Phone 202 839-5563 

email sustainable@rightexposure.com

cybersecurity infrastructure security agency act

H.R.3359

One Hundred Fifteenth Congress of the United States of America

An Act: To amend the Homeland Security Act of 2002 to authorize the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the “Cybersecurity and Infrastructure

Security Agency Act of 2018”.

SEC. 2. CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY.

    (a) In General.–The Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended by adding at the end the following:

     “TITLE XXII–CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

        “Subtitle A–Cybersecurity and Infrastructure Security

“SEC. 2201. DEFINITIONS.

    “In this subtitle:

        “(1) Critical infrastructure information.–The term `critical

    infrastructure information’ has the meaning given the term in

    section 2222.

        “(2) Cybersecurity risk.–The term `cybersecurity risk’ has

    the meaning given the term in section 2209.

        “(3) Cybersecurity threat.–The term `cybersecurity threat’

    has the meaning given the term in section 102(5) of the

    Cybersecurity Act of 2015 (contained in division N of the

    Consolidated Appropriations Act, 2016 (Public Law 114-113; 6 U.S.C.

    1501)).

        “(4) National cybersecurity asset response activities.–The

    term `national cybersecurity asset response activities’ means–

            “(A) furnishing cybersecurity technical assistance to

        entities affected by cybersecurity risks to protect assets,

        mitigate vulnerabilities, and reduce impacts of cyber

        incidents;

            “(B) identifying other entities that may be at risk of an

        incident and assessing risk to the same or similar

        vulnerabilities;

            “(C) assessing potential cybersecurity risks to a sector

        or region, including potential cascading effects, and

        developing courses of action to mitigate such risks;

            “(D) facilitating information sharing and operational

        coordination with threat response; and

            “(E) providing guidance on how best to utilize Federal

        resources and capabilities in a timely, effective manner to

        speed recovery from cybersecurity risks.

        “(5) Sector-specific agency.–The term `Sector-Specific

    Agency’ means a Federal department or agency, designated by law or

    presidential directive, with responsibility for providing

    institutional knowledge and specialized expertise of a sector, as

    well as leading, facilitating, or supporting programs and

    associated activities of its designated critical infrastructure

    sector in the all hazards environment in coordination with the

    Department.

        “(6) Sharing.–The term `sharing’ has the meaning given the

    term in section 2209.

“SEC. 2202. CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY.

    “(a) Redesignation.–

        “(1) In general.–The National Protection and Programs

    Directorate of the Department shall, on and after the date of the

    enactment of this subtitle, be known as the `Cybersecurity and

    Infrastructure Security Agency’ (in this subtitle referred to as

    the `Agency’).

        “(2) References.–Any reference to the National Protection and

    Programs Directorate of the Department in any law, regulation, map,

    document, record, or other paper of the United States shall be

    deemed to be a reference to the Cybersecurity and Infrastructure

    Security Agency of the Department.

    “(b) Director.–

        “(1) In general.–The Agency shall be headed by a Director of

    Cybersecurity and Infrastructure Security (in this subtitle

    referred to as the `Director’), who shall report to the Secretary.

        “(2) Reference.–Any reference to an Under Secretary

    responsible for overseeing critical infrastructure protection,

    cybersecurity, and any other related program of the Department as

    described in section 103(a)(1)(H) as in effect on the day before

    the date of enactment of this subtitle in any law, regulation, map,

    document, record, or other paper of the United States shall be

    deemed to be a reference to the Director of Cybersecurity and

    Infrastructure Security of the Department.

    “(c) Responsibilities.–The Director shall–

        “(1) lead cybersecurity and critical infrastructure security

    programs, operations, and associated policy for the Agency,

    including national cybersecurity asset response activities;

        “(2) coordinate with Federal entities, including Sector-

    Specific Agencies, and non-Federal entities, including

    international entities, to carry out the cybersecurity and critical

    infrastructure activities of the Agency, as appropriate;

        “(3) carry out the responsibilities of the Secretary to secure

    Federal information and information systems consistent with law,

    including subchapter II of chapter 35 of title 44, United States

    Code, and the Cybersecurity Act of 2015 (contained in division N of

    the Consolidated Appropriations Act, 2016 (Public Law 114-113));

        “(4) coordinate a national effort to secure and protect

    against critical infrastructure risks, consistent with subsection

    (e)(1)(E);

        “(5) upon request, provide analyses, expertise, and other

    technical assistance to critical infrastructure owners and

    operators and, where appropriate, provide those analyses,

    expertise, and other technical assistance in coordination with

    Sector-Specific Agencies and other Federal departments and

    agencies;

        “(6) develop and utilize mechanisms for active and frequent

    collaboration between the Agency and Sector-Specific Agencies to

    ensure appropriate coordination, situational awareness, and

    communications with Sector-Specific Agencies;

        “(7) maintain and utilize mechanisms for the regular and

    ongoing consultation and collaboration among the Divisions of the

    Agency to further operational coordination, integrated situational

    awareness, and improved integration across the Agency in accordance

    with this Act;

        “(8) develop, coordinate, and implement–

            “(A) comprehensive strategic plans for the activities of

        the Agency; and

            “(B) risk assessments by and for the Agency;

        “(9) carry out emergency communications responsibilities, in

    accordance with title XVIII;

        “(10) carry out cybersecurity, infrastructure security, and

    emergency communications stakeholder outreach and engagement and

    coordinate that outreach and engagement with critical

    infrastructure Sector-Specific Agencies, as appropriate; and

        “(11) carry out such other duties and powers prescribed by law

    or delegated by the Secretary.

    “(d) Deputy Director.–There shall be in the Agency a Deputy

Director of Cybersecurity and Infrastructure Security who shall–

        “(1) assist the Director in the management of the Agency; and

        “(2) report to the Director.

