Calendar No. 207 115th CONGRESS 1st Session S. 1761 To authorize appropriations for fiscal year 2018 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. _______________________________________________________________________ IN THE SENATE OF THE UNITED STATES August 18, 2017 Mr. Burr, from the Select Committee on Intelligence of the Senate, reported, under authority of the order of the Senate of August 3, 2017, the following original bill; which was read twice and placed on the calendar _______________________________________________________________________ A BILL To authorize appropriations for fiscal year 2018 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) Short Title.--This Act may be cited as the ``Intelligence Authorization Act for Fiscal Year 2018''. (b) Table of Contents.--The table of contents for this Act is as follows: Sec. 1. Short title; table of contents. Sec. 2. Definitions. TITLE I--INTELLIGENCE ACTIVITIES Sec. 101. Authorization of appropriations. Sec. 102. Classified Schedule of Authorizations. Sec. 103. Personnel ceiling adjustments. Sec. 104. Intelligence Community Management Account. TITLE II--CENTRAL INTELLIGENCE AGENCY RETIREMENT AND DISABILITY SYSTEM Sec. 201. Authorization of appropriations. TITLE III--GENERAL INTELLIGENCE COMMUNITY MATTERS Sec. 301. Restriction on conduct of intelligence activities. Sec. 302. Increase in employee compensation and benefits authorized by law. Sec. 303. Modification of special pay authority for science, technology, engineering, or mathematics positions and addition of special pay authority for cyber positions. Sec. 304. Director of National Intelligence review of placement of positions within the intelligence community on the Executive Schedule. Sec. 305. Modification of appointment of Chief Information Officer of the Intelligence Community. Sec. 306. Supply Chain and Counterintelligence Risk Management Task Force. Sec. 307. Inspector General of the Intelligence Community auditing authority. Sec. 308. Inspectors General studies on classification. TITLE IV--MATTERS RELATING TO ELEMENTS OF THE INTELLIGENCE COMMUNITY Subtitle A--Office of the Director of National Intelligence Sec. 401. Authority for the protection of current and former employees of the Office of the Director of National Intelligence. Sec. 402. Information sharing with State election officials. Sec. 403. Technical modification to the Executive Schedule. Sec. 404. Modification to the designation of the program manager- information sharing environment. Subtitle B--Central Intelligence Agency Sec. 411. Repeal of foreign language proficiency requirement for certain senior level positions in the Central Intelligence Agency. Subtitle C--Other Elements Sec. 421. Designation of the Counterintelligence Directorate of the Defense Security Service as an element of the intelligence community. TITLE V--SECURING ENERGY INFRASTRUCTURE Sec. 501. Short title. Sec. 502. Definitions. Sec. 503. Pilot program for securing energy infrastructure. Sec. 504. Working group to evaluate program standards and develop strategy. Sec. 505. Reports on the Program. Sec. 506. No new regulatory authority for Federal agencies. Sec. 507. Exemption from disclosure. Sec. 508. Protection from liability. Sec. 509. Authorization of appropriations. TITLE VI--REPORTS AND OTHER MATTERS Sec. 601. Technical correction to Inspector General study. Sec. 602. Governance for security clearance, suitability and fitness for employment, and credentialing. Sec. 603. Process for security clearances. Sec. 604. Reports on the vulnerabilities equities policy and process of the Federal Government. Sec. 605. Bug bounty programs. Sec. 606. Report on cyber attacks by foreign governments against United States election infrastructure. Sec. 607. Review of intelligence community's posture to collect against and analyze Russian efforts to influence the presidential election. Sec. 608. Assessment of foreign intelligence threats to Federal elections. Sec. 609. Strategy for countering Russian cyber threats to United States elections. Sec. 610. Limitation relating to establishment or support of cyber security unit with the Government of Russia. Sec. 611. Report on returning Russian compounds. Sec. 612. Intelligence community assessment on threat of Russian money laundering to the United States. Sec. 613. Notification of an active measures campaign. Sec. 614. Notification of travel by accredited diplomatic and consular personnel of the Russian Federation in the United States. Sec. 615. Modification of certain reporting requirement on travel of foreign diplomats. Sec. 616. Semiannual report on referrals to Department of Justice by elements of the intelligence community regarding unauthorized disclosure of classified information. Sec. 617. Notifications of designation of an intelligence officer as a persona non grata. Sec. 618. Biennial report on foreign investment risks. Sec. 619. Report on surveillance by foreign governments against United States telecommunications networks. Sec. 620. Reports on authorities of the Chief Intelligence Officer of the Department of Homeland Security. Sec. 621. Report on geospatial commercial activities for basic and applied research and development. Sec. 622. Technical amendments related to the Department of Energy. Sec. 623. Sense of Congress on WikiLeaks. SEC. 2. DEFINITIONS. In this Act: (1) Congressional intelligence committees.--The term ``congressional intelligence committees'' means-- (A) the Select Committee on Intelligence of the Senate; and (B) the Permanent Select Committee on Intelligence of the House of Representatives. (2) Intelligence community.--The term ``intelligence community'' has the meaning given that term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003). TITLE I--INTELLIGENCE ACTIVITIES SEC. 101. AUTHORIZATION OF APPROPRIATIONS. Funds are hereby authorized to be appropriated for fiscal year 2018 for the conduct of the intelligence and intelligence-related activities of the following elements of the United States Government: (1) The Office of the Director of National Intelligence. (2) The Central Intelligence Agency. (3) The Department of Defense. (4) The Defense Intelligence Agency. (5) The National Security Agency. (6) The Department of the Army, the Department of the Navy, and the Department of the Air Force. (7) The Coast Guard. (8) The Department of State. (9) The Department of the Treasury. (10) The Department of Energy. (11) The Department of Justice. (12) The Federal Bureau of Investigation. (13) The Drug Enforcement Administration. (14) The National Reconnaissance Office. (15) The National Geospatial-Intelligence Agency. (16) The Department of Homeland Security. SEC. 102. CLASSIFIED SCHEDULE OF AUTHORIZATIONS. (a) Specifications of Amounts.--The amounts authorized to be appropriated under section 101 and, subject to section 103, the authorized personnel ceilings as of September 30, 2018, for the conduct of the intelligence activities of the elements listed in paragraphs (1) through (16) of section 101, are those specified in the classified Schedule of Authorizations prepared to accompany this Act. (b) Availability of Classified Schedule of Authorizations.-- (1) Availability.--The classified Schedule of Authorizations referred to in subsection (a) shall be made available to the Committee on Appropriations of the Senate, the Committee on Appropriations of the House of Representatives, and the President. (2) Distribution by the president.--Subject to paragraph (3), the President shall provide for suitable distribution of the classified Schedule of Authorizations referred to in subsection (a), or of appropriate portions of such Schedule, within the executive branch. (3) Limits on disclosure.--The President shall not publicly disclose the classified Schedule of Authorizations or any portion of such Schedule except-- (A) as provided in section 601(a) of the Implementing Recommendations of the 9/11 Commission Act of 2007 (50 U.S.C. 3306(a)); (B) to the extent necessary to implement the budget; or (C) as otherwise required by law. SEC. 103. PERSONNEL CEILING ADJUSTMENTS. (a) Authority for Increases.--The Director of National Intelligence may authorize employment of civilian personnel in excess of the number authorized for fiscal year 2018 by the classified Schedule of Authorizations referred to in section 102(a) if the Director of National Intelligence determines that such action is necessary to the performance of important intelligence functions, except that the number of personnel employed in excess of the number authorized under such section may not, for any element of the intelligence community, exceed-- (1) 3 percent of the number of civilian personnel authorized under such schedule for such element; or (2) 10 percent of the number of civilian personnel authorized under such schedule for such element for the purposes of converting the performance of any function by contractors to performance by civilian personnel. (b) Treatment of Certain Personnel.--The Director of National Intelligence shall establish guidelines that govern, for each element of the intelligence community, the treatment under the personnel levels authorized under section 102(a), including any exemption from such personnel levels, of employment or assignment in-- (1) a student program, trainee program, or similar program; (2) a reserve corps or as a reemployed annuitant; or (3) details, joint duty, or long-term, full-time training. (c) Notice to Congressional Intelligence Committees.--Not later than 15 days prior to the exercise of an authority described in subsection (a), the Director of National Intelligence shall submit to the congressional intelligence committees-- (1) a written notice of the exercise of such authority; and (2) in the case of an exercise of such authority subject to the limitation in subsection (a)(2), a written justification for the contractor conversion that includes a comparison of whole of government costs. SEC. 104. INTELLIGENCE COMMUNITY MANAGEMENT ACCOUNT. (a) Authorization of Appropriations.