public is given an opportunity to comment on the Secretary's proposed decision.
``(g) Definitions.--In this section:
``(1) Federal information system.--The term `Federal information system' has the meaning given the term in section 3552 of title 44.
``(2) Information security.--The term `information security' has the meaning given the term in section 3552 of title 44.
``(3) National security system.--The term `national security system' has the meaning given the term in section 3552 of title 44.''.
SEC. 203. NO NEW FUNDING.
An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate.
SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS.
Section 21(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-4(b)) is amended--
(1) in paragraph (2), by striking ``and the Director of the Office of Management and Budget'' and inserting ``, the Secretary of Commerce, and the Secretary of Homeland Security''; and
(2) in paragraph (3), by inserting ``, the Secretary of Homeland Security,'' after ``the Secretary of Commerce''.
SEC. 205. CLARIFICATION OF AUTHORITIES.
Nothing in this title shall be construed to convey any new regulatory authority to any government entity implementing or complying with any provision of this title.
______
SA 2612. Mrs. HUTCHISON submitted an amendment intended to be proposed by her to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows:
Beginning on page 45, strike line 1 and all that follows through the undesignated matter between lines 7 and 8 on page 106, and insert the following:
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY.
(a) In General.--Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
``(2) to recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management of policies, directives, standards, and guidelines, as well as effective and nimble oversight of and response to information security risks, including coordination of information security efforts throughout the Federal civilian, national security, and law enforcement communities;
``(3) to provide for development and maintenance of controls required to protect agency information and information systems and contribute to the overall improvement of agency information security posture;
[[Page S5576]]
``(4) to provide for the development of tools and methods to assess and respond to real-time situational risk for Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency information security programs through continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security' means security commensurate with the risk and magnitude of the harm resulting from the unauthorized access to or loss, misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity center' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat information' means information that indicates or describes--
``(A) a technical or operation vulnerability or a cyber threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent;
``(G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control;
``(H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law;
``(I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of the Office of Management and Budget unless otherwise specified.
``(6) Environment of operation.--The term `environment of operation' means the information system and environment in which those systems operate, including changing threats, vulnerabilities, technologies, and missions and business practices.
``(7) Federal information system.--The term `Federal information system' means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
``(8) Incident.--The term `incident' means an occurrence that--
``(A) actually or imminently jeopardizes the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits; or
``(B) constitutes a violation of law or an imminent threat of violation of a law, a security policy, a security procedure, or an acceptable use policy.
``(9) Information resources.--The term `information resources' has the meaning given the term in section 3502 of title 44.
``(10) Information security.--The term `information security' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide--
``(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access to and use of information.
``(11) Information system.--The term `information system' has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information technology' has the meaning given the term in section 11101 of title 40.
``(13) Malicious reconnaissance.--The term `malicious reconnaissance' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
``(15) Operational control.--The term `operational control' means a security control for an information system that primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means the management, operational, and technical controls, including safeguards or countermeasures, prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant cyber incident' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in--
``(A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or
``(B) an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated.
``(20) Technical control.--The term `technical control' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system.
``Sec. 3553. Federal information security authority and coordination
``(a) In General.--The Secretary, in consultation with the Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives governing agency information security operations, and require implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards and guidelines promulgated under section 11331 of title 40 to identify and provide information security protections prioritized and commensurate with the risk and impact resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf of an agency; or
``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
``(B) minimum operational requirements for Federal Government to protect agency information systems and provide common situational awareness across all agency information systems;
``(C) reporting requirements, consistent with relevant law, regarding information security incidents and cyber threat information;
``(D) requirements for agencywide information security programs;
``(E) performance requirements and metrics for the security of agency information systems;
``(F) training requirements to ensure that agencies are able to fully and timely comply with the policies and directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil rights, and civil liberties, and information oversight for agency information security personnel;
``(H) requirements for the annual reports to the Secretary under section 3554(d);
``(I) any other information security operations or information security requirements as determined by the Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems;
``(2) review the agencywide information security programs under section 3554; and
[[Page S5577]]
``(3) designate an individual or an entity at each cybersecurity center, among other responsibilities--
``(A) to receive reports and information about information security incidents, cyber threat information, and deterioration of security control affecting agency information systems; and
``(B) to act on or share the information under subparagraph (A) in accordance with this subchapter.
``(b) Considerations.--When issuing policies and directives under subsection (a), the Secretary shall consider any applicable standards or guidelines developed by the National Institute of Standards and Technology under section 11331 of title 40.
``(c) Limitation of Authority.--The authorities of the Secretary under this section shall not apply to national security systems. Information security policies, directives, standards and guidelines for national security systems shall be overseen as directed by the President and, in accordance with that direction, carried out under the authority of the heads of agencies that operate or exercise authority over such national security systems.
``(d) Statutory Construction.--Nothing in this subchapter shall be construed to alter or amend any law regarding the authority of any head of an agency over such agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) complying with the policies and directives issued under section 3553;
``(B) providing information security protections commensurate with the risk resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of--
``(i) information collected or maintained by the agency or by a contractor of an agency or other organization on behalf of an agency; and
``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
``(C) complying with the requirements of this subchapter, including--
``(i) information security standards and guidelines promulgated under section 11331 of title 40;
``(ii) for any national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued as directed by the President; and
``(iii) for any non-national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued under section 3553;
``(D) ensuring that information security management processes are integrated with agency strategic and operational planning processes;
``(E) reporting and sharing, for an agency operating or exercising control of a national security system, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for national security systems issued as directed by the President; and
``(F) reporting and sharing, for those agencies operating or exercising control of non-national security systems, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for non-national security systems as prescribed under section 3553(a), including information to assist the entity designated under section 3555(a) with the ongoing security analysis under section 3555;
``(2) ensure that each senior agency official provides information security for the information and information systems that support the operations and assets under the senior agency official's control, including by--
``(A) assessing the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems;
``(B) determining the level of information security appropriate to protect such information and information systems in accordance with policies and directives issued under section 3553(a), and standards and guidelines promulgated under section 11331 of title 40 for information security classifications and related requirements;
``(C) implementing policies, procedures, and capabilities to reduce risks to an acceptable level in a cost-effective manner;
``(D) actively monitoring the effective implementation of information security controls and techniques; and
``(E) reporting information about information security incidents, cyber threat information, and deterioration of security controls in a timely and adequate manner to the entity designated under section 3553(a)(3) in accordance with paragraph (1);
``(3) assess and maintain the resiliency of information technology systems critical to agency mission and operations;
``(4) designate the agency Inspector General (or an independent entity selected in consultation with the Director and the Council of Inspectors General on Integrity and Efficiency if the agency does not have an Inspector General) to conduct the annual independent evaluation required under section 3556, and allow the agency Inspector General to contract with an independent entity to perform such evaluation;
``(5) delegate to the Chief Information Officer or equivalent (or to a senior agency official who reports to the Chief Information Officer or equivalent)--
``(A) the authority and primary responsibility to implement an agencywide information security program; and
``(B) the authority to provide information security for the information collected and maintained by the agency (or by a contractor, other agency, or other source on behalf of the agency) and for the information systems that support the operations, assets, and mission of the agency (including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency);
``(6) delegate to the appropriate agency official (who is responsible for a particular agency system or subsystem) the responsibility to ensure and enforce compliance with all requirements of the agency's agencywide information security program in coordination with the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5);
``(7) ensure that an agency has trained personnel who have obtained any necessary security clearances to permit them to assist the agency in complying with this subchapter;
``(8) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5), in coordination with other senior agency officials, reports to the agency head on the effectiveness of the agencywide information security program, including the progress of any remedial actions; and
``(9) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5) has the necessary qualifications to administer the functions described in this subchapter and has information security duties as a primary duty of that official.
``(b) Chief Information Officers.--Each Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under subsection (a)(5) shall--
``(1) establish and maintain an enterprise security operations capability that on a continuous basis--
``(A) detects, reports, contains, mitigates, and responds to information security incidents that impair adequate security of the agency's information or information system in a timely manner and in accordance with the policies and directives under section 3553; and
``(B) reports any information security incident under subparagraph (A) to the entity designated under section 3555;
``(2) develop, maintain, and oversee an agencywide information security program;
``(3) develop, maintain, and oversee information security policies, procedures, and control techniques to address applicable requirements, including requirements under section 3553 of this title and section 11331 of title 40; and
``(4) train and oversee the agency personnel who have significant responsibility for information security with respect to that responsibility.
``(c) Agencywide Information Security Programs.-- ``(1) In general.--Each agencywide information security program under subsection (b)(2) shall include-- ``(A) relevant security risk assessments, including technical assessments and others related to the acquisition process; ``(B) security testing commensurate with risk and impact; ``(C) mitigation of deterioration of security controls commensurate with risk and impact; ``(D) risk-based continuous monitoring and threat assessment of the operational status and security of agency information systems to enable evaluation of the effectiveness of and compliance with information security policies, procedures, and practices, including a relevant and appropriate selection of security controls of information systems identified in the inventory under section 3505(c); ``(E) operation of appropriate technical capabilities in order to detect, mitigate, report, and respond to information security incidents, cyber threat information, and deterioration of security controls in a manner that is consistent with the policies and directives under section 3553, including-- ``(i) mitigating risks associated with such information security incidents; ``(ii) notifying and consulting with the entity designated under section 3555; and ``(iii) notifying and consulting with, as appropriate-- ``(I) law enforcement and the relevant Office of the Inspector General; and ``(II) any other entity, in accordance with law and as directed by the President; ``(F) a process to ensure that remedial action is taken to address any deficiencies in the information security policies, procedures, and practices of the agency; and ``(G) a plan and procedures to ensure the continuity of operations for information systems that support the operations and assets of the agency. 
