Sec. 3. Cyber incident reporting
S. 2875 (117th Congress), Section 3, as introduced. A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Section 2201 of the Homeland Security Act of 2002 (6 U.S.C. 651) is amended—

by redesignating paragraphs (1), (2), (3), (4), (5), and (6) as paragraphs (2), (4), (5), (7), (10), and (11), respectively;

by inserting before paragraph (2), as so redesignated, the following: "The term 'cloud service provider' means an entity offering products or services related to cloud computing, as defined by the National Institute of Standards and Technology in NIST Special Publication 800–145 and any amendatory or superseding document relating thereto.";

by inserting after paragraph (2), as so redesignated, the following: "The term 'cyber attack' means the use of unauthorized or malicious code on an information system, or the use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system.";

by inserting after paragraph (5), as so redesignated, the following: "The term 'managed service provider' means an entity that delivers services, such as network, application, infrastructure, or security services, via ongoing and regular support and active administration on the premises of a customer, in the data center of the entity (such as hosting), or in a third-party data center.";

by inserting after paragraph (7), as so redesignated, the following: "The term 'ransom payment' means the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.

"The term 'ransomware attack'— means a cyber attack that includes the threat of use of unauthorized or malicious code on an information system, or the threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment; and does not include any such event where the demand for payment is made by a Federal Government entity, good-faith security research, or in response to an invitation by the owner or operator of the information system for third parties to identify vulnerabilities in the information system."; and

by adding at the end the following: "The term 'supply chain compromise' means a cyber attack that allows an adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (such as information technology products), or services at any point during the life cycle.

"The term 'virtual currency' means the digital representation of value that functions as a medium of exchange, a unit of account, or a store of value.

"The term 'virtual currency address' means a unique public cryptographic key identifying the location to which a virtual currency payment can be made.".

Section 9002(a)(7) of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 652a(a)(7)) is amended to read as follows: "The term 'Sector Risk Management Agency' has the meaning given the term in section 2201 of the Homeland Security Act of 2002 (6 U.S.C. 651).".

Title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the following:

Except as provided in subsection (b), the definitions under section 2201 shall apply to this subtitle. In this subtitle:

The term 'Council' means the Cyber Incident Reporting Council described in section 1752(c)(1)(H) of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 1500(c)(1)(H)).

The term 'covered cyber incident' means a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the interim final rule and final rule issued pursuant to section 2232.

The term 'covered entity' means an entity that owns or operates critical infrastructure that satisfies the definition established by the Director in the interim final rule and final rule issued pursuant to section 2232.

The term 'cyber incident' has the meaning given the term 'incident' in section 2209(a).

The term 'cyber threat'— has the meaning given the term 'cybersecurity threat' in section 102 of the Cybersecurity Act of 2015 (6 U.S.C. 1501); and does not include any activity related to good faith security research, including participation in a bug-bounty program or a vulnerability disclosure program.

The terms 'cyber threat indicator', 'cybersecurity purpose', 'defensive measure', 'Federal entity', 'information system', 'security control', and 'security vulnerability' have the meanings given those terms in section 102 of the Cybersecurity Act of 2015 (6 U.S.C. 1501).

The term 'small business'— means a business with fewer than 50 employees (determined on a full-time equivalent basis); and does not include— a business that is a covered entity; or a business that holds a government contract, unless that contractor is a party only to— a service contract to provide housekeeping or custodial services; or a contract to provide products or services unrelated to information technology that is below the micro-purchase threshold, as defined in section 2.101 of title 48, Code of Federal Regulations, or any successor regulation.
There is established in the Agency a Cyber Incident Review Office (in this section referred to as the 'Office') to receive, aggregate, and analyze reports related to covered cyber incidents submitted by covered entities in furtherance of the activities specified in subsection (c) of this section and sections 2202(e), 2203, and 2209(c) and any other authorized activity of the Director to enhance the situational awareness of cyber threats across critical infrastructure sectors.

