Calendar No. 28
114th CONGRESS
1st Session
S. 754
To improve cybersecurity in the United States through enhanced sharing
of information about cybersecurity threats, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
March 17, 2015
Mr. Burr, from the Select Committee on Intelligence, reported the
following original bill; which was read twice and placed on the
calendar
_______________________________________________________________________
A BILL
To improve cybersecurity in the United States through enhanced sharing
of information about cybersecurity threats, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Cybersecurity
Information Sharing Act of 2015''.
(b) Table of Contents.--The table of contents of this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Sharing of information by the Federal Government.
Sec. 4. Authorizations for preventing, detecting, analyzing, and
mitigating cybersecurity threats.
Sec. 5. Sharing of cyber threat indicators and defensive measures with
the Federal Government.
Sec. 6. Protection from liability.
Sec. 7. Oversight of Government activities.
Sec. 8. Construction and preemption.
Sec. 9. Report on cybersecurity threats.
Sec. 10. Conforming amendments.
SEC. 2. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Antitrust laws.--The term ``antitrust laws''--
(A) has the meaning given the term in section 1 of
the Clayton Act (15 U.S.C. 12);
(B) includes section 5 of the Federal Trade
Commission Act (15 U.S.C. 45) to the extent that
section 5 of that Act applies to unfair methods of
competition; and
(C) includes any State law that has the same intent
and effect as the laws under subparagraphs (A) and (B).
(3) Appropriate federal entities.--The term ``appropriate
Federal entities'' means the following:
(A) The Department of Commerce.
(B) The Department of Defense.
(C) The Department of Energy.
(D) The Department of Homeland Security.
(E) The Department of Justice.
(F) The Department of the Treasury.
(G) The Office of the Director of National
Intelligence.
(4) Cybersecurity purpose.--The term ``cybersecurity
purpose'' means the purpose of protecting an information system
or information that is stored on, processed by, or transiting
an information system from a cybersecurity threat or security
vulnerability.
(5) Cybersecurity threat.--
(A) In general.--Except as provided in subparagraph
(B), the term ``cybersecurity threat'' means an action,
not protected by the First Amendment to the
Constitution of the United States, on or through an
information system that may result in an unauthorized
effort to adversely impact the security, availability,
confidentiality, or integrity of an information system
or information that is stored on, processed by, or
transiting an information system.
(B) Exclusion.--The term ``cybersecurity threat''
does not include any action that solely involves a
violation of a consumer term of service or a consumer
licensing agreement.
(6) Cyber threat indicator.--The term ``cyber threat
indicator'' means information that is necessary to describe or
identify--
(A) malicious reconnaissance, including anomalous
patterns of communications that appear to be
transmitted for the purpose of gathering technical
information related to a cybersecurity threat or
security vulnerability;
(B) a method of defeating a security control or
exploitation of a security vulnerability;
(C) a security vulnerability, including anomalous
activity that appears to indicate the existence of a
security vulnerability;
(D) a method of causing a user with legitimate
access to an information system or information that is
stored on, processed by, or transiting an information
system to unwittingly enable the defeat of a security
control or exploitation of a security vulnerability;
(E) malicious cyber command and control;
(F) the actual or potential harm caused by an
incident, including a description of the information
exfiltrated as a result of a particular cybersecurity
threat;
(G) any other attribute of a cybersecurity threat,
if disclosure of such attribute is not otherwise
prohibited by law; or
(H) any combination thereof.
(7) Defensive measure.--
(A) In general.--Except as provided in subparagraph
(B), the term ``defensive measure'' means an action,
device, procedure, signature, technique, or other
measure applied to an information system or information
that is stored on, processed by, or transiting an
information system that detects, prevents, or mitigates
a known or suspected cybersecurity threat or security
vulnerability.
(B) Exclusion.--The term ``defensive measure'' does
not include a measure that destroys, renders unusable,
or substantially harms an information system or data on
an information system not belonging to--
(i) the private entity operating the
measure; or
(ii) another entity or Federal entity that
is authorized to provide consent and has
provided consent to that private entity for
operation of such measure.
(8) Entity.--
(A) In general.--Except as otherwise provided in
this paragraph, the term ``entity'' means any private
entity, non-Federal government agency or department, or
State, tribal, or local government (including a
political subdivision, department, or component
thereof).
(B) Inclusions.--The term ``entity'' includes a
government agency or department of the District of
Columbia, the Commonwealth of Puerto Rico, the Virgin
Islands, Guam, American Samoa, the Northern Mariana
Islands, and any other territory or possession of the
United States.
(C) Exclusion.--The term ``entity'' does not
include a foreign power as defined in section 101 of
the Foreign Intelligence Surveillance Act of 1978 (50
U.S.C. 1801).
(9) Federal entity.--The term ``Federal entity'' means a
department or agency of the United States or any component of
such department or agency.
(10) Information system.--The term ``information system''--
(A) has the meaning given the term in section 3502
of title 44, United States Code; and
(B) includes industrial control systems, such as
supervisory control and data acquisition systems,
distributed control systems, and programmable logic
controllers.
(11) Local government.--The term ``local government'' means
any borough, city, county, parish, town, township, village, or
other political subdivision of a State.
(12) Malicious cyber command and control.--The term
``malicious cyber command and control'' means a method for
unauthorized remote identification of, access to, or use of, an
information system or information that is stored on, processed
by, or transiting an information system.