``(2) Risk management strategies.--Each agencywide information security program under subsection (b)(2) shall include the development and maintenance of a risk management strategy for information security. The risk management strategy shall include-- ``(A) consideration of information security incidents, cyber threat information, and deterioration of security controls; and ``(B) consideration of the consequences that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency; ``(3) Policies and procedures.--Each agencywide information security program under subsection (b)(2) shall include policies and procedures that-- ``(A) are based on the risk management strategy under paragraph (2); ``(B) reduce information security risks to an acceptable level in a cost-effective manner; ``(C) ensure that cost-effective and adequate information security is addressed as part of the acquisition and ongoing management of each agency information system; and ``(D) ensure compliance with-- ``(i) this subchapter; and ``(ii) any other applicable requirements. ``(4) Training requirements.--Each agencywide information security program under subsection (b)(2) shall include information security, privacy, civil rights, civil liberties, and information oversight training that meets any applicable requirements under section 3553.
The training shall inform each information security personnel that has access to agency information systems (including contractors and other users of information systems that support the operations and assets of the agency) of-- ``(A) the information security risks associated with the information security personnel's activities; and ``(B) the individual's responsibility to comply with the agency policies and procedures that reduce the risks under subparagraph (A). ``(d) Annual Report.--Each agency shall submit a report annually to the Secretary of Homeland Security on its agencywide information security program and information systems. ``Sec. 3555. Multiagency ongoing threat assessment ``(a) Implementation.--The Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, shall designate an entity to implement ongoing security analysis concerning agency information systems-- ``(1) based on cyber threat information; ``(2) based on agency information system and environment of operation changes, including-- ``(A) an ongoing evaluation of the information system security controls; and ``(B) the security state, risk level, and environment of operation of an agency information system, including-- ``(i) a change in risk level due to a new cyber threat; ``(ii) a change resulting from a new technology; ``(iii) a change resulting from the agency's mission; and ``(iv) a change resulting from the business practice; and ``(3) using automated processes to the maximum extent possible-- ``(A) to increase information system security; ``(B) to reduce paper-based reporting requirements; and ``(C) to maintain timely and actionable knowledge of the state of the information system security. ``(b) Standards.--The National Institute of Standards and Technology may promulgate standards, in coordination with the Secretary of Homeland Security, to assist an agency with its duties under this section. 
``(c) Compliance.--The head of each appropriate department and agency shall be responsible for ensuring compliance and implementing necessary procedures to comply with this section. The head of each appropriate department and agency, in consultation with the Director of the Office of Management and Budget and the Secretary of Homeland Security, shall-- ``(1) monitor compliance under this section; ``(2) develop a timeline and implement for the department or agency-- ``(A) adoption of any technology, system, or method that facilitates continuous monitoring and threat assessments of an agency information system; ``(B) adoption or updating of any technology, system, or method that prevents, detects, or remediates a significant cyber incident to a Federal information system of the department or agency that has impeded, or is reasonably likely to impede, the performance of a critical mission of the department or agency; and ``(C) adoption of any technology, system, or method that satisfies a requirement under this section. ``(d) Limitation of Authority.--The authorities of the Director of the Office of Management and Budget and of the Secretary of Homeland Security under this section shall not apply to national security systems. ``(e) Report.--Not later than 6 months after the date of enactment of the Cybersecurity Act of 2012, the Government Accountability Office shall issue a report evaluating each agency's status toward implementing this section. ``Sec. 3556. Independent evaluations ``(a) In General.--The Council of the Inspectors General on Integrity and Efficiency, in consultation with the Director and the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense, shall issue and maintain criteria for the timely, cost-effective, risk-based, and independent evaluation of each agencywide information security program (and practices) to determine the effectiveness of the agencywide information security program (and practices). 
The criteria shall include measures to assess any conflicts of interest in the performance of the evaluation and whether the agencywide information security program includes appropriate safeguards against disclosure of information where such disclosure may adversely affect information security. ``(b) Annual Independent Evaluations.--Each agency shall perform an annual independent evaluation of its agencywide information security program (and practices) in accordance with the criteria under subsection (a). ``(c) Distribution of Reports.--Not later than 30 days after receiving an independent evaluation under subsection (b), each agency head shall transmit a copy of the independent evaluation to the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense. ``(d) National Security Systems.--Evaluations involving national security systems shall be conducted as directed by the President. ``Sec. 3557. National security systems. ``The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency-- ``(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; and ``(2) implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President.''. (b) Savings Provisions.-- (1) Policy and compliance guidance.--Policy and compliance guidance issued by the Director before the date of enactment of this Act under section 3543(a)(1) of title 44, United States Code (as in effect on the day before the date of enactment of this Act), shall continue in effect, according to its terms, until modified, terminated, superseded, or repealed pursuant to section 3553(a)(1) of title 44, United States Code.
(2) Standards and guidelines.--Standards and guidelines issued by the Secretary of Commerce or by the Director before the date of enactment of this Act under section 11331(a)(1) of title 40, United States Code (as in effect on the day before the date of enactment of this Act), shall continue in effect, according to their terms, until modified, terminated, superseded, or repealed pursuant to section 11331(a)(1) of title 40, United States Code, as amended by this Act. (c) Technical and Conforming Amendments.-- (1) Chapter analysis.--The chapter analysis for chapter 35 of title 44, United States Code, is amended-- (A) by striking the items relating to sections 3531 through 3538; (B) by striking the items relating to sections 3541 through 3549; and (C) by inserting the following: ``3551. Purposes. ``3552. Definitions. ``3553. Federal information security authority and coordination. ``3554. Agency responsibilities. ``3555. Multiagency ongoing threat assessment. ``3556. Independent evaluations. ``3557. National security systems.''. (2) Other references.-- (A) Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 3532(3)'' and inserting ``section 3552''. (B) Section 2222(j)(5) of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (C) Section 2223(c)(3) of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (D) Section 2315 of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (E) Section 20 of the National Institute of Standards and Technology Act (15 U.S.C.
278g-3) is amended-- (i) in subsection (a)(2), by striking ``section 3532(b)(2)'' and inserting ``section 3552''; (ii) in subsection (c)(3), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (iii) in subsection (d)(1), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (iv) in subsection (d)(8) by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (v) in subsection (d)(8), by striking ``submitted to the Director'' and inserting ``submitted to the Secretary''; (vi) in subsection (e)(2), by striking ``section 3532(1) of such title'' and inserting ``section 3552 of title 44''; and (vii) in subsection (e)(5), by striking ``section 3532(b)(2) of such title'' and inserting ``section 3552 of title 44''. (F) Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking ``section 3534(b)'' and inserting ``section 3554(b)(2)''. SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY. (a) In General.--Section 11331 of title 40, United States Code, is amended to read as follows: ``Sec. 11331. Responsibilities for Federal information systems standards ``(a) Standards and Guidelines.-- ``(1) Authority to prescribe.--Except as provided under paragraph (2), the Secretary of Commerce shall prescribe standards and guidelines pertaining to Federal information systems-- ``(A) in consultation with the Secretary of Homeland Security; and ``(B) on the basis of standards and guidelines developed by the National Institute of Standards and Technology under paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)(2) and (a)(3)).
``(2) National security systems.--Standards and guidelines for national security systems shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President. ``(b) Mandatory Standards and Guidelines.-- ``(1) Authority to make mandatory standards and guidelines.--The Secretary of Commerce shall make standards and guidelines under subsection (a)(1) compulsory and binding to the extent determined necessary by the Secretary of Commerce to improve the efficiency of operation or security of Federal information systems. ``(2) Required mandatory standards and guidelines.-- ``(A) In general.--Standards and guidelines under subsection (a)(1) shall include information security standards that-- ``(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)); and ``(ii) are otherwise necessary to improve the security of Federal information and information systems. ``(B) Binding effect.--Information security standards under subparagraph (A) shall be compulsory and binding. ``(c) Exercise of Authority.--To ensure fiscal and policy consistency, the Secretary of Commerce shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director. 
