Sec. 2. Reauthorization of Cybersecurity Act of 2015
/bill/119/hr/5079/ih/section-2
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
The Cybersecurity Act of 2015 (6 U.S.C. 1501 et seq.; enacted as division N of the Consolidated Appropriations Act, 2016; Public Law 114–113) is amended—
in section 102 (6 U.S.C. 1501; relating to definitions)— by redesignating paragraphs (4), (5), (6), (7), (8), (9), (10), (11), (12), (13), (14), (15), (16), (17), and (18) as paragraphs (6), (7), (8), (9), (10), (11), (12), (13), (14), (15), (16), (17), (19), (20), and (21), respectively; by inserting after paragraph (3) the following new paragraphs: "The term 'artificial intelligence' has the meaning given such term in section 5002 of the National Artificial Intelligence Initiative Act of 2020 (15 U.S.C. 9401). The term 'critical infrastructure' has the meaning given such term in section 1016(e) of Public Law 107–56 (42 U.S.C. 5195c(e))."; and by inserting after paragraph (17), as so redesignated, the following new paragraph: "The term 'Sector Risk Management Agency' has the meaning given such term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).";
in section 103 (6 U.S.C. 1502; relating to sharing of information by the Federal Government)— in subsection (a), in the matter preceding paragraph (1), by striking "develop and issue" and inserting "develop, issue, and, as appropriate, update"; in subsection (b)— in paragraph (1)— in the matter preceding subparagraph (A), by inserting "and, as appropriate, updated," after "developed"; by amending subparagraph (A) to read as follows: "ensure the Federal Government maintains the capability to provide technical assistance, on a voluntary basis, to non-Federal entities in utilizing cyber threat indicators and defensive measures for cybersecurity purposes;"; in subparagraph (E)(ii), by striking "and" after the semicolon; in subparagraph (F), by striking the period and inserting "; and"; and by adding at the end the following new subparagraph: "pursuant to section 2212 of the Homeland Security Act of 2002 (6 U.S.C. 662), provide one-time read-ins, as appropriate, to select individuals identified by non-Federal entities that own or operate critical infrastructure;"; and in paragraph (2)— by inserting "and, as appropriate, updating," after "developing"; and by inserting "and defensive measures" after "promote the sharing of cyber threat indicators"; and in subsection (c)— by inserting "and not later than 60 days after any update, as appropriate, of procedures required by subsection (a)," after "Act,"; and by inserting "(or update, as appropriate)" after "procedures";
in section 104 (6 U.S.C. 1503; relating to authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats)— in subsection (c)— in paragraph (1), by inserting ", including Sector Risk Management Agencies that are agencies and the majority of the systems of which are not covered under subsection (d) or (e) of section 3553 of title 44, United States Code," after "Federal Government"; in paragraph (3)— in the matter preceding subparagraph (A), by striking "shall be" and inserting "may be"; in subparagraph (A), by striking "or" after the semicolon; in subparagraph (B), by striking the period and inserting "; or"; and by adding at the end the following new subparagraph: "to preclude the use of artificial intelligence that is developed or strictly deployed for cybersecurity purposes in carrying out the activities authorized under paragraph (1)."; and in subparagraph (B) of subsection (d)(2), by inserting ", which may utilize artificial intelligence that is developed or strictly deployed for cybersecurity purposes," after "technical capability";
in section 105 (6 U.S.C. 1504); relating to sharing of cyber threat indicators and defensive measures with the Federal Government— in subsection (a)— in paragraph (2), by adding at the end the following new sentences: "As appropriate, the Attorney General and the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, jointly update such policies and procedures, and issue and make publicly available such updated policies and procedures. Such updates shall prioritize rapid dissemination to State, local, Tribal, and territorial governments and owners and operators of non-Federal critical infrastructure of relevant and actionable cyber threat indicators and defensive measures."; in paragraph (3), in the matter preceding subparagraph (A), by striking "developed or issued" and inserting "developed, issued, or, as appropriate, updated,"; and in paragraph (4)— in subparagraph (A), by adding at the end the following new sentence: "As appropriate, the Attorney General and the Secretary of Homeland Security shall jointly update and make publicly available such guidance to so assist entities and promote such sharing of cyber threat indicators and defensive measures with such Federal entities under this title."; and in subparagraph (B), in the matter preceding clause (i), by inserting "and, as appropriate, updated," after "developed"; in subsection (b)— in paragraph (2)(B), by inserting ", and, as appropriate, update," after "review"; and in paragraph (3), in the matter preceding subparagraph (A), by inserting "and, as appropriate, updated," after "required"; in subsection (c)— in paragraph (1)(D), by inserting ", including if such capability and process employs artificial intelligence" before the