The Office shall, in furtherance of the activities specified in sections 2202(e), 2203, and 2209(c)—

receive, aggregate, analyze, and secure, consistent with the requirements under the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501 et seq.), reports from covered entities related to a covered cyber incident to assess the effectiveness of security controls and identify tactics, techniques, and procedures adversaries use to overcome those controls;

receive, aggregate, analyze, and secure reports related to ransom payments to identify tactics, techniques, and procedures, including identifying and tracking ransom payments utilizing virtual currencies, adversaries use to perpetuate ransomware attacks and facilitate ransom payments;

leverage information gathered about cybersecurity incidents to— enhance the quality and effectiveness of information sharing and coordination efforts with appropriate entities, including agencies, sector coordinating councils, information sharing and analysis organizations, technology providers, cybersecurity and incident response firms, and security researchers; and provide appropriate entities, including agencies, sector coordinating councils, information sharing and analysis organizations, technology providers, cybersecurity and incident response firms, and security researchers, with timely, actionable, and anonymized reports of cyber attack campaigns and trends, including, to the maximum extent practicable, related contextual information, cyber threat indicators, and defensive measures;

establish mechanisms to receive feedback from stakeholders on how the Agency can most effectively receive covered cyber incident reports, ransom payment reports, and other voluntarily provided information;

facilitate the timely sharing, on a voluntary basis, between relevant critical infrastructure owners and operators of information relating to covered cyber incidents and ransom payments, particularly with respect to ongoing cyber threats or security vulnerabilities, and identify and disseminate ways to prevent or mitigate similar incidents in the future;

for a covered cyber incident, including a ransomware attack, that also satisfies the definition of a substantial cyber incident, or is part of a group of related cyber incidents that together satisfy such definition, conduct a review of the details surrounding the covered cyber incident or group of those incidents and identify and disseminate ways to prevent or mitigate similar incidents in the future;

with respect to covered cyber incident reports under subsection (c) involving an ongoing cyber threat or security vulnerability, immediately review those reports for cyber threat indicators that can be anonymized and disseminated, with defensive measures, to appropriate stakeholders, in coordination with other divisions within the Agency, as appropriate;

publish quarterly unclassified, public reports that may be based on the unclassified information contained in the reports required under subsection (c);

proactively identify opportunities and perform analyses, consistent with the protections in section 2235, to leverage and utilize data on ransom attacks to support law enforcement operations to identify, track, and seize ransom payments utilizing virtual currencies, to the greatest extent practicable;

proactively identify opportunities, consistent with the protections in section 2235, to leverage and utilize data on cyber incidents in a manner that enables and strengthens cybersecurity research carried out by academic institutions and other private sector organizations, to the greatest extent practicable;

on a not less frequently than annual basis, analyze public disclosures made pursuant to parts 229 and 249 of title 17, Code of Federal Regulations, or any subsequent document submitted to the Securities and Exchange Commission by entities experiencing cyber incidents and compare such disclosures to reports received by the Office; and

in accordance with section 2235, not later than 24 hours after receiving a covered cyber incident report or ransom payment report, share the reported information with appropriate Sector Risk Management Agencies and other appropriate agencies as determined by the Director of the Office of Management and Budget, in consultation with the Director and the National Cyber Director.

Not later than 60 days after the effective date of the interim final rule required under section 2232(b)(1), and on the first day of each month thereafter, the Director, in consultation with the Attorney General and the Director of National Intelligence, shall submit to the National Cyber Director, the majority leader of the Senate, the minority leader of the Senate, the Speaker of the House of Representatives, the minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a report that characterizes the cyber threat facing Federal agencies and covered entities, including applicable intelligence and law enforcement information, covered cyber incidents, and ransomware attacks, as of the date of the report, which shall— include the total number of reports submitted under sections 2232 and 2233 during the preceding month, including a breakdown of required and voluntary reports; include any identified trends in covered cyber incidents and ransomware attacks over the course of the preceding month and as compared to previous reports, including any trends related to the information collected in the reports submitted under sections 2232 and 2233, including— the infrastructure, tactics, and techniques malicious cyber actors commonly use; and intelligence gaps that have, or currently are, impeding the ability to counter covered cyber incidents and ransomware threats; include a summary of the known uses of the information in reports submitted under sections 2232 and 2233; and be unclassified, but may include a classified annex.

The Director may organize the Office within the Agency as the Director deems appropriate, including harmonizing the functions of the Office with other authorized activities.
A covered entity shall report a covered cyber incident to the Director not later than 72 hours after the covered entity reasonably believes that a covered cyber incident has occurred.

An entity, including a covered entity and except for an individual or a small business, that makes a ransom payment as the result of a ransomware attack against the entity shall report the payment to the Director not later than 24 hours after the ransom payment has been made.

