Collapse to view only § 658. Cybersecurity recruitment and retention
- § 651. Definition
- § 652. Cybersecurity and Infrastructure Security Agency
- § 652a. Sector Risk Management Agencies
- § 653. Cybersecurity Division
- § 654. Infrastructure Security Division
- § 655. Enhancement of Federal and non-Federal cybersecurity
- § 656. NET Guard
- § 657. Cyber Security Enhancement Act of 2002
- § 658. Cybersecurity recruitment and retention
- § 659. National cybersecurity and communications integration center
- § 660. Cybersecurity plans
- § 661. Cybersecurity strategy
- § 662. Clearances
- § 663. Federal intrusion detection and prevention system
- § 664. National asset database
- § 665. Duties and authorities relating to .gov internet domain
- § 665a. Intelligence and cybersecurity diversity fellowship program
- § 665b. Joint cyber planning office
- § 665c. Cybersecurity State Coordinator
- § 665d. Sector Risk Management Agencies
- § 665e. Cybersecurity Advisory Committee
- § 665f. Cybersecurity education and training programs
- § 665g. State and Local Cybersecurity Grant Program
- § 665h. National Cyber Exercise Program
- § 665i. CyberSentry program
- § 665j. Ransomware threat mitigation activities
- § 665k. Federal Clearinghouse on School Safety Evidence-based Practices
- § 665l. School and daycare protection
- § 665m. President’s Cup Cybersecurity Competition
- § 665n. Industrial Control Systems Cybersecurity Training Initiative
§ 651. Definition
In this part, the term “Cybersecurity Advisory Committee” means the advisory committee established under section 665e(a) of this title.
(Pub. L. 107–296, title XXII, § 2201, as added Pub. L. 115–278, § 2(a), Nov. 16, 2018, 132 Stat. 4168; amended Pub. L. 116–283, div. H, title XC, § 9002(c)(2)(C), Jan. 1, 2021, 134 Stat. 4772; Pub. L. 117–150, § 2(1), June 21, 2022, 136 Stat. 1295; Pub. L. 117–263, div. G, title LXXI, § 7143(b)(2)(B), Dec. 23, 2022, 136 Stat. 3659.)
§ 652. Cybersecurity and Infrastructure Security Agency
(a) Redesignation
(1) In general
(2) References
(b) Director
(1) In general
(2) Qualifications
(A) In generalThe Director shall be appointed from among individuals who have—
(i) extensive knowledge in at least two of the areas specified in subparagraph (B); and
(ii) not fewer than five years of demonstrated experience in efforts to foster coordination and collaboration between the Federal Government, the private sector, and other entities on issues related to cybersecurity, infrastructure security, or security risk management.
(B) Specified areasThe areas specified in this subparagraph are the following:
(i) Cybersecurity.
(ii) Infrastructure security.
(iii) Security risk management.
(3) Reference
(c) ResponsibilitiesThe Director shall—
(1) lead cybersecurity and critical infrastructure security programs, operations, and associated policy for the Agency, including national cybersecurity asset response activities;
(2) coordinate with Federal entities, including Sector-Specific Agencies, and non-Federal entities, including international entities, to carry out the cybersecurity and critical infrastructure activities of the Agency, as appropriate;
(3) carry out the responsibilities of the Secretary to secure Federal information and information systems consistent with law, including subchapter II of chapter 35 of title 44 and the Cybersecurity Act of 2015 (contained in division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113)), including by carrying out a periodic strategic assessment of the related programs and activities of the Agency to ensure such programs and activities contemplate the innovation of information systems and changes in cybersecurity risks and cybersecurity threats;
(4) coordinate a national effort to secure and protect against critical infrastructure risks, consistent with subsection (e)(1)(E);
(5) upon request, provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and, where appropriate, provide those analyses, expertise, and other technical assistance in coordination with Sector-Specific Agencies and other Federal departments and agencies;
(6) develop and utilize mechanisms for active and frequent collaboration between the Agency and Sector-Specific Agencies to ensure appropriate coordination, situational awareness, and communications with Sector-Specific Agencies;
(7) maintain and utilize mechanisms for the regular and ongoing consultation and collaboration among the Divisions of the Agency to further operational coordination, integrated situational awareness, and improved integration across the Agency in accordance with this chapter;
(8) develop, coordinate, and implement—
(A) comprehensive strategic plans for the activities of the Agency; and
(B) risk assessments by and for the Agency;
(9) carry out emergency communications responsibilities, in accordance with subchapter XIII;
(10) carry out cybersecurity, infrastructure security, and emergency communications stakeholder outreach and engagement and coordinate that outreach and engagement with critical infrastructure Sector-Specific Agencies, as appropriate;
(11) provide education, training, and capacity development to Federal and non-Federal entities to enhance the security and resiliency of domestic and global cybersecurity and infrastructure security;
(12) appoint a Cybersecurity State Coordinator in each State, as described in section 665c of this title;
(13) carry out the duties and authorities relating to the .gov internet domain, as described in section 665 of this title; and
(14) carry out such other duties and powers prescribed by law or delegated by the Secretary.
(d) Deputy DirectorThere shall be in the Agency a Deputy Director of the Cybersecurity and Infrastructure Security Agency who shall—
(1) assist the Director in the management of the Agency; and
(2) report to the Director.
(e) Cybersecurity and infrastructure security authorities of the Secretary
(1) In generalThe responsibilities of the Secretary relating to cybersecurity and infrastructure security shall include the following:
(A) To access, receive, and analyze law enforcement information, intelligence information, and other information from Federal Government agencies, State, local, tribal, and territorial government agencies, including law enforcement agencies, and private sector entities, and to integrate that information, in support of the mission responsibilities of the Department, in order to—
(i) identify and assess the nature and scope of terrorist threats to the homeland;
(ii) detect and identify threats of terrorism against the United States; and
(iii) understand those threats in light of actual and potential vulnerabilities of the homeland.
(B) To carry out comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the United States, including the performance of risk assessments to determine the risks posed by particular types of terrorist attacks within the United States, including an assessment of the probability of success of those attacks and the feasibility and potential efficacy of various countermeasures to those attacks. At the discretion of the Secretary, such assessments may be carried out in coordination with Sector-Specific Agencies.
(C) To integrate relevant information, analysis, and vulnerability assessments, regardless of whether the information, analysis, or assessments are provided or produced by the Department, in order to make recommendations, including prioritization, for protective and support measures by the Department, other Federal Government agencies, State, local, tribal, and territorial government agencies and authorities, the private sector, and other entities regarding terrorist and other threats to homeland security.
(D) To ensure, pursuant to section 122 of this title, the timely and efficient access by the Department to all information necessary to discharge the responsibilities under this subchapter, including obtaining that information from other Federal Government agencies.
(E) To develop, in coordination with the Sector-Specific Agencies with available expertise, a comprehensive national plan for securing the key resources and critical infrastructure of the United States, including power production, generation, and distribution systems, information technology and telecommunications systems (including satellites), electronic financial and property record storage and transmission systems, emergency communications systems, and the physical and technological assets that support those systems.
(F) To recommend measures necessary to protect the key resources and critical infrastructure of the United States in coordination with other Federal Government agencies, including Sector-Specific Agencies, and in cooperation with State, local, tribal, and territorial government agencies and authorities, the private sector, and other entities.
(G) To review, analyze, and make recommendations for improvements to the policies and procedures governing the sharing of information relating to homeland security within the Federal Government and between Federal Government agencies and State, local, tribal, and territorial government agencies and authorities.
(H) To disseminate, as appropriate, information analyzed by the Department within the Department to other Federal Government agencies with responsibilities relating to homeland security and to State, local, tribal, and territorial government agencies and private sector entities with those responsibilities in order to assist in the deterrence, prevention, or preemption of, or response to, terrorist attacks against the United States.
(I) To consult with State, local, tribal, and territorial government agencies and private sector entities to ensure appropriate exchanges of information, including law enforcement-related information, relating to threats of terrorism against the United States.
(J) To ensure that any material received pursuant to this chapter is protected from unauthorized disclosure and handled and used only for the performance of official duties.
(K) To request additional information from other Federal Government agencies, State, local, tribal, and territorial government agencies, and the private sector relating to threats of terrorism in the United States, or relating to other areas of responsibility assigned by the Secretary, including the entry into cooperative agreements through the Secretary to obtain such information.
(L) To establish and utilize, in conjunction with the Chief Information Officer of the Department, a secure communications and information technology infrastructure, including data-mining and other advanced analytical tools, in order to access, receive, and analyze data and information in furtherance of the responsibilities under this section, and to disseminate information acquired and analyzed by the Department, as appropriate.
(M) To coordinate training and other support to the elements and personnel of the Department, other Federal Government agencies, and State, local, tribal, and territorial government agencies that provide information to the Department, or are consumers of information provided by the Department, in order to facilitate the identification and sharing of information revealed in their ordinary duties and the optimal utilization of information received from the Department.
(N) To coordinate with Federal, State, local, tribal, and territorial law enforcement agencies, and the private sector, as appropriate.
(O) To exercise the authorities and oversight of the functions, personnel, assets, and liabilities of those components transferred to the Department pursuant to section 121(g) of this title.
(P) To carry out the functions of the national cybersecurity and communications integration center under section 659 of this title.
(Q) To carry out the requirements of the Chemical Facility Anti-Terrorism Standards Program established under subchapter XVI and the secure handling of ammonium nitrate program established under part J of subchapter VIII, or any successor programs.
(R) To encourage and build cybersecurity awareness and competency across the United States and to develop, attract, and retain the cybersecurity workforce necessary for the cybersecurity related missions of the Department, including by—
(i) overseeing elementary and secondary cybersecurity education and awareness related programs at the Agency;
(ii) leading efforts to develop, attract, and retain the cybersecurity workforce necessary for the cybersecurity related missions of the Department;
(iii) encouraging and building cybersecurity awareness and competency across the United States; and
(iv) carrying out cybersecurity related workforce development activities, including through—(I) increasing the pipeline of future cybersecurity professionals through programs focused on elementary and secondary education, postsecondary education, and workforce development; and(II) building awareness of and competency in cybersecurity across the civilian Federal Government workforce.
(2) Reallocation
(3) Staff
(A) In general
(B) Private sector analysts
(C) Security clearances
(4) Detail of personnel
(A) In general
(B) AgenciesThe Federal agencies described in this subparagraph are—
(i) the Department of State;
(ii) the Central Intelligence Agency;
(iii) the Federal Bureau of Investigation;
(iv) the National Security Agency;
(v) the National Geospatial-Intelligence Agency;
(vi) the Defense Intelligence Agency;
(vii) Sector-Specific Agencies; and
(viii) any other agency of the Federal Government that the President considers appropriate.
(C) Interagency agreements
(D) Basis
(f) CompositionThe Agency shall be composed of the following divisions:
(1) The Cybersecurity Division, headed by an Executive Assistant Director.
(2) The Infrastructure Security Division, headed by an Executive Assistant Director.
(3) The Emergency Communications Division under subchapter XIII, headed by an Executive Assistant Director.
(g) Co-location
(1) In general
(2) Coordination
(h) Privacy
(1) In general
(2) ResponsibilitiesThe responsibilities of the Privacy Officer of the Agency shall include—
(A) assuring that the use of technologies by the Agency sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information;
(B) assuring that personal information contained in systems of records of the Agency is handled in full compliance as specified in section 552a of title 5 (commonly known as the “Privacy Act of 1974”);
(C) evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Agency; and
(D) conducting a privacy impact assessment of proposed rules of the Agency on the privacy of personal information, including the type of personal information collected and the number of people affected.
(i) Savings
(Pub. L. 107–296, title XXII, § 2202, as added Pub. L. 115–278, § 2(a), Nov. 16, 2018, 132 Stat. 4169; amended Pub. L. 116–260, div. U, title IX, § 904(b)(1)(A), Dec. 27, 2020, 134 Stat. 2298; Pub. L. 116–283, div. A, title XVII, §§ 1717(a)(1)(A), 1719(a), (b), div. H, title XC, §§ 9001(a), 9002(c)(2)(D), Jan. 1, 2021, 134 Stat. 4099, 4105, 4766, 4773; Pub. L. 117–81, div. A, title XV, §§ 1547(b)(1)(A)(i), (B), 1549(a), Dec. 27, 2021, 135 Stat. 2060, 2061, 2063; Pub. L. 117–263, div. G, title LXXI, § 7143(a)(1), (b)(2)(C), (c)(5), Dec. 23, 2022, 136 Stat. 3654, 3659, 3663.)
§ 652a. Sector Risk Management Agencies
(a) DefinitionsIn this section:
(1) Appropriate congressional committeesThe term “appropriate congressional committees” means—
(A) the Committee on Homeland Security and the Committee on Armed Services in the House of Representatives; and
(B) the Committee on Homeland Security and Governmental Affairs and the Committee on Armed Services in the Senate.
(2) Critical infrastructure
(3) Department
(4) Director
(5) Secretary
(7)1
1 So in original. Probably should be “(6)”.
Sector Risk Management Agency(b) Critical infrastructure sector designation
(1) Initial reviewNot later than 180 days after January 1, 2021, the Secretary, in consultation with the heads of Sector Risk Management Agencies, shall—
(A) review the current framework for securing critical infrastructure, as described in section 652(c)(4) of this title and Presidential Policy Directive 21; and
(B) submit to the President and appropriate congressional committees a report that includes—
(i) information relating to—(I) the analysis framework or methodology used to—(aa) evaluate the current framework for securing critical infrastructure referred to in subparagraph (A); and(bb) develop recommendations to—(AA) revise the current list of critical infrastructure sectors designated pursuant to Presidential Policy Directive 21, any successor or related document, or policy; or(BB) identify and designate any subsectors of such sectors;(II) the data, metrics, and other information used to develop the recommendations required under clause (ii); and
(ii) recommendations relating to—(I) revising—(aa) the current framework for securing critical infrastructure referred to in subparagraph (A);(bb) the current list of critical infrastructure sectors designated pursuant to Presidential Policy Directive 21, any successor or related document, or policy; or(cc) the identification and designation of any subsectors of such sectors; and(II) any revisions to the list of designated Federal departments or agencies that serve as the Sector Risk Management Agency for a sector or subsector of such section, necessary to comply with paragraph (3)(B).
