Professional Documents
Culture Documents
S.L.C.
111TH CONGRESS
2D SESSION
S. ll
To amend the Homeland Security Act of 2002 and other laws to enhance
the security and resiliency of the cyber and communications infrastructure of the United States.
A BILL
To amend the Homeland Security Act of 2002 and other
laws to enhance the security and resiliency of the cyber
and communications infrastructure of the United States.
1
HEN10553
S.L.C.
2
TITLE IOFFICE OF CYBERSPACE POLICY
Sec.
Sec.
Sec.
Sec.
101.
102.
103.
104.
401.
402.
403.
404.
405.
406.
407.
408.
Definitions.
Assessment of cybersecurity workforce.
Strategic cybersecurity workforce planning.
Cybersecurity occupation classifications.
Measures of cybersecurity hiring effectiveness.
Training and education.
Cybersecurity incentives.
Recruitment and retention program for the National Center for Cybersecurity and Communications.
TITLE VOTHER PROVISIONS
Sec.
Sec.
Sec.
Sec.
501.
502.
503.
504.
SEC. 3. DEFINITIONS.
In this Act:
(1) APPROPRIATE
TEES.The
mittees means
6
7
CONGRESSIONAL
COMMIT-
HEN10553
S.L.C.
3
1
2
tives; and
(2) CRITICAL
INFRASTRUCTURE.The
term
10
11
12
(3)
CYBERSPACE.The
term
cyberspace
13
14
frastructure,
15
16
17
dustries.
and
includes
the
Internet,
tele-
18
19
20
section 101.
21
22
(5) FEDERAL
AGENCY.The
term Federal
agency
23
24
25
HEN10553
S.L.C.
4
1
various subdivisions.
(6)
TURE.The
10
FEDERAL
INFORMATION
INFRASTRUC-
ture
11
12
13
14
15
16
and
17
18
19
20
21
22
23
24
25
occurrence that
HEN10553
S.L.C.
5
1
mation infrastructure; or
or transmits; or
10
tion infrastructure.
11
(8)
INFORMATION
INFRASTRUCTURE.The
12
13
14
15
16
17
18
(9) INFORMATION
SECURITY.The
term infor-
19
20
21
22
in order to provide
23
24
HEN10553
S.L.C.
6
1
(10) INFORMATION
TECHNOLOGY.The
term
10
11
12
Code.
13
(11) INTELLIGENCE
COMMUNITY.The
term
14
15
16
17
(12) KEY
RESOURCES.The
18
19
20
101)
21
(13) NATIONAL
22
AND COMMUNICATIONS.The
23
24
25
HEN10553
S.L.C.
7
1
Act.
(14) NATIONAL
INFORMATION
INFRASTRUC-
TURE.The
10
11
States; and
12
13
14
(15) NATIONAL
SECURITY SYSTEM.The
term
15
16
17
18
(16) NATIONAL
STRATEGY.The
term Na-
19
20
21
22
23
24
101.
HEN10553
S.L.C.
8
1
come
incident.
assessed
as
(19) RISK-BASED
function
SECURITY.The
of
threats,
term risk-
10
11
12
14
TITLE IOFFICE OF
CYBERSPACE POLICY
15
13
16
17
SPACE POLICY.
(a) ESTABLISHMENT
OF
OFFICE.There is estab-
21
22
23
24
25
lating to
HEN10553
S.L.C.
9
1
other activities;
key resources;
(F) diplomacy;
10
11
12
13
14
15
16
ing
17
18
19
20
agencies; and
21
22
23
24
space;
HEN10553
S.L.C.
10
1
10
11
12
13
14
evant to
15
16
17
structure; and
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
11
1
(1) IN
GENERAL.There
shall be a Director of
fice.
(2) EXECUTIVE
SCHEDULE POSITION.Section
7
8
9
10
11
(a) APPOINTMENT.
(1) IN
GENERAL.The
12
13
14
15
16
17
18
19
20
21
Federal Government.
22
23
24
HEN10553
S.L.C.
12
1
Nation;
ests;
10
11
12
13
14
15
16
17
18
19
20
21
22
23
and
HEN10553
S.L.C.
13
1
the Office;
10
11
egy
12
13
14
15
16
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
14
1
House of Representatives;
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Government;
24
25
HEN10553
S.L.C.
15
1
10
11
12
13
14
15
16
17
18
19
20
21
22
23 is amended
24
HEN10553
S.L.C.
16
1
2
3
10
11
EGY.
12
21 eral agency shall ensure the timely development and sub22 mission to the Director of each proposed budget under this
23 section, in such format as may be designated by the Direc24 tor with the concurrence of the Director of the Office of
25 Management and Budget.
HEN10553
S.L.C.
17
1
2
(c) ADEQUACY
QUESTS.With
OF THE
3 with, the Office of E-Government and Information Tech4 nology and the National Center for Cybersecurity and
5 Communications, the Director shall review each budget
6 submission to assess the adequacy of the proposed request
7 with regard to implementation of the National Strategy.
8
9 tor concludes that a budget request submitted under sub10 section (a) is inadequate, in whole or in part, to implement
11 the objectives of the National Strategy, the Director shall
12 submit to the Director of the Office of Management and
13 Budget and the head of the Federal agency submitting
14 the budget request a written description of funding levels
15 and specific initiatives that would, in the determination
16 of the Director, make the request adequate.
17
18
HEN10553
S.L.C.
18
1
community;
9
10
17
18
19
20
21
22
23
HEN10553
S.L.C.
