6 U.S. Code § 652 - Cybersecurity and Infrastructure Security Agency

not fewer than five years of demonstrated experience in efforts to foster coordination and collaboration between the Federal Government, the private sector, and other entities on issues related to cybersecurity, infrastructure security, or security risk management.

Any reference to an Under section 113(a)(1)(H) of this title as in effect on the day before November 16, 2018 , in any law, regulation, map, document, record, or other paper of the United Agency.

coordinate with Federal entities, including Sector-Specific Agencies, and non-Federal entities, including international entities, to carry out the cybersecurity and (3)

carry out the responsibilities of the Public Law 114–113)), including by carrying out a periodic strategic assessment of the related programs and activities of the (4)

upon request, provide analyses, expertise, and other technical assistance to departments and agencies;

maintain and utilize mechanisms for the regular and ongoing consultation and collaboration among the Divisions of the (8) develop, coordinate, and implement—

carry out cybersecurity, infrastructure security, and emergency communications stakeholder outreach and engagement and coordinate that outreach and engagement with (11)

provide education, training, and capacity development to Federal and non-Federal entities to enhance the security and resiliency of domestic and global cybersecurity and infrastructure security;

carry out the duties and authorities relating to the .gov internet domain, as described in section 665 of this title; and

carry out such other duties and powers prescribed by law or delegated by the (d) Deputy Director There shall be in the (1)

To integrate relevant information, analysis, and vulnerability assessments, regardless of whether the information, analysis, or assessments are provided or produced by the (D)

To develop, in coordination with the Sector-Specific Agencies with available expertise, a comprehensive national plan for securing the key resources and assets that support those systems.

To review, analyze, and make recommendations for improvements to the policies and procedures governing the (H)

To ensure that any material received pursuant to this chapter is protected from unauthorized disclosure and handled and used only for the performance of official duties.

To request additional information from other Federal Government agencies, terrorism in the United (L)

To exercise the authorities and oversight of the functions, personnel, assets, and liabilities of those components transferred to the section 121(g) of this title.

To carry out the functions of the national cybersecurity and communications integration center under section 659 of this title.

To carry out the requirements of the Chemical Facility Anti-Terrorism Standards Program established under subchapter XVI and the secure handling of ammonium nitrate program established under part J of subchapter VIII, or any successor programs.

overseeing elementary and secondary cybersecurity education and awareness related programs at the (ii)

leading efforts to develop, attract, and retain the cybersecurity workforce necessary for the cybersecurity related missions of the (iii)

encouraging and building cybersecurity awareness and competency across the United (iv) carrying out cybersecurity related workforce development activities, including through—

increasing the pipeline of future cybersecurity professionals through programs focused on elementary and secondary education , postsecondary education , and workforce development; and

building awareness of and competency in cybersecurity across the civilian Federal Government workforce.

The functions specified in sections 653(b) and 654(b) of this title, consistent with the responsibilities provided in paragraph (1), upon certifying to and briefing the appropriate congressional committees, and making available to the public, at least 60 days prior to the reallocation that the reallocation is necessary for carrying out the activities of the Agency.

Analysts under this subsection may include analysts from the private sector.

Analysts under this subsection shall possess security clearances appropriate for their work under this section.

In order to assist the personnel of the Federal agencies described in subparagraph (B) may be detailed to the functions and related duties.

The personnel under this paragraph.

The detail of personnel under this paragraph may be on a reimbursable or non-reimbursable basis.

The Emergency Communications Division under subchapter XIII, headed by an Executive Assistant (g) Co-location

To the maximum extent practicable, the (2) Coordination

When establishing the central locations described in paragraph (1), the (h) Privacy

assuring that personal information contained in systems of records of the section 552a of title 5 (commonly known as the “Privacy Act of 1974”);

evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the (D)

Nothing in this subchapter may be construed as affecting in any manner the authority, existing on the day before November 16, 2018 , of any other component of theRisk Management Agency specified in section 61003(c) of division F of the Fixing America’s Surface Transportation Act (6 U.S.C. 121 note; Public Law 114–94).

The Cybersecurity Act of 2015, referred to in subsec. (c)(3), is div. N of Pub. L. 114–113, Dec. 18, 2015 , 129 Stat. 2935. For complete classification of this Act to the Code, see Short Title note set out under section 1501 of this title and Tables.

This chapter, referred to in subsecs. (c)(7) and (e)(1)(J), was in the original “this Act”, meaning Pub. L. 107–296, Nov. 25, 2002 , 116 Stat. 2135, known as the Homeland Security Act of 2002, which is classified principally to this chapter. For complete classification of this Act to the Code, see Short Title note set out under section 101 of this title and Tables.

2022—Pub. L. 117–263, § 7143(a)(1), made amendment identical to that made by Pub. L. 117–81, § 1547(b)(1)(B). See 2021 Amendment note below.