(2) Periodic evaluation by the SecretaryAt least once every five years, the Secretary, in consultation with the Director and the heads of Sector Risk Management Agencies, shall—
(A) evaluate the current list of designated critical infrastructure sectors and subsectors of such sectors and the appropriateness of Sector Risk Management Agency designations, as set forth in Presidential Policy Directive 21, any successor or related document, or policy; and
(B) recommend, as appropriate, to the President—
(i) revisions to the current list of designated critical infrastructure sectors or subsectors of such sectors; and
(ii) revisions to the designation of any Federal department or agency designated as the Sector Risk Management Agency for a sector or subsector of such sector.
(3) Review and revision by the President
(A) review the recommendation and revise, as appropriate, the designation of a critical infrastructure sector or subsector or the designation of a Sector Risk Management Agency; and
(B) submit to the appropriate congressional committees, the Majority and Minority Leaders of the Senate, and the Speaker and Minority Leader of the House of Representatives, a report that includes—
(i) an explanation with respect to the basis for accepting or rejecting the recommendations of the Secretary; and
(ii) information relating to the analysis framework, methodology, metrics, and data used to—(I) evaluate the current framework for securing critical infrastructure referred to in paragraph (1)(A); and(II) develop—(aa) recommendations to revise—(AA) the list of critical infrastructure sectors designated pursuant to Presidential Policy Directive 21, any successor or related document, or policy; or(BB) the designation of any subsectors of such sectors; and(bb) the recommendations of the Secretary.
(4) Publication
(c) Sector Risk Management Agencies
(1) Omitted
(2) Omitted
(3) ReferencesAny reference to a Sector Specific Agency (including any permutations or conjugations thereof) in any law, regulation, map, document, record, or other paper of the United States shall be deemed to—
(A) be a reference to the Sector Risk Management Agency of the relevant critical infrastructure sector; and
(B) have the meaning given such term in section 650 of this title.
(4) Omitted
(d) Report and auditing
(Pub. L. 116–283, div. H, title XC, § 9002, Jan. 1, 2021, 134 Stat. 4768; Pub. L. 117–263, div. G, title LXXI, § 7143(d)(5), Dec. 23, 2022, 136 Stat. 3663.)
§ 653. Cybersecurity Division
(a) Establishment
(1) In general
(2) Executive Assistant Director
The Cybersecurity Division shall be headed by an Executive Assistant Director for Cybersecurity (in this section referred to as “the Executive Assistant Director”), who shall—
(A) be at the level of Assistant Secretary within the Department;
(B) be appointed by the President without the advice and consent of the Senate; and
(C) report to the Director.
(3) Reference
(b) Functions
The Executive Assistant Director shall—
(1) direct the cybersecurity efforts of the Agency;
(2) carry out activities, at the direction of the Director, related to the security of Federal information and Federal information systems consistent with law, including subchapter II of chapter 35 of title 44 and the Cybersecurity Act of 2015 (contained in division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113));
(3) fully participate in the mechanisms required under section 652(c)(7) of this title; and
(4) carry out such other duties and powers as prescribed by the Director.
(Pub. L. 107–296, title XXII, § 2203, as added Pub. L. 115–278, § 2(a), Nov. 16, 2018, 132 Stat. 4174; amended Pub. L. 116–283, div. H, title XC, § 9001(c)(1), Jan. 1, 2021, 134 Stat. 4766.)
§ 654. Infrastructure Security Division
(a) Establishment
(1) In general
(2) Executive Assistant Director
The Infrastructure Security Division shall be headed by an Executive Assistant Director for Infrastructure Security (in this section referred to as “the Executive Assistant Director”), who shall—
(A) be at the level of Assistant Secretary within the Department;
(B) be appointed by the President without the advice and consent of the Senate; and
(C) report to the Director.
(3) Reference
(b) Functions
The Executive Assistant Director shall—
(1) direct the critical infrastructure security efforts of the Agency;
(2) carry out, at the direction of the Director, the Chemical Facilities Anti-Terrorism Standards Program established under subchapter XVI and the secure handling of ammonium nitrate program established under part J of subchapter VIII, or any successor programs;
(3) fully participate in the mechanisms required under section 652(c)(7) of this title; and
(4) carry out such other duties and powers as prescribed by the Director.
(Pub. L. 107–296, title XXII, § 2204, as added Pub. L. 115–278, § 2(a), Nov. 16, 2018, 132 Stat. 4174; amended Pub. L. 116–283, div. H, title XC, § 9001(d)(1), Jan. 1, 2021, 134 Stat. 4767.)
§ 655. Enhancement of Federal and non-Federal cybersecurityIn carrying out the responsibilities under section 652 of this title, the Director of the Cybersecurity and Infrastructure Security Agency shall—
(1) as appropriate, provide to State and local government entities, and upon request to private entities that own or operate critical information systems—
(A) analysis and warnings related to threats to, and vulnerabilities of, critical information systems; and
(B) in coordination with the Under Secretary for Emergency Preparedness and Response, crisis management support in response to threats to, or attacks on, critical information systems;
(2) as appropriate, provide technical assistance, upon request, to the private sector and other government entities, in coordination with the Under Secretary for Emergency Preparedness and Response, with respect to emergency recovery plans to respond to major failures of critical information systems; and
(3) fulfill the responsibilities of the Secretary to protect Federal information systems under subchapter II of chapter 35 of title 44.
(Pub. L. 107–296, title XXII, § 2205, formerly title II, § 223, Nov. 25, 2002, 116 Stat. 2156; Pub. L. 110–53, title V, § 531(b)(1)(A), Aug. 3, 2007, 121 Stat. 334; Pub. L. 113–283, § 2(e)(3)(A), Dec. 18, 2014, 128 Stat. 3086; renumbered title XXII, § 2205, and amended Pub. L. 115–278, § 2(g)(2)(I), (9)(A)(i), Nov. 16, 2018, 132 Stat. 4178, 4180; Pub. L. 117–263, div. G, title LXXI, § 7143(c)(6), Dec. 23, 2022, 136 Stat. 3663.)
§ 656. NET Guard
The Director of the Cybersecurity and Infrastructure Security Agency may establish a national technology guard, to be known as “NET Guard”, comprised of local teams of volunteers with expertise in relevant areas of science and technology, to assist local communities to respond and recover from attacks on information systems and communications networks.
(Pub. L. 107–296, title XXII, § 2206, formerly title II, § 224, Nov. 25, 2002, 116 Stat. 2156; Pub. L. 110–53, title V, § 531(b)(1)(B), Aug. 3, 2007, 121 Stat. 334; renumbered title XXII, § 2206, and amended Pub. L. 115–278, § 2(g)(2)(I), (9)(A)(ii), Nov. 16, 2018, 132 Stat. 4178, 4180; Pub. L. 117–263, div. G, title LXXI, § 7143(c)(7), Dec. 23, 2022, 136 Stat. 3663.)
§ 657. Cyber Security Enhancement Act of 2002
(a) Short title
(b) Amendment of sentencing guidelines relating to certain computer crimes
(1) Directive to the United States Sentencing Commission
(2) RequirementsIn carrying out this subsection, the Sentencing Commission shall—
(A) ensure that the sentencing guidelines and policy statements reflect the serious nature of the offenses described in paragraph (1), the growing incidence of such offenses, and the need for an effective deterrent and appropriate punishment to prevent such offenses;
(B) consider the following factors and the extent to which the guidelines may or may not account for them—
(i) the potential and actual loss resulting from the offense;
(ii) the level of sophistication and planning involved in the offense;
(iii) whether the offense was committed for purposes of commercial advantage or private financial benefit;
(iv) whether the defendant acted with malicious intent to cause harm in committing the offense;
(v) the extent to which the offense violated the privacy rights of individuals harmed;
(vi) whether the offense involved a computer used by the government in furtherance of national defense, national security, or the administration of justice;
(vii) whether the violation was intended to or had the effect of significantly interfering with or disrupting a critical infrastructure; and
(viii) whether the violation was intended to or had the effect of creating a threat to public health or safety, or injury to any person;
(C) assure reasonable consistency with other relevant directives and with other sentencing guidelines;
(D) account for any additional aggravating or mitigating circumstances that might justify exceptions to the generally applicable sentencing ranges;
(E) make any necessary conforming changes to the sentencing guidelines; and
(F) assure that the guidelines adequately meet the purposes of sentencing as set forth in section 3553(a)(2) of title 18.
(c) Study and report on computer crimes
(d) Emergency disclosure exception
(1) Omitted
(2) Reporting of disclosures
(Pub. L. 107–296, title XXII, § 2207, formerly title II, § 225, Nov. 25, 2002, 116 Stat. 2156; renumbered title XXII, § 2207, Pub. L. 115–278, § 2(g)(2)(I), Nov. 16, 2018, 132 Stat. 4178.)
§ 658. Cybersecurity recruitment and retention
(a) DefinitionsIn this section:
(1) Appropriate committees of Congress
(2) Collective bargaining agreement
(3) Excepted service
(4) Preference eligible
(5) Qualified position
(6) Senior Executive Service
(b) General authority
(1) Establish positions, appoint personnel, and fix rates of pay
(A) General authorityThe Secretary may—
(i) establish, as positions in the excepted service, such qualified positions in the Department as the Secretary determines necessary to carry out the responsibilities of the Department relating to cybersecurity, including positions formerly identified as—(I) senior level positions designated under section 5376 of title 5; and(II) positions in the Senior Executive Service;
(ii) appoint an individual to a qualified position (after taking into consideration the availability of preference eligibles for appointment to the position); and
(iii) subject to the requirements of paragraphs (2) and (3), fix the compensation of an individual for service in a qualified position.
(B) Construction with other laws
(2) Basic pay
(A) Authority to fix rates of basic pay
(B) Prevailing rate systems
(3) Additional compensation, incentives, and allowances
(A) Additional compensation based on title 5 authorities
(B) Allowances in nonforeign areas
(4) Plan for execution of authorities
(5) Collective bargaining agreements
(6) Required regulations
(c) Annual reportNot later than 1 year after December 18, 2014, and every year thereafter for 4 years, the Secretary shall submit to the appropriate committees of Congress a detailed report that—
(1) discusses the process used by the Secretary in accepting applications, assessing candidates, ensuring adherence to veterans’ preference, and selecting applicants for vacancies to be filled by an individual for a qualified position;
(2) describes—
(A) how the Secretary plans to fulfill the critical need of the Department to recruit and retain employees in qualified positions;
(B) the measures that will be used to measure progress; and
(C) any actions taken during the reporting period to fulfill such critical need;
(3) discusses how the planning and actions taken under paragraph (2) are integrated into the strategic workforce planning of the Department;
(4) provides metrics on actions occurring during the reporting period, including—
(A) the number of employees in qualified positions hired by occupation and grade and level or pay band;
(B) the placement of employees in qualified positions by directorate and office within the Department;
(C) the total number of veterans hired;
(D) the number of separations of employees in qualified positions by occupation and grade and level or pay band;
(E) the number of retirements of employees in qualified positions by occupation and grade and level or pay band; and
(F) the number and amounts of recruitment, relocation, and retention incentives paid to employees in qualified positions by occupation and grade and level or pay band; and
(5) describes the training provided to supervisors of employees in qualified positions at the Department on the use of the new authorities.
(d) Three-year probationary period
(e) Incumbents of existing competitive service positions
(1) In general
(2) Subsequent conversion
(f) Study and reportNot later than 120 days after December 18, 2014, the National Protection and Programs Directorate shall submit a report regarding the availability of, and benefits (including cost savings and security) of using, cybersecurity personnel and facilities outside of the National Capital Region (as defined in section 2674 of title 10) to serve the Federal and national need to—
(1) the Subcommittee on Homeland Security of the Committee on Appropriations and the Committee on Homeland Security and Governmental Affairs of the Senate; and
(2) the Subcommittee on Homeland Security of the Committee on Appropriations and the Committee on Homeland Security of the House of Representatives.
(Pub. L. 107–296, title XXII, § 2208, formerly title II, § 226, as added Pub. L. 113–277, § 3(a), Dec. 18, 2014, 128 Stat. 3005; renumbered title XXII, § 2208, Pub. L. 115–278, § 2(g)(2)(I), Nov. 16, 2018, 132 Stat. 4178.)