(13) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning security vulnerabilities of the information system,
if such method is associated with a known or suspected
cybersecurity threat.
(14) Monitor.--The term ``monitor'' means to acquire,
identify, or scan, or to possess, information that is stored
on, processed by, or transiting an information system.
(15) Private entity.--
(A) In general.--Except as otherwise provided in
this paragraph, the term ``private entity'' means any
person or private group, organization, proprietorship,
partnership, trust, cooperative, corporation, or other
commercial or nonprofit entity, including an officer,
employee, or agent thereof.
(B) Inclusion.--The term ``private entity''
includes a State, tribal, or local government
performing electric utility services.
(C) Exclusion.--The term ``private entity'' does
not include a foreign power as defined in section 101
of the Foreign Intelligence Surveillance Act of 1978
(50 U.S.C. 1801).
(16) Security control.--The term ``security control'' means
the management, operational, and technical controls used to
protect against an unauthorized effort to adversely affect the
confidentiality, integrity, and availability of an information
system or its information.
(17) Security vulnerability.--The term ``security
vulnerability'' means any attribute of hardware, software,
process, or procedure that could enable or facilitate the
defeat of a security control.
(18) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian Self-
Determination and Education Assistance Act (25 U.S.C. 450b).
SEC. 3. SHARING OF INFORMATION BY THE FEDERAL GOVERNMENT.
(a) In General.--Consistent with the protection of classified
information, intelligence sources and methods, and privacy and civil
liberties, the Director of National Intelligence, the Secretary of
Homeland Security, the Secretary of Defense, and the Attorney General,
in consultation with the heads of the appropriate Federal entities,
shall develop and promulgate procedures to facilitate and promote--
(1) the timely sharing of classified cyber threat
indicators in the possession of the Federal Government with
cleared representatives of relevant entities;
(2) the timely sharing with relevant entities of cyber
threat indicators or information in the possession of the
Federal Government that may be declassified and shared at an
unclassified level;
(3) the sharing with relevant entities, or the public if
appropriate, of unclassified, including controlled
unclassified, cyber threat indicators in the possession of the
Federal Government; and
(4) the sharing with entities, if appropriate, of
information in the possession of the Federal Government about
cybersecurity threats to such entities to prevent or mitigate
adverse effects from such cybersecurity threats.
(b) Development of Procedures.--
(1) In general.--The procedures developed and promulgated
under subsection (a) shall--
(A) ensure the Federal Government has and maintains
the capability to share cyber threat indicators in real
time consistent with the protection of classified
information;
(B) incorporate, to the greatest extent
practicable, existing processes and existing roles and
responsibilities of Federal and non-Federal entities
for information sharing by the Federal Government,
including sector specific information sharing and
analysis centers;
(C) include procedures for notifying entities that
have received a cyber threat indicator from a Federal
entity under this Act that is known or determined to be
in error or in contravention of the requirements of
this Act or another provision of Federal law or policy
of such error or contravention;
(D) include requirements for Federal entities
receiving cyber threat indicators or defensive measures
to implement and utilize security controls to protect
against unauthorized access to or acquisition of such
cyber threat indicators or defensive measures; and
(E) include procedures that require a Federal
entity, prior to the sharing of a cyber threat
indicator--
(i) to review such cyber threat indicator
to assess whether such cyber threat indicator
contains any information that such Federal
entity knows at the time of sharing to be
personal information of or identifying a
specific person not directly related to a
cybersecurity threat and remove such
information; or
(ii) to implement and utilize a technical
capability configured to remove any personal
information of or identifying a specific person
not directly related to a cybersecurity threat.
(2) Coordination.--In developing the procedures required
under this section, the Director of National Intelligence, the
Secretary of Homeland Security, the Secretary of Defense, and
the Attorney General shall coordinate with appropriate Federal
entities, including the National Laboratories (as defined in
section 2 of the Energy Policy Act of 2005 (42 U.S.C. 15801)),
to ensure that effective protocols are implemented that will
facilitate and promote the sharing of cyber threat indicators
by the Federal Government in a timely manner.
(c) Submittal to Congress.--Not later than 60 days after the date
of the enactment of this Act, the Director of National Intelligence, in
consultation with the heads of the appropriate Federal entities, shall
submit to Congress the procedures required by subsection (a).
SEC. 4. AUTHORIZATIONS FOR PREVENTING, DETECTING, ANALYZING, AND
MITIGATING CYBERSECURITY THREATS.
(a) Authorization for Monitoring.--
(1) In general.--Notwithstanding any other provision of
law, a private entity may, for cybersecurity purposes,
monitor--
(A) an information system of such private entity;
(B) an information system of another entity, upon
the authorization and written consent of such other
entity;
(C) an information system of a Federal entity, upon
the authorization and written consent of an authorized
representative of the Federal entity; and
(D) information that is stored on, processed by, or
transiting an information system monitored by the
private entity under this paragraph.
(2) Construction.--Nothing in this subsection shall be
construed--
(A) to authorize the monitoring of an information
system, or the use of any information obtained through
such monitoring, other than as provided in this Act; or
(B) to limit otherwise lawful activity.
