§ 652. Cybersecurity and Infrastructure Security Agency
6,791 words·~31 min read·
/usc/title-6/section-652A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
(a)Redesignation
(1)In general The National Protection and Programs Directorate of the Department shall, on and after November 16, 2018, be known as the “Cybersecurity and Infrastructure Security Agency”.
(2)References Any reference to the National Protection and Programs Directorate of the Department in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Cybersecurity and Infrastructure Security Agency of the Department.
(b)Director
(1)In general The Agency shall be headed by the Director, who shall report to the Secretary.
(2)Qualifications
(A)In general The Director shall be appointed from among individuals who have—
(i)extensive knowledge in at least two of the areas specified in subparagraph (B); and
(ii)not fewer than five years of demonstrated experience in efforts to foster coordination and collaboration between the Federal Government, the private sector, and other entities on issues related to cybersecurity, infrastructure security, or security risk management.
(B)Specified areas The areas specified in this subparagraph are the following:
(i)Cybersecurity.
(ii)Infrastructure security.
(iii)Security risk management.
(3)Reference Any reference to an Under Secretary responsible for overseeing critical infrastructure protection, cybersecurity, and any other related program of the Department as described in section 113(a)(1)(H) of this title as in effect on the day before November 16, 2018, in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Director of the Cybersecurity and Infrastructure Security Agency.
(c)Responsibilities The Director shall—
(1)lead cybersecurity and critical infrastructure security programs, operations, and associated policy for the Agency, including national cybersecurity asset response activities;
(2)coordinate with Federal entities, including Sector-Specific Agencies, and non-Federal entities, including international entities, to carry out the cybersecurity and critical infrastructure activities of the Agency, as appropriate;
(3)carry out the responsibilities of the Secretary to secure Federal information and information systems consistent with law, including subchapter II of chapter 35 of title 44 and the Cybersecurity Act of 2015 (contained in division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113)), including by carrying out a periodic strategic assessment of the related programs and activities of the Agency to ensure such programs and activities contemplate the innovation of information systems and changes in cybersecurity risks and cybersecurity threats;
(4)coordinate a national effort to secure and protect against critical infrastructure risks, consistent with subsection (e)(1)(E);
(5)upon request, provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and, where appropriate, provide those analyses, expertise, and other technical assistance in coordination with Sector-Specific Agencies and other Federal departments and agencies;
(6)develop and utilize mechanisms for active and frequent collaboration between the Agency and Sector-Specific Agencies to ensure appropriate coordination, situational awareness, and communications with Sector-Specific Agencies;
(7)maintain and utilize mechanisms for the regular and ongoing consultation and collaboration among the Divisions of the Agency to further operational coordination, integrated situational awareness, and improved integration across the Agency in accordance with this chapter;
(8)develop, coordinate, and implement—
(A)comprehensive strategic plans for the activities of the Agency; and
(B)risk assessments by and for the Agency;
(9)carry out emergency communications responsibilities, in accordance with subchapter XIII;
(10)carry out cybersecurity, infrastructure security, and emergency communications stakeholder outreach and engagement and coordinate that outreach and engagement with critical infrastructure Sector-Specific Agencies, as appropriate;
(11)provide education, training, and capacity development to Federal and non-Federal entities to enhance the security and resiliency of domestic and global cybersecurity and infrastructure security;
(12)appoint a Cybersecurity State Coordinator in each State, as described in section 665c of this title;
(13)carry out the duties and authorities relating to the .gov internet domain, as described in section 665 of this title; and
(14)carry out such other duties and powers prescribed by law or delegated by the Secretary.
(d)Deputy Director There shall be in the Agency a Deputy Director of the Cybersecurity and Infrastructure Security Agency who shall—
(1)assist the Director in the management of the Agency; and
(2)report to the Director.