--There is authorized to be appropriated for the Intelligence Community Management Account of the Director of National Intelligence for fiscal year 2018 the sum of $550,200,000. Within such amount, funds identified in the classified Schedule of Authorizations referred to in section 102(a) for advanced research and development shall remain available until September 30, 2019. (b) Authorized Personnel Levels.--The elements within the Intelligence Community Management Account of the Director of National Intelligence are authorized 797 positions as of September 30, 2018. Personnel serving in such elements may be permanent employees of the Office of the Director of National Intelligence or personnel detailed from other elements of the United States Government. (c) Classified Authorizations.-- (1) Authorization of appropriations.--In addition to amounts authorized to be appropriated for the Intelligence Community Management Account by subsection (a), there are authorized to be appropriated for the Intelligence Community Management Account for fiscal year 2018 such additional amounts as are specified in the classified Schedule of Authorizations referred to in section 102(a). Such additional amounts made available for advanced research and development shall remain available until September 30, 2019. (2) Authorization of personnel.--In addition to the personnel authorized by subsection (b) for elements of the Intelligence Community Management Account as of September 30, 2018, there are authorized such additional personnel for the Community Management Account as of that date as are specified in the classified Schedule of Authorizations referred to in section 102(a). TITLE II--CENTRAL INTELLIGENCE AGENCY RETIREMENT AND DISABILITY SYSTEM SEC. 201. AUTHORIZATION OF APPROPRIATIONS. There is authorized to be appropriated for the Central Intelligence Agency Retirement and Disability Fund for fiscal year 2018 the sum of $514,000,000. TITLE III--GENERAL INTELLIGENCE COMMUNITY MATTERS SEC. 301. RESTRICTION ON CONDUCT OF INTELLIGENCE ACTIVITIES. The authorization of appropriations by this Act shall not be deemed to constitute authority for the conduct of any intelligence activity which is not otherwise authorized by the Constitution or the laws of the United States. SEC. 302. INCREASE IN EMPLOYEE COMPENSATION AND BENEFITS AUTHORIZED BY LAW. Appropriations authorized by this Act for salary, pay, retirement, and other benefits for Federal employees may be increased by such additional or supplemental amounts as may be necessary for increases in such compensation or benefits authorized by law. SEC. 303. MODIFICATION OF SPECIAL PAY AUTHORITY FOR SCIENCE, TECHNOLOGY, ENGINEERING, OR MATHEMATICS POSITIONS AND ADDITION OF SPECIAL PAY AUTHORITY FOR CYBER POSITIONS. (a) In General.--Section 113B of the National Security Act of 1947 (50 U.S.C. 3049a) is amended-- (1) by amending subsection (a) to read as follows: ``(a) Special Rates of Pay for Positions Requiring Expertise in Science, Technology, Engineering, or Mathematics.-- ``(1) In general.--Notwithstanding part III of title 5, United States Code, the head of each element of the intelligence community may, for 1 or more categories of positions in such element that require expertise in science, technology, engineering, or mathematics (STEM)-- ``(A) establish higher minimum rates of pay; and ``(B) make corresponding increases in all rates of pay of the pay range for each grade or level, subject to subsection (b) or (c), as applicable. ``(2) Treatment.--The special rate supplements resulting from the establishment of higher rates under paragraph (1) shall be basic pay for the same or similar purposes as those specified in section 5305(j) of title 5, United States Code.''; (2) by striking subsection (f); (3) by redesignating subsections (b) through (e) as subsections (c) through (f), respectively; (4) by inserting after subsection (a) the following: ``(b) Special Rates of Pay for Cyber Positions.-- ``(1) In general.--Notwithstanding subsection (c), the Director of the National Security Agency may establish a special rate of pay-- ``(A) not to exceed the rate of basic pay payable for level II of the Executive Schedule under section 5313 of title 5, United States Code, if the Director certifies to the Under Secretary of Defense for Intelligence, in consultation with the Under Secretary of Defense for Personnel and Readiness, that the rate of pay is for positions that perform functions that execute the cyber mission of the Agency; or ``(B) not to exceed the rate of basic pay payable for the Vice President of the United States under section 104 of title 3, United States Code, if the Director certifies to the Secretary of Defense, by name, individuals that have advanced skills and competencies and that perform critical functions that execute the cyber mission of the Agency. ``(2) Pay limitation.--Employees receiving a special rate under paragraph (1) shall be subject to an aggregate pay limitation that parallels the limitation established in section 5307 of title 5, United States Code, except that-- ``(A) any allowance, differential, bonus, award, or other similar cash payment in addition to basic pay that is authorized under title 10, United States Code, (or any other applicable law in addition to title 5 of such Code, excluding the Fair Labor Standards Act) shall also be counted as part of aggregate compensation; and ``(B) aggregate compensation may not exceed the rate established for the Vice President of the United States under section 104 of title 3, United States Code. ``(3) Limitation on number of recipients.--The number of individuals who receive basic pay established under paragraph (1)(B) may not exceed 100 at any time. ``(4) Limitation on use as comparative reference.-- Notwithstanding any other provision of law, special rates of pay and the limitation established under paragraph (1)(B) may not be used as comparative references for the purpose of fixing the rates of basic pay or maximum pay limitations of qualified positions under section 1599f of title 10, United States Code, or section 226 of the Homeland Security Act of 2002 (6 U.S.C. 147).''; and (5) in subsection (c), as redesignated by paragraph (3), by striking ``A minimum'' and inserting ``Except as provided in subsection (b), a minimum''. (b) Special Rates for Cyber Employees Under Title 5.--Section 5305 of title 5, United States Code, is amended-- (1) in subsection (g)(1), by striking ``subsection (h)'' and inserting ``subsections (h) and (k)''; and (2) by adding at the end the following subsections: ``(k)(1) Notwithstanding the rate limitations set forth in subsections (a)(1) and (g)(2), the Office of Personnel Management may establish under this section a rate of pay that does not exceed the rate of basic pay payable for level II of the Executive Schedule under section 5313 for employees in positions that perform functions that execute a cyber mission and who are certified to have specified skills and competencies. ``(2) Payments under subsection (g)(1) may not be made to an employee receiving a rate of pay established under this section and described in paragraph (1) of this subsection if, or to the extent that, when added to basic pay otherwise payable, such payments would cause the total to exceed the rate of basic pay payable for level II of the Executive Schedule under section 5313. ``(l) An employee who is subject to a reduction or termination of a special rate of pay established under this section due to not maintaining a required skill or competency certification, or due to not obtaining a revised skill or competency certification, shall not be entitled to pay retention under section 5363 based on any resulting reduction in pay.''. SEC. 304. DIRECTOR OF NATIONAL INTELLIGENCE REVIEW OF PLACEMENT OF POSITIONS WITHIN THE INTELLIGENCE COMMUNITY ON THE EXECUTIVE SCHEDULE. The Director of National Intelligence shall conduct a review of positions within the intelligence community regarding the placement of such positions on the Executive Schedule under subchapter II of chapter 53 of title 5, United States Code. In carrying out such review, the Director shall determine-- (1) which positions should or should not be on the Executive Schedule; and (2) for those positions that should be on the Executive Schedule, the level of the Executive Schedule at which such positions should be placed. SEC. 305. MODIFICATION OF APPOINTMENT OF CHIEF INFORMATION OFFICER OF THE INTELLIGENCE COMMUNITY. Section 103G(a) of the National Security Act of 1947 (50 U.S.C. 3032(a)) is amended by striking ``President'' and inserting ``Director''. SEC. 306. SUPPLY CHAIN AND COUNTERINTELLIGENCE RISK MANAGEMENT TASK FORCE. (a) Requirement to Establish.--The Director of National Intelligence shall establish a Supply Chain and Counterintelligence Risk Management Task Force to standardize information sharing between the intelligence community and the acquisition community of the Government of the United States with respect to the supply chain and counterintelligence risks. (b) Members.--The Supply Chain and Counterintelligence Risk Management Task Force shall be composed of-- (1) a representative of the Defense Security Service; (2) a representative of the General Services Administration; (3) a representative of the Office of Federal Procurement Policy of the Office of Management and Budget; and (4) any other members the Director of National Intelligence determines appropriate. (c) Security Clearances.--Each member of the Supply Chain and Counterintelligence Risk Management Task Force shall have a security clearance at the Top Secret and Sensitive Compartmented Information level. (d) Annual Report.