6 U.S. Code § 652 - Cybersecurity and Infrastructure Security Agency

not fewer than five years of demonstrated experience in efforts to foster coordination and collaboration between the Federal Government, the private sector, and other entities on issues related to cybersecurity, infrastructure security, or security risk management.

(B) Specified areas

The areas specified in this subparagraph are the following: Cybersecurity. Infrastructure security. Security risk management.

(3) Reference

Any reference to an Under section 113(a)(1)(H) of this title as in effect on the day before November 16, 2018, in any law, regulation, map, document, record, or other paper of the United Agency.

(c) Responsibilities

The

(1) lead cybersecurity and national cybersecurity asset response activities;

coordinate with Federal entities, including Sector-Specific Agencies, and non-Federal entities, including international entities, to carry out the cybersecurity and

(3) carry out the responsibilities of the Public Law 114–113)), including by carrying out a periodic strategic assessment of the related programs and activities of the

(4) coordinate a national effort to secure and protect against

(5) upon request, provide analyses, expertise, and other technical assistance to departments and agencies;

develop and utilize mechanisms for active and frequent collaboration between the

(7) maintain and utilize mechanisms for the regular and ongoing consultation and collaboration among the Divisions of the

(8) develop, coordinate, and implement—

comprehensive strategic plans for the activities of the

(B) risk assessments by and for the

(9) carry out emergency communications responsibilities, in accordance with subchapter XIII;

carry out cybersecurity, infrastructure security, and emergency communications stakeholder outreach and engagement and coordinate that outreach and engagement with

(11) provide education, training, and capacity development to Federal and non-Federal entities to enhance the security and resiliency of domestic and global cybersecurity and infrastructure security;

appoint a Cybersecurity section 665c of this title;

carry out the duties and authorities relating to the .gov internet domain, as described in section 665 of this title; and

carry out such other duties and powers prescribed by law or delegated by the

(d) Deputy Director

There shall be in the

(1) assist the Agency; and report to the

(e) Cybersecurity and infrastructure security authorities of the Secretary

identify and assess the nature and scope of terrorist threats to the

(ii) detect and identify threats of terrorism against the United

(iii) understand those threats in light of actual and potential vulnerabilities of the

(B) To carry out comprehensive assessments of the vulnerabilities of the key resources and

(C) To integrate relevant information, analysis, and vulnerability assessments, regardless of whether the information, analysis, or assessments are provided or produced by the

(D) To ensure, pursuant to section 122 of this title, the timely and efficient access by the

(E) To develop, in coordination with the Sector-Specific Agencies with available expertise, a comprehensive national plan for securing the key resources and assets that support those systems.

To recommend measures necessary to protect the key resources and

(G) To review, analyze, and make recommendations for improvements to the policies and procedures governing the

(H) To disseminate, as appropriate, information analyzed by the States.

To consult with terrorism against the United States.

To ensure that any material received pursuant to this chapter is protected from unauthorized disclosure and handled and used only for the performance of official duties.

To request additional information from other Federal Government agencies, terrorism in the United

(L) To establish and utilize, in conjunction with the Chief Information Officer of the

(M) To coordinate training and other support to the elements and personnel of the Department.

To coordinate with Federal,

(O) To exercise the authorities and oversight of the functions, personnel, assets, and liabilities of those components transferred to the section 121(g) of this title.

To carry out the functions of the national cybersecurity and communications integration center under section 659 of this title.

To carry out the requirements of the Chemical Facility Anti-Terrorism Standards Program established under subchapter XVI and the secure handling of ammonium nitrate program established under part J of subchapter VIII, or any successor programs.

(R) To encourage and build cybersecurity awareness and competency across the United

(i) overseeing elementary and secondary cybersecurity education and awareness related programs at the

(ii) leading efforts to develop, attract, and retain the cybersecurity workforce necessary for the cybersecurity related missions of the

(iii) encouraging and building cybersecurity awareness and competency across the United

(iv) carrying out cybersecurity related workforce development activities, including through—

increasing the pipeline of future cybersecurity professionals through programs focused on elementary and secondary education, postsecondary education, and workforce development; and

building awareness of and competency in cybersecurity across the civilian Federal Government workforce.

(2) Reallocation

The functions specified in sections 653(b) and 654(b) of this title, consistent with the responsibilities provided in paragraph (1), upon certifying to and briefing the appropriate congressional committees, and making available to the public, at least 60 days prior to the reallocation that the reallocation is necessary for carrying out the activities of the Agency.

(A) In general

Analysts under this subsection may include analysts from the private sector.

(C) Security clearances

Analysts under this subsection shall possess security clearances appropriate for their work under this section.