(e)Cybersecurity and infrastructure security authorities of the Secretary
(1)In general The responsibilities of the Secretary relating to cybersecurity and infrastructure security shall include the following:
(A)To access, receive, and analyze law enforcement information, intelligence information, and other information from Federal Government agencies, State, local, tribal, and territorial government agencies, including law enforcement agencies, and private sector entities, and to integrate that information, in support of the mission responsibilities of the Department, in order to—
(i)identify and assess the nature and scope of terrorist threats to the homeland;
(ii)detect and identify threats of terrorism against the United States; and
(iii)understand those threats in light of actual and potential vulnerabilities of the homeland.
(B)To carry out comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the United States, including the performance of risk assessments to determine the risks posed by particular types of terrorist attacks within the United States, including an assessment of the probability of success of those attacks and the feasibility and potential efficacy of various countermeasures to those attacks. At the discretion of the Secretary, such assessments may be carried out in coordination with Sector-Specific Agencies.
(C)To integrate relevant information, analysis, and vulnerability assessments, regardless of whether the information, analysis, or assessments are provided or produced by the Department, in order to make recommendations, including prioritization, for protective and support measures by the Department, other Federal Government agencies, State, local, tribal, and territorial government agencies and authorities, the private sector, and other entities regarding terrorist and other threats to homeland security.
(D)To ensure, pursuant to section 122 of this title, the timely and efficient access by the Department to all information necessary to discharge the responsibilities under this subchapter, including obtaining that information from other Federal Government agencies.
(E)To develop, in coordination with the Sector-Specific Agencies with available expertise, a comprehensive national plan for securing the key resources and critical infrastructure of the United States, including power production, generation, and distribution systems, information technology and telecommunications systems (including satellites), electronic financial and property record storage and transmission systems, emergency communications systems, and the physical and technological assets that support those systems.
(F)To recommend measures necessary to protect the key resources and critical infrastructure of the United States in coordination with other Federal Government agencies, including Sector-Specific Agencies, and in cooperation with State, local, tribal, and territorial government agencies and authorities, the private sector, and other entities.
(G)To review, analyze, and make recommendations for improvements to the policies and procedures governing the sharing of information relating to homeland security within the Federal Government and between Federal Government agencies and State, local, tribal, and territorial government agencies and authorities.
(H)To disseminate, as appropriate, information analyzed by the Department within the Department to other Federal Government agencies with responsibilities relating to homeland security and to State, local, tribal, and territorial government agencies and private sector entities with those responsibilities in order to assist in the deterrence, prevention, or preemption of, or response to, terrorist attacks against the United States.
(I)To consult with State, local, tribal, and territorial government agencies and private sector entities to ensure appropriate exchanges of information, including law enforcement-related information, relating to threats of terrorism against the United States.
(J)To ensure that any material received pursuant to this chapter is protected from unauthorized disclosure and handled and used only for the performance of official duties.
(K)To request additional information from other Federal Government agencies, State, local, tribal, and territorial government agencies, and the private sector relating to threats of terrorism in the United States, or relating to other areas of responsibility assigned by the Secretary, including the entry into cooperative agreements through the Secretary to obtain such information.
(L)To establish and utilize, in conjunction with the Chief Information Officer of the Department, a secure communications and information technology infrastructure, including data-mining and other advanced analytical tools, in order to access, receive, and analyze data and information in furtherance of the responsibilities under this section, and to disseminate information acquired and analyzed by the Department, as appropriate.
(M)To coordinate training and other support to the elements and personnel of the Department, other Federal Government agencies, and State, local, tribal, and territorial government agencies that provide information to the Department, or are consumers of information provided by the Department, in order to facilitate the identification and sharing of information revealed in their ordinary duties and the optimal utilization of information received from the Department.
(N)To coordinate with Federal, State, local, tribal, and territorial law enforcement agencies, and the private sector, as appropriate.
(O)To exercise the authorities and oversight of the functions, personnel, assets, and liabilities of those components transferred to the Department pursuant to section 121(g) of this title.
(P)To carry out the functions of the national cybersecurity and communications integration center under section 659 of this title.
(Q)To carry out the requirements of the Chemical Facility Anti-Terrorism Standards Program established under subchapter XVI and the secure handling of ammonium nitrate program established under part J of subchapter VIII, or any successor programs.