(b) Authorization for Operation of Defensive Measures.--
(1) In general.--Notwithstanding any other provision of
law, a private entity may, for cybersecurity purposes, operate
a defensive measure that is applied to--
(A) an information system of such private entity in
order to protect the rights or property of the private
entity;
(B) an information system of another entity upon
written consent of such entity for operation of such
defensive measure to protect the rights or property of
such entity; and
(C) an information system of a Federal entity upon
written consent of an authorized representative of such
Federal entity for operation of such defensive measure
to protect the rights or property of the Federal
Government.
(2) Construction.--Nothing in this subsection shall be
construed--
(A) to authorize the use of a defensive measure
other than as provided in this subsection; or
(B) to limit otherwise lawful activity.
(c) Authorization for Sharing or Receiving Cyber Threat Indicators
or Defensive Measures.--
(1) In general.--Except as provided in paragraph (2) and
notwithstanding any other provision of law, an entity may, for
the purposes permitted under this Act and consistent with the
protection of classified information, share with, or receive
from, any other entity or the Federal Government a cyber threat
indicator or defensive measure.
(2) Lawful restriction.--An entity receiving a cyber threat
indicator or defensive measure from another entity or Federal
entity shall comply with otherwise lawful restrictions placed
on the sharing or use of such cyber threat indicator or
defensive measure by the sharing entity or Federal entity.
(3) Construction.--Nothing in this subsection shall be
construed--
(A) to authorize the sharing or receiving of a
cyber threat indicator or defensive measure other than
as provided in this subsection; or
(B) to limit otherwise lawful activity.
(d) Protection and Use of Information.--
(1) Security of information.--An entity monitoring an
information system, operating a defensive measure, or providing
or receiving a cyber threat indicator or defensive measure
under this section shall implement and utilize a security
control to protect against unauthorized access to or
acquisition of such cyber threat indicator or defensive
measure.
(2) Removal of certain personal information.--An entity
sharing a cyber threat indicator pursuant to this Act shall,
prior to such sharing--
(A) review such cyber threat indicator to assess
whether such cyber threat indicator contains any
information that the entity knows at the time of
sharing to be personal information of or identifying a
specific person not directly related to a cybersecurity
threat and remove such information; or
(B) implement and utilize a technical capability
configured to remove any information contained within
such indicator that the entity knows at the time of
sharing to be personal information of or identifying a
specific person not directly related to a cybersecurity
threat.
(3) Use of cyber threat indicators and defensive measures
by entities.--
(A) In general.--Consistent with this Act, a cyber
threat indicator or defensive measure shared or
received under this section may, for cybersecurity
purposes--
(i) be used by an entity to monitor or
operate a defensive measure on--
(I) an information system of the
entity; or
(II) an information system of
another entity or a Federal entity upon
the written consent of that other
entity or that Federal entity; and
(ii) be otherwise used, retained, and
further shared by an entity subject to--
(I) an otherwise lawful restriction
placed by the sharing entity or Federal
entity on such cyber threat indicator
or defensive measure; or
(II) an otherwise applicable
provision of law.
(B) Construction.--Nothing in this paragraph shall
be construed to authorize the use of a cyber threat
indicator or defensive measure other than as provided
in this section.
(4) Use of cyber threat indicators by state, tribal, or
local government.--
(A) Law enforcement use.--
(i) Prior written consent.--Except as
provided in clause (ii), a cyber threat
indicator shared with a State, tribal, or local
government under this section may, with the
prior written consent of the entity sharing
such indicator, be used by a State, tribal, or
local government for the purpose of preventing,
investigating, or prosecuting any of the
offenses described in section 5(d)(5)(A)(vi).
(ii) Oral consent.--If exigent
circumstances prevent obtaining written consent
under clause (i), such consent may be provided
orally with subsequent documentation of the
consent.
(B) Exemption from disclosure.--A cyber threat
indicator shared with a State, tribal, or local
government under this section shall be--
(i) deemed voluntarily shared information;
and
(ii) exempt from disclosure under any
State, tribal, or local law requiring
disclosure of information or records.
(C) State, tribal, and local regulatory
authority.--
(i) In general.--Except as provided in
clause (ii), a cyber threat indicator or
defensive measure shared with a State, tribal,
or local government under this Act shall not be
directly used by any State, tribal, or local
government to regulate, including an
enforcement action, the lawful activity of any
entity, including an activity relating to
monitoring, operating a defensive measure, or
sharing of a cyber threat indicator.
(ii) Regulatory authority specifically
relating to prevention or mitigation of
cybersecurity threats.--A cyber threat
indicator or defensive measures shared as
described in clause (i) may, consistent with a
State, tribal, or local government regulatory
authority specifically relating to the
prevention or mitigation of cybersecurity
threats to information systems, inform the
development or implementation of a regulation
relating to such information systems.
(e) Antitrust Exemption.--
(1) In general.--Except as provided in section 8(e), it
shall not be considered a violation of any provision of
antitrust laws for 2 or more private entities to exchange or
provide a cyber threat indicator, or assistance relating to the
prevention, investigation, or mitigation of a cybersecurity
threat, for cybersecurity purposes under this Act.
(2) Applicability.--Paragraph (1) shall apply only to
information that is exchanged or assistance provided in order
to assist with--
(A) facilitating the prevention, investigation, or
mitigation of a cybersecurity threat to an information
system or information that is stored on, processed by,
or transiting an information system; or
(B) communicating or disclosing a cyber threat
indicator to help prevent, investigate, or mitigate the
effect of a cybersecurity threat to an information
system or information that is stored on, processed by,
or transiting an information system.