19
1
HEN10553
S.L.C.
20
1
2
Subtitle ECybersecurity
10
In this subtitle
11
12
13
14
15
16
17
18
Representatives;
19
20
21
22
23
HEN10553
S.L.C.
21
1
4
5
10
11
12
13
14
15
16
17
18
19
20
21
22
23
cy; and
24
25
HEN10553
S.L.C.
22
1
various subdivisions;
ture
10
and
11
12
13
14
15
16
17
18
19
20
21
22
that
(A) actually or potentially jeopardizes
(i) the information security of information infrastructure; or
23
24
25
or transmits; or
HEN10553
S.L.C.
23
1
information infrastructure.
10
11
12
data;
13
14
15
16
17
vide
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
24
1
critical
10
11
specific sector;
information
relating
to
threats,
12
13
14
15
16
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
25
1
8
9
10
11
12
13
14
15
States; and
16
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
26
1
title;
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
27
1
10
11
12
13
14
15
section 244.
16
17
18
19
COMMUNICATIONS.
(a) ESTABLISHMENT.
(1) IN
GENERAL.There
is established within
20
21
and Communications.
22
23
(2)
may
OPERATIONAL
ENTITY.The
Center
HEN10553
S.L.C.
28
1
and
United States.
(b) DIRECTOR.
(1) IN
GENERAL.The
10
11
ate.
12
(2) REPORTING
TO SECRETARY.The
Direc-
13
14
15
16
17
States.
18
(3) PRESIDENTIAL
ADVICE.The
Director
19
20
21
22
23
formation infrastructure.
24
25
HEN10553
S.L.C.
29
1
sector.
(5) LIMITATION
(A) IN
ON SERVICE.
GENERAL.Subject
to subpara-
10
11
12
13
14
15
(B)
EXCEPTION.The
Director
may
16
17
18
19
20
21
22
law.
23
HEN10553
S.L.C.
30
1
(1) IN
GENERAL.There
(2) INFRASTRUCTURE
PROTECTION.
tection.
10
rector
11
shall
appointed
under
subparagraph
(A)
12
13
14
15
16
17
18
19
20
21
22
thereto;
23
24
25
HEN10553
S.L.C.
31
1
priately coordinated;
10
11
12
13
14
15
16
17
and
18
19
20
(C) ANNUAL
EVALUATION.The
Assist-
21
22
23
24
HEN10553
S.L.C.
32
1
(3) INTELLIGENCE
COMMUNITY.The
Direc-
10
GENERAL.The
Director, in consulta-
23
24
HEN10553
S.L.C.
33
1
(1) IN
GENERAL.The
Director shall
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
34
1
including
8
9
information
relating
to
threats,
10
11
12
13
14
15
16
17
18
19
20
21
tor; and
22
23
24
25
HEN10553
S.L.C.
35
1
10
11
12
13
14
15
16
17
18
19
20
21
Cyberspace Policy;
22
23
24
25
HEN10553
S.L.C.
36
1
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
37
1
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
telligence community;
HEN10553
S.L.C.
38
1
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
39
1
infrastructure;
10
11
12
13
14
15
16
17
emergency
18
19
20
21
22
23
24
25
tions;
preparedness
telecommunications
HEN10553
S.L.C.
40
1
sons;
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
41
1
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
42
1
nologies;
ing
10
11
12
13
14
the public;
15
16
17
18
19
20
21
22
(iii)
outcome-based
performance
23
24
programs;
HEN10553
S.L.C.
43
1
2
(X) develop and implement a national cybersecurity exercise program that includes
tor; and
10
mitigated;
11
12
13
that
14
15
16
17
18
19
20
21
22
23
HEN10553
S.L.C.
44
1
(2) BUDGET
9
10
ANALYSIS.In
conducting anal-
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
45
1
to
of the Senate;
9
10
Congress.
(g) USE
OF
MECHANISMS
FOR
COLLABORATION.
20
21
22
23
24
HEN10553
S.L.C.
46
1
3
4
(2) COMPTROLLER
(A) IN
GENERAL REVIEW.
GENERAL.The
Comptroller Gen-
10
11
12
13
14
HEN10553
S.L.C.
47
1 ture protection responsibilities and activities of the Center
2 and the Office of Infrastructure Protection.
3
6
7
NESS TEAM.
(a) ESTABLISHMENT
OF
OFFICE.There is estab-
15
16
17
18
19
20
21
22
23
24
or
the
national
information
infrastructure
HEN10553
S.L.C.
48
1
(A); and
6
7
8
AND
RE -
SPONSE.
10
11
formation infrastructure;
12
13
14
15
16
17
18
19
frastructure;
20
21
22
23
infrastructure;
HEN10553
S.L.C.
49
1
rity
vulnerabilities;
controls
to
mitigate
or
remediate
tion infrastructure;
10
structure;
11
12
13
14
ties;
15
16
17
18
19
20
21
22
incidents; and
23
24
HEN10553
S.L.C.
50
1
5
6
7
8
10
11
infrastructure
12
13
and
incorporate
lessons
14
15
16
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
51
1
(d) PROCEDURES
FOR
FEDERAL GOVERNMENT.
OF
CONTACT.The Director
18 of the USCERT shall designate a principal point of con19 tact within the USCERT for each Federal agency to
20
21
22
23
24
25
HEN10553
S.L.C.
52
1
(1) INFORMATION
ACCESS.Upon
request of
10
11
12
this subtitle.