(R)To encourage and build cybersecurity awareness and competency across the United States and to develop, attract, and retain the cybersecurity workforce necessary for the cybersecurity related missions of the Department, including by—
(i)overseeing elementary and secondary cybersecurity education and awareness related programs at the Agency;
(ii)leading efforts to develop, attract, and retain the cybersecurity workforce necessary for the cybersecurity related missions of the Department;
(iii)encouraging and building cybersecurity awareness and competency across the United States; and
(iv)carrying out cybersecurity related workforce development activities, including through—
(I)increasing the pipeline of future cybersecurity professionals through programs focused on elementary and secondary education, postsecondary education, and workforce development; and
(II)building awareness of and competency in cybersecurity across the civilian Federal Government workforce.
(2)Reallocation The Secretary may reallocate within the Agency the functions specified in sections 653(b) and 654(b) of this title, consistent with the responsibilities provided in paragraph (1), upon certifying to and briefing the appropriate congressional committees, and making available to the public, at least 60 days prior to the reallocation that the reallocation is necessary for carrying out the activities of the Agency.
(3)Staff
(A)In general The Secretary shall provide the Agency with a staff of analysts having appropriate expertise and experience to assist the Agency in discharging the responsibilities of the Agency under this section.
(B)Private sector analysts Analysts under this subsection may include analysts from the private sector.
(C)Security clearances Analysts under this subsection shall possess security clearances appropriate for their work under this section.
(4)Detail of personnel
(A)In general In order to assist the Agency in discharging the responsibilities of the Agency under this section, personnel of the Federal agencies described in subparagraph
(B)may be detailed to the Agency for the performance of analytic functions and related duties.
(B)Agencies The Federal agencies described in this subparagraph are—
(i)the Department of State;
(ii)the Central Intelligence Agency;
(iii)the Federal Bureau of Investigation;
(iv)the National Security Agency;
(v)the National Geospatial-Intelligence Agency;
(vi)the Defense Intelligence Agency;
(vii)Sector-Specific Agencies; and
(viii)any other agency of the Federal Government that the President considers appropriate.
(C)Interagency agreements The Secretary and the head of a Federal agency described in subparagraph
(B)may enter into agreements for the purpose of detailing personnel under this paragraph.
(D)Basis The detail of personnel under this paragraph may be on a reimbursable or non-reimbursable basis.
(f)Composition The Agency shall be composed of the following divisions:
(1)The Cybersecurity Division, headed by an Executive Assistant Director.
(2)The Infrastructure Security Division, headed by an Executive Assistant Director.
(3)The Emergency Communications Division under subchapter XIII, headed by an Executive Assistant Director.
(g)Co-location
(1)In general To the maximum extent practicable, the Director shall examine the establishment of central locations in geographical regions with a significant Agency presence.
(2)Coordination When establishing the central locations described in paragraph (1), the Director shall coordinate with component heads and the Under Secretary for Management to co-locate or partner on any new real property leases, renewing any occupancy agreements for existing leases, or agreeing to extend or newly occupy any Federal space or new construction.
(h)Privacy
(1)In general There shall be a Privacy Officer of the Agency with primary responsibility for privacy policy and compliance for the Agency.
(2)Responsibilities The responsibilities of the Privacy Officer of the Agency shall include—
(A)assuring that the use of technologies by the Agency sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information;
(B)assuring that personal information contained in systems of records of the Agency is handled in full compliance as specified in section 552a of title 5 (commonly known as the “Privacy Act of 1974”);
(C)evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Agency; and
(D)conducting a privacy impact assessment of proposed rules of the Agency on the privacy of personal information, including the type of personal information collected and the number of people affected.
(i)Savings Nothing in this subchapter may be construed as affecting in any manner the authority, existing on the day before November 16, 2018, of any other component of the Department or any other Federal department or agency, including the authority provided to the Sector Risk Management Agency specified in section 61003(c) of division F of the Fixing America’s Surface Transportation Act (6 U.S.C. 121 note; Public Law 114–94).