``(d) Application of More Stringent Standards and Guidelines.--The head of an executive agency may employ standards for the cost-effective information security for information systems within or under the supervision of that agency that are more stringent than the standards and guidelines the Secretary of Commerce prescribes under this section if the more stringent standards and guidelines-- ``(1) contain at least the applicable standards and guidelines made compulsory and binding by the Secretary of Commerce; and ``(2) are otherwise consistent with the policies, directives, and implementation memoranda issued under section 3553(a) of title 44. ``(e) Decisions on Promulgation of Standards and Guidelines.--The decision by the Secretary of Commerce regarding the promulgation of any standard or guideline under this section shall occur not later than 6 months after the date of submission of the proposed standard to the Secretary of Commerce by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3). ``(f) Notice and Comment.--A decision by the Secretary of Commerce to significantly modify, or not promulgate, a proposed standard submitted to the Secretary by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) shall be made after the public is given an opportunity to comment on the Secretary's proposed decision. ``(g) Definitions.--In this section: ``(1) Federal information system.--The term `Federal information system' has the meaning given the term in section 3552 of title 44. ``(2) Information security.--The term `information security' has the meaning given the term in section 3552 of title 44. ``(3) National security system.--The term `national security system' has the meaning given the term in section 3552 of title 44.''. SEC. 203. NO NEW FUNDING. 
An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate. SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS. Section 21(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-4(b)) is amended-- (1) in paragraph (2), by striking ``and the Director of the Office of Management and Budget'' and inserting ``, the Secretary of Commerce, and the Secretary of Homeland Security''; and (2) in paragraph (3), by inserting ``, the Secretary of Homeland Security,'' after ``the Secretary of Commerce''. SEC. 205. CLARIFICATION OF AUTHORITIES. Nothing in this title shall be construed to convey any new regulatory authority to any government entity implementing or complying with any provision of this title. ______ SA 2613. Mrs. HUTCHISON (for herself, Mr. McCain, Mr. Chambliss, Mr. Grassley, Ms. Murkowski, Mr. Coats, Mr. Burr, and Mr. Johnson of Wisconsin) submitted an amendment intended to be proposed by her to the bill S. 3414, to enhance the security and resiliency of the cyber and communications infrastructure of the United States; which was ordered to lie on the table; as follows: Beginning on page 1, strike line 3 and all that follows through page 211, line 6 and insert the following: SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) Short Title.--This Act may be cited as the ``Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012'' or ``SECURE IT''. (b) Table of Contents.--The table of contents of this Act is as follows: Sec. 1. Short title; table of contents. TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION Sec. 101. Definitions. Sec. 102. Authorization to share cyber threat information. Sec. 103. Information sharing by the Federal government. Sec. 104. Construction. Sec. 105. Report on implementation. Sec. 106. Inspector General review. Sec. 107. 
Technical amendments. Sec. 108. Access to classified information. TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY Sec. 201. Coordination of Federal information security policy. Sec. 202. Management of information technology. Sec. 203. No new funding. Sec. 204. Technical and conforming amendments. Sec. 205. Clarification of authorities. TITLE III--CRIMINAL PENALTIES Sec. 301. Penalties for fraud and related activity in connection with computers. Sec. 302. Trafficking in passwords. Sec. 303. Conspiracy and attempted computer fraud offenses. Sec. 304. Criminal and civil forfeiture for fraud and related activity in connection with computers. Sec. 305. Damage to critical infrastructure computers. Sec. 306. Limitation on actions involving unauthorized use. Sec. 307. No new funding. TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT Sec. 401. National High-Performance Computing Program planning and coordination. Sec. 402. Research in areas of national importance. Sec. 403. Program improvements. Sec. 404. Improving education of networking and information technology, including high performance computing. Sec. 405. Conforming and technical amendments to the High-Performance Computing Act of 1991. Sec. 406. Federal cyber scholarship-for-service program. Sec. 407. Study and analysis of certification and training of information infrastructure professionals. Sec. 408. International cybersecurity technical standards. Sec. 409. Identity management research and development. Sec. 410. Federal cybersecurity research and development. TITLE I--FACILITATING SHARING OF CYBER THREAT INFORMATION SEC. 101. DEFINITIONS. In this title: (1) Agency.--The term ``agency'' has the meaning given the term in section 3502 of title 44, United States Code. (2) Antitrust laws.--The term ``antitrust laws''-- (A) has the meaning given the term in section 1(a) of the Clayton Act (15 U.S.C. 12(a)); (B) includes section 5 of the Federal Trade Commission Act (15 U.S.C. 
45) to the extent that section 5 of that Act applies to unfair methods of competition; and (C) includes any State law that has the same intent and effect as the laws under subparagraphs (A) and (B). (3) Countermeasure.--The term ``countermeasure'' means an automated or a manual action with defensive intent to mitigate cyber threats. (4) Cyber threat information.--The term ``cyber threat information'' means information that indicates or describes-- (A) a technical or operational vulnerability or a cyber threat mitigation measure; (B) an action or operation to mitigate a cyber threat; (C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat; (D) a method of defeating a technical control; (E) a method of defeating an operational control; (F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent; (G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control; (H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law; (I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or (J) any combination of subparagraphs (A) through (I).
(5) Cybersecurity center.--The term ``cybersecurity center'' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center. (6) Cybersecurity system.--The term ``cybersecurity system'' means a system designed or employed to ensure the integrity, confidentiality, or availability of, or to safeguard, a system or network, including measures intended to protect a system or network from-- (A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriations of private or government information, intellectual property, or personally identifiable information. (7) Entity.-- (A) In general.--The term ``entity'' means any private entity, non-Federal government agency or department, or State, tribal, or local government agency or department (including an officer, employee, or agent thereof). (B) Inclusions.--The term ``entity'' includes a government agency or department (including an officer, employee, or agent thereof) of the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Northern Mariana Islands, and any other territory or possession of the United States. (8) Federal information system.--The term ``Federal information system'' means an information system of a Federal department or agency used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. 
(9) Information security.--The term ``information security'' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide-- (A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity; (B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or (C) availability, by ensuring timely and reliable access to and use of information. (10) Information system.--The term ``information system'' has the meaning given the term in section 3502 of title 44, United States Code. (11) Local government.--The term ``local government'' means any borough, city, county, parish, town, township, village, or other general purpose political subdivision of a State. (12) Malicious reconnaissance.--The term ``malicious reconnaissance'' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat. (13) Operational control.--The term ``operational control'' means a security control for an information system that primarily is implemented and executed by people. (14) Operational vulnerability.--The term ``operational vulnerability'' means any attribute of policy, process, or procedure that could enable or facilitate the defeat of an operational control. (15) Private entity.--The term ``private entity'' means any individual or any private group, organization, or corporation, including an officer, employee, or agent thereof. 
(16) Significant cyber incident.--The term ``significant cyber incident'' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in-- (A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or (B) an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated. (17) Technical control.--The term ``technical control'' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system. (18) Technical vulnerability.--The term ``technical vulnerability'' means any attribute of hardware or software that could enable or facilitate the defeat of a technical control. (19) Tribal.--The term ``tribal'' has the meaning given the term ``Indian tribe'' in section 4 of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 450b). SEC. 102. AUTHORIZATION TO SHARE CYBER THREAT INFORMATION. (a) Voluntary Disclosure.-- (1) Private entities.--Notwithstanding any other provision of law, a private entity may, for the purpose of preventing, investigating, or otherwise mitigating threats to information security, on its own networks, or as authorized by another entity, on such entity's networks, employ countermeasures and use cybersecurity systems in order to obtain, identify, or otherwise possess cyber threat information. (2) Entities.--Notwithstanding any other provision of law, an entity may disclose cyber threat information to-- (A) a cybersecurity center; or (B) any other entity in order to assist with preventing, investigating, or otherwise mitigating threats to information security.
(3) Information security providers.--If the cyber threat information described in paragraph (1) is obtained, identified, or otherwise possessed in the course of providing information security products or services under contract to another entity, that entity shall be given, at any time prior to disclosure of such information, a reasonable opportunity to authorize or prevent such disclosure, to request anonymization of such information, or to request that reasonable efforts be made to safeguard such information that identifies specific persons from unauthorized access or disclosure. (b) Significant Cyber Incidents Involving Federal Information Systems.-- (1) In general.--An entity providing electronic communication services, remote computing services, or information security services to a Federal department or agency shall inform the Federal department or agency of a significant cyber incident involving the Federal information system of that Federal department or agency that-- (A) is directly known to the entity as a result of providing such services; (B) is directly related to the provision of such services by the entity; and (C) as determined by the entity, has impeded or will impede the performance of a critical mission of the Federal department or agency. (2) Advance coordination.--A Federal department or agency receiving the services described in paragraph (1) shall coordinate in advance with an entity described in paragraph (1) to develop the parameters of any information that may be provided under paragraph (1), including clarification of the type of significant cyber incident that will impede the performance of a critical mission of the Federal department or agency. (3) Report.--A Federal department or agency shall report information provided under this subsection to a cybersecurity center. 
(4) Construction.--Any information provided to a cybersecurity center under paragraph (3) shall be treated in the same manner as information provided to a cybersecurity center under subsection (a).