--The Supply Chain and Counterintelligence Risk Management Task Force shall submit to the congressional intelligence committees an annual report that describes the activities of the Task Force during the previous year, including identification of the supply chain and counterintelligence risks shared with the acquisition community of the Government of the United States by the intelligence community. SEC. 307. INSPECTOR GENERAL OF THE INTELLIGENCE COMMUNITY AUDITING AUTHORITY. Section 103H(j)(2)(A) of the National Security Act of 1947 (50 U.S.C. 3033(j)(2)(A)) is amended-- (1) by striking ``law and the policies of the Director of National Intelligence,'' and inserting ``law,''; and (2) by striking ``General.'' and inserting ``General and is authorized to obtain the temporary or intermittent services of experts or consultants or an organization thereof.''. SEC. 308. INSPECTORS GENERAL STUDIES ON CLASSIFICATION. (a) Requirement for Study.--Not later than October 1, 2019, each Inspector General listed in subsection (b) shall carry out and submit to the congressional intelligence committees a report on the following: (1) A study of the application of classification and handling markers on a representative sample of finished reports, including compartments. (2) A study analyzing compliance with declassification procedures. (3) A study on reviewing processes for identifying topics of public or historical importance that merit prioritization for a declassification review. (b) Inspectors General.--The Inspectors General listed in this subsection are as follows: (1) The Inspector General of the Intelligence Community. (2) The Inspector General of the Central Intelligence Agency. (3) The Inspector General of the National Security Agency. (4) The Inspector General of the Defense Intelligence Agency. (5) The Inspector General of the National Reconnaissance Office. (6) The Inspector General of the National Geospatial- Intelligence Agency. TITLE IV--MATTERS RELATING TO ELEMENTS OF THE INTELLIGENCE COMMUNITY Subtitle A--Office of the Director of National Intelligence SEC. 401. AUTHORITY FOR THE PROTECTION OF CURRENT AND FORMER EMPLOYEES OF THE OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE. Section 5(a)(4) of the Central Intelligence Agency Act of 1949 (50 U.S.C. 3506(a)(4)) is amended by striking ``such personnel of the Office of the Director of National Intelligence as the Director of National Intelligence may designate;'' and inserting ``current and former personnel of the Office of the Director of National Intelligence and their immediate families as the Director of National Intelligence may designate;''. SEC. 402. INFORMATION SHARING WITH STATE ELECTION OFFICIALS. (a) Security Clearances.-- (1) In general.--Not later than 30 days after the date of the enactment of this Act, the Director of National Intelligence shall sponsor a security clearance up to the top secret level for each eligible chief election official of a State or the District of Columbia, and up to one eligible designee of such an election official, at the time that he or she assumes such position. (2) Determination of levels.-- (A) In general.--The Director shall determine the level of clearances for the positions described in paragraph (1). (B) Interim clearances.--The Director may issue interim clearances, for a period to be determined by the Director, to a chief election official as described in paragraph (1) and up to one designee of such official under such paragraph. (b) Information Sharing.-- (1) In general.--The Director shall share appropriate classified information related to threats to election systems and to the integrity of the election process with chief election officials and such designees who have received a security clearance under subsection (a). (2) Reports.--The Director shall transmit reports on such information sharing to the respective affected Secretary of State or States. (c) State Defined.--In this section, the term ``State'' means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States. SEC. 403. TECHNICAL MODIFICATION TO THE EXECUTIVE SCHEDULE. Section 5313 of title 5, United States Code, is amended by adding at the end the following: ``Director of the National Counterintelligence and Security Center.''. SEC. 404. MODIFICATION TO THE DESIGNATION OF THE PROGRAM MANAGER- INFORMATION SHARING ENVIRONMENT. (a) Information Sharing Environment.--Section 1016(b) of the Intelligence Reform and Terrorism Prevention Act of 2004 (6 U.S.C. 485(b)) is amended-- (1) in paragraph (1), by striking ``President'' and inserting ``Director of National Intelligence''; and (2) in paragraph (2), by striking ``President'' both places that term appears and inserting ``Director of National Intelligence''. (b) Program Manager.--Section 1016(f) of the Intelligence Reform and Terrorism Prevention Act of 2004 (6 U.S.C. 485(f)) is amended by striking ``The individual designated as the program manager shall serve as program manager until removed from service or replaced by the President (at the President's sole discretion).'' and inserting ``Beginning on the date of the enactment of the Intelligence Authorization Act for Fiscal Year 2018, each individual designated as the program manager shall be appointed by the Director of National Intelligence.''. Subtitle B--Central Intelligence Agency SEC. 411. REPEAL OF FOREIGN LANGUAGE PROFICIENCY REQUIREMENT FOR CERTAIN SENIOR LEVEL POSITIONS IN THE CENTRAL INTELLIGENCE AGENCY. (a) Repeal of Foreign Language Proficiency Requirement.--Section 104A of the National Security Act of 1947 (50 U.S.C. 3036) is amended by striking subsection (g). (b) Conforming Repeal of Report Requirement.--Section 611 of the Intelligence Authorization Act for Fiscal Year 2005 (Public Law 108- 487) is amended by striking subsection (c). Subtitle C--Other Elements SEC. 421. DESIGNATION OF THE COUNTERINTELLIGENCE DIRECTORATE OF THE DEFENSE SECURITY SERVICE AS AN ELEMENT OF THE INTELLIGENCE COMMUNITY. (a) Designation.--Paragraph (4) of section 3 of the National Security Act of 1947 (50 U.S.C. 3003(4)) is amended-- (1) by redesignating subparagraphs (H) through (L) as subparagraphs (I) through (M), respectively; and (2) by inserting after subparagraph (G) the following: ``(H) The Counterintelligence Directorate of the Defense Security Service of the Department of Defense.''. (b) Application of Laws, Regulations, Rules, and Policies.-- Beginning on the date of the enactment of this Act, any law, regulation, rule, or policy that applies to the elements of the intelligence community, as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3303), shall apply to the Counterintelligence Directorate of the Defense Security Service of the Department of Defense. TITLE V--SECURING ENERGY INFRASTRUCTURE SEC. 501. SHORT TITLE. This title may be cited as the ``Securing Energy Infrastructure Act of 2017''. SEC. 502. DEFINITIONS. In this title: (1) Covered entity.--The term ``covered entity'' means an entity identified pursuant to section 9(a) of Executive Order 13636 of February 12, 2013 (78 Fed. Reg. 11742) relating to identification of critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. (2) Director.--Except as otherwise specifically provided, the term ``Director'' means the Director of Intelligence and Counterintelligence of the Department of Energy. (3) Exploit.--The term ``exploit'' means a software tool designed to take advantage of a security vulnerability. (4) Industrial control system.-- (A) In general.--The term ``industrial control system'' means an operational technology used to measure, control, or manage industrial functions. (B) Inclusions.--The term ``industrial control system'' includes supervisory control and data acquisition systems, distributed control systems, and programmable logic or embedded controllers. (5) National laboratory.--The term ``National Laboratory'' has the meaning given the term in section 2 of the Energy Policy Act of 2005 (42 U.S.C. 15801). (6) Program.--The term ``Program'' means the pilot program established under section 503. (7) Security vulnerability.--The term ``security vulnerability'' means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control. SEC. 503. PILOT PROGRAM FOR SECURING ENERGY INFRASTRUCTURE. Not later than 180 days after the date of enactment of this title, the Director shall establish a 2-year control systems implementation pilot program within the National Laboratories for the purposes of-- (1) partnering with covered entities in the energy sector (including critical component manufacturers in the supply chain) that voluntarily participate in the Program to identify new classes of security vulnerabilities of the covered entities; and (2) researching, developing, testing, and implementing technology platforms and standards, in partnership with covered entities, to isolate and defend industrial control systems of covered entities from security vulnerabilities and exploits in the most critical systems of the covered entities, including-- (A) analog and nondigital control systems; (B) purpose-built control systems; and (C) physical controls. SEC. 504. WORKING GROUP TO EVALUATE PROGRAM STANDARDS AND DEVELOP STRATEGY. (a) Establishment.--The Director shall establish a working group-- (1) to evaluate the technology platforms and standards used in the Program under section 503(2); and (2) to develop a national cyber-informed engineering strategy to isolate and defend covered entities from security vulnerabilities and exploits in the most critical systems of the covered entities. (b) Membership.