(f) No Right or Benefit.--The sharing of a cyber threat indicator
with an entity under this Act shall not create a right or benefit to
similar information by such entity or any other entity.
SEC. 5. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES WITH
THE FEDERAL GOVERNMENT.
(a) Requirement for Policies and Procedures.--
(1) Interim policies and procedures.--Not later than 60
days after the date of the enactment of this Act, the Attorney
General, in coordination with the heads of the appropriate
Federal entities, shall develop and submit to Congress interim
policies and procedures relating to the receipt of cyber threat
indicators and defensive measures by the Federal Government.
(2) Final policies and procedures.--Not later than 180 days
after the date of the enactment of this Act, the Attorney
General shall, in coordination with the heads of the
appropriate Federal entities, promulgate final policies and
procedures relating to the receipt of cyber threat indicators
and defensive measures by the Federal Government.
(3) Requirements concerning policies and procedures.--
Consistent with the guidelines required by subsection (b), the
policies and procedures developed and promulgated under this
subsection shall--
(A) ensure that cyber threat indicators are shared
with the Federal Government by any entity pursuant to
section 4(c) through the real-time process described in
subsection (c) of this section--
(i) are shared in an automated manner with
all of the appropriate Federal entities;
(ii) are not subject to any delay,
modification, or any other action that could
impede real-time receipt by all of the
appropriate Federal entities; and
(iii) may be provided to other Federal
entities;
(B) ensure that cyber threat indicators shared with
the Federal Government by any entity pursuant to
section 4 in a manner other than the real-time process
described in subsection (c) of this section--
(i) are shared as quickly as operationally
practicable with all of the appropriate Federal
entities;
(ii) are not subject to any unnecessary
delay, interference, or any other action that
could impede receipt by all of the appropriate
Federal entities; and
(iii) may be provided to other Federal
entities;
(C) consistent with this Act, any other applicable
provisions of law, and the fair information practice
principles set forth in appendix A of the document
entitled ``National Strategy for Trusted Identities in
Cyberspace'' and published by the President in April
2011, govern the retention, use, and dissemination by
the Federal Government of cyber threat indicators
shared with the Federal Government under this Act,
including the extent, if any, to which such cyber
threat indicators may be used by the Federal
Government; and
(D) ensure there is--
(i) an audit capability; and
(ii) appropriate sanctions in place for
officers, employees, or agents of a Federal
entity who knowingly and willfully conduct
activities under this Act in an unauthorized
manner.
(4) Guidelines for entities sharing cyber threat indicators
with federal government.--
(A) In general.--Not later than 60 days after the
date of the enactment of this Act, the Attorney General
shall develop and make publicly available guidance to
assist entities and promote sharing of cyber threat
indicators with Federal entities under this Act.
(B) Contents.--The guidelines developed and made
publicly available under subparagraph (A) shall include
guidance on the following:
(i) Identification of types of information
that would qualify as a cyber threat indicator
under this Act that would be unlikely to
include personal information of or identifying
a specific person not directly related to a
cyber security threat.
(ii) Identification of types of information
protected under otherwise applicable privacy
laws that are unlikely to be directly related
to a cybersecurity threat.
(iii) Such other matters as the Attorney
General considers appropriate for entities
sharing cyber threat indicators with Federal
entities under this Act.
(b) Privacy and Civil Liberties.--
(1) Guidelines of attorney general.--Not later than 60 days
after the date of the enactment of this Act, the Attorney
General shall, in coordination with heads of the appropriate
Federal entities and in consultation with officers designated
under section 1062 of the National Security Intelligence Reform
Act of 2004 (42 U.S.C. 2000ee-1), develop, submit to Congress,
and make available to the public interim guidelines relating to
privacy and civil liberties which shall govern the receipt,
retention, use, and dissemination of cyber threat indicators by
a Federal entity obtained in connection with activities
authorized in this Act.
(2) Final guidelines.--
(A) In general.--Not later than 180 days after the
date of the enactment of this Act, the Attorney General
shall, in coordination with heads of the appropriate
Federal entities and in consultation with officers
designated under section 1062 of the National Security
Intelligence Reform Act of 2004 (42 U.S.C. 2000ee-1)
and such private entities with industry expertise as
the Attorney General considers relevant, promulgate
final guidelines relating to privacy and civil
liberties which shall govern the receipt, retention,
use, and dissemination of cyber threat indicators by a
Federal entity obtained in connection with activities
authorized in this Act.
(B) Periodic review.--The Attorney General shall,
in coordination with heads of the appropriate Federal
entities and in consultation with officers and private
entities described in subparagraph (A), periodically
review the guidelines promulgated under subparagraph
(A).