13
(2) PHYSICAL
ACCESS.Upon
request of the
14
15
16
17
18
19
20
21
22
HEN10553
S.L.C.
53
1
(a) ACCESS
TO
INFORMATION.Unless otherwise
10
11
12
13
14
15
16
17
18
19
20
21
22
cy information infrastructure;
23
24
25
26
HEN10553
S.L.C.
54
1
10
11
12
13
14
15
16
17
18
19
20
sons.
21
22
(1) IN
GENERAL.The
Director
23
24
25
HEN10553
S.L.C.
55
1
infrastructure
as
described
in
section
10
11
12
13
14
15
16
17
18
19
20
21
22
(2) OPERATIONAL
23
(A) IN
EVALUATIONS.
GENERAL.The
Director may
24
25
HEN10553
S.L.C.
56
1
(B)
ANNUAL
EVALUATION
REQUIRE-
MENT.If
10
11
12
13
14
15
AND
MITIGATION
21
22
23
24
25
and
HEN10553
S.L.C.
57
1
shall
paragraph (1); or
10
11
12
13
14
15
16
17
18
19
20
21
22
23
in place, if
HEN10553
S.L.C.
58
1
frastructure.
(1) INFORMATION
SHARING PROGRAM.Con-
10
11
12
13
14
15
16
17
18
19
dures
20
21
22
23
24
25
HEN10553
S.L.C.
59
1
information
tivities;
relating
to
threats,
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
60
1
2
3
4
dents;
10
11
12
13
14
15
16
17
18
19
20
(4) FEDERAL
(A) IN
AGENCIES.
GENERAL.The
head of a Federal
21
22
23
24
incidents.
HEN10553
S.L.C.
61
1
(B)
IMMEDIATE
NOTIFICATION
RE-
QUIRED.Unless
(b) STATE
AND
(1) IN
GENERAL.The
10
11
12
13
14
United States on
15
16
17
18
19
20
vulnerabilities.
21
22
23
clude
24
25
HEN10553
S.L.C.
62
1
relating
structure;
to
threats,
vulnerabilities,
traffic,
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
63
1
(c) INCIDENTS.
5
6
7
(1) NON-FEDERAL
(A) IN
ENTITIES.
GENERAL.
(i) MANDATORY
REPORTING.Sub-
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
64
1
sion of law.
(B) REPORTING
PROCEDURES.The
Di-
10
information infrastructure.
11
(2)
INFORMATION
PROTECTION.Notwith-
12
13
14
15
251.
16
19
20
21
22
23
24
and methods;
HEN10553
S.L.C.
65
1
2
3
4
5
10
11
12
13
HEN10553
S.L.C.
66
1
2
(b) ANALYSIS
AND
AND
IMPROVEMENT
OF
STANDARDS
cies; and
10
11
12
13
14
15
(1) IN
GENERAL.The
16
17
18
19
20
21
vulnerabilities.
22
23
24
25
based on risk.
HEN10553
S.L.C.
67
1
10
11
12
against
13
vulnerabilities;
14
15
16
17
and
mitigate
or
remediate
known
18
19
20
21
22
23
24
HEN10553
S.L.C.
68
1
2
3
ICAL INFRASTRUCTURE.
(a)
IDENTIFICATION
OF
CYBER
4 VULNERABILITIES.
5
(1) IN
GENERAL.Based
10
11
12
13
14
15
16
17
ical infrastructure.
18
(2) FACTORS
TO BE CONSIDERED.In
identi-
19
20
21
22
23
24
rence capabilities;
25
26
HEN10553
S.L.C.
69
1
frastructure;
ture;
10
11
12
13
14
15
ture; and
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
70
1
2
(3) REPORT.
(A) IN
GENERAL.Not
10
11
12
13
14
15
16
17
18
19
20
21
22
23
(1) IN
GENERAL.Not
24
25
HEN10553
S.L.C.
71
1
10
covered
11
12
13
14
15
critical
infrastructure
against
cyber
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
72
1
this subsection;
9
10
11
12
13
14
15
16
17
18
19
20
21
(3) INTERNATIONAL
COOPERATION ON SECUR-
(A) IN
GENERAL.The
Director, in co-
22
23
24
25
HEN10553
S.L.C.
73
1
10
11
12
13
14
15
16
17
18
19
20
vulnerabilities.
21
(B) INTERNATIONAL
AGREEMENTS.The
22
23
24
national agreements.
HEN10553
S.L.C.
74
1
2
3
(4) RISK-BASED
QUIREMENTS.
(A) IN
GENERAL.The
security perform-
6
7
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
75
1
critical infrastructure.
(C) ALTERNATIVE
(i) IN
MEASURES.
GENERAL.The
owners and
10
11
12
13
14
15
16
17
18
(ii) RECOMMENDED
SECURITY MEAS-
19
URES.The
20
21
22
23
24
25
HEN10553
S.L.C.
76
1
this section.
10
11
12
(a) DECLARATION.
(1) IN
GENERAL.The
13
14
15
16
17
18
19
20
21
22
23
24
25
shall
HEN10553
S.L.C.
77
1
tion 248(b)(2)(C);
10
11
12
13
14
15
16
17
18
19
20
21
22
23
cyber emergency;
HEN10553
S.L.C.
78
1
(4)
REIMBURSEMENT.A
Federal
agency
10
11
12
13
14
or supplies.
15
16
17
18
19
20
21
22
23
24
(b) DISCONTINUANCE
25
URES.
OF
EMERGENCY MEAS-
HEN10553
S.L.C.