§ 659. National cybersecurity and communications integration center
(a) Definition
(b) Center
(c) FunctionsThe cybersecurity functions of the Center shall include—
(1) being a Federal civilian interface for the multi-directional and cross-sector sharing of information related to cyber threat indicators, defensive measures, cybersecurity risks, incidents, analysis, and warnings for Federal and non-Federal entities, including the implementation of title I of the Cybersecurity Act of 2015 [6 U.S.C. 1501 et seq.];
(2) providing shared situational awareness to enable real-time, integrated, and operational actions across the Federal Government and non-Federal entities to address cybersecurity risks and incidents to Federal and non-Federal entities;
(3) coordinating the sharing of information related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents across the Federal Government;
(4) facilitating cross-sector coordination to address cybersecurity risks and incidents, including cybersecurity risks and incidents that may be related or could have consequential impacts across multiple sectors;
(5)
(A) conducting integration and analysis, including cross-sector integration and analysis, of cyber threat indicators, defensive measures, cybersecurity risks, and incidents;
(B) sharing mitigation protocols to counter cybersecurity vulnerabilities pursuant to subsection (n), as appropriate; and
(C) sharing the analysis conducted under subparagraph (A) and mitigation protocols to counter cybersecurity vulnerabilities in accordance with subparagraph (B), as appropriate, with Federal and non-Federal entities;
(6) upon request, providing operational and timely technical assistance, risk management support, and incident response capabilities to Federal and non-Federal entities with respect to cyber threat indicators, defensive measures, cybersecurity risks, and incidents, which may include attribution, mitigation, and remediation, which may take the form of continuous monitoring and detection of cybersecurity risks to critical infrastructure entities that own or operate industrial control systems that support national critical functions;
(7) providing information and recommendations on security and resilience measures to Federal and non-Federal entities, including information and recommendations to—
(A) facilitate information security;
(B) strengthen information systems against cybersecurity risks and incidents; and
(C) share cyber threat indicators and defensive measures;
(8) engaging with international partners, in consultation with other appropriate agencies, to—
(A) collaborate on cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents; and
(B) enhance the security and resilience of global cybersecurity;
(9) sharing cyber threat indicators, defensive measures, mitigation protocols to counter cybersecurity vulnerabilities, as appropriate, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities, including across sectors of critical infrastructure and with State and major urban area fusion centers, as appropriate;
(10) participating, as appropriate, in national exercises run by the Department;
(11) in coordination with the Emergency Communications Division of the Department, assessing and evaluating consequence, vulnerability, and threat information regarding cyber incidents to public safety communications to help facilitate continuous improvements to the security and resiliency of such communications;
(12) detecting, identifying, and receiving information for a cybersecurity purpose about security vulnerabilities relating to critical infrastructure in information systems and devices; and
(13) receiving, aggregating, and analyzing reports related to covered cyber incidents (as defined in section 681 of this title) submitted by covered entities (as defined in section 681 of this title) and reports related to ransom payments (as defined in section 681 of this title) submitted by covered entities (as defined in section 681 of this title) in furtherance of the activities specified in sections 652(e), 653, and 681a of this title, this subsection, and any other authorized activity of the Director, to enhance the situational awareness of cybersecurity threats across critical infrastructure sectors.
(d) Composition
(1) In generalThe Center shall be composed of—
(A) appropriate representatives of Federal entities, such as—
(i) sector-specific agencies;
(ii) civilian and law enforcement agencies; and
(iii) elements of the intelligence community;
(B) appropriate representatives of non-Federal entities, such as—
(i) State, local, and tribal governments;
(ii) Information Sharing and Analysis Organizations, including information sharing and analysis centers;
(iii) owners and operators of critical information systems; and
(iv) private entities, including cybersecurity specialists;
(C) components within the Center that carry out cybersecurity and communications activities;
(D) a designated Federal official for operational coordination with and across each sector;
(E) an entity that collaborates with State and local governments, including an entity that collaborates with election officials, on cybersecurity risks and incidents, and has entered into a voluntary information sharing relationship with the Center; and
(F) other appropriate representatives or entities, as determined by the Secretary.
(2) Incidents
(e) PrinciplesIn carrying out the functions under subsection (c), the Center shall ensure—
(1) to the extent practicable, that—
(A) timely, actionable, and relevant cyber threat indicators, defensive measures, and information related to cybersecurity risks, incidents, and analysis is shared;
(B) when appropriate, cyber threat indicators, defensive measures, and information related to cybersecurity risks, incidents, and analysis is integrated with other relevant information and tailored to the specific characteristics of a sector;
(C) activities are prioritized and conducted based on the level of risk;
(D) industry sector-specific, academic, and national laboratory expertise is sought and receives appropriate consideration;
(E) continuous, collaborative, and inclusive coordination occurs—
(i) across sectors; and
(ii) with—(I) sector coordinating councils;(II) Information Sharing and Analysis Organizations; and(III) other appropriate non-Federal partners;
(F) as appropriate, the Center works to develop and use mechanisms for sharing information related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents that are technology-neutral, interoperable, real-time, cost-effective, and resilient;
(G) the Center works with other agencies to reduce unnecessarily duplicative sharing of information related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents;
(H) the Center designates an agency contact for non-Federal entities; and
(I) activities of the Center address the security of both information technology and operational technology, including industrial control systems;
(2) that information related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents is appropriately safeguarded against unauthorized access or disclosure; and
(3) that activities conducted by the Center comply with all policies, regulations, and laws that protect the privacy and civil liberties of United States persons, including by working with the Privacy Officer appointed under section 142 of this title to ensure that the Center follows the policies and procedures specified in subsections (b) and (d)(5)(C) of section 105 of the Cybersecurity Act of 2015 [6 U.S.C. 1504].
(f) Cyber hunt and incident response teams
(1) In generalThe Center shall maintain cyber hunt and incident response teams for the purpose of leading Federal asset response activities and providing timely technical assistance to Federal and non-Federal entities, including across all critical infrastructure sectors, regarding actual or potential security incidents, as appropriate and upon request, including—
(A) assistance to asset owners and operators in restoring services following a cyber incident;
(B) identification and analysis of cybersecurity risk and unauthorized cyber activity;
(C) mitigation strategies to prevent, deter, and protect against cybersecurity risks;
(D) recommendations to asset owners and operators for improving overall network and control systems security to lower cybersecurity risks, and other recommendations, as appropriate; and
(E) such other capabilities as the Secretary determines appropriate.
(2) Associated metricsThe Center shall—
(A) define the goals and desired outcomes for each cyber hunt and incident response team; and
(B) develop metrics—
(i) to measure the effectiveness and efficiency of each cyber hunt and incident response team in achieving the goals and desired outcomes defined under subparagraph (A); and
(ii) that—(I) are quantifiable and actionable; and(II) the Center shall use to improve the effectiveness and accountability of, and service delivery by, cyber hunt and incident response teams.
(3) Cybersecurity specialists
(g) No right or benefit
(1) In general
(2) Certain assistance or information
(h) Automated information sharing
(1) In general
(2) Annual report
(i) Voluntary information sharing procedures
(1) Procedures
(A) In general
(B) National security
(2) Voluntary information sharing relationshipsA voluntary information sharing relationship under this subsection may be characterized as an agreement described in this paragraph.
(A) Standard agreement
(B) Negotiated agreement
(C) Existing agreements
(j) Direct reporting
(k) Reports on international cooperation
(l) OutreachNot later than 60 days after December 18, 2015, the Secretary, acting through the Director, shall—
(1) disseminate to the public information about how to voluntarily share cyber threat indicators and defensive measures with the Center; and
(2) enhance outreach to critical infrastructure owners and operators for purposes of such sharing.
(m) Cybersecurity outreach
(1) In general
(2) Definitions
(n) Coordinated vulnerability disclosure
(o) Protocols to counter certain cybersecurity vulnerabilities
(p) Subpoena authority
(1) DefinitionIn this subsection, the term “covered device or system”—
(A) means a device or system commonly used to perform industrial, commercial, scientific, or governmental functions or processes that relate to critical infrastructure, including operational and industrial control systems, distributed control systems, and programmable logic controllers; and
(B) does not include personal devices and systems, such as consumer mobile devices, home computers, residential wireless routers, or residential internet enabled consumer devices.
(2) Authority
(A) In general
(B) Limit on informationA subpoena issued pursuant to subparagraph (A) may seek information—
(i) only in the categories set forth in subparagraphs (A), (B), (D), and (E) of section 2703(c)(2) of title 18; and
(ii) for not more than 20 covered devices or systems.
(C) Liability protections for disclosing providers
(3) Coordination
(A) In general
(B) ContentsThe inter-agency procedures developed under this paragraph shall provide that a subpoena issued by the Director under this subsection shall be—
(i) issued to carry out a function described in subsection (c)(12); and
(ii) subject to the limitations specified in this subsection.
(4) Noncompliance
(5) Notice
(6) Authentication
(A) In general
(B) Invalid if not authenticated
(7) ProceduresNot later than 90 days after January 1, 2021, the Director shall establish internal procedures and associated training, applicable to employees and operations of the Agency, regarding subpoenas issued pursuant to this subsection, which shall address the following:
(A) The protection of and restriction on dissemination of nonpublic information obtained through such a subpoena, including a requirement that the Agency not disseminate nonpublic information obtained through such a subpoena that identifies the party that is subject to such subpoena or the entity at risk identified by information obtained, except that the Agency may share the nonpublic information with the Department of Justice for the purpose of enforcing such subpoena in accordance with paragraph (4), and may share with a Federal agency the nonpublic information of the entity at risk if—
(i) the Agency identifies or is notified of a cybersecurity incident involving such entity, which relates to the vulnerability which led to the issuance of such subpoena;
(ii) the Director determines that sharing the nonpublic information with another Federal department or agency is necessary to allow such department or agency to take a law enforcement or national security action, consistent with the interagency procedures under paragraph (3)(A), or actions related to mitigating or otherwise resolving such incident;
(iii) the entity to which the information pertains is notified of the Director’s determination, to the extent practicable consistent with national security or law enforcement interests, consistent with such interagency procedures; and
(iv) the entity consents, except that the entity’s consent shall not be required if another Federal department or agency identifies the entity to the Agency in connection with a suspected cybersecurity incident.
(B) The restriction on the use of information obtained through such a subpoena for a cybersecurity purpose.
(C) The retention and destruction of nonpublic information obtained through such a subpoena, including—
(i) destruction of such information that the Director determines is unrelated to critical infrastructure immediately upon providing notice to the entity pursuant to paragraph (5); and
(ii) destruction of any personally identifiable information not later than 6 months after the date on which the Director receives information obtained through such a subpoena, unless otherwise agreed to by the individual identified by the subpoena respondent.
(D) The processes for providing notice to each party that is subject to such a subpoena and each entity identified by information obtained under such a subpoena.
(E) The processes and criteria for conducting critical infrastructure security risk assessments to determine whether a subpoena is necessary prior to being issued pursuant to this subsection.
(F) The information to be provided to an entity at risk at the time of the notice of the vulnerability, which shall include—
(i) a discussion or statement that responding to, or subsequent engagement with, the Agency, is voluntary; and
(ii) to the extent practicable, information regarding the process through which the Director identifies security vulnerabilities.
(8) Limitation on procedures
(9) Review of proceduresNot later than 1 year after January 1, 2021, the Privacy Officer of the Agency shall—
(A) review the internal procedures established pursuant to paragraph (7) to ensure that—
(i) such procedures are consistent with fair information practices; and
(ii) the operations of the Agency comply with such procedures; and
(B) notify the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives of the results of the review under subparagraph (A).
(10) Publication of informationNot later than 120 days after establishing the internal procedures under paragraph (7), the Director shall publish information on the website of the Agency regarding the subpoena process under this subsection, including information regarding the following:
(A) Such internal procedures.
(B) The purpose for subpoenas issued pursuant to this subsection.
(C) The subpoena process.
(D) The criteria for the critical infrastructure security risk assessment conducted prior to issuing a subpoena.
(E) Policies and procedures on retention and sharing of data obtained by subpoenas.
(F) Guidelines on how entities contacted by the Director may respond to notice of a subpoena.
(11) Annual reportsThe Director shall annually submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report (which may include a classified annex but with the presumption of declassification) on the use of subpoenas issued pursuant to this subsection, which shall include the following:
(A) A discussion of the following:
(i) The effectiveness of the use of such subpoenas to mitigate critical infrastructure security vulnerabilities.
(ii) The critical infrastructure security risk assessment process conducted for subpoenas issued under this subsection.
(iii) The number of subpoenas so issued during the preceding year.
(iv) To the extent practicable, the number of vulnerable covered devices or systems mitigated under this subsection by the Agency during the preceding year.
(v) The number of entities notified by the Director under this subsection, and their responses, during the preceding year.
(B) For each subpoena issued pursuant to this subsection, the following:
(i) Information relating to the source of the security vulnerability detected, identified, or received by the Director.
(ii) Information relating to the steps taken to identify the entity at risk prior to issuing the subpoena.
(iii) A description of the outcome of the subpoena, including discussion on the resolution or mitigation of the critical infrastructure security vulnerability.
(12) Publication of the annual reports
(13) Prohibition on use of information for unauthorized purposes
(q) Industrial control systemsThe Director shall maintain capabilities to identify and address threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure processes. In carrying out this subsection, the Director shall—
(1) lead Federal Government efforts, in consultation with Sector Risk Management Agencies, as appropriate, to identify and mitigate cybersecurity threats to industrial control systems, including supervisory control and data acquisition systems;
(2) maintain threat hunting and incident response capabilities to respond to industrial control system cybersecurity risks and incidents;
(3) provide cybersecurity technical assistance to industry end-users, product manufacturers, Sector Risk Management Agencies, other Federal agencies, and other industrial control system stakeholders to identify, evaluate, assess, and mitigate vulnerabilities;
(4) collect, coordinate, and provide vulnerability information to the industrial control systems community by, as appropriate, working closely with security researchers, industry end-users, product manufacturers, Sector Risk Management Agencies, other Federal agencies, and other industrial control systems stakeholders; and
(5) conduct such other efforts and assistance as the Secretary determines appropriate.
(r) Coordination on cybersecurity for SLTT entities
(1)1
1 So in original. There is no par. (2).
CoordinationThe Center shall, upon request and to the extent practicable, and in coordination as appropriate with Federal and non-Federal entities, such as the Multi-State Information Sharing and Analysis Center—(A) conduct exercises with SLTT entities;
(B) provide operational and technical cybersecurity training to SLTT entities to address cybersecurity risks or incidents, with or without reimbursement, related to—
(i) cyber threat indicators;
(ii) defensive measures;
(iii) cybersecurity risks;
(iv) vulnerabilities; and
(v) incident response and management;
(C) in order to increase situational awareness and help prevent incidents, assist SLTT entities in sharing, in real time, with the Federal Government as well as among SLTT entities, actionable—
(i) cyber threat indicators;
(ii) defensive measures;
(iii) information about cybersecurity risks; and
(iv) information about incidents;
(D) provide SLTT entities notifications containing specific incident and malware information that may affect them or their residents;
(E) provide to, and periodically update, SLTT entities via an easily accessible platform and other means—
(i) information about tools;
(ii) information about products;
(iii) resources;
(iv) policies;
(v) guidelines;
(vi) controls; and
(vii) other cybersecurity standards and best practices and procedures related to information security, including, as appropriate, information produced by other Federal agencies;
(F) work with senior SLTT entity officials, including chief information officers and senior election officials and through national associations, to coordinate the effective implementation by SLTT entities of tools, products, resources, policies, guidelines, controls, and procedures related to information security to secure the information systems, including election systems, of SLTT entities;
(G) provide operational and technical assistance to SLTT entities to implement tools, products, resources, policies, guidelines, controls, and procedures on information security;
(H) assist SLTT entities in developing policies and procedures for coordinating vulnerability disclosures consistent with international and national standards in the information technology industry; and
(I) promote cybersecurity education and awareness through engagements with Federal agencies and non-Federal entities.