--The working group established under subsection (a) shall be composed of not fewer than 10 members, to be appointed by the Director, at least 1 member of which shall represent each of the following: (1) The Department of Energy. (2) The energy industry, including electric utilities and manufacturers recommended by the Energy Sector coordinating councils. (3)(A) The Department of Homeland Security; or (B) the Industrial Control Systems Cyber Emergency Response Team. (4) The North American Electric Reliability Corporation. (5) The Nuclear Regulatory Commission. (6)(A) The Office of the Director of National Intelligence; or (B) the intelligence community (as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)). (7)(A) The Department of Defense; or (B) the Assistant Secretary of Defense for Homeland Security and America's Security Affairs. (8) A State or regional energy agency. (9) A national research body or academic institution. (10) The National Laboratories. SEC. 505. REPORTS ON THE PROGRAM. (a) Interim Report.--Not later than 180 days after the date on which funds are first disbursed under the Program, the Director shall submit to the appropriate committees of Congress an interim report that-- (1) describes the results of the Program; (2) includes an analysis of the feasibility of each method studied under the Program; and (3) describes the results of the evaluations conducted by the working group established under section 504(a). (b) Final Report.--Not later than 2 years after the date on which funds are first disbursed under the Program, the Director shall submit to the appropriate committees of Congress a final report that-- (1) describes the results of the Program; (2) includes an analysis of the feasibility of each method studied under the Program; and (3) describes the results of the evaluations conducted by the working group established under section 504(a). (c) Appropriate Committees of Congress Defined.--In this section, the term ``appropriate committees of Congress'' means-- (1) the congressional intelligence committees; (2) the Committee on Energy and Natural Resources of the Senate; and (3) the Committee on Energy and Commerce of the House of Representatives. SEC. 506. NO NEW REGULATORY AUTHORITY FOR FEDERAL AGENCIES. Nothing in this title authorizes the Director or the head of any other Federal agency to issue new regulations. SEC. 507. EXEMPTION FROM DISCLOSURE. Information shared by or with the Federal Government or a State, tribal, or local government under this title shall be-- (1) deemed to be voluntarily shared information; and (2) exempt from disclosure under any provision of Federal, State, tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring the disclosure of information or records. SEC. 508. PROTECTION FROM LIABILITY. (a) In General.--A cause of action against a covered entity for engaging in the voluntary activities authorized under section 503-- (1) shall not lie or be maintained in any court; and (2) shall be promptly dismissed by the applicable court. (b) Voluntary Activities.--Nothing in this title subjects any covered entity to liability for not engaging in the voluntary activities authorized under section 503. SEC. 509. AUTHORIZATION OF APPROPRIATIONS. (a) Pilot Program.--There is authorized to be appropriated $10,000,000 to carry out section 503. (b) Working Group and Report.--There is authorized to be appropriated $1,500,000 to carry out sections 504 and 505. (c) Availability.--Amounts made available under subsections (a) and (b) shall remain available until expended. TITLE VI--REPORTS AND OTHER MATTERS SEC. 601. TECHNICAL CORRECTION TO INSPECTOR GENERAL STUDY. Section 11001(d) of title 5, United States Code, is amended-- (1) in the subsection heading, by striking ``Audit'' and inserting ``Review''; (2) in paragraph (1), by striking ``audit'' and inserting ``review''; and (3) in paragraph (2), by striking ``audit'' and inserting ``review''. SEC. 602. GOVERNANCE FOR SECURITY CLEARANCE, SUITABILITY AND FITNESS FOR EMPLOYMENT, AND CREDENTIALING. (a) Governance Council for Suitability, Credentialing, and Security.-- (1) Establishment.--There is an interagency Security, Suitability, and Credentialing Council (in this section the ``Council''). The Council shall be accountable to the President and to Congress to achieve the goals of the executive branch vetting enterprise. (2) Membership.-- (A) Composition.--The Council shall be composed for the following: (i) One individual who shall be appointed by the Director of the Office of Management and Budget. (ii) The individual serving as the Suitability Executive Agent and the Credentialing Executive Agent pursuant to subsections (b) and (c), respectively. (iii) The individual serving as the Security Executive Agent pursuant to subsection (d)(1). (iv) The Under Secretary of Defense for Intelligence. (v) The Director of the National Background Investigations Bureau. (B) Chairperson.--The Chairperson of the Council shall be the individual appointed under subparagraph (A)(i). The Chairperson shall have authority, direction, and control over the functions of the Council. (3) Functions.--The functions of the Council are as follows: (A) Ensuring enterprise-wide alignment of suitability, security, credentialing, and as appropriate, fitness processes. (B) Holding agencies accountable for the implementation of suitability, security, fitness, and credentialing processes and procedures. (C) Defining requirements for enterprise-wide reciprocity management information technology, and develop standards for enterprise-wide information technology. (D) Working with agencies-- (i) to implement continuous performance improvement programs, policies, and procedures; (ii) to establish annual goals and progress metrics; and (iii) to prepare annual reports on results. (E) Ensuring and overseeing the development of tools and techniques for enhancing background investigations and adjudications. (F) Enabling discussion and consensus resolution of differences in processes, policies, and procedures among the members of the Council, and other agencies as appropriate. (G) Sharing best practices. (H) Advise the Suitability Executive Agent, the Credentialing Executive Agent, and the Security Executive Agent on policies affecting the alignment of investigations and adjudications. (I) Working with agencies to develop agency policies and procedures to enable sharing of vetting information consistent with the law and the protection of privacy and civil liberties and to the extent necessary for enterprise-wide efficiency, effectiveness, and security. (J) Monitoring performance to identify and drive enterprise-level process enhancements, and make recommendations for changes to executive branch-wide guidance and authorities to resolve overlaps or close policy gaps where they may exist. (K) Promoting data-driven, transparent, and expeditious policy-making processes. (L) Developing and continuously reevaluating and revising outcome-based metrics that measure the quality, efficiency and effectiveness of the vetting enterprise. (4) Subordinate bodies.--The Chairperson may establish subordinate entities, mechanisms, and policies to support and assist the Council in carrying out the functions of the Council. (b) Suitability Executive Agent.-- (1) In general.--The Director of the Office of Personnel Management shall serve as the Suitability Executive Agent. (2) Duties.--The duties of the Suitability Executive Agent are as follows: (A) Pursuant to sections 1103 and 1104 of title 5, United States Code, and the Civil Service Rules, to be responsible for suitability and fitness by-- (i) prescribing suitability standards and minimum standards of fitness for employment; (ii) prescribing position designation requirements with regard to the risk to the efficiency and integrity of the service; (iii) prescribing applicable investigative standards, policies, and procedures for suitability and fitness; (iv) prescribing suitability and fitness reciprocity standards; (v) making suitability determinations; and (vi) taking suitability actions. (B) To issue regulations, guidance, and standards to fulfill the Director's responsibilities related to suitability and fitness under Executive Order 13488 of January 16, 2009, as amended. (C) To promote reciprocal recognition of suitability or fitness determinations among the agencies, including acting as the final authority to arbitrate and resolve disputes among the agencies involving the reciprocity of investigations and adjudications of suitability and fitness. (D) To continue to initially approve, and periodically review for renewal, agencies' requests to administer polygraphs in connection with appointment in the competitive service, in consultation with the Security Executive Agent as appropriate. (E) To make a continuing review of agency programs for suitability and fitness vetting to determine whether they are being implemented according to this section. (F) Shall, pursuant to section 1104 of title 5, United States Code, prescribe performance standards and a system of oversight for any suitability or fitness function delegated by the Director to the head of another agency, including uniform and consistent policies and procedures to ensure the effective, efficient, timely, and secure completion of delegated functions. (3) Guidelines and instructions.--The Suitability Executive Agent may issue guidelines and instructions to the heads of agencies to promote appropriate uniformity, centralization, efficiency, effectiveness, reciprocity, timeliness, and security in processes relating to determining suitability or fitness. (c) Credentialing Executive Agent.-- (1) In general.--In addition to serving as the Suitability Executive Agent, the Director of the Office of Personnel Management shall also serve as the Credentialing Executive Agent. (2) Duties.