Cyber Intelligence Sharing and Protection Act - (Sec. 2) Directs the federal government to conduct cybersecurity activities to provide shared situational awareness enabling integrated operational actions to protect, prevent, mitigate, respond to, and recover from cyber incidents.
Defines "shared situational awareness" as an environment where cyber threat information is shared in real time between all designated federal cyber operations centers to provide actionable information about all known cyber threats.
Directs the President, with respect to information shared by a cybersecurity provider (a non-federal entity that provides goods or services intended to be used for cybersecurity purposes) or self-protected entity (an entity that provides goods or services for cybersecurity purposes to itself), to designate: (1) an entity within the Department of Homeland Security (DHS) as the civilian federal entity to receive cyber threat information under prescribed procedures and subject to specified exceptions, and (2) an entity within the Department of Justice (DOJ) as the civilian federal entity to receive information related to cybersecurity crimes.
Requires federal agencies receiving shared cyber threat information to establish procedures to: (1) ensure that specified information is also shared in real time with appropriate federal agencies with a national security mission; (2) ensure real-time information distribution to other federal agencies; and (3) facilitate information sharing, interaction, and collaboration among and between federal, state, local, tribal, and territorial governments, cybersecurity providers, and self-protected entities.
Directs the DHS, Attorney General, Director of National Intelligence (DNI), and Department of Defense (DOD) to jointly establish and periodically review policies and procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the federal government. Requires such procedures, consistent with the need to protect against and mitigate cyber threats in a timely manner, to: (1) minimize the impact on privacy and civil liberties; (2) reasonably limit the receipt, retention, use, and disclosure of cyber threat information associated with specific persons that is unnecessary to protect against or mitigate cyber threats in a timely manner; (3) include requirements to safeguard non-publicly available cyber threat information that may be used to identify specific persons from unauthorized access or acquisition; (4) protect the confidentiality of cyber threat information associated with specific persons; and (5) not delay or impede the flow of cyber threat information necessary to defend against or mitigate a cyber threat.
Instructs: (1) the DHS, Attorney General, DNI, and DOD to submit such procedures to Congress and establish a program to monitor and oversee the compliance of federal agencies; and (2) federal agencies to implement such procedures and notify such officials and Congress of any significant violations.
Prohibits such procedures from being construed to prohibit any federal agency from engaging in technical discussions regarding cyber threat information with a cybersecurity provider or self-protected entity or from providing technical assistance to address vulnerabilities or mitigate threats at their request. Requires any such activity to be coordinated with DHS and other agencies.
Directs the President's designated DHS entity to share with all appropriate federal agencies all significant information resulting from: (1) technical discussions with a cybersecurity provider or self-protected entity about cyber threat information, or (2) any technical assistance it provides to such cybersecurity provider or such self-protected entity to address vulnerabilities or mitigate threats.
Directs the DHS Inspector General to submit annually to Congress a review of the use of such information shared with the federal government, as well as recommendations for improvements and modifications to address privacy and civil liberties concerns.
Requires the DHS Officer for Civil Rights and Civil Liberties to submit to Congress an annual report assessing the privacy and civil liberties impact of the federal government's cyber threat information sharing activities.
(Sec. 3) Amends the National Security Act of 1947 to add provisions concerning cyber threat intelligence and information sharing. Defines "cyber threat intelligence" as intelligence in the possession of an element of the intelligence community directly pertaining to: (1) a vulnerability of a system or network of a government or private entity or utility; (2) a threat to the integrity, confidentiality, or availability of such a system or network or any information stored on, processed on, or transiting such a system or network; (3) efforts to deny access to or degrade, disrupt, or destroy such a system or network; or (4) efforts to gain unauthorized access to such a system or network, including for the purpose of exfiltrating information. Excludes intelligence pertaining to efforts to gain unauthorized access to such a system or network that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.
Requires the DNI to: (1) establish procedures to allow intelligence community elements to share cyber threat intelligence with private-sector entities and utilities, and (2) encourage the sharing of such intelligence.
