
Code · BILL · 114th Congress · H.R. 6381 (Introduced in House) — To provide for certain homeland security improvements, and for other purposes. · Sec. 601

Sec. 601. Cybersecurity and Infrastructure Protection Agency


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

The Homeland Security Act of 2002 is amended by adding at the end the following new title: In this subtitle— The term critical infrastructure incident means an occurrence that actually or immediately jeopardizes, without lawful authority, the integrity, confidentiality, or availability of critical infrastructure. The term critical infrastructure information has the meaning given such term in section 2215. The term critical infrastructure risk means threats to and vulnerabilities of critical infrastructure and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such critical infrastructure, including such related consequences caused by an act of terrorism.
The term cybersecurity risk has the meaning given such term in section 2209. The term cybersecurity threat has the meaning given such term in paragraph (5) of section 102 of the Cybersecurity Information Sharing Act of 2015 (contained in division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113; 6 U.S.C. 1501)). The term Federal entity has the meaning given such term in paragraph (8) of section 102 of the Cybersecurity Information Sharing Act of 2015 (contained in division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113; 6 U.S.C. 1501)). The term non-Federal entity has the meaning given such term in paragraph (14) of section 102 of the Cybersecurity Information Sharing Act of 2015 (contained in division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113; 6 U.S.C. 1501)). The term sharing has the meaning given such term in section 2209.
The National Protection and Programs Directorate of the Department shall, on and after the date of the enactment of this subtitle, be known as the Cybersecurity and Infrastructure Protection Agency (in this subtitle referred to as the Agency). Any reference to the National Protection and Programs Directorate of the Department in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Cybersecurity and Infrastructure Protection Agency of the Department. The mission of the Agency shall be to lead national efforts to protect and enhance the security and resilience of the cyber and critical infrastructure of the United States. The Agency shall be headed by a Director of National Cybersecurity (in this subtitle referred to as the Director). Any reference to an Under Secretary responsible for overseeing critical infrastructure protection, cybersecurity, and any other related program of the Department as described in section 103(a)(1)(H) as in effect on the day before the date of the enactment of this subtitle in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Director of National Cybersecurity of the Department.
The Director shall— lead cybersecurity and critical infrastructure protection policy and operations for the Department; serve as the primary representative of the Department for coordinating with Federal entities, non-Federal entities, and international partners the cybersecurity and critical infrastructure protection policy and operations referred to in paragraph (1); facilitate a national effort to strengthen and maintain secure, functioning, and resilient critical infrastructure from threats; maintain and utilize mechanisms, including a coordinating body for the regular and ongoing consultation and collaboration among the Agency’s Divisions to further operation coordination, integrated situational awareness, and improved integration across the Agency; develop, coordinate, and implement— comprehensive strategic plans for cybersecurity and critical infrastructure protection; and risk assessments for the Department, in accordance with subsection (f); carry out emergency communications responsibilities, in accordance with title XVIII; carry out the authorities designated to the Secretary under section 1315 of title 40 United States Code; and carry out such other duties and powers prescribed by law or delegated by the Secretary. The Director, in coordination with the heads of relevant components of the Department and other appropriate Federal entities, shall develop, coordinate, and update periodically (not less often than once every two years) a national risk assessment of— cybersecurity risks; and critical infrastructure risks. The Director shall develop, coordinate, and update periodically (not less often than once every two years) an integrated national risk assessment that assesses all of the cybersecurity risks and critical infrastructure risks referred to in paragraph (1) and compares each such risk and incident against one another according to their relative risk, including cascading effects between each such risk. Each national risk assessment required under paragraph (1) and integrated national risk assessment required under paragraph (2) shall include— a description of the data and methodology used for each such assessment; and if applicable, actions or countermeasures recommended or taken by the Secretary or the head of another Federal agency to address issues identified in each such assessment. The Director shall ensure that each national risk assessment required under paragraph (1) and integrated national risk assessment required under paragraph (2) has a classified and unclassified version. The Director shall provide to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate each national risk assessment required under paragraph (1) and integrated national risk assessment required under paragraph (2) not later than 30 days after the completion of each such assessment. In developing each national risk assessment required under subsection (f)(1) and integrated national risk assessment required under subsection (g)(2), the Director, in consultation with the heads of relevant Federal entities, shall— assess the proposed methodology to be used for such assessments; and consider the evolving threat to the United States as indicated by the intelligence community (as such term is defined in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4))). The national risk assessments and integrated national risk assessments required under subsection (f) shall be used to inform and guide allocation of resources for cybersecurity and critical infrastructure protection activities of the Department. The Director shall, for each national risk assessment and integrated national risk assessment required under subsection (f)— seek input from relevant Federal and non-Federal entities involved in efforts to counter threats; ensure that written procedures are in place to guide the development of such assessments, including for input, review, and implementation purposes, among relevant Federal entities; share the classified versions of such assessments with appropriate representatives from relevant Federal and non-Federal entities with appropriate security clearances and a need for such assessments; and to the maximum extent practicable, make available the unclassified versions of such assessments to relevant Federal and non-Federal entities for cybersecurity and critical infrastructure protection. The Agency shall be composed of the following divisions: The Cybersecurity Division, headed by a Principal Deputy Director. The Infrastructure Protection Division, headed by a Deputy Director. The Emergency Communications Division under title XVIII, headed by a Deputy Director. The Federal Protective Service, headed by a Deputy Director. In this subsection the term head of contracting activity means each official responsible for the creation, management, and oversight of a team of procurement professionals properly trained, certified, and warranted to accomplish the acquisition of products and services on behalf of the designated components, offices, and organizations of the Department, and as authorized, other Federal Government entities. All procurement and contracting activities for the Agency shall be performed in accordance with the Federal Acquisition Regulation, the Department of Homeland Security Acquisition Policy, and other applicable laws, Federal regulations, and policies.
The Secretary, acting through the Chief Procurement Officer of the Department, may delegate procurement and contracting authority to the Agency head of contracting activity, as appropriate, after— verifying that the head of contracting activity has the training and experience to carry out the authority to be delegated; validating that Agency has identified the personnel, systems, and resources to carry out the authority to be delegated; and providing Congress with a notification of the delegation and attestations under paragraphs (1) and (2). The Chief Procurement Officer shall provide input on the periodic performance review of the Agency’s head of contracting activity. None of the authorities authorized in this subsection shall prohibit the Chief Procurement Officer from retaining contracting authority for the Agency, as warranted. The Agency shall comply with Department policy prior to obligating funds when using reimbursable work agreements or interagency acquisitions with other Federal agencies or Department components. Not later than one year after any delegation pursuant to paragraph (3), the Director shall report to Congress on the exercise of procurement and contracting authority by the head of contracting activity of the Agency and the status of Agency major acquisition programs, cost, schedule, and performance. The Secretary shall provide the Agency with a staff of analysts having appropriate expertise and experience to assist the Agency in discharging its responsibilities under this section. Analysts under this subsection may include analysts from the private sector. Analysts under this subsection shall possess security clearances appropriate for their work under this section. In order to assist the Agency in discharging its responsibilities under this section, personnel of the Federal agencies referred to in paragraph (2) may be detailed to the Agency for the performance of analytic functions and related duties. The Federal agencies referred to in paragraph (1) are the following: The Department of State. The Central Intelligence Agency. The Federal Bureau of Investigation. The National Security Agency. The National Geospatial-Intelligence Agency. The Defense Intelligence Agency. Any other agency of the Federal Government that the President considers appropriate. The Secretary and the head of the agency concerned under this subsection may enter into cooperative agreements for the purpose of detailing personnel under this subsection. The detail of personnel under this subsection may be on a reimbursable or non-reimbursable basis.
There is established in the Agency a Cybersecurity Division. The Cybersecurity Division shall be headed by a Principal Deputy Director of Cybersecurity (in this subtitle referred to as the Principal Deputy Director), who shall— be at the level of Assistant Secretary within the Department; and report to the Director. Any reference to the Assistant Secretary for Cybersecurity and Communications in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to Principal Deputy Director of Cybersecurity.