(4) Detail of personnel

(A) In general

In order to assist the personnel of the Federal agencies described in subparagraph (B) may be detailed to the functions and related duties.

(B) Agencies

The Federal agencies described in this subparagraph are—

the Department of State;

the Central Intelligence Agency;

the Federal Bureau of Investigation;

the National Security

(v) the National Geospatial-Intelligence Agency;

the Defense Intelligence Agency;

Sector-Specific Agencies; and

The personnel under this paragraph.

The detail of personnel under this paragraph may be on a reimbursable or non-reimbursable basis.

(f) Composition

The

(1) The Cybersecurity Division, headed by an Executive Assistant

(2) The Infrastructure Security Division, headed by an Executive Assistant

(3) The Emergency Communications Division under subchapter XIII, headed by an Executive Assistant

(g) Co-location

(1) In general

To the maximum extent practicable, the

(2) Coordination

When establishing the central locations described in paragraph (1), the

(h) Privacy

(1) In general

assuring that the use of technologies by the

(B) assuring that personal information contained in systems of records of the section 552a of title 5 (commonly known as the “Privacy Act of 1974”);

evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the

(D) conducting a privacy impact assessment of proposed rules of the

(i) Savings

Nothing in this subchapter may be construed as affecting in any manner the authority, existing on the day before November 16, 2018, of any other component of theRisk Management Agency specified in section 61003(c) of division F of the Fixing America’s Surface Transportation Act (6 U.S.C. 121 note; Public Law 114–94).

Editorial Notes

References in Text

The Cybersecurity Act of 2015, referred to in subsec. (c)(3), is div. N of Pub. L. 114–113, Dec. 18, 2015, 129 Stat. 2935. For complete classification of this Act to the Code, see Short Title note set out under section 1501 of this title and Tables.

This chapter, referred to in subsecs. (c)(7) and (e)(1)(J), was in the original “this Act”, meaning Pub. L. 107–296, Nov. 25, 2002, 116 Stat. 2135, known as the Homeland Security Act of 2002, which is classified principally to this chapter. For complete classification of this Act to the Code, see Short Title note set out under section 101 of this title and Tables.

Amendments

2022—Pub. L. 117–263, § 7143(a)(1), made amendment identical to that made by Pub. L. 117–81, § 1547(b)(1)(B). See 2021 Amendment note below.

Subsec. (a)(1). Pub. L. 117–263, § 7143(b)(2)(C)(i), which directed striking out “(in this part referred to as theCongress.

Subsec. (b)(2), (3). Pub. L. 116–283, § 9001(a), added par. (2) and redesignated former par. (2) as (3).

Subsec. (c)(3). Pub. L. 117–81, § 1549(a), substituted “, including by carrying out a periodic strategic assessment of the related programs and activities of thePub. L. 116–283, §§ 1717(a)(1)(A)(i), 1719(b)(1), which directed identical amendments of par. (10) by striking out “and” at end, could not be executed because the word “and” did not appear at end after amendment by Pub. L. 116–260, § 904(b)(1)(A)(i). See 2020 Amendment note below.

Subsec. (c)(11). Pub. L. 117–81, § 1547(b)(1)(A)(i)(I), struck out “and” after the semicolon.

Pub. L. 116–283, § 1719(b)(3), added par. (11) relating to providing education, training, and capacity development to Federal and non-Federal entities. Former par. (11), relating to appointment of a CybersecurityPub. L. 116–283, § 1717(a)(1)(A)(iii), added par. (11) relating to appointment of a CybersecurityPub. L. 117–81, § 1547(b)(1)(A)(i)(II), struck out “and” at end and made technical amendment to reference in original Act which appears in text as reference to section 665c of this title.

Pub. L. 116–283, § 1719(b)(2), redesignated par. (11) relating to appointment of a CybersecurityPub. L. 116–283, § 1717(a)(1)(A)(ii), redesignated par. (11) relating to the .gov internet domain as (12).

Subsec. (c)(13). Pub. L. 117–81, § 1547(b)(1)(A)(i)(III), redesignated par. (12) relating to the .gov internet domain as (13).

Subsec. (c)(14). Pub. L. 117–81, § 1547(b)(1)(A)(i)(IV), redesignated par. (12) relating to carrying out such other duties and powers as (14).

Subsec. (i). Pub. L. 116–283, § 9002(c)(2)(D), substituted “Sector Risk Management Agency” for “Sector-SpecificPub. L. 116–260, § 904(b)(1)(A)(i), as amended by Pub. L. 117–81, § 1547(b)(1)(B), struck out “and” at end.