Requires the procedures established to ensure that such intelligence is only: (1) shared with certified entities or a person with an appropriate security clearance; (2) shared consistent with the need to protect U.S. national security; (3) used in a manner that protects such intelligence from unauthorized disclosure; and (4) used, retained, or further disclosed by a certified entity for cybersecurity purposes. Provides guidelines for the granting of security clearance approvals to certified entities or officers, employees, or independent contractors of such entities. Prohibits a certified entity receiving such intelligence from further disclosing the information to any entity other than another certified entity or a federal agency authorized to receive such intelligence.
Authorizes a cybersecurity provider, with the express consent of a protected entity (an entity that contracts with a cybersecurity provider), to: (1) use cybersecurity systems to identify and obtain cyber threat information in order to protect the rights and property of the protected entity; and (2) share cyber threat information with any other entity designated by the protected entity, including, if specifically designated, the DHS and DOJ entities designated by the President. Provides cybersecurity system use and threat information sharing authority to self-protected entities.
Sets forth requirements with respect to the use and protection of shared information, including anonymization or minimization of such information and prohibiting the use of such information to gain a competitive advantage and, if shared with the federal government, exempts such information from public disclosure and prohibits the use of such information for regulatory purposes. Specifies that a non-federal recipient may only use such information for a cybersecurity purpose.
Prohibits a civil or criminal cause of action against a protected entity, a self-protected entity, or a cybersecurity provider acting in good faith under the above circumstances.
Prohibits such shared information requirements from being construed to provide new authority to: (1) a cybersecurity provider to use a cybersecurity system to identify or obtain cyber threat information from a system or network other than a system or network owned or operated by a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, or (2) a self-protected entity to use a cybersecurity system to identify or obtain cyber threat information from a system or network other than a system or network owned or operated by such self-protected entity.
Allows the federal government to use shared cyber threat information for: (1) cybersecurity purposes to ensure the integrity, confidentiality, availability, or safeguarding of a system or network; (2) the investigation of cybersecurity crimes; or (3) the protection of individuals from the danger of death or serious bodily harm and the prosecution of crimes involving such dangers (including the protection of minors from child pornography, sexual exploitation, kidnapping, and trafficking). Prohibits the federal government from affirmatively searching such information for any other purpose.
Prohibits the federal government from using certain personally identifiable information shared from sensitive personal documents such as library records, firearms sales records, educational records, tax returns, and medical records. Requires a federal agency receiving information that is not cyber threat information to so notify the entity or provider of such information. Prohibits federal agencies from retaining shared information for any unauthorized use.
Outlines federal government liability for violations of restrictions on the disclosure, use, and protection of voluntarily shared information.
Preempts any state statute that restricts or otherwise regulates specified activity authorized by this Act.
States that nothing in this section shall be construed to: (1) provide additional authority to, or modify existing authority of, any element of the intelligence community to control or direct the cybersecurity efforts of a private-sector entity or a component of the federal government or a state, local, or tribal government; (2) limit or affect existing information sharing relationships of the federal government; (3) preclude the federal government from requiring an entity to report significant cyber incidents under another provision of law; or (4) provide additional authority to, or modify existing authority of, any entity to use a cybersecurity system owned or controlled by the federal government on a private-sector system or network to protect the latter system or network.
Prohibits this section from being construed to authorize the DOD, National Security Agency (NSA), or any other intelligence community element to target a U.S. person for surveillance.
(Sec. 4) Repeals amendments made by this Act five years after enactment of this Act.
(Sec. 5) Expresses the sense of Congress that international cooperation with regard to cybersecurity should be encouraged wherever possible.
(Sec. 6) Prohibits this Act from being construed to provide new or alter any existing authority for an entity to sell personal information of a consumer to another entity for marketing purposes.
(Sec. 7) Prohibits this Act from being construed to authorize a federal agency to require a federally contracted cybersecurity provider to provide information about cybersecurity incidents that do not pose a threat to the federal government's information.
