Sec. 4. Directives and imminent threats
/bill/114/hr/3313/ih/section-4
Section 3553 of title 44, United States Code, is amended by adding at the end the following: Notwithstanding section 3554, and subject to subparagraph (B), in response to a known or reasonably suspected information security threat, vulnerability, risk, or incident, including an act of terrorism, that represents a substantial threat to the information security of an agency, the Secretary may issue a directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems owned or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat or an act of terrorism.
The authorities of the Secretary under this subsection shall not apply to a system described in paragraph (2) or (3) of subsection (e).

The Secretary shall— in coordination with the Director and in consultation with Federal contractors, as appropriate, establish procedures under which a directive may be issued under this subsection, which shall include— thresholds and other criteria; privacy and civil liberties protections; and providing notice to potentially affected third parties; specify the reasons for the required action and the duration of the directive; minimize the impact of a directive under this subsection by— adopting the least intrusive means possible under the circumstances to secure the agency information systems; and limiting the directive to the shortest period practicable; and notify the Director and the head of any affected agency immediately upon the issuance of a directive under this subsection.

If the Secretary determines that there is an imminent threat, including a threat of terrorism, to agency information systems and a directive under this subsection is not reasonably likely to result in a timely response to the threat, the Secretary may authorize the use of protective capabilities under the control of the Secretary for communications or other system traffic transiting to or from or stored on an agency information system without prior consultation with the affected agency for the purpose of ensuring the security of the information, information system, or other agency information systems.

The authority under this paragraph may not be delegated to an official in a position lower than an Assistant Secretary of the Department of Homeland Security.

The Secretary shall immediately notify the Director and the head and chief information officer (or equivalent official) of each affected agency of— any action taken under this subsection; and the reasons for and duration and nature of the action.

Any action of the Secretary under this paragraph shall be consistent with applicable law.
The Secretary may direct or authorize lawful action or protective capability under this subsection only to— protect agency information from unauthorized access, use, disclosure, disruption, modification, or destruction; or require the remediation of or protect against identified information security risks, including acts of terrorism, with respect to— information collected or maintained by or on behalf of an agency; or that portion of an information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.