79
1
(1) IN
GENERAL.Any
emergency measure or
emergency; and
10
11
12
13
14
15
tion.
16
17
18
may
19
20
21
22
and
23
24
25
HEN10553
S.L.C.
80
1
2
GENERAL.Subject
to paragraph (2),
(2) ALTERNATIVE
MEASURES.If
the Director
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
81
1
(3) INTERNATIONAL
10
(A) IN
COOPERATION
GENERAL.The
ON
NA-
Director, in co-
11
12
13
14
15
16
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
82
1
ture; and
10
11
12
13
(B) INTERNATIONAL
AGREEMENTS.The
14
15
16
agreements.
17
(4) LIMITATION
ON
COMPLIANCE
AUTHOR-
18
ITY.The
19
20
21
22
23
24
25
HEN10553
S.L.C.
83
1
law.
(d) REPORTING.
(1) IN
GENERAL.Except
as provided in para-
10
subsection (a)(3).
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
and
HEN10553
S.L.C.
84
1
reliable
critical infrastructure.
operation
and
6 LIMITATIONS
FOR
mitigate
AND
the
con-
CIVIL LIABILITY
7 MEASURES.
8
10
11
12
entity; and
13
14
15
16
17
18
and 1828);
19
20
21
22
23
24
25
structure; and
HEN10553
S.L.C.
85
1
niary losses.
(2) APPLICATION
10
LIABILITY.The
11
OF LIMITATIONS ON CIVIL
12
13
14
(a)(1);
15
16
17
18
19
(ii)
approved
security
measures
20
21
22
23
24
with
(i) the emergency measures or actions required under subsection (c)(1); or
HEN10553
S.L.C.
86
1
(c)(2); and
10
11
subsection (c)(1); or
12
13
14
(c)(2); or
15
16
17
18
19
20
the implementation of
21
22
23
subsection (c)(1); or
HEN10553
S.L.C.
87
1
(c)(2).
(3) LIMITATIONS
ON CIVIL LIABILITY.In
any
10
11
12
13
14
15
section (c)(2)
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
88
1
physical harm.
(4) CIVIL
MENTATION
TIONS.A
10
OF
EMERGENCY
MEASURES
OR
AC-
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
89
1
or
10
11
(c)(1).
12
(5) CERTAIN
13
14
TATIONS ON LIABILITY.
(A)
ADDITIONAL
OR
INTERVENING
15
ACTS.Paragraphs
16
17
18
entity.
19
(B) SERIOUS
OR
SUBSTANTIAL
20
AGE.Paragraph
21
DAM-
22
23
24
and
25
HEN10553
S.L.C.
90
1
death; or
4
5
OF CONSTRUCTION.Recovery
10
11
12
13
14
15
16
17
18
19
20
21
22
(f) RULE
OF
25
HEN10553
S.L.C.
91
1
section expires.
7
8
GENERAL.Not
10
11
12
13
14
15
16
17
18
19
(2) FAILURE
TO COMPLY.If
an owner or op-
20
21
22
23
24
25
HEN10553
S.L.C.
92
1
(1) IN
GENERAL.Consistent
10
11
(a)(1).
(2) DOCUMENT
12
13
include
14
15
16
17
18
19
20
21
22
(3) EVALUATION
SELECTION
FACTORS.In
23
24
25
shall consider
HEN10553
S.L.C.
93
1
10
ture;
11
12
13
14
15
inaccurate;
16
17
18
an evaluation; and
19
20
21
(4) SECTOR-SPECIFIC
AGENCIES.To
carry
22
23
24
25
HEN10553
S.L.C.
94
1
(5) INFORMATION
PROTECTION.Information
9
10
11
(1) IN
GENERAL.Any
12
13
14
15
16
17
18
19
20
21
entity; and
22
23
24
25
HEN10553
S.L.C.
95
1
and 1828);
structure; and
10
11
12
13
14
15
16
17
niary losses.
18
(2) LIMITATIONS
ON CIVIL LIABILITY.If
19
20
21
22
23
ability
24
25
HEN10553
S.L.C.
96
1
10
physical harm.
11
(3)
APPLICATION.This
subsection
shall
12
13
14
15
16
covered entity
17
18
19
20
21
Director;
22
23
24
25
HEN10553
S.L.C.
97
1
(5) RULE
OF CONSTRUCTION.Except
as pro-
10
11
12
13
14
15
16
17
(e) REPORT
TO
24
25
HEN10553
S.L.C.
98
1
4
5
6
7
8 information
9
(1) means
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
99
1
structure; and
mitted to
or administrative error;
10
11
organization, or agency; or
12
13
14
15
vate sector.
(b) VOLUNTARILY SHARED CRITICAL INFRASTRUCTURE
(c) GUIDELINES.
(1) IN
GENERAL.Subject
to paragraph (2),
24
25
HEN10553
S.L.C.
100
1
3
4
10
11
12
the Director;
13
14
15
16
17
18
19
20
21
22
23
24
25
(d) PROCESS
LEMS.
FOR
HEN10553
S.L.C.
101
1
(1) ESTABLISHMENT
OF PROCESS.The
Di-
retary
7
8
regarding
cybersecurity
threats,
10
11
12
13
14
15
OF RECEIPT.If
a re-
16
17
18
19
the report.
20
(3) STEPS
TO ADDRESS PROBLEM.The
Di-
21
22
23
24
HEN10553
S.L.C.
102
1
ciencies identified.
(4) DISCLOSURE
(A) IN
OF IDENTITY.