(c) Information Shared With or Provided to a Cybersecurity Center.--Cyber threat information provided to a cybersecurity center under this section--
(1) may be disclosed to, retained by, and used by, consistent with otherwise applicable Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal government for a cybersecurity purpose, a national security purpose, or in order to prevent, investigate, or prosecute any of the offenses listed in section 2516 of title 18, United States Code, and such information shall not be disclosed to, retained by, or used by any Federal agency or department for any use not permitted under this paragraph;
(2) may, with the prior written consent of the entity submitting such information, be disclosed to and used by a State, tribal, or local government or government agency for the purpose of protecting information systems, or in furtherance of preventing, investigating, or prosecuting a criminal act, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent;
(3) shall be considered the commercial, financial, or proprietary information of the entity providing such information to the Federal government and any disclosure outside the Federal government may only be made upon the prior written consent by such entity and shall not constitute a waiver of any applicable privilege or protection provided by law, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent;
[[Page S5581]]
(4) shall be deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records;
(5) shall be, without discretion, withheld from the public under section 552(b)(3)(B) of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records;
(6) shall not be subject to the rules of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official;
(7) shall not, if subsequently provided to a State, tribal, or local government or government agency, otherwise be disclosed or distributed to any entity by such State, tribal, or local government or government agency without the prior written consent of the entity submitting such information, notwithstanding any State, tribal, or local law requiring disclosure of information or records, except that if the need for immediate disclosure prevents obtaining written consent, such consent may be provided orally with subsequent documentation of such consent; and
(8) shall not be directly used by any Federal, State, tribal, or local department or agency to regulate the lawful activities of an entity, including activities relating to obtaining, identifying, or otherwise possessing cyber threat information, except that the procedures required to be developed and implemented under this title shall not be considered regulations within the meaning of this paragraph.
(d) Procedures Relating to Information Sharing With a Cybersecurity Center.--Not later than 60 days after the date of enactment of this Act, the heads of each department or agency containing a cybersecurity center shall jointly develop, promulgate, and submit to Congress procedures to ensure that cyber threat information shared with or provided to--
(1) a cybersecurity center under this section--
(A) may be submitted to a cybersecurity center by an entity, to the greatest extent possible, through a uniform, publicly available process or format that is easily accessible on the website of such cybersecurity center, and that includes the ability to provide relevant details about the cyber threat information and written consent to any subsequent disclosures authorized by this paragraph;
(B) shall immediately be further shared with each cybersecurity center in order to prevent, investigate, or otherwise mitigate threats to information security across the Federal government;
(C) is handled by the Federal government in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title, and the Federal government may undertake efforts consistent with this subparagraph to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal government; and
(D) except as provided in this section, shall only be used, disclosed, or handled in accordance with the provisions of subsection (c); and
(2) a Federal agency or department under subsection (b) is provided immediately to a cybersecurity center in order to prevent, investigate, or otherwise mitigate threats to information security across the Federal government.
(e) Information Shared Between Entities.--
(1) In general.--An entity sharing cyber threat information with another entity under this title may restrict the use or sharing of such information by such other entity.
(2) Further sharing.--Cyber threat information shared by any entity with another entity under this title--
(A) shall only be further shared in accordance with any restrictions placed on the sharing of such information by the entity authorizing such sharing, such as appropriate anonymization of such information; and
(B) may not be used by any entity to gain an unfair competitive advantage to the detriment of the entity authorizing the sharing of such information, except that the conduct described in paragraph (3) shall not constitute unfair competitive conduct.
(3) Information shared with state, tribal, or local government or government agency.--Cyber threat information shared with a State, tribal, or local government or government agency under this title--
(A) may, with the prior written consent of the entity sharing such information, be disclosed to and used by a State, tribal, or local government or government agency for the purpose of protecting information systems, or in furtherance of preventing, investigating, or prosecuting a criminal act, except if the need for immediate disclosure prevents obtaining written consent, consent may be provided orally with subsequent documentation of the consent;
(B) shall be deemed voluntarily shared information and exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records;
(C) shall not be disclosed or distributed to any entity by the State, tribal, or local government or government agency without the prior written consent of the entity submitting such information, notwithstanding any State, tribal, or local law requiring disclosure of information or records, except if the need for immediate disclosure prevents obtaining written consent, consent may be provided orally with subsequent documentation of the consent; and
(D) shall not be directly used by any State, tribal, or local department or agency to regulate the lawful activities of an entity, including activities relating to obtaining, identifying, or otherwise possessing cyber threat information, except that the procedures required to be developed and implemented under this title shall not be considered regulations within the meaning of this subparagraph.
(4) Antitrust exemption.--The exchange or provision of cyber threat information or assistance between 2 or more private entities under this title shall not be considered a violation of any provision of antitrust laws if exchanged or provided in order to assist with--
(A) facilitating the prevention, investigation, or mitigation of threats to information security; or
(B) communicating or disclosing of cyber threat information to help prevent, investigate or otherwise mitigate the effects of a threat to information security.
(5) No right or benefit.--The provision of cyber threat information to an entity under this section shall not create a right or a benefit to similar information by such entity or any other entity.
(f) Federal Preemption.--
(1) In general.--This section supersedes any statute or other law of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under this section.
(2) State law enforcement.--Nothing in this section shall be construed to supersede any statute or other law of a State or political subdivision of a State concerning the use of authorized law enforcement techniques.
(3) Public disclosure.--No information shared with or provided to a State, tribal, or local government or government agency pursuant to this section shall be made publicly available pursuant to any State, tribal, or local law requiring disclosure of information or records.
(g) Civil and Criminal Liability.--
(1) General protections.--
(A) Private entities.--No cause of action shall lie or be maintained in any court against any private entity for--
(i) the use of countermeasures and cybersecurity systems as authorized by this title;
(ii) the use, receipt, or disclosure of any cyber threat information as authorized by this title; or
(iii) the subsequent actions or inactions of any lawful recipient of cyber threat information provided by such private entity.
(B) Entities.--No cause of action shall lie or be maintained in any court against any entity for--
(i) the use, receipt, or disclosure of any cyber threat information as authorized by this title; or
(ii) the subsequent actions or inactions of any lawful recipient of cyber threat information provided by such entity.
(2) Construction.--Nothing in this subsection shall be construed as creating any immunity against, or otherwise affecting, any action brought by the Federal government, or any agency or department thereof, to enforce any law, executive order, or procedure governing the appropriate handling, disclosure, and use of classified information.
(h) Otherwise Lawful Disclosures.--Nothing in this section shall be construed to limit or prohibit otherwise lawful disclosures of communications, records, or other information by a private entity to any other governmental or private entity not covered under this section.
(i) Whistleblower Protection.--Nothing in this Act shall be construed to preempt or preclude any employee from exercising rights currently provided under any whistleblower law, rule, or regulation.
(j) Relationship to Other Laws.--The submission of cyber threat information under this section to a cybersecurity center shall not affect any requirement under any other provision of law for an entity to provide information to the Federal government.
SEC. 103. INFORMATION SHARING BY THE FEDERAL GOVERNMENT.
(a) Classified Information.--
(1) Procedures.--Consistent with the protection of intelligence sources and methods, and as otherwise determined appropriate, the Director of National Intelligence and the Secretary of Defense, in consultation with the heads of the appropriate Federal departments or agencies, shall develop and promulgate procedures to facilitate and promote--
(A) the immediate sharing, through the cybersecurity centers, of classified cyber threat information in the possession of the Federal government with appropriately cleared representatives of any appropriate entity; and
(B) the declassification and immediate sharing, through the cybersecurity centers, with any entity or, if appropriate, public availability of cyber threat information in the possession of the Federal government;
(2) Handling of classified information.--The procedures developed under paragraph (1) shall ensure that each entity receiving classified cyber threat information pursuant to this section has acknowledged in writing the ongoing obligation to comply with all
[[Page S5582]]
laws, executive orders, and procedures concerning the appropriate handling, disclosure, or use of classified information.
(b) Unclassified Cyber Threat Information.--The heads of each department or agency containing a cybersecurity center shall jointly develop and promulgate procedures that ensure that, consistent with the provisions of this section, unclassified, including controlled unclassified, cyber threat information in the possession of the Federal government--
(1) is shared, through the cybersecurity centers, in an immediate and adequate manner with appropriate entities; and
(2) if appropriate, is made publicly available.
(c) Development of Procedures.--
(1) In general.--The procedures developed under this section shall incorporate, to the greatest extent possible, existing processes utilized by sector specific information sharing and analysis centers.
(2) Coordination with entities.--In developing the procedures required under this section, the Director of National Intelligence and the heads of each department or agency containing a cybersecurity center shall coordinate with appropriate entities to ensure that protocols are implemented that will facilitate and promote the sharing of cyber threat information by the Federal government.
(d) Additional Responsibilities of Cybersecurity Centers.--Consistent with section 102, a cybersecurity center shall--
(1) facilitate information sharing, interaction, and collaboration among and between cybersecurity centers and--
(A) other Federal entities;
(B) any entity; and
(C) international partners, in consultation with the Secretary of State;
(2) disseminate timely and actionable cybersecurity threat, vulnerability, mitigation, and warning information, including alerts, advisories, indicators, signatures, and mitigation and response measures, to improve the security and protection of information systems; and
(3) coordinate with other Federal entities, as appropriate, to integrate information from across the Federal government to provide situational awareness of the cybersecurity posture of the United States.
(e) Sharing Within the Federal Government.--The heads of appropriate Federal departments and agencies shall ensure that cyber threat information in the possession of such Federal departments or agencies that relates to the prevention, investigation, or mitigation of threats to information security across the Federal government is shared effectively with the cybersecurity centers.
