§ 1501. Definitions

In this subchapter:

• (1) The term “agency” has the meaning given the term in section 3502 of title 44 .
• (2) The term “antitrust laws”—
  • (A) has the meaning given the term in section 12 of title 15 ;
  • (B) includes section 45 of title 15 to the extent that section 45 of title 15 applies to unfair methods of competition; and
  • (C) includes any State antitrust law, but only to the extent that such law is consistent with the law referred to in subparagraph (A) or the law referred to in subparagraph (B).
• (3) The term “appropriate Federal entities” means the following:
  • (A) The Department of Commerce.
  • (B) The Department of Defense.
  • (C) The Department of Energy.
  • (D) The Department of Homeland Security.
  • (E) The Department of Justice.
  • (F) The Department of the Treasury.
  • (G) The Office of the Director of National Intelligence.
• (4) The term “cybersecurity purpose” means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.
• (5)
  • (A) Except as provided in subparagraph (B), the term “cybersecurity threat” means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.
  • (B) The term “cybersecurity threat” does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.
• (6) The term “cyber threat indicator” means information that is necessary to describe or identify—
  • (A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
  • (B) a method of defeating a security control or exploitation of a security vulnerability;
  • (C) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
  • (D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
  • (E) malicious cyber command and control;
  • (F) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
  • (G) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
  • (H) any combination thereof.
• (7)
  • (A) Except as provided in subparagraph (B), the term “defensive measure” means an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.
  • (B) The term “defensive measure” does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system not owned by—
    • (i) the private entity operating the measure; or
    • (ii) another entity or Federal entity that is authorized to provide consent and has provided consent to that private entity for operation of such measure.
• (8) The term “Federal entity” means a department or agency of the United States or any component of such department or agency.
• (9) The term “information system”—
  • (A) has the meaning given the term in section 3502 of title 44 ; and
  • (B) includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.
• (10) The term “local government” means any borough, city, county, parish, town, township, village, or other political subdivision of a State.
• (11) The term “malicious cyber command and control” means a method for unauthorized remote identification of, access to, or use of, an information system or information that is stored on, processed by, or transiting an information system.
• (12) The term “malicious reconnaissance” means a method for actively probing or passively monitoring an information system for the purpose of discerning security vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
• (13) The term “monitor” means to acquire, identify, or scan, or to possess, information that is stored on, processed by, or transiting an information system.
• (14)
  • (A) Except as otherwise provided in this paragraph, the term “non-Federal entity” means any private entity, non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof).
  • (B) The term “non-Federal entity” includes a government agency or department of the District of Columbia, the Commonwealth of Puerto Rico, the United States Virgin Islands, Guam, American Samoa, the Northern Mariana Islands, and any other territory or possession of the United States.
  • (C) The term “non-Federal entity” does not include a foreign power as defined in section 1801 of title 50 .
• (15)
  • (A) Except as otherwise provided in this paragraph, the term “private entity” means any person or private group, organization, proprietorship, partnership, trust, cooperative, corporation, or other commercial or nonprofit entity, including an officer, employee, or agent thereof.
  • (B) The term “private entity” includes a State, tribal, or local government performing utility services, such as electric, natural gas, or water services.
  • (C) The term “private entity” does not include a foreign power as defined in section 1801 of title 50 .
• (16) The term “security control” means the management, operational, and technical controls used to protect against an unauthorized effort to adversely affect the confidentiality, integrity, and availability of an information system or its information.
• (17) The term “security vulnerability” means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.
• (18) The term “tribal” has the meaning given the term “Indian tribe” in section 5304 of title 25 .

§ 1502. Sharing of information by the Federal Government

• (a) Consistent with the protection of classified information, intelligence sources and methods, and privacy and civil liberties, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General, in consultation with the heads of the appropriate Federal entities, shall jointly develop and issue procedures to facilitate and promote—
  • (1) the timely sharing of classified cyber threat indicators and defensive measures in the possession of the Federal Government with representatives of relevant Federal entities and non-Federal entities that have appropriate security clearances;
  • (2) the timely sharing with relevant Federal entities and non-Federal entities of cyber threat indicators, defensive measures, and information relating to cybersecurity threats or authorized uses under this subchapter, in the possession of the Federal Government that may be declassified and shared at an unclassified level;
  • (3) the timely sharing with relevant Federal entities and non-Federal entities, or the public if appropriate, of unclassified, including controlled unclassified, cyber threat indicators and defensive measures in the possession of the Federal Government;
  • (4) the timely sharing with Federal entities and non-Federal entities, if appropriate, of information relating to cybersecurity threats or authorized uses under this subchapter, in the possession of the Federal Government about cybersecurity threats to such entities to prevent or mitigate adverse effects from such cybersecurity threats; and
  • (5) the periodic sharing, through publication and targeted outreach, of cybersecurity best practices that are developed based on ongoing analyses of cyber threat indicators, defensive measures, and information relating to cybersecurity threats or authorized uses under this subchapter, in the possession of the Federal Government, with attention to accessibility and implementation challenges faced by small business concerns (as defined in section 632 of title 15 ).
• (b)
  • (1) The procedures developed under subsection (a) shall—
    • (A) ensure the Federal Government has and maintains the capability to share cyber threat indicators and defensive measures in real time consistent with the protection of classified information;
    • (B) incorporate, to the greatest extent practicable, existing processes and existing roles and responsibilities of Federal entities and non-Federal entities for information sharing by the Federal Government, including sector specific information sharing and analysis centers;
    • (C) include procedures for notifying, in a timely manner, Federal entities and non-Federal entities that have received a cyber threat indicator or defensive measure from a Federal entity under this subchapter that is known or determined to be in error or in contravention of the requirements of this subchapter or another provision of Federal law or policy of such error or contravention;
    • (D) include requirements for Federal entities sharing cyber threat indicators or defensive measures to implement and utilize security controls to protect against unauthorized access to or acquisition of such cyber threat indicators or defensive measures;
    • (E) include procedures that require a Federal entity, prior to the sharing of a cyber threat indicator—
      • (i) to review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that such Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
      • (ii) to implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual; and
    • (F) include procedures for notifying, in a timely manner, any United States person whose personal information is known or determined to have been shared by a Federal entity in violation of this subchapter.
  • (2) In developing the procedures required under this section, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General shall consult with appropriate Federal entities, including the Small Business Administration and the National Laboratories (as defined in section 15801 of title 42 ), to ensure that effective protocols are implemented that will facilitate and promote the sharing of cyber threat indicators by the Federal Government in a timely manner.
• (c) Not later than 60 days after December 18, 2015 , the Director of National Intelligence, in consultation with the heads of the appropriate Federal entities, shall submit to Congress the procedures required by subsection (a).