semicolon; in paragraph (2), by adding at the end the following new subparagraph: "Not later than 90 days after the date of the enactment of this subparagraph, the Secretary of Homeland Security shall develop and continuously implement an outreach plan, including targeted engagement, to ensure Federal and non-Federal entities, particularly small or rural owners or operators of critical infrastructure which often lack dedicated cybersecurity staff but remain vital to national security— are aware of the capability and process required by paragraph (1) to share cyber threat indicators and defensive measures, including the benefits real-time information sharing provides; understand how to share cyber threat indicators and defensive measures; understand the obligation to remove certain personal information in accordance with section 104(d)(7) prior to sharing a cyber threat indicator; understand how cyber threat indicators and defensive measures are received, processed, used, and protected; understand the protections they are afforded in sharing any cyber threat indicators and defensive measures; and can provide feedback to the Secretary when policies, procedures, and guidelines that are unclear or unintentionally prohibitive to sharing cyber threat indicators and defensive measures."; and by adding at the end the following new subparagraph: "The Secretary of Homeland Security shall annually provide to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a briefing on the implementation of outreach pursuant to subparagraph (B)."; and in subsection (d)— in paragraph (1), by inserting "copyright or" before "trade secret protection"; and in paragraph (5)(A), in clause (iv), by striking "or" after the semicolon; in clause (v)(III), by striking the period and inserting "; or"; and by adding at the end the following new clause: "the purpose of rapidly providing other Federal entities, including Sector Risk Management Agencies, awareness of a cybersecurity threat that may impact the information systems of such Agencies.";
in section 108 (6 U.S.C. 1507; relating to construction and preemption)— in subsection (c)— in the matter preceding paragraph (1), by striking "shall be" and inserting "may be"; in paragraph (2), by striking "or" after the semicolon; in paragraph (3), by striking the period and inserting "; or"; and by adding at the end the following new paragraph: "to preclude the use of artificial intelligence that is developed or strictly deployed for cybersecurity purposes in carrying out activities authorized by this title."; and in subsection (f)— in paragraph (3)— by inserting "to share cyber threat indicators or defensive measures" after "relationship"; and by striking "or" after the semicolon; in paragraph (4), by striking the period and inserting "; or"; and by adding at the end the following new paragraph: "to limit or modify, notwithstanding any other provision of law, the authorization to share pursuant to section 104(c)(1) with Sector Risk Management Agencies described in such section.";
in section 109 (6 U.S.C. 1508; relating to report on cybersecurity threats)— in subsection (a)— by inserting "and not later than September 30 of every two years thereafter," after "Act,"; by inserting "the Secretary of Homeland Security and" after "in coordination with"; by inserting "and the Committee on Homeland Security and Governmental Affairs" before "of the Senate"; by inserting "and the Committee on Homeland Security" before "of the House"; and by inserting "prepositioning activities, ransomware," after "attacks,"; and in subsection (b)— in paragraph (1), by inserting "prepositioning activities, ransomware," after "attacks,"; in paragraph (2), by inserting "prepositioning activity, ransomware," after "attack,"; in paragraph (3), by inserting "prepositioning activities, ransomware," after "attacks," each place it appears; and in paragraph (4), by inserting "prepositioning activities, ransomware," after "attacks,"; and
in section 111(a) (6 U.S.C. 1510(a), relating to effective period), by striking "2025" and inserting "2035".
Section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650; relating to definitions) is amended— in paragraph (5)— in subparagraph (B), by inserting "or compromising" after "defeating"; in subparagraph (C), by inserting "including a security vulnerability affecting an information system or a technology included in the critical and emerging technologies list of the Office of Science and Technology Policy or successor list, such as artificial intelligence (as such term is defined in section 5002 of the National Artificial Intelligence Initiative Act of 2020 (15 U.S.C. 9401)), which may be in a Federal entity’s or non-Federal entity’s software or hardware supply chain," after "security vulnerability,"; in subparagraph (D), by inserting "or compromise" after "defeat"; and in subparagraph (F), by inserting "or compromised" after "exfiltrated"; in paragraph (14), by amending subparagraph (B) to read as follows: "includes, in accordance with section 104(d)(2) of the Cybersecurity Sharing Act of 2015 (6 U.S.C. 1503(d)(2))— operational technology, including industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers; edge devices; and internet of things devices, including digital and physical infrastructure impacted by ransomware."; and in paragraph (25), by inserting "or compromise" after "defeat".