    “(e) Cybersecurity and Infrastructure Security Authorities of the

Secretary.–

        “(1) In general.–The responsibilities of the Secretary

    relating to cybersecurity and infrastructure security shall include

    the following:

            “(A) To access, receive, and analyze law enforcement

        information, intelligence information, and other information

        from Federal Government agencies, State, local, tribal, and

        territorial government agencies, including law enforcement

        agencies, and private sector entities, and to integrate that

        information, in support of the mission responsibilities of the

        Department, in order to–

                “(i) identify and assess the nature and scope of

            terrorist threats to the homeland;

                “(ii) detect and identify threats of terrorism against

            the United States; and

                “(iii) understand those threats in light of actual and

            potential vulnerabilities of the homeland.

            “(B) To carry out comprehensive assessments of the

        vulnerabilities of the key resources and critical

        infrastructure of the United States, including the performance

        of risk assessments to determine the risks posed by particular

        types of terrorist attacks within the United States, including

        an assessment of the probability of success of those attacks

        and the feasibility and potential efficacy of various

        countermeasures to those attacks. At the discretion of the

        Secretary, such assessments may be carried out in coordination

        with Sector-Specific Agencies.

            “(C) To integrate relevant information, analysis, and

        vulnerability assessments, regardless of whether the

        information, analysis, or assessments are provided or produced

        by the Department, in order to make recommendations, including

        prioritization, for protective and support measures by the

        Department, other Federal Government agencies, State, local,

        tribal, and territorial government agencies and authorities,

        the private sector, and other entities regarding terrorist and

        other threats to homeland security.

            “(D) To ensure, pursuant to section 202, the timely and

        efficient access by the Department to all information necessary

        to discharge the responsibilities under this title, including

        obtaining that information from other Federal Government

        agencies.

            “(E) To develop, in coordination with the Sector-Specific

        Agencies with available expertise, a comprehensive national

        plan for securing the key resources and critical infrastructure

        of the United States, including power production, generation,

        and distribution systems, information technology and

        telecommunications systems (including satellites), electronic

        financial and property record storage and transmission systems,

        emergency communications systems, and the physical and

        technological assets that support those systems.

            “(F) To recommend measures necessary to protect the key

        resources and critical infrastructure of the United States in

        coordination with other Federal Government agencies, including

        Sector-Specific Agencies, and in cooperation with State, local,

        tribal, and territorial government agencies and authorities,

        the private sector, and other entities.

            “(G) To review, analyze, and make recommendations for

        improvements to the policies and procedures governing the

        sharing of information relating to homeland security within the

        Federal Government and between Federal Government agencies and

        State, local, tribal, and territorial government agencies and

        authorities.

            “(H) To disseminate, as appropriate, information analyzed

        by the Department within the Department to other Federal

        Government agencies with responsibilities relating to homeland

        security and to State, local, tribal, and territorial

        government agencies and private sector entities with those

        responsibilities in order to assist in the deterrence,

        prevention, or preemption of, or response to, terrorist attacks

        against the United States.

            “(I) To consult with State, local, tribal, and territorial

        government agencies and private sector entities to ensure

        appropriate exchanges of information, including law

        enforcement-related information, relating to threats of

        terrorism against the United States.

            “(J) To ensure that any material received pursuant to this

        Act is protected from unauthorized disclosure and handled and

        used only for the performance of official duties.

            “(K) To request additional information from other Federal

        Government agencies, State, local, tribal, and territorial

        government agencies, and the private sector relating to threats

        of terrorism in the United States, or relating to other areas

        of responsibility assigned by the Secretary, including the

        entry into cooperative agreements through the Secretary to

        obtain such information.

            “(L) To establish and utilize, in conjunction with the

        Chief Information Officer of the Department, a secure

        communications and information technology infrastructure,

        including data-mining and other advanced analytical tools, in

        order to access, receive, and analyze data and information in

        furtherance of the responsibilities under this section, and to

        disseminate information acquired and analyzed by the

        Department, as appropriate.

            “(M) To coordinate training and other support to the

        elements and personnel of the Department, other Federal

        Government agencies, and State, local, tribal, and territorial

        government agencies that provide information to the Department,

        or are consumers of information provided by the Department, in

        order to facilitate the identification and sharing of

        information revealed in their ordinary duties and the optimal

        utilization of information received from the Department.

            “(N) To coordinate with Federal, State, local, tribal, and

        territorial law enforcement agencies, and the private sector,

        as appropriate.

            “(O) To exercise the authorities and oversight of the

        functions, personnel, assets, and liabilities of those

        components transferred to the Department pursuant to section

        201(g).

            “(P) To carry out the functions of the national

        cybersecurity and communications integration center under

        section 2209.

            “(Q) To carry out the requirements of the Chemical

        Facility Anti-Terrorism Standards Program established under

        title XXI and the secure handling of ammonium nitrate program

        established under subtitle J of title VIII, or any successor

        programs.

        “(2) Reallocation.–The Secretary may reallocate within the

    Agency the functions specified in sections 2203(b) and 2204(b),

    consistent with the responsibilities provided in paragraph (1),

    upon certifying to and briefing the appropriate congressional

    committees, and making available to the public, at least 60 days

    prior to the reallocation that the reallocation is necessary for

    carrying out the activities of the Agency.

        “(3) Staff.–

            “(A) In general.–The Secretary shall provide the Agency

        with a staff of analysts having appropriate expertise and

        experience to assist the Agency in discharging the

        responsibilities of the Agency under this section.

            “(B) Private sector analysts.–Analysts under this

        subsection may include analysts from the private sector.

            “(C) Security clearances.–Analysts under this subsection

        shall possess security clearances appropriate for their work

        under this section.

        “(4) Detail of personnel.–

            “(A) In general.–In order to assist the Agency in

        discharging the responsibilities of the Agency under this

        section, personnel of the Federal agencies described in

        subparagraph (B) may be detailed to the Agency for the

        performance of analytic functions and related duties.

