
Code · BILL · 113th Congress · H.R. 3696 (Reported in House) — To amend the Homeland Security Act of 2002 to make certain improvements regarding cybersecurity and critical infrastr... · Sec. 103

Sec. 103. Protection of critical infrastructure and information sharing


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Subtitle C of title II of the Homeland Security Act of 2002, as amended by section 102, is further amended by adding at the end the following new section:
The Secretary shall coordinate, on an ongoing basis, with Federal, State, and local governments, national laboratories, critical infrastructure owners, critical infrastructure operators, and other cross sector coordinating entities to— facilitate a national effort to strengthen and maintain secure, functioning, and resilient critical infrastructure from cyber threats; ensure that Department policies and procedures enable critical infrastructure owners and critical infrastructure operators to receive real-time, actionable, and relevant cyber threat information; seek industry sector-specific expertise to— assist in the development of voluntary security and resiliency strategies; and ensure that the allocation of Federal resources are cost effective and reduce any burden on critical infrastructure owners and critical infrastructure operators; upon request of entities, facilitate and assist risk management efforts of such entities to reduce vulnerabilities, identify and disrupt threats, and minimize consequences to their critical infrastructure; upon request of critical infrastructure owners or critical infrastructure operators, provide education and assistance to such owners and operators on how they may use protective measures and countermeasures to strengthen the security and resilience of the Nation’s critical infrastructure; and coordinate a research and development strategy to facilitate and promote advancements and innovation in cybersecurity technologies to protect critical infrastructure.
The Secretary shall— manage Federal efforts to secure, protect, and ensure the resiliency of Federal civilian information systems using a risk-based and performance-based approach, and, upon request of critical infrastructure owners or critical infrastructure operators, support such owners’ and operators’ efforts to secure, protect, and ensure the resiliency of critical infrastructure from cyber threats; direct an entity within the Department to serve as a Federal civilian entity by and among Federal, State, and local governments, private entities, and critical infrastructure sectors to provide multi-directional sharing of real-time, actionable, and relevant cyber threat information; build upon existing mechanisms to promote a national awareness effort to educate the general public on the importance of securing information systems; upon request of Federal, State, and local government entities and private entities, facilitate expeditious cyber incident response and recovery assistance, and provide analysis and warnings related to threats to and vulnerabilities of critical information systems, crisis and consequence management support, and other remote or on-site technical assistance with the heads of other appropriate Federal agencies to Federal, State, and local government entities and private entities for cyber incidents affecting critical infrastructure; engage with international partners to strengthen the security and resilience of domestic critical infrastructure and critical infrastructure located outside of the United States upon which the United States depends; and conduct outreach to educational institutions, including historically black colleges and universities, Hispanic serving institutions, Native American colleges, and institutions serving persons with disabilities, to encourage such institutions to promote cybersecurity awareness.
Nothing in this section may be construed to require any private entity to request assistance from the Secretary, or require any private entity requesting such assistance to implement any measure or recommendation suggested by the Secretary.
The Secretary, in collaboration with the heads of other appropriate Federal agencies, shall designate critical infrastructure sectors (that may include subdivisions of sectors within a sector as the Secretary may determine appropriate). The critical infrastructure sectors designated under this subsection may include the following:
Chemical. Commercial facilities. Communications. Critical manufacturing. Dams. Defense Industrial Base. Emergency services. Energy. Financial services. Food and agriculture. Government facilities. Healthcare and public health. Information technology. Nuclear reactors, materials, and waste. Transportation systems. Water and wastewater systems. Such other sectors as the Secretary determines appropriate.
The Secretary, in collaboration with the relevant critical infrastructure sector and the heads of other appropriate Federal agencies, shall recognize the Federal agency designated as of November 1, 2013, as the Sector Specific Agency for each critical infrastructure sector designated under subsection (b).
If the designated Sector Specific Agency for a particular critical infrastructure sector is the Department, for the purposes of this section, the Secretary shall carry out this section. The Secretary, in coordination with the heads of each such Sector Specific Agency shall— support the security and resilience activities of the relevant critical infrastructure sector in accordance with this subtitle; and provide institutional knowledge and specialized expertise to the relevant critical infrastructure sector.
The Secretary, in collaboration with each critical infrastructure sector and the relevant Sector Specific Agency, shall recognize and partner with the Sector Coordinating Council for each critical infrastructure sector designated under subsection (b) to coordinate with each such sector on security and resilience activities and emergency response and recovery efforts.