§ 1503. Authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats

• (a)
  • (1) Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, monitor—
    • (A) an information system of such private entity;
    • (B) an information system of another non-Federal entity, upon the authorization and written consent of such other entity;
    • (C) an information system of a Federal entity, upon the authorization and written consent of an authorized representative of the Federal entity; and
    • (D) information that is stored on, processed by, or transiting an information system monitored by the private entity under this paragraph.
  • (2) Nothing in this subsection shall be construed—
    • (A) to authorize the monitoring of an information system, or the use of any information obtained through such monitoring, other than as provided in this subchapter; or
    • (B) to limit otherwise lawful activity.
• (b)
  • (1) Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, operate a defensive measure that is applied to—
    • (A) an information system of such private entity in order to protect the rights or property of the private entity;
    • (B) an information system of another non-Federal entity upon written consent of such entity for operation of such defensive measure to protect the rights or property of such entity; and
    • (C) an information system of a Federal entity upon written consent of an authorized representative of such Federal entity for operation of such defensive measure to protect the rights or property of the Federal Government.
  • (2) Nothing in this subsection shall be construed—
    • (A) to authorize the use of a defensive measure other than as provided in this subsection; or
    • (B) to limit otherwise lawful activity.
• (c)
  • (1) Except as provided in paragraph (2) and notwithstanding any other provision of law, a non-Federal entity may, for a cybersecurity purpose and consistent with the protection of classified information, share with, or receive from, any other non-Federal entity or the Federal Government a cyber threat indicator or defensive measure.
  • (2) A non-Federal entity receiving a cyber threat indicator or defensive measure from another non-Federal entity or a Federal entity shall comply with otherwise lawful restrictions placed on the sharing or use of such cyber threat indicator or defensive measure by the sharing non-Federal entity or Federal entity.
  • (3) Nothing in this subsection shall be construed—
    • (A) to authorize the sharing or receiving of a cyber threat indicator or defensive measure other than as provided in this subsection; or
    • (B) to limit otherwise lawful activity.
• (d)
  • (1) A non-Federal entity monitoring an information system, operating a defensive measure, or providing or receiving a cyber threat indicator or defensive measure under this section shall implement and utilize a security control to protect against unauthorized access to or acquisition of such cyber threat indicator or defensive measure.
  • (2) A non-Federal entity sharing a cyber threat indicator pursuant to this subchapter shall, prior to such sharing—
    • (A) review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
    • (B) implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.
  • (3)
    • (A) Consistent with this subchapter, a cyber threat indicator or defensive measure shared or received under this section may, for cybersecurity purposes—
      • (i) be used by a non-Federal entity to monitor or operate a defensive measure that is applied to—
        • (I) an information system of the non-Federal entity; or
        • (II) an information system of another non-Federal entity or a Federal entity upon the written consent of that other non-Federal entity or that Federal entity; and
      • (ii) be otherwise used, retained, and further shared by a non-Federal entity subject to—
        • (I) an otherwise lawful restriction placed by the sharing non-Federal entity or Federal entity on such cyber threat indicator or defensive measure; or
        • (II) an otherwise applicable provision of law.
    • (B) Nothing in this paragraph shall be construed to authorize the use of a cyber threat indicator or defensive measure other than as provided in this section.
  • (4)
    • (A) A State, tribal, or local government that receives a cyber threat indicator or defensive measure under this subchapter may use such cyber threat indicator or defensive measure for the purposes described in section 1504(d)(5)(A) of this title .
    • (B) A cyber threat indicator or defensive measure shared by or with a State, tribal, or local government, including a component of a State, tribal, or local government that is a private entity, under this section shall be—
      • (i) deemed voluntarily shared information; and
      • (ii) exempt from disclosure under any provision of State, tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records.
    • (C)
      • (i) Except as provided in clause (ii), a cyber threat indicator or defensive measure shared with a State, tribal, or local government under this subchapter shall not be used by any State, tribal, or local government to regulate, including an enforcement action, the lawful activity of any non-Federal entity or any activity taken by a non-Federal entity pursuant to mandatory standards, including an activity relating to monitoring, operating a defensive measure, or sharing of a cyber threat indicator.
      • (ii) A cyber threat indicator or defensive measure shared as described in clause (i) may, consistent with a State, tribal, or local government regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of a regulation relating to such information systems.
• (e)
  • (1) Except as provided in section 1507(e) of this title , it shall not be considered a violation of any provision of antitrust laws for 2 or more private entities to exchange or provide a cyber threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat, for cybersecurity purposes under this subchapter.
  • (2) Paragraph (1) shall apply only to information that is exchanged or assistance provided in order to assist with—
    • (A) facilitating the prevention, investigation, or mitigation of a cybersecurity threat to an information system or information that is stored on, processed by, or transiting an information system; or
    • (B) communicating or disclosing a cyber threat indicator to help prevent, investigate, or mitigate the effect of a cybersecurity threat to an information system or information that is stored on, processed by, or transiting an information system.
• (f) The sharing of a cyber threat indicator or defensive measure with a non-Federal entity under this subchapter shall not create a right or benefit to similar information by such non-Federal entity or any other non-Federal entity.

§ 1504. Sharing of cyber threat indicators and defensive measures with the Federal Government