(s) Report
(Pub. L. 107–296, title XXII, § 2209, formerly title II, § 227, formerly § 226, as added Pub. L. 113–282, § 3(a), Dec. 18, 2014, 128 Stat. 3066; renumbered § 227 and amended Pub. L. 114–113, div. N, title II, §§ 203, 223(a)(3), Dec. 18, 2015, 129 Stat. 2957, 2963; Pub. L. 114–328, div. A, title XVIII, § 1841(b), Dec. 23, 2016, 130 Stat. 2663; renumbered title XXII, § 2209, and amended Pub. L. 115–278, § 2(g)(2)(I), (9)(A)(iii), Nov. 16, 2018, 132 Stat. 4178, 4180; Pub. L. 116–94, div. L, § 102(a), Dec. 20, 2019, 133 Stat. 3089; Pub. L. 116–283, div. A, title XVII, § 1716(a), Jan. 1, 2021, 134 Stat. 4094; Pub. L. 117–81, div. A, title XV, §§ 1541(a), 1542, 1548(c), Dec. 27, 2021, 135 Stat. 2054, 2056, 2063; Pub. L. 117–103, div. Y, § 103(a)(1), Mar. 15, 2022, 136 Stat. 1038; Pub. L. 117–150, § 2(2), June 21, 2022, 136 Stat. 1295; Pub. L. 117–263, div. G, title LXXI, § 7143(b)(2)(D), Dec. 23, 2022, 136 Stat. 3659.)
§ 660. Cybersecurity plans
(a) Definitions
(b) Intrusion assessment plan
(1) RequirementThe Secretary, in coordination with the Director of the Office of Management and Budget, shall—
(A) develop and implement an intrusion assessment plan to proactively detect, identify, and remove intruders in agency information systems on a routine basis; and
(B) update such plan as necessary.
(2) Exception
(c) Cyber incident response plan
(d) National Response Framework
(e) Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments
(1) In general
(A) Requirement
(B) Recommendations and requirements
(2) ContentsThe strategy required under paragraph (1) shall—
(A) identify capability gaps in the ability of State, local, Tribal, and territorial governments to identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, incidents, and ransomware incidents;
(B) identify Federal resources and capabilities that are available or could be made available to State, local, Tribal, and territorial governments to help those governments identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, incidents, and ransomware incidents;
(C) identify and assess the limitations of Federal resources and capabilities available to State, local, Tribal, and territorial governments to help those governments identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, incidents, and ransomware incidents and make recommendations to address such limitations;
(D) identify opportunities to improve the coordination of the Agency with Federal and non-Federal entities, such as the Multi-State Information Sharing and Analysis Center, to improve—
(i) incident exercises, information sharing and incident notification procedures;
(ii) the ability for State, local, Tribal, and territorial governments to voluntarily adapt and implement guidance in Federal binding operational directives; and
(iii) opportunities to leverage Federal schedules for cybersecurity investments under section 502 of title 40;
(E) recommend new initiatives the Federal Government should undertake to improve the ability of State, local, Tribal, and territorial governments to identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, incidents, and ransomware incidents;
(F) set short-term and long-term goals that will improve the ability of State, local, Tribal, and territorial governments to identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, incidents, and ransomware incidents; and
(G) set dates, including interim benchmarks, as appropriate for State, local, Tribal, and territorial governments to establish baseline capabilities to identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, incidents, and ransomware incidents.
(3) ConsiderationsIn developing the strategy required under paragraph (1), the Director, in coordination with the heads of appropriate Federal agencies, State, local, Tribal, and territorial governments, and other stakeholders, as appropriate, shall consider—
(A) lessons learned from incidents that have affected State, local, Tribal, and territorial governments, and exercises with Federal and non-Federal entities;
(B) the impact of incidents that have affected State, local, Tribal, and territorial governments, including the resulting costs to such governments;
(C) the information related to the interest and ability of state and non-state threat actors to compromise information systems owned or operated by State, local, Tribal, and territorial governments; and
(D) emerging cybersecurity risks and cybersecurity threats to State, local, Tribal, and territorial governments resulting from the deployment of new technologies.
(4) Exemption
(Pub. L. 107–296, title XXII, § 2210, formerly title II, § 228, as added and amended Pub. L. 114–113, div. N, title II, §§ 205, 223(a)(2), (4), (5), Dec. 18, 2015, 129 Stat. 2961, 2963, 2964; renumbered title XXII, § 2210, and amended Pub. L. 115–278, § 2(g)(2)(I), (9)(A)(iv), Nov. 16, 2018, 132 Stat. 4178, 4181; Pub. L. 117–81, div. A, title XV, §§ 1545, 1546, Dec. 27, 2021, 135 Stat. 2057, 2059; Pub. L. 117–263, div. G, title LXXI, § 7143(b)(2)(E), (c)(8), Dec. 23, 2022, 136 Stat. 3660, 3663.)
§ 661. Cybersecurity strategy
(a) In general
(b) ContentsThe strategy required under subsection (a) shall include the following:
(1) Strategic and operational goals and priorities to successfully execute the full range of the Secretary’s cybersecurity responsibilities.
(2) Information on the programs, policies, and activities that are required to successfully execute the full range of the Secretary’s cybersecurity responsibilities, including programs, policies, and activities in furtherance of the following:
(A) Cybersecurity functions set forth in section 659 of this title (relating to the national cybersecurity and communications integration center).
(B) Cybersecurity investigations capabilities.
(C) Cybersecurity research and development.
(D) Engagement with international cybersecurity partners.
(c) ConsiderationsIn developing the strategy required under subsection (a), the Secretary shall—
(1) consider—
(A) the cybersecurity strategy for the Homeland Security Enterprise published by the Secretary in November 2011;
(B) the Department of Homeland Security Fiscal Years 2014–2018 Strategic Plan; and
(C) the most recent Quadrennial Homeland Security Review issued pursuant to section 347 of this title; and
(2) include information on the roles and responsibilities of components and offices of the Department, to the extent practicable, to carry out such strategy.
(d) Implementation planNot later than 90 days after the development of the strategy required under subsection (a), the Secretary shall issue an implementation plan for the strategy that includes the following:
(1) Strategic objectives and corresponding tasks.
(2) Projected timelines and costs for such tasks.
(3) Metrics to evaluate performance of such tasks.
(e) Congressional oversightThe Secretary shall submit to Congress for assessment the following:
(1) A copy of the strategy required under subsection (a) upon issuance.
(2) A copy of the implementation plan required under subsection (d) upon issuance, together with detailed information on any associated legislative or budgetary proposals.
(f) Classified information
(g) Rule of construction
(Pub. L. 107–296, title XXII, § 2211, formerly title II, § 228A, as added Pub. L. 114–328, div. A, title XIX, § 1912(a), Dec. 23, 2016, 130 Stat. 2683; renumbered title XXII, § 2211, and amended Pub. L. 115–278, § 2(g)(2)(I), (9)(A)(v), Nov. 16, 2018, 132 Stat. 4178, 4181; Pub. L. 117–263, div. G, title LXXI, § 7143(b)(2)(F), Dec. 23, 2022, 136 Stat. 3660.)
§ 662. Clearances
The Secretary shall make available the process of application for security clearances under Executive Order 13549 (75 Fed. Reg. 162; 1
1 So in original. Probably should be “51609;”.
relating to a classified national security information program) or any successor Executive Order to appropriate representatives of sector coordinating councils, sector Information Sharing and Analysis Organizations, owners and operators of critical infrastructure, and any other person that the Secretary determines appropriate.(Pub. L. 107–296, title XXII, § 2212, formerly title II, § 229, formerly § 228, as added Pub. L. 113–282, § 7(a), Dec. 18, 2014, 128 Stat. 3070; renumbered § 229, Pub. L. 114–113, div. N, title II, § 223(a)(1), Dec. 18, 2015, 129 Stat. 2963; renumbered title XXII, § 2212, and amended Pub. L. 115–278, § 2(g)(2)(I), (9)(A)(vi), Nov. 16, 2018, 132 Stat. 4178, 4181; Pub. L. 117–263, div. G, title LXXI, § 7143(b)(2)(G), Dec. 23, 2022, 136 Stat. 3660.)
§ 663. Federal intrusion detection and prevention system
(a) Definitions
In this section—
(1) the term “agency” has the meaning given the term in section 3502 of title 44;
(2) the term “agency information” means information collected or maintained by or on behalf of an agency; 1
1 So in original. Probably should be followed by “and”.
(3) the term “agency information system” has the meaning given the term in section 660 of this title; and 2
2 So in original. The “; and” probably should be a period.
(b) Requirement
(1) In general
Not later than 1 year after December 18, 2015, the Secretary shall deploy, operate, and maintain, to make available for use by any agency, with or without reimbursement—
(A) a capability to detect cybersecurity risks in network traffic transiting or traveling to or from an agency information system; and
(B) a capability to prevent network traffic associated with such cybersecurity risks from transiting or traveling to or from an agency information system or modify such network traffic to remove the cybersecurity risk.
(2) Regular improvement
(c) Activities
In carrying out subsection (b), the Secretary—
(1) may access, and the head of an agency may disclose to the Secretary or a private entity providing assistance to the Secretary under paragraph (2), information transiting or traveling to or from an agency information system, regardless of the location from which the Secretary or a private entity providing assistance to the Secretary under paragraph (2) accesses such information, notwithstanding any other provision of law that would otherwise restrict or prevent the head of an agency from disclosing such information to the Secretary or a private entity providing assistance to the Secretary under paragraph (2);
(2) may enter into contracts or other agreements with, or otherwise request and obtain the assistance of, private entities to deploy, operate, and maintain technologies in accordance with subsection (b);
(3) may retain, use, and disclose information obtained through the conduct of activities authorized under this section only to protect information and information systems from cybersecurity risks;
(4) shall regularly assess through operational test and evaluation in real world or simulated environments available advanced protective technologies to improve detection and prevention capabilities, including commercial and noncommercial technologies and detection technologies beyond signature-based detection, and acquire, test, and deploy such technologies when appropriate;
(5) shall establish a pilot through which the Secretary may acquire, test, and deploy, as rapidly as possible, technologies described in paragraph (4); and
(6) shall periodically update the privacy impact assessment required under section 208(b) of the E-Government Act of 2002 (44 U.S.C. 3501 note).
(d) Principles
In carrying out subsection (b), the Secretary shall ensure that—
(1) activities carried out under this section are reasonably necessary for the purpose of protecting agency information and agency information systems from a cybersecurity risk;
(2) information accessed by the Secretary will be retained no longer than reasonably necessary for the purpose of protecting agency information and agency information systems from a cybersecurity risk;
(3) notice has been provided to users of an agency information system concerning access to communications of users of the agency information system for the purpose of protecting agency information and the agency information system; and
(4) the activities are implemented pursuant to policies and procedures governing the operation of the intrusion detection and prevention capabilities.
(e) Private entities
(1) Conditions
A private entity described in subsection (c)(2) may not—
(A) disclose any network traffic transiting or traveling to or from an agency information system to any entity other than the Department or the agency that disclosed the information under subsection (c)(1), including personal information of a specific individual or information that identifies a specific individual not directly related to a cybersecurity risk; or
(B) use any network traffic transiting or traveling to or from an agency information system to which the private entity gains access in accordance with this section for any purpose other than to protect agency information and agency information systems against cybersecurity risks or to administer a contract or other agreement entered into pursuant to subsection (c)(2) or as part of another contract with the Secretary.
(2) Limitation on liability
(3) Rule of construction
(f) Privacy Officer review
(Pub. L. 107–296, title XXII, § 2213, formerly title II, § 230, as added Pub. L. 114–113, div. N, title II, § 223(a)(6), Dec. 18, 2015, 129 Stat. 2964; renumbered title XXII, § 2213, and amended Pub. L. 115–278, § 2(g)(2)(I), (9)(A)(vii), Nov. 16, 2018, 132 Stat. 4178, 4181; Pub. L. 117–263, div. G, title LXXI, § 7143(b)(2)(H), Dec. 23, 2022, 136 Stat. 3660.)
§ 664. National asset database
(a) Establishment
(1) National asset database
The Secretary shall establish and maintain a national database of each system or asset that—
(A) the Secretary, in consultation with appropriate homeland security officials of the States, determines to be vital and the loss, interruption, incapacity, or destruction of which would have a negative or debilitating effect on the economic security, public health, or safety of the United States, any State, or any local government; or
(B) the Secretary determines is appropriate for inclusion in the database.
(2) Prioritized critical infrastructure list
(b) Use of database
(c) Maintenance of database
(1) In general
The Secretary shall maintain and annually update the database established under subsection (a)(1) and the list established under subsection (a)(2), including—
(A) establishing data collection guidelines and providing such guidelines to the appropriate homeland security official of each State;
(B) regularly reviewing the guidelines established under subparagraph (A), including by consulting with the appropriate homeland security officials of States, to solicit feedback about the guidelines, as appropriate;
(C) after providing the homeland security official of a State with the guidelines under subparagraph (A), allowing the official a reasonable amount of time to submit to the Secretary any data submissions recommended by the official for inclusion in the database established under subsection (a)(1);
(D) examining the contents and identifying any submissions made by such an official that are described incorrectly or that do not meet the guidelines established under subparagraph (A); and
(E) providing to the appropriate homeland security official of each relevant State a list of submissions identified under subparagraph (D) for review and possible correction before the Secretary finalizes the decision of which submissions will be included in the database established under subsection (a)(1).