A covered entity shall promptly submit to the Director an update or supplement to a previously submitted covered cyber incident report if new or different information becomes available or if the covered entity makes a ransom payment after submitting a covered cyber incident report required under paragraph (1).

Any entity subject to requirements of paragraph (1), (2), or (3) shall preserve data relevant to the covered cyber incident or ransom payment in accordance with procedures established in the interim final rule and final rule issued pursuant to subsection (b).

If a covered cyber incident includes a ransom payment such that the reporting requirements under paragraphs (1) and (2) apply, the covered entity may submit a single report to satisfy the requirements of both paragraphs in accordance with procedures established in the interim final rule and final rule issued pursuant to subsection (b).

The requirements under paragraphs (1), (2), and (3) shall not apply to an entity required by law, regulation, or contract to report substantially similar information to another Federal agency within a substantially similar timeframe.

Reports made under paragraphs (1), (2), and (3) shall be made in the manner and form, and within the time period in the case of reports made under paragraph (3), prescribed according to the interim final rule and final rule issued pursuant to subsection (b).

Paragraphs (1) through (4) shall take effect on the dates prescribed in the interim final rule and the final rule issued pursuant to subsection (b), except that the requirements of paragraphs (1) through (4) shall not be effective for a period of more than 18 months after the effective date of the interim final rule if the Director has not issued a final rule pursuant to subsection (b)(2).

Not later than 270 days after the date of enactment of this section, and after a 60-day consultative period, followed by a 90-day comment period with appropriate stakeholders, the Director, in consultation with Sector Risk Management Agencies and the heads of other Federal agencies, shall publish in the Federal Register an interim final rule to implement subsection (a). Not later than 1 year after publication of the interim final rule under paragraph (1), the Director shall publish a final rule to implement subsection (a). Any rule to implement subsection (a) issued after publication of the final rule under paragraph (2), including a rule to amend or revise the final rule issued under paragraph (2), shall comply with the requirements under chapter 5 of title 5, United States Code, including the issuance of a notice of proposed rulemaking under section 553 of such title.

The interim final rule and final rule issued pursuant to subsection (b) shall be composed of the following elements:

A clear description of the types of entities that constitute covered entities, based on— the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety; the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.

A clear description of the types of substantial cyber incidents that constitute covered cyber incidents, which shall— at a minimum, require the occurrence of— (i) the unauthorized access to an information system or network with a substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes; (ii) a disruption of business or industrial operations due to a cyber incident; or (iii) an occurrence described in clause (i) or (ii) due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise; consider— the sophistication or novelty of the tactics used to perpetrate such an incident, as well as the type, volume, and sensitivity of the data at issue; the number of individuals directly or indirectly affected or potentially affected by such an incident; and potential impacts on industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers; and exclude— any event where the cyber incident is perpetuated by a United States Government entity, good-faith security research, or in response to an invitation by the owner or operator of the information system for third parties to find vulnerabilities in the information system, such as through a vulnerability disclosure program or the use of authorized penetration testing services; and the threat of disruption as extortion, as described in section 2201(8)(B).