• (a)
  • (1) Not later than 60 days after December 18, 2015 , the Attorney General and the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, jointly develop and submit to Congress interim policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government.
  • (2) Not later than 180 days after December 18, 2015 , the Attorney General and the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, jointly issue and make publicly available final policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government.
  • (3) Consistent with the guidelines required by subsection (b), the policies and procedures developed or issued under this subsection shall—
    • (A) ensure that cyber threat indicators shared with the Federal Government by any non-Federal entity pursuant to section 1503(c) of this title through the real-time process described in subsection (c) of this section—
      • (i) are shared in an automated manner with all of the appropriate Federal entities;
      • (ii) are only subject to a delay, modification, or other action due to controls established for such real-time process that could impede real-time receipt by all of the appropriate Federal entities when the delay, modification, or other action is due to controls—
        • (I) agreed upon unanimously by all of the heads of the appropriate Federal entities;
        • (II) carried out before any of the appropriate Federal entities retains or uses the cyber threat indicators or defensive measures; and
        • (III) uniformly applied such that each of the appropriate Federal entities is subject to the same delay, modification, or other action; and
      • (iii) may be provided to other Federal entities;
    • (B) ensure that cyber threat indicators shared with the Federal Government by any non-Federal entity pursuant to section 1503 of this title in a manner other than the real-time process described in subsection (c) of this section—
      • (i) are shared as quickly as operationally practicable with all of the appropriate Federal entities;
      • (ii) are not subject to any unnecessary delay, interference, or any other action that could impede receipt by all of the appropriate Federal entities; and
      • (iii) may be provided to other Federal entities; and
    • (C) ensure there are—
      • (i) audit capabilities; and
      • (ii) appropriate sanctions in place for officers, employees, or agents of a Federal entity who knowingly and willfully conduct activities under this subchapter in an unauthorized manner.
  • (4)
    • (A) Not later than 60 days after December 18, 2015 , the Attorney General and the Secretary of Homeland Security shall jointly develop and make publicly available guidance to assist entities and promote sharing of cyber threat indicators with Federal entities under this subchapter.
    • (B) The guidelines developed and made publicly available under subparagraph (A) shall include guidance on the following:
      • (i) Identification of types of information that would qualify as a cyber threat indicator under this subchapter that would be unlikely to include information that—
        • (I) is not directly related to a cybersecurity threat; and
        • (II) is personal information of a specific individual or information that identifies a specific individual.
      • (ii) Identification of types of information protected under otherwise applicable privacy laws that are unlikely to be directly related to a cybersecurity threat.
      • (iii) Such other matters as the Attorney General and the Secretary of Homeland Security consider appropriate for entities sharing cyber threat indicators with Federal entities under this subchapter.
• (b)
  • (1) Not later than 60 days after December 18, 2015 , the Attorney General and the Secretary of Homeland Security shall, in consultation with heads of the appropriate Federal entities and in consultation with officers designated under section 2000ee–1 of title 42 , jointly develop, submit to Congress, and make available to the public interim guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this subchapter.
  • (2)
    • (A) Not later than 180 days after December 18, 2015 , the Attorney General and the Secretary of Homeland Security shall, in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 2000ee–1 of title 42 and such private entities with industry expertise as the Attorney General and the Secretary consider relevant, jointly issue and make publicly available final guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this subchapter.
    • (B) The Attorney General and the Secretary of Homeland Security shall, in coordination with heads of the appropriate Federal entities and in consultation with officers and private entities described in subparagraph (A), periodically, but not less frequently than once every 2 years, jointly review the guidelines issued under subparagraph (A).
  • (3) The guidelines required by paragraphs (1) and (2) shall, consistent with the need to protect information systems from cybersecurity threats and mitigate cybersecurity threats—
    • (A) limit the effect on privacy and civil liberties of activities by the Federal Government under this subchapter;
    • (B) limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals, including by establishing—
      • (i) a process for the timely destruction of such information that is known not to be directly related to uses authorized under this subchapter; and
      • (ii) specific limitations on the length of any period in which a cyber threat indicator may be retained;
    • (C) include requirements to safeguard cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals from unauthorized access or acquisition, including appropriate sanctions for activities by officers, employees, or agents of the Federal Government in contravention of such guidelines;
    • (D) consistent with this subchapter, any other applicable provisions of law, and the fair information practice principles set forth in appendix A of the document entitled “National Strategy for Trusted Identities in Cyberspace” and published by the President in April 2011, govern the retention, use, and dissemination by the Federal Government of cyber threat indicators shared with the Federal Government under this subchapter, including the extent, if any, to which such cyber threat indicators may be used by the Federal Government;
    • (E) include procedures for notifying entities and Federal entities if information received pursuant to this section is known or determined by a Federal entity receiving such information not to constitute a cyber threat indicator;
    • (F) protect the confidentiality of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals to the greatest extent practicable and require recipients to be informed that such indicators may only be used for purposes authorized under this subchapter; and
    • (G) include steps that may be needed so that dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information.
• (c)
  • (1) Not later than 90 days after December 18, 2015 , the Secretary of Homeland Security, in coordination with the heads of the appropriate Federal entities, shall develop and implement a capability and process within the Department of Homeland Security that—
    • (A) shall accept from any non-Federal entity in real time cyber threat indicators and defensive measures, pursuant to this section;
    • (B) shall, upon submittal of the certification under paragraph (2) that such capability and process fully and effectively operates as described in such paragraph, be the process by which the Federal Government receives cyber threat indicators and defensive measures under this subchapter that are shared by a non-Federal entity with the Federal Government through electronic mail or media, an interactive form on an Internet website, or a real time, automated process between information systems except—
      • (i) consistent with section 1503 of this title , communications between a Federal entity and a non-Federal entity regarding a previously shared cyber threat indicator to describe the relevant cybersecurity threat or develop a defensive measure based on such cyber threat indicator; and
      • (ii) communications by a regulated non-Federal entity with such entity’s Federal regulatory authority regarding a cybersecurity threat;
    • (C) ensures that all of the appropriate Federal entities receive in an automated manner such cyber threat indicators and defensive measures shared through the real-time process within the Department of Homeland Security;
    • (D) is in compliance with the policies, procedures, and guidelines required by this section; and
    • (E) does not limit or prohibit otherwise lawful disclosures of communications, records, or other information, including—
      • (i) reporting of known or suspected criminal activity, by a non-Federal entity to any other non-Federal entity or a Federal entity, including cyber threat indicators or defensive measures shared with a Federal entity in furtherance of opening a Federal law enforcement investigation;
      • (ii) voluntary or legally compelled participation in a Federal investigation; and
      • (iii) providing cyber threat indicators or defensive measures as part of a statutory or authorized contractual requirement.
  • (2)
    • (A) Not later than 90 days after December 18, 2015 , the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, submit to Congress a certification as to whether the capability and process required by paragraph (1) fully and effectively operates—
      • (i) as the process by which the Federal Government receives from any non-Federal entity a cyber threat indicator or defensive measure under this subchapter; and
      • (ii) in accordance with the interim policies, procedures, and guidelines developed under this subchapter.
    • (B)
      • (i) At any time after certification is submitted under subparagraph (A), the President may designate an appropriate Federal entity, other than the Department of Defense (including the National Security Agency), to develop and implement a capability and process as described in paragraph (1) in addition to the capability and process developed under such paragraph by the Secretary of Homeland Security, if, not fewer than 30 days before making such designation, the President submits to Congress a certification and explanation that—
        • (I) such designation is necessary to ensure that full, effective, and secure operation of a capability and process for the Federal Government to receive from any non-Federal entity cyber threat indicators or defensive measures under this subchapter;
        • (II) the designated appropriate Federal entity will receive and share cyber threat indicators and defensive measures in accordance with the policies, procedures, and guidelines developed under this subchapter, including subsection (a)(3)(A); and
        • (III) such designation is consistent with the mission of such appropriate Federal entity and improves the ability of the Federal Government to receive, share, and use cyber threat indicators and defensive measures as authorized under this subchapter.
      • (ii) If the President designates an appropriate Federal entity to develop and implement a capability and process under clause (i), the provisions of this subchapter that apply to the capability and process required by paragraph (1) shall also be construed to apply to the capability and process developed and implemented under clause (i).
  • (3) The Secretary of Homeland Security shall ensure there is public notice of, and access to, the capability and process developed and implemented under paragraph (1) so that—
    • (A) any non-Federal entity may share cyber threat indicators and defensive measures through such process with the Federal Government; and
    • (B) all of the appropriate Federal entities receive such cyber threat indicators and defensive measures in real time with receipt through the process within the Department of Homeland Security consistent with the policies and procedures issued under subsection (a).
  • (4) The process developed and implemented under paragraph (1) shall ensure that other Federal entities receive in a timely manner any cyber threat indicators and defensive measures shared with the Federal Government through such process.
• (d)
  • (1) The provision of cyber threat indicators and defensive measures to the Federal Government under this subchapter shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection.
  • (2) Consistent with section 1503(c)(2) of this title and any other applicable provision of law, a cyber threat indicator or defensive measure provided by a non-Federal entity to the Federal Government under this subchapter shall be considered the commercial, financial, and proprietary information of such non-Federal entity when so designated by the originating non-Federal entity or a third party acting in accordance with the written authorization of the originating non-Federal entity.
  • (3) A cyber threat indicator or defensive measure shared with the Federal Government under this subchapter shall be—
    • (A) deemed voluntarily shared information and exempt from disclosure under section 552 of title 5 and any State, tribal, or local provision of law requiring disclosure of information or records; and
    • (B) withheld, without discretion, from the public under section 552(b)(3)(B) of title 5 and any State, tribal, or local provision of law requiring disclosure of information or records.
  • (4) The provision of a cyber threat indicator or defensive measure to the Federal Government under this subchapter shall not be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official.
  • (5)
    • (A) Cyber threat indicators and defensive measures provided to the Federal Government under this subchapter may be disclosed to, retained by, and used by, consistent with otherwise applicable provisions of Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal Government solely for—
      • (i) a cybersecurity purpose;
      • (ii) the purpose of identifying—
        • (I) a cybersecurity threat, including the source of such cybersecurity threat; or
        • (II) a security vulnerability;
      • (iii) the purpose of responding to, or otherwise preventing or mitigating, a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or a use of a weapon of mass destruction;
      • (iv) the purpose of responding to, investigating, prosecuting, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety; or
      • (v) the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a threat described in clause (iii) or any of the offenses listed in—
        • (I) sections 1028 through 1030 of title 18 (relating to fraud and identity theft);
        • (II) chapter 37 of such title (relating to espionage and censorship); and
        • (III) chapter 90 of such title (relating to protection of trade secrets).
    • (B) Cyber threat indicators and defensive measures provided to the Federal Government under this subchapter shall not be disclosed to, retained by, or used by any Federal agency or department for any use not permitted under subparagraph (A).
    • (C) Cyber threat indicators and defensive measures provided to the Federal Government under this subchapter shall be retained, used, and disseminated by the Federal Government—
      • (i) in accordance with the policies, procedures, and guidelines required by subsections (a) and (b);
      • (ii) in a manner that protects from unauthorized use or disclosure any cyber threat indicators that may contain—
        • (I) personal information of a specific individual; or
        • (II) information that identifies a specific individual; and
      • (iii) in a manner that protects the confidentiality of cyber threat indicators containing—
        • (I) personal information of a specific individual; or
        • (II) information that identifies a specific individual.
    • (D)
      • (i) Except as provided in clause (ii), cyber threat indicators and defensive measures provided to the Federal Government under this subchapter shall not be used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any non-Federal entity or any activities taken by a non-Federal entity pursuant to mandatory standards, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators.
      • (ii)
        • (I) Cyber threat indicators and defensive measures provided to the Federal Government under this subchapter may, consistent with Federal or State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems.
        • (II) Clause (i) shall not apply to procedures developed and implemented under this subchapter.

