Cybersecurity Vulnerability Identification and Notification Act of 2020
This bill authorizes the Department of Homeland Security (DHS) to issue a subpoena for the production of information to identify and notify an entity that is put at risk by cybersecurity vulnerabilities.
Specifically, the bill requires the DHS Cybersecurity and Infrastructure Security Agency (CISA) to detect, identify, and receive information about security vulnerabilities relating to critical infrastructure in the information systems and devices of public and private entities. To do this, the bill authorizes CISA, upon identification of a system determined to have such a security vulnerability, to issue a subpoena for the production of information that is necessary to identify and notify the at-risk entity.
[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5680 Introduced in House (IH)]
116th CONGRESS
2d Session
H. R. 5680
To amend the Homeland Security Act of 2002 to protect United States
critical infrastructure by ensuring that the Cybersecurity and
Infrastructure Security Agency of the Department of Homeland Security
has necessary legal tools to notify entities at risk of cybersecurity
vulnerabilities in the enterprise devices or systems that control
critical assets of the United States, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
January 27, 2020
Mr. Langevin (for himself, Mr. Katko, Mr. Richmond, Mr. Thompson of
Mississippi, and Ms. Jackson Lee) introduced the following bill; which
was referred to the Committee on Homeland Security
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to protect United States
critical infrastructure by ensuring that the Cybersecurity and
Infrastructure Security Agency of the Department of Homeland Security
has necessary legal tools to notify entities at risk of cybersecurity
vulnerabilities in the enterprise devices or systems that control
critical assets of the United States, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cybersecurity Vulnerability
Identification and Notification Act of 2020''.
SEC. 2. SUBPOENA AUTHORITY.
(a) In General.--Section 2209 of the Homeland Security Act of 2002
(6 U.S.C. 659) is amended--
(1) in subsection (a)--
(A) in this subsection, by inserting ``,
`cybersecurity purpose','' after ```cyber threat
indicator''';
(B) by redesignating paragraphs (3) through (6) as
paragraphs (4) through (7), respectively;
(C) by inserting after this subsection the
following new paragraph:
``(3) the term `enterprise device or system'--
``(A) means a device or information system commonly
used to perform industrial, commercial, scientific, or
governmental functions or processes that relate to
critical infrastructure, including operational and
industrial control systems, distributed control
systems, and programmable logic controllers; and
``(B) does not include personal devices and
systems, such as consumer mobile devices, home
computers, residential wireless routers, or residential
internet-enabled consumer devices;''; and
(D) in paragraph (6), as so redesignated, by
striking ``term `information system' has the meaning
given that term in section 3502(8) of title 44; and''
and inserting ``terms `information system' and
`security vulnerability' have the meanings given those
terms in section 102 of the Cybersecurity Information
Sharing Act of 2015 (6 U.S.C. 1501);'';
(2) in subsection (c)--
(A) in paragraph (8)(C), by striking ``sharing''
and inserting ``share'';
(B) in paragraph (10), by striking ``and'' after
the semicolon at the end;
(C) in paragraph (11), by striking the period at
the end and inserting ``; and''; and
(D) by adding at the end the following new
paragraph:
``(12) detecting, identifying, and receiving information
about security vulnerabilities relating to information systems
for a cybersecurity purpose.''; and
(3) by adding at the end the following new subsection:
``(n) Subpoena Authority.--
``(1) In general.--If the Director identifies an
information system connected to the internet with a specific
security vulnerability and has reason to believe that the
security vulnerability relates to critical infrastructure and
affects an enterprise device or system of an entity, and the
Director made reasonable efforts to identify the entity at risk
but was unable to do so, the Director may issue a subpoena for
the production of information necessary to identify and notify
the entity at risk, in order to carry out a cybersecurity
purpose.
``(2) Limit on information.--A subpoena issued under this
subsection may only seek information in the categories set
forth in subparagraphs (A), (B), (D), and (E) of section
2703(c)(2) of title 18, United States Code.
``(3) Liability protections for disclosing providers.--The
provisions of section 2703(e) of title 18, United States Code,
shall apply to any subpoena issued under this subsection.
``(4) Coordination.--
``(A) In general.--Not later than 60 days after the
date of the enactment of this subsection, the Director,
in coordination with the Attorney General, shall
develop inter-agency procedures regarding the issuance
of subpoenas under this subsection in order to avoid
interference with ongoing law enforcement
investigations. To the extent practicable, the Director
shall coordinate such issuances with the Department of
Justice, including the Federal Bureau of Investigation,
pursuant to such procedures.
``(B) Contents.--The inter-agency procedures
developed under this paragraph shall provide that a
subpoena issued by the Director under this subsection
shall be--
``(i) issued solely in order to carry out a
cybersecurity purpose; and
``(ii) subject to the limitations under
this subsection.
``(5) Noncompliance.--If any person, partnership,
corporation, association, or entity fails to comply with any
duly served subpoena issued under this subsection, the Director
may request that the Attorney General seek enforcement of the
subpoena in any judicial district in which such person,
partnership, corporation, association, or entity resides, is
found, or transacts business.
``(6) Notice.--Not later than seven days after the date on
which the Director receives information obtained through a
subpoena issued under this subsection, the Director shall
notify the entity at risk identified by information obtained
under the subpoena regarding the subpoena and the identified
security vulnerability.
``(7) Authentication.--Any subpoena issued by the Director
under this subsection shall be authenticated by the electronic
signature of an authorized representative of the Agency or
other comparable symbol or process identifying the Agency as
the source of the subpoena.