A requirement that, if a covered cyber incident or a ransom payment occurs following an exempted threat described in paragraph (2)(C)(ii), the entity shall comply with the requirements in this subtitle in reporting the covered cyber incident or ransom payment.
A clear description of the specific required contents of a report pursuant to subsection (a)(1), which shall include the following information, to the extent applicable and available, with respect to a covered cyber incident: A description of the covered cyber incident, including— identification and a description of the function of the affected information systems, networks, or devices that were, or are reasonably believed to have been, affected by such incident; a description of the unauthorized access with substantial loss of confidentiality, integrity, or availability of the affected information system or network or disruption of business or industrial operations; the estimated date range of such incident; and the impact to the operations of the covered entity. Where applicable, a description of the vulnerabilities, tactics, techniques, and procedures used to perpetuate the covered cyber incident. Where applicable, any identifying or contact information related to each actor reasonably believed to be responsible for such incident. Where applicable, identification of the category or categories of information that was, or is reasonably believed to have been, accessed or acquired by an unauthorized person. The name and, if applicable, taxpayer identification number or other unique identifier of the entity impacted by the covered cyber incident. Contact information, such as telephone number or electronic mail address, that the Office may use to contact the covered entity or an authorized agent of such covered entity, or, where applicable, the service provider of such covered entity acting with the express permission, and at the direction, of the covered entity to assist with compliance with the requirements of this subtitle. 
A clear description of the specific required contents of a report pursuant to subsection (a)(2), which shall be the following information, to the extent applicable and available, with respect to a ransom payment: A description of the ransomware attack, including the estimated date range of the attack. Where applicable, a description of the vulnerabilities, tactics, techniques, and procedures used to perpetuate the ransomware attack. Where applicable, any identifying or contact information related to the actor or actors reasonably believed to be responsible for the ransomware attack. The name and, if applicable, taxpayer identification number or other unique identifier of the entity that made the ransom payment. Contact information, such as telephone number or electronic mail address, that the Office may use to contact the entity that made the ransom payment or an authorized agent of such covered entity, or, where applicable, the service provider of such covered entity acting with the express permission, and at the direction of, that entity to assist with compliance with the requirements of this subtitle. The date of the ransom payment. The ransom payment demand, including the type of virtual currency or other commodity requested, if applicable. The ransom payment instructions, including information regarding where to send the payment, such as the virtual currency address or physical address the funds were requested to be sent to, if applicable. The amount of the ransom payment. A summary of the due diligence review required under subsection (e). A clear description of the types of data required to be preserved pursuant to subsection (a)(4) and the period of time for which the data is required to be preserved. 
Deadlines for submitting reports to the Director required under subsection (a)(3), which shall— be established by the Director in consultation with the Council; consider any existing regulatory reporting requirements similar in scope, purpose, and timing to the reporting requirements to which such a covered entity may also be subject, and make efforts to harmonize the timing and contents of any such reports to the maximum extent practicable; and balance the need for situational awareness with the ability of the covered entity to conduct incident response and investigations.

Procedures for— entities to submit reports required by paragraphs (1), (2), and (3) of subsection (a), which shall include, at a minimum, a concise, user-friendly web-based form; the Office to carry out the enforcement provisions of section 2233, including with respect to the issuance of subpoenas and other aspects of noncompliance; implementing the exceptions provided in subparagraphs (A), (B), and (D) of subsection (a)(5); and anonymizing and safeguarding information received and disclosed through covered cyber incident reports and ransom payment reports that is known to be personal information of a specific individual or information that identifies a specific individual that is not directly related to a cybersecurity threat.

An entity, including a covered entity, that is required to submit a covered cyber incident report or a ransom payment report may use a third party, such as an incident response company, insurance provider, service provider, information sharing and analysis organization, or law firm, to submit the required report under subsection (a). If an entity impacted by a ransomware attack uses a third party to make a ransom payment, the third party shall not be required to submit a ransom payment report for itself under subsection (a)(2). Third-party reporting under this subparagraph does not relieve a covered entity or an entity that makes a ransom payment from the duty to comply with the requirements for covered cyber incident report or ransom payment report submission. Any third party used by an entity that knowingly makes a ransom payment on behalf of an entity impacted by a ransomware attack shall advise the impacted entity of the responsibilities of the impacted entity regarding a due diligence review under subsection (e) and reporting ransom payments under this section.

Before the date on which a covered entity, or an entity that would be required to submit a ransom payment report under this section if that entity makes a ransom payment, makes a ransom payment relating to a ransomware attack, the covered entity or entity shall conduct a due diligence review of alternatives to making the ransom payment, including an analysis of whether the covered entity or entity can recover from the ransomware attack through other means.

The Director shall conduct an outreach and education campaign to inform likely covered entities, entities that offer or advertise as a service to customers to make or facilitate ransom payments on behalf of entities impacted by ransomware attacks, potential ransomware attack victims, and other appropriate entities of the requirements of paragraphs (1), (2), and (3) of subsection (a). The outreach and education campaign under paragraph (1) shall include the following: An overview of the interim final rule and final rule issued pursuant to subsection (b). An overview of mechanisms to submit to the Office covered cyber incident reports and information relating to the disclosure, retention, and use of incident reports under this section. An overview of the protections afforded to covered entities for complying with the requirements under paragraphs (1), (2), and (3) of subsection (a). An overview of the steps taken under section 2234 when a covered entity is not in compliance with the reporting requirements under subsection (a). Specific outreach to cybersecurity vendors, incident response providers, cybersecurity insurance entities, and other entities that may support covered entities or ransomware attack victims. An overview of the privacy and civil liberties requirements in this subtitle. In conducting the outreach and education campaign required under paragraph (1), the Director may coordinate with— the Critical Infrastructure Partnership Advisory Council established under section 871; information sharing and analysis organizations; trade associations; information sharing and analysis centers; sector coordinating councils; and any other entity as determined appropriate by the Director.