§ 1505. Protection from liability

• (a) No cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the monitoring of an information system and information under section 1503(a) of this title that is conducted in accordance with this subchapter.
• (b) No cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the sharing or receipt of a cyber threat indicator or defensive measure under section 1503(c) of this title if—
  • (1) such sharing or receipt is conducted in accordance with this subchapter; and
  • (2) in a case in which a cyber threat indicator or defensive measure is shared with the Federal Government, the cyber threat indicator or defensive measure is shared in a manner that is consistent with section 1504(c)(1)(B) of this title and the sharing or receipt, as the case may be, occurs after the earlier of—
    • (A) the date on which the interim policies and procedures are submitted to Congress under section 1504(a)(1) of this title and guidelines are submitted to Congress under section 1504(b)(1) of this title ; or
    • (B) the date that is 60 days after December 18, 2015 .
• (c) Nothing in this subchapter shall be construed—
  • (1) to create—
    • (A) a duty to share a cyber threat indicator or defensive measure; or
    • (B) a duty to warn or act based on the receipt of a cyber threat indicator or defensive measure; or
  • (2) to undermine or limit the availability of otherwise applicable common law or statutory defenses.

§ 1506. Oversight of government activities

• (a)
  • (1) Not later than 1 year after December 18, 2015 , the heads of the appropriate Federal entities shall jointly submit to Congress a detailed report concerning the implementation of this subchapter.
  • (2) The report required by paragraph (1) may include such recommendations as the heads of the appropriate Federal entities may have for improvements or modifications to the authorities, policies, procedures, and guidelines under this subchapter and shall include the following:
    • (A) An evaluation of the effectiveness of real-time information sharing through the capability and process developed under section 1504(c) of this title , including any impediments to such real-time sharing.
    • (B) An assessment of whether cyber threat indicators or defensive measures have been properly classified and an accounting of the number of security clearances authorized by the Federal Government for the purpose of sharing cyber threat indicators or defensive measures with the private sector.
    • (C) The number of cyber threat indicators or defensive measures received through the capability and process developed under section 1504(c) of this title .
    • (D) A list of Federal entities that have received cyber threat indicators or defensive measures under this subchapter.
• (b)
  • (1) Not later than 2 years after December 18, 2015 and not less frequently than once every 2 years thereafter, the inspectors general of the appropriate Federal entities, in consultation with the Inspector General of the Intelligence Community and the Council of Inspectors General on Financial Oversight, shall jointly submit to Congress an interagency report on the actions of the executive branch of the Federal Government to carry out this subchapter during the most recent 2-year period.
  • (2) Each report submitted under paragraph (1) shall include, for the period covered by the report, the following:
    • (A) An assessment of the sufficiency of the policies, procedures, and guidelines relating to the sharing of cyber threat indicators within the Federal Government, including those policies, procedures, and guidelines relating to the removal of information not directly related to a cybersecurity threat that is personal information of a specific individual or information that identifies a specific individual.
    • (B) An assessment of whether cyber threat indicators or defensive measures have been properly classified and an accounting of the number of security clearances authorized by the Federal Government for the purpose of sharing cyber threat indicators or defensive measures with the private sector.
    • (C) A review of the actions taken by the Federal Government based on cyber threat indicators or defensive measures shared with the Federal Government under this subchapter, including a review of the following:
      • (i) The appropriateness of subsequent uses and disseminations of cyber threat indicators or defensive measures.
      • (ii) Whether cyber threat indicators or defensive measures were shared in a timely and adequate manner with appropriate entities, or, if appropriate, were made publicly available.
    • (D) An assessment of the cyber threat indicators or defensive measures shared with the appropriate Federal entities under this subchapter, including the following:
      • (i) The number of cyber threat indicators or defensive measures shared through the capability and process developed under section 1504(c) of this title .
      • (ii) An assessment of any information not directly related to a cybersecurity threat that is personal information of a specific individual or information identifying a specific individual and was shared by a non-Federal government 1 1 So in original. Probably should be capitalized. entity with the Federal government 1 in contravention of this subchapter, or was shared within the Federal Government in contravention of the guidelines required by this subchapter, including a description of any significant violation of this subchapter.
      • (iii) The number of times, according to the Attorney General, that information shared under this subchapter was used by a Federal entity to prosecute an offense listed in section 1504(d)(5)(A) of this title .
      • (iv) A quantitative and qualitative assessment of the effect of the sharing of cyber threat indicators or defensive measures with the Federal Government on privacy and civil liberties of specific individuals, including the number of notices that were issued with respect to a failure to remove information not directly related to a cybersecurity threat that was personal information of a specific individual or information that identified a specific individual in accordance with the procedures required by section 1504(b)(3)(E) of this title .
      • (v) The adequacy of any steps taken by the Federal Government to reduce any adverse effect from activities carried out under this subchapter on the privacy and civil liberties of United States persons.
    • (E) An assessment of the sharing of cyber threat indicators or defensive measures among Federal entities to identify inappropriate barriers to sharing information.
  • (3) Each report submitted under this subsection may include such recommendations as the inspectors general may have for improvements or modifications to the authorities and processes under this subchapter.
• (c) Not later than 3 years after December 18, 2015 , the Comptroller General of the United States shall submit to Congress a report on the actions taken by the Federal Government to remove personal information from cyber threat indicators or defensive measures pursuant to this subchapter. Such report shall include an assessment of the sufficiency of the policies, procedures, and guidelines established under this subchapter in addressing concerns relating to privacy and civil liberties.
• (d) Each report required under this section shall be submitted in an unclassified form, but may include a classified annex.
• (e) The unclassified portions of the reports required under this section shall be made available to the public.