(3) Content.--The guidelines required by paragraphs (1) and
(2) shall, consistent with the need to protect information
systems from cybersecurity threats and mitigate cybersecurity
threats--
(A) limit the impact on privacy and civil liberties
of activities by the Federal Government under this Act;
(B) limit the receipt, retention, use, and
dissemination of cyber threat indicators containing
personal information of or identifying specific
persons, including by establishing--
(i) a process for the timely destruction of
such information that is known not to be
directly related to uses authorized under this
Act; and
(ii) specific limitations on the length of
any period in which a cyber threat indicator
may be retained;
(C) include requirements to safeguard cyber threat
indicators containing personal information of or
identifying specific persons from unauthorized access
or acquisition, including appropriate sanctions for
activities by officers, employees, or agents of the
Federal Government in contravention of such guidelines;
(D) include procedures for notifying entities and
Federal entities if information received pursuant to
this section is known or determined by a Federal entity
receiving such information not to constitute a cyber
threat indicator;
(E) protect the confidentiality of cyber threat
indicators containing personal information of or
identifying specific persons to the greatest extent
practicable and require recipients to be informed that
such indicators may only be used for purposes
authorized under this Act; and
(F) include steps that may be needed so that
dissemination of cyber threat indicators is consistent
with the protection of classified and other sensitive
national security information.
(c) Capability and Process Within the Department of Homeland
Security.--
(1) In general.--Not later than 90 days after the date of
the enactment of this Act, the Secretary of Homeland Security,
in coordination with the heads of the appropriate Federal
entities, shall develop and implement a capability and process
within the Department of Homeland Security that--
(A) shall accept from any entity in real time cyber
threat indicators and defensive measures, pursuant to
this section;
(B) shall, upon submittal of the certification
under paragraph (2) that such capability and process
fully and effectively operates as described in such
paragraph, be the process by which the Federal
Government receives cyber threat indicators and
defensive measures under this Act that are shared by a
private entity with the Federal Government through
electronic mail or media, an interactive form on an
Internet website, or a real time, automated process
between information systems except--
(i) communications between a Federal entity
and a private entity regarding a previously
shared cyber threat indicator; and
(ii) communications by a regulated entity
with such entity's Federal regulatory authority
regarding a cybersecurity threat;
(C) ensures that all of the appropriate Federal
entities receive in an automated manner such cyber
threat indicators shared through the real-time process
within the Department of Homeland Security;
(D) is in compliance with the policies, procedures,
and guidelines required by this section; and
(E) does not limit or prohibit otherwise lawful
disclosures of communications, records, or other
information, including--
(i) reporting of known or suspected
criminal activity, by an entity to any other
entity or a Federal entity;
(ii) voluntary or legally compelled
participation in a Federal investigation; and
(iii) providing cyber threat indicators or
defensive measures as part of a statutory or
authorized contractual requirement.
(2) Certification.--Not later than 10 days prior to the
implementation of the capability and process required by
paragraph (1), the Secretary of Homeland Security shall, in
consultation with the heads of the appropriate Federal
entities, certify to Congress whether such capability and
process fully and effectively operates--
(A) as the process by which the Federal Government
receives from any entity a cyber threat indicator or
defensive measure under this Act; and
(B) in accordance with the policies, procedures,
and guidelines developed under this section.
(3) Public notice and access.--The Secretary of Homeland
Security shall ensure there is public notice of, and access to,
the capability and process developed and implemented under
paragraph (1) so that--
(A) any entity may share cyber threat indicators
and defensive measures through such process with the
Federal Government; and
(B) all of the appropriate Federal entities receive
such cyber threat indicators and defensive measures in
real time with receipt through the process within the
Department of Homeland Security.
(4) Other federal entities.--The process developed and
implemented under paragraph (1) shall ensure that other Federal
entities receive in a timely manner any cyber threat indicators
and defensive measures shared with the Federal Government
through such process.
(5) Report on development and implementation.--
(A) In general.--Not later than 60 days after the
date of the enactment of this Act, the Secretary of
Homeland Security shall submit to Congress a report on
the development and implementation of the capability
and process required by paragraph (1), including a
description of such capability and process and the
public notice of, and access to, such process.
(B) Classified annex.--The report required by
subparagraph (A) shall be submitted in unclassified
form, but may include a classified annex.
(d) Information Shared With or Provided to the Federal
Government.--
(1) No waiver of privilege or protection.--The provision of
cyber threat indicators and defensive measures to the Federal
Government under this Act shall not constitute a waiver of any
applicable privilege or protection provided by law, including
trade secret protection.
(2) Proprietary information.--Consistent with section
4(c)(2), a cyber threat indicator or defensive measure provided
by an entity to the Federal Government under this Act shall be
considered the commercial, financial, and proprietary
information of such entity when so designated by the
originating entity or a third party acting in accordance with
the written authorization of the originating entity.
(3) Exemption from disclosure.--Cyber threat indicators and
defensive measures provided to the Federal Government under
this Act shall be--
(A) deemed voluntarily shared information and
exempt from disclosure under section 552 of title 5,
United States Code, and any State, tribal, or local law
requiring disclosure of information or records; and
(B) withheld, without discretion, from the public
under section 552(b)(3)(B) of title 5, United States
Code, and any State, tribal, or local provision of law
requiring disclosure of information or records.
(4) Ex parte communications.--The provision of a cyber
threat indicator or defensive measure to the Federal Government
under this Act shall not be subject to a rule of any Federal
agency or department or any judicial doctrine regarding ex
parte communications with a decisionmaking official.