GENERAL.Except
as provided in
(B) REFERRAL
10
ERAL.The
11
12
13
14
15
16
17
18
19
(e) RULES
OF
CONSTRUCTION.Nothing in this
22
23
24
HEN10553
S.L.C.
103
1
5
6
Code;
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
fairs; or
HEN10553
S.L.C.
104
1
similar disclosures;
safeguards;
10
11
12
13
14
15
(f) AUDIT.
16
(1) IN
GENERAL.Not
17
18
19
20
21
22
committees of Congress.
23
24
HEN10553
S.L.C.
105
1
2
disputes;
is effective;
10
11
12
13
overbroad or overnarrow;
14
15
16
17
18
19
20
21
HEN10553
S.L.C.
106
1 Federal agency that relate to the efforts of the agency re2 garding security or resiliency of the national information
3 infrastructure, including critical infrastructure and cov4 ered critical infrastructure, within or under the super5 vision of the agency.
6
(c) REQUIREMENTS.
(1) IN
GENERAL.To
18
19
20
21
22
23
24
HEN10553
S.L.C.
107
1
10
11
and
12
13
14
15
16
17
(2)
COORDINATION.Coordination
under
18
19
20
21
actions.
22
(3) RULE
OF
CONSTRUCTION.Nothing
in
23
24
25
HEN10553
S.L.C.
108
1
authorized by law.
7
8
9
HEN10553
S.L.C.
109
1 mation in, disruption of operations of, interruption of com2 munications or services of, and insertion of malicious soft3 ware, engineering vulnerabilities, or otherwise corrupting
4 software, hardware, services, or products intended for use
5 in Federal information infrastructure.
6
10
11
12
mation infrastructure;
(2) place particular emphasis on
(A) securing critical information systems
13
14
15
16
17
18
structure;
19
20
21
22
structure;
23
24
HEN10553
S.L.C.
110
1
10
11
12
13
14
malicious functions;
15
16
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
111
1
10
11
12
13
esses; and
14
15
16
17
18
identified; and
19
20
21
22
23
pliers.
24
HEN10553
S.L.C.
112
1 Office of Federal Procurement Policy Act (41 U.S.C.
2 421(a)) shall
3
4
10
11
12
13
14
15
16
17
18
19
20
22
23
21
24
25
ICY.
HEN10553
S.L.C.
113
1
positions; and
10
11
12
13
14
15
19 3550. Purposes
20
21
22
23
24
25
HEN10553
S.L.C.
114
1
enforcement communities;
10
11
12
13
14
grams.
15
16
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
115
1
3 3551. Definitions
4
ture
10
11
12
13
14
15
16
systems.
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
116
1
10
11
12
ware, or data.
13
14
15
16
17
vide
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
117
1
40.
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
tem; or
HEN10553
S.L.C.
118
1
or intelligence missions; or
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
119
1
10
11
12
13
14
15
16
17
20
tions
21
24
25
HEN10553
S.L.C.
120
1
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
121
1
Act of 2002;
10
11
12
13
14
requirements
15
3556(c);
16
17
18
19
20
21
22
23
24
25
under
sections
3553(c)
and
HEN10553
S.L.C.
122
1
such requirements;
10
11
12
13
14
15
16
17
18
and procedures.
19
HEN10553
S.L.C.
123
1
or destruction of
ture;
10
11
12
13
(i)
information
security
require-
14
15
16
17
18
19
20
(ii)
information
security
policies,
21
22
23
24
(15
25
3552(a)(1);
U.S.C.
278g3)
and
section
HEN10553
S.L.C.
124
1
practicable;
10
11
12
13
14
15
16
17
18
mation;
19
20
21
22
23
24
25
HEN10553
S.L.C.
125
1
through
10
11
12
13
information systems;
14
15
16
17
18
19
20
21
22
23
HEN10553
S.L.C.
126
1
level;
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
127
1
toring
10
tions;
11
12
basis,
13
14
15
ture;
mitigate
and
remediate
the
16
17
18
19
20
21
22
systems;
23
24
25
HEN10553
S.L.C.
128
1
and
10
11
12
13
14
15
16
17
and includes
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
129
1
nications; and
10
11
12
13
14
tion 3552;
15
16
17
18
19
20
21
22
23
(2);
24
25
HEN10553
S.L.C.
130
1
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
131
1
GRAM.Each
6 ment an agency-wide information security program, ap7 proved by the National Center for Cybersecurity and Com8 munications under section 3552(a)(6) and consistent with
9 components across and within agencies, to provide infor10 mation security for the information and information sys11 tems that support the operations and assets of the agency,
12 including those provided or managed by another agency,
13 contractor, or other source, that includes
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
132
1
on that assessment;
8
9
10
11
(3)
ensure
that
information
security
12
13
14
(2);
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
133
1
President;
10
11
12
13
priate;
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
134
1
clude
10
11
3505(c);
12
13
14
15
16
17
18
(a)(3); and
19
20
21
22
23
24
25
HEN10553
S.L.C.
135
1
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
(1) IN
GENERAL.Each
agency shall
HEN10553
S.L.C.
136
1
ing to
8
9
10
11
12
13
14
15
16
17
18
19
20
21
structure; and
22
23
24
HEN10553
S.L.C.
137
1
10
paragraph (A);
11
12
13
14
15
lating to
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
138
1
39;
10
11
12
13
14
15
16
17
18
19
20
21
22
23
(i) as a material weakness in reporting under section 3512 of title 31; and
24
25
HEN10553
S.L.C.
