Sec. 203. INFORMATION SHARING STRUCTURE AND PROCESSES
1,802 words·~8 min read·
/statute-compilations/comps-13909/sec-203A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
## SEC. 203 INFORMATION SHARING STRUCTURE AND PROCESSES **[**[6 U.S.C. 148](/us/usc/t6/s148)**]** Section 227 of the Homeland Security Act of 2002, as so redesignated by section 223(a)(3) of this division, is amended— ####
(1)in subsection (a)— #####
(A)by redesignating paragraphs
(3)and
(4)as paragraphs
(4)and (5), respectively; #####
(B)by striking paragraphs
(1)and
(2)and inserting the following: > > #### “(1) > > the term ‘cybersecurity risk’— > > > ##### “(A) > > means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and > > > ##### “(B) > > does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement; > > > #### “(2) > > the terms ‘cyber threat indicator’ and ‘defensive measure’ have the meanings given those terms in section 102 of the Cybersecurity Act of 2015; > > > #### “(3) > > the term ‘incident’ means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system;” > ; #####
(C)in paragraph (4), as so redesignated, by striking “and” at the end; #####
(D)in paragraph (5), as so redesignated, by striking the period at the end and inserting “; and”; and #####
(E)by adding at the end the following: > > #### “(6) > > the term ‘sharing’ (including all conjugations thereof) means providing, receiving, and disseminating (including all conjugations of each of such terms).” > ; ####
(2)in subsection (c)— #####
(A)in paragraph (1)— ######
(i)by inserting “, including the implementation of title I of the Cybersecurity Act of 2015” before the semicolon at the end; and ######
(ii)by inserting “cyber threat indicators, defensive measures,” before “cybersecurity risks”; #####
(B)in paragraph (3), by striking “cybersecurity risks” and inserting “cyber threat indicators, defensive measures, cybersecurity risks,”; #####
(C)in paragraph (5)(A), by striking “cybersecurity risks” and inserting “cyber threat indicators, defensive measures, cybersecurity risks,”; #####
(D)in paragraph (6)— ######
(i)by striking “cybersecurity risks” and inserting “cyber threat indicators, defensive measures, cybersecurity risks,”; and ######
(ii)by striking “and” at the end; #####
(E)in paragraph (7)— ######
(i)in subparagraph (A), by striking “and” at the end; ######
(ii)in subparagraph (B), by striking the period at the end and inserting “; and”; and ######
(iii)by adding at the end the following: > > ##### “(C) > > sharing cyber threat indicators and defensive measures;” > ; and #####
(F)by adding at the end the following: > > #### “(8) > > engaging with international partners, in consultation with other appropriate agencies, to— > > > ##### “(A) > > collaborate on cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents; and > > > ##### “(B) > > enhance the security and resilience of global cybersecurity; > > > #### “(9) > > sharing cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities, including across sectors of critical infrastructure and with State and major urban area fusion centers, as appropriate; > > > #### “(10) > > participating, as appropriate, in national exercises run by the Department; and > > > #### “(11) > > in coordination with the Office of Emergency Communications of the Department, assessing and evaluating consequence, vulnerability, and threat information regarding cyber incidents to public safety communications to help facilitate continuous improvements to the security and resiliency of such communications.” > ; ####
(3)in subsection (d)(1)— #####
(A)in subparagraph (B)— ######
(i)in clause (i), by striking “and local” and inserting “, local, and tribal”; ######
(ii)in clause (ii), by striking “; and” and inserting “, including information sharing and analysis centers;”; ######
(iii)in clause (iii), by adding “and” at the end; and ######
(iv)by adding at the end the following: > > ###### “(iv) > > private entities;” > . #####
(B)in subparagraph (D), by striking “and” at the end; #####
(C)by redesignating subparagraph
(E)as subparagraph (F); and #####
(D)by inserting after subparagraph
(D)the following: > > ##### “(E) > > an entity that collaborates with State and local governments on cybersecurity risks and incidents, and has entered into a voluntary information sharing relationship with the Center; and” > ; ####
(4)in subsection (e)— #####
(A)in paragraph (1)— ######
(i)in subparagraph (A), by inserting “cyber threat indicators, defensive measures, and” before “information”; ######
(ii)in subparagraph (B), by inserting “cyber threat indicators, defensive measures, and” before “information related”; ######
(iii)in subparagraph (F)— ######
(I)by striking “cybersecurity risks” and inserting “cyber threat indicators, defensive measures, cybersecurity risks,”; and ######
(II)by striking “and” at the end; ######
(iv)in subparagraph (G), by striking “cybersecurity risks and incidents” and inserting “cyber threat indicators, defensive measures, cybersecurity risks, and incidents; and”; and ######
(v)by adding at the end the following: > > ##### “(H) > > the Center designates an agency contact for non-Federal entities;” > ; #####
(B)in paragraph (2)— ######
(i)by striking “cybersecurity risks” and inserting “cyber threat indicators, defensive measures, cybersecurity risks,”; and ######