            “(B) Agencies.–The Federal agencies described in this

        subparagraph are–

                “(i) the Department of State;

                “(ii) the Central Intelligence Agency;

                “(iii) the Federal Bureau of Investigation;

                “(iv) the National Security Agency;

                “(v) the National Geospatial-Intelligence Agency;

                “(vi) the Defense Intelligence Agency;

                “(vii) Sector-Specific Agencies; and

                “(viii) any other agency of the Federal Government

            that the President considers appropriate.

            “(C) Interagency agreements.–The Secretary and the head

        of a Federal agency described in subparagraph (B) may enter

        into agreements for the purpose of detailing personnel under

        this paragraph.

            “(D) Basis.–The detail of personnel under this paragraph

        may be on a reimbursable or non-reimbursable basis.

    “(f) Composition.–The Agency shall be composed of the following

divisions:

        “(1) The Cybersecurity Division, headed by an Assistant

    Director.

        “(2) The Infrastructure Security Division, headed by an

    Assistant Director.

        “(3) The Emergency Communications Division under title XVIII,

    headed by an Assistant Director.

    “(g) Co-location.–

        “(1) In general.–To the maximum extent practicable, the

    Director shall examine the establishment of central locations in

    geographical regions with a significant Agency presence.

        “(2) Coordination.–When establishing the central locations

    described in paragraph (1), the Director shall coordinate with

    component heads and the Under Secretary for Management to co-locate

    or partner on any new real property leases, renewing any occupancy

    agreements for existing leases, or agreeing to extend or newly

    occupy any Federal space or new construction.

    “(h) Privacy.–

        “(1) In general.–There shall be a Privacy Officer of the

    Agency with primary responsibility for privacy policy and

    compliance for the Agency.

        “(2) Responsibilities.–The responsibilities of the Privacy

    Officer of the Agency shall include–

            “(A) assuring that the use of technologies by the Agency

        sustain, and do not erode, privacy protections relating to the

        use, collection, and disclosure of personal information;

            “(B) assuring that personal information contained in

        systems of records of the Agency is handled in full compliance

        as specified in section 552a of title 5, United States Code

        (commonly known as the `Privacy Act of 1974′);

            “(C) evaluating legislative and regulatory proposals

        involving collection, use, and disclosure of personal

        information by the Agency; and

            “(D) conducting a privacy impact assessment of proposed

        rules of the Agency on the privacy of personal information,

        including the type of personal information collected and the

        number of people affected.

    “(i) Savings.–Nothing in this title may be construed as affecting

in any manner the authority, existing on the day before the date of

enactment of this title, of any other component of the Department or

any other Federal department or agency, including the authority

provided to the Sector-Specific Agency specified in section 61003(c) of

division F of the Fixing America’s Surface Transportation Act (6 U.S.C.

121 note; Public Law 114-94).

“SEC. 2203. CYBERSECURITY DIVISION.

    “(a) Establishment.–

        “(1) In general.–There is established in the Agency a

    Cybersecurity Division.

        “(2) Assistant director.–The Cybersecurity Division shall be

    headed by an Assistant Director for Cybersecurity (in this section

    referred to as the `Assistant Director’), who shall–

            “(A) be at the level of Assistant Secretary within the

        Department;

            “(B) be appointed by the President without the advice and

        consent of the Senate; and

            “(C) report to the Director.

        “(3) Reference.–Any reference to the Assistant Secretary for

    Cybersecurity and Communications in any law, regulation, map,

    document, record, or other paper of the United States shall be

    deemed to be a reference to the Assistant Director for

    Cybersecurity.

    “(b) Functions.–The Assistant Director shall–

        “(1) direct the cybersecurity efforts of the Agency;

        “(2) carry out activities, at the direction of the Director,

    related to the security of Federal information and Federal

    information systems consistent with law, including subchapter II of

    chapter 35 of title 44, United States Code, and the Cybersecurity

    Act of 2015 (contained in division N of the Consolidated

    Appropriations Act, 2016 (Public Law 114-113));

        “(3) fully participate in the mechanisms required under

    section 2202(c)(7); and

        “(4) carry out such other duties and powers as prescribed by

    the Director.

“SEC. 2204. INFRASTRUCTURE SECURITY DIVISION.

    “(a) Establishment.–

        “(1) In general.–There is established in the Agency an

    Infrastructure Security Division.

        “(2) Assistant director.–The Infrastructure Security Division

    shall be headed by an Assistant Director for Infrastructure

    Security (in this section referred to as the `Assistant Director’),

    who shall–

            “(A) be at the level of Assistant Secretary within the

        Department;

            “(B) be appointed by the President without the advice and

        consent of the Senate; and

            “(C) report to the Director.

        “(3) Reference.–Any reference to the Assistant Secretary for

    Infrastructure Protection in any law, regulation, map, document,

    record, or other paper of the United States shall be deemed to be a

    reference to the Assistant Director for Infrastructure Security.

    “(b) Functions.–The Assistant Director shall–

        “(1) direct the critical infrastructure security efforts of

    the Agency;

        “(2) carry out, at the direction of the Director, the Chemical

    Facilities Anti-Terrorism Standards Program established under title

    XXI and the secure handling of ammonium nitrate program established

    under subtitle J of title VIII, or any successor programs;

        “(3) fully participate in the mechanisms required under

    section 2202(c)(7); and

        “(4) carry out such other duties and powers as prescribed by

    the Director.”.

    (b) Treatment of Certain Positions.–

        (1) Under secretary.–The individual serving as the Under

    Secretary appointed pursuant to section 103(a)(1)(H) of the

    Homeland Security Act of 2002 (6 U.S.C. 113(a)(1)(H)) of the

    Department of Homeland Security on the day before the date of

    enactment of this Act may continue to serve as the Director of

    Cybersecurity and Infrastructure Security of the Department on and

    after such date.