--The duties of the Credentialing Executive Agent are as follows: (A) To develop standards for investigations, reinvestigations, and continuous vetting for a covered individual's eligibility for a PIV credential. (B) To develop adjudicative guidelines for a covered individual's eligibility for a PIV credential. (C) To develop guidelines on reporting and recording determinations of eligibility for a PIV credential. (D) To develop standards for unfavorable determinations of eligibility for a PIV credential, including procedures for denying and revoking the eligibility for a PIV credential, for reconsideration of unfavorable determinations, and for rendering the PIV credential inoperable. (E) To develop standards and procedures for suspending eligibility for a PIV credential when there is a reasonable basis to believe there may be an unacceptable risk pending an inquiry or investigation, including special standards and procedures for imminent risk. (F) To develop uniform and consistent policies and procedures to ensure the effective, efficient, timely, and secure completion of investigations and adjudications relating to eligibility for a PIV credential. (G) To monitor and make a continuing review of agency programs for determining eligibility for a PIV credential to determine whether they are being implemented according to this section. (H) To consult to the extent practicable with other agencies with responsibilities related to PIV credentials to ensure that policies and procedures are consistent with law. (3) Guidelines and instructions.--The Credentialing Executive Agent may develop guidelines and instructions to the heads of agencies as necessary to ensure appropriate uniformity, centralization, efficiency, effectiveness, and timeliness in processes relating to eligibility for a PIV credential. (4) PIV credential defined.--In this subsection, the term ``PIV credential'' means a personal identity verification credential permitting logical and physical access to Federally controlled facilities and Federally controlled information systems. (d) Security Executive Agent.-- (1) In general.--The Director of National Intelligence shall serve as the Security Executive Agent. (2) Duties.--The duties of the Security Executive Agent are as follows: (A) To direct the oversight of investigations, reinvestigations, adjudications, and, as applicable, polygraphs for eligibility for access to classified information or eligibility to hold a sensitive position made by any agency. (B) To make a continuing review of agencies' national security background investigation and adjudication programs to determine whether they are being implemented according to this section. (C) To develop and issue uniform and consistent policies and procedures to ensure the effective, efficient, timely, and secure completion of investigations, polygraphs, and adjudications relating to determinations of eligibility for access to classified information or eligibility to hold a sensitive position. (D) To serve as the final authority to designate an agency or agencies, to the extent that it is not practicable to use the National Background Investigations Bureau, to conduct investigations of persons who are proposed for access to classified information or for eligibility to hold a sensitive position to ascertain whether such persons satisfy the criteria for obtaining and retaining access to classified information or eligibility to hold a sensitive position. (E) To serve as the final authority to designate an agency or agencies to determine eligibility for access to classified information or eligibility to hold a sensitive position in accordance with Executive Order 12968 of August 2, 1995, as amended. (F) To ensure reciprocal recognition of eligibility for access to classified information or eligibility to hold a sensitive position among the agencies, including acting as the final authority to arbitrate and resolve disputes among the agencies involving the reciprocity of investigations and adjudications of eligibility. (3) Authorities.--The Security Executive Agent may-- (A) issue guidelines and instructions to the heads of agencies to ensure appropriate uniformity, centralization, efficiency, effectiveness, timeliness, and security in processes relating to determinations by agencies of eligibility for access to classified information or eligibility to hold a sensitive position, including such matters as investigations, polygraphs, adjudications, and reciprocity; (B) if consistent with the national security, authorize exceptions to or waivers of national security investigative requirements, and may issue implementing or clarifying guidance as necessary; (C) assign, in whole or in part, to the head of any agency (solely or jointly) any of the duties of the Security Executive Agent under paragraph (2) or the authorities in subparagraphs (A) and (B) of this paragraph, with the agency's exercise of such assigned duties or authorities to be subject to the Security Executive Agent's oversight and with such terms and conditions (including approval by the Security Executive Agent) as the Security Executive Agent determines appropriate; and (D) define and set standards for continuous evaluation for continued access to classified information. (e) Preservation of Authority.--Nothing in this section shall be construed to limit the authorities of the Director of the Office of Personnel Management, the Director of National Intelligence, or the Secretary of Defense under any provision of law. SEC. 603. PROCESS FOR SECURITY CLEARANCES. (a) Reviews.--Not later than 180 days after the date of the enactment of this Act, the Director of National Intelligence, acting as the Security Executive Agent in accordance with subsection (d) of section 602, in coordination with the Suitability Executive Agent and the Credentialing Executive Agent who are serving in accordance with subsections (b) and (c) of such section, shall submit to the congressional intelligence committees a report that includes the following: (1) Review and assessment of standards.-- (A) In general.--A review of the relationship among the information requested by the Questionnaire for National Security Positions (Standard Form 86), the application of the Federal Investigative Standards prescribed by the Office of Personnel Management and the Office of the Director of National Intelligence, and the application of the adjudicative guidelines under Security Executive Agent Directive 4 (``National Security Adjudicative Guidelines''). (B) Assessment.--An assessment of whether such Questionnaire, Standards, and guidelines should be revised to account for the prospect of a holder of a security clearance becoming an insider threat. (2) Recommendations to improve background investigations.-- Recommendations to improve the background investigation process, including recommendations-- (A) to simplify the Questionnaire for National Security Positions (Standard Form 86) and increase customer support to applicants completing such Questionnaire; (B) to use remote and virtual techniques and centralized locations during field investigation work; (C) to utilize secure and reliable digitization of information obtained during the clearance process; and (D) to build the capacity of the background investigation labor sector. (3) Review of schedules.--A review of whether the schedule for processing security clearances included in section 3001 of the Intelligence Reform and Terrorism Prevention Act of 2004 (50 U.S.C. 3341) should be modified. (4) Evaluation of splitting the background investigation function.-- (A) In general.--An evaluation of the impact on costs, quality, and timeliness of security clearance background investigations associated with transferring to the Secretary of Defense responsibility for conducting background investigations for-- (i) personnel of the Department of Defense; or (ii) all contractors to and personnel of the United States Government. (B) Analysis.--An analysis of-- (i) the time required for the Secretary of Defense to gain sufficient institutional capacity and capability to perform the investigations described in clauses (i) and (ii) of subparagraph (A); (ii) past experience with agencies and departments of the United States having responsibility for conducting background investigations, including the transfer to the Office of Personnel Management of background investigations for personnel of the Department of Defense during 2003, 2004, and 2005; and (iii) the mobility of the workforce who perform background investigations between government agencies and contractors. (b) Policy, Strategy, and Implementation.--Not later than 90 days after the date of the enactment of this Act, the Director of National Intelligence, acting as the Security Executive Agent in accordance with section 602(d), shall establish the following: (1) Policy and implementation plan for interim security clearances.--A policy and implementation plan for the issuance of interim security clearances. (2) Policy on consistent treatment of government and contractor personnel.--A policy and implementation plan to ensure contractors are treated consistently in the security clearance process across agencies and departments of the United States and as compared to employees of such agencies and departments. Such policy shall address-- (A) prioritization of processing security clearances based on the mission the contractors will be performing; (B) standardization of how requests for clearance sponsorship are issued; (C) digitization of background investigation- related forms; (D) use of the polygraph; (E) the application of the adjudicative guidelines under Security Executive Agent Directive 4 (``National Security Adjudicative Guidelines''); (F) reciprocal recognition of clearances across agencies and departments of the United States, regardless of status of periodic reinvestigation; (G) tracking of clearance files as individuals move from employment with an agency or department of the United States to employment in the private sector; and (H) reporting on security incidents and performance. (3) Strategy and implementation for periodic reinvestigations.-- (A) Strategy and implementation plan.--A strategy and implementation plan to conduct periodic reinvestigations as part of a security clearance determination exclusively on an as-needed, risk-based basis. Such plan shall include actions to assess the extent to which automated records checks and other continuous evaluation methods may be used to expedite or focus reinvestigations. (B) Exception.