(f) Submission to Congress.--Not later than 60 days after the date of enactment of this Act, the Director of National Intelligence, in coordination with the appropriate head of a department or an agency containing a cybersecurity center, shall submit the procedures required by this section to Congress.
SEC. 104. CONSTRUCTION.
(a) Information Sharing Relationships.--Nothing in this title shall be construed--
(1) to limit or modify an existing information sharing relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship between any entity and the Federal government, except as specified under section 102(b); or
(4) to modify the authority of a department or agency of the Federal government to protect sources and methods and the national security of the United States.
(b) Anti-tasking Restriction.--Nothing in this title shall be construed to permit the Federal government--
(1) to require an entity to share information with the Federal government, except as expressly provided under section 102(b); or
(2) to condition the sharing of cyber threat information with an entity on such entity's provision of cyber threat information to the Federal government.
(c) No Liability for Non-participation.--Nothing in this title shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized under this title.
(d) Use and Retention of Information.--Nothing in this title shall be construed to authorize, or to modify any existing authority of, a department or agency of the Federal government to retain or use any information shared under section 102 for any use other than a use permitted under subsection 102(c)(1).
(e) No New Funding.--An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate.
SEC. 105. REPORT ON IMPLEMENTATION.
(a) Content of Report.--Not later than 1 year after the date of enactment of this Act, and biennially thereafter, the heads of each department or agency containing a cybersecurity center shall jointly submit, in coordination with the privacy and civil liberties officials of such departments or agencies and the Privacy and Civil Liberties Oversight Board, a detailed report to Congress concerning the implementation of this title, including--
(1) an assessment of the sufficiency of the procedures developed under section 103 of this Act in ensuring that cyber threat information in the possession of the Federal government is provided in an immediate and adequate manner to appropriate entities or, if appropriate, is made publicly available;
(2) an assessment of whether information has been appropriately classified and an accounting of the number of security clearances authorized by the Federal government for purposes of this title;
(3) a review of the type of cyber threat information shared with a cybersecurity center under section 102 of this Act, including whether such information meets the definition of cyber threat information under section 101, the degree to which such information may impact the privacy and civil liberties of individuals, any appropriate metrics to determine any impact of the sharing of such information with the Federal government on privacy and civil liberties, and the adequacy of any steps taken to reduce such impact;
(4) a review of actions taken by the Federal government based on information provided to a cybersecurity center under section 102 of this Act, including the appropriateness of any subsequent use under section 102(c)(1) of this Act and whether there was inappropriate stovepiping within the Federal government of any such information;
(5) a description of any violations of the requirements of this title by the Federal government;
(6) a classified list of entities that received classified information from the Federal government under section 103 of this Act and a description of any indication that such information may not have been appropriately handled;
(7) a summary of any breach of information security, if known, attributable to a specific failure by any entity or the Federal government to act on cyber threat information in the possession of such entity or the Federal government that resulted in substantial economic harm or injury to a specific entity or the Federal government; and
(8) any recommendation for improvements or modifications to the authorities under this title.
(b) Form of Report.--The report under subsection (a) shall be submitted in unclassified form, but shall include a classified annex.
SEC. 106. INSPECTOR GENERAL REVIEW.
(a) In General.--The Council of the Inspectors General on Integrity and Efficiency are authorized to review compliance by the cybersecurity centers, and by any Federal department or agency receiving cyber threat information from such cybersecurity centers, with the procedures required under section 102 of this Act.
(b) Scope of Review.--The review under subsection (a) shall consider whether the Federal government has handled such cyber threat information in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title.
(c) Report to Congress.--Each review conducted under this section shall be provided to Congress not later than 30 days after the date of completion of the review.
SEC. 107. TECHNICAL AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
(1) in paragraph (8), by striking ``or'';
(2) in paragraph (9), by striking ``wells.'' and inserting ``wells; or''; and
(3) by adding at the end the following:
``(10) information shared with or provided to a cybersecurity center under section 102 of title I of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012.''.
SEC. 108. ACCESS TO CLASSIFIED INFORMATION.
(a) Authorization Required.--No person shall be provided with access to classified information (as defined in section 6.1 of Executive Order 13526 (50 U.S.C. 435 note; relating to classified national security information)) relating to cyber security threats or cyber security vulnerabilities under this title without the appropriate security clearances.
(b) Security Clearances.--The appropriate Federal agencies or departments shall, consistent with applicable procedures and requirements, and if otherwise deemed appropriate, assist an individual in timely obtaining an appropriate security clearance where such individual has been determined to be eligible for such clearance and has a need-to-know (as defined in section 6.1 of that Executive Order) classified information to carry out this title.
TITLE II--COORDINATION OF FEDERAL INFORMATION SECURITY POLICY
SEC. 201. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY.
(a) In General.--Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are--
``(1) to provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
``(2) to recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management of policies, directives, standards, and guidelines, as well as effective and nimble oversight of and response to
[[Page S5583]]
information security risks, including coordination of information security efforts throughout the Federal civilian, national security, and law enforcement communities;
``(3) to provide for development and maintenance of controls required to protect agency information and information systems and contribute to the overall improvement of agency information security posture;
``(4) to provide for the development of tools and methods to assess and respond to real-time situational risk for Federal information system operations and assets; and
``(5) to provide a mechanism for improving agency information security programs through continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting.
``Sec. 3552. Definitions
``In this subchapter:
``(1) Adequate security.--The term `adequate security' means security commensurate with the risk and magnitude of the harm resulting from the unauthorized access to or loss, misuse, destruction, or modification of information.
``(2) Agency.--The term `agency' has the meaning given the term in section 3502 of title 44.
``(3) Cybersecurity center.--The term `cybersecurity center' means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center.
``(4) Cyber threat information.--The term `cyber threat information' means information that indicates or describes--
``(A) a technical or operation vulnerability or a cyber threat mitigation measure;
``(B) an action or operation to mitigate a cyber threat;
``(C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat;
``(D) a method of defeating a technical control;
``(E) a method of defeating an operational control;
``(F) network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent;
``(G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control;
``(H) any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law;
``(I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or
``(J) any combination of subparagraphs (A) through (I).
``(5) Director.--The term `Director' means the Director of the Office of Management and Budget unless otherwise specified.
``(6) Environment of operation.--The term `environment of operation' means the information system and environment in which those systems operate, including changing threats, vulnerabilities, technologies, and missions and business practices.
``(7) Federal information system.--The term `Federal information system' means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
``(8) Incident.--The term `incident' means an occurrence that--
``(A) actually or imminently jeopardizes the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits; or
``(B) constitutes a violation of law or an imminent threat of violation of a law, a security policy, a security procedure, or an acceptable use policy.
``(9) Information resources.--The term `information resources' has the meaning given the term in section 3502 of title 44.
``(10) Information security.--The term `information security' means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide--
``(A) integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;
``(B) confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or
``(C) availability, by ensuring timely and reliable access to and use of information.
``(11) Information system.--The term `information system' has the meaning given the term in section 3502 of title 44.
``(12) Information technology.--The term `information technology' has the meaning given the term in section 11101 of title 40.
``(13) Malicious reconnaissance.--The term `malicious reconnaissance' means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
``(14) National security system.--
``(A) In general.--The term `national security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
``(B) Limitation.--Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
``(15) Operational control.--The term `operational control' means a security control for an information system that primarily is implemented and executed by people.
``(16) Person.--The term `person' has the meaning given the term in section 3502 of title 44.
``(17) Secretary.--The term `Secretary' means the Secretary of Commerce unless otherwise specified.
``(18) Security control.--The term `security control' means the management, operational, and technical controls, including safeguards or countermeasures, prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
``(19) Significant cyber incident.--The term `significant cyber incident' means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in--
``(A) the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or
``(B) an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated.
``(20) Technical control.--The term `technical control' means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system.
``Sec. 3553. Federal information security authority and coordination
``(a) In General.--The Secretary, in consultation with the Secretary of Homeland Security, shall--
``(1) issue compulsory and binding policies and directives governing agency information security operations, and require implementation of such policies and directives, including--
``(A) policies and directives consistent with the standards and guidelines promulgated under section 11331 of title 40 to identify and provide information security protections prioritized and commensurate with the risk and impact resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf of an agency; or
``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
``(B) minimum operational requirements for Federal Government to protect agency information systems and provide common situational awareness across all agency information systems;
``(C) reporting requirements, consistent with relevant law, regarding information security incidents and cyber threat information;
``(D) requirements for agencywide information security programs;
``(E) performance requirements and metrics for the security of agency information systems;
``(F) training requirements to ensure that agencies are able to fully and timely comply with the policies and directives issued by the Secretary under this subchapter;
``(G) training requirements regarding privacy, civil rights, and civil liberties, and information oversight for agency information security personnel;
``(H) requirements for the annual reports to the Secretary under section 3554(d);
``(I) any other information security operations or information security requirements as determined by the Secretary in coordination with relevant agency heads; and
``(J) coordinating the development of standards and guidelines under section 20 of
[[Page S5584]] the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems; ``(2) review the agencywide information security programs under section 3554; and ``(3) designate an individual or an entity at each cybersecurity center, among other responsibilities-- ``(A) to receive reports and information about information security incidents, cyber threat information, and deterioration of security control affecting agency information systems; and ``(B) to act on or share the information under subparagraph (A) in accordance with this subchapter. ``(b) Considerations.--When issuing policies and directives under subsection (a), the Secretary shall consider any applicable standards or guidelines developed by the National Institute of Standards and Technology under section 11331 of title 40. ``(c) Limitation of Authority.--The authorities of the Secretary under this section shall not apply to national security systems. Information security policies, directives, standards and guidelines for national security systems shall be overseen as directed by the President and, in accordance with that direction, carried out under the authority of the heads of agencies that operate or exercise authority over such national security systems. ``(d) Statutory Construction.--Nothing in this subchapter shall be construed to alter or amend any law regarding the authority of any head of an agency over such agency. ``Sec. 3554. 