        (2) Director for emergency communications.–The individual

    serving as the Director for Emergency Communications of the

    Department of Homeland Security on the day before the date of

    enactment of this Act may continue to serve as the Assistant

    Director for Emergency Communications of the Department on and

    after such date.

        (3) Assistant secretary for cybersecurity and communications.–

    The individual serving as the Assistant Secretary for Cybersecurity

    and Communications on the day before the date of enactment of this

    Act may continue to serve as the Assistant Director for

    Cybersecurity on and after such date.

        (4) Assistant secretary for infrastructure protection.–The

    individual serving as the Assistant Secretary for Infrastructure

    Protection on the day before the date of enactment of this Act may

    continue to serve as the Assistant Director for Infrastructure

    Security on and after such date.

    (c) Reference.–Any reference to–

        (1) the Office of Emergency Communications in any law,

    regulation, map, document, record, or other paper of the United

    States shall be deemed to be a reference to the Emergency

    Communications Division; and

        (2) the Director for Emergency Communications in any law,

    regulation, map, document, record, or other paper of the United

    States shall be deemed to be a reference to the Assistant Director

    for Emergency Communications.

    (d) Oversight.–The Director of Cybersecurity and Infrastructure

Security of the Department of Homeland Security shall provide to

Congress, in accordance with the deadlines specified in paragraphs (1)

through (6), information on the following:

        (1) Not later than 60 days after the date of enactment of this

    Act, a briefing on the activities of the Agency relating to the

    development and use of the mechanisms required pursuant to section

    2202(c)(6) of the Homeland Security Act of 2002 (as added by

    subsection (a)).

        (2) Not later than 1 year after the date of the enactment of

    this Act, a briefing on the activities of the Agency relating to

    the use and improvement by the Agency of the mechanisms required

    pursuant to section 2202(c)(6) of the Homeland Security Act of 2002

    and how such activities have impacted coordination, situational

    awareness, and communications with Sector-Specific Agencies.

        (3) Not later than 90 days after the date of the enactment of

    this Act, information on the mechanisms of the Agency for regular

    and ongoing consultation and collaboration, as required pursuant to

    section 2202(c)(7) of the Homeland Security Act of 2002 (as added

    by subsection (a)).

        (4) Not later than 1 year after the date of the enactment of

    this Act, information on the activities of the consultation and

    collaboration mechanisms of the Agency as required pursuant to

    section 2202(c)(7) of the Homeland Security Act of 2002, and how

    such mechanisms have impacted operational coordination, situational

    awareness, and integration across the Agency.

        (5) Not later than 180 days after the date of enactment of this

    Act, information, which shall be made publicly available and

    updated as appropriate, on the mechanisms and structures of the

    Agency responsible for stakeholder outreach and engagement, as

    required under section 2202(c)(10) of the Homeland Security Act of

    2002 (as added by subsection (a)).

    (e) Cyber Workforce.–Not later than 90 days after the date of

enactment of this Act, the Director of the Cybersecurity and

Infrastructure Security Agency of the Department of Homeland Security,

in coordination with the Director of the Office of Personnel

Management, shall submit to Congress a report detailing how the Agency

is meeting legislative requirements under the Cybersecurity Workforce

Assessment Act (Public Law 113-246; 128 Stat. 2880) and the Homeland

Security Cybersecurity Workforce Assessment Act (enacted as section 4

of the Border Patrol Agent Pay Reform Act of 2014; Public Law 113-277)

to address cyber workforce needs.

    (f) Facility.–Not later than 180 days after the date of enactment

of this Act, the Director of the Cybersecurity and Infrastructure

Security Agency of the Department of Homeland Security shall report to

Congress on the most efficient and effective methods of consolidating

Agency facilities, personnel, and programs to most effectively carry

out the Agency’s mission.

    (g) Technical and Conforming Amendments to the Homeland Security

Act of 2002.–The Homeland Security Act of 2002 (6 U.S.C. 101 et seq.)

is amended–

        (1) by amending section 103(a)(1)(H) (6 U.S.C. 113(a)(1)(H)) to

    read as follows:

            “(H) A Director of the Cybersecurity and Infrastructure

        Security Agency.”;

        (2) in title II (6 U.S.C. 121 et seq.)–

            (A) in the title heading, by striking “AND INFRASTRUCTURE

        PROTECTION”;

            (B) in the subtitle A heading, by striking “and

        Infrastructure Protection”;

            (C) in section 201 (6 U.S.C. 121)–

                (i) in the section heading, by striking “and

            infrastructure protection”;

                (ii) in subsection (a)–

 

                    (I) in the subsection heading, by striking “and

                Infrastructure Protection”; and

                    (II) by striking “and an Office of Infrastructure

                Protection”;

 

                (iii) in subsection (b)–

 

                    (I) in the subsection heading, by striking “and

                Assistant Secretary for Infrastructure Protection”;

                and

                    (II) by striking paragraph (3);

 

                (iv) in subsection (c)–

 

                    (I) by striking “and infrastructure protection”;

                and

                    (II) by striking “or the Assistant Secretary for

                Infrastructure Protection, as appropriate”;

 

                (v) in subsection (d)–

 

                    (I) in the subsection heading, by striking “and

                Infrastructure Protection”;

                    (II) in the matter preceding paragraph (1), by

                striking “and infrastructure protection”;

                    (III) by striking paragraphs (5), (6), and (25);

                    (IV) by redesignating paragraphs (7) through (24)

                as paragraphs (5) through (22), respectively;

                    (V) by redesignating paragraph (26) as paragraph

                (23); and

                    (VI) in paragraph (23)(B)(i), as so redesignated,

                by striking “section 319” and inserting “section

                320”;