Before issuing the final rule pursuant to subsection (b)(2), the Director shall review the data collected by the Office, and in consultation with other appropriate entities, assess the effectiveness of the rule with respect to— the number of reports received; the utility of the reports received; the number of supplemental reports required to be submitted; and any other factor determined appropriate by the Director. The Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives the results of the evaluation described in paragraph (1) and may thereafter, in accordance with the requirements under subsection (b), publish in the Federal Register a final rule implementing this section.

Notwithstanding chapter 35 of title 44, United States Code (commonly known as the 'Paperwork Reduction Act'), the Director may reorganize and reformat the means by which covered cyber incident reports, ransom payment reports, and any other voluntarily offered information is submitted to the Office.

Entities may voluntarily report incidents or ransom payments to the Director that are not required under paragraph (1), (2), or (3) of section 2232(a), but may enhance the situational awareness of cyber threats. Entities may voluntarily include in reports required under paragraph (1), (2), or (3) of section 2232(a) information that is not required to be included, but may enhance the situational awareness of cyber threats. The protections under section 2235 applicable to covered cyber incident reports shall apply in the same manner and to the same extent to reports and information submitted under subsections (a) and (b).

In the event that an entity that is required to submit a report under section 2232(a) fails to comply with the requirement to report, the Director may obtain information about the incident or ransom payment by engaging the entity directly to request information about the incident or ransom payment, and if the Director is unable to obtain information through such engagement, by issuing a subpoena to the entity, pursuant to subsection (c), to gather information sufficient to determine whether a covered cyber incident or ransom payment has occurred, and, if so, whether additional action is warranted pursuant to subsection (d).

If the Director has reason to believe, whether through public reporting or other information in the possession of the Federal Government, including through analysis performed pursuant to paragraph (1) or (2) of section 2231(b), that an entity has experienced a covered cyber incident or made a ransom payment but failed to report such incident or payment to the Office within 72 hours in accordance with section 2232(a), the Director shall request additional information from the entity to confirm whether or not a covered cyber incident or ransom payment has occurred. Information provided to the Office in response to a request under paragraph (1) shall be treated as if it was submitted through the reporting procedures established in section 2232.

If, after the date that is 72 hours from the date on which the Director made the request for information in subsection (b), the Director has received no response from the entity from which such information was requested, or received an inadequate response, the Director may issue to such entity a subpoena to compel disclosure of information the Director deems necessary to determine whether a covered cyber incident or ransom payment has occurred. If an entity fails to comply with a subpoena, the Director may refer the matter to the Attorney General to bring a civil action in a district court of the United States to enforce such subpoena. An action under this paragraph may be brought in the judicial district in which the entity against which the action is brought resides, is found, or does business. A court may punish a failure to comply with a subpoena issued under this subsection as a contempt of court. The authority of the Director to issue a subpoena under this subsection may not be delegated. If a covered entity with a Federal Government contract, grant, or cooperative agreement fails to comply with a subpoena issued under this subsection— the Director may refer the matter to the Administrator of General Services; and upon receiving a referral from the Director, the Administrator of General Services may impose additional available penalties, including suspension or debarment.
Notwithstanding section 2235(a) and subsection (b)(2) of this section, if the Director determines, based on the information provided in response to the subpoena issued pursuant to subsection (c), that the facts relating to the covered cyber incident or ransom payment at issue may constitute grounds for a regulatory enforcement action or criminal prosecution, the Director may provide that information to the Attorney General or the appropriate regulator, who may use that information for a regulatory enforcement action or criminal prosecution. A covered cyber incident or ransom payment report submitted to the Office by an entity that makes a ransom payment or third party under section 2232 shall not be used by any Federal, State, Tribal, or local government to investigate or take another law enforcement action against the entity that makes a ransom payment or third party. Nothing in this subtitle shall be construed to provide an entity that submits a covered cyber incident report or ransom payment report under section 2232 any immunity from law enforcement action for making a ransom payment otherwise prohibited by law. When determining whether to exercise the authorities provided under this section, the Director shall take into consideration— the size and complexity of the entity; the complexity in determining if a covered cyber incident has occurred; prior interaction with the Agency or awareness of the entity of the policies and procedures of the Agency for reporting covered cyber incidents and ransom payments; and for non-covered entities required to submit a ransom payment report, the ability of the entity to perform a due diligence review pursuant to section 2232(e). This section shall not apply to a State, local, Tribal, or territorial government entity. 
The Director shall submit to Congress an annual report on the number of times the Director— issued an initial request for information pursuant to subsection (b); issued a subpoena pursuant to subsection (c); brought a civil action pursuant to subsection (c)(2); or conducted additional actions pursuant to subsection (d).