Agency responsibilities ``(a) In General.--The head of each agency shall-- ``(1) be responsible for-- ``(A) complying with the policies and directives issued under section 3553; ``(B) providing information security protections commensurate with the risk resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of-- ``(i) information collected or maintained by the agency or by a contractor of an agency or other organization on behalf of an agency; and ``(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; ``(C) complying with the requirements of this subchapter, including-- ``(i) information security standards and guidelines promulgated under section 11331 of title 40; ``(ii) for any national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued as directed by the President; and ``(iii) for any non-national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued under section 3553; ``(D) ensuring that information security management processes are integrated with agency strategic and operational planning processes; ``(E) reporting and sharing, for an agency operating or exercising control of a national security system, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for national security systems issued as directed by the President; and ``(F) reporting and sharing, for those agencies operating or exercising control of non-national security systems, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated 
at each cybersecurity center and to other appropriate entities consistent with policies and directives for non-national security systems as prescribed under section 3553(a), including information to assist the entity designated under section 3555(a) with the ongoing security analysis under section 3555; ``(2) ensure that each senior agency official provides information security for the information and information systems that support the operations and assets under the senior agency official's control, including by-- ``(A) assessing the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems; ``(B) determining the level of information security appropriate to protect such information and information systems in accordance with policies and directives issued under section 3553(a), and standards and guidelines promulgated under section 11331 of title 40 for information security classifications and related requirements; ``(C) implementing policies, procedures, and capabilities to reduce risks to an acceptable level in a cost-effective manner; ``(D) actively monitoring the effective implementation of information security controls and techniques; and ``(E) reporting information about information security incidents, cyber threat information, and deterioration of security controls in a timely and adequate manner to the entity designated under section 3553(a)(3) in accordance with paragraph (1); ``(3) assess and maintain the resiliency of information technology systems critical to agency mission and operations; ``(4) designate the agency Inspector General (or an independent entity selected in consultation with the Director and the Council of Inspectors General on Integrity and Efficiency if the agency does not have an Inspector General) to conduct the annual independent evaluation required under section 3556, and allow the agency Inspector General to contract with an 
independent entity to perform such evaluation; ``(5) delegate to the Chief Information Officer or equivalent (or to a senior agency official who reports to the Chief Information Officer or equivalent)-- ``(A) the authority and primary responsibility to implement an agencywide information security program; and ``(B) the authority to provide information security for the information collected and maintained by the agency (or by a contractor, other agency, or other source on behalf of the agency) and for the information systems that support the operations, assets, and mission of the agency (including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency); ``(6) delegate to the appropriate agency official (who is responsible for a particular agency system or subsystem) the responsibility to ensure and enforce compliance with all requirements of the agency's agencywide information security program in coordination with the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5); ``(7) ensure that an agency has trained personnel who have obtained any necessary security clearances to permit them to assist the agency in complying with this subchapter; ``(8) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5), in coordination with other senior agency officials, reports to the agency head on the effectiveness of the agencywide information security program, including the progress of any remedial actions; and ``(9) ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5) has the necessary qualifications to administer the functions described in this subchapter and has information security duties as a 
primary duty of that official. ``(b) Chief Information Officers.--Each Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under subsection (a)(5) shall-- ``(1) establish and maintain an enterprise security operations capability that on a continuous basis-- ``(A) detects, reports, contains, mitigates, and responds to information security incidents that impair adequate security of the agency's information or information system in a timely manner and in accordance with the policies and directives under section 3553; and ``(B) reports any information security incident under subparagraph (A) to the entity designated under section 3555; ``(2) develop, maintain, and oversee an agencywide information security program; ``(3) develop, maintain, and oversee information security policies, procedures, and control techniques to address applicable requirements, including requirements under section 3553 of this title and section 11331 of title 40; and ``(4) train and oversee the agency personnel who have significant responsibility for information security with respect to that responsibility. 
``(c) Agencywide Information Security Programs.-- ``(1) In general.--Each agencywide information security program under subsection (b)(2) shall include-- ``(A) relevant security risk assessments, including technical assessments and others related to the acquisition process; ``(B) security testing commensurate with risk and impact; ``(C) mitigation of deterioration of security controls commensurate with risk and impact; ``(D) risk-based continuous monitoring and threat assessment of the operational status and security of agency information systems to enable evaluation of the effectiveness of and compliance with information security policies, procedures, and practices, including a relevant and appropriate selection of security controls of information systems identified in the inventory under section 3505(c); ``(E) operation of appropriate technical capabilities in order to detect, mitigate, report, and respond to information security incidents, cyber threat information, and deterioration of security controls in a manner that is consistent with the policies and directives under section 3553, including-- ``(i) mitigating risks associated with such information security incidents; ``(ii) notifying and consulting with the entity designated under section 3555; and ``(iii) notifying and consulting with, as appropriate-- [[Page S5585]] ``(I) law enforcement and the relevant Office of the Inspector General; and ``(II) any other entity, in accordance with law and as directed by the President; ``(F) a process to ensure that remedial action is taken to address any deficiencies in the information security policies, procedures, and practices of the agency; and ``(G) a plan and procedures to ensure the continuity of operations for information systems that support the operations and assets of the agency. 
``(2) Risk management strategies.--Each agencywide information security program under subsection (b)(2) shall include the development and maintenance of a risk management strategy for information security. The risk management strategy shall include-- ``(A) consideration of information security incidents, cyber threat information, and deterioration of security controls; and ``(B) consideration of the consequences that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency; ``(3) Policies and procedures.--Each agencywide information security program under subsection (b)(2) shall include policies and procedures that-- ``(A) are based on the risk management strategy under paragraph (2); ``(B) reduce information security risks to an acceptable level in a cost-effective manner; ``(C) ensure that cost-effective and adequate information security is addressed as part of the acquisition and ongoing management of each agency information system; and ``(D) ensure compliance with-- ``(i) this subchapter; and ``(ii) any other applicable requirements. ``(4) Training requirements.--Each agencywide information security program under subsection (b)(2) shall include information security, privacy, civil rights, civil liberties, and information oversight training that meets any applicable requirements under section 3553. 
The training shall inform each information security personnel that has access to agency information systems (including contractors and other users of information systems that support the operations and assets of the agency) of-- ``(A) the information security risks associated with the information security personnel's activities; and ``(B) the individual's responsibility to comply with the agency policies and procedures that reduce the risks under subparagraph (A). ``(d) Annual Report.--Each agency shall submit a report annually to the Secretary of Homeland Security on its agencywide information security program and information systems. ``Sec. 3555. Multiagency ongoing threat assessment ``(a) Implementation.--The Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, shall designate an entity to implement ongoing security analysis concerning agency information systems-- ``(1) based on cyber threat information; ``(2) based on agency information system and environment of operation changes, including-- ``(A) an ongoing evaluation of the information system security controls; and ``(B) the security state, risk level, and environment of operation of an agency information system, including-- ``(i) a change in risk level due to a new cyber threat; ``(ii) a change resulting from a new technology; ``(iii) a change resulting from the agency's mission; and ``(iv) a change resulting from the business practice; and ``(3) using automated processes to the maximum extent possible-- ``(A) to increase information system security; ``(B) to reduce paper-based reporting requirements; and ``(C) to maintain timely and actionable knowledge of the state of the information system security. ``(b) Standards.--The National Institute of Standards and Technology may promulgate standards, in coordination with the Secretary of Homeland Security, to assist an agency with its duties under this section. 
``(c) Compliance.--The head of each appropriate department and agency shall be responsible for ensuring compliance and implementing necessary procedures to comply with this section. The head of each appropriate department and agency, in consultation with the Director of the Office of Management and Budget and the Secretary of Homeland Security, shall-- ``(1) monitor compliance under this section; ``(2) develop a timeline and implement for the department or agency-- ``(A) adoption of any technology, system, or method that facilitates continuous monitoring and threat assessments of an agency information system; ``(B) adoption or updating of any technology, system, or method that prevents, detects, or remediates a significant cyber incident to a Federal information system of the department or agency that has impeded, or is reasonably likely to impede, the performance of a critical mission of the department or agency; and ``(C) adoption of any technology, system, or method that satisfies a requirement under this section. ``(d) Limitation of Authority.--The authorities of the Director of the Office of Management and Budget and of the Secretary of Homeland Security under this section shall not apply to national security systems. ``(e) Report.--Not later than 6 months after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Government Accountability Office shall issue a report evaluating each agency's status toward implementing this section. ``Sec. 3556. 