§ 1507. Construction and preemption

• (a) Nothing in this subchapter shall be construed—
  • (1) to limit or prohibit otherwise lawful disclosures of communications, records, or other information, including reporting of known or suspected criminal activity, by a non-Federal entity to any other non-Federal entity or the Federal Government under this subchapter; or
  • (2) to limit or prohibit otherwise lawful use of such disclosures by any Federal entity, even when such otherwise lawful disclosures duplicate or replicate disclosures made under this subchapter.
• (b) Nothing in this subchapter shall be construed to prohibit or limit the disclosure of information protected under section 2302(b)(8) of title 5 (governing disclosures of illegality, waste, fraud, abuse, or public health or safety threats), section 7211 of title 5 (governing disclosures to Congress), section 1034 of title 10 (governing disclosure to Congress by members of the military), section 3234 of title 50 (governing disclosure by employees of elements of the intelligence community), or any similar provision of Federal or State law.
• (c) Nothing in this subchapter shall be construed—
  • (1) as creating any immunity against, or otherwise affecting, any action brought by the Federal Government, or any agency or department thereof, to enforce any law, executive order, or procedure governing the appropriate handling, disclosure, or use of classified information;
  • (2) to affect the conduct of authorized law enforcement or intelligence activities; or
  • (3) to modify the authority of a department or agency of the Federal Government to protect classified information and sources and methods and the national security of the United States.
• (d) Nothing in this subchapter shall be construed to affect any requirement under any other provision of law for a non-Federal entity to provide information to the Federal Government.
• (e) Nothing in this subchapter shall be construed to permit price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.
• (f) Nothing in this subchapter shall be construed—
  • (1) to limit or modify an existing information sharing relationship;
  • (2) to prohibit a new information sharing relationship;
  • (3) to require a new information sharing relationship between any non-Federal entity and a Federal entity or another non-Federal entity; or
  • (4) to require the use of the capability and process within the Department of Homeland Security developed under section 1504(c) of this title .
• (g) Nothing in this subchapter shall be construed—
  • (1) to amend, repeal, or supersede any current or future contractual agreement, terms of service agreement, or other contractual relationship between any non-Federal entities, or between any non-Federal entity and a Federal entity; or
  • (2) to abrogate trade secret or intellectual property rights of any non-Federal entity or Federal entity.
• (h) Nothing in this subchapter shall be construed to permit a Federal entity—
  • (1) to require a non-Federal entity to provide information to a Federal entity or another non-Federal entity;
  • (2) to condition the sharing of cyber threat indicators with a non-Federal entity on such entity’s provision of cyber threat indicators to a Federal entity or another non-Federal entity; or
  • (3) to condition the award of any Federal grant, contract, or purchase on the provision of a cyber threat indicator to a Federal entity or another non-Federal entity.
• (i) Nothing in this subchapter shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized in this subchapter.
• (j) Nothing in this subchapter shall be construed to authorize, or to modify any existing authority of, a department or agency of the Federal Government to retain or use any information shared under this subchapter for any use other than permitted in this subchapter.
• (k)
  • (1) This subchapter supersedes any statute or other provision of law of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under this subchapter.
  • (2) Nothing in this subchapter shall be construed to supersede any statute or other provision of law of a State or political subdivision of a State concerning the use of authorized law enforcement practices and procedures.
• (l) Nothing in this subchapter shall be construed—
  • (1) to authorize the promulgation of any regulations not specifically authorized to be issued under this subchapter;
  • (2) to establish or limit any regulatory authority not specifically established or limited under this subchapter; or
  • (3) to authorize regulatory actions that would duplicate or conflict with regulatory requirements, mandatory standards, or related processes under another provision of Federal law.
• (m) Nothing in this subchapter shall be construed to limit the authority of the Secretary of Defense under section 394 of title 10 .
• (n) Nothing in this subchapter shall be construed to prevent the disclosure of a cyber threat indicator or defensive measure shared under this subchapter in a case of criminal prosecution, when an applicable provision of Federal, State, tribal, or local law requires disclosure in such case.

§ 1508. Report on cybersecurity threats

• (a) Not later than 180 days after December 18, 2015 , the Director of National Intelligence, in coordination with the heads of other appropriate elements of the intelligence community, shall submit to the Select Committee on Intelligence of the Senate and the Permanent Select Committee on Intelligence of the House of Representatives a report on cybersecurity threats, including cyber attacks, theft, and data breaches.
• (b) The report required by subsection (a) shall include the following:
  • (1) An assessment of the current intelligence sharing and cooperation relationships of the United States with other countries regarding cybersecurity threats, including cyber attacks, theft, and data breaches, directed against the United States and which threaten the United States national security interests and economy and intellectual property, specifically identifying the relative utility of such relationships, which elements of the intelligence community participate in such relationships, and whether and how such relationships could be improved.
  • (2) A list and an assessment of the countries and nonstate actors that are the primary threats of carrying out a cybersecurity threat, including a cyber attack, theft, or data breach, against the United States and which threaten the United States national security, economy, and intellectual property.
  • (3) A description of the extent to which the capabilities of the United States Government to respond to or prevent cybersecurity threats, including cyber attacks, theft, or data breaches, directed against the United States private sector are degraded by a delay in the prompt notification by private entities of such threats or cyber attacks, theft, and data breaches.
  • (4) An assessment of additional technologies or capabilities that would enhance the ability of the United States to prevent and to respond to cybersecurity threats, including cyber attacks, theft, and data breaches.
  • (5) An assessment of any technologies or practices utilized by the private sector that could be rapidly fielded to assist the intelligence community in preventing and responding to cybersecurity threats.
• (c) The report required by subsection (a) shall be made available in classified and unclassified forms.
• (d) In this section, the term “intelligence community” has the meaning given that term in section 3003 of title 50 .