--The Security Executive Agent may provide justification if certain populations are determined to require periodic reinvestigations at regular intervals. (4) Policy for automated records checks.--A policy and implementation plan for agencies and departments of the United States Government, as a part of the security clearance process, to accept automated records checks generated pursuant to a security clearance applicant's employment with a prior employer. (5) Policy and implementation for sharing of background investigation data.--A policy and implementation plan for sharing information between and among agencies or departments of the United States and private entities that is relevant to decisions about granting or renewing security clearances. Such information shall-- (A) pertain to security and human resources matters; and (B) be treated in a manner consistent with privacy concerns. SEC. 604. REPORTS ON THE VULNERABILITIES EQUITIES POLICY AND PROCESS OF THE FEDERAL GOVERNMENT. (a) Report Policy and Process.-- (1) In general.--Not later than 90 days after the date of the enactment of this Act and not later than 30 days after any substantive change in policy, the head of each element of the intelligence community shall submit to the congressional intelligence committees a report detailing the process and criteria the head uses for determining whether to submit a vulnerability for review under the vulnerabilities equities policy and process of the Federal Government. (2) Form.--Each report submitted under paragraph (1) shall be submitted in unclassified form, but may include a classified annex. (b) Annual Report on Vulnerabilities.-- (1) In general.--Not less frequently than once each year, the Director of National Intelligence shall submit to the congressional intelligence committees a report on-- (A) how many vulnerabilities the intelligence community has submitted for review during the previous calendar year; (B) how many of such vulnerabilities were ultimately disclosed to the vendor responsible for correcting the vulnerability during the previous calendar year; and (C) vulnerabilities disclosed since the previous report that have either-- (i) been patched or mitigated by the responsible vendor; or (ii) have not been patched or mitigated by the responsible vendor and more than 180 days have elapsed since the vulnerability was disclosed. (2) Contents.--Each report submitted under paragraph (1) shall include the following: (A) The date the vulnerability was disclosed to the responsible vendor. (B) The date the patch or mitigation for the vulnerability was made publicly available by the responsible vendor. (C) An unclassified appendix that includes-- (i) a top-line summary of the aggregate number of vulnerabilities disclosed to vendors, how many have been patched, and the average time between disclosure of the vulnerability and the patching of the vulnerability; and (ii) the aggregate number of vulnerabilities disclosed to each responsible vendor, delineated by the amount of time required to patch or mitigate the vulnerability, as defined by thirty day increments. (3) Form.--Each report submitted under paragraph (1) shall be in classified form. (c) Vulnerabilities Equities Policy and Process of the Federal Government Defined.--In this section, the term ``vulnerabilities equities policy and process of the Federal Government'' means the policy and process established by the National Security Council for the Federal Government, or successor set of policies and processes, establishing policy and responsibilities for disseminating information about vulnerabilities discovered by the Federal Government or its contractors, or disclosed to the Federal Government by the private sector in government off-the-shelf (GOTS), commercial off-the-shelf (COTS), or other commercial information technology or industrial control products or systems (including both hardware and software). SEC. 605. BUG BOUNTY PROGRAMS. (a) Definitions.--In this section: (1) Bug bounty program.--The term ``bug bounty program'' means a program under which an approved computer security specialist or security researcher is temporarily authorized to identify and report vulnerabilities within an information system in exchange for payment. (2) Information system.--The term ``information system'' has the meaning given that term in section 3502 of title 44, United States Code. (b) Bug Bounty Program Plan.-- (1) Requirement.--Not later than 180 days after the date of the enactment of this Act, the Under Secretary for Intelligence and Analysis of the Department of Homeland Security shall submit to the congressional intelligence committees a strategic plan to implement bug bounty programs at appropriate agencies and departments of the United States. (2) Contents.--The plan required by paragraph (1) shall include-- (A) an assessment of-- (i) the effectiveness of the ``Hack the Pentagon'' pilot program carried out by the Department of Defense in 2016 and subsequent bug bounty programs in identifying and reporting vulnerabilities within the information systems of the Department of Defense; and (ii) private sector bug bounty programs, including such programs implemented by leading technology companies in the United States; and (B) recommendations on the feasibility of initiating bug bounty programs at appropriate agencies and departments of the United States. SEC. 606. REPORT ON CYBER ATTACKS BY FOREIGN GOVERNMENTS AGAINST UNITED STATES ELECTION INFRASTRUCTURE. (a) Report Required.--Not later than 60 days after the date of the enactment of this Act, the Under Secretary of Homeland Security for Intelligence and Analysis shall submit to congressional leadership and the congressional intelligence committees a report on cyber attacks and attempted cyber attacks by foreign governments on United States election infrastructure in States and localities in connection with the 2016 presidential election in the United States and such cyber attacks or attempted cyber attacks as the Under Secretary anticipates against such infrastructure. Such report shall identify the States and localities affected and shall include cyber attacks and attempted cyber attacks against voter registration databases, voting machines, voting- related computer networks, and the networks of secretaries of State and other election officials. (b) Form.--The report submitted under subsection (a) shall be submitted in unclassified form, but may include a classified annex. (c) Definitions.--In this section: (1) Congressional leadership.--The term ``congressional leadership'' includes the following: (A) The majority leader of the Senate. (B) The minority leader of the Senate. (C) The Speaker of the House of Representatives. (D) The minority leader of the House of Representatives. (2) State.--The term ``State'' means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States. SEC. 607. REVIEW OF INTELLIGENCE COMMUNITY'S POSTURE TO COLLECT AGAINST AND ANALYZE RUSSIAN EFFORTS TO INFLUENCE THE PRESIDENTIAL ELECTION. (a) Assessment Required.--Not later than one year after the date of the enactment of this Act, the Director of National Intelligence shall-- (1) complete an after action review of the intelligence community's posture to collect against and analyze efforts of the Government of Russia to interfere in the 2016 presidential election in the United States; and (2) submit to the congressional intelligence committees a report on the findings of the Director with respect to such review. (b) Elements.--The review required by subsection (a) shall include, with respect to the posture and efforts described in paragraph (1) of such subsection, the following: (1) An assessment of whether the resources of the intelligence community were properly aligned to detect and respond to the efforts described in subsection (a)(1). (2) An assessment of the information sharing that occurred within elements of the intelligence community. (3) An assessment of the information sharing that occurred between elements of the intelligence community. (4) An assessment of applicable authorities necessary to collect on any such efforts and any deficiencies in those authorities. (5) A review of the use of open source material to inform analysis and warning of such efforts. (6) A review of the use of alternative and predictive analysis. (c) Form of Report.--The report required by subsection (a)(2) shall be submitted to the congressional intelligence committees in a classified form. SEC. 608. ASSESSMENT OF FOREIGN INTELLIGENCE THREATS TO FEDERAL ELECTIONS. (a) In General.--The Director of National Intelligence, in coordination with the Director of the Central Intelligence Agency, the Director of the National Security Agency, the Director of the Federal Bureau of Investigation, the Secretary of Homeland Security, and the heads of other relevant elements of the intelligence community, shall-- (1) commence not later than 1 year before any regularly scheduled Federal election and complete not later than 180 days before such election, an assessment of security vulnerabilities of State election systems; and (2) not later than 180 days before any regularly scheduled Federal election, submit a report on such security vulnerabilities and an assessment of foreign intelligence threats to the election to-- (A) congressional leadership; and (B) the congressional intelligence committees. (b) Update.--Not later than 90 days before any regularly scheduled Federal election, the Director of National Intelligence shall-- (1) update the assessment of foreign intelligence threats to that election; and (2) submit the updated assessment to-- (A) congressional leadership; and (B) the congressional intelligence committees. (c) Definitions.--In this section: (1) Congressional leadership.