
Code · BILL · 117th Congress · S. 2666 (Introduced in Senate) — To address threats relating to ransomware, and for other purposes. · Sec. 6

Sec. 6. Ransomware operation reporting capabilities


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.), as amended by section 2(a), is amended by adding at the end the following:

Subtitle D—Ransomware Operation Reporting Capabilities

Sec. 2241. Definitions

In this subtitle:

(1) The definitions in section 2201 shall apply to this subtitle, except as otherwise provided.

(2) The term "Agency" means the Cybersecurity and Infrastructure Security Agency.

(3) The term "appropriate congressional committees" means—
  (A) the Committee on Homeland Security and Governmental Affairs of the Senate;
  (B) the Select Committee on Intelligence of the Senate;
  (C) the Committee on the Judiciary of the Senate;
  (D) the Committee on Homeland Security of the House of Representatives;
  (E) the Permanent Select Committee on Intelligence of the House of Representatives; and
  (F) the Committee on the Judiciary of the House of Representatives.

(4) The term "covered entity" means—
  (A) a Federal contractor;
  (B) an owner or operator of critical infrastructure;
  (C) a non-government entity that provides cybersecurity incident response services; and
  (D) any other entity determined appropriate by the Secretary, in coordination with the head of any other appropriate department or agency.

(5) The term "critical function" means any action or operation that is necessary to maintain critical infrastructure.

(6) The term "Director" means the Director of the Cybersecurity and Infrastructure Security Agency.

(7) The term "Federal agency" has the meaning given the term "agency" in section 3502 of title 44, United States Code.

(8) The term "Federal contractor"—
  (A) means a contractor or subcontractor (at any tier) of the United States Government; and
  (B) does not include a contractor or subcontractor that is a party only to—
    (i) a service contract to provide housekeeping or custodial services; or
    (ii) a contract to provide products or services unrelated to information technology that is below the micro-purchase threshold (as defined in section 2.101 of title 48, Code of Federal Regulations, or any successor thereto).

(9) The term "information technology" has the meaning given the term in section 11101 of title 40, United States Code.

(10) The term "ransomware" means any type of malicious software that—
  (A) prevents the legitimate owner or operator of an information system or network from accessing electronic data, files, systems, or networks; and
  (B) demands the payment of a ransom for the return of access to the electronic data, files, systems, or networks described in subparagraph (A).

(11) The term "ransomware notification" means a notification of a ransomware operation.

(12) The term "ransomware operation" means a specific instance in which ransomware affects the information systems or networks owned or operated by—
  (A) a covered entity; or
  (B) a Federal agency.

(13) The term "System" means the ransomware operation reporting capabilities established under section 2242(b).

Sec. 2242. Establishment of ransomware operation reporting system

(a) The Agency shall be the designated agency within the Federal Government to receive ransomware operation notifications from other Federal agencies and covered entities in accordance with this subtitle.

(b) Not later than 180 days after the date of enactment of this subtitle, the Director shall establish ransomware operation reporting capabilities to facilitate the submission of timely, secure, and confidential ransomware notifications by Federal agencies and covered entities to the Agency.

The Director shall—
  (1) assess the security of the System not less frequently than once every 2 years; and
  (2) as soon as is practicable after conducting an assessment under paragraph (1), make any necessary corrective measures to the System.

The System shall have the ability—
  (1) to accept classified submissions and notifications; and
  (2) to accept a ransomware notification from any entity, regardless of whether the entity is a covered entity.

Any ransomware notification submitted to the System—
  (1) shall be exempt from disclosure under—
    (A) section 552 of title 5, United States Code (commonly referred to as the "Freedom of Information Act"), in accordance with subsection (b)(3)(B) of such section 552; and
    (B) any State, Tribal, or local law requiring the disclosure of information or records; and
  (2) may not be—
    (A) admitted as evidence in any civil or criminal action brought against the victim of the ransomware operation; or
    (B) subject to a subpoena, unless the subpoena is issued by Congress for congressional oversight purposes.