139
1
(2) ADEQUACY
MATION.Information
to
10
11
12
13
14
15
16
tives;
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
140
1
(1) IN
GENERAL.In
subsection (b).
10
(2)
RISK
ASSESSMENTS.The
description
11
12
13
14
(e) NOTICE
AND
20 an agency may employ standards for the cost effective in21 formation security for information systems within or
22 under the supervision of that agency that are more strin23 gent than the standards the Director of the National Cen24 ter for Cybersecurity and Communications prescribes
25 under this subchapter, subtitle E of title II of the Home-
HEN10553
S.L.C.
141
1 land Security Act of 2002, or any other provision of law,
2 if the more stringent standards
3
tions; and
7
8
(a) GUIDANCE.
11
(1) IN
GENERAL.Each
12
13
14
15
16
17
18
tices.
19
(2) COLLABORATION
IN DEVELOPMENT.In
20
21
22
23
24
25
HEN10553
S.L.C.
142
1
(3) CONTENTS
TION.Each
tion
OF
OPERATIONAL
EVALUA-
(B) shall
10
11
12
13
14
15
16
17
18
19
20
21
guidelines;
22
23
24
25
HEN10553
S.L.C.
143
1
agencies; and
10
11
dents; and
12
13
14
15
structure.
16
17
GENERAL.Except
as provided under
18
19
20
21
22
nually
23
24
agency
information
infrastructure
for
HEN10553
S.L.C.
144
1
10
11
(2) SATISFACTION
12
OTHER EVALUATION.Unless
13
14
15
16
17
18
19
20
21
22
graph is conducted.
23
24
MEDIATION
PLANS.
OF
REQUIREMENTS
BY
otherwise specified by
AND
RE -
HEN10553
S.L.C.
145
1
(1) IN
GENERAL.In
(2) RISK-BASED
PLAN.After
an operational
10
11
12
13
14
15
16
(3) APPROVAL
OR DISAPPROVAL.Not
later
17
18
19
20
21
22
23
24
(4) ISOLATION
FROM INFRASTRUCTURE.
HEN10553
S.L.C.
146
1
(A) IN
GENERAL.The
Director of the
10
11
12
13
14
tion infrastructure.
15
16
17
18
19
20
been implemented; or
21
22
23
24
HEN10553
S.L.C.
147
1
and
10
11
12
13
3552(a)(3)(D) to Congress on
14
15
16
17
18
19
20
23 executive
24 Taskforce.
branch
Federal
Information
Security
HEN10553
S.L.C.
148
1
2 formation Security Taskforce shall be full-time senior Gov3 ernment employees and shall be as follows:
4
5
Budget.
10
11
31.
12
13
14
15
16
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
149
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Security Taskforce.
18
19
20
shall
21
22
23
bers;
24
25
HEN10553
S.L.C.
150
1
7 Taskforce shall
8
10
11
12
13
14
15
16
17
18
19
20
remediation;
21
22
23
24
25
HEN10553
S.L.C.
151
1
10
11
12
and experience;
13
14
15
16
17
and
18
19
20
21
22
23
24
25
nications.
HEN10553
S.L.C.
152
1
2
(e) TERMINATION.
(1) IN
GENERAL.Except
as provided under
7
8
9
10
11
12
may determine.
(a) IN GENERAL.
(1) INSPECTORS
GENERAL ASSESSMENTS.
16
17
18
19
20
21
22
(2) INDEPENDENT
ASSESSMENTS.For
each
23
24
25
HEN10553
S.L.C.
153
1
13 uators, and Inspectors General shall take appropriate ac14 tions to ensure the protection of information which, if dis15 closed, may adversely affect information security. Protec16 tions under this chapter shall be commensurate with the
17 risk and comply with all applicable laws and regulations..
18
(c) TECHNICAL
19
(1) TABLE
AND
CONFORMING AMENDMENTS.
OF SECTIONS.The
table of sections
20
21
22
IIINFORMATION SECURITY
3550. Purposes.
3551. Definitions.
3552. Authority and functions of the National Center for Cybersecurity and
Communications.
3553. Agency responsibilities.
3554. Annual operational evaluation.
HEN10553
S.L.C.
154
3555. Federal Information Security Taskforce.
3556. Independent assessments.
3557. Protection of information..
(2) OTHER
REFERENCES.
land
Security
Act
of
2002
(6
U.S.C.
10
11
12
13
Code,
14
is
amended
by
striking
section
15
16
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
155
1
10
11
(3) HOMELAND
12
(A) TITLE
X.The
Homeland Security
13
14
by striking title X.
15
(B) TABLE
OF CONTENTS.The
table of
16
17
18
19
X.
20
21
22
23
24
GENERAL.Section
AND
CONFORMING
AMEND-
HEN10553
S.L.C.
156
1
Code.
10
11
12
13
14
15
16
17
cial
18
19
20
21
Code.
Security
Act
(42
U.S.C.1395kk-1
22
23
24
25
of title 44.
HEN10553
S.L.C.
157
1
10
11
12
13
11332.
14
15
16
17
18
19
20
21
22
23
In this title:
24
25
(1) CYBERSECURITY
MISSION.The
term cy-
HEN10553
S.L.C.
158
1
(2) FEDERAL
10
SION.The
11
12
13
14
15
(b) STRATEGY.
21
(1) IN
GENERAL.Not
22
23
24
25
HEN10553
S.L.C.
159
1
personnel.
3
4
8
9
workforce needs.