Information provided to the Office or Agency pursuant to section 2232 may be disclosed to, retained by, and used by, consistent with otherwise applicable provisions of Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal Government solely for— a cybersecurity purpose; the purpose of identifying— a cyber threat, including the source of the cyber threat; or a security vulnerability; the purpose of responding to, or otherwise preventing or mitigating, a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or a use of a weapon of mass destruction; the purpose of responding to, investigating, prosecuting, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety; or the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a covered cyber incident or any of the offenses listed in section 105(d)(5)(A)(v) of the Cybersecurity Act of 2015 (6 U.S.C. 1504(d)(5)(A)(v)).

Upon receiving a covered cyber incident or ransom payment report submitted pursuant to this section, the Office shall immediately review the report to determine whether the incident that is the subject of the report is connected to an ongoing cyber threat or security vulnerability and, where applicable, use such report to identify, develop, and rapidly disseminate to appropriate stakeholders actionable, anonymized cyber threat indicators and defensive measures.
With respect to information in a covered cyber incident or ransom payment report regarding a security vulnerability referred to in paragraph (1)(B)(ii), the Director shall develop principles that govern the timing and manner in which information relating to security vulnerabilities may be shared, consistent with common industry best practices and United States and international standards.

Information contained in covered cyber incident and ransom payment reports submitted to the Office pursuant to section 2232 shall be retained, used, and disseminated, where permissible and appropriate, by the Federal Government in accordance with processes to be developed for the protection of personal information adopted pursuant to section 105 of the Cybersecurity Act of 2015 (6 U.S.C. 1504) and in a manner that protects from unauthorized use or disclosure any information that may contain— personal information of a specific individual; or information that identifies a specific individual that is not directly related to a cybersecurity threat.

The Office shall ensure that reports submitted to the Office pursuant to section 2232, and any information contained in those reports, are collected, stored, and protected at a minimum in accordance with the requirements for moderate impact Federal information systems, as described in Federal Information Processing Standards Publication 199, or any successor document.

A Federal, State, local, or Tribal government shall not use information about a covered cyber incident or ransom payment obtained solely through reporting directly to the Office in accordance with this subtitle to regulate, including through an enforcement action, the lawful activities of any non-Federal entity.

The submission of a report under section 2232 to the Office shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection and attorney-client privilege.
Information contained in a report submitted to the Office under section 2232 shall be exempt from disclosure under section 552(b)(3)(B) of title 5, United States Code (commonly known as the Freedom of Information Act) and any State, Tribal, or local provision of law requiring disclosure of information or records.

The submission of a report to the Agency under section 2232 shall not be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official.

No cause of action shall lie or be maintained in any court by any person or entity, and any such action shall be promptly dismissed, for the submission of a report pursuant to section 2232(a) that is submitted in conformance with this subtitle and the rules promulgated under section 2232(b), except that this subsection shall not apply with regard to an action by the Federal Government pursuant to section 2234(c)(2).

The liability protections provided in subsection (e) shall only apply to or affect litigation that is solely based on the submission of a covered cyber incident report or ransom payment report to the Office, and nothing in this subtitle shall create a defense to a discovery request, or otherwise limit or affect the discovery of information from a cause of action authorized under any Federal, State, local, or Tribal law.

The Agency shall anonymize the victim who reported the information when making information provided in reports received under section 2232 available to critical infrastructure owners and operators and the general public.

Information contained in a report submitted to the Agency under section 2232 shall be considered the commercial, financial, and proprietary information of the covered entity when so designated by the covered entity.

The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended by inserting after the items relating to subtitle B of title XXII the following:

Subtitle C—Cyber Incident Reporting
Sec. 2230. Definitions.
Sec. 2231. Cyber Incident Review Office.
Sec. 2232. Required reporting of certain cyber incidents.
Sec. 2233. Voluntary reporting of other cyber incidents.
Sec. 2234. Noncompliance with required reporting.
Sec. 2235. Information shared with or provided to the Federal Government.