Independent evaluations ``(a) In General.--The Council of the Inspectors General on Integrity and Efficiency, in consultation with the Director and the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense, shall issue and maintain criteria for the timely, cost-effective, risk-based, and independent evaluation of each agencywide information security program (and practices) to determine the effectiveness of the agencywide information security program (and practices). The criteria shall include measures to assess any conflicts of interest in the performance of the evaluation and whether the agencywide information security program includes appropriate safeguards against disclosure of information where such disclosure may adversely affect information security. ``(b) Annual Independent Evaluations.--Each agency shall perform an annual independent evaluation of its agencywide information security program (and practices) in accordance with the criteria under subsection (a). ``(c) Distribution of Reports.--Not later than 30 days after receiving an independent evaluation under subsection (b), each agency head shall transmit a copy of the independent evaluation to the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense. ``(d) National Security Systems.--Evaluations involving national security systems shall be conducted as directed by the President. ``Sec. 3557. National security systems. 
``The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency-- ``(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; and ``(2) implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President.''. (b) Savings Provisions.-- (1) Policy and compliance guidance.--Policy and compliance guidance issued by the Director before the date of enactment of this Act under section 3543(a)(1) of title 44, United States Code (as in effect on the day before the date of enactment of this Act), shall continue in effect, according to its terms, until modified, terminated, superseded, or repealed pursuant to section 3553(a)(1) of title 44, United States Code. (2) Standards and guidelines.--Standards and guidelines issued by the Secretary of Commerce or by the Director before the date of enactment of this Act under section 11331(a)(1) of title 40, United States Code, (as in effect on the day before the date of enactment of this Act) shall continue in effect, according to their terms, until modified, terminated, superseded, or repealed pursuant to section 11331(a)(1) of title 40, United States Code, as amended by this Act. (c) Technical and Conforming Amendments.-- (1) Chapter analysis.--The chapter analysis for chapter 35 of title 44, United States Code, is amended-- (A) by striking the items relating to sections 3531 through 3538; (B) by striking the items relating to sections 3541 through 3549; and (C) by inserting the following: ``3551. Purposes. ``3552. Definitions. ``3553. Federal information security authority and coordination. ``3554. Agency responsibilities. ``3555. 
Multiagency ongoing threat assessment. ``3556. Independent evaluations. ``3557. National security systems.''. (2) Other references.-- (A) Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 3532(3)'' and inserting ``section 3552''. (B) Section 2222(j)(5) of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (C) Section 2223(c)(3) of title 10, United States Code, is amended, by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (D) Section 2315 of title 10, United States Code, is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552''. (E) Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended-- [[Page S5586]] (i) in subsection (a)(2), by striking ``section 3532(b)(2)'' and inserting ``section 3552''; (ii) in subsection (c)(3), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (iii) in subsection (d)(1), by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (iv) in subsection (d)(8) by striking ``Director of the Office of Management and Budget'' and inserting ``Secretary of Commerce''; (v) in subsection (d)(8), by striking ``submitted to the Director'' and inserting ``submitted to the Secretary''; (vi) in subsection (e)(2), by striking ``section 3532(1) of such title'' and inserting ``section 3552 of title 44''; and (vii) in subsection (e)(5), by striking ``section 3532(b)(2) of such title'' and inserting ``section 3552 of title 44''. (F) Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking ``section 3534(b)'' and inserting ``section 3554(b)(2)''. SEC. 202. MANAGEMENT OF INFORMATION TECHNOLOGY. (a) In General.--Section 11331 of title 40, United States Code, is amended to read as follows: ``Sec. 11331. 
Responsibilities for Federal information systems standards ``(a) Standards and Guidelines.-- ``(1) Authority to prescribe.--Except as provided under paragraph (2), the Secretary of Commerce shall prescribe standards and guidelines pertaining to Federal information systems-- ``(A) in consultation with the Secretary of Homeland Security; and ``(B) on the basis of standards and guidelines developed by the National Institute of Standards and Technology under paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)(2) and (a)(3)). ``(2) National security systems.--Standards and guidelines for national security systems shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President. ``(b) Mandatory Standards and Guidelines.-- ``(1) Authority to make mandatory standards and guidelines.--The Secretary of Commerce shall make standards and guidelines under subsection (a)(1) compulsory and binding to the extent determined necessary by the Secretary of Commerce to improve the efficiency of operation or security of Federal information systems. ``(2) Required mandatory standards and guidelines.-- ``(A) In general.--Standards and guidelines under subsection (a)(1) shall include information security standards that-- ``(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)); and ``(ii) are otherwise necessary to improve the security of Federal information and information systems. ``(B) Binding effect.--Information security standards under subparagraph (A) shall be compulsory and binding. ``(c) Exercise of Authority.--To ensure fiscal and policy consistency, the Secretary of Commerce shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director. 
``(d) Application of More Stringent Standards and Guidelines.--The head of an executive agency may employ standards for the cost-effective information security for information systems within or under the supervision of that agency that are more stringent than the standards and guidelines the Secretary of Commerce prescribes under this section if the more stringent standards and guidelines-- ``(1) contain at least the applicable standards and guidelines made compulsory and binding by the Secretary of Commerce; and ``(2) are otherwise consistent with the policies, directives, and implementation memoranda issued under section 3553(a) of title 44. ``(e) Decisions on Promulgation of Standards and Guidelines.--The decision by the Secretary of Commerce regarding the promulgation of any standard or guideline under this section shall occur not later than 6 months after the date of submission of the proposed standard to the Secretary of Commerce by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3). ``(f) Notice and Comment.--A decision by the Secretary of Commerce to significantly modify, or not promulgate, a proposed standard submitted to the Secretary by the National Institute of Standards and Technology under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) shall be made after the public is given an opportunity to comment on the Secretary's proposed decision. ``(g) Definitions.--In this section: ``(1) Federal information system.--The term `Federal information system' has the meaning given the term in section 3552 of title 44. ``(2) Information security.--The term `information security' has the meaning given the term in section 3552 of title 44. ``(3) National security system.--The term `national security system' has the meaning given the term in section 3552 of title 44.''. SEC. 203. NO NEW FUNDING. 
An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate. SEC. 204. TECHNICAL AND CONFORMING AMENDMENTS. Section 21(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-4(b)) is amended-- (1) in paragraph (2), by striking ``and the Director of the Office of Management and Budget'' and inserting ``, the Secretary of Commerce, and the Secretary of Homeland Security''; and (2) in paragraph (3), by inserting ``, the Secretary of Homeland Security,'' after ``the Secretary of Commerce''. SEC. 205. CLARIFICATION OF AUTHORITIES. Nothing in this title shall be construed to convey any new regulatory authority to any government entity implementing or complying with any provision of this title. TITLE III--CRIMINAL PENALTIES SEC. 301. PENALTIES FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS. Section 1030(c) of title 18, United States Code, is amended to read as follows: ``(c) The punishment for an offense under subsection (a) or (b) of this section is-- ``(1) a fine under this title or imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(1) of this section; ``(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than 3 years, or both, in the case of an offense under subsection (a)(2); or ``(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2) of this section, if-- ``(i) the offense was committed for purposes of commercial advantage or private financial gain; ``(ii) the offense was committed in the furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States, or of any State; or ``(iii) the value of the information obtained, or that would have been obtained if the offense was completed, exceeds 
$5,000; ``(3) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(3) of this section; ``(4) a fine under this title or imprisonment of not more than 20 years, or both, in the case of an offense under subsection (a)(4) of this section; ``(5)(A) except as provided in subparagraph (C), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A) of this section, if the offense caused-- ``(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; ``(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; ``(iii) physical injury to any person; ``(iv) a threat to public health or safety; ``(v) damage affecting a computer used by, or on behalf of, an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or ``(vi) damage affecting 10 or more protected computers during any 1-year period; ``(B) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(B), if the offense caused a harm provided in clause (i) through (vi) of subparagraph (A) of this subsection; ``(C) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; ``(D) a fine under this title, imprisonment for not more than 10 years, or both, for any other offense under subsection (a)(5); ``(E) a fine under this title or imprisonment for not more than 10 years, 
or both, in the case of an offense under subsection (a)(6) of this section; or ``(F) a fine under this title or imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(7) of this section.''. SEC. 302. TRAFFICKING IN PASSWORDS. Section 1030(a)(6) of title 18, United States Code, is amended to read as follows: ``(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information or means of access through which a protected computer (as defined in subparagraphs (A) and (B) of subsection (e)(2)) may be accessed without authorization.''. SEC. 303. CONSPIRACY AND ATTEMPTED COMPUTER FRAUD OFFENSES. Section 1030(b) of title 18, United States Code, is amended by inserting ``as if for the completed offense'' after ``punished as provided''. SEC. 304. CRIMINAL AND CIVIL FORFEITURE FOR FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS. Section 1030 of title 18, United States Code, is amended by striking subsections (i) and (j) and inserting the following: [[Page S5587]] ``(i) Criminal Forfeiture.-- ``(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States-- ``(A) such person's interest in any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of such violation; and ``(B) any property, real or personal, constituting or derived from any gross proceeds, or any property traceable to such property, that such person obtained, directly or indirectly, as a result of such violation. 