(5) Disclosure, retention, and use.--
(A) Authorized activities.--Cyber threat indicators
and defensive measures provided to the Federal
Government under this Act may be disclosed to, retained
by, and used by, consistent with otherwise applicable
provisions of Federal law, any Federal agency or
department, component, officer, employee, or agent of
the Federal Government solely for--
(i) a cybersecurity purpose;
(ii) the purpose of identifying a
cybersecurity threat, including the source of
such cybersecurity threat, or a security
vulnerability;
(iii) the purpose of identifying a
cybersecurity threat involving the use of an
information system by a foreign adversary or
terrorist;
(iv) the purpose of responding to, or
otherwise preventing or mitigating, an imminent
threat of death, serious bodily harm, or
serious economic harm, including a terrorist
act or a use of a weapon of mass destruction;
(v) the purpose of responding to, or
otherwise preventing or mitigating, a serious
threat to a minor, including sexual
exploitation and threats to physical safety; or
(vi) the purpose of preventing,
investigating, disrupting, or prosecuting an
offense arising out of a threat described in
clause (iv) or any of the offenses listed in--
(I) section 3559(c)(2)(F) of title
18, United States Code (relating to
serious violent felonies);
(II) sections 1028 through 1030 of
such title (relating to fraud and
identity theft);
(III) chapter 37 of such title
(relating to espionage and censorship);
and
(IV) chapter 90 of such title
(relating to protection of trade
secrets).
(B) Prohibited activities.--Cyber threat indicators
and defensive measures provided to the Federal
Government under this Act shall not be disclosed to,
retained by, or used by any Federal agency or
department for any use not permitted under subparagraph
(A).
(C) Privacy and civil liberties.--Cyber threat
indicators and defensive measures provided to the
Federal Government under this Act shall be retained,
used, and disseminated by the Federal Government--
(i) in accordance with the policies,
procedures, and guidelines required by
subsections (a) and (b);
(ii) in a manner that protects from
unauthorized use or disclosure any cyber threat
indicators that may contain personal
information of or identifying specific persons;
and
(iii) in a manner that protects the
confidentiality of cyber threat indicators
containing personal information of or
identifying a specific person.
(D) Federal regulatory authority.--
(i) In general.--Except as provided in
clause (ii), cyber threat indicators and
defensive measures provided to the Federal
Government under this Act shall not be directly
used by any Federal, State, tribal, or local
government to regulate, including an
enforcement action, the lawful activities of
any entity, including activities relating to
monitoring, operating defensive measures, or
sharing cyber threat indicators.
(ii) Exceptions.--
(I) Regulatory authority
specifically relating to prevention or
mitigation of cybersecurity threats.--
Cyber threat indicators and defensive
measures provided to the Federal
Government under this Act may,
consistent with Federal or State
regulatory authority specifically
relating to the prevention or
mitigation of cybersecurity threats to
information systems, inform the
development or implementation of
regulations relating to such
information systems.
(II) Procedures developed and
implemented under this act.--Clause (i)
shall not apply to procedures developed
and implemented under this Act.
SEC. 6. PROTECTION FROM LIABILITY.
(a) Monitoring of Information Systems.--No cause of action shall
lie or be maintained in any court against any private entity, and such
action shall be promptly dismissed, for the monitoring of information
systems and information under section 4(a) that is conducted in
accordance with this Act.
(b) Sharing or Receipt of Cyber Threat Indicators.--No cause of
action shall lie or be maintained in any court against any entity, and
such action shall be promptly dismissed, for the sharing or receipt of
cyber threat indicators or defensive measures under section 4(c) if--
(1) such sharing or receipt is conducted in accordance with
this Act; and
(2) in a case in which a cyber threat indicator or
defensive measure is shared with the Federal Government, the
cyber threat indicator or defensive measure is shared in a
manner that is consistent with section 5(c)(1)(B) and the
sharing or receipt, as the case may be, occurs after the
earlier of--
(A) the date on which the interim policies and
procedures are submitted to Congress under section
5(a)(1); or
(B) the date that is 60 days after the date of the
enactment of this Act.
(c) Construction.--Nothing in this section shall be construed--
(1) to require dismissal of a cause of action against an
entity that has engaged in gross negligence or willful
misconduct in the course of conducting activities authorized by
this Act; or
(2) to undermine or limit the availability of otherwise
applicable common law or statutory defenses.
SEC. 7. OVERSIGHT OF GOVERNMENT ACTIVITIES.
(a) Biennial Report on Implementation.--
(1) In general.--Not later than 1 year after the date of
the enactment of this Act, and not less frequently than once
every 2 years thereafter, the heads of the appropriate Federal
entities shall jointly submit and the Inspector General of the
Department of Homeland Security, the Inspector General of the
Intelligence Community, the Inspector General of the Department
of Justice, the Inspector General of the Department of Defense,
and the Inspector General of the Department of Energy, in
consultation with the Council of Inspectors General on
Financial Oversight, shall jointly submit to Congress a
detailed report concerning the implementation of this Act.
(2) Contents.--Each report submitted under paragraph (1)
shall include the following:
(A) An assessment of the sufficiency of the
policies, procedures, and guidelines required by
section 5 in ensuring that cyber threat indicators are
shared effectively and responsibly within the Federal
Government.
(B) An evaluation of the effectiveness of real-time
information sharing through the capability and process
developed under section 5(c), including any impediments
to such real-time sharing.
(C) An assessment of the sufficiency of the
procedures developed under section 3 in ensuring that
cyber threat indicators in the possession of the
Federal Government are shared in a timely and adequate
manner with appropriate entities, or, if appropriate,
are made publicly available.
(D) An assessment of whether cyber threat
indicators have been properly classified and an
accounting of the number of security clearances
authorized by the Federal Government for the purposes
of this Act.