The Sector Coordinating Council for a critical infrastructure sector designated under subsection (b) shall— be comprised exclusively of relevant critical infrastructure owners, critical infrastructure operators, private entities, and representative trade associations for the sector; reflect the unique composition of each sector; and include relevant small, medium, and large critical infrastructure owners, critical infrastructure operators, private entities, and representative trade associations for the sector.
No government entity with regulating authority shall be a member of the Sector Coordinating Council. The Secretary shall have no role in the determination of the membership of a Sector Coordinating Council.
The Sector Coordinating Council for a critical infrastructure sector shall— serve as a self-governing, self-organized primary policy, planning, and strategic communications entity for coordinating with the Department, the relevant Sector-Specific Agency designated under subsection (c), and the relevant Information Sharing and Analysis Centers under subsection (e) on security and resilience activities and emergency response and recovery efforts; establish governance and operating procedures, and designate a chairperson for the sector to carry out the activities described in this subsection; coordinate with the Department, the relevant Information Sharing and Analysis Centers under subsection (e), and other Sector Coordinating Councils to update, maintain, and exercise the National Cybersecurity Incident Response Plan in accordance with section 229(b); and provide any recommendations to the Department on infrastructure protection technology gaps to help inform research and development efforts at the Department.
The Secretary, in collaboration with the relevant Sector Coordinating Council and the critical infrastructure sector represented by such Council, and in coordination with the relevant Sector Specific Agency, shall recognize at least one Information Sharing and Analysis Center for each critical infrastructure sector designated under subsection (b) for purposes of paragraph (3). No other Information Sharing and Analysis Organizations, including Information Sharing and Analysis Centers, may be precluded from having an information sharing relationship within the National Cybersecurity and Communications Integration Center established pursuant to section 228. Nothing in this subsection or any other provision of this subtitle may be construed to limit, restrict, or condition any private entity or activity utilized by, among, or between private entities.
In addition to such other activities as may be authorized by law, at least one Information Sharing and Analysis Center for a critical infrastructure sector shall— serve as an information sharing resource for such sector and promote ongoing multi-directional sharing of real-time, relevant, and actionable cyber threat information and analysis by and among such sector, the Department, the relevant Sector Specific Agency, and other critical infrastructure sector Information Sharing and Analysis Centers; establish governance and operating procedures to carry out the activities conducted under this subsection; serve as an emergency response and recovery operations coordination point for such sector, and upon request, facilitate cyber incident response capabilities in coordination with the Department, the relevant Sector Specific Agency and the relevant Sector Coordinating Council; facilitate cross-sector coordination and sharing of cyber threat information to prevent related or consequential impacts to other critical infrastructure sectors; coordinate with the Department, the relevant Sector Coordinating Council, the relevant Sector Specific Agency, and other critical infrastructure sector Information Sharing and Analysis Centers on the development, integration, and implementation of procedures to support technology neutral, real-time information sharing capabilities and mechanisms within the National Cybersecurity and Communications Integration Center established pursuant to section 228, including— the establishment of a mechanism to voluntarily report identified vulnerabilities and opportunities for improvement; the establishment of metrics to assess the effectiveness and timeliness of the Department’s and Information Sharing and Analysis Centers’ information sharing capabilities; and the establishment of a mechanism for anonymous suggestions and comments; implement an integration and analysis function to inform sector planning, risk mitigation, and operational activities regarding the protection of each critical infrastructure sector from cyber incidents; combine consequence, vulnerability, and threat information to share actionable assessments of critical infrastructure sector risks from cyber incidents; coordinate with the Department, the relevant Sector Specific Agency, and the relevant Sector Coordinating Council to update, maintain, and exercise the National Cybersecurity Incident Response Plan in accordance with section 229(b); and safeguard cyber threat information from unauthorized disclosure.
Of the amounts authorized to be appropriated for each of fiscal years 2014, 2015, and 2016 for the Cybersecurity and Communications Office of the Department, the Secretary is authorized to use not less than $25,000,000 for any such year for operations support at the National Cybersecurity and Communications Integration Center established under section 228(a) of all recognized Information Sharing and Analysis Centers under paragraph (1) of this subsection.
