Code · BILL · 113th Congress · H.R. 3696 (Engrossed in House) — To amend the Homeland Security Act of 2002 to make certain improvements regarding cybersecurity and critical infrastr... · Sec. 201

Sec. 201. Public-private collaboration on cybersecurity

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

The Director of the National Institute of Standards and Technology, in coordination with the Secretary of Homeland Security, shall, on an ongoing basis, facilitate and support the development of a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks to critical infrastructure.
The Director, in coordination with the Secretary— shall— coordinate closely and continuously with relevant private entities, critical infrastructure owners and critical infrastructure operators, Sector Coordinating Councils, Information Sharing and Analysis Centers, and other relevant industry organizations, and incorporate industry expertise to the fullest extent possible; consult with the Sector Specific Agencies, Federal, State and local governments, the governments of other countries, and international organizations; utilize a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, that may be voluntarily adopted by critical infrastructure owners and critical infrastructure operators to help them identify, assess, and manage cyber risks; include methodologies to— identify and mitigate impacts of the cybersecurity measures or controls on business confidentiality; and protect individual privacy and civil liberties; incorporate voluntary consensus standards and industry best practices, and align with voluntary international standards to the fullest extent possible; prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and processes; and include such other similar and consistent elements as determined necessary; and shall not prescribe or otherwise require— the use of specific solutions; the use of specific information technology products or services; or that information technology products or services be designed, developed, or manufactured in a particular manner.
Information shared with or provided to the Director of the National Institute of Standards and Technology or the Secretary of Homeland Security for the purpose of the activities under paragraph (1) may not be used by any Federal, State, or local government department or agency to regulate the activity of any private entity.
Subtitle C of title II of the Homeland Security Act of 2002, as amended by sections 102, 103, 104, and 105, is further amended by adding at the end the following new section:
The Secretary shall meet with the Sector Coordinating Council for each critical infrastructure sector designated under section 227(b) on a biannual basis to discuss the cybersecurity threat to critical infrastructure, voluntary activities to address cybersecurity, and ideas to improve the public-private partnership to enhance cybersecurity, in which the Secretary shall— provide each Sector Coordinating Council an assessment of the cybersecurity threat to each critical infrastructure sector designated under section 227(b), including information relating to— any actual or assessed cyber threat, including a consideration of adversary capability and intent, preparedness, target attractiveness, and deterrence capabilities; the extent and likelihood of death, injury, or serious adverse effects to human health and safety caused by an act of terrorism or other disruption, destruction, or unauthorized use of critical infrastructure; the threat to national security caused by an act of terrorism or other disruption, destruction, or unauthorized use of critical infrastructure; and the harm to the economy that would result from an act of terrorism or other disruption, destruction, or unauthorized use of critical infrastructure; and provide recommendations, which may be voluntarily adopted, on ways to improve cybersecurity of critical infrastructure.
Starting 30 days after the end of the fiscal year in which the National Cybersecurity and Critical Infrastructure Protection Act of 2013 is enacted and annually thereafter, the Secretary shall submit to the appropriate congressional committees a report on the state of cybersecurity for each critical infrastructure sector designated under section 227(b) based on discussions between the Department and the Sector Coordinating Council in accordance with subsection (a) of this section. The Secretary shall maintain a public copy of each report, and each report may include a non-public annex for proprietary, business-sensitive information, or other sensitive information. Each report shall include, at a minimum information relating to— the risk to each critical infrastructure sector, including known cyber threats, vulnerabilities, and potential consequences; the extent and nature of any cybersecurity incidents during the previous year, including the extent to which cyber incidents jeopardized or imminently jeopardized information systems; the current status of the voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks within each critical infrastructure sector; and the volume and range of voluntary technical assistance sought and provided by the Department to each critical infrastructure sector.
Before making public and submitting each report required under paragraph (1), the Secretary shall provide a draft of each report to the Sector Coordinating Council for the critical infrastructure sector covered by each such report. The Sector Coordinating Council at issue may provide to the Secretary a written response to such report within 45 days of receiving the draft. If such Sector Coordinating Council provides a written response, the Secretary shall include such written response in the final version of each report required under paragraph (1).
Information shared with or provided to a Sector Coordinating Council, a critical infrastructure sector, or the Secretary for the purpose of the activities under subsections (a) and (b) may not be used by any Federal, State, or local government department or agency to regulate the activity of any private entity.
The table of contents in section 1(b) of such Act is amended by adding after the item relating to section 229 (as added by section 105) the following new item: Sec. 230. Public-private collaboration on cybersecurity.