[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 624 Introduced in House (IH)]
113th CONGRESS
1st Session
H. R. 624
To provide for the sharing of certain cyber threat intelligence and
cyber threat information between the intelligence community and
cybersecurity entities, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
February 13, 2013
Mr. Rogers of Michigan (for himself and Mr. Ruppersberger) introduced
the following bill; which was referred to the Select Committee on
Intelligence (Permanent Select)
_______________________________________________________________________
A BILL
To provide for the sharing of certain cyber threat intelligence and
cyber threat information between the intelligence community and
cybersecurity entities, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cyber Intelligence Sharing and
Protection Act''.
SEC. 2. CYBER THREAT INTELLIGENCE AND INFORMATION SHARING.
(a) In General.--Title XI of the National Security Act of 1947 (50
U.S.C. 442 et seq.) is amended by adding at the end the following new
section:
``cyber threat intelligence and information sharing
``Sec. 1104. (a) Intelligence Community Sharing of Cyber Threat
Intelligence With Private Sector and Utilities.--
``(1) In general.--The Director of National Intelligence
shall establish procedures to allow elements of the
intelligence community to share cyber threat intelligence with
private-sector entities and utilities and to encourage the
sharing of such intelligence.
``(2) Sharing and use of classified intelligence.--The
procedures established under paragraph (1) shall provide that
classified cyber threat intelligence may only be--
``(A) shared by an element of the intelligence
community with--
``(i) a certified entity; or
``(ii) a person with an appropriate
security clearance to receive such cyber threat
intelligence;
``(B) shared consistent with the need to protect
the national security of the United States; and
``(C) used by a certified entity in a manner which
protects such cyber threat intelligence from
unauthorized disclosure.
``(3) Security clearance approvals.--The Director of
National Intelligence shall issue guidelines providing that the
head of an element of the intelligence community may, as the
head of such element considers necessary to carry out this
subsection--
``(A) grant a security clearance on a temporary or
permanent basis to an employee or officer of a
certified entity;
``(B) grant a security clearance on a temporary or
permanent basis to a certified entity and approval to
use appropriate facilities; and
``(C) expedite the security clearance process for a
person or entity as the head of such element considers
necessary, consistent with the need to protect the
national security of the United States.
``(4) No right or benefit.--The provision of information to
a private-sector entity or a utility under this subsection
shall not create a right or benefit to similar information by
such entity or such utility or any other private-sector entity
or utility.
``(5) Restriction on disclosure of cyber threat
intelligence.--Notwithstanding any other provision of law, a
certified entity receiving cyber threat intelligence pursuant
to this subsection shall not further disclose such cyber threat
intelligence to another entity, other than to a certified
entity or other appropriate agency or department of the Federal
Government authorized to receive such cyber threat
intelligence.
``(b) Use of Cybersecurity Systems and Sharing of Cyber Threat
Information.--
``(1) In general.--
``(A) Cybersecurity providers.--Notwithstanding any
other provision of law, a cybersecurity provider, with
the express consent of a protected entity for which
such cybersecurity provider is providing goods or
services for cybersecurity purposes, may, for
cybersecurity purposes--
``(i) use cybersecurity systems to identify
and obtain cyber threat information to protect
the rights and property of such protected
entity; and
``(ii) share such cyber threat information
with any other entity designated by such
protected entity, including, if specifically
designated, the Federal Government.
``(B) Self-protected entities.--Notwithstanding any
other provision of law, a self-protected entity may,
for cybersecurity purposes--
``(i) use cybersecurity systems to identify
and obtain cyber threat information to protect
the rights and property of such self-protected
entity; and
``(ii) share such cyber threat information
with any other entity, including the Federal
Government.
``(2) Sharing with the federal government.--
``(A) Information shared with the national
cybersecurity and communications integration center of
the department of homeland security.--Subject to the
use and protection of information requirements under
paragraph (3), the head of a department or agency of
the Federal Government receiving cyber threat
information in accordance with paragraph (1) shall
provide such cyber threat information to the National
Cybersecurity and Communications Integration Center of
the Department of Homeland Security.