The Secretary— shall expedite the process of security clearances under Executive Order 13549 or successor orders for appropriate representatives of Sector Coordinating Councils and the critical infrastructure sector Information Sharing and Analysis Centers; and may so expedite such processing to— appropriate personnel of critical infrastructure owners and critical infrastructure operators; and any other person as determined by the Secretary.
The Secretary, in collaboration with the critical infrastructure sectors designated under subsection (b), such sectors’ Sector Specific Agencies recognized under subsection (c), and the Sector Coordinating Councils recognized under subsection (d), shall— conduct an analysis and review of the existing public-private partnership model and evaluate how the model between the Department and critical infrastructure owners and critical infrastructure operators can be improved to ensure the Department, critical infrastructure owners, and critical infrastructure operators are equal partners and regularly collaborate on all programs and activities of the Department to protect critical infrastructure; develop and implement procedures to ensure continuous, collaborative, and effective interactions between the Department, critical infrastructure owners, and critical infrastructure operators; and ensure critical infrastructure sectors have a reasonable period for review and comment of all jointly produced materials with the Department.
The Secretary shall administer the operational information security activities and functions to protect and ensure the resiliency of all Federal civilian information systems.
The Secretary, in coordination with the heads of other Federal civilian agencies, shall— develop, issue, and oversee the implementation and compliance of all operational information security policies and procedures to protect and ensure the resiliency of Federal civilian information systems; administer Federal Government-wide efforts to develop and provide adequate, risk-based, cost-effective, and technology neutral information security capabilities; establish and sustain continuous diagnostics systems for Federal civilian information systems to aggregate data and identify and prioritize the mitigation of cyber vulnerabilities in such systems for cybersecurity purposes; develop, acquire, and operate an integrated and consolidated system of intrusion detection, analytics, intrusion prevention, and other information sharing and protective capabilities to defend Federal civilian information systems from cyber threats; develop and conduct targeted risk assessments and operational evaluations of Federal civilian information systems, in consultation with government and private entities that own and operate such information systems, including threat, vulnerability, and impact assessments and penetration testing; develop and provide technical assistance and cyber incident response capabilities to secure and ensure the resilience of Federal civilian information systems; review annually the operational information security activities and functions of each of the Federal civilian agencies; develop minimum technology neutral operational requirements for network and security operations centers to facilitate the protection of all Federal civilian information systems; develop reporting requirements, consistent with relevant law, to ensure the National Cybersecurity and Communications Integration Center established pursuant to section 228 receives all actionable cyber threat information identified on Federal civilian information systems; develop technology neutral performance requirements and metrics for the security of Federal civilian information systems; implement training requirements that include industry recognized certifications to ensure that Federal civilian agencies are able to fully and timely comply with policies and procedures issued by the Secretary under this subsection; and develop training requirements regarding privacy, civil rights, civil liberties, and information oversight for information security employees who operate Federal civilian information systems.
The Secretary may enter into contracts or other agreements, or otherwise request and obtain, in accordance with applicable law, the assistance of private entities that provide electronic communication services, remote computing services, or cybersecurity services to acquire, intercept, retain, use, and disclose communications and other system traffic, deploy countermeasures, or otherwise operate protective capabilities in accordance with subparagraphs (C), (D), (E), and (F) of paragraph (2). No cause of action shall exist against private entities for assistance provided to the Secretary in accordance with this subsection. Nothing in subparagraph (A) may be construed to— require or compel any private entity to enter in a contract or agreement described in such subparagraph; or authorize the Secretary to take any action with respect to any communications or system traffic transiting or residing on any information system or network of information systems other than a Federal civilian information system.
Not later than 180 days after the date of the enactment of this section, the Secretary shall submit to the appropriate congressional committees recommendations on how to expedite the implementation of information sharing agreements for cybersecurity purposes between the Secretary and critical information owners and critical infrastructure operators and other private entities. Such recommendations shall address the development and utilization of a scalable form that retains all privacy and other protections in such agreements in existence as of such date, including Cooperative and Research Development Agreements. Such recommendations should also include any additional authorities or resources that may be needed to carry out the implementation of any such new agreements.
No provision of this title may be construed as modifying, limiting, or otherwise affecting the authority of any other Federal agency under any other provision of law.
The table of contents in section 1(b) of such Act is amended by adding after the item relating to section 226 (as added by section 102) the following new item: Sec. 227. Protection of critical infrastructure and information sharing.