§ 1509. Exception to limitation on authority of Secretary of Defense to disseminate certain information

Notwithstanding subsection (c)(3) of section 393 of title 10 , the Secretary of Defense may authorize the sharing of cyber threat indicators and defensive measures pursuant to the policies, procedures, and guidelines developed or issued under this subchapter.

§ 1510. Effective period

• (a) Except as provided in subsection (b), this subchapter and the amendments made by this subchapter shall be effective during the period beginning on December 18, 2015 and ending on September 30, 2025 .
• (b) With respect to any action authorized by this subchapter or information obtained pursuant to an action authorized by this subchapter, which occurred before the date on which the provisions referred to in subsection (a) cease to have effect, the provisions of this subchapter shall continue in effect.

§ 1521. Definitions

In this subchapter:

• (1) The term “agency” has the meaning given the term in section 3502 of title 44 .
• (2) The term “agency information system” has the meaning given the term in section 660 of this title .
• (3) The term “appropriate congressional committees” means—
  • (A) the Committee on Homeland Security and Governmental Affairs of the Senate; and
  • (B) the Committee on Homeland Security of the House of Representatives.
• (4) The terms “cybersecurity risk” and “information system” have the meanings given those terms in section 659 of this title .
• (5) The term “Director” means the Director of the Office of Management and Budget.
• (6) The term “intelligence community” has the meaning given the term in section 3003(4) of title 50 .
• (7) The term “national security system” has the meaning given the term in section 11103 of title 40 .
• (8) The term “Secretary” means the Secretary of Homeland Security.

§ 1522. Advanced internal defenses

• (a)
  • (1) The Secretary shall include, in the efforts of the Department to continuously diagnose and mitigate cybersecurity risks, advanced network security tools to improve visibility of network activity, including through the use of commercial and free or open source tools, and to detect and mitigate intrusions and anomalous activity.
  • (2) The Director shall develop and the Secretary shall implement a plan to ensure that each agency utilizes advanced network security tools, including those described in paragraph (1), to detect and mitigate intrusions and anomalous activity.
• (b) The Director and the Secretary, in consultation with appropriate agencies, shall—
  • (1) review and update Government-wide policies and programs to ensure appropriate prioritization and use of network security monitoring tools within agency networks; and
  • (2) brief appropriate congressional committees on such prioritization and use.
• (c) The Secretary, in collaboration with the Director, shall review and update the metrics used to measure security under section 3554 of title 44 to include measures of intrusion and incident detection and response times.
• (d) The Director, in consultation with the Secretary, shall increase transparency to the public on agency cybersecurity posture, including by increasing the number of metrics available on Federal Government performance websites and, to the greatest extent practicable, displaying metrics for department components, small agencies, and micro-agencies.
• (e)
• (f) The requirements under this section shall not apply to the Department of Defense, a national security system, or an element of the intelligence community.

§ 1523. Federal cybersecurity requirements

• (a) Consistent with section 3553 of title 44 , the Secretary, in consultation with the Director, shall exercise the authority to issue binding operational directives to assist the Director in ensuring timely agency adoption of and compliance with policies and standards promulgated under section 11331 of title 40 for securing agency information systems.
• (b)
  • (1) Consistent with policies, standards, guidelines, and directives on information security under subchapter II of chapter 35 of title 44 and the standards and guidelines promulgated under section 11331 of title 40 and except as provided in paragraph (2), not later than 1 year after December 18, 2015 , the head of each agency shall—
    • (A) identify sensitive and mission critical data stored by the agency consistent with the inventory required under the first subsection (c) (relating to the inventory of major information systems) and the second subsection (c) (relating to the inventory of information systems) of section 3505 of title 44 ;
    • (B) assess access controls to the data described in subparagraph (A), the need for readily accessible storage of the data, and individuals’ need to access the data;
    • (C) encrypt or otherwise render indecipherable to unauthorized users the data described in subparagraph (A) that is stored on or transiting agency information systems;
    • (D) implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication, as developed by the Administrator of General Services in collaboration with the Secretary; and
    • (E) implement identity management consistent with section 7464 of title 15 , including multi-factor authentication, for—
      • (i) remote access to an agency information system; and
      • (ii) each user account with elevated privileges on an agency information system.
  • (2) The requirements under paragraph (1) shall not apply to an agency information system for which—
    • (A) the head of the agency has personally certified to the Director with particularity that—
      • (i) operational requirements articulated in the certification and related to the agency information system would make it excessively burdensome to implement the cybersecurity requirement;
      • (ii) the cybersecurity requirement is not necessary to secure the agency information system or agency information stored on or transiting it; and
      • (iii) the agency has taken all necessary steps to secure the agency information system and agency information stored on or transiting it; and
    • (B) the head of the agency or the designee of the head of the agency has submitted the certification described in subparagraph (A) to the appropriate congressional committees and the agency’s authorizing committees.
  • (3) Nothing in this section shall be construed to alter the authority of the Secretary, the Director, or the Director of the National Institute of Standards and Technology in implementing subchapter II of chapter 35 of title 44. Nothing in this section shall be construed to affect the National Institute of Standards and Technology standards process or the requirement under section 3553(a)(4) of such title or to discourage continued improvements and advancements in the technology, standards, policies, and guidelines used to promote Federal information security.
• (c) The requirements under this section shall not apply to the Department of Defense, a national security system, or an element of the intelligence community.