``(B) Request to share with another department or
agency of the federal government.--An entity sharing
cyber threat information that is provided to the
National Cybersecurity and Communications Integration
Center of the Department of Homeland Security under
subparagraph (A) or paragraph (1) may request the head
of such Center to, and the head of such Center may,
provide such information to another department or
agency of the Federal Government.
``(3) Use and protection of information.--Cyber threat
information shared in accordance with paragraph (1)--
``(A) shall only be shared in accordance with any
restrictions placed on the sharing of such information
by the protected entity or self-protected entity
authorizing such sharing, including appropriate
anonymization or minimization of such information;
``(B) may not be used by an entity to gain an
unfair competitive advantage to the detriment of the
protected entity or the self-protected entity
authorizing the sharing of information;
``(C) if shared with the Federal Government--
``(i) shall be exempt from disclosure under
section 552 of title 5, United States Code
(commonly known as the `Freedom of Information
Act');
``(ii) shall be considered proprietary
information and shall not be disclosed to an
entity outside of the Federal Government except
as authorized by the entity sharing such
information;
``(iii) shall not be used by the Federal
Government for regulatory purposes;
``(iv) shall not be provided by the
department or agency of the Federal Government
receiving such cyber threat information to
another department or agency of the Federal
Government under paragraph (2)(A) if--
``(I) the entity providing such
information determines that the
provision of such information will
undermine the purpose for which such
information is shared; or
``(II) unless otherwise directed by
the President, the head of the
department or agency of the Federal
Government receiving such cyber threat
information determines that the
provision of such information will
undermine the purpose for which such
information is shared; and
``(v) shall be handled by the Federal
Government consistent with the need to protect
sources and methods and the national security
of the United States; and
``(D) shall be exempt from disclosure under a
State, local, or tribal law or regulation that requires
public disclosure of information by a public or quasi-
public entity.
``(4) Exemption from liability.--No civil or criminal cause
of action shall lie or be maintained in Federal or State court
against a protected entity, self-protected entity,
cybersecurity provider, or an officer, employee, or agent of a
protected entity, self-protected entity, or cybersecurity
provider, acting in good faith--
``(A) for using cybersecurity systems to identify
or obtain cyber threat information or for sharing such
information in accordance with this section; or
``(B) for decisions made based on cyber threat
information identified, obtained, or shared under this
section.
``(5) Relationship to other laws requiring the disclosure
of information.--The submission of information under this
subsection to the Federal Government shall not satisfy or
affect--
``(A) any requirement under any other provision of
law for a person or entity to provide information to
the Federal Government; or
``(B) the applicability of other provisions of law,
including section 552 of title 5, United States Code
(commonly known as the `Freedom of Information Act'),
with respect to information required to be provided to
the Federal Government under such other provision of
law.
``(c) Federal Government Use of Information.--
``(1) Limitation.--The Federal Government may use cyber
threat information shared with the Federal Government in
accordance with subsection (b)--
``(A) for cybersecurity purposes;
``(B) for the investigation and prosecution of
cybersecurity crimes;
``(C) for the protection of individuals from the
danger of death or serious bodily harm and the
investigation and prosecution of crimes involving such
danger of death or serious bodily harm;
``(D) for the protection of minors from child
pornography, any risk of sexual exploitation, and
serious threats to the physical safety of minors,
including kidnapping and trafficking and the
investigation and prosecution of crimes involving child
pornography, any risk of sexual exploitation, and
serious threats to the physical safety of minors,
including kidnapping and trafficking, and any crime
referred to in section 2258A(a)(2) of title 18, United
States Code; or
``(E) to protect the national security of the
United States.
``(2) Affirmative search restriction.--The Federal
Government may not affirmatively search cyber threat
information shared with the Federal Government under subsection
(b) for a purpose other than a purpose referred to in paragraph
(1)(B).