 

                (vi) in subsection (e)(1), by striking “and the Office

            of Infrastructure Protection”; and

                (vii) in subsection (f)(1), by striking “and the

            Office of Infrastructure Protection”;

            (D) in section 202 (6 U.S.C. 122)–

                (i) in subsection (c), in the matter preceding

            paragraph (1), by striking “Director of Central

            Intelligence” and inserting “Director of National

            Intelligence”; and

                (ii) in subsection (d)(2), by striking “Director of

            Central Intelligence” and inserting “Director of National

            Intelligence”;

            (E) in section 204 (6 U.S.C. 124a)–

                (i) in subsection (c)(1), in the matter preceding

            subparagraph (A), by striking “Assistant Secretary for

            Infrastructure Protection” and inserting “Director of the

            Cybersecurity and Infrastructure Security Agency”; and

                (ii) in subsection (d)(1), in the matter preceding

            subparagraph (A), by striking “Assistant Secretary for

            Infrastructure Protection” and inserting “Director of the

            Cybersecurity and Infrastructure Security Agency”;

            (F) in section 210A(c)(2)(B) (6 U.S.C. 124h(c)(2)(B)), by

        striking “Office of Infrastructure Protection” and inserting

        “Cybersecurity and Infrastructure Security Agency”;

            (G) by redesignating section 210E (6 U.S.C. 124l) as

        section 2214 and transferring such section to appear after

        section 2213 (as redesignated by subparagraph (I));

            (H) in subtitle B, by redesignating sections 211 through

        215 (6 U.S.C. 101 note, and 131 through 134) as sections 2221

        through 2225, respectively, and transferring such subtitle,

        including the enumerator and heading of subtitle B and such

        sections, to appear after section 2214 (as redesignated by

        subparagraph (G));

            (I) by redesignating sections 223 through 230 (6 U.S.C. 143

        through 151) as sections 2205 through 2213, respectively, and

        transferring such sections to appear after section 2204, as

        added by this Act;

            (J) by redesignating section 210F as section 210E; and

            (K) by redesignating subtitles C and D as subtitles B and

        C, respectively;

        (3) in title III (6 U.S.C. 181 et seq.)–

            (A) in section 302 (6 U.S.C. 182)–

                (i) by striking “biological,,” each place that term

            appears and inserting “biological,”; and

                (ii) in paragraph (3), by striking “Assistant

            Secretary for Infrastructure Protection” and inserting

            “Director of the Cybersecurity and Infrastructure Security

            Agency”;

            (B) by redesignating the second section 319 (6 U.S.C. 195f)

        (relating to EMP and GMD mitigation research and development)

        as section 320; and

            (C) in section 320(c)(1), as so redesignated, by striking

        “Section 214” and inserting “Section 2224”;

        (4) in title V (6 U.S.C. 311 et seq.)–

            (A) in section 508(d)(2)(D) (6 U.S.C. 318(d)(2)(D)), by

        striking “The Director of the Office of Emergency

        Communications of the Department of Homeland Security” and

        inserting “The Assistant Director for Emergency

        Communications”;

            (B) in section 514 (6 U.S.C. 321c)–

                (i) by striking subsection (b); and

                (ii) by redesignating subsection (c) as subsection (b);

            and

            (C) in section 523 (6 U.S.C. 321l)–

                (i) in subsection (a), in the matter preceding

            paragraph (1), by striking “Assistant Secretary for

            Infrastructure Protection” and inserting “Director of

            Cybersecurity and Infrastructure Security”; and

                (ii) in subsection (c), by striking “Assistant

            Secretary for Infrastructure Protection” and inserting

            “Director of Cybersecurity and Infrastructure Security”;

        (5) in title VIII (6 U.S.C. 361 et seq.)–

            (A) in section 884(d)(4)(A)(ii) (6 U.S.C.

        464(d)(4)(A)(ii)), by striking “Under Secretary responsible

        for overseeing critical infrastructure protection,

        cybersecurity, and other related programs of the Department”

        and inserting “Director of Cybersecurity and Infrastructure

        Security”; and

            (B) in section 899B(a) (6 U.S.C. 488a(a)), by adding at the

        end the following: “Such regulations shall be carried out by

        the Cybersecurity and Infrastructure Security Agency.”;

        (6) in title XVIII (6 U.S.C. 571 et seq.)–

            (A) in section 1801 (6 U.S.C. 571)–

                (i) in the section heading, by striking “office of

            emergency communications” and inserting “emergency

            communications division”;

                (ii) in subsection (a)–

 

                    (I) by striking “Office of Emergency

                Communications” and inserting “Emergency

                Communications Division”; and

                    (II) by adding at the end the following: “The

                Division shall be located in the Cybersecurity and

                Infrastructure Security Agency.”;

 

                (iii) by amending subsection (b) to read as follows:

    “(b) Assistant Director.–The head of the Division shall be the

Assistant Director for Emergency Communications. The Assistant Director

shall report to the Director of Cybersecurity and Infrastructure

Security. All decisions of the Assistant Director that entail the

exercise of significant authority shall be subject to the approval of

the Director of Cybersecurity and Infrastructure Security.”;

                (iv) in subsection (c)–

 

                    (I) in the matter preceding paragraph (1), by

                inserting “Assistant” before “Director”;

                    (II) in paragraph (14), by striking “and” at the

                end;

                    (III) in paragraph (15), by striking the period at

                the end and inserting “; and”; and

                    (IV) by inserting after paragraph (15) the

                following:

 

        “(16) fully participate in the mechanisms required under

    section 2202(c)(7).”;

                (v) in subsection (d), in the matter preceding

            paragraph (1), by inserting “Assistant” before

            “Director”; and

                (vi) in subsection (e), in the matter preceding

            paragraph (1), by inserting “Assistant” before

            “Director”;