Subsec. (a)(1). Pub. L. 117–263, § 7143(b)(2)(C)(i), which directed striking out “(in this part referred to as theCongress .

Subsec. (b)(2), (3). Pub. L. 116–283, § 9001(a), added par. (2) and redesignated former par. (2) as (3).

Subsec. (c)(3). Pub. L. 117–81, § 1549(a), substituted “, including by carrying out a periodic strategic assessment of the related programs and activities of thePub. L. 116–283, §§ 1717(a)(1)(A)(i), 1719(b)(1), which directed identical amendments of par. (10) by striking out “and” at end, could not be executed because the word “and” did not appear at end after amendment by Pub. L. 116–260, § 904(b)(1)(A)(i). See 2020 Amendment note below.

Subsec. (c)(11). Pub. L. 117–81, § 1547(b)(1)(A)(i)(I), struck out “and” after the semicolon.

Pub. L. 116–283, § 1719(b)(3), added par. (11) relating to providing education, training, and capacity development to Federal and non-Federal entities. Former par. (11), relating to appointment of a CybersecurityPub. L. 116–283, § 1717(a)(1)(A)(iii), added par. (11) relating to appointment of a CybersecurityPub. L. 117–81, § 1547(b)(1)(A)(i)(II), struck out “and” at end and made technical amendment to reference in original Act which appears in text as reference to section 665c of this title.

Pub. L. 116–283, § 1719(b)(2), redesignated par. (11) relating to appointment of a CybersecurityPub. L. 116–283, § 1717(a)(1)(A)(ii), redesignated par. (11) relating to the .gov internet domain as (12).

Subsec. (c)(13). Pub. L. 117–81, § 1547(b)(1)(A)(i)(III), redesignated par. (12) relating to the .gov internet domain as (13).

Subsec. (c)(14). Pub. L. 117–81, § 1547(b)(1)(A)(i)(IV), redesignated par. (12) relating to carrying out such other duties and powers as (14).

Subsec. (i). Pub. L. 116–283, § 9002(c)(2)(D), substituted “Sector Risk Management Agency ” for “Sector-SpecificPub. L. 116–260, § 904(b)(1)(A)(i), as amended by Pub. L. 117–81, § 1547(b)(1)(B), struck out “and” at end.

Subsec. (c)(11), (12). Pub. L. 116–260, § 904(b)(1)(A)(ii), (iii), as amended by Pub. L. 117–81, § 1547(b)(1)(B), added par. (11) relating to the .gov internet domain and redesignated former par. (11) relating to carrying out such other duties and powers as (12).

“The amendment made by paragraph (1) [amending this section and section 665 of this title] shall take effect as if enacted as part of the DOTGOV Act of 2020 (title IX of division U of Public Law 116–260).”

Nothing in amendment made by Pub. L. 117–263 to be construed to alter the authorities, responsibilities,44 U.S.C. 3502) or officer or employee of the UnitedDec. 23, 2022 , see section 7143(f)(1) of Pub. L. 117–263, set out as a note under section 650 of this title.

Amendment by section 1717(a)(1)(A) of Pub. L. 116–283 not to be construed to affect or otherwise modify the authority of Federal law enforcement agencies with respect to investigations relating to cybersecuritysection 1717(a)(4) of Pub. L. 116–283, set out as a note under section 665c of this title.

“This Act may be cited as the ‘National Cybersecurity Preparedness Consortium Act of 2021’.

develop and update a curriculum utilizing existing training and educational programs and models in accordance with section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659), for “(3)

provide technical assistance services, training, and educational programs to build and sustain capabilities in support of preparedness for and response to “(4)

conduct cross-sector cybersecurity training, education, and simulation exercises for entities, including Homeland Security Act of 2002 (6 U.S.C. 660(c));

Geographic diversity of the members of any such consortium so as to maximize coverage of the different regions of the United “(3)

The participation in such consortium of one or more historically Black colleges and universities, Hispanic-serving institutions, Tribal Colleges and Universities, other minority-serving institutions, and community colleges that participate in the National Centers of Excellence in Cybersecurity program, as carried out by the Department of Homeland Security .

Nothing in this section may be construed to authorize a consortium to control or direct any law enforcement “(g) Definitions.— In this section—

the term ‘community college’ has the meaning given the term ‘junior or community college’ in section 312 of the Higher Education Act of 1965 (20 U.S.C. 1058);

the term ‘consortium’ means a group primarily composed of nonprofit entities, including academic institutions, that develop, update, and deliver cybersecurity training and education in support of “(3)

the term ‘Hispanic-serving institution’ has the meaning given the term in section 502 of the Higher Education Act of 1965 (20 U.S.C. 1101a);

the term ‘historically Black college and university’ has the meaning given the term ‘part B institution’ in section 322 of the Higher Education Act of 1965 (20 U.S.C. 1061);

the term ‘minority-serving institution’ means an institution of higher education described in section 371(a) of the Higher Education Act of 1965 (20 U.S.C. 1067q(a));

the term ‘Tribal Colleges and Universities’ has the meaning given the term in section 316 of the Higher Education Act of 1965 (20 U.S.C. 1059c); and

the term ‘Tribal organization’ has the meaning given the term in section 4(e) of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 5304(e)).”

