In this section—
(1) the term "cybersecurity risk"—
(A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and
(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;
(2) the terms "cyber threat indicator" and "defensive measure" have the meanings given those terms in section 102 of the Cybersecurity Act of 2015 [6 U.S.C. 1501];
(3) the term "incident" means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system;
(4) the term "information sharing and analysis organization" has the meaning given that term in section 131(5) of this title;
(5) the term "information system" has the meaning given that term in section 3502(8) of title 44; and
(6) the term "sharing" (including all conjugations thereof) means providing, receiving, and disseminating (including all conjugations of each of such terms).
There is in the Department a national cybersecurity and communications integration center (referred to in this section as the "Center") to carry out certain responsibilities of the Under Secretary appointed under section 113(a)(1)(H) of this title.
The cybersecurity functions of the Center shall include—
(1) being a Federal civilian interface for the multi-directional and cross-sector sharing of information related to cyber threat indicators, defensive measures, cybersecurity risks, incidents, analysis, and warnings for Federal and non-Federal entities, including the implementation of title I of the Cybersecurity Act of 2015 [6 U.S.C. 1501 et seq.];
(2) providing shared situational awareness to enable real-time, integrated, and operational actions across the Federal Government and non-Federal entities to address cybersecurity risks and incidents to Federal and non-Federal entities;
(3) coordinating the sharing of information related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents across the Federal Government;
(4) facilitating cross-sector coordination to address cybersecurity risks and incidents, including cybersecurity risks and incidents that may be related or could have consequential impacts across multiple sectors;
(5)(A) conducting integration and analysis, including cross-sector integration and analysis, of cyber threat indicators, defensive measures, cybersecurity risks, and incidents; and
(B) sharing the analysis conducted under subparagraph (A) with Federal and non-Federal entities;
(6) upon request, providing timely technical assistance, risk management support, and incident response capabilities to Federal and non-Federal entities with respect to cyber threat indicators, defensive measures, cybersecurity risks, and incidents, which may include attribution, mitigation, and remediation;
(7) providing information and recommendations on security and resilience measures to Federal and non-Federal entities, including information and recommendations to—
(A) facilitate information security;
(B) strengthen information systems against cybersecurity risks and incidents; and
(C) sharing 1 cyber threat indicators and defensive measures;
(8) engaging with international partners, in consultation with other appropriate agencies, to—
(A) collaborate on cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents; and
(B) enhance the security and resilience of global cybersecurity;
(9) sharing cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities, including across sectors of critical infrastructure and with State and major urban area fusion centers, as appropriate;
(10) participating, as appropriate, in national exercises run by the Department; and
(11) in coordination with the Office of Emergency Communications of the Department, assessing and evaluating consequence, vulnerability, and threat information regarding cyber incidents to public safety communications to help facilitate continuous improvements to the security and resiliency of such communications.
The Center shall be composed of—
(A) appropriate representatives of Federal entities, such as—
(i) sector-specific agencies;
(ii) civilian and law enforcement agencies; and
(iii) elements of the intelligence community, as that term is defined under section 3003(4) of title 50;
(B) appropriate representatives of non-Federal entities, such as—
(i) State, local, and tribal governments;
(ii) information sharing and analysis organizations, including information sharing and analysis centers;
(iii) owners and operators of critical information systems; and
(iv) private entities;
(C) components within the Center that carry out cybersecurity and communications activities;
(D) a designated Federal official for operational coordination with and across each sector;
(E) an entity that collaborates with State and local governments on cybersecurity risks and incidents, and has entered into a voluntary information sharing relationship with the Center; and
(F) other appropriate representatives or entities, as determined by the Secretary.
In the event of an incident, during exigent circumstances the Secretary may grant a Federal or non-Federal entity immediate temporary access to the Center.
In carrying out the functions under subsection (c), the Center shall ensure—
(1) to the extent practicable, that—
(A) timely, actionable, and relevant cyber threat indicators, defensive measures, and information related to cybersecurity risks, incidents, and analysis is shared;
(B) when appropriate, cyber threat indicators, defensive measures, and information related to cybersecurity risks, incidents, and analysis is integrated with other relevant information and tailored to the specific characteristics of a sector;
(C) activities are prioritized and conducted based on the level of risk;
(D) industry sector-specific, academic, and national laboratory expertise is sought and receives appropriate consideration;
(E) continuous, collaborative, and inclusive coordination occurs—
(i) across sectors; and
(ii) with—
(I) sector coordinating councils;
(II) information sharing and analysis organizations; and
(III) other appropriate non-Federal partners;
(F) as appropriate, the Center works to develop and use mechanisms for sharing information related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents that are technology-neutral, interoperable, real-time, cost-effective, and resilient;
(G) the Center works with other agencies to reduce unnecessarily duplicative sharing of information related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents; and; 2
(H) the Center designates an agency contact for non-Federal entities;
(2) that information related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents is appropriately safeguarded against unauthorized access or disclosure; and
(3) that activities conducted by the Center comply with all policies, regulations, and laws that protect the privacy and civil liberties of United States persons, including by working with the Privacy Officer appointed under section 142 of this title to ensure that the Center follows the policies and procedures specified in subsections (b) and (d)(5)(C) of section 105 of the Cybersecurity Act of 2015 [6 U.S.C. 1504].