(E) A review of the type of cyber threat indicators
shared with the Federal Government under this Act,
including the following:
(i) The degree to which such information
may impact the privacy and civil liberties of
specific persons.
(ii) A quantitative and qualitative
assessment of the impact of the sharing of such
cyber threat indicators with the Federal
Government on privacy and civil liberties of
specific persons.
(iii) The adequacy of any steps taken by
the Federal Government to reduce such impact.
(F) A review of actions taken by the Federal
Government based on cyber threat indicators shared with
the Federal Government under this Act, including the
appropriateness of any subsequent use or dissemination
of such cyber threat indicators by a Federal entity
under section 5.
(G) A description of any significant violations of
the requirements of this Act by the Federal Government.
(H) A summary of the number and type of entities
that received classified cyber threat indicators from
the Federal Government under this Act and an evaluation
of the risks and benefits of sharing such cyber threat
indicators.
(3) Recommendations.--Each report submitted under paragraph
(1) may include recommendations for improvements or
modifications to the authorities and processes under this Act.
(4) Form of report.--Each report required by paragraph (1)
shall be submitted in unclassified form, but may include a
classified annex.
(b) Reports on Privacy and Civil Liberties.--
(1) Biennial report from privacy and civil liberties
oversight board.--Not later than 2 years after the date of the
enactment of this Act and not less frequently than once every 2
years thereafter, the Privacy and Civil Liberties Oversight
Board shall submit to Congress and the President a report
providing--
(A) an assessment of the effect on privacy and
civil liberties by the type of activities carried out
under this Act; and
(B) an assessment of the sufficiency of the
policies, procedures, and guidelines established
pursuant to section 5 in addressing concerns relating
to privacy and civil liberties.
(2) Biennial report of inspectors general.--
(A) In general.--Not later than 2 years after the
date of the enactment of this Act and not less
frequently than once every 2 years thereafter, the
Inspector General of the Department of Homeland
Security, the Inspector General of the Intelligence
Community, the Inspector General of the Department of
Justice, the Inspector General of the Department of
Defense, and the Inspector General of the Department of
Energy shall, in consultation with the Council of
Inspectors General on Financial Oversight, jointly
submit to Congress a report on the receipt, use, and
dissemination of cyber threat indicators and defensive
measures that have been shared with Federal entities
under this Act.
(B) Contents.--Each report submitted under
subparagraph (A) shall include the following:
(i) A review of the types of cyber threat
indicators shared with Federal entities.
(ii) A review of the actions taken by
Federal entities as a result of the receipt of
such cyber threat indicators.
(iii) A list of Federal entities receiving
such cyber threat indicators.
(iv) A review of the sharing of such cyber
threat indicators among Federal entities to
identify inappropriate barriers to sharing
information.
(3) Recommendations.--Each report submitted under this
subsection may include such recommendations as the Privacy and
Civil Liberties Oversight Board, with respect to a report
submitted under paragraph (1), or the Inspectors General
referred to in paragraph (2)(A), with respect to a report
submitted under paragraph (2), may have for improvements or
modifications to the authorities under this Act.
(4) Form.--Each report required under this subsection shall
be submitted in unclassified form, but may include a classified
annex.
SEC. 8. CONSTRUCTION AND PREEMPTION.
(a) Otherwise Lawful Disclosures.--Nothing in this Act shall be
construed--
(1) to limit or prohibit otherwise lawful disclosures of
communications, records, or other information, including
reporting of known or suspected criminal activity, by an entity
to any other entity or the Federal Government under this Act;
or
(2) to limit or prohibit otherwise lawful use of such
disclosures by any Federal entity, even when such otherwise
lawful disclosures duplicate or replicate disclosures made
under this Act.
(b) Whistle Blower Protections.--Nothing in this Act shall be
construed to prohibit or limit the disclosure of information protected
under section 2302(b)(8) of title 5, United States Code (governing
disclosures of illegality, waste, fraud, abuse, or public health or
safety threats), section 7211 of title 5, United States Code (governing
disclosures to Congress), section 1034 of title 10, United States Code
(governing disclosure to Congress by members of the military), section
1104 of the National Security Act of 1947 (50 U.S.C. 3234) (governing
disclosure by employees of elements of the intelligence community), or
any similar provision of Federal or State law.
(c) Protection of Sources and Methods.--Nothing in this Act shall
be construed--
(1) as creating any immunity against, or otherwise
affecting, any action brought by the Federal Government, or any
agency or department thereof, to enforce any law, executive
order, or procedure governing the appropriate handling,
disclosure, or use of classified information;
(2) to affect the conduct of authorized law enforcement or
intelligence activities; or
(3) to modify the authority of a department or agency of
the Federal Government to protect classified information and
sources and methods and the national security of the United
States.
(d) Relationship to Other Laws.--Nothing in this Act shall be
construed to affect any requirement under any other provision of law
for an entity to provide information to the Federal Government.
(e) Prohibited Conduct.--Nothing in this Act shall be construed to
permit price-fixing, allocating a market between competitors,
monopolizing or attempting to monopolize a market, boycotting, or
exchanges of price or cost information, customer lists, or information
regarding future competitive planning.
(f) Information Sharing Relationships.--Nothing in this Act shall
be construed--
(1) to limit or modify an existing information sharing
relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship
between any entity and the Federal Government; or
(4) to require the use of the capability and process within
the Department of Homeland Security developed under section
5(c).