            (B) in sections 1802 through 1805 (6 U.S.C. 572 through

        575), by striking “Director for Emergency Communications”

        each place that term appears and inserting “Assistant Director

        for Emergency Communications”;

            (C) in section 1809 (6 U.S.C. 579)–

                (i) by striking “Director of Emergency

            Communications” each place that term appears and inserting

            “Assistant Director for Emergency Communications”;

                (ii) in subsection (b)–

 

                    (I) by striking “Director for Emergency

                Communications” and inserting “Assistant Director for

                Emergency Communications”; and

                    (II) by striking “Office of Emergency

                Communications” and inserting “Emergency

                Communications Division”;

 

                (iii) in subsection (e)(3), by striking “the

            Director” and inserting “the Assistant Director”; and

                (iv) in subsection (m)(1)–

 

                    (I) by striking “The Director” and inserting

                “The Assistant Director”;

                    (II) by striking “the Director determines” and

                inserting “the Assistant Director determines”; and

                    (III) by striking “Office of Emergency

                Communications” and inserting “Cybersecurity and

                Infrastructure Security Agency”;

 

            (D) in section 1810 (6 U.S.C. 580)–

                (i) in subsection (a)(1), by striking “Director of the

            Office of Emergency Communications (referred to in this

            section as the `Director’)” and inserting “Assistant

            Director for Emergency Communications (referred to in this

            section as the `Assistant Director’)”;

                (ii) in subsection (c), by striking “Office of

            Emergency Communications” and inserting “Emergency

            Communications Division”; and

                (iii) by striking “Director” each place that term

            appears and inserting “Assistant Director”;

        (7) in title XX (6 U.S.C. 601 et seq.)–

            (A) in paragraph (4)(A)(iii)(II) of section 2001 (6 U.S.C.

        601), by striking “section 210E(a)(2)” and inserting

        “section 2214(a)(2)”;

            (B) in section 2008(a)(3) (6 U.S.C. 609(a)(3)), by striking

        “section 210E(a)(2)” and inserting “section 2214(a)(2)”;

        and

            (C) in section 2021 (6 U.S.C. 611)–

                (i) by striking subsection (c); and

                (ii) by redesignating subsection (d) as subsection (c);

        (8) in title XXI (6 U.S.C. 621 et seq.)–

            (A) in section 2102(a)(1) (6 U.S.C. 622(a)(1)), by

        inserting “, which shall be located in the Cybersecurity and

        Infrastructure Security Agency” before the period at the end;

        and

            (B) in section 2104(c)(2) (6 U.S.C. 624(c)(2)), by striking

        “Under Secretary responsible for overseeing critical

        infrastructure protection, cybersecurity, and other related

        programs of the Department appointed under section

        103(a)(1)(H)” and inserting “Director of Cybersecurity and

        Infrastructure Security”; and

        (9) in title XXII, as added by this Act–

            (A) in subtitle A–

                (i) in section 2205, as so redesignated–

 

                    (I) in the matter preceding paragraph (1)–

 

                        (aa) by striking “section 201” and inserting

                    “section 2202”; and

                        (bb) by striking “Under Secretary appointed

                    under section 103(a)(1)(H)” and inserting

                    “Director of Cybersecurity and Infrastructure

                    Security”; and

 

                    (II) in paragraph (1)(B), by striking “and” at

                the end;

 

                (ii) in section 2206, as so redesignated, by striking

            “Assistant Secretary for Infrastructure Protection” and

            inserting “Director of Cybersecurity and Infrastructure

            Security”;

                (iii) in section 2209, as so redesignated–

 

                    (I) by striking “Under Secretary appointed under

                section 103(a)(1)(H)” each place that term appears and

                inserting “Director”;

                    (II) in subsection (a)(4), by striking “section

                212(5)” and inserting “section 2222(5)”;

                    (III) in subsection (b), by adding at the end the

                following: “The Center shall be located in the

                Cybersecurity and Infrastructure Security Agency. The

                head of the Center shall report to the Assistant

                Director for Cybersecurity.”; and

                    (IV) in subsection (c)(11), by striking “Office of

                Emergency Communications” and inserting “Emergency

                Communications Division”;

 

                (iv) in section 2210, as so redesignated–

 

                    (I) by striking “section 227” each place that

                term appears and inserting “section 2209”; and

                    (II) in subsection (c)–

 

                        (aa) by striking “Under Secretary appointed

                    under section 103(a)(1)(H)” and inserting

                    “Director of Cybersecurity and Infrastructure

                    Security”; and

                        (bb) by striking “section 212(5)” and

                    inserting “section 2222(5)”;

                (v) in section 2211(b)(2)(A), as so redesignated, by

            striking “the section 227” and inserting “section

            2209”;

                (vi) in section 2212, as so redesignated, by striking

            “section 212(5)” and inserting “section 2222(5)”;

                (vii) in section 2213(a), as so redesignated–

 

                    (I) in paragraph (3), by striking “section 228”

                and inserting “section 2210”; and

                    (II) in paragraph (4), by striking “section 227”

                and inserting “section 2209”; and

 

                (viii) in section 2214, as so redesignated–

 

                    (I) by striking subsection (e); and

                    (II) by redesignating subsection (f) as subsection

                (e); and

 

            (B) in subtitle B–

                (i) in section 2222(8), as so redesignated, by striking

            “section 227” and inserting “section 2209”; and

                (ii) in section 2224(h), as so redesignated, by

            striking “section 213” and inserting “section 2223”;

    (h) Technical and Conforming Amendments to Other Laws.–

        (1) Cybersecurity act of 2015.–The Cybersecurity Act of 2015

    (6 U.S.C. 1501 et seq.) is amended–

            (A) in section 202(2) (6 U.S.C. 131 note)–

                (i) by striking “section 227” and inserting “section

            2209”; and

                (ii) by striking “, as so redesignated by section

            223(a)(3) of this division”;

            (B) in section 207(2) (Public Law 114-113; 129 Stat.