(2) Organization of information in database
The Secretary shall organize the contents of the database established under subsection (a)(1) and the list established under subsection (a)(2) as the Secretary determines is appropriate. Any organizational structure of such contents shall include the categorization of the contents—
(A) according to the sectors listed in National Infrastructure Protection Plan developed pursuant to Homeland Security Presidential Directive–7; and
(B) by the State and county of their location.
(3) Private sector integration
(4) Retention of classification
(d) Reports
(1) Report required
(2) Contents of report
Each such report shall include the following:
(A) The name, location, and sector classification of each of the systems and assets on the list established under subsection (a)(2).
(B) The name, location, and sector classification of each of the systems and assets on such list that are determined by the Secretary to be most at risk to terrorism.
(C) Any significant challenges in compiling the list of the systems and assets included on such list or in the database established under subsection (a)(1).
(D) Any significant changes from the preceding report in the systems and assets included on such list or in such database.
(E) If appropriate, the extent to which such database and such list have been used, individually or jointly, for allocating funds by the Federal Government to prevent, reduce, mitigate, or respond to acts of terrorism.
(F) The amount of coordination between the Department and the private sector, through any entity of the Department that meets with representatives of private sector industries for purposes of such coordination, for the purpose of ensuring the accuracy of such database and such list.
(G) Any other information the Secretary deems relevant.
(3) Classified information
(e) National Infrastructure Protection Consortium
The Secretary may establish a consortium to be known as the “National Infrastructure Protection Consortium”. The Consortium may advise the Secretary on the best way to identify, generate, organize, and maintain any database or list of systems and assets established by the Secretary, including the database established under subsection (a)(1) and the list established under subsection (a)(2). If the Secretary establishes the National Infrastructure Protection Consortium, the Consortium may—
(1) be composed of national laboratories, Federal agencies, State and local homeland security organizations, academic institutions, or national Centers of Excellence that have demonstrated experience working with and identifying critical infrastructure and key resources; and
(2) provide input to the Secretary on any request pertaining to the contents of such database or such list.
(Pub. L. 107–296, title XXII, § 2214, formerly title II, § 210E, as added Pub. L. 110–53, title X, § 1001(a), Aug. 3, 2007, 121 Stat. 372; renumbered title XXII, § 2214, and amended Pub. L. 115–278, § 2(g)(2)(G), (9)(A)(viii), Nov. 16, 2018, 132 Stat. 4178, 4181; Pub. L. 116–283, div. H, title XC, § 9002(c)(2)(E), Jan. 1, 2021, 134 Stat. 4773.)
§ 665. Duties and authorities relating to .gov internet domain
(a) Definition
(b) Availability of .gov internet domainThe Director shall make .gov internet domain name registration services, as well as any supporting services described in subsection (e), generally available—
(1) to any Federal, State, local, or territorial government entity, or other publicly controlled entity, including any Tribal government recognized by the Federal Government or a State government, that complies with the requirements for registration developed by the Director as described in subsection (c);
(2) without conditioning registration on the sharing of any information with the Director or any other Federal entity, other than the information required to meet the requirements described in subsection (c); and
(3) without conditioning registration on participation in any separate service offered by the Director or any other Federal entity.
(c) RequirementsThe Director, with the approval of the Director of the Office of Management and Budget for agency .gov internet domain requirements and in consultation with the Director of the Office of Management and Budget for .gov internet domain requirements for entities that are not agencies, shall establish and publish on a publicly available website requirements for the registration and operation of .gov internet domains sufficient to—
(1) minimize the risk of .gov internet domains whose names could mislead or confuse users;
(2) establish that .gov internet domains may not be used for commercial or political campaign purposes;
(3) ensure that domains are registered and maintained only by authorized individuals; and
(4) limit the sharing or use of any information obtained through the administration of the .gov internet domain with any other Department component or any other agency for any purpose other than the administration of the .gov internet domain, the services described in subsection (e), and the requirements for establishing a .gov inventory described in subsection (h).
(d) Executive branch
(1) In general
(2) Approval required
(3) Compliance
(e) Supporting services
(1) In general
(2) Rule of constructionNothing in paragraph (1) shall be construed to—
(A) limit other authorities of the Director to provide services or technical assistance to an entity described in subsection (b)(1); or
(B) establish new authority for services other than those the purpose of which expressly supports the operation of .gov internet domains and the needs of .gov internet domain registrants.
(f) Fees
(1) In general
(2) Limitation
(g) Consultation
(h) .gov inventory
(1) In generalThe Director shall, on a continuous basis—
(A) inventory all hostnames and services in active use within the .gov internet domain; and
(B) provide the data described in subparagraph (A) to domain registrants at no cost.
(2) RequirementsIn carrying out paragraph (1)—
(A) data may be collected through analysis of public and non-public sources, including commercial data sets;
(B) the Director shall share with Federal and non-Federal domain registrants all unique hostnames and services discovered within the zone of their registered domain;
(C) the Director shall share any data or information collected or used in the management of the .gov internet domain name registration services relating to Federal executive branch registrants with the Director of the Office of Management and Budget for the purpose of fulfilling the duties of the Director of the Office of Management and Budget under section 3553 of title 44;
(D) the Director shall publish on a publicly available website discovered hostnames that describe publicly accessible agency websites, to the extent consistent with the security of Federal information systems but with the presumption of disclosure;
(E) the Director may publish on a publicly available website any analysis conducted and data collected relating to compliance with Federal mandates and industry best practices, to the extent consistent with the security of Federal information systems but with the presumption of disclosure; and
(F) the Director shall—
(i) collect information on the use of non-.gov internet domain suffixes by agencies for their official online services;
(ii) collect information on the use of non-.gov internet domain suffixes by State, local, Tribal, and territorial governments; and
(iii) publish the information collected under clause (i) on a publicly available website to the extent consistent with the security of the Federal information systems, but with the presumption of disclosure.
(3) National security coordination
(A) In general
(B) LimitationThe Director may not inventory, collect, or publish hostnames or services under this subsection if the Director, in coordination with other heads of agencies, as appropriate, determines that the collection or publication would—
(i) disrupt a law enforcement investigation;
(ii) endanger national security or intelligence activities;
(iii) impede national defense activities or military operations; or
(iv) hamper security remediation actions.
(4) Strategy
(Pub. L. 107–296, title XXII, § 2215, as added Pub. L. 116–260, div. U, title IX, § 904(b)(1)(B), Dec. 27, 2020, 134 Stat. 2298; Pub. L. 117–81, div. A, title XV, § 1547(b)(1)(A)(ii), (B), Dec. 27, 2021, 135 Stat. 2060, 2061; Pub. L. 117–263, div. G, title LXXI, § 7143(a)(1), Dec. 23, 2022, 136 Stat. 3654.)
§ 665a. Intelligence and cybersecurity diversity fellowship program
(a) DefinitionsIn this section:
(1) Appropriate committees of CongressThe term “appropriate committees of Congress” means—
(A) the Committee on Homeland Security and Governmental Affairs and the Select Committee on Intelligence of the Senate; and
(B) the Committee on Homeland Security and the Permanent Select Committee on Intelligence of the House of Representatives.
(2) Excepted service
(3) Historically Black college or university
(4) Institution of higher education
(5) Minority-serving institution
(b) ProgramThe Secretary shall carry out an intelligence and cybersecurity diversity fellowship program (in this section referred to as the “Program”) under which an eligible individual may—
(1) participate in a paid internship at the Department that relates to intelligence, cybersecurity, or some combination thereof;
(2) receive tuition assistance from the Secretary; and
(3) upon graduation from an institution of higher education and successful completion of the Program (as defined by the Secretary), receive an offer of employment to work in an intelligence or cybersecurity position of the Department that is in the excepted service.
(c) EligibilityTo be eligible to participate in the Program, an individual shall—
(1) be a citizen of the United States; and
(2) as of the date of submitting the application to participate in the Program—
(A) have a cumulative grade point average of at least 3.2 on a 4.0 scale;
(B) be a socially disadvantaged individual (as that term in 1
1 So in original. Probably should be “is”.
defined in section 124.103 of title 13, Code of Federal Regulations, or successor regulation); and(C) be a sophomore, junior, or senior at an institution of higher education.
(d) Direct hire authority
(e) Reports
(1) Reports
(2) MattersEach report under paragraph (1) shall include, with respect to the most recent year, the following:
(A) A description of outreach efforts by the Secretary to raise awareness of the Program among institutions of higher education in which eligible individuals are enrolled.
(B) Information on specific recruiting efforts conducted by the Secretary to increase participation in the Program.
(C) The number of individuals participating in the Program, listed by the institution of higher education in which the individual is enrolled at the time of participation, and information on the nature of such participation, including on whether the duties of the individual under the Program relate primarily to intelligence or to cybersecurity.
(D) The number of individuals who accepted an offer of employment under the Program and an identification of the element within the Department to which each individual was appointed.
(Pub. L. 107–296, title XIII, § 1333, as added Pub. L. 116–260, div. W, title IV, § 404(a), Dec. 27, 2020, 134 Stat. 2378.)
§ 665b. Joint cyber planning office
(a) Establishment of Office
(b) Planning and executionIn leading the development of plans for cyber defense operations pursuant to subsection (a), the head of the Office shall—
(1) coordinate with relevant Federal departments and agencies to establish processes and procedures necessary to develop and maintain ongoing coordinated plans for cyber defense operations;
(2) leverage cyber capabilities and authorities of participating Federal departments and agencies, as appropriate, in furtherance of plans for cyber defense operations;
(3) ensure that plans for cyber defense operations are, to the greatest extent practicable, developed in collaboration with relevant private sector entities, particularly in areas in which such entities have comparative advantages in limiting, mitigating, or defending against a cybersecurity risk or incident or coordinated, malicious cyber operation;
(4) ensure that plans for cyber defense operations, as appropriate, are responsive to potential adversary activity conducted in response to United States offensive cyber operations;
(5) facilitate the exercise of plans for cyber defense operations, including by developing and modeling scenarios based on an understanding of adversary threats to, vulnerability of, and potential consequences of disruption or compromise of critical infrastructure;
(6) coordinate with and, as necessary, support relevant Federal departments and agencies in the establishment of procedures, development of additional plans, including for offensive and intelligence activities in support of cyber defense operations, and creation of agreements necessary for the rapid execution of plans for cyber defense operations when a cybersecurity risk or incident or malicious cyber operation has been identified; and
(7) support public and private sector entities, as appropriate, in the execution of plans developed pursuant to this section.
(c) CompositionThe Office shall be composed of—
(1) a central planning staff; and
(2) appropriate representatives of Federal departments and agencies, including—
(A) the Department;
(B) United States Cyber Command;
(C) the National Security Agency;
(D) the Federal Bureau of Investigation;
(E) the Department of Justice; and
(F) the Office of the Director of National Intelligence.
(d) ConsultationIn carrying out its responsibilities described in subsection (b), the Office shall regularly consult with appropriate representatives of non-Federal entities, such as—
(1) State, local, federally-recognized Tribal, and territorial governments;
(2) Information Sharing and Analysis Organizations, including information sharing and analysis centers;
(3) owners and operators of critical information systems;
(4) private entities; and
(5) other appropriate representatives or entities, as determined by the Secretary.
(e) Interagency agreements
(f) Definitions
(Pub. L. 107–296, title XXII, § 2216, formerly § 2215, as added Pub. L. 116–283, div. A, title XVII, § 1715(a), Jan. 1, 2021, 134 Stat. 4092; renumbered § 2216 and amended Pub. L. 117–81, div. A, title XV, § 1547(b)(1)(A)(iii), Dec. 27, 2021, 135 Stat. 2061; Pub. L. 117–263, div. G, title LXXI, § 7143(b)(2)(I), Dec. 23, 2022, 136 Stat. 3660.)
§ 665c. Cybersecurity State Coordinator
(a) Appointment
(b) Duties
The duties of a Cybersecurity State Coordinator appointed under subsection (a) shall include—
(1) building strategic public and, on a voluntary basis, private sector relationships, including by advising on establishing governance structures to facilitate the development and maintenance of secure and resilient infrastructure;
(2) serving as the Federal cybersecurity risk advisor and supporting preparation, response, and remediation efforts relating to cybersecurity risks and incidents;
(3) facilitating the sharing of cyber threat information to improve understanding of cybersecurity risks and situational awareness of cybersecurity incidents;
(4) raising awareness of the financial, technical, and operational resources available from the Federal Government to non-Federal entities to increase resilience against cyber threats;
(5) supporting training, exercises, and planning for continuity of operations to expedite recovery from cybersecurity incidents, including ransomware;
(6) serving as a principal point of contact for non-Federal entities to engage, on a voluntary basis, with the Federal Government on preparing, managing, and responding to cybersecurity incidents;
(7) assisting non-Federal entities in developing and coordinating vulnerability disclosure programs consistent with Federal and information security industry standards;
(8) assisting State, local, Tribal, and territorial governments, on a voluntary basis, in the development of State cybersecurity plans;
(9) coordinating with appropriate officials within the Agency; and
(10) performing such other duties as determined necessary by the Director to achieve the goal of managing cybersecurity risks in the United States and reducing the impact of cyber threats to non-Federal entities.
(c) Feedback
(Pub. L. 107–296, title XXII, § 2217, formerly § 2215, as added Pub. L. 116–283, div. A, title XVII, § 1717(a)(1)(B), Jan. 1, 2021, 134 Stat. 4099; renumbered § 2217 and amended Pub. L. 117–81, div. A, title XV, § 1547(b)(1)(A)(iv), Dec. 27, 2021, 135 Stat. 2061.)
§ 665d. Sector Risk Management Agencies
(a) In generalConsistent with applicable law, Presidential directives, Federal regulations, and strategic guidance from the Secretary, each Sector Risk Management Agency, in coordination with the Director, shall—
(1) provide specialized sector-specific expertise to critical infrastructure owners and operators within its designated critical infrastructure sector or subsector of such sector; and
(2) support programs and associated activities of such sector or subsector of such sector.