(g) Preservation of Contractual Obligations and Rights.--Nothing in
this Act shall be construed--
(1) to amend, repeal, or supersede any current or future
contractual agreement, terms of service agreement, or other
contractual relationship between any entities, or between any
entity and a Federal entity; or
(2) to abrogate trade secret or intellectual property
rights of any entity or Federal entity.
(h) Anti-Tasking Restriction.--Nothing in this Act shall be
construed to permit the Federal Government--
(1) to require an entity to provide information to the
Federal Government;
(2) to condition the sharing of cyber threat indicators
with an entity on such entity's provision of cyber threat
indicators to the Federal Government; or
(3) to condition the award of any Federal grant, contract,
or purchase on the provision of a cyber threat indicator to a
Federal entity.
(i) No Liability for Non-Participation.--Nothing in this Act shall
be construed to subject any entity to liability for choosing not to
engage in the voluntary activities authorized in this Act.
(j) Use and Retention of Information.--Nothing in this Act shall be
construed to authorize, or to modify any existing authority of, a
department or agency of the Federal Government to retain or use any
information shared under this Act for any use other than permitted in
this Act.
(k) Federal Preemption.--
(1) In general.--This Act supersedes any statute or other
provision of law of a State or political subdivision of a State
that restricts or otherwise expressly regulates an activity
authorized under this Act.
(2) State law enforcement.--Nothing in this Act shall be
construed to supersede any statute or other provision of law of
a State or political subdivision of a State concerning the use
of authorized law enforcement practices and procedures.
(l) Regulatory Authority.--Nothing in this Act shall be construed--
(1) to authorize the promulgation of any regulations not
specifically authorized by this Act;
(2) to establish or limit any regulatory authority not
specifically established or limited under this Act; or
(3) to authorize regulatory actions that would duplicate or
conflict with regulatory requirements, mandatory standards, or
related processes under another provision of Federal law.
(m) Authority of Secretary of Defense To Respond to Cyber
Attacks.--Nothing in this Act shall be construed to limit the authority
of the Secretary of Defense to develop, prepare, coordinate, or, when
authorized by the President to do so, conduct a military cyber
operation in response to a malicious cyber activity carried out against
the United States or a United States person by a foreign government or
an organization sponsored by a foreign government or a terrorist
organization.
SEC. 9. REPORT ON CYBERSECURITY THREATS.
(a) Report Required.--Not later than 180 days after the date of the
enactment of this Act, the Director of National Intelligence, in
coordination with the heads of other appropriate elements of the
intelligence community, shall submit to the Select Committee on
Intelligence of the Senate and the Permanent Select Committee on
Intelligence of the House of Representatives a report on cybersecurity
threats, including cyber attacks, theft, and data breaches.
(b) Contents.--The report required by subsection (a) shall include
the following:
(1) An assessment of the current intelligence sharing and
cooperation relationships of the United States with other
countries regarding cybersecurity threats, including cyber
attacks, theft, and data breaches, directed against the United
States and which threaten the United States national security
interests and economy and intellectual property, specifically
identifying the relative utility of such relationships, which
elements of the intelligence community participate in such
relationships, and whether and how such relationships could be
improved.
(2) A list and an assessment of the countries and nonstate
actors that are the primary threats of carrying out a
cybersecurity threat, including a cyber attack, theft, or data
breach, against the United States and which threaten the United
States national security, economy, and intellectual property.
(3) A description of the extent to which the capabilities
of the United States Government to respond to or prevent
cybersecurity threats, including cyber attacks, theft, or data
breaches, directed against the United States private sector are
degraded by a delay in the prompt notification by private
entities of such threats or cyber attacks, theft, and breaches.
(4) An assessment of additional technologies or
capabilities that would enhance the ability of the United
States to prevent and to respond to cybersecurity threats,
including cyber attacks, theft, and data breaches.
(5) An assessment of any technologies or practices utilized
by the private sector that could be rapidly fielded to assist
the intelligence community in preventing and responding to
cybersecurity threats.
(c) Form of Report.--The report required by subsection (a) shall be
made available in classified and unclassified forms.
(d) Intelligence Community Defined.--In this section, the term
``intelligence community'' has the meaning given that term in section 3
of the National Security Act of 1947 (50 U.S.C. 3003).
SEC. 10. CONFORMING AMENDMENTS.
(a) Public Information.--Section 552(b) of title 5, United States
Code, is amended--
(1) in paragraph (8), by striking ``or'' at the end;
(2) in paragraph (9), by striking ``wells.'' and inserting
``wells; or''; and
(3) by inserting after paragraph (9) the following:
``(10) information shared with or provided to the Federal
Government pursuant to the Cybersecurity Information Sharing
Act of 2015.''.
(b) Modification of Limitation on Dissemination of Certain
Information Concerning Penetrations of Defense Contractor Networks.--
Section 941(c)(3) of the National Defense Authorization Act for Fiscal
Year 2013 (Public Law 112-239; 10 U.S.C. 2224 note) is amended by
inserting at the end the following: ``The Secretary may share such
information with other Federal entities if such information consists of
cyber threat indicators and defensive measures and such information is
shared consistent with the policies and procedures promulgated by the
Attorney General under section 5 of the Cybersecurity Information
Sharing Act of 2015.''.