--The term ``congressional leadership'' includes the following: (A) The majority leader of the Senate. (B) The minority leader of the Senate. (C) The Speaker of the House of Representatives. (D) The minority leader of the House of Representatives. (2) Security vulnerability.--The term ``security vulnerability'' has the meaning given such term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501). SEC. 609. STRATEGY FOR COUNTERING RUSSIAN CYBER THREATS TO UNITED STATES ELECTIONS. (a) Requirement for a Strategy.--Not later than 90 days after the date of the enactment of this Act, the Director of National Intelligence, in coordination with the Secretary of Homeland Security, the Director of the Federal Bureau of Investigation, the Director of the Central Intelligence Agency, the Secretary of State, the Secretary of Defense, and the Secretary of the Treasury, shall develop a whole- of-government strategy for countering the threat of Russian cyber attacks and attempted cyber attacks against electoral systems and processes in the United States, including Federal, State, and local election systems, voter registration databases, voting tabulation equipment, and equipment and processes for the secure transmission of election results. (b) Elements of the Strategy.--The strategy required by subsection (a) shall include the following elements: (1) A whole-of-government approach to protecting United States electoral systems and processes that includes the agencies and departments indicated in subsection (a) as well as any other agencies and departments of the United States, as determined appropriate by the Director of National Intelligence and the Secretary of Homeland Security. (2) Input solicited from Secretaries of State of the various States and the chief election officials of the States. (3) Technical security measures, including auditable paper trails for voting machines, securing wireless and Internet connections, and other technical safeguards. (4) Detection of cyber threats, including attacks and attempted attacks by Russian government or nongovernment cyber threat actors. (5) Improvements in the identification and attribution of Russian government or nongovernment cyber threat actors. (6) Deterrence, including actions and measures that could or should be undertaken against or communicated to the Government of Russia or other entities to deter attacks against, or interference with, United States election systems and processes. (7) Improvements in Federal Government communications with State and local election officials. (8) Public education and communication efforts. (9) Benchmarks and milestones to enable the measurement of concrete steps taken and progress made in the implementation of the strategy. (c) Report to Congress.--Not later than 90 days after the date of the enactment of this Act, the Director of National Intelligence and the Secretary of Homeland Security shall brief the congressional intelligence committees on the strategy developed under subsection (a). SEC. 610. LIMITATION RELATING TO ESTABLISHMENT OR SUPPORT OF CYBER SECURITY UNIT WITH THE GOVERNMENT OF RUSSIA. (a) Limitation.--No amount may be expended by the Federal Government to establish or support a cyber security unit or other cyber agreement that is jointly established or otherwise implemented by the Government of the United States and the Government of Russia unless, at least 30 days prior to the establishment of such agreement, the Director of National Intelligence submits to the congressional intelligence committees a report on such agreement that includes the elements required by subsection (b). (b) Report Elements.--If the Director submits a report under subsection (a), such report shall include a description of each of the following: (1) The purpose of the agreement. (2) The nature of any intelligence to be shared pursuant to the agreement. (3) The expected value to national security resulting from the implementation of the agreement. (4) Such counterintelligence concerns associated with the agreement as the Director may have and such measures as the Director expects to be taken to mitigate such concerns. SEC. 611. REPORT ON RETURNING RUSSIAN COMPOUNDS. (a) Covered Compounds Defined.--In this section, the term ``covered compounds'' means the real property in New York and the real property in Maryland that were under the control of the Government of Russia in 2016 and were removed from such control in response to various transgressions by the Government of Russia, including the interference by the Government of Russia in the 2016 election in the United States. (b) Requirement for Report.--Not later than 180 days after the date of the enactment of this Act, the Director of National Intelligence shall submit to the congressional intelligence committees a report on the intelligence risks of returning the covered compounds to Russian control. (c) Form of Report.--The report required by subsection (b) shall be submitted in classified and unclassified forms. SEC. 612. INTELLIGENCE COMMUNITY ASSESSMENT ON THREAT OF RUSSIAN MONEY LAUNDERING TO THE UNITED STATES. (a) Assessment Required.--Not later than 180 days after the date of the enactment of this Act, the Director of National Intelligence, in coordination with the Secretary of the Treasury, shall submit to the congressional intelligence committees an intelligence community assessment on the threat of Russian money laundering to the United States. The assessment shall be based on all-source intelligence, including from the intelligence community and from all elements of the Department of the Treasury under the Office of Terrorism and Financial Intelligence. (b) Elements.--The assessment required by subsection (a) shall cover the following: (1) Money laundering in the Russian Federation, global nodes of money laundering used by Russian and associated entities, and the entry points of money laundering by Russian and associated entities into the United States. (2) Vulnerabilities to money laundering in the United States financial and legal system, including specific sectors, and ways in which Russian money laundering has exploited those vulnerabilities. (3) Any connections between Russian oligarchs and elements of Russian organized crime involved in money laundering and the Government of Russia. (4) The counterintelligence threat posed by Russian money laundering as well as the threat to the United States financial system and United States efforts to enforce sanctions and combat organized crime. SEC. 613. NOTIFICATION OF AN ACTIVE MEASURES CAMPAIGN. (a) Requirement for Notification.--The Director of National Intelligence, in cooperation with the Director of the Federal Bureau of Investigation and the head of any other relevant agency, shall notify the Chairman and Vice Chairman or Ranking Member of each of the congressional intelligence committees, and of other relevant committees of jurisdiction, each time the Director of National Intelligence determines there is credible information that a foreign power has, is, or will attempt to employ a covert influence or active measures campaign with regard to the modernization, employment, doctrine, or force posture of the nuclear deterrent or missile defense. (b) Content of Notification.--Each notification required by subsection (a) shall include information concerning actions taken by the United States to expose or halt an attempt referred to in subsection (a). SEC. 614. NOTIFICATION OF TRAVEL BY ACCREDITED DIPLOMATIC AND CONSULAR PERSONNEL OF THE RUSSIAN FEDERATION IN THE UNITED STATES. In carrying out the advance notification requirements set out in section 502 of the Intelligence Authorization Act for Fiscal Year 2017 (Division N of Public Law 115-31), the Secretary of State shall-- (1) ensure that the Russian Federation provides notification to the Secretary of State at least 2 business days in advance of all travel by accredited diplomatic and consular personnel of the Russian Federation in the United States, and take necessary action to secure full compliance by Russian personnel and address any noncompliance; and (2) provide notice of travel described in paragraph (1) to the Director of National Intelligence and the Director of the Federal Bureau of Investigation within 1 hour of receiving notice of such travel. SEC. 615. MODIFICATION OF CERTAIN REPORTING REQUIREMENT ON TRAVEL OF FOREIGN DIPLOMATS. Section 502(d)(2) of the Intelligence Authorization Act for Fiscal Year 2017 (Public Law 115-31) is amended by striking ``the number'' and inserting ``a best estimate''. SEC. 616. SEMIANNUAL REPORT ON REFERRALS TO DEPARTMENT OF JUSTICE BY ELEMENTS OF THE INTELLIGENCE COMMUNITY REGARDING UNAUTHORIZED DISCLOSURE OF CLASSIFIED INFORMATION. (a) Reports Required.--Not less frequently than once every 6 months, the Assistant Attorney General for National Security of the Department of Justice, in consultation with the Director of the Federal Bureau of Investigation, shall submit to the congressional intelligence committees a report on the status of each referral made to the Department of Justice from any element of the intelligence community regarding an unauthorized disclosure of classified information made during the most recent 365-day period or any referral that has not yet been closed, regardless of the date the referral was made. (b) Contents.--Each report submitted under subsection (a) shall include, for each referral covered by the report, at a minimum, the following: (1) The date the referral was received. (2) A statement indicating whether the alleged unauthorized disclosure described in the referral was substantiated by the Department of Justice. (3) A statement indicating the highest level of classification of the information that was revealed in the unauthorized disclosure. (4) A statement indicating whether an open criminal investigation related to the referral is active. (5) A statement indicating whether any criminal charges have been filed related to the referral. (6) A statement indicating whether the Department of Justice has been able to attribute the unauthorized disclosure to a particular entity or individual. (c) Form of Report.