(b) ImplementationIn carrying out this section, Sector Risk Management Agencies shall—
(1) coordinate with the Department and, as appropriate, other relevant Federal departments and agencies;
(2) collaborate with critical infrastructure owners and operators within the designated critical infrastructure sector or subsector of such sector; and
(3) coordinate with independent regulatory agencies, and State, local, Tribal, and territorial entities, as appropriate.
(c) ResponsibilitiesConsistent with applicable law, Presidential directives, Federal regulations, and strategic guidance from the Secretary, each Sector Risk Management Agency shall utilize its specialized expertise regarding its designated critical infrastructure sector or subsector of such sector and authorities under applicable law to—
(1) support sector risk management, in coordination with the Director, including—
(A) establishing and carrying out programs to assist critical infrastructure owners and operators within the designated sector or subsector of such sector in identifying, understanding, and mitigating threats, vulnerabilities, and risks to their systems or assets, or within a region, sector, or subsector of such sector; and
(B) recommending security measures to mitigate the consequences of destruction, compromise, and disruption of systems and assets;
(2) assess sector risk, in coordination with the Director, including—
(A) identifying, assessing, and prioritizing risks within the designated sector or subsector of such sector, considering physical security and cybersecurity threats, vulnerabilities, and consequences; and
(B) supporting national risk assessment efforts led by the Department;
(3) sector coordination, including—
(A) serving as a day-to-day Federal interface for the prioritization and coordination of sector-specific activities and responsibilities under this title;
(B) serving as the Federal Government coordinating council chair for the designated sector or subsector of such sector; and
(C) participating in cross-sector coordinating councils, as appropriate;
(4) facilitating, in coordination with the Director, the sharing with the Department and other appropriate Federal department of information regarding physical security and cybersecurity threats within the designated sector or subsector of such sector, including—
(A) facilitating, in coordination with the Director, access to, and exchange of, information and intelligence necessary to strengthen the security of critical infrastructure, including through Information Sharing and Analysis Organizations and the national cybersecurity and communications integration center established pursuant to section 659 of this title;
(B) facilitating the identification of intelligence needs and priorities of critical infrastructure owners and operators in the designated sector or subsector of such sector, in coordination with the Director of National Intelligence and the heads of other Federal departments and agencies, as appropriate;
(C) providing the Director, and facilitating awareness within the designated sector or subsector of such sector, of ongoing, and where possible, real-time awareness of identified threats, vulnerabilities, mitigations, and other actions related to the security of such sector or subsector of such sector; and
(D) supporting the reporting requirements of the Department under applicable law by providing, on an annual basis, sector-specific critical infrastructure information;
(5) supporting incident management, including—
(A) supporting, in coordination with the Director, incident management and restoration efforts during or following a security incident; and
(B) supporting the Director, upon request, in national cybersecurity asset response activities for critical infrastructure; and
(6) contributing to emergency preparedness efforts, including—
(A) coordinating with critical infrastructure owners and operators within the designated sector or subsector of such sector and the Director in the development of planning documents for coordinated action in the event of a natural disaster, act of terrorism, or other man-made disaster or emergency;
(B) participating in and, in coordination with the Director, conducting or facilitating, exercises and simulations of potential natural disasters, acts of terrorism, or other man-made disasters or emergencies within the designated sector or subsector of such sector; and
(C) supporting the Department and other Federal departments or agencies in developing planning documents or conducting exercises or simulations when relevant to the designated sector or subsector or such sector.
(Pub. L. 107–296, title XXII, § 2218, formerly § 2215, as added Pub. L. 116–283, div. H, title XC, § 9002(c)(1), Jan. 1, 2021, 134 Stat. 4770; renumbered § 2218 and amended Pub. L. 117–81, div. A, title XV, § 1547(b)(1)(A)(v), Dec. 27, 2021, 135 Stat. 2061; Pub. L. 117–263, div. G, title LXXI, § 7143(b)(2)(J), Dec. 23, 2022, 136 Stat. 3660.)
§ 665e. Cybersecurity Advisory Committee
(a) Establishment
(b) Duties
(1) In general
(2) Recommendations
(A) In general
(B) Recommendations of subcommittees
(3) Periodic reportsThe Advisory Committee shall periodically submit to the Director—
(A) reports on matters identified by the Director; and
(B) reports on other matters identified by a majority of the members of the Advisory Committee.
(4) Annual report
(A) In general
(B) Publication
(5) FeedbackNot later than 90 days after receiving any recommendation submitted by the Advisory Committee under paragraph (2), (3), or (4), the Director shall respond in writing to the Advisory Committee with feedback on the recommendation. Such a response shall include—
(A) with respect to any recommendation with which the Director concurs, an action plan to implement the recommendation; and
(B) with respect to any recommendation with which the Director does not concur, a justification for why the Director does not plan to implement the recommendation.
(6) Congressional notification
(7) Governance rules
(c) Membership
(1) Appointment
(A) In general
(B) Composition
(C) Representation
(i) In generalThe membership of the Advisory Committee shall satisfy the following criteria:(I) Consist of subject matter experts.(II) Be geographically balanced.(III) Include representatives of State, local, and Tribal governments and of a broad range of industries, which may include the following:(aa) Defense.(bb) Education.(cc) Financial services and insurance.(dd) Healthcare.(ee) Manufacturing.(ff) Media and entertainment.(gg) Chemicals.(hh) Retail.(ii) Transportation.(jj) Energy.(kk) Information Technology.(ll) Communications.(mm) Other relevant fields identified by the Director.
(ii) Prohibition
(iii) Publication of membership list
(2) Term of office
(A) Terms
(B) Removal
(C) Reappointment
(3) Prohibition on compensation
(4) Meetings
(A) In general
(B) Public meetings
(C) Attendance
(5) Member access to classified information
(A) In general
(B) Access
(C) Protections
(D) Rule of construction
(6) ChairpersonThe Advisory Committee shall select, from among the members of the Advisory Committee—
(A) a member to serve as chairperson of the Advisory Committee; and
(B) a member to serve as chairperson of each subcommittee of the Advisory Committee established under subsection (d).
(d) Subcommittees
(1) In generalThe Director shall establish subcommittees within the Advisory Committee to address cybersecurity issues, which may include the following:
(A) Information exchange.
(B) Critical infrastructure.
(C) Risk management.
(D) Public and private partnerships.
(2) Meetings and reporting
(3) Subject matter experts
(Pub. L. 107–296, title XXII, § 2219, formerly § 2216, as added Pub. L. 116–283, div. A, title XVII, § 1718(a), Jan. 1, 2021, 134 Stat. 4102; renumbered § 2219 and amended Pub. L. 117–81, div. A, title XV, § 1547(b)(1)(A)(vi), Dec. 27, 2021, 135 Stat. 2061.)
§ 665f. Cybersecurity education and training programs
(a) Establishment
(1) In general
(2) PurposeThe purpose of CETAP shall be to support the effort of the Agency in building and strengthening a national cybersecurity workforce pipeline capacity through enabling elementary and secondary cybersecurity education, including by—
(A) providing foundational cybersecurity awareness and literacy;
(B) encouraging cybersecurity career exploration; and
(C) supporting the teaching of cybersecurity skills at the elementary and secondary education levels.
(b) RequirementsIn carrying out CETAP, the Director shall—
(1) ensure that the program—
(A) creates and disseminates cybersecurity-focused curricula and career awareness materials appropriate for use at the elementary and secondary education levels;
(B) conducts professional development sessions for teachers;
(C) develops resources for the teaching of cybersecurity-focused curricula described in subparagraph (A);
(D) provides direct student engagement opportunities through camps and other programming;
(E) engages with State educational agencies and local educational agencies to promote awareness of the program and ensure that offerings align with State and local curricula;
(F) integrates with existing post-secondary education and workforce development programs at the Department;
(G) promotes and supports national standards for elementary and secondary cyber education;
(H) partners with cybersecurity and education stakeholder groups to expand outreach; and
(I) any other activity the Director determines necessary to meet the purpose described in subsection (a)(2); and
(2) enable the deployment of CETAP nationwide, with special consideration for underserved populations or communities.
(c) Briefings
(1) In general
(2) ContentsEach briefing conducted under paragraph (1) shall include—
(A) estimated figures on the number of students reached and teachers engaged;
(B) information on outreach and engagement efforts, including the activities described in subsection (b)(1)(E);
(C) information on any grants or cooperative agreements made pursuant to subsection (e), including how any such grants or cooperative agreements are being used to enhance cybersecurity education for underserved populations or communities;
(D) information on new curricula offerings and teacher training platforms; and
(E) information on coordination with post-secondary education and workforce development programs at the Department.
(d) Mission promotion
(e) Grants and cooperative agreementsThe Director may award financial assistance in the form of grants or cooperative agreements to States, local governments, institutions of higher education (as such term is defined in section 1001 of title 20), nonprofit organizations, and other non-Federal entities as determined appropriate by the Director for the purpose of funding cybersecurity and infrastructure security education and training programs and initiatives to—
(1) carry out the purposes of CETAP; and
(2) enhance CETAP to address the national shortfall of cybersecurity professionals.
(Pub. L. 107–296, title XXII, § 2220, formerly § 2217, as added Pub. L. 116–283, div. A, title XVII, § 1719(c), Jan. 1, 2021, 134 Stat. 4106; renumbered § 2220 and amended Pub. L. 117–81, div. A, title XV, § 1547(b)(1)(A)(vii), Dec. 27, 2021, 135 Stat. 2061; Pub. L. 117–263, div. G, title LXXI, § 7104, Dec. 23, 2022, 136 Stat. 3622.)
§ 665g. State and Local Cybersecurity Grant Program
(a) DefinitionsIn this section:
(1) Cybersecurity Plan
(2) Eligible entityThe term “eligible entity” means a—
(A) State; or
(B) Tribal government.
(3) Multi-entity group
(4) Online service
(5) Rural area
(6) State and Local Cybersecurity Grant Program
(7) Tribal government
(b) Establishment
(1) In general
(2) Application
(c) Administration
(d) Use of fundsAn eligible entity that receives a grant under this section and a local government that receives funds from a grant under this section, as appropriate, shall use the grant to—
(1) implement the Cybersecurity Plan of the eligible entity;
(2) develop or revise the Cybersecurity Plan of the eligible entity;
(3) pay expenses directly relating to the administration of the grant, which shall not exceed 5 percent of the amount of the grant;
(4) assist with activities that address imminent cybersecurity threats, as confirmed by the Secretary, acting through the Director, to the information systems owned or operated by, or on behalf of, the eligible entity or a local government within the jurisdiction of the eligible entity; or
(5) fund any other appropriate activity determined by the Secretary, acting through the Director.
(e) Cybersecurity plans
(1) In general
(2) Required elementsA Cybersecurity Plan of an eligible entity shall—
(A) incorporate, to the extent practicable—
(i) any existing plans of the eligible entity to protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, State, local, or Tribal governments; and
(ii) if the eligible entity is a State, consultation and feedback from local governments and associations of local governments within the jurisdiction of the eligible entity;
(B) describe, to the extent practicable, how the eligible entity will—
(i) manage, monitor, and track information systems, applications, and user accounts owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, and the information technology deployed on those information systems, including legacy information systems and information technology that are no longer supported by the manufacturer of the systems or technology;
(ii) monitor, audit, and,1
1 So in original. The comma probably should not appear.
track network traffic and activity transiting or traveling to or from information systems, applications, and user accounts owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity;(iii) enhance the preparation, response, and resiliency of information systems, applications, and user accounts owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, against cybersecurity risks and cybersecurity threats;
(iv) implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats on information systems, applications, and user accounts owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity;
(v) ensure that the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, adopt and use best practices and methodologies to enhance cybersecurity, such as—(I) the practices set forth in the cybersecurity framework developed by the National Institute of Standards and Technology;(II) cyber chain supply chain risk management best practices identified by the National Institute of Standards and Technology; and(III) knowledge bases of adversary tools and tactics;
(vi) promote the delivery of safe, recognizable, and trustworthy online services by the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, including through the use of the .gov internet domain;
(vii) ensure continuity of operations of the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, in the event of a cybersecurity incident, including by conducting exercises to practice responding to a cybersecurity incident;
(viii) use the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity developed by the National Institute of Standards and Technology to identify and mitigate any gaps in the cybersecurity workforces of the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, enhance recruitment and retention efforts for those workforces, and bolster the knowledge, skills, and abilities of personnel of the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, to address cybersecurity risks and cybersecurity threats, such as through cybersecurity hygiene training;
(ix) if the eligible entity is a State, ensure continuity of communications and data networks within the jurisdiction of the eligible entity between the eligible entity and local governments within the jurisdiction of the eligible entity in the event of an incident involving those communications or data networks;
(x) assess and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity threats relating to critical infrastructure and key resources, the degradation of which may impact the performance of information systems within the jurisdiction of the eligible entity;
(xi) enhance capabilities to share cyber threat indicators and related information between the eligible entity and—(I) if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, including by expanding information sharing agreements with the Department; and(II) the Department;
(xii) leverage cybersecurity services offered by the Department;
(xiii) implement an information technology and operational technology modernization cybersecurity review process that ensures alignment between information technology and operational technology cybersecurity objectives;
(xiv) develop and coordinate strategies to address cybersecurity risks and cybersecurity threats in consultation with—(I) if the eligible entity is a State, local governments and associations of local governments within the jurisdiction of the eligible entity; and(II) as applicable—(aa) eligible entities that neighbor the jurisdiction of the eligible entity or, as appropriate, members of an Information Sharing and Analysis Organization; and(bb) countries that neighbor the jurisdiction of the eligible entity;
(xv) ensure adequate access to, and participation in, the services and programs described in this subparagraph by rural areas within the jurisdiction of the eligible entity; and
(xvi) distribute funds, items, services, capabilities, or activities to local governments under subsection (n)(2)(A), including the fraction of that distribution the eligible entity plans to distribute to rural areas under subsection (n)(2)(B);
(C) assess the capabilities of the eligible entity relating to the actions described in subparagraph (B);
(D) describe, as appropriate and to the extent practicable, the individual responsibilities of the eligible entity and local governments within the jurisdiction of the eligible entity in implementing the plan;
(E) outline, to the extent practicable, the necessary resources and a timeline for implementing the plan; and
(F) describe the metrics the eligible entity will use to measure progress towards—
(i) implementing the plan; and
(ii) reducing cybersecurity risks to, and identifying, responding to, and recovering from cybersecurity threats to, information systems owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity.