(Pub. L. 107–296, title XXII, § 2202, as added Pub. L. 115–278, § 2(a), Nov. 16, 2018, 132 Stat. 4169; amended Pub. L. 116–260, div. U, title IX, § 904(b)(1)(A), Dec. 27, 2020, 134 Stat. 2298; Pub. L. 116–283, div. A, title XVII, §§ 1717(a)(1)(A), 1719(a), (b), div. H, title XC, §§ 9001(a), 9002(c)(2)(D), Jan. 1, 2021, 134 Stat. 4099, 4105, 4766, 4773; Pub. L. 117–81, div. A, title XV, §§ 1547(b)(1)(A)(i), (B), 1549(a), Dec. 27, 2021, 135 Stat. 2060, 2061, 2063; Pub. L. 117–263, div. G, title LXXI, § 7143(a)(1), (b)(2)(C), (c)(5), Dec. 23, 2022, 136 Stat. 3654, 3659, 3663.)
Connections236 cite this · traces to 34
Cited by 236 sections · top 60
public-private-law
- Public Law 116-260Consolidated Appropriations Act, 2021
- Public Law 116-283William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021
- Public Law 117-263James M. Inhofe National Defense Authorization Act for Fiscal Year 2023
- Public Law 117-81National Defense Authorization Act for Fiscal Year 2022
- Public Law 117-103Consolidated Appropriations Act, 2022
- Public Law 115-278Cybersecurity and Infrastructure Security Agency Act of 2018
- Public Law 117-47K–12 Cybersecurity Act of 2021
- Public Law 117-122National Cybersecurity Preparedness Consortium Act of 2021
U.S. Code
- § 113Other officers
- § 652Cybersecurity and Infrastructure Security Agency
- § 571Emergency Communications Division
- § 665cCybersecurity State Coordinator
- § 665Duties and authorities relating to .gov internet domain
- § 652aSector Risk Management Agencies
- § 658Cybersecurity recruitment and retention
- § 665iCyberSentry program
- § 653Cybersecurity Division
- § 654Infrastructure Security Division
- § 655Enhancement of Federal and non-Federal cybersecurity
register
- NoticesNotice of availability; renewal of the Critical Infrastructure Partnership Advisory Council Charter
- Rules and Regulations30-Day notice and request for comments; revision of information collection
- NoticesNotice of availability; renewal of Critical Infrastructure Partnership Advisory Council Charter
- Notices30-Day Notice and request for comments; New collection (Request for a new OMB Control Number, 1670-NEW
- Notices60-Day notice and request for comments; new collection (request for a new OMB Control Number, 1670-NEW
- Notices30-Day notice and request for comments; renewal of Information Collection Request (ICR): 1670-0015
- NoticesNotice of availability; request for comments
- Notices60-Day notice and request for comments on a new collection
- NoticesAnnouncement of public event
- NoticesNotice of availability; request for comment
- Notices60-Day Notice and request for comments; New collection (Request for a new OMB Control Number, 1670-NEW
- Rules and Regulations60-Day notice and request for comments; revision
- NoticesNotice of availability; extension of comment period
- Notices30-Day notice and request for comments; request for a new OMB control number, 1670-NEW
- Rules and RegulationsNotice of availability; renewal of the Critical Infrastructure Partnership Advisory Council Charter
- Notices60-Day notice and request for comments
- Notices60-Day notice and request for comments; renewal of Information Collection Request (ICR): 1670-0015
- Notices30-Day notice and request for comments; NEW information collection, 1670-NEW
- Rules and RegulationsAnnouncement of meeting
- Rules and Regulations60-Day notice and request for comments; Revision of Information Collection
- NoticesAnnouncement of public event
- NoticesNotice; request for information
- Notices60-Day notice and request for comments; ICR request, 1670-NEW for comment
statutes-at-large
- Public Law 115–278To amend the Homeland Security Act of 2002 to authorize the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, and for other purposes