        2962)–

                (i) by striking “section 227” and inserting “section

            2209”; and

                (ii) by striking “, as redesignated by section 223(a)

            of this division,”;

            (C) in section 208 (Public Law 114-113; 129 Stat. 2962), by

        striking “Under Secretary appointed under section 103(a)(1)(H)

        of the Homeland Security Act of 2002 (6 U.S.C. 113(a)(1)(H))”

        and inserting “Director of Cybersecurity and Infrastructure

        Security of the Department”;

            (D) in section 222 (6 U.S.C. 1521)–

                (i) in paragraph (2)–

 

                    (I) by striking “section 228” and inserting

                “section 2210”; and

                    (II) by striking “, as added by section 223(a)(4)

                of this division”; and

 

                (ii) in paragraph (4)–

 

                    (I) by striking “section 227” and inserting

                “section 2209”; and

                    (II) by striking “, as so redesignated by section

                223(a)(3) of this division”;

 

            (E) in section 223(b) (6 U.S.C. 151 note)–

                (i) by striking “section 230(b)(1) of the Homeland

            Security Act of 2002, as added by subsection (a)” each

            place that term appears and inserting “section 2213(b)(1)

            of the Homeland Security Act of 2002”; and

                (ii) in paragraph (1)(B), by striking “section

            230(b)(2) of the Homeland Security Act of 2002, as added by

            subsection (a)” and inserting “section 2213(b)(2) of the

            Homeland Security Act of 2002”;

            (F) in section 226 (6 U.S.C. 1524)–

                (i) in subsection (a)–

 

                    (I) in paragraph (1)–

 

                        (aa) by striking “section 230” and inserting

                    “section 2213”; and

                        (bb) by striking “, as added by section

                    223(a)(6) of this division”;

 

                    (II) in paragraph (4)–

 

                        (aa) by striking “section 228(b)(1)” and

                    inserting “section 2210(b)(1)”; and

                        (bb) by striking “, as added by section

                    223(a)(4) of this division”; and

 

                    (III) in paragraph (5)–

 

                        (aa) by striking “section 230(b)” and

                    inserting “section 2213(b)”; and

                        (bb) by striking “, as added by section

                    223(a)(6) of this division”; and

                (ii) in subsection (c)(1)(A)(vi)–

 

                    (I) by striking “section 230(c)(5)” and inserting

                “section 2213(c)(5)”; and

                    (II) by striking “, as added by section 223(a)(6)

                of this division”;

 

            (G) in section 227 (6 U.S.C. 1525)–

                (i) in subsection (a)–

 

                    (I) by striking “section 230” and inserting

                “section 2213”; and

                    (II) by striking “, as added by section 223(a)(6)

                of this division,”; and

 

                (ii) in subsection (b)–

 

                    (I) by striking “section 230(d)(2)” and inserting

                “section 2213(d)(2)”; and

                    (II) by striking “, as added by section 223(a)(6)

                of this division,”; and

 

            (H) in section 404 (6 U.S.C. 1532)–

                (i) by striking “Director for Emergency

            Communications” each place that term appears and inserting

            “Assistant Director for Emergency Communications”; and

                (ii) in subsection (a)–

 

                    (I) by striking “section 227” and inserting

                “section 2209”; and

                    (II) by striking “, as redesignated by section

                223(a)(3) of this division,”.

 

        (2) Small business act.–Section 21(a)(8)(B) of the Small

    Business Act (15 U.S.C. 648(a)(8)(B)) is amended by striking

    “section 227(a) of the Homeland Security Act of 2002 (6 U.S.C.

    148(a))” and inserting “section 2209(a) of the Homeland Security

    Act of 2002”.

        (3) Title 5.–Subchapter II of chapter 53 of title 5, United

    States Code, is amended–

            (A) in section 5314, by inserting after “Under

        Secretaries, Department of Homeland Security.” the following:

        “Director, Cybersecurity and Infrastructure Security

    Agency.”; and

            (B) in section 5315, by inserting after “Assistant

        Secretaries, Department of Homeland Security.” the following:

        “Assistant Director for Cybersecurity, Cybersecurity and

    Infrastructure Security Agency.

        “Assistant Director for Infrastructure Security, Cybersecurity

    and Infrastructure Security Agency.”.

    (i) Table of Contents Amendments.–The table of contents in section

1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 116

Stat. 2135) is amended–

        (1) by striking the item relating to title II and inserting the

    following:

 

                   “TITLE II–INFORMATION ANALYSIS”;

 

        (2) by striking the item relating to subtitle A of title II and

    inserting the following:

 

    “Subtitle A–Information and Analysis; Access to Information”;

 

        (3) by striking the item relating to section 201 and inserting

    the following:

 

“Sec. 201. Information and analysis.”;

 

        (4) by striking the items relating to sections 210E and 210F

    and inserting the following:

 

“Sec. 210E. Classified Information Advisory Officer.”;

 

        (5) by striking the items relating to subtitle B of title II

    and sections 211 through 215;

        (6) by striking the items relating to section 223 through

    section 230;

        (7) by striking the item relating to subtitle C and inserting

    the following:

 

                  “Subtitle B–Information Security”;

 

        (8) by striking the item relating to subtitle D and inserting

    the following:

 

            “Subtitle C–Office of Science and Technology”;

 

        (9) by striking the items relating to sections 317, 319, 318,

    and 319 and inserting the following:

 

“Sec. 317. Promoting antiterrorism through international cooperation

          program.

“Sec. 318. Social media working group.

“Sec. 319. Transparency in research and development.