``(3) Anti-tasking restriction.--Nothing in this section
shall be construed to permit the Federal Government to--
``(A) require a private-sector entity to share
information with the Federal Government; or
``(B) condition the sharing of cyber threat
intelligence with a private-sector entity on the
provision of cyber threat information to the Federal
Government.
``(4) Protection of sensitive personal documents.--The
Federal Government may not use the following information,
containing information that identifies a person, shared with
the Federal Government in accordance with subsection (b):
``(A) Library circulation records.
``(B) Library patron lists.
``(C) Book sales records.
``(D) Book customer lists.
``(E) Firearms sales records.
``(F) Tax return records.
``(G) Educational records.
``(H) Medical records.
``(5) Notification of non-cyber threat information.--If a
department or agency of the Federal Government receiving
information pursuant to subsection (b)(1) determines that such
information is not cyber threat information, such department or
agency shall notify the entity or provider sharing such
information pursuant to subsection (b)(1).
``(6) Retention and use of cyber threat information.--No
department or agency of the Federal Government shall retain or
use information shared pursuant to subsection (b)(1) for any
use other than a use permitted under subsection (c)(1).
``(7) Protection of individual information.--The Federal
Government may, consistent with the need to protect Federal
systems and critical information infrastructure from
cybersecurity threats and to mitigate such threats, undertake
reasonable efforts to limit the impact on privacy and civil
liberties of the sharing of cyber threat information with the
Federal Government pursuant to this subsection.
``(d) Federal Government Liability for Violations of Restrictions
on the Disclosure, Use, and Protection of Voluntarily Shared
Information.--
``(1) In general.--If a department or agency of the Federal
Government intentionally or willfully violates subsection
(b)(3)(C) or subsection (c) with respect to the disclosure,
use, or protection of voluntarily shared cyber threat
information shared under this section, the United States shall
be liable to a person adversely affected by such violation in
an amount equal to the sum of--
``(A) the actual damages sustained by the person as
a result of the violation or $1,000, whichever is
greater; and
``(B) the costs of the action together with
reasonable attorney fees as determined by the court.
``(2) Venue.--An action to enforce liability created under
this subsection may be brought in the district court of the
United States in--
``(A) the district in which the complainant
resides;
``(B) the district in which the principal place of
business of the complainant is located;
``(C) the district in which the department or
agency of the Federal Government that disclosed the
information is located; or
``(D) the District of Columbia.
``(3) Statute of limitations.--No action shall lie under
this subsection unless such action is commenced not later than
two years after the date of the violation of subsection
(b)(3)(C) or subsection (c) that is the basis for the action.
``(4) Exclusive cause of action.--A cause of action under
this subsection shall be the exclusive means available to a
complainant seeking a remedy for a violation of subsection
(b)(3)(C) or subsection (c).
``(e) Report on Information Sharing.--
``(1) Report.--The Inspector General of the Intelligence
Community shall annually submit to the congressional
intelligence committees a report containing a review of the use
of information shared with the Federal Government under this
section, including--
``(A) a review of the use by the Federal Government
of such information for a purpose other than a
cybersecurity purpose;
``(B) a review of the type of information shared
with the Federal Government under this section;
``(C) a review of the actions taken by the Federal
Government based on such information;
``(D) appropriate metrics to determine the impact
of the sharing of such information with the Federal
Government on privacy and civil liberties, if any;
``(E) a list of the departments or agencies
receiving such information;
``(F) a review of the sharing of such information
within the Federal Government to identify inappropriate
stovepiping of shared information; and
``(G) any recommendations of the Inspector General
for improvements or modifications to the authorities
under this section.
``(2) Form.--Each report required under paragraph (1) shall
be submitted in unclassified form, but may include a classified
annex.
``(f) Federal Preemption.--This section supersedes any statute of a
State or political subdivision of a State that restricts or otherwise
expressly regulates an activity authorized under subsection (b).
``(g) Savings Clauses.--
``(1) Existing authorities.--Nothing in this section shall
be construed to limit any other authority to use a
cybersecurity system or to identify, obtain, or share cyber
threat intelligence or cyber threat information.