SEC. 403. STRATEGIC CYBERSECURITY WORKFORCE PLAN-
10
11
12
NING.
OF
STRA-
13 than 180 days after the date of enactment of this Act and
14 in every subsequent year, the head of each Federal agency
15 shall develop a strategic cybersecurity workforce plan as
16 part of the Federal agency performance plan required
17 under section 1115 of title 31, United States Code.
18
22
23
24
HEN10553
S.L.C.
160
1
4
5
6
7
(1) IN
GENERAL.Each
10
11
12
ing
13
14
15
16
needs;
17
18
19
20
els;
21
22
23
24
HEN10553
S.L.C.
161
1
geographic locations;
pertise;
10
11
12
13
14
15
riers; and
16
17
18
19
20
(2) FEDERAL
21
IZED WORKFORCE.In
22
23
24
25
HEN10553
S.L.C.
162
1
States Code.
(b) APPLICABILITY
OF
CLASSIFICATIONS.The Di-
(b) TYPES
OF
HEN10553
S.L.C.
163
1 tion under subsection (a) shall include indicators with re2 spect to the following:
3
4
5
6
(1) RECRUITING
AND HIRING.In
relation to
10
11
permanent hires;
12
13
14
15
16
17
18
plicants.
19
20
21
22
23
24
25
Federal agency;
HEN10553
S.L.C.
164
1
2
10
11
12
13
14
15
16
(4) HIRED
INDIVIDUALS.In
dividuals hired
17
18
19
20
21
22
23
(c) REPORTS.
24
(1) IN
25
GENERAL.The
HEN10553
S.L.C.
165
1
section (d).
5
6
7
(2) AVAILABILITY
INFORMATION.
(A) IN
GENERAL.The
10
11
12
13
14
15
16
17
18
19
20
21
22
and
23
24
HEN10553
S.L.C.
166
1
to Congress.
3
4
(d) REGULATIONS.
(1) IN
GENERAL.Not
10
(2) SCOPE
11
MATION.The
12
13
14
15
16
17
mission.
18
19
20
(a) TRAINING.
(1) FEDERAL
21
FEDERAL CONTRACTORS.The
22
23
24
25
HEN10553
S.L.C.
167
1
9
10
11
12
13
14
15
16
17
18
19
20
21
22
traveling abroad;
(D) unclassified counterintelligence information;
(E) information regarding industrial espionage;
(F) information regarding malicious activity online;
(G) information regarding cybersecurity
and law enforcement;
23
24
25
curity;
HEN10553
S.L.C.
168
1
2
(3)
FEDERAL
CYBERSECURITY
PROFES-
SIONALS.The
10
11
12
13
14
15
16
17
18
19
20
(4) HEADS
OF FEDERAL AGENCIES.Not
later
21
22
23
24
25
HEN10553
S.L.C.
169
1
threat briefing.
section.
10
(b) EDUCATION.
11
(1) FEDERAL
EMPLOYEES.The
Director of
12
13
14
15
16
17
18
(2) K
THROUGH 12.The
Secretary of Edu-
19
20
21
22
23
24
25
grade 12.
HEN10553
S.L.C.
170
1
2
3
(3)
UNDERGRADUATE,
GRADUATE,
VOCA-
(A)
SECRETARY
OF
EDUCATION.The
10
11
12
13
14
15
16
17
18
to cybersecurity.
19
(B) OFFICE
OF
PERSONNEL
MANAGE-
20
MENT.The
21
22
23
24
25
HEN10553
S.L.C.
171
1
8
9
10
AND
CHAL-
LENGES.
(1) IN
GENERAL.The
11
12
13
14
15
16
17
18
19
information infrastructure.
20
21
(2) GROUPS
AND INDIVIDUALS.The
program
22
23
24
25
HEN10553
S.L.C.
172
1
(3) SUPPORT
CHALLENGES.The
10
11
12
professionals; or
13
14
OF TALENT.The
program under
15
16
17
18
19
20
21
22
23
ations.
HEN10553
S.L.C.
173
1
2
10 agency shall adopt best practices, developed by the Direc11 tor of the National Center for Cybersecurity and Commu12 nications and the Office of Management and Budget, re13 garding effective ways to educate and motivate employees
14 of the Federal Government to demonstrate leadership in
15 cybersecurity, including
16
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
174
1
tions.
4
5
6
7
8
9
10
11
12
LEVEL POSITION.The
term entry
13
14
15
16
17
18
19
POSITION.The
20
21
22
23
24
HEN10553
S.L.C.
175
1
(2) CONSULTATION
AND CONSIDERATIONS.In
tor shall
(B) consider
10
11
12
13
14
15
16
17
18
19
20
21
HIRE AUTHORITY.Without
regard
22
23
24
HEN10553
S.L.C.
176
1
ter.
3
4
(2) RATES
OF PAY.
(A) ENTRY
LEVEL POSITIONS.The
Direc-
10
11
12
13
14
15
16
(B) SENIOR
(i) IN
POSITIONS.
GENERAL.The
Director may
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
177
1
(ii) HIGHER
(I)
MAXIMUM RATES.
IN
GENERAL.Notwith-
10
11
12
13
14
15
16
17
18
19
20
21
22
23
(II) NONDELEGATION
24
THORITY.The
OF
AU-
HEN10553
S.L.C.
178
1
information infrastructure.
10
(2) COMPETITIVE
11
12
13
14
15
16
17
AUTHORITY.Notwithstanding
section
18
19
may
20
21
22
23
24
25
HEN10553
S.L.C.