``(8) Procedures.--
``(A) In general.--Not later than 90 days after the
date of enactment of this subsection, the Director
shall establish internal procedures and associated
training, applicable to employees and operations of the
Agency, regarding subpoenas issued under this
subsection, which shall address the following:
``(i) The protection of and restriction on
dissemination of nonpublic information obtained
through such a subpoena, including a
requirement that the Agency may not disseminate
nonpublic information obtained through such a
subpoena that identifies the party that is
subject to such a subpoena or the entity at
risk identified by information obtained as a
result of such a subpoena, unless--
``(I) the party or entity consents;
or
``(II) the Agency identifies or is
notified of a cybersecurity incident
involving the party or entity, which
relates to the security vulnerability
which led to the issuance of such a
subpoena.
``(ii) The restriction on the use of
information obtained through the subpoena for a
cybersecurity purpose.
``(iii) The retention and destruction of
nonpublic information obtained through such a
subpoena, including the following:
``(I) Immediate destruction of
information obtained through such a
subpoena that the Director determines
is unrelated to critical
infrastructure.
``(II) Destruction of any
personally identifiable information not
later than six months after the date on
which the Director receives information
obtained through such a subpoena,
unless otherwise agreed to by the
individual so identified.
``(iv) The process for recordkeeping
regarding efforts referred to in paragraph (1)
undertaken prior to the issuance of such a
subpoena.
``(v) The process for tracking engagement
with each party that is subject to such a
subpoena and the entity at risk identified by
information obtained pursuant to such a
subpoena.
``(vi) The process for providing notice to
each party that is subject to such a subpoena
and each entity at risk identified by
information obtained pursuant to such a
subpoena.
``(vii) The process and criteria for
conducting critical infrastructure security
risk assessments to determine whether a
subpoena is necessary prior to being so issued.
``(B) Congressional notification.--The Director
shall brief the Committee on Homeland Security of the
House of Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate upon
establishment of internal procedures and associated
training required under this subsection.
``(9) Review of procedures.--Not later than one year after
the date of enactment of this subsection, the Privacy Officer
of the Agency, in consultation with the Privacy Officer of the
Department, shall--
``(A) review the internal procedures and associated
training established by the Director under paragraph
(8) to ensure that--
``(i) the procedures and training are
consistent with fair information practices; and
``(ii) the operations of the Agency comply
with the procedures and training; and
``(B) notify the Committee on Homeland Security of
the House of Representatives and the Committee on
Homeland Security and Governmental Affairs of the
Senate of the results of such review.
``(10) Resource assessment.--Not later than 120 days after
the date of the enactment of this subsection, the Director
shall submit to the Committee on Homeland Security of the House
of Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate an assessment regarding
whether additional resources are required to--
``(A)(i) ensure timely notifications to entities at
risk pursuant to paragraph (6); and
``(ii) provide such entities at risk with timely
support to mitigate security vulnerabilities; and
``(B) provide associated training applicable to
employees and operations of the Agency to comply with
internal procedures established pursuant to paragraph
(8).
``(11) Publication of information.--Not later than 120 days
after establishing the internal procedures and policies under
paragraph (8), the Director shall make publicly available,
including on a Department website, information regarding the
subpoena process under this subsection, including regarding the
following:
``(A) The purpose for subpoenas issued under this
subsection.
``(B) The subpoena process.
``(C) The criteria for the critical infrastructure
security risk assessment conducted prior to issuing a
subpoena.
``(D) Policies and procedures on retention and
sharing of data obtained by a subpoena.
``(E) The process for providing notice to each
entity at risk identified by information obtained
pursuant to a subpoena issued under this subsection,
and contact information that such an entity may use to
confirm the authenticity of such notice.
``(F) Guidelines on how entities at risk contacted
by the Director may respond to notice of a subpoena.
``(G) The internal procedures of the Agency
established pursuant to paragraph (8).
``(12) Annual reports.--Not later than six months after the
establishment of the internal procedures and associated
training pursuant to paragraph (8) and annually thereafter, the
Director shall submit to the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on
Homeland Security of the House of Representatives a report
(which may include a classified annex but with the presumption
of declassification) on the use of subpoenas under this
subsection by the Director, which shall include the following:
``(A) A discussion of the following:
``(i) The effectiveness of the use of
subpoenas to mitigate security vulnerabilities.
``(ii) The critical infrastructure security
risk assessment process conducted for subpoenas
issued under this subsection.
``(iii) The number of subpoenas issued
under this subsection by the Director during
the preceding year.
``(iv) To the extent practicable, the
number of vulnerable enterprise devices or
systems mitigated under this subsection by the
Agency during the preceding year.
``(v) The number of entities notified by
the Director under this subsection, and their
responses, during the preceding year.
``(B) For each subpoena issued under this
subsection, the following:
``(i) The source of the security
vulnerability at issue detected, identified, or
received by the Director.
``(ii) A description of the efforts
undertaken to identify the entity at risk prior
to issuing each such subpoena.
``(iii) A description of the outcome of
each such subpoena, including discussion
regarding the resolution or mitigation of the
security vulnerability at issue.
``(iv) A description of any additional
support provided by the Director to the entity
at risk.
``(13) Publication of the annual reports.--The Director
shall make publicly available a version of each annual report
required under paragraph (12), which shall at a minimum include
the findings described in clause (iii), (iv), and (v) of this
subsection of such paragraph.
``(14) DHS inspector general report.--Not later than one
year after the date of the enactment of this subsection, the
Inspector General of the Department shall submit to the
Committee on Homeland Security of the House of Representatives
and the Committee on Homeland Security and Governmental Affairs
of the Senate a report evaluating the Agency's compliance with
the following:
``(A) The inter-agency procedures established under
paragraph (4).
``(B) The internal procedures and associated
training established pursuant to paragraph (8).''.
Introduced in House
Referred to the House Committee on Homeland Security.
Committee Consideration and Mark-up Session Held.
Ordered to be Reported.