--Each report submitted under subsection (a) shall be submitted in unclassified form, but may have a classified annex. SEC. 617. NOTIFICATIONS OF DESIGNATION OF AN INTELLIGENCE OFFICER AS A PERSONA NON GRATA. (a) Requirement for Reports.--Not later than 72 hours after an intelligence officer is designated as a persona non grata, the Director of National Intelligence, in consultation with the Secretary of State, shall submit to the congressional intelligence committees a notification of that designation. Each such notification shall include-- (1) the date of the designation; (2) the basis for the designation; and (3) a justification for the expulsion. (b) Intelligence Officer Defined.--In this section, the term ``intelligence officer'' means-- (1) a United States intelligence officer serving in a post in a foreign country; or (2) a known or suspected foreign intelligence officer serving in a United States post. SEC. 618. BIENNIAL REPORT ON FOREIGN INVESTMENT RISKS. (a) Intelligence Community Interagency Working Group.-- (1) Requirement to establish.--The Director of National Intelligence shall establish an intelligence community interagency working group to prepare the biennial reports required by subsection (b). (2) Chairperson.--The Director of National Intelligence shall serve as the chairperson of such interagency working group. (3) Membership.--Such interagency working group shall be composed of representatives of each element of the intelligence community that the Director of National Intelligence determines appropriate. (b) Biennial Report on Foreign Investment Risks.-- (1) Requirement.--Not later than 180 days after the date of the enactment of this Act, and biennially thereafter, the Director of National Intelligence shall submit to the congressional intelligence committees a report on foreign investment risks prepared by the interagency working group established under subsection (a). (2) Content.--Each report required by paragraph (1) shall include an identification, analysis, and explanation of the following: (A) Any current or projected major vulnerability to the national security of the United States with respect to foreign investment. (B) Any macro trends in foreign investment of a country that such interagency working group has identified to be a country of special concern. (C) Any strategy used by such a country to exploit a vulnerability identified under subparagraph (A) through the acquisition of critical technologies, critical materials, or critical infrastructure. (D) Any market distortion or unfair competition by a foreign country in the form of market barriers, nonreciprocal investment treatment, subsidies, government corruption, compulsory technology transfer, or theft of intellectual property. SEC. 619. REPORT ON SURVEILLANCE BY FOREIGN GOVERNMENTS AGAINST UNITED STATES TELECOMMUNICATIONS NETWORKS. Not later than 180 days after the date of the enactment of this Act, the Director of National Intelligence shall, in coordination with the Director of the Central Intelligence Agency, the Director of the National Security Agency, the Director of the Federal Bureau of Investigation, and the Secretary of Homeland Security, submit to the congressional intelligence committees a report describing-- (1) any attempts known to the intelligence community by foreign governments to exploit cybersecurity vulnerabilities in United States telecommunications networks (including Signaling System No. 7) to target for surveillance of United States persons, including employees of the Federal Government; and (2) any actions, as of the date of the enactment of this Act, taken by the intelligence community to protect agencies and personnel of the United States Government from surveillance conducted by foreign governments. SEC. 620. REPORTS ON AUTHORITIES OF THE CHIEF INTELLIGENCE OFFICER OF THE DEPARTMENT OF HOMELAND SECURITY. (a) Definitions.--In this section: (1) Department.--The term ``Department'' means the Department of Homeland Security. (2) Homeland security intelligence enterprise.--The term ``Homeland Security Intelligence Enterprise'' has the meaning given such term in Department of Homeland Security Instruction Number 264-01-001, or successor authority. (3) Office.--The term ``Office'' means the Office of Intelligence and Analysis of the Department. (4) Secretary.--The term ``Secretary'' means the Secretary of Homeland Security. (5) Under secretary.--The term ``Under Secretary'' means the Under Secretary for Intelligence and Analysis of the Department. (b) Requirement for Report.--Not later than 120 days after the date of the enactment of this Act, the Secretary, in consultation with the Under Secretary, shall submit to the congressional intelligence committees a report on the authorities of the Under Secretary. (c) Contents.--The report required by subsection (b) shall include the following: (1) An analysis of whether the Under Secretary has the legal and policy authority necessary to organize and lead the Homeland Security Intelligence Enterprise, with respect to intelligence, and, if not, a description of-- (A) the obstacles to exercising the authorities of the Chief Intelligence Officer and the Homeland Security Intelligence Council, over which the Chief Intelligence Officer chairs; and (B) the legal and policy changes necessary to effectively coordinate, organize, and lead intelligence activities of the Department of Homeland Security. (2) A description of the actions that the Secretary has taken to address the inability of the Under Secretary to require components of the Department, other than the Office-- (A) to coordinate intelligence programs; and (B) integrate and standardize intelligence products produced by such other components. SEC. 621. REPORT ON GEOSPATIAL COMMERCIAL ACTIVITIES FOR BASIC AND APPLIED RESEARCH AND DEVELOPMENT. (a) Sense of Congress.--It is the sense of Congress that-- (1) rapid technology change and a significant increase in data collection by the intelligence community has outpaced the ability of the intelligence community to exploit vast quantities of intelligence data; (2) the data collection capabilities of the intelligence community and the Department of Defense have outpaced their ability to exploit vast quantities of data; (3) furthermore, international competitors may be catching up, and in some cases leading, in key technology areas; (4) many United States companies have talent and technological capabilities that the Federal Government could harness; and (5) these companies would be able to more effectively develop automation, artificial intelligence, and associated algorithms if given access to data of the National Geospatial- Intelligence Agency, consistent with the protection of sources and methods. (b) Report.--Not later than 30 days after the date of the enactment of this Act, the Director of the National Geospatial-Intelligence Agency shall submit to the appropriate congressional committees a report on the authorities necessary to conduct commercial activities relating to geospatial intelligence that the Director determines necessary to engage in basic research, applied research, data transfers, and development projects, with respect to automation, artificial intelligence, and associated algorithms, including how the Director would use such authorities, consistent with applicable laws and procedures relating to the protection of sources and methods. (c) Appropriate Congressional Committees Defined.--In this section, the term ``appropriate congressional committees'' means-- (1) the Committee on Armed Services and the Select Committee on Intelligence of the Senate; and (2) the Committee on Armed Services and the Permanent Select Committee on Intelligence of the House of Representatives. SEC. 622. TECHNICAL AMENDMENTS RELATED TO THE DEPARTMENT OF ENERGY. (a) National Nuclear Security Administration Act.-- (1) Clarification of functions of the administrator for nuclear security.--Subsection (b) of section 3212 of the National Nuclear Security Administration Act (50 U.S.C. 2402(b)) is amended-- (A) by striking paragraphs (11) and (12); and (B) by redesignating paragraphs (13) through (19) as paragraphs (11) through (17), respectively. (2) Counterintelligence programs.--Section 3233(b) of the National Nuclear Security Administration Act (50 U.S.C. 2423(b)) is amended-- (A) by striking ``Administration'' and inserting ``Department''; and (B) by inserting ``Intelligence and'' after ``the Office of''. (b) Atomic Energy Defense Act.--Section 4524(b)(2) of the Atomic Energy Defense Act (50 U.S.C. 2674(b)(2)) is amended by inserting ``Intelligence and'' after ``The Director of''. (c) National Security Act of 1947.--Paragraph (2) of section 106(b) of the National Security Act of 1947 (50 U.S.C. 3041(b)(2)) is amended-- (1) in subparagraph (E), by inserting ``and Counterintelligence'' after ``Office of Intelligence''; (2) by striking subparagraph (F); (3) by redesignating subparagraphs (G), (H), and (I) as subparagraphs (F), (G), and (H), respectively; and (4) in subparagraph (I), by realigning the margin of such subparagraph 2 ems to the left. SEC. 623. SENSE OF CONGRESS ON WIKILEAKS. It is the sense of Congress that WikiLeaks and the senior leadership of WikiLeaks resemble a non-state hostile intelligence service often abetted by state actors and should be treated as such a service by the United States. Calendar No. 207 115th CONGRESS 1st Session S. 1761 _______________________________________________________________________ A BILL To authorize appropriations for fiscal year 2018 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. _______________________________________________________________________ August 18, 2017 Read twice and placed on the calendar