Privacy and protection procedures:
  (1) Not later than the date on which the Director establishes the System, the Director shall adopt privacy and protection procedures for any information submitted to the System that, at the time of the submission, is known to contain—
    (A) the personal information of a specific individual; or
    (B) information that identifies a specific individual that is not directly related to a ransomware operation.
  (2) The Director shall base the privacy and protection procedures adopted under paragraph (1) on the privacy and protection procedures developed for information received and shared pursuant to the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501 et seq.).

Reports:
  (1) Not later than 1 year after the date on which the System is established and once each year thereafter, the Director shall submit to the appropriate congressional committees a report on the System, which shall include, with respect to the 1-year period preceding the report—
    (A) the number of notifications received through the System; and
    (B) the actions taken in connection with the notifications described in subparagraph (A).
  (2) Not later than 1 year after the date on which the System is established, and once each year thereafter, the Secretary shall submit to the appropriate congressional committees a report on the types of ransomware operation information and incidents in which ransom is requested that are required to be submitted as a ransomware notification, noting any changes from the previous submission.
  (3) Any report required under this subsection may be submitted in a classified form, if necessary.

Sec. 2243. Required notifications

(a) Notification.—
  (1) Not later than 24 hours after the discovery of a ransomware operation that compromises, is reasonably likely to compromise, or otherwise materially affects the performance of a critical function by a Federal agency or covered entity, the Federal agency or covered entity that discovered the ransomware operation shall submit a ransomware notification to the System.
  (2) A Federal agency or covered entity shall submit a ransomware notification under paragraph (1) of a ransomware operation discovered by the Federal agency or covered entity even if the ransomware operation does not occur on a system of the Federal agency or covered entity.

(b) A Federal agency or covered entity that submits a ransomware notification under subsection (a) shall, upon discovery of new information and not less frequently than once every 5 days until the date on which the ransomware operation is mitigated and any follow-up investigation is completed, submit updated ransomware threat information to the System.

(c) Not later than 24 hours after a Federal agency or covered entity issues a ransom payment relating to a ransomware operation, the Federal agency or covered entity shall submit to the System details of the ransom payment, including—
  (1) the method of payment;
  (2) the amount of the payment; and
  (3) the recipient of the payment.

Notwithstanding any provision of this title that may limit or restrict the promulgation of rules, not later than 180 days after the date of enactment of this subtitle, the Secretary, acting through the Director, in coordination with the Director of National Intelligence and the Attorney General, without regard to the notice and comment rule making requirements under section 553 of title 5, United States Code, and accepting comments after the effective date, shall promulgate interim final rules that define—
  (1) the conditions under which a ransomware notification is required to be submitted under subsection (a)(1);
  (2) the ransomware operation information that shall be included in a ransomware notification required under this section; and
  (3) the information that shall be included in a ransom payment disclosure required under subsection (c).

The Secretary, in coordination with the head of each Sector Risk Management Agency, shall—
  (1) establish a set of reporting criteria for Sector Risk Management Agencies to submit ransomware notifications to the System; and
  (2) take steps to harmonize the criteria described in paragraph (1) with the regulatory reporting requirements in effect on the date of enactment of this subtitle.

Section 106 of the Cybersecurity Act of 2015 (6 U.S.C. 1505) shall apply to a Federal agency or covered entity required to submit a ransomware notification to the System.

If a covered entity violates the requirements of this subtitle, the covered entity shall be subject to penalties determined by the Administrator of the General Services Administration, which may include removal from the Federal Contracting Schedules. If a Federal agency violates the requirements of this subtitle, the violation shall be referred to the inspector general for the agency, and shall be treated as a matter of urgent concern.

The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135), as amended by section 2(b), is further amended by adding at the end the following:

Subtitle D—Ransomware Operation Reporting Capabilities
Sec. 2241. Definitions.
Sec. 2242. Establishment of ransomware operation reporting system.
Sec. 2243. Required notifications.

Section 2202(c) of the Homeland Security Act of 2002 (6 U.S.C. 652(c)) is amended—
  (1) by redesignating the second and third paragraphs (12) as paragraphs (14) and (15), respectively; and
  (2) by inserting before paragraph (14), as so redesignated, the following: "carry out the responsibilities described in subtitle D relating to the ransomware operation reporting system;".
Marginalia · a citizen's law index