The provision of assistance or information to, and inclusion in the Center of, governmental or private entities under this section shall be at the sole and unreviewable discretion of the Under Secretary appointed under section 113(a)(1)(H) of this title.
The provision of certain assistance or information to, or inclusion in the Center of, one governmental or private entity pursuant to this section shall not create a right or benefit, substantive or procedural, to similar assistance or information for any other governmental or private entity.
The Under Secretary appointed under section 113(a)(1)(H) of this title, in coordination with industry and other stakeholders, shall develop capabilities making use of existing information technology industry standards and best practices, as appropriate, that support and rapidly advance the development, adoption, and implementation of automated mechanisms for the sharing of cyber threat indicators and defensive measures in accordance with title I of the Cybersecurity Act of 2015 [6 U.S.C. 1501 et seq.].
The Under Secretary appointed under section 113(a)(1)(H) of this title shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives an annual report on the status and progress of the development of the capabilities described in paragraph (1). Such reports shall be required until such capabilities are fully implemented.
The Center may enter into a voluntary information sharing relationship with any consenting non-Federal entity for the sharing of cyber threat indicators and defensive measures for cybersecurity purposes in accordance with this section. Nothing in this subsection may be construed to require any non-Federal entity to enter into any such information sharing relationship with the Center or any other entity. The Center may terminate a voluntary information sharing relationship under this subsection, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 113(a)(1)(H) of this title, for any reason, including if the Center determines that the non-Federal entity with which the Center has entered into such a relationship has violated the terms of this subsection.
The Secretary may decline to enter into a voluntary information sharing relationship under this subsection, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 113(a)(1)(H) of this title, for any reason, including if the Secretary determines that such is appropriate for national security.
A voluntary information sharing relationship under this subsection may be characterized as an agreement described in this paragraph.
For the use of a non-Federal entity, the Center shall make available a standard agreement, consistent with this section, on the Department's website.
At the request of a non-Federal entity, and if determined appropriate by the Center, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 113(a)(1)(H) of this title, the Department shall negotiate a non-standard agreement, consistent with this section.
An agreement between the Center and a non-Federal entity that is entered into before December 18, 2015, or such an agreement that is in effect before such date, shall be deemed in compliance with the requirements of this subsection, notwithstanding any other provision or requirement of this subsection. An agreement under this subsection shall include the relevant privacy protections as in effect under the Cooperative Research and Development Agreement for Cybersecurity Information Sharing and Collaboration, as of December 31, 2014. Nothing in this subsection may be construed to require a non-Federal entity to enter into either a standard or negotiated agreement to be in compliance with this subsection.
The Secretary shall develop policies and procedures for direct reporting to the Secretary by the Director of the Center regarding significant cybersecurity risks and incidents.
Not later than 180 days after December 18, 2015, and periodically thereafter, the Secretary of Homeland Security shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the range of efforts underway to bolster cybersecurity collaboration with relevant international partners in accordance with subsection (c)(8).
Not later than 60 days after December 18, 2015, the Secretary, acting through the Under Secretary appointed under section 113(a)(1)(H) of this title, shall—
(1) disseminate to the public information about how to voluntarily share cyber threat indicators and defensive measures with the Center; and
(2) enhance outreach to critical infrastructure owners and operators for purposes of such sharing.
The Secretary, in coordination with industry and other stakeholders, may develop and adhere to Department policies and procedures for coordinating vulnerability disclosures.
(Pub. L. 107–296, title II, §227, formerly §226, as added Pub. L. 113–282, §3(a), Dec. 18, 2014, 128 Stat. 3066; renumbered §227 and amended Pub. L. 114–113, div. N, title II, §§203, 223(a)(3), Dec. 18, 2015, 129 Stat. 2957, 2963.)
Title I of the Cybersecurity Act of 2015, referred to in subsecs. (c)(1) and (g)(1), is title I of Pub. L. 114–113, div. N, Dec. 18, 2015, 129 Stat. 2936, also known as the Cybersecurity Information Sharing Act of 2015, which is classified generally to subchapter I of chapter 6 of this title. For complete classification of title I to the Code, see Short Title note set out under section 1501 of this title and Tables.
A prior section 227 of Pub. L. 107–296, as added by Pub. L. 113–282, §7(a), Dec. 18, 2014, 128 Stat. 3070, was classified to section 149 of this title prior to redesignation by Pub. L. 114–113 as section 228(c) of Pub. L. 107–296, which is now classified to section 149(c) of this title.