(3) Discretionary elementsIn drafting a Cybersecurity Plan, an eligible entity may—
(A) consult with the Multi-State Information Sharing and Analysis Center;
(B) include a description of cooperative programs developed by groups of local governments within the jurisdiction of the eligible entity to address cybersecurity risks and cybersecurity threats; and
(C) include a description of programs provided by the eligible entity to support local governments and owners and operators of critical infrastructure to address cybersecurity risks and cybersecurity threats.
(f) Multi-entity grants
(1) In general
(2) Satisfaction of other requirementsIn order to be eligible for a multi-entity grant under this subsection, each eligible entity that comprises a multi-entity group shall have—
(A) a Cybersecurity Plan that has been reviewed by the Secretary in accordance with subsection (i); and
(B) a cybersecurity planning committee established in accordance with subsection (g).
(3) Application
(A) In general
(B) Multi-entity project planAn application for a grant under this section of a multi-entity group under subparagraph (A) shall include a plan describing—
(i) the division of responsibilities among the eligible entities that comprise the multi-entity group;
(ii) the distribution of funding from the grant among the eligible entities that comprise the multi-entity group; and
(iii) how the eligible entities that comprise the multi-entity group will work together to implement the Cybersecurity Plan of each of those eligible entities.
(g) Planning committees
(1) In generalAn eligible entity that receives a grant under this section shall establish a cybersecurity planning committee to—
(A) assist with the development, implementation, and revision of the Cybersecurity Plan of the eligible entity;
(B) approve the Cybersecurity Plan of the eligible entity; and
(C) assist with the determination of effective funding priorities for a grant under this section in accordance with subsections (d) and (j).
(2) CompositionA committee of an eligible entity established under paragraph (1) shall—
(A) be comprised of representatives from—
(i) the eligible entity;
(ii) if the eligible entity is a State, counties, cities, and towns within the jurisdiction of the eligible entity; and
(iii) institutions of public education and health within the jurisdiction of the eligible entity; and
(B) include, as appropriate, representatives of rural, suburban, and high-population jurisdictions.
(3) Cybersecurity expertise
(4) Rule of construction regarding existing planning committeesNothing in this subsection shall be construed to require an eligible entity to establish a cybersecurity planning committee if the eligible entity has established and uses a multijurisdictional planning committee or commission that—
(A) meets the requirements of this subsection; or
(B) may be expanded or leveraged to meet the requirements of this subsection, including through the formation of a cybersecurity planning subcommittee.
(5) Rule of construction regarding control of information systems of eligible entities
(h) Special rule for Tribal governments
(i) Review of plans
(1) Review as condition of grant
(A) In generalSubject to paragraph (3), before an eligible entity may receive a grant under this section, the Secretary, acting through the Director, shall—
(i) review the Cybersecurity Plan of the eligible entity, including any revised Cybersecurity Plans of the eligible entity; and
(ii) determine that the Cybersecurity Plan reviewed under clause (i) satisfies the requirements under paragraph (2).
(B) Duration of determination
(C) Annual renewalNot later than 2 years after the date on which the Secretary determines under subparagraph (A)(ii) that a Cybersecurity Plan satisfies the requirements under paragraph (2), and annually thereafter, the Secretary, acting through the Director, shall—
(i) determine whether the Cybersecurity Plan and any revisions continue to meet the criteria described in paragraph (2); and
(ii) renew the determination if the Secretary, acting through the Director, makes a positive determination under clause (i).
(2) Plan requirementsIn reviewing a Cybersecurity Plan of an eligible entity under this subsection, the Secretary, acting through the Director, shall ensure that the Cybersecurity Plan—
(A) satisfies the requirements of subsection (e)(2); and
(B) has been approved by—
(i) the cybersecurity planning committee of the eligible entity established under subsection (g); and
(ii) the Chief Information Officer, the Chief Information Security Officer, or an equivalent official of the eligible entity.
(3) ExceptionNotwithstanding subsection (e) and paragraph (1) of this subsection, the Secretary may award a grant under this section to an eligible entity that does not submit a Cybersecurity Plan to the Secretary for review before September 30, 2023, if the eligible entity certifies to the Secretary that—
(A) the activities that will be supported by the grant are—
(i) integral to the development of the Cybersecurity Plan of the eligible entity; or
(ii) necessary to assist with activities described in subsection (d)(4), as confirmed by the Director; and
(B) the eligible entity will submit to the Secretary a Cybersecurity Plan for review under this subsection by September 30, 2023.
(4) Rule of constructionNothing in this subsection shall be construed to provide authority to the Secretary to—
(A) regulate the manner by which an eligible entity or local government improves the cybersecurity of the information systems owned or operated by, or on behalf of, the eligible entity or local government; or
(B) condition the receipt of grants under this section on—
(i) participation in a particular Federal program; or
(ii) the use of a specific product or technology.
(j) Limitations on uses of funds
(1) In generalAny entity that receives funds from a grant under this section may not use the grant—
(A) to supplant State or local funds;
(B) for any recipient cost-sharing contribution;
(C) to pay a ransom;
(D) for recreational or social purposes; or
(E) for any purpose that does not address cybersecurity risks or cybersecurity threats on information systems owned or operated by, or on behalf of, the eligible entity that receives the grant or a local government within the jurisdiction of the eligible entity.
(2) Compliance oversight
(3) Rule of construction
(k) Opportunity to amend applications
(l) ApportionmentFor fiscal year 2022 and each fiscal year thereafter, the Secretary shall apportion amounts appropriated to carry out this section among eligible entities as follows:
(1) Baseline amountThe Secretary shall first apportion—
(A) 0.25 percent of such amounts to each of American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, and the United States Virgin Islands;
(B) 1 percent of such amounts to each of the remaining States; and
(C) 3 percent of such amounts to Tribal governments.
(2) RemainderThe Secretary shall apportion the remainder of such amounts to States as follows:
(A) 50 percent of such remainder in the ratio that the population of each State, bears to the population of all States; and
(B) 50 percent of such remainder in the ratio that the population of each State that resides in rural areas, bears to the population of all States that resides in rural areas.
(3) Apportionment among Tribal governments
(4) Multi-entity grants
(m) Federal share
(1) In generalThe Federal share of the cost of an activity carried out using funds made available with a grant under this section may not exceed—
(A) in the case of a grant to an eligible entity—
(i) for fiscal year 2022, 90 percent;
(ii) for fiscal year 2023, 80 percent;
(iii) for fiscal year 2024, 70 percent; and
(iv) for fiscal year 2025, 60 percent; and
(B) in the case of a grant to a multi-entity group—
(i) for fiscal year 2022, 100 percent;
(ii) for fiscal year 2023, 90 percent;
(iii) for fiscal year 2024, 80 percent; and
(iv) for fiscal year 2025, 70 percent.
(2) Waiver
(A) In general
(B) Guidelines
(C) ConsiderationsIn developing guidelines under subparagraph (B), the Secretary shall consider, with respect to the jurisdiction of an eligible entity—
(i) changes in rates of unemployment in the jurisdiction from previous years;
(ii) changes in the percentage of individuals who are eligible to receive benefits under the supplemental nutrition assistance program established under the Food and Nutrition Act of 2008 (7 U.S.C. 2011 et seq.) from previous years; and
(iii) any other factors the Secretary considers appropriate.
(3) Waiver for Tribal governments
(n) Responsibilities of grantees
(1) CertificationEach eligible entity or multi-entity group that receives a grant under this section shall certify to the Secretary that the grant will be used—
(A) for the purpose for which the grant is awarded; and
(B) in compliance with subsections (d) and (j).
(2) Availability of funds to local governments and rural areas
(A) In generalSubject to subparagraph (C), not later than 45 days after the date on which an eligible entity or multi-entity group receives a grant under this section, the eligible entity or multi-entity group shall, without imposing unreasonable or unduly burdensome requirements as a condition of receipt, obligate or otherwise make available to local governments within the jurisdiction of the eligible entity or the eligible entities that comprise the multi-entity group, consistent with the Cybersecurity Plan of the eligible entity or the Cybersecurity Plans of the eligible entities that comprise the multi-entity group—
(i) not less than 80 percent of funds available under the grant;
(ii) with the consent of the local governments, items, services, capabilities, or activities having a value of not less than 80 percent of the amount of the grant; or
(iii) with the consent of the local governments, grant funds combined with other items, services, capabilities, or activities having the total value of not less than 80 percent of the amount of the grant.
(B) Availability to rural areasIn obligating funds, items, services, capabilities, or activities to local governments under subparagraph (A), the eligible entity or eligible entities that comprise the multi-entity group shall ensure that rural areas within the jurisdiction of the eligible entity or the eligible entities that comprise the multi-entity group receive not less than—
(i) 25 percent of the amount of the grant awarded to the eligible entity;
(ii) items, services, capabilities, or activities having a value of not less than 25 percent of the amount of the grant awarded to the eligible entity; or
(iii) grant funds combined with other items, services, capabilities, or activities having the total value of not less than 25 percent of the grant awarded to the eligible entity.
(C) ExceptionsThis paragraph shall not apply to—
(i) any grant awarded under this section that solely supports activities that are integral to the development or revision of the Cybersecurity Plan of the eligible entity; or
(ii) the District of Columbia, the Commonwealth of Puerto Rico, American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, the United States Virgin Islands, or a Tribal government.
(3) Certifications regarding distribution of grant funds to local governments
(4) Extension of period
(A) In general
(B) Approval
(5) Direct funding
(6) Limitation on construction
(7) Consultation in allocating funds
(8) PenaltiesIn addition to other remedies available to the Secretary, if an eligible entity violates a requirement of this subsection, the Secretary may—
(A) terminate or reduce the amount of a grant awarded under this section to the eligible entity; or
(B) distribute grant funds previously awarded to the eligible entity—
(i) in the case of an eligible entity that is a State, directly to the appropriate local government as a replacement grant in an amount determined by the Secretary; or
(ii) in the case of an eligible entity that is a Tribal government, to another Tribal government or Tribal governments as a replacement grant in an amount determined by the Secretary.
(o) Consultation with State, local, and Tribal representativesIn carrying out this section, the Secretary shall consult with State, local, and Tribal representatives with professional experience relating to cybersecurity, including representatives of associations representing State, local, and Tribal governments, to inform—
(1) guidance for applicants for grants under this section, including guidance for Cybersecurity Plans;
(2) the study of risk-based formulas required under subsection (q)(4);
(3) the development of guidelines required under subsection (m)(2)(B); and
(4) any modifications described in subsection (q)(2)(D).
(p) Notification to Congress
(q) Reports, study, and review
(1) Annual reports by grant recipients
(A) In generalNot later than 1 year after the date on which an eligible entity receives a grant under this section for the purpose of implementing the Cybersecurity Plan of the eligible entity, including an eligible entity that comprises a multi-entity group that receives a grant for that purpose, and annually thereafter until 1 year after the date on which funds from the grant are expended or returned, the eligible entity shall submit to the Secretary a report that, using the metrics described in the Cybersecurity Plan of the eligible entity, describes the progress of the eligible entity in—
(i) implementing the Cybersecurity Plan of the eligible entity; and
(ii) reducing cybersecurity risks to, and identifying, responding to, and recovering from cybersecurity threats to, information systems owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity.
(B) Absence of planNot later than 1 year after the date on which an eligible entity that does not have a Cybersecurity Plan receives funds under this section, and annually thereafter until 1 year after the date on which funds from the grant are expended or returned, the eligible entity shall submit to the Secretary a report describing how the eligible entity obligated and expended grant funds to—
(i) develop or revise a Cybersecurity Plan; or
(ii) assist with the activities described in subsection (d)(4).
(2) Annual reports to CongressNot less frequently than annually, the Secretary, acting through the Director, shall submit to Congress a report on—
(A) the use of grants awarded under this section;
(B) the proportion of grants used to support cybersecurity in rural areas;
(C) the effectiveness of the State and Local Cybersecurity Grant Program;
(D) any necessary modifications to the State and Local Cybersecurity Grant Program; and
(E) any progress made toward—
(i) developing, implementing, or revising Cybersecurity Plans; and
(ii) reducing cybersecurity risks to, and identifying, responding to, and recovering from cybersecurity threats to, information systems owned or operated by, or on behalf of, State, local, or Tribal governments as a result of the award of grants under this section.
(3) Public availability
(A) In general
(B) Redactions
(4) Study of risk-based formulas
(A) In generalNot later than September 30, 2024, the Secretary, acting through the Director, shall submit to the appropriate congressional committees a study and legislative recommendations on the potential use of a risk-based formula for apportioning funds under this section, including—
(i) potential components that could be included in a risk-based formula, including the potential impact of those components on support for rural areas under this section;
(ii) potential sources of data and information necessary for the implementation of a risk-based formula;
(iii) any obstacles to implementing a risk-based formula, including obstacles that require a legislative solution;
(iv) if a risk-based formula were to be implemented for fiscal year 2026, a recommended risk-based formula for the State and Local Cybersecurity Grant Program; and
(v) any other information that the Secretary, acting through the Director, determines necessary to help Congress understand the progress towards, and obstacles to, implementing a risk-based formula.
(B) Inapplicability of Paperwork Reduction Act
(5) Tribal cybersecurity needs reportNot later than 2 years after November 15, 2021, the Secretary, acting through the Director, shall submit to Congress a report that—
(A) describes the cybersecurity needs of Tribal governments, which shall be determined in consultation with the Secretary of the Interior and Tribal governments; and
(B) includes any recommendations for addressing the cybersecurity needs of Tribal governments, including any necessary modifications to the State and Local Cybersecurity Grant Program to better serve Tribal governments.