§ 1524. Assessment; reports

• (a) In this section:
  • (1) The term “agency information” has the meaning given the term in section 2213 of the Homeland Security Act of 2002 [ 6 U.S.C. 663 ].
  • (2) The terms “cyber threat indicator” and “defensive measure” have the meanings given those terms in section 1501 of this title .
  • (3) The term “intrusion assessments” means actions taken under the intrusion assessment plan to identify and remove intruders in agency information systems.
  • (4) The term “intrusion assessment plan” means the plan required under section 2210(b)(1) of the Homeland Security Act of 2002 [ 6 U.S.C. 660(b)(1) ].
  • (5) The term “intrusion detection and prevention capabilities” means the capabilities required under section 2213(b) of the Homeland Security Act of 2002 [ 6 U.S.C. 663(b) ].
• (b) Not later than 3 years after December 18, 2015 , the Comptroller General of the United States shall conduct a study and publish a report on the effectiveness of the approach and strategy of the Federal Government to securing agency information systems, including the intrusion detection and prevention capabilities and the intrusion assessment plan.
• (c)
  • (1)
    • (A) Not later than 6 months after December 18, 2015 , and annually thereafter, the Secretary shall submit to the appropriate congressional committees a report on the status of implementation of the intrusion detection and prevention capabilities, including—
      • (i) a description of privacy controls;
      • (ii) a description of the technologies and capabilities utilized to detect cybersecurity risks in network traffic, including the extent to which those technologies and capabilities include existing commercial and noncommercial technologies;
      • (iii) a description of the technologies and capabilities utilized to prevent network traffic associated with cybersecurity risks from transiting or traveling to or from agency information systems, including the extent to which those technologies and capabilities include existing commercial and noncommercial technologies;
      • (iv) a list of the types of indicators or other identifiers or techniques used to detect cybersecurity risks in network traffic transiting or traveling to or from agency information systems on each iteration of the intrusion detection and prevention capabilities and the number of each such type of indicator, identifier, and technique;
      • (v) the number of instances in which the intrusion detection and prevention capabilities detected a cybersecurity risk in network traffic transiting or traveling to or from agency information systems and the number of times the intrusion detection and prevention capabilities blocked network traffic associated with cybersecurity risk; and
      • (vi) a description of the pilot established under section 2213(c)(5) of the Homeland Security Act of 2002 [ 6 U.S.C. 663(c)(5) ], including the number of new technologies tested and the number of participating agencies.
    • (B) Not later than 18 months after December 18, 2015 , and annually thereafter, the Director shall submit to Congress, as part of the report required under section 3553(c) of title 44 , an analysis of agency application of the intrusion detection and prevention capabilities, including—
      • (i) a list of each agency and the degree to which each agency has applied the intrusion detection and prevention capabilities to an agency information system; and
      • (ii) a list by agency of—
        • (I) the number of instances in which the intrusion detection and prevention capabilities detected a cybersecurity risk in network traffic transiting or traveling to or from an agency information system and the types of indicators, identifiers, and techniques used to detect such cybersecurity risks; and
        • (II) the number of instances in which the intrusion detection and prevention capabilities prevented network traffic associated with a cybersecurity risk from transiting or traveling to or from an agency information system and the types of indicators, identifiers, and techniques used to detect such agency information systems.
    • (C) Not earlier than 18 months after December 18, 2015 , and not later than 2 years after December 18, 2015 , the Federal Chief Information Officer shall review and submit to the appropriate congressional committees a report assessing the intrusion detection and intrusion prevention capabilities, including—
      • (i) the effectiveness of the system in detecting, disrupting, and preventing cyber-threat actors, including advanced persistent threats, from accessing agency information and agency information systems;
      • (ii) whether the intrusion detection and prevention capabilities, continuous diagnostics and mitigation, and other systems deployed under subtitle D 1 1 See References in Text note below. of title II of the Homeland Security Act of 2002 ( 6 U.S.C. 231 et seq.) are effective in securing Federal information systems;
      • (iii) the costs and benefits of the intrusion detection and prevention capabilities, including as compared to commercial technologies and tools and including the value of classified cyber threat indicators; and
      • (iv) the capability of agencies to protect sensitive cyber threat indicators and defensive measures if they were shared through unclassified mechanisms for use in commercial technologies and tools.
  • (2) The Director shall—
    • (A) not later than 6 months after December 18, 2015 , and 30 days after any update thereto, submit the intrusion assessment plan to the appropriate congressional committees;
    • (B) not later than 1 year after December 18, 2015 , and annually thereafter, submit to Congress, as part of the report required under section 3553(c) of title 44 —
      • (i) a description of the implementation of the intrusion assessment plan;
      • (ii) the findings of the intrusion assessments conducted pursuant to the intrusion assessment plan;
      • (iii) a description of the advanced network security tools included in the efforts to continuously diagnose and mitigate cybersecurity risks pursuant to section 1522(a)(1) of this title ; and
      • (iv) a list by agency of compliance with the requirements of section 1523(b) of this title ; and
    • (C) not later than 1 year after December 18, 2015 , submit to the appropriate congressional committees—
      • (i) a copy of the plan developed pursuant to section 1522(a)(2) of this title ; and
      • (ii) the improved metrics developed pursuant to section 1522(c) of this title .
• (d) Each report required under this section shall be submitted in unclassified form, but may include a classified annex.

§ 1525. Termination

• (a) The authority provided under section 663 of this title , and the reporting requirements under section 1524(c) of this title shall terminate on the date that is 7 years after December 18, 2015 .
• (b) Nothing in subsection (a) shall be construed to affect the limitation of liability of a private entity for assistance provided to the Secretary under section 663(d)(2) 1 1 So in original. Probably should be “663(c)(2)”. of this title, if such assistance was rendered before the termination date under subsection (a) or otherwise during a period in which the assistance was authorized.

§ 1531. Apprehension and prosecution of international cyber criminals

• (a) In this section, the term “international cyber criminal” means an individual—
  • (1) who is believed to have committed a cybercrime or intellectual property crime against the interests of the United States or the citizens of the United States; and
  • (2) for whom—
    • (A) an arrest warrant has been issued by a judge in the United States; or
    • (B) an international wanted notice (commonly referred to as a “Red Notice”) has been circulated by Interpol.
• (b) The Secretary of State, or designee, shall consult with the appropriate government official of each country from which extradition is not likely due to the lack of an extradition treaty with the United States or other reasons, in which one or more international cyber criminals are physically present, to determine what actions the government of such country has taken—
  • (1) to apprehend and prosecute such criminals; and
  • (2) to prevent such criminals from carrying out cybercrimes or intellectual property crimes against the interests of the United States or its citizens.
• (c)
  • (1) The Secretary of State shall submit to the appropriate congressional committees an annual report that includes—
    • (A) the number of international cyber criminals located in other countries, disaggregated by country, and indicating from which countries extradition is not likely due to the lack of an extradition treaty with the United States or other reasons;
    • (B) the nature and number of significant discussions by an official of the Department of State on ways to thwart or prosecute international cyber criminals with an official of another country, including the name of each such country; and
    • (C) for each international cyber criminal who was extradited to the United States during the most recently completed calendar year—
      • (i) his or her name;
      • (ii) the crimes for which he or she was charged;
      • (iii) his or her previous country of residence; and
      • (iv) the country from which he or she was extradited into the United States.
  • (2) The report required by this subsection shall be in unclassified form to the maximum extent possible, but may include a classified annex.
  • (3) For purposes of this subsection, the term “appropriate congressional committees” means—
    • (A) the Committee on Foreign Relations, the Committee on Appropriations, the Committee on Homeland Security and Governmental Affairs, the Committee on Banking, Housing, and Urban Affairs, the Select Committee on Intelligence, and the Committee on the Judiciary of the Senate; and
    • (B) the Committee on Foreign Affairs, the Committee on Appropriations, the Committee on Homeland Security, the Committee on Financial Services, the Permanent Select Committee on Intelligence, and the Committee on the Judiciary of the House of Representatives.