If the Homeland Security Act of 2002 (6 U.S.C. 659) to identify and notify the entity at risk pursuant to the procedures under that section.

A notification made under paragraph (1) shall include information on the identified “(d) Prioritization of Notifications.—

No procedure, notification, or other authorities utilized in the execution of the pilot program established under subsection (a) shall require an owner or operator of a vulnerable “(f) Rule of Construction.—

Nothing in this section shall be construed to provide additional authorities to the “(g) Termination.—

The pilot program established under subsection (a) shall terminate on the date that is 4 years after the date of enactment of this Act.”

[For definitions of terms used in section 105 of div. Y of Pub. L. 117–103, set out above, see section 681 of this title, as made applicable by section 102(1) of div. Y of Pub. L. 117–103, which is set out as a note under section 665j of this title, and see section 650 of this title, as made applicable by section 7143(f)(2) of div. G of Pub. L. 117–263, which is set out as a note under section 650 of this title.]

Pilot Program on Public-Private Partnerships With Internet Ecosystem Companies To Detect and Disrupt Adversary Cyber Operations

Participation by an internet ecosystem company in a public-private partnership under the pilot program, including in any activity described in subsection (c), shall be voluntary.

No funds appropriated by any Act may be used to direct, pressure, coerce, or otherwise require that any internet ecosystem company take any action on their platforms, systems, services, or infrastructure as part of the pilot program.

provide assistance to a participating internet ecosystem company to develop effective know-your-customer processes and requirements;

provide information, analytics, and technical assistance to improve the ability of participating companies to detect and prevent illicit or suspicious procurement, payment, and account creation on their own platforms, systems, services, or infrastructure;

provide to participating internet ecosystem companies actionable, timely, and relevant information, such as information about ongoing operations and infrastructure, threats, tactics, and procedures, and indicators of compromise, to enable such companies to detect and disrupt the use by malicious cyber actors of the platforms, systems, services, or infrastructure of such companies;

provide recommendations for (but not design, develop, install, operate, or maintain) operational workflows, assessment and compliance practices, and training that participating internet ecosystem companies can implement to reliably detect and disrupt the use by malicious cyber actors of the platforms, systems, services, or infrastructure of such companies;

provide recommendations for accelerating, to the greatest extent practicable, the automation of existing or implemented operational workflows to operate at line-rate in order to enable real-time mitigation without the need for manual review or action;

provide recommendations for (but not design, develop, install, operate, or maintain) technical capabilities to enable participating internet ecosystem companies to collect and analyze data on malicious activities occurring on the platforms, systems, services, or infrastructure of such companies to detect and disrupt operations of malicious cyber actors; and

provide recommendations regarding relevant mitigations for suspected or discovered malicious cyber activity and thresholds for action.

The Secretary of Defense shall provide support and resources to the pilot program, including the provision of technical and operational expertise drawn from appropriate and relevant officials and components of the Department of Defense , including the National SecuritySecretary of Defense , militaryDefense Advanced Research Projects Agency .

The Joint Cyber Defense Collaborative of the Cybersecurity and Infrastructure Security Department of Homeland Security .

The Cybersecurity Collaboration Center and Enduring Security Framework of the National Security “(i) Rules of Construction.—

Nothing in this section may be construed to permit or require disclosure by a provider of a remote computing service or a provider of an electronic communication service to the public of information not otherwise permitted or required to be disclosed under chapter 121 of title 18, United “(3) Third party customers.—

Nothing in this section may be construed to require a third party, such as a customer or “(j) Briefings.—

Identification of any potential challenges in standing up the pilot program or impediments, such as a lack of liability protection, to private sector participation in the pilot program.

A description of the roles and responsibilities in the pilot program of each participating Federal entity.

Not later than two years after the date of the enactment of this Act and annually thereafter for three years, the Secretary of Defense and the National CyberCongress on the progress of the pilot program required under subsection (a).

Recommendations for addressing relevant policy, budgetary, and legislative gaps to increase the effectiveness of the pilot program.

Recommendations, such as providing liability protection, for increasing private sector participation in the pilot program.

A description of the challenges encountered in carrying out the pilot program, including any concerns expressed by internet ecosystem companies regarding participation in the pilot program.

The pilot program required under subsection (a) shall terminate on the date that is five years after the date of the enactment of this Act [ Dec. 27, 2021 ].