(6) GAO reviewNot later than 3 years after November 15, 2021, the Comptroller General of the United States shall conduct a review of the State and Local Cybersecurity Grant Program, including—
(A) the grant selection process of the Secretary; and
(B) a sample of grants awarded under this section.
(r) Authorization of appropriations
(1) In generalThere are authorized to be appropriated for activities under this section—
(A) for fiscal year 2022, $200,000,000;
(B) for fiscal year 2023, $400,000,000;
(C) for fiscal year 2024, $300,000,000; and
(D) for fiscal year 2025, $100,000,000.
(2) Transfers authorized
(A) In general
(B) Additional appropriations
(s) Termination
(1) In general
(2) Exception
(Pub. L. 107–296, title XXII, § 2220A, formerly § 2218, as added Pub. L. 117–58, div. G, title VI, § 70612(a), Nov. 15, 2021, 135 Stat. 1272; renumbered § 2220A and amended Pub. L. 117–81, div. A, title XV, § 1547(b)(1)(A)(viii), Dec. 27, 2021, 135 Stat. 2061; Pub. L. 117–263, div. G, title LXXI, § 7143(b)(2)(K), Dec. 23, 2022, 136 Stat. 3660.)
§ 665h. National Cyber Exercise Program
(a) Establishment of program
(1) In general
(2) Requirements
(A) In generalThe Exercise Program shall be—
(i) based on current risk assessments, including credible threats, vulnerabilities, and consequences;
(ii) designed, to the extent practicable, to simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident;
(iii) designed to provide for the systematic evaluation of cyber readiness and enhance operational understanding of the cyber incident response system and relevant information sharing agreements; and
(iv) designed to promptly develop after-action reports and plans that can quickly incorporate lessons learned into future operations.
(B) Model exercise selectionThe Exercise Program shall—
(i) include a selection of model exercises that government and private entities can readily adapt for use; and
(ii) aid such governments and private entities with the design, implementation, and evaluation of exercises that—(I) conform to the requirements described in subparagraph (A);(II) are consistent with any applicable national, State, local, or Tribal strategy or plan; and(III) provide for systematic evaluation of readiness.
(3) Consultation
(b) DefinitionsIn this section:
(1) State
(2) Private entity
(c) Rule of construction
(Pub. L. 107–296, title XXII, § 2220B, as added Pub. L. 117–81, div. A, title XV, § 1547(a), Dec. 27, 2021, 135 Stat. 2059.)
§ 665i. CyberSentry program
(a) Establishment
(b) Activities
The Director, through CyberSentry, shall—
(1) enter into strategic partnerships with critical infrastructure owners and operators that, in the determination of the Director and subject to the availability of resources, own or operate regionally or nationally significant industrial control systems that support national critical functions, in order to provide technical assistance in the form of continuous monitoring of industrial control systems and the information systems that support such systems and detection of cybersecurity risks to such industrial control systems and other cybersecurity services, as appropriate, based on and subject to the agreement and consent of such owner or operator;
(2) leverage sensitive or classified intelligence about cybersecurity risks regarding particular sectors, particular adversaries, and trends in tactics, techniques, and procedures to advise critical infrastructure owners and operators regarding mitigation measures and share information as appropriate;
(3) identify cybersecurity risks in the information technology and information systems that support industrial control systems which could be exploited by adversaries attempting to gain access to such industrial control systems, and work with owners and operators to remediate such vulnerabilities;
(4) produce aggregated, anonymized analytic products, based on threat hunting and continuous monitoring and detection activities and partnerships, with findings and recommendations that can be disseminated to critical infrastructure owners and operators; and
(5) support activities authorized in accordance with section 1501 of the National Defense Authorization Act for Fiscal Year 2022.
(c) Privacy review
Not later than 180 days after December 27, 2021, the Privacy Officer of the Agency under section 652(h) of this title shall—
(1) review the policies, guidelines, and activities of CyberSentry for compliance with all applicable privacy laws, including such laws governing the acquisition, interception, retention, use, and disclosure of communities; and
(2) submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report certifying compliance with all applicable privacy laws as referred to in paragraph (1), or identifying any instances of noncompliance with such privacy laws.
(d) Report to Congress
(e) Savings
(f) Definition
(g) Termination
(Pub. L. 107–296, title XXII, § 2220C, as added Pub. L. 117–81, div. A, title XV, § 1548(a), Dec. 27, 2021, 135 Stat. 2061; amended Pub. L. 117–263, div. G, title LXXI, § 7143(b)(2)(L), Dec. 23, 2022, 136 Stat. 3661.)
§ 665j. Ransomware threat mitigation activities
(a) Joint Ransomware Task Force
(1) In general
(2) Composition
(3) ResponsibilitiesThe Joint Ransomware Task Force, utilizing only existing authorities of each participating Federal agency, shall coordinate across the Federal Government the following activities:
(A) Prioritization of intelligence-driven operations to disrupt specific ransomware actors.
(B) Consult with relevant private sector, State, local, Tribal, and territorial governments and international stakeholders to identify needs and establish mechanisms for providing input into the Joint Ransomware Task Force.
(C) Identifying, in consultation with relevant entities, a list of highest threat ransomware entities updated on an ongoing basis, in order to facilitate—
(i) prioritization for Federal action by appropriate Federal agencies; and
(ii) identify 1
1 So in original.
metrics for success of said actions.(D) Disrupting ransomware criminal actors, associated infrastructure, and their finances.
(E) Facilitating coordination and collaboration between Federal entities and relevant entities, including the private sector, to improve Federal actions against ransomware threats.
(F) Collection, sharing, and analysis of ransomware trends to inform Federal actions.
(G) Creation of after-action reports and other lessons learned from Federal actions that identify successes and failures to improve subsequent actions.
(H) Any other activities determined appropriate by the Joint Ransomware Task Force to mitigate the threat of ransomware attacks.
(b) Rule of construction
(Pub. L. 117–103, div. Y, § 106, Mar. 15, 2022, 136 Stat. 1056.)
§ 665k. Federal Clearinghouse on School Safety Evidence-based Practices
(a) Establishment
(1) In general
(2) Purpose
(3) Personnel
(A) Assignments
(B) Detailees
(4) Exemptions
(A) Paperwork Reduction Act
(B) Federal Advisory Committee Act
(b) Clearinghouse contents
(1) ConsultationIn identifying the evidence-based practices and recommendations for the Clearinghouse, the Secretary shall—
(A) consult with appropriate Federal, State, local, Tribal, private sector, and nongovernmental organizations, including civil rights and disability rights organizations; and
(B) consult with the Secretary of Education to ensure that evidence-based practices published by the Clearinghouse are aligned with evidence-based practices to support a positive and safe learning environment for all students.
(2) Criteria for evidence-based practices and recommendationsThe evidence-based practices and recommendations of the Clearinghouse shall—
(A) include comprehensive evidence-based school safety measures;
(B) include the evidence or research rationale supporting the determination of the Clearinghouse that the evidence-based practice or recommendation under subparagraph (A) has been shown to have a significant effect on improving the health, safety, and welfare of persons in school settings, including—
(i) relevant research that is evidence-based, as defined in section 7801 of title 20, supporting the evidence-based practice or recommendation;
(ii) findings and data from previous Federal or State commissions recommending improvements to the safety posture of a school; or
(iii) other supportive evidence or findings relied upon by the Clearinghouse in determining evidence-based practices and recommendations, as determined in consultation with the officers described in subsection (a)(3)(B);
(C) include information on Federal programs for which implementation of each evidence-based practice or recommendation is an eligible use for the program;
(D) be consistent with Federal civil rights laws, including title II of the Americans with Disabilities Act of 1990 (42 U.S.C. 12131 et seq.), the Rehabilitation Act of 1973 (29 U.S.C. 701 et seq.), and title VI of the Civil Rights Act of 1964 (42 U.S.C. 2000d et seq.); and
(E) include options for developmentally appropriate recommendations for use in educational settings with respect to children’s ages and physical, social, sensory, and emotionally developmental statuses.
(3) Past commission recommendations
(c) Assistance and training
(d) Continuous improvementThe Secretary shall—
(1) collect for the purpose of continuous improvement of the Clearinghouse—
(A) Clearinghouse data analytics;
(B) user feedback on the implementation of resources, evidence-based practices, and recommendations identified by the Clearinghouse; and
(C) any evaluations conducted on implementation of the evidence-based practices and recommendations of the Clearinghouse; and
(2) in coordination with the Secretary of Education, the Secretary of Health and Human Services, and the Attorney General—
(A) regularly assess and identify Clearinghouse evidence-based practices and recommendations for which there are no resources available through Federal Government programs for implementation; and
(B) establish an external advisory board, which shall be comprised of appropriate State, local, Tribal, private sector, and nongovernmental organizations, including organizations representing parents of elementary and secondary school students, representative 2
2 So in original. Probably should be “representatives”.
from civil rights organizations, representatives of disability rights organizations, representatives of educators, representatives of law enforcement, and nonprofit school safety and security organizations, to—(i) provide feedback on the implementation of evidence-based practices and recommendations of the Clearinghouse; and
(ii) propose additional recommendations for evidence-based practices for inclusion in the Clearinghouse that meet the requirements described in subsection (b)(2)(B).
(e) Parental assistance
(Pub. L. 107–296, title XXII, § 2220D, as added Pub. L. 117–159, div. A, title III, § 13302(a), June 25, 2022, 136 Stat. 1334.)
§ 665l. School and daycare protection
(a) In general
Not later than 180 days after December 23, 2022, and annually thereafter, the Secretary of Homeland Security shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report regarding the following:
(1) The Department of Homeland Security’s activities, policies, and plans to enhance the security of early childhood education programs, elementary schools, and secondary schools during the preceding year that includes information on the Department’s activities through the Federal School Safety Clearinghouse.
(2) Information on all structures or efforts within the Department intended to bolster coordination among departmental components and offices involved in carrying out paragraph (1) and, with respect to each structure or effort, specificity on which components and offices are involved and which component or office leads such structure or effort.
(3) A detailed description of the measures used to ensure privacy rights, civil rights, and civil liberties protections in carrying out these activities.
(b) Briefing
(c) Definitions
(Pub. L. 117–263, div. G, title LXXI, § 7103, Dec. 23, 2022, 136 Stat. 3621.)
§ 665m. President’s Cup Cybersecurity Competition
(a) In general
(b) Eligibility
(c) Competition administration
(d) Competition parameters
Each competition shall incorporate the following elements:
(1) Cybersecurity skills outlined in the National Initiative for Cybersecurity Education Framework, or any successor framework.
(2) Individual and team events.
(3) Categories demonstrating offensive and defensive cyber operations, such as software reverse engineering and exploitation, network operations, forensics, big data analysis, cyber analysis, cyber defense, cyber exploitation, secure programming, obfuscated coding, or cyber-physical systems.
(4) Any other elements related to paragraphs (1), (2), or (3), as determined necessary by the Director.
(e) Use of funds
(1) In general
In order to further the goals and objectives of the competition, the Director may use amounts made available to the Director for the competition for reasonable expenses for the following:
(A) Advertising, marketing, and promoting the competition.
(B) Meals for participants and organizers of the competition if attendance at the meal during the competition is necessary to maintain the integrity of the competition.
(C) Promotional items, including merchandise and apparel.
(D) Consistent with section 4503 of title 5, necessary expenses for the honorary recognition of competition participants, including members of the uniformed services.
(E) Monetary and nonmonetary awards for competition participants, including members of the uniformed services, subject to subsection (f).
(2) Application
(f) Prize limitation
(1) Awards by the Director
(2) Awards by the Secretary of Homeland Security
(3) Regular pay
(4) Overall yearly award limit
(g) Reporting requirements
The Director shall annually provide to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report that includes the following with respect to each competition conducted in the preceding year:
(1) A description of available amounts.
(2) A description of authorized expenditures.
(3) Information relating to participation.
(4) Information relating to lessons learned, and how such lessons may be applied to improve cybersecurity operations and recruitment of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security.
(Pub. L. 117–263, div. G, title LXXI, § 7121, Dec. 23, 2022, 136 Stat. 3638.)
§ 665n. Industrial Control Systems Cybersecurity Training Initiative
(a) Establishment
(1) In general
(2) Purpose
(b) RequirementsIn carrying out the Initiative, the Director shall—
(1) ensure the Initiative includes—
(A) virtual and in-person trainings and courses provided at no cost to participants;
(B) trainings and courses available at different skill levels, including introductory level courses;
(C) trainings and courses that cover cyber defense strategies for industrial control systems, including an understanding of the unique cyber threats facing industrial control systems and the mitigation of security vulnerabilities in industrial control systems technology; and
(D) appropriate consideration regarding the availability of trainings and courses in different regions of the United States; and 1
1 So in original. The word “and” probably should not appear.
(2) engage in—
(A) collaboration with the National Laboratories of the Department of Energy in accordance with section 189 of this title;
(B) consultation with Sector Risk Management Agencies;2
2 So in original. Probably should be followed by “and”.
(C) as appropriate, consultation with private sector entities with relevant expertise, such as vendors of industrial control systems technologies; and
(3) consult, to the maximum extent practicable, with commercial training providers and academia to minimize the potential for duplication of other training opportunities.
(c) Reports
(1) In general
(2) ContentsEach report submitted under paragraph (1) shall include the following:
(A) A description of the courses provided under the Initiative.
(B) A description of outreach efforts to raise awareness of the availability of such courses.
(C) The number of participants in each course.
(D) Voluntarily provided information on the demographics of participants in such courses, including by sex, race, and place of residence.
(E) Information on the participation in such courses of workers from each critical infrastructure sector.
(F) Plans for expanding access to industrial control systems education and training, including expanding access to women and underrepresented populations, and expanding access to different regions of the United States.
(G) Recommendations regarding how to strengthen the state of industrial control systems cybersecurity education and training.
(Pub. L. 107–296, title XXII, § 2220E, as added Pub. L. 117–263, div. G, title LXXI, § 7122(a), Dec. 23, 2022, 136 Stat. 3640.)