The Cybersecurity Division shall— lead the cybersecurity efforts of the Agency; carry out— the Department’s activities related to Federal information security; and the functions of the national cybersecurity and communications integration center under section 2209; coordinate cybersecurity initiatives with Federal and non-Federal entities for all activities relating to stakeholder outreach, engagement, and education, including engagement and coordination activities for cybersecurity initiatives carried out by the National Protection and Programs Directorate, Office of Cybersecurity and Communications Stakeholder Engagement and Cyber Infrastructure Resilience division as of June 1, 2015; provide coordination and support to non-Federal entities to reduce cybersecurity risks, including through voluntary partnerships; conduct network and malicious code analysis for known and unknown cybersecurity threats; and in coordination with the Director, carry out the consultation, coordination, and collaboration required under subsection (d)(4) of section 2202. In addition to the responsibilities specified in subsection (b), the Principal Deputy Director shall also— under section 201, carry out paragraphs (1), (3), (4), (5), (6), (8), (10), (11), (13), (14), and (22) of subsection (d) of such section; carry out comprehensive assessments of the cybersecurity risks to critical infrastructure, including the performance of risk assessments to determine the risks posed by particular types of terrorist attacks within the United States (including an assessment of the probability of success of such attacks and the feasibility and potential efficacy of various countermeasures to such attacks); recommend cybersecurity measures necessary to protect critical infrastructure in coordination with other Federal entities and in cooperation with non-Federal entities; and ensure that any material received pursuant to this title is protected from unauthorized disclosure and handled and used only for the performance of official duties.
There is established in the Agency an Infrastructure Protection Division. The Infrastructure Protection Division shall be headed by a Deputy Director of Infrastructure Protection (in this section referred to as the Deputy Director), who shall report to the Director. Any reference to the Assistant Secretary for Infrastructure Protection in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to Deputy Director of Infrastructure Protection.
The Infrastructure Protection Division shall— lead the critical infrastructure protection efforts of the Agency; gather and manage critical infrastructure information and ensure that such information is available to the leadership of the Department and critical infrastructure owners and operators; lead the efforts of the Department to secure the United States high-risk chemical facilities, including the Chemical Facilities Anti-Terrorism Standards established under title XXI; provide coordination and support to non-Federal entities to reduce risk to critical infrastructure from terrorist attack or natural disaster, including through voluntary partnerships; operate stakeholder engagement mechanisms for appropriate critical infrastructure sectors, except that such mechanisms may not duplicate any engagement and coordination activities for cybersecurity initiatives carried out by the National Protection and Programs Directorate, Office of Cybersecurity and Communications Stakeholder Engagement and Cyber Infrastructure Resilience division as of June 1, 2015; administer the Coordinating Center established under subsection (d); in coordination with the Director, carry out the consultation and collaboration required under subsection (d)(4) of section 2202; and carry out such other duties and powers as prescribed by the Director. In addition to the responsibilities specified in subsection (b), the Deputy Director shall also— under section 201, carry out paragraphs (1), (3), (4), (5), (6), (8), (10), (11), (13), (14), and (22) subsection (d) of such section; carry out comprehensive assessments of the vulnerabilities of critical infrastructure, including the performance of risk assessments to determine the risks posed by particular types of terrorist attacks within the United States (including an assessment of the probability of success of such attacks and the feasibility and potential efficacy of various countermeasures to such attacks); recommend measures necessary to protect critical infrastructure in coordination with other Federal entities and in cooperation with non-Federal entities; and ensure that any material received pursuant to this title is protected from unauthorized disclosure and handled and used only for the performance of official duties. There shall be within the Infrastructure Protection Division a National Infrastructure Coordinating Center which shall be headed by an Assistant Director and be co-located with the national cybersecurity communications and integrated center established under section 2209. The National Infrastructure Coordinating Center shall— collect, maintain, and share critical infrastructure information; evaluate critical infrastructure information for accuracy, importance, and implications; provide recommendations to non-Federal entities and Department leadership; advise the Secretary and the Director regarding actions required before and after a critical infrastructure incident; and carry out such other duties and powers as prescribed by the Director.
The individual serving as the Under Secretary appointed pursuant to section 103(a)(1)(H) of the Homeland Security Act of 2002 (6 U.S.C. 113(a)(1)) of the Department of Homeland Security on the day before the date of the enactment of this Act may continue to serve as the Director of the Cybersecurity and Infrastructure Protection Agency of the Department on and after such date.