- Public Law 117–263To authorize appropriations for fiscal year 2023 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes
- Public Law 117–103Making consolidated appropriations for the fiscal year ending September 30, 2022, and for providing emergency assistance for the situation in Ukraine, and for other purposes
- Public Law 117–47To establish a K–12 education cybersecurity initiative, and for other purposes
- Public Law 116–260Making consolidated appropriations for the fiscal year ending September 30, 2021, providing coronavirus emergency response and relief, and for other purposes
- Public Law 117–122To authorize the Secretary of Homeland Security to work with cybersecurity consortia for training, and for other purposes
- Public Law 110–53To provide for the implementation of the recommendations of the National Commission on Terrorist Attacks Upon the United States
statute-compilations
- Sec. 2NATIONAL CYBERSECURITY PREPAREDNESS CONSORTIUM
- Sec. 9001DEPARTMENT OF HOMELAND SECURITY CISA DIRECTOR
- Sec. 1550PILOT PROGRAM ON PUBLIC-PRIVATE PARTNERSHIPS WITH INTERNET ECOSYSTEM COMPANIES TO DETECT AND DISRUPT ADVERSARY CYBER OPERATIONS
- Sec. 1SHORT TITLE
- Sec. 9002SECTOR RISK MANAGEMENT AGENCIES
- Sec. 1717CYBERSECURITY STATE COORDINATOR
- Sec. 1549STRATEGIC ASSESSMENT RELATING TO INNOVATION OF INFORMATION SYSTEMS AND CYBERSECURITY THREATS
- Sec. 2202CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
- Sec. 1719CYBERSECURITY EDUCATION AND TRAINING ASSISTANCE PROGRAM
- Sec. 1547NATIONAL CYBER EXERCISE PROGRAM
- Sec. 1SHORT TITLE
Traces to 34 documents
U.S. Code
- Other officers§ 113
- Cybersecurity State Coordinator§ 665c
- Duties and authorities relating to .gov internet domain§ 665
- Access to information§ 122
- Information and Analysis§ 121
- National cybersecurity and communications integration center§ 659
- Records maintained on individuals§ 552a
- Definitions§ 1501
- Definitions§ 101
- Definitions§ 3502
- Definitions§ 650
- Cybersecurity and Infrastructure Security Agency§ 652
- Cybersecurity plans§ 660
- Definitions; eligibility§ 1058
- Definitions; eligibility§ 1101a
- Definitions§ 1061
- Investment in historically Black colleges and universities and other minority-serving institutions§ 1067q
- American Indian tribally controlled colleges and universities§ 1059c
- Definitions§ 5304
- Definitions§ 681
- Ransomware threat mitigation activities§ 665j
- Disclosure of confidential information generally§ 1905
- Definitions§ 7801
- Definitions§ 1001
public-private-law
- Consolidated Appropriations Act, 2016Public Law 114-113
- Fixing America’s Surface Transportation ActPublic Law 114-94
- Cybersecurity and Infrastructure Security Agency Act of 2018Public Law 115-278
- Consolidated Appropriations Act, 2021Public Law 116-260
- William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021Public Law 116-283
- National Defense Authorization Act for Fiscal Year 2022Public Law 117-81
- James M. Inhofe National Defense Authorization Act for Fiscal Year 2023Public Law 117-263
- National Cybersecurity Preparedness Consortium Act of 2021Public Law 117-122
- Consolidated Appropriations Act, 2022Public Law 117-103
- K–12 Cybersecurity Act of 2021Public Law 117-47
14 references not yet in our index
- Pub. L. 107–296, title XXII, § 2202
- 132 Stat. 4169
- 134 Stat. 2298
- 134 Stat. 4099
- 135 Stat. 2060
- 136 Stat. 3654
- 129 Stat. 2935
- Pub. L. 107–296
- 116 Stat. 2135
- 136 Stat. 1193
- 136 Stat. 1055
- 135 Stat. 2064
- 135 Stat. 397
- 132 Stat. 4175
Citation graph
cites case law
§ 652
Cybersecurity and Infrastructure Security Agency
Bills×114
Fed. Reg.×47
Stat.×22
Pub. L.×21
Stat. Comp.×20
U.S.C.×12
Pub. L.Pub. L. 107–296, title XXII, § 2202
Stat.132 Stat. 4169
Stat.134 Stat. 2298
Cites 48 · showing 12Cited by 236 across 6 sources