``(2) The criminal forfeiture of property under this subsection, including any seizure and disposition of the property, and any related judicial or administrative proceeding, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section. ``(j) Civil Forfeiture.-- ``(1) The following shall be subject to forfeiture to the United States and no property right, real or personal, shall exist in them: ``(A) Any property, real or personal, that was used, or intended to be used, to commit or facilitate the commission of any violation of this section, or a conspiracy to violate this section. ``(B) Any property, real or personal, constituting or derived from any gross proceeds obtained directly or indirectly, or any property traceable to such property, as a result of the commission of any violation of this section, or a conspiracy to violate this section. ``(2) Seizures and forfeitures under this subsection shall be governed by the provisions in chapter 46 relating to civil forfeitures, except that such duties as are imposed on the Secretary of the Treasury under the customs laws described in section 981(d) shall be performed by such officers, agents and other persons as may be designated for that purpose by the Secretary of Homeland Security or the Attorney General.''. SEC. 305. DAMAGE TO CRITICAL INFRASTRUCTURE COMPUTERS. (a) In General.--Chapter 47 of title 18, United States Code, is amended by inserting after section 1030 the following: ``Sec. 1030A. 
Aggravated damage to a critical infrastructure computer
``(a) Definitions.--In this section--
``(1) the term `computer' has the meaning given the term in section 1030;
``(2) the term `critical infrastructure computer' means a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated, including-- ``(A) oil and gas production, storage, conversion, and delivery systems; ``(B) water supply systems; ``(C) telecommunication networks; ``(D) electrical power generation and delivery systems; ``(E) finance and banking systems; ``(F) emergency services; ``(G) transportation systems and services; and ``(H) government operations that provide essential services to the public; and
``(3) the term `damage' has the meaning given the term in section 1030.
``(b) Offense.--It shall be unlawful, during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer if the damage results in (or, in the case of an attempt, if completed, would have resulted in) the substantial impairment--
``(1) of the operation of the critical infrastructure computer; or
``(2) of the critical infrastructure associated with the computer.
``(c) Penalty.--Any person who violates subsection (b) shall be--
``(1) fined under this title;
``(2) imprisoned for not less than 3 years but not more than 20 years; or
``(3) penalized under paragraphs (1) and (2).
``(d) Consecutive Sentence.--Notwithstanding any other provision of law--
``(1) a court shall not place on probation any person convicted of a violation of this section;
``(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment, including any term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for a felony violation of section 1030;
``(3) in determining any term of imprisonment to be imposed for a felony violation of section 1030, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section; and
``(4) a term of imprisonment imposed on a person for a violation of this section may, in the discretion of the court, run concurrently, in whole or in part, only with another term of imprisonment that is imposed by the court at the same time on that person for an additional violation of this section, provided that such discretion shall be exercised in accordance with any applicable guidelines and policy statements issued by the United States Sentencing Commission pursuant to section 994 of title 28.''.
(b) Technical and Conforming Amendment.--The chapter analysis for chapter 47 of title 18, United States Code, is amended by inserting after the item relating to section 1030 the following: ``1030A. Aggravated damage to a critical infrastructure computer.''.

SEC. 306. LIMITATION ON ACTIONS INVOLVING UNAUTHORIZED USE.
Section 1030(e)(6) of title 18, United States Code, is amended by striking ``alter;'' and inserting ``alter, but does not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized;''.

SEC. 307. NO NEW FUNDING.

An applicable Federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate.

TITLE IV--CYBERSECURITY RESEARCH AND DEVELOPMENT

SEC. 401. NATIONAL HIGH-PERFORMANCE COMPUTING PROGRAM PLANNING AND COORDINATION.

(a) Goals and Priorities.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following:
``(d) Goals and Priorities.--The goals and priorities for Federal high-performance computing research, development, networking, and other activities under subsection (a)(2)(A) shall include--
``(1) encouraging and supporting mechanisms for interdisciplinary research and development in networking and information technology, including-- ``(A) through collaborations across agencies; ``(B) through collaborations across Program Component Areas; ``(C) through collaborations with industry; ``(D) through collaborations with institutions of higher education; ``(E) through collaborations with Federal laboratories (as defined in section 4 of the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3703)); and ``(F) through collaborations with international organizations;
``(2) addressing national, multi-agency, multi-faceted challenges of national importance; and
``(3) fostering the transfer of research and development results into new technologies and applications for the benefit of society.''.
(b) Development of Strategic Plan.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following:
``(e) Strategic Plan.--
``(1) In general.--Not later than 1 year after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the agencies under subsection (a)(3)(B), working through the National Science and Technology Council and with the assistance of the Office of Science and Technology Policy shall develop a 5-year strategic plan to guide the activities under subsection (a)(1).
``(2) Contents.--The strategic plan shall specify-- ``(A) the near-term objectives for the Program; ``(B) the long-term objectives for the Program; ``(C) the anticipated time frame for achieving the near-term objectives; ``(D) the metrics that will be used to assess any progress made toward achieving the near-term objectives and the long-term objectives; and ``(E) how the Program will achieve the goals and priorities under subsection (d).
``(3) Implementation roadmap.-- ``(A) In general.--The agencies under subsection (a)(3)(B) shall develop and annually update an implementation roadmap for the strategic plan. ``(B) Requirements.--The information in the implementation roadmap shall be coordinated with the database under section 102(c) and the annual report under section 101(a)(3).
The implementation roadmap shall-- ``(i) specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated, with consideration of any relevant recommendations of the advisory committee; ``(ii) specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year; and ``(iii) estimate the funding required for each major research objective of the strategic plan for the next 3 fiscal years.
``(4) Recommendations.--The agencies under subsection (a)(3)(B) shall take into consideration when developing the strategic plan under paragraph (1) the recommendations of-- ``(A) the advisory committee under subsection (b); and ``(B) the stakeholders under section 102(a)(3).
``(5) Report to congress.--The Director of the Office of Science and Technology Policy shall transmit the strategic plan under this
[[Page S5588]]
subsection, including the implementation roadmap and any updates under paragraph (3), to-- ``(A) the advisory committee under subsection (b); ``(B) the Committee on Commerce, Science, and Transportation of the Senate; and ``(C) the Committee on Science and Technology of the House of Representatives.''.
(c) Periodic Reviews.--Section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) is amended by adding at the end the following:
``(f) Periodic Reviews.--The agencies under subsection (a)(3)(B) shall--
``(1) periodically assess the contents and funding levels of the Program Component Areas and restructure the Program when warranted, taking into consideration any relevant recommendations of the advisory committee under subsection (b); and
``(2) ensure that the Program includes national, multi-agency, multi-faceted research and development activities, including activities described in section 104.''.
(d) Additional Responsibilities of Director.--Section 101(a)(2) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(2)) is amended--
(1) by redesignating subparagraphs (E) and (F) as subparagraphs (G) and (H), respectively; and
(2) by inserting after subparagraph (D) the following: ``(E) encourage and monitor the efforts of the agencies participating in the Program to allocate the level of resources and management attention necessary-- ``(i) to ensure that the strategic plan under subsection (e) is developed and executed effectively; and ``(ii) to ensure that the objectives of the Program are met; ``(F) working with the Office of Management and Budget and in coordination with the creation of the database under section 102(c), direct the Office of Science and Technology Policy and the agencies participating in the Program to establish a mechanism (consistent with existing law) to track all ongoing and completed research and development projects and associated funding;''.
(e) Advisory Committee.--Section 101(b) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(b)) is amended--
(1) in paragraph (1)-- (A) by inserting after the first sentence the following: ``The co-chairs of the advisory committee shall meet the qualifications of committee members and may be members of the President's Council of Advisors on Science and Technology.''; and (B) by striking ``high-performance'' in subparagraph (D) and inserting ``high-end''; and
(2) by amending paragraph (2) to read as follows:
``(2) In addition to the duties under paragraph (1), the advisory committee shall conduct periodic evaluations of the funding, management, coordination, implementation, and activities of the Program. The advisory committee shall report its findings and recommendations not less frequently than once every 3 fiscal years to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science and Technology of the House of Representatives.
The report shall be submitted in conjunction with the update of the strategic plan.''.
(f) Report.--Section 101(a)(3) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)) is amended--
(1) in subparagraph (C)-- (A) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and (B) by striking ``each Program Component Area'' and inserting ``each Program Component Area and each research area supported in accordance with section 104'';
(2) in subparagraph (D)-- (A) by striking ``each Program Component Area,'' and inserting ``each Program Component Area and each research area supported in accordance with section 104,''; (B) by striking ``is submitted,'' and inserting ``is submitted, the levels for the previous fiscal year,''; and (C) by striking ``and'' after the semicolon;
(3) by redesignating subparagraph (E) as subparagraph (G); and
(4) by inserting after subparagraph (D) the following: ``(E) include a description of how the objectives for each Program Component Area, and the objectives for activities that involve multiple Program Component Areas, relate to the objectives of the Program identified in the strategic plan under subsection (e); ``(F) include-- ``(i) a description of the funding required by the Office of Science and Technology Policy to perform the functions under subsections (a) and (c) of section 102 for the next fiscal year by category of a