``(2) Limitation on military and intelligence community
involvement in private and public sector cybersecurity
efforts.--Nothing in this section shall be construed to provide
additional authority to, or modify an existing authority of,
the Department of Defense or the National Security Agency or
any other element of the intelligence community to control,
modify, require, or otherwise direct the cybersecurity efforts
of a private-sector entity or a component of the Federal
Government or a State, local, or tribal government.
``(3) Information sharing relationships.--Nothing in this
section shall be construed to--
``(A) limit or modify an existing information
sharing relationship;
``(B) prohibit a new information sharing
relationship;
``(C) require a new information sharing
relationship between the Federal Government and a
private-sector entity; or
``(D) modify the authority of a department or
agency of the Federal Government to protect sources and
methods and the national security of the United States.
``(4) Limitation on federal government use of cybersecurity
systems.--Nothing in this section shall be construed to provide
additional authority to, or modify an existing authority of,
any entity to use a cybersecurity system owned or controlled by
the Federal Government on a private-sector system or network to
protect such private-sector system or network.
``(5) No liability for non-participation.--Nothing in this
section shall be construed to subject a protected entity, self-
protected entity, cyber security provider, or an officer,
employee, or agent of a protected entity, self-protected
entity, or cybersecurity provider, to liability for choosing
not to engage in the voluntary activities authorized under this
section.
``(6) Use and retention of information.--Nothing in this
section shall be construed to authorize, or to modify any
existing authority of, a department or agency of the Federal
Government to retain or use information shared pursuant to
subsection (b)(1) for any use other than a use permitted under
subsection (c)(1).
``(h) Definitions.--In this section:
``(1) Availability.--The term `availability' means ensuring
timely and reliable access to and use of information.
``(2) Certified entity.--The term `certified entity' means
a protected entity, self-protected entity, or cybersecurity
provider that--
``(A) possesses or is eligible to obtain a security
clearance, as determined by the Director of National
Intelligence; and
``(B) is able to demonstrate to the Director of
National Intelligence that such provider or such entity
can appropriately protect classified cyber threat
intelligence.
``(3) Confidentiality.--The term `confidentiality' means
preserving authorized restrictions on access and disclosure,
including means for protecting personal privacy and proprietary
information.
``(4) Cyber threat information.--
``(A) In general.--The term `cyber threat
information' means information directly pertaining to--
``(i) a vulnerability of a system or
network of a government or private entity;
``(ii) a threat to the integrity,
confidentiality, or availability of a system or
network of a government or private entity or
any information stored on, processed on, or
transiting such a system or network;
``(iii) efforts to deny access to or
degrade, disrupt, or destroy a system or
network of a government or private entity; or
``(iv) efforts to gain unauthorized access
to a system or network of a government or
private entity, including to gain such
unauthorized access for the purpose of
exfiltrating information stored on, processed
on, or transiting a system or network of a
government or private entity.
``(B) Exclusion.-- Such term does not include
information pertaining to efforts to gain unauthorized
access to a system or network of a government or
private entity that solely involve violations of
consumer terms of service or consumer licensing
agreements and do not otherwise constitute unauthorized
access.
``(5) Cyber threat intelligence.--
``(A) In general.--The term `cyber threat
intelligence' means intelligence in the possession of
an element of the intelligence community directly
pertaining to--
``(i) a vulnerability of a system or
network of a government or private entity;
``(ii) a threat to the integrity,
confidentiality, or availability of a system or
network of a government or private entity or
any information stored on, processed on, or
transiting such a system or network;
``(iii) efforts to deny access to or
degrade, disrupt, or destroy a system or
network of a government or private entity; or
``(iv) efforts to gain unauthorized access
to a system or network of a government or
private entity, including to gain such
unauthorized access for the purpose of
exfiltrating information stored on, processed
on, or transiting a system or network of a
government or private entity.
``(B) Exclusion.-- Such term does not include
intelligence pertaining to efforts to gain unauthorized
access to a system or network of a government or
private entity that solely involve violations of
consumer terms of service or consumer licensing
agreements and do not otherwise constitute unauthorized
access.
