
Code · BILL · 114th Congress · S. 1869 (Reported in Senate) — To improve Federal network security and authorize and enhance an existing intrusion detection and prevention system f... · Sec. 3

Sec. 3. Improved Federal network security


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Subtitle C of title II of the Homeland Security Act of 2002 (6 U.S.C. 141 et seq.) is amended— by redesignating section 228 as section 229; by redesignating section 227 as subsection (c) of section 228, as added by paragraph (4), and adjusting the margins accordingly; by redesignating the second section designated as section 226 (relating to the national cybersecurity and communications integration center) as section 227; by inserting after section 227, as so redesignated, the following:

In this section— the term agency information system means an information system used or operated by an agency, by a contractor of an agency, or by another entity on behalf of an agency; the terms cybersecurity risk and information system have the meanings given those terms in section 227; and the term information sharing and analysis organization has the meaning given the term in section 212(5); and the term intelligence community has the meaning given the term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)).

The Secretary, in coordination with the Director of the Office of Management and Budget, shall develop and implement an intrusion assessment plan to identify and remove intruders in agency information systems. The intrusion assessment plan required under paragraph (1) shall not apply to the Department of Defense or an element of the intelligence community.;

in section 228(c), as so redesignated, by striking section 226 and inserting section 227; and by inserting after section 229, as so redesignated, the following:

In this section— the term agency has the meaning given that term in section 3502 of title 44, United States Code; the term agency information means information collected or maintained by or on behalf of an agency; the term agency information system has the meaning given the term in section 228; and the terms cybersecurity risk and information system have the meanings given those terms in section 227.

Not later than 1 year after the date of enactment of this section, the Secretary shall deploy, operate, and maintain, to make available for use by any agency, with or without reimbursement— a capability to detect cybersecurity risks in network traffic transiting or traveling to or from an agency information system; and a capability to prevent network traffic associated with such cybersecurity risks from transiting or traveling to or from an agency information system or modify such network traffic to remove the cybersecurity risk. The Secretary shall regularly deploy new technologies and modify existing technologies to the intrusion detection and prevention capabilities described in paragraph (1) as appropriate to improve the intrusion detection and prevention capabilities.

In carrying out subsection (b), the Secretary— may access, and the head of an agency may disclose to the Secretary or a private entity providing assistance to the Secretary under paragraph (2), information transiting or traveling to or from an agency information system, regardless of the location from which the Secretary or a private entity providing assistance to the Secretary under paragraph (2) accesses such information, notwithstanding any other provision of law that would otherwise restrict or prevent the head of an agency from disclosing such information to the Secretary or a private entity providing assistance to the Secretary under paragraph (2); may enter into contracts or other agreements with, or otherwise request and obtain the assistance of, private entities to deploy and operate technologies in accordance with subsection (b); may retain, use, and disclose information obtained through the conduct of activities authorized under this section only to protect information and information systems from cybersecurity risks; shall regularly assess through operational test and evaluation in real world or simulated environments available advanced protective technologies to improve detection and prevention capabilities, including commercial and non-commercial technologies and detection technologies beyond signature-based detection, and utilize such technologies when appropriate; shall establish a pilot to acquire, test, and deploy, as rapidly as possible, technologies described in paragraph (4); and shall periodically update the privacy impact assessment required under section 208(b) of the E-Government Act of 2002 (44 U.S.C. 3501 note).; and shall ensure that— activities carried out under this section are reasonably necessary for the purpose of protecting agency information and agency information systems from a cybersecurity risk; information accessed by the Secretary will be retained no longer than reasonably necessary for the purpose of protecting agency information and agency information systems from a cybersecurity risk; notice has been provided to users of an agency information system concerning access to communications of users of the agency information system for the purpose of protecting agency information and the agency information system; and the activities are implemented pursuant to policies and procedures governing the operation of the intrusion detection and prevention capabilities.

A private entity described in subsection (c)(2) may not— disclose any network traffic transiting or traveling to or from an agency information system to any entity other than the Department or the agency that disclosed the information under subsection (c)(1); or use any network traffic transiting or traveling to or from an agency information system to which the private entity gains access in accordance with this section for any purpose other than to protect agency information and agency information systems against cybersecurity risks or to administer a contract or other agreement entered into pursuant to subsection (c)(2) or as part of another contract with the Secretary. No cause of action shall lie in any court against a private entity for assistance provided to the Secretary in accordance with this section and any contract or agreement entered into pursuant to subsection (c)(2). Nothing in paragraph (2) shall be construed to authorize an Internet service provider to break a user agreement with a customer.

Not later than 1 year after the date of enactment of this section, the Attorney General shall review the policies and guidelines for the program carried out under this section to ensure that the policies and guidelines are consistent with applicable law governing the acquisition, interception, retention, use, and disclosure of communications..

The Director and the Secretary, in consultation with appropriate agencies, shall— review and update Governmentwide policies and programs to ensure appropriate prioritization and use of network security monitoring tools within agency networks; and brief appropriate congressional committees on such prioritization and use.

Except as provided in paragraph (2)— not later than 1 year after the date of enactment of this Act or 2 months after the date on which the Secretary makes available the intrusion detection and prevention capabilities under section 230(b)(1) of the Homeland Security Act of 2002, as added by subsection (a), whichever is later, the head of each agency shall apply and continue to utilize the capabilities to all information traveling between an agency information system and any information system other than an agency information system; and not later than 6 months after the date on which the Secretary makes available improvements to the intrusion detection and prevention capabilities pursuant to section 230(b)(2) of the Homeland Security Act of 2002, as added by subsection (a), the head of each agency shall apply and continue to utilize the improved intrusion detection and prevention capabilities. The requirements under paragraph (1) shall not apply to the Department of Defense or an element of the intelligence community.

The table of contents in section 1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 note) is amended by striking the items relating to the first section designated as section 226, the second section designated as section 226 (relating to the national cybersecurity and communications integration center), section 227, and section 228 and inserting the following:

Sec. 226. Cybersecurity recruitment and retention.
Sec. 227. National cybersecurity and communications integration center.
Sec. 228. Cybersecurity plans.
Sec. 229. Clearances.
Sec. 230. Federal intrusion detection and prevention system..