2015—Subsec. (a)(1) to (5). Pub. L. 114–113, §203(1)(A), (B), added pars. (1) to (3), redesignated former pars. (3) and (4) as (4) and (5), respectively, and struck out former pars. (1) and (2), which defined "cybersecurity risk" and "incident", respectively.
Subsec. (a)(6). Pub. L. 114–113, §203(1)(C)–(E), added par. (6).
Subsec. (c)(1). Pub. L. 114–113, §203(2)(A), inserted "cyber threat indicators, defensive measures," before "cybersecurity risks" and ", including the implementation of title I of the Cybersecurity Act of 2015" before semicolon at end.
Subsec. (c)(3). Pub. L. 114–113, §203(2)(B), substituted "cyber threat indicators, defensive measures, cybersecurity risks," for "cybersecurity risks".
Subsec. (c)(5)(A). Pub. L. 114–113, §203(2)(C), substituted "cyber threat indicators, defensive measures, cybersecurity risks," for "cybersecurity risks".
Subsec. (c)(6). Pub. L. 114–113, §203(2)(D), substituted "cyber threat indicators, defensive measures, cybersecurity risks," for "cybersecurity risks" and struck out "and" at end.
Subsec. (c)(7)(C). Pub. L. 114–113, §203(2)(E), added subpar. (C).
Subsec. (c)(8) to (11). Pub. L. 114–113, §203(2)(F), added pars. (8) to (11).
Subsec. (d)(1)(B)(i). Pub. L. 114–113, §203(3)(A)(i), substituted ", local, and tribal" for "and local".
Subsec. (d)(1)(B)(ii). Pub. L. 114–113, §203(3)(A)(ii), substituted ", including information sharing and analysis centers;" for "; and".
Subsec. (d)(1)(B)(iv). Pub. L. 114–113, §203(3)(A)(iii), (iv), added cl. (iv).
Subsec. (d)(1)(E), (F). Pub. L. 114–113, §203(3)(B)–(D), added subpar. (E) and redesignated former subpar. (E) as (F).
Subsec. (e)(1)(A). Pub. L. 114–113, §203(4)(A)(i), inserted "cyber threat indicators, defensive measures, and" before "information".
Subsec. (e)(1)(B). Pub. L. 114–113, §203(4)(A)(ii), inserted "cyber threat indicators, defensive measures, and" before "information related".
Subsec. (e)(1)(F). Pub. L. 114–113, §203(4)(A)(iii), substituted "cyber threat indicators, defensive measures, cybersecurity risks," for "cybersecurity risks" and struck out "and" at end.
Subsec. (e)(1)(G). Pub. L. 114–113, §203(4)(A)(iv), substituted "cyber threat indicators, defensive measures, cybersecurity risks, and incidents; and" for "cybersecurity risks and incidents".
Subsec. (e)(1)(H). Pub. L. 114–113, §203(4)(A)(v), added subpar. (H).
Subsec. (e)(2). Pub. L. 114–113, §203(4)(B), substituted "cyber threat indicators, defensive measures, cybersecurity risks," for "cybersecurity risks" and inserted "or disclosure" after "access".
Subsec. (e)(3). Pub. L. 114–113, §203(4)(C), inserted ", including by working with the Privacy Officer appointed under section 142 of this title to ensure that the Center follows the policies and procedures specified in subsections (b) and (d)(5)(C) of section 105 of the Cybersecurity Act of 2015" before period at end.
Subsecs. (g) to (l). Pub. L. 114–113, §203(5), added subsecs. (g) to (l).
Pub. L. 113–282, §8, Dec. 18, 2014, 128 Stat. 3072, provided that:
"(a)
"(b)
"(1) to request assistance from the Secretary; or
"(2) that requested such assistance from the Secretary to implement any measure or recommendation suggested by the Secretary."
Pub. L. 113–282, §2, Dec. 18, 2014, 128 Stat. 3066, provided that: "In this Act [see section 1 of Pub. L. 113–282, set out as a Short Title of 2014 Amendment note under section 101 of this title]—
"(1) the term 'Center' means the national cybersecurity and communications integration center under section 226 [renumbered 227 by section 223(a)(3) of Pub. L. 114–113] of the Homeland Security Act of 2002 [6 U.S.C. 148], as added by section 3;
"(2) the term 'critical infrastructure' has the meaning given that term in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101);
"(3) the term 'cybersecurity risk' has the meaning given that term in section 226 of the Homeland Security Act of 2002, as added by section 3;
"(4) the term 'information sharing and analysis organization' has the meaning given that term in section 212(5) of the Homeland Security Act of 2002 (6 U.S.C. 131(5));
"(5) the term 'information system' has the meaning given that term in section 3502(8) of title 44, United States Code; and
"(6) the term 'Secretary' means the Secretary of Homeland Security."