``(6) Cybersecurity crime.--The term `cybersecurity crime'
means--
``(A) a crime under a Federal or State law that
involves--
``(i) efforts to deny access to or degrade,
disrupt, or destroy a system or network;
``(ii) efforts to gain unauthorized access
to a system or network; or
``(iii) efforts to exfiltrate information
from a system or network without authorization;
or
``(B) the violation of a provision of Federal law
relating to computer crimes, including a violation of
any provision of title 18, United States Code, created
or amended by the Computer Fraud and Abuse Act of 1986
(Public Law 99-474).
``(7) Cybersecurity provider.--The term `cybersecurity
provider' means a non-governmental entity that provides goods
or services intended to be used for cybersecurity purposes.
``(8) Cybersecurity purpose.--
``(A) In general.--The term `cybersecurity purpose'
means the purpose of ensuring the integrity,
confidentiality, or availability of, or safeguarding, a
system or network, including protecting a system or
network from--
``(i) a vulnerability of a system or
network;
``(ii) a threat to the integrity,
confidentiality, or availability of a system or
network or any information stored on, processed
on, or transiting such a system or network;
``(iii) efforts to deny access to or
degrade, disrupt, or destroy a system or
network; or
``(iv) efforts to gain unauthorized access
to a system or network, including to gain such
unauthorized access for the purpose of
exfiltrating information stored on, processed
on, or transiting a system or network.
``(B) Exclusion.-- Such term does not include the
purpose of protecting a system or network from efforts
to gain unauthorized access to such system or network
that solely involve violations of consumer terms of
service or consumer licensing agreements and do not
otherwise constitute unauthorized access.
``(9) Cybersecurity system.--
``(A) In general.--The term `cybersecurity system'
means a system designed or employed to ensure the
integrity, confidentiality, or availability of, or
safeguard, a system or network, including protecting a
system or network from--
``(i) a vulnerability of a system or
network;
``(ii) a threat to the integrity,
confidentiality, or availability of a system or
network or any information stored on, processed
on, or transiting such a system or network;
``(iii) efforts to deny access to or
degrade, disrupt, or destroy a system or
network; or
``(iv) efforts to gain unauthorized access
to a system or network, including to gain such
unauthorized access for the purpose of
exfiltrating information stored on, processed
on, or transiting a system or network.
``(B) Exclusion.-- Such term does not include a
system designed or employed to protect a system or
network from efforts to gain unauthorized access to
such system or network that solely involve violations
of consumer terms of service or consumer licensing
agreements and do not otherwise constitute unauthorized
access.
``(10) Integrity.--The term `integrity' means guarding
against improper information modification or destruction,
including ensuring information nonrepudiation and authenticity.
``(11) Protected entity.--The term `protected entity' means
an entity, other than an individual, that contracts with a
cybersecurity provider for goods or services to be used for
cybersecurity purposes.
``(12) Self-protected entity.--The term `self-protected
entity' means an entity, other than an individual, that
provides goods or services for cybersecurity purposes to
itself.
``(13) Utility.--The term `utility' means an entity
providing essential services (other than law enforcement or
regulatory services), including electricity, natural gas,
propane, telecommunications, transportation, water, or
wastewater services.''.
(b) Procedures and Guidelines.--The Director of National
Intelligence shall--
(1) not later than 60 days after the date of the enactment
of this Act, establish procedures under paragraph (1) of
section 1104(a) of the National Security Act of 1947, as added
by subsection (a) of this section, and issue guidelines under
paragraph (3) of such section 1104(a);
(2) in establishing such procedures and issuing such
guidelines, consult with the Secretary of Homeland Security to
ensure that such procedures and such guidelines permit the
owners and operators of critical infrastructure to receive all
appropriate cyber threat intelligence (as defined in section
1104(h)(3) of such Act, as added by subsection (a)) in the
possession of the Federal Government; and
(3) following the establishment of such procedures and the
issuance of such guidelines, expeditiously distribute such
procedures and such guidelines to appropriate departments and
agencies of the Federal Government, private-sector entities,
and utilities (as defined in section 1104(h)(9) of such Act, as
added by subsection (a)).