§ 1532. Enhancement of emergency services

• (a) Not later than 90 days after December 18, 2015 , the Secretary of Homeland Security, acting through the center established under section 659 of this title , in coordination with appropriate Federal entities and the Assistant Director for Emergency Communications, shall establish a process by which a Statewide Interoperability Coordinator may report data on any cybersecurity risk or incident involving any information system or network used by emergency response providers (as defined in section 101 of this title ) within the State.
• (b) Not later than 1 year after December 18, 2015 , the Secretary of Homeland Security, acting through the Director of the National Cybersecurity and Communications Integration Center, in coordination with appropriate entities and the Assistant Director for Emergency Communications, and in consultation with the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology, shall conduct integration and analysis of the data reported under subsection (a) to develop information and recommendations on security and resilience measures for any information system or network used by State emergency response providers.
• (c)
  • (1) Using the results of the integration and analysis conducted under subsection (b), and any other relevant information, the Director of the National Institute of Standards and Technology shall, on an ongoing basis, facilitate and support the development of methods for reducing cybersecurity risks to emergency response providers using the process described in section 272(e) of title 15 .
  • (2) The Director of the National Institute of Standards and Technology shall submit to Congress a report on the result of the activities of the Director under paragraph (1), including any methods developed by the Director under such paragraph, and shall make such report publicly available on the website of the National Institute of Standards and Technology.
• (d) Nothing in this section shall be construed to—
  • (1) require a State to report data under subsection (a); or
  • (2) require a non-Federal entity (as defined in section 1501 of this title ) to—
    • (A) adopt a recommended measure developed under subsection (b); or
    • (B) follow the result of the activities carried out under subsection (c), including any methods developed under such subsection.

§ 1533. Improving cybersecurity in the health care industry

• (a) In this section:
  • (1) The term “appropriate congressional committees” means—
    • (A) the Committee on Health, Education, Labor, and Pensions, the Committee on Homeland Security and Governmental Affairs, and the Select Committee on Intelligence of the Senate; and
    • (B) the Committee on Energy and Commerce, the Committee on Homeland Security, and the Permanent Select Committee on Intelligence of the House of Representatives.
  • (2) The term “business associate” has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations (as in effect on the day before December 18, 2015 ).
  • (3) The term “covered entity” has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations (as in effect on the day before December 18, 2015 ).
  • (4) The terms “cybersecurity threat”, “cyber threat indicator”, “defensive measure”, “Federal entity”, “non-Federal entity”, and “private entity” have the meanings given such terms in section 1501 of this title .
  • (5) The terms “health care clearinghouse”, “health care provider”, and “health plan” have the meanings given such terms in section 160.103 of title 45, Code of Federal Regulations (as in effect on the day before December 18, 2015 ).
  • (6) The term “health care industry stakeholder” means any—
    • (A) health plan, health care clearinghouse, or health care provider;
    • (B) advocate for patients or consumers;
    • (C) pharmacist;
    • (D) developer or vendor of health information technology;
    • (E) laboratory;
    • (F) pharmaceutical or medical device manufacturer; or
    • (G) additional stakeholder the Secretary determines necessary for purposes of subsection (b)(1), (c)(1), (c)(3), or (d)(1).
  • (7) The term “Secretary” means the Secretary of Health and Human Services.
• (b)
  • (1) Not later than 1 year after December 18, 2015 , the Secretary shall submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives a report on the preparedness of the Department of Health and Human Services and health care industry stakeholders in responding to cybersecurity threats.
  • (2) With respect to the internal response of the Department of Health and Human Services to emerging cybersecurity threats, the report under paragraph (1) shall include—
    • (A) a clear statement of the official within the Department of Health and Human Services to be responsible for leading and coordinating efforts of the Department regarding cybersecurity threats in the health care industry; and
    • (B) a plan from each relevant operating division and subdivision of the Department of Health and Human Services on how such division or subdivision will address cybersecurity threats in the health care industry, including a clear delineation of how each such division or subdivision will divide responsibility among the personnel of such division or subdivision and communicate with other such divisions and subdivisions regarding efforts to address such threats.
• (c)
  • (1) Not later than 90 days after December 18, 2015 , the Secretary, in consultation with the Director of the National Institute of Standards and Technology and the Secretary of Homeland Security, shall convene health care industry stakeholders, cybersecurity experts, and any Federal agencies or entities the Secretary determines appropriate to establish a task force to—
    • (A) analyze how industries, other than the health care industry, have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries;
    • (B) analyze challenges and barriers private entities (excluding any State, tribal, or local government) in the health care industry face securing themselves against cyber attacks;
    • (C) review challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record;
    • (D) provide the Secretary with information to disseminate to health care industry stakeholders of all sizes for purposes of improving their preparedness for, and response to, cybersecurity threats affecting the health care industry;
    • (E) establish a plan for implementing subchapter I of this chapter, so that the Federal Government and health care industry stakeholders may in real time, share actionable cyber threat indicators and defensive measures; and
    • (F) report to the appropriate congressional committees on the findings and recommendations of the task force regarding carrying out subparagraphs (A) through (E).
  • (2) The task force established under this subsection shall terminate on the date that is 1 year after the date on which such task force is established.
  • (3) Not later than 60 days after the termination of the task force established under this subsection, the Secretary shall disseminate the information described in paragraph (1)(D) to health care industry stakeholders in accordance with such paragraph.
• (d)
  • (1) The Secretary shall establish, through a collaborative process with the Secretary of Homeland Security, health care industry stakeholders, the Director of the National Institute of Standards and Technology, and any Federal entity or non-Federal entity the Secretary determines appropriate, a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes that—
    • (A) serve as a resource for cost-effectively reducing cybersecurity risks for a range of health care organizations;
    • (B) support voluntary adoption and implementation efforts to improve safeguards to address cybersecurity threats;
    • (C) are consistent with—
      • (i) the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 272(c)(15) of title 15 ;
      • (ii) the security and privacy regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 ( 42 U.S.C. 1320d–2 note); and
      • (iii) the provisions of the Health Information Technology for Economic and Clinical Health Act (title XIII of division A, and title IV of division B, of Public Law 111–5 ), and the amendments made by such Act; and
    • (D) are updated on a regular basis and applicable to a range of health care organizations.
  • (2) Nothing in this subsection shall be interpreted as granting the Secretary authority to—
    • (A) provide for audits to ensure that health care organizations are in compliance with this subsection; or
    • (B) mandate, direct, or condition the award of any Federal grant, contract, or purchase, on compliance with this subsection.
  • (3) Nothing in this section shall be construed to subject a health care industry stakeholder to liability for choosing not to engage in the voluntary activities authorized or guidelines developed under this subsection.
• (e) In carrying out the activities under this section, the Secretary may incorporate activities that are ongoing as of the day before December 18, 2015 and that are consistent with the objectives of this section.
• (f) Nothing in this section shall be construed to limit the antitrust exemption under section 1503(e) of this title or the protection from liability under section 1505 of this title .