179
1
(2) LIMITATIONS
6
7
8
9
NUSES.
TOTAL PAY.The
term
10
11
12
13
14
15
16
17
States Code;
18
19
described
20
21
22
23
24
Executive
under
Schedule
under
sub-
section
HEN10553
S.L.C.
180
1
and
described
10
Code.
11
(ii)
12
TOTAL
under
sub-
COMPENSATION.The
13
14
15
16
17
calendar year.
18
19
20
21
22
total pay.
23
(f) TERMINATION
OF
AUTHORITY.The authority to
HEN10553
S.L.C.
181
1 section shall terminate 3 years after the date of enactment
2 of this Act.
3
4
(g) REPORTS.
(1) PLAN
(2) ANNUAL
REPORT.Not
later than 6
10
11
12
13
report that
14
15
16
17
18
19
ing
20
21
22
23
hired
24
25
HEN10553
S.L.C.
182
1
2
3
4
5
6
10
11
12
13
14
15
16
17
18
19
20
21
22
offer; and
23
24
25
HEN10553
S.L.C.
183
1
available; and
18
22
MENT.
23
(a) ESTABLISHMENT
24
MENT
OF
RESEARCH
AND
DEVELOP-
HEN10553
S.L.C.
184
1 tional Center for Cybersecurity and Communications, shall
2 carry out a research and development program for the
3 purpose of improving the security of information infra4 structure.
5
6 opment program carried out under subsection (a) may in7 clude projects to
8
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
nologies;
HEN10553
S.L.C.
185
1
trol systems;
4
5
10
11
12
13
14
15
16
communications networks;
17
18
19
tices; and
20
21
22
Communications.
23
24
TIATIVES.The
Under Secretary
HEN10553
S.L.C.
186
1
10
11
12
being conducted by
13
14
15
16
17
18
19
20
21
22
23
States;
24
25
HEN10553
S.L.C.
187
1
agency
4
5
10
11
12
13
14
15
16
17
18
19
(d) PRIVACY
20
AND
CIVIL RIGHTS
AND
CIVIL LIB-
ERTIES ISSUES.
21
22
23
24
HEN10553
S.L.C.
188
1
(2) PRIVACY
IMPACT ASSESSMENTS.In
ac-
10
11
12
(b) RESPONSIBILITIES.
(1) IN
GENERAL.The
20
21
22
23
24
25
(2) INCENTIVES
AND
REGULATIONS.The
HEN10553
S.L.C.
189
1
(c) MEMBERSHIP.
(1) IN
GENERAL.The
10
11
12
13
14
15
16
priate
17
18
19
20
21
22
(A) representatives of covered critical infrastructure (as defined under section 241);
(B) academic institutions with expertise
in cybersecurity;
(C) Federal, State, and local government
agencies with expertise in cybersecurity;
23
24
25
HEN10553
S.L.C.
190
1
cessor entity;
10
successor entity;
11
12
13
in cybersecurity; and
14
15
16
17
18
632)).
19
20
21
to consecutive terms.
22
23
24
25
HEN10553
S.L.C.
191
1
2
(d) APPLICABILITY
MITTEE
OF
GENERAL.In
accordance; and
12
13
14
15
16
17
National
18
shall
19
20
21
22
Cybersecurity
Advisory
Council,
23
24
HEN10553
S.L.C.
192
1
241); and
Secretary; and
10
11
12
13
14
15
16
soon as is practicable;
17
18
19
20
21
22
23
24
HEN10553
S.L.C.
193
1
(ii)..
COMMUNICATIONS
TIES.
10
ACQUISITION
AUTHORI-
11 curity and Communications is authorized to use the au12 thorities under subsections (c)(1) and (d)(1)(B) of section
13 2304 of title 10, United States Code, instead of the au14 thorities under subsections (c)(1) and (d)(1)(B) of section
15 303 of the Federal Property and Administrative Services
16 Act of 1949 (41 U.S.C. 253), subject to all other require17 ments of section 303 of the Federal Property and Admin18 istrative Services Act of 1949.
19
20 date of enactment of this Act, the chief procurement offi21 cer of the Department of Homeland Security shall issue
22 guidelines for use of the authority under subsection (a).
23
HEN10553
S.L.C.
194
1 under subsection (a) on and after the date that is 3 years
2 after the date of enactment of this Act.
3
4
(d) REPORTING.
(1) IN
GENERAL.On
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
HEN10553
S.L.C.
195
1
253(f)).
(3) CLASSIFIED
ANNEX.A
report submitted
10
11
if necessary.
12
13
(a) ELIMINATION
OF
ASSISTANT SECRETARY
FOR
19
20
21
22
23
24
HEN10553
S.L.C.
196
1
10
11
14
15
16
spectively.
17
25 and Communications..
HEN10553
S.L.C.
197
1
(f) TABLE
OF
241.
242.
243.
244.
245.
Sec.
Sec.
Sec.
Sec.
Sec.
Sec.
Sec.
Sec.
246.
247.
248.
249.
250.
251.
252.
253.
Definitions.
National Center for Cybersecurity and Communications.
Physical and cyber infrastructure collaboration.
United States Computer Emergency Readiness Team.
Additional authorities of the Director of the National Center for Cybersecurity and Communications.
Information sharing.
Private sector assistance.
Cyber vulnerabilities to covered critical infrastructure.
National cyber emergencies..
Enforcement.
Protection of information.
Sector-specific agencies.
Strategy for Federal cybersecurity supply chain management..