The individual serving as the Director for Emergency Communications of the Department of Homeland Security on the day before the date of the enactment of this Act may continue to serve as the Deputy Director of Emergency Communications of the Department on and after such date. The individual serving as the Assistant Secretary for Cybersecurity and Communications on the day before the date of the enactment of this Act may continue to serve as the Principal Deputy Director of Cybersecurity. The individual serving as the Assistant Secretary for Infrastructure Protection on the day before the date of the enactment of this Act may continue to serve as the Deputy Director of Infrastructure Protection. The Director of the Cybersecurity and Infrastructure Protection Agency of the Department of Homeland Security shall provide, in accordance with the deadlines specified in paragraphs (1) and (2), to the Committee on Homeland Security of the House and the Committee on Homeland Security and Governmental Affairs of the Senate information on the following: Not later than 90 days after the date of the enactment of this Act, the Agency’s mechanisms for regular consultation and collaboration, including information on composition (including leadership structure), authorities, frequency of meetings, and visibility within the Agency. Not later than one year after the date of the enactment of this Act, the activities of the Agency’s consultation and collaboration mechanisms and how such mechanisms have impacted operational coordination, situational awareness, and integration across the Agency.
The Homeland Security Act of 2002 is amended— in section 103(a) (6 U.S.C. 113(a))— in paragraph (1), by amending subparagraphs (H) and (I) to read as follows: A Director of the Cybersecurity and Infrastructure Protection Agency. The Administrator of the Transportation Security Administration. ; and by amending paragraph (2) to read as follows: The Department shall have the following officers appointed by the President: The Principal Deputy Director of the Cybersecurity Division under section 2203. The Assistant Secretary of the Office of Public Affairs. The Assistant Secretary of the Office of Legislative Affairs. The Department shall have the following Assistant Secretaries appointed by the Secretary: The Assistant Secretary for International Affairs under section 602. The Assistant Secretary for Partnership and Engagement under section 603. No Assistant Secretary position may be created in addition to the positions provided for by this section unless such position is authorized by a statute enacted after the date of the enactment of the Cybersecurity and Infrastructure Protection Agency Act of 2016. ; in title II (6 U.S.C. 121 et seq.)— in the title heading, by striking ; and infrastructure protection in the subtitle A heading, by striking ; and infrastructure protection; access to information in section 201 (6 U.S.C. 121)— in the section heading, by striking ; and infrastructure protection in subsection (a)— in the heading, by striking ; and and infrastructure protection by striking and an Office of Infrastructure Protection ; in subsection (b)— in the heading, by striking ; and and Assistant Secretary for Infrastructure Protection by striking paragraph (3); in subsection (c)— by striking and infrastructure protection ; and by striking or the Assistant Secretary for Infrastructure Protection, as appropriate ; in subsection (d)— in the heading, by striking ; and infrastructure protection in the matter preceding paragraph (1), by striking and infrastructure protection ; by striking paragraphs (5) and (6) and redesignating paragraphs (7) through (25) as paragraphs (4) through (23), respectively; and by striking paragraph (23), as so redesignated; in subsection (e)(1), by striking and the Office of Infrastructure Protection ; and in subsection (f)(1), by striking and the Office of Infrastructure Protection ; by redesignating sections 223 through 230 (6 U.S.C. 143–151) as sections 2205 through 2212, respectively, and inserting such redesignated sections after section 2204, as added by this title; by redesignating section 210E (6 U.S.C. 124) as section 2213 and inserting such redesignated section after section 2212; and in subtitle B, by redesignating sections 211 through 215 (6 U.S.C. 101 note through 134) as sections 2214 through 2218, respectively, and inserting such redesignated sections, including the subtitle B designation (including the enumerator and heading), after section 2213; in title XVIII (6 U.S.C. 571 et seq.)