(ii)by inserting “or disclosure” after “access”; and #####
(C)in paragraph (3), by inserting before the period at the end the following: “, including by working with the Privacy Officer appointed under section 222 to ensure that the Center follows the policies and procedures specified in subsections
(b)and (d)(5)(C) of section 105 of the Cybersecurity Act of 2015”; and ####
(5)by adding at the end the following: > > ### “(g) Automated Information Sharing > > > #### “(1) In general > > The Under Secretary appointed under section 103(a)(1)(H), in coordination with industry and other stakeholders, shall develop capabilities making use of existing information technology industry standards and best practices, as appropriate, that support and rapidly advance the development, adoption, and implementation of automated mechanisms for the sharing of cyber threat indicators and defensive measures in accordance with title I of the Cybersecurity Act of 2015. > > > #### “(2) Annual Report > > The Under Secretary appointed under section 103(a)(1)(H) shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives an annual report on the status and progress of the development of the capabilities described in paragraph (1). Such reports shall be required until such capabilities are fully implemented. > > > ### “(h) Voluntary Information Sharing Procedures > > > #### “(1) Procedures > > > ##### “(A) In general > > The Center may enter into a voluntary information sharing relationship with any consenting non-Federal entity for the sharing of cyber threat indicators and defensive measures for cybersecurity purposes in accordance with this section. Nothing in this subsection may be construed to require any non-Federal entity to enter into any such information sharing relationship with the Center or any other entity. The Center may terminate a voluntary information sharing relationship under this subsection, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), for any reason, including if the Center determines that the non-Federal entity with which the Center has entered into such a relationship has violated the terms of this subsection. > > > ##### “(B) National security > > The Secretary may decline to enter into a voluntary information sharing relationship under this subsection, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), for any reason, including if the Secretary determines that such is appropriate for national security. > > > #### “(2) Voluntary information sharing relationships > > A voluntary information sharing relationship under this subsection may be characterized as an agreement described in this paragraph. > > > ##### “(A) Standard agreement > > For the use of a non-Federal entity, the Center shall make available a standard agreement, consistent with this section, on the Department’s website. > > > ##### “(B) Negotiated agreement > > At the request of a non-Federal entity, and if determined appropriate by the Center, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), the Department shall negotiate a non-standard agreement, consistent with this section. > > > ##### “(C) Existing agreements > > An agreement between the Center and a non-Federal entity that is entered into before the date of enactment of this subsection, or such an agreement that is in effect before such date, shall be deemed in compliance with the requirements of this subsection, notwithstanding any other provision or requirement of this subsection. An agreement under this subsection shall include the relevant privacy protections as in effect under the Cooperative Research and Development Agreement for Cybersecurity Information Sharing and Collaboration, as of December 31, 2014. Nothing in this subsection may be construed to require a non-Federal entity to enter into either a standard or negotiated agreement to be in compliance with this subsection. > > > ### “(i) Direct Reporting > > The Secretary shall develop policies and procedures for direct reporting to the Secretary by the Director of the Center regarding significant cybersecurity risks and incidents. > > > ### “(j) Reports on International Cooperation > > Not later than 180 days after the date of enactment of this subsection, and periodically thereafter, the Secretary of Homeland Security shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the range of efforts underway to bolster cybersecurity collaboration with relevant international partners in accordance with subsection (c)(8). > > > ### “(k) Outreach > > Not later than 60 days after the date of enactment of this subsection, the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), shall— > > > #### “(1) > > disseminate to the public information about how to voluntarily share cyber threat indicators and defensive measures with the Center; and > > > #### “(2) > > enhance outreach to critical infrastructure owners and operators for purposes of such sharing. > > > ### “(l) Coordinated Vulnerability Disclosure > > The Secretary, in coordination with industry and other stakeholders, may develop and adhere to Department policies and procedures for coordinating vulnerability disclosures.” > .
Connections1 off-index
1 reference not yet in our index
- 6 USC 148
Citation graph
cites case law
Sec. 203
INFORMATION SHARING STRUCTURE AND PROCESSES
Cite6 USC 148
Cites 1Cited by 0 across 0 sources