Subsec. (c)(11), (12). Pub. L. 116–260, § 904(b)(1)(A)(ii), (iii), as amended by Pub. L. 117–81, § 1547(b)(1)(B), added par. (11) relating to the .gov internet domain and redesignated former par. (11) relating to carrying out such other duties and powers as (12).

Statutory Notes and Related Subsidiaries

Effective Date of 2022 Amendment

“The amendment made by paragraph (1) [amending this section and section 665 of this title] shall take effect as if enacted as part of the DOTGOV Act of 2020 (title IX of division U of Public Law 116–260).”

Rule of Construction

Nothing in amendment made by Pub. L. 117–263 to be construed to alter the authorities, responsibilities,44 U.S.C. 3502) or officer or employee of the UnitedDec. 23, 2022, see section 7143(f)(1) of Pub. L. 117–263, set out as a note under section 650 of this title.

Construction of 2021 Amendment

Amendment by section 1717(a)(1)(A) of Pub. L. 116–283 not to be construed to affect or otherwise modify the authority of Federal law enforcement agencies with respect to investigations relating to cybersecuritysection 1717(a)(4) of Pub. L. 116–283, set out as a note under section 665c of this title.

National Cybersecurity Preparedness Consortium

“SECTION 1. SHORT TITLE.

“This Act may be cited as the ‘National Cybersecurity Preparedness Consortium Act of 2021’.

“SEC. 2. NATIONAL CYBERSECURITY PREPAREDNESS CONSORTIUM.

“(a) In General.—

provide training and education to

“(2) develop and update a curriculum utilizing existing training and educational programs and models in accordance with section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659), for

“(3) provide technical assistance services, training, and educational programs to build and sustain capabilities in support of preparedness for and response to

“(4) conduct cross-sector cybersecurity training, education, and simulation exercises for entities, including Homeland Security Act of 2002 (6 U.S.C. 660(c));

help Homeland Security Act of 2002 (6 U.S.C. 659), for the dissemination of

“(6) help incorporate

“(7)

Prior experience conducting cybersecurity training, education, and exercises for

“(2) Geographic diversity of the members of any such consortium so as to maximize coverage of the different regions of the United

“(3) The participation in such consortium of one or more historically Black colleges and universities, Hispanic-serving institutions, Tribal Colleges and Universities, other minority-serving institutions, and community colleges that participate in the National Centers of Excellence in Cybersecurity program, as carried out by the Department of Homeland Security.

Nothing in this section may be construed to authorize a consortium to control or direct any law enforcement

“(g) Definitions.—

In this section—

the term ‘community college’ has the meaning given the term ‘junior or community college’ in section 312 of the Higher Education Act of 1965 (20 U.S.C. 1058);

the term ‘consortium’ means a group primarily composed of nonprofit entities, including academic institutions, that develop, update, and deliver cybersecurity training and education in support of

“(3) the terms ‘Homeland Security Act of 2002 (6 U.S.C. 659(a)) [see 6 U.S.C. 650(7), (12)];

the term ‘Hispanic-serving institution’ has the meaning given the term in section 502 of the Higher Education Act of 1965 (20 U.S.C. 1101a);

the term ‘historically Black college and university’ has the meaning given the term ‘part B institution’ in section 322 of the Higher Education Act of 1965 (20 U.S.C. 1061);

the term ‘minority-serving institution’ means an institution of higher education described in section 371(a) of the Higher Education Act of 1965 (20 U.S.C. 1067q(a));

The term ‘Rico, the United

“(10) the term ‘Tribal Colleges and Universities’ has the meaning given the term in section 316 of the Higher Education Act of 1965 (20 U.S.C. 1059c); and

the term ‘Tribal organization’ has the meaning given the term in section 4(e) of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 5304(e)).”

Ransomware Vulnerability Warning Pilot Program

identify the most common security vulnerabilities utilized in

“(2) utilize existing authorities to identify

“(c) Entity Notification.—

“(1) Identification.—

If the Homeland Security Act of 2002 (6 U.S.C. 659) to identify and notify the entity at risk pursuant to the procedures under that section.

“(3) Required information.—

A notification made under paragraph (1) shall include information on the identified

“(d) Prioritization of Notifications.—

To the extent practicable, the

“(e) Limitation on Procedures.—

No procedure, notification, or other authorities utilized in the execution of the pilot program established under subsection (a) shall require an owner or operator of a vulnerable

“(f) Rule of Construction.—

Nothing in this section shall be construed to provide additional authorities to the

“(g) Termination.—

The pilot program established under subsection (a) shall terminate on the date that is 4 years after the date of enactment of this Act.”

[For definitions of terms used in section 105 of div. Y of Pub. L. 117–103, set out above, see section 681 of this title, as made applicable by section 102(1) of div. Y of Pub. L. 117–103, which is set out as a note under section 665j of this title, and see section 650 of this title, as made applicable by section 7143(f)(2) of div. G of Pub. L. 117–263, which is set out as a note under section 650 of this title.]