— in section 1801 (6 U.S.C. 571)— in the section heading, by striking and inserting Office of Emergency Communications ; Emergency Communications Division in subsection (a)— by striking Office of Emergency Communications and inserting Emergency Communications Division ; and by adding at the end the following new sentence: The Division shall be located in the Cybersecurity and Infrastructure Protection Agency. ; and in subsection (b)— in the first sentence, by striking Director for and inserting Deputy Director of ; and in the second sentence, by striking Assistant Secretary for Cybersecurity and Communications and inserting Director of the Cybersecurity and Infrastructure Protection Agency ; and in subsection (e)— in the matter preceding paragraph (1), by striking Director for and inserting Deputy Director of ; by redesignating paragraphs (1) and (2) as paragraphs (2) and (3), respectively; and by inserting before paragraph (2), as so redesignated, the following new paragraph: with the Director of the Cybersecurity and Infrastructure Protection Agency to carry out the consultation and collaboration required under subsection (d)(4) of section 2202; ; in sections 1801 through 1805 (6 U.S.C. 575), by striking Director for Emergency Communications each place it appears and inserting Deputy Director of Emergency Communications ; in section 1809 (6 U.S.C. 579)— by striking Director for Emergency Communications each place it appears and inserting Deputy Director of Emergency Communications ; and by striking Office of Emergency Communications each place it appears and inserting Emergency Communications Division ; and in section 1810 (6 U.S.C. 580)— by striking Director each place it appears and inserting Deputy Director ; by striking Office of Emergency Communications each place it appears and inserting Emergency Communications Division ; and in subsection (a)(1), by striking Director of the Office of Emergency Communications (referred to in this section as the and inserting Director ) Deputy Director of the Emergency Communications Division (referred to in this section as the ; Deputy Director ) in title XXI (6 U.S.C. 621 et seq.)— in section 2101 (6 U.S.C. 621)— by redesignating paragraphs (4) through (14) as paragraphs (5) through (15), respectively; by inserting after paragraph (3) the following new paragraph: the term Director means the Director of the Cybersecurity and Infrastructure Protection Agency; ; by further redesignating paragraphs (11) through (15) (as redesignated pursuant to clause (i)) as paragraphs (12) through (16); and by inserting after paragraph (10) (as redesignated pursuant to clause (i)) the following new paragraph: the term Secretary means the Secretary acting through the Director; ; in paragraph (1) of section 2102(a) (6 U.S.C. 622(a)), by inserting at the end the following new sentence: Such Programs shall be located in the Cybersecurity and Infrastructure Protection Agency. ; and in paragraph (2) of section 2104(c) (6 U.S.C. 624(c)), by striking Under Secretary responsible for overseeing critical infrastructure protection, cybersecurity, and other related programs of the Department appointed under section 103(a)(1)(H) and inserting Director of the Cybersecurity and Infrastructure Protection Agency ; and in title XXII, as added by this title— in section 2205, as so redesignated, in the matter preceding paragraph (1), by striking Under Secretary appointed under section 103(a)(1)(H) and inserting Director of the Cybersecurity and Infrastructure Protection Agency ; in section 2209, as so redesignated— by striking Under Secretary appointed under section 103(a)(1)(H) each place it appears and inserting Director of the Cybersecurity and Infrastructure Protection Agency ; in subsection (b), by adding at the end the following new sentences: The Center shall be located in the Cybersecurity and Infrastructure Protection Agency. The head of the Center shall be an Assistant Director of the Center, who shall report to the Principal Deputy Director for Cybersecurity. ; and in subsection (c), by striking Office of Emergency Communications and inserting Emergency Communications Division ; in section 2210, as so redesignated— by striking section 227 each place it appears and inserting section 2209 ; and in subsection (c), by striking Under Secretary appointed under section 103(a)(1)(H) and inserting Director of the Cybersecurity and Infrastructure Protection Agency ; in section 2211, as so redesignated, by striking section 212(5) and inserting section 2215(5) ; and in section 2212, as so redesignated, in subsection (a)— in paragraph (3), by striking section 228 and inserting section 2210 ; and in paragraph (4), by striking section 227 and inserting section 2209 .
The table of contents in section 1(b) of the Homeland Security Act of 2002 is amended— by striking the item relating to section 210E; by striking the items relating to section 211 through section 215, including the subtitle B designation (including the enumerator and heading); by striking the items relating to section 223 through section 230; and by adding at the end the following new items:
Title XXII—Cybersecurity and Infrastructure Protection Agency
Subtitle A—Cybersecurity and Infrastructure Protection
Sec. 2201. Definitions.
Sec. 2202. Cybersecurity and Infrastructure Protection Agency.
Sec. 2203. Cybersecurity Division.
Sec. 2204. Infrastructure Protection Division.
Sec. 2205. Enhancement of Federal and non-Federal cybersecurity.
Sec. 2206. Net guard.
Sec. 2207. Cyber Security Enhancement Act of 2002.
Sec. 2208. Cybersecurity recruitment and retention.
Sec. 2209. National cybersecurity and communications integration center.
Sec. 2210. Cybersecurity plans.
Sec. 2211. Clearances.
Sec. 2212. Federal intrusion detection and prevention system.
Sec. 2213. National Asset Database.
Subtitle B—Critical Infrastructure Information
Sec. 2214. Short title.
Sec. 2215. Definitions.
Sec. 2216. Designation of critical infrastructure protection program.
Sec. 2217. Protection of voluntarily shared critical infrastructure information.
Sec. 2218. No private right of action.