“Sec. 320. EMP and GMD mitigation research and development.”;

 

        (10) by striking the item relating to section 1801 and

    inserting the following:

 

“Sec. 1801. Emergency Communications Division.”; and

 

        (11) by adding at the end the following:

 

     “TITLE XXII–CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

 

         “Subtitle A–Cybersecurity and Infrastructure Security

 

“Sec. 2201. Definitions.

“Sec. 2202. Cybersecurity and Infrastructure Security Agency.

“Sec. 2203. Cybersecurity Division.

“Sec. 2204. Infrastructure Security Division.

“Sec. 2205. Enhancement of Federal and non-Federal cybersecurity.

“Sec. 2206. Net guard.

“Sec. 2207. Cyber Security Enhancement Act of 2002.

“Sec. 2208. Cybersecurity recruitment and retention.

“Sec. 2209. National cybersecurity and communications integration

          center.

“Sec. 2210. Cybersecurity plans.

“Sec. 2211. Cybersecurity strategy.

“Sec. 2212. Clearances.

“Sec. 2213. Federal intrusion detection and prevention system.

“Sec. 2214. National Asset Database.

 

            “Subtitle B–Critical Infrastructure Information

 

“Sec. 2221. Short title.

“Sec. 2222. Definitions.

“Sec. 2223. Designation of critical infrastructure protection program.

“Sec. 2224. Protection of voluntarily shared critical infrastructure

          information.

“Sec. 2225. No private right of action.”.

SEC. 3. TRANSFER OF OTHER ENTITIES.

    (a) Office of Biometric Identity Management.–The Office of

Biometric Identity Management of the Department of Homeland Security

located in the National Protection and Programs Directorate of the

Department of Homeland Security on the day before the date of enactment

of this Act is hereby transferred to the Management Directorate of the

Department.

    (b) Federal Protective Service.–

        (1) In general.–Not later than 90 days after the completion of

    the Government Accountability Office review of the organizational

    placement of the Federal Protective Service (authorized under

    section 1315 of title 40, United States Code), the Secretary of

    Homeland Security shall determine the appropriate placement of the

    Service within the Department of Homeland Security and commence the

    transfer of the Service to such component, directorate, or other

    office of the Department that the Secretary so determines

    appropriate.

        (2) Exception.–If the Secretary of Homeland Security

    determines pursuant to paragraph (1) that no component,

    directorate, or other office of the Department of Homeland Security

    is an appropriate placement for the Federal Protective Service, the

    Secretary shall–

            (A) provide to the Committee on Homeland Security and the

        Committee on Transportation and Infrastructure of the House of

        Representatives and the Committee on Homeland Security and

        Governmental Affairs of the Senate and the Office of Management

        and Budget a detailed explanation, in writing, of the reason

        for such determination that includes–

                (i) information on how the Department considered the

            Government Accountability Office review described in such

            paragraph;

                (ii) a list of the components, directorates, or other

            offices of the Department that were considered for such

            placement; and

                (iii) information on why each such component,

            directorate, or other office of the Department was

            determined to not be an appropriate placement for the

            Service;

            (B) not later than 120 days after the completion of the

        Government Accountability Office review described in such

        paragraph, develop and submit to the committees specified in

        subparagraph (A) and the Office of Management and Budget a plan

        to coordinate with other appropriate Federal agencies,

        including the General Services Administration, to determine a

        more appropriate placement for the Service; and

            (C) not later than 180 days after the completion of such

        Government Accountability Office review, submit to such

        committees and the Office of Management and Budget a

        recommendation regarding the appropriate placement of the

        Service within the executive branch of the Federal Government.

SEC. 4. DHS REPORT ON CLOUD-BASED CYBERSECURITY.

    (a) Definition.–In this section, the term “Department” means the

Department of Homeland Security.

    (b) Report.–Not later than 120 days after the date of enactment of

this Act, the Secretary of Homeland Security, in coordination with the

Director of the Office of Management and Budget and the Administrator

of General Services, shall submit to the Committee on Homeland Security

and Governmental Affairs of the Senate and the Committee on Oversight

and Government Reform and the Committee on Homeland Security of the

House of Representatives a report on the leadership role of the

Department in cloud-based cybersecurity deployments for civilian

Federal departments and agencies, which shall include–

        (1) information on the plan of the Department for ensuring

    access to a security operations center as a service capability in

    accordance with the December 19, 2017 Report to the President on

    Federal IT Modernization issued by the American Technology Council;

        (2) information on what service capabilities under paragraph

    (1) the Department will prioritize, including–

            (A) criteria the Department will use to evaluate

        capabilities offered by the private sector; and

            (B) how Federal government- and private sector-provided

        capabilities will be integrated to enable visibility and

        consistency of such capabilities across all cloud and on

        premise environments, as called for in the report described in

        paragraph (1); and

        (3) information on how the Department will adapt the current

    capabilities of, and future enhancements to, the intrusion

    detection and prevention system of the Department and the

    Continuous Diagnostics and Mitigation Program of the Department to

    secure civilian Federal government networks in a cloud environment.

SEC. 5. RULE OF CONSTRUCTION.

    Nothing in this Act or an amendment made by this Act may be

construed as–

        (1) conferring new authorities to the Secretary of Homeland

    Security, including programmatic, regulatory, or enforcement

    authorities, outside of the authorities in existence on the day

    before the date of enactment of this Act;

        (2) reducing or limiting the programmatic, regulatory, or

    enforcement authority vested in any other Federal agency by

    statute; or

        (3) affecting in any manner the authority, existing on the day

    before the date of enactment of this Act, of any other Federal

    agency or component of the Department of Homeland Security.

SEC. 6. PROHIBITION ON ADDITIONAL FUNDING.

    No additional funds are authorized to be appropriated to carry out

this Act or the amendments made by this Act. This Act and the

amendments made by this Act shall be carried out using amounts

otherwise authorized.

contact us

We look forward to connecting!