Pilot Program on Public-Private Partnerships With Internet Ecosystem Companies To Detect and Disrupt Adversary Cyber Operations

“(a) Pilot Required.—

“(1) In general.—

In carrying out the pilot program under subsection (a), the

“(2) Voluntary participation.—

“(A) In general.—

Participation by an internet ecosystem company in a public-private partnership under the pilot program, including in any activity described in subsection (c), shall be voluntary.

“(B) Prohibition.—

No funds appropriated by any Act may be used to direct, pressure, coerce, or otherwise require that any internet ecosystem company take any action on their platforms, systems, services, or infrastructure as part of the pilot program.

“(c) Authorized Activities.—

In carrying out the pilot program under subsection (a), the

“(1) provide assistance to a participating internet ecosystem company to develop effective know-your-customer processes and requirements;

provide information, analytics, and technical assistance to improve the ability of participating companies to detect and prevent illicit or suspicious procurement, payment, and account creation on their own platforms, systems, services, or infrastructure;

develop and socialize best practices for the collection, retention, and

“(4) provide to participating internet ecosystem companies actionable, timely, and relevant information, such as information about ongoing operations and infrastructure, threats, tactics, and procedures, and indicators of compromise, to enable such companies to detect and disrupt the use by malicious cyber actors of the platforms, systems, services, or infrastructure of such companies;

provide recommendations for (but not design, develop, install, operate, or maintain) operational workflows, assessment and compliance practices, and training that participating internet ecosystem companies can implement to reliably detect and disrupt the use by malicious cyber actors of the platforms, systems, services, or infrastructure of such companies;

provide recommendations for accelerating, to the greatest extent practicable, the automation of existing or implemented operational workflows to operate at line-rate in order to enable real-time mitigation without the need for manual review or action;

provide recommendations for (but not design, develop, install, operate, or maintain) technical capabilities to enable participating internet ecosystem companies to collect and analyze data on malicious activities occurring on the platforms, systems, services, or infrastructure of such companies to detect and disrupt operations of malicious cyber actors; and

provide recommendations regarding relevant mitigations for suspected or discovered malicious cyber activity and thresholds for action.

“(d) Competition Concerns.—

Consistent with section 1905 of title 18, United

“(e) Impartiality.—

In carrying out the pilot program under subsection (a), the

“(f) Responsibilities.—

“(1) Secretary of homeland security.—

The National Cyber

“(3) Secretary of defense.—

The Secretary of Defense shall provide support and resources to the pilot program, including the provision of technical and operational expertise drawn from appropriate and relevant officials and components of the Department of Defense, including the National SecuritySecretary of Defense, militaryDefense Advanced Research Projects Agency.

“(g) Participation of Other Federal Government Components.—

The Joint Cyber Defense Collaborative of the Cybersecurity and Infrastructure Security Department of Homeland Security.

The Cybersecurity Collaboration Center and Enduring Security Framework of the National Security

“(i) Rules of Construction.—

“(1) Limitation on government access to data.—

Nothing in this section authorizes

“(2) Stored communications act.—

Nothing in this section may be construed to permit or require disclosure by a provider of a remote computing service or a provider of an electronic communication service to the public of information not otherwise permitted or required to be disclosed under chapter 121 of title 18, United

“(3) Third party customers.—

Nothing in this section may be construed to require a third party, such as a customer or

“(j) Briefings.—

“(A) In general.—

“(B) Elements.—

The briefing required under subparagraph (A) shall include the following:

The plans of the

“(ii) Identification of key priorities for the pilot program.

Identification of any potential challenges in standing up the pilot program or impediments, such as a lack of liability protection, to private sector participation in the pilot program.

A description of the roles and responsibilities in the pilot program of each participating Federal entity.

“(A) In general.—

Not later than two years after the date of the enactment of this Act and annually thereafter for three years, the Secretary of Defense and the National CyberCongress on the progress of the pilot program required under subsection (a).

“(B) Elements.— Each briefing required under subparagraph (A) shall include the following:

Recommendations for addressing relevant policy, budgetary, and legislative gaps to increase the effectiveness of the pilot program.

Recommendations, such as providing liability protection, for increasing private sector participation in the pilot program.

A description of the challenges encountered in carrying out the pilot program, including any concerns expressed by internet ecosystem companies regarding participation in the pilot program.

The findings of the

“(v) Such other matters as the

“(k) Termination.—

The pilot program required under subsection (a) shall terminate on the date that is five years after the date of the enactment of this Act [Dec. 27, 2021].