(c) Initial Report.--The first report required to be submitted
under subsection (e) of section 1104 of the National Security Act of
1947, as added by subsection (a) of this section, shall be submitted
not later than 1 year after the date of the enactment of this Act.
(d) Table of Contents Amendment.--The table of contents in the
first section of the National Security Act of 1947 is amended by adding
at the end the following new item:
``Sec. 1104. Cyber threat intelligence and information sharing.''.
SEC. 3. SUNSET.
Effective on the date that is 5 years after the date of the
enactment of this Act--
(1) section 1104 of the National Security Act of 1947, as
added by section 2(a) of this Act, is repealed; and
(2) the table of contents in the first section of the
National Security Act of 1947, as amended by section 2(d) of
this Act, is amended by striking the item relating to section
1104, as added by such section 2(d).
<all>
DEBATE - Pursuant to the provisions of H. Res. 164, the Committee of the Whole proceeded with 10 minutes of debate on the McCaul amendment No. 13.
POSTPONED PROCEEDINGS - At the conclusion of debate on the McCaul amendment, the Chair put the question on adoption of the amendment and by voice vote announced that the ayes had prevailed. Mr. McCaul demanded a recorded vote and the Chair postponed further proceedings on the question of adoption of the amendment until later in the legislative day.
Mr. Rogers (MI) moved that the Committee rise.
On motion that the Committee rise Agreed to by voice vote.
Committee of the Whole House on the state of the Union rises leaving H.R. 624 as unfinished business.
Considered as unfinished business. (consideration: CR H2140-2145)
The House resolved into Committee of the Whole House on the state of the Union for further consideration.
UNFINISHED BUSINESS - The Chair announced that the unfinished business was on the adoption of amendments which had been debated earlier and on which further proceedings had been postponed.
The House rose from the Committee of the Whole House on the state of the Union to report H.R. 624.
The previous question was ordered pursuant to the rule. (consideration: CR H2142)
Llama 3.2 · runs locally in your browser
Ask anything about this bill. The AI reads the full text to answer.
Enter to send · Shift+Enter for new line
The House adopted the amendment in the nature of a substitute as agreed to by the Committee of the Whole House on the state of the Union.
Mr. Perlmutter moved to recommit with instructions to Intelligence (Permanent). (consideration: CR H2142; text: CR H2142)
DEBATE - The House proceeded with 10 minutes of debate on the Perlmutter motion to recommit with instructions. The instructions contained in the motion seek to require the bill to be reported back to the House with an amendment to prohibit employers, prospective employers, or the Federal Government from requiring the disclosure of social networking or personal account passwords by an employee or job applicant without a court order. The Motion would also prohibit the Federal Government from establishing a mechanism by which it could control citizen's access to the Internet with a national firewall similar to the "Great Internet Firewall of China." Lastly, the Motion would make changes to the McCaul amendment, adding a section that requires reporting of information on the number of Americans who have been forced to disclose passwords and had information released to the Federal government or obtained in connection
The previous question on the motion to recommit with instructions was ordered without objection. (consideration: CR H2143)
On motion to recommit with instructions Failed by recorded vote: 189 - 224 (Roll no. 116). (consideration: CR H2143-2144)
Roll Call #116 (House)Passed/agreed to in House: On passage Passed by the Yeas and Nays: 288 - 127 (Roll no. 117).
Roll Call #117 (House)On passage Passed by the Yeas and Nays: 288 - 127 (Roll no. 117).
Roll Call #117 (House)Motion to reconsider laid on the table Agreed to without objection.
The Clerk was authorized to correct section numbers, punctuation, and cross references, and to make other necessary technical and conforming corrections in the engrossment of H.R. 624.
Received in the Senate and Read twice and referred to the Select Committee on Intelligence.