SEC. 108. CONSTRUCTION AND PREEMPTION.
       (a) Otherwise Lawful Disclosures.--Nothing in this title 
     shall be construed--
       (1) to limit or prohibit otherwise lawful disclosures of 
     communications, records, or other information, including 
     reporting of known or suspected criminal activity, by an 
     entity to any other entity or the Federal Government under 
     this title; or
       (2) to limit or prohibit otherwise lawful use of such 
     disclosures by any Federal entity, even when such otherwise 
     lawful disclosures duplicate or replicate disclosures made 
     under this title.
       (b) Whistle Blower Protections.--Nothing in this title 
     shall be construed to prohibit or limit the disclosure of 
     information protected under section 2302(b)(8) of title 5, 
     United States Code (governing disclosures of illegality, 
     waste, fraud, abuse, or public health or safety threats), 
     section 7211 of title 5, United States Code (governing 
     disclosures to Congress), section 1034 of title 10, United 
     States Code (governing disclosure to Congress by members of 
     the military), section 1104 of the National Security Act of 
     1947 (50 U.S.C. 3234) (governing disclosure by employees of 
     elements of the intelligence community), or any similar 
     provision of Federal or State law.
       (c) Protection of Sources and Methods.--Nothing in this 
     title shall be construed--
       (1) as creating any immunity against, or otherwise 
     affecting, any action brought by the Federal Government, or 
     any agency or department thereof, to enforce any law, 
     executive order, or procedure governing the appropriate 
     handling, disclosure, or use of classified information;
       (2) to affect the conduct of authorized law enforcement or 
     intelligence activities; or
       (3) to modify the authority of a department or agency of 
     the Federal Government to protect classified information and 
     sources and methods and the national security of the United 
     States.
       (d) Relationship to Other Laws.--Nothing in this title 
     shall be construed to affect any requirement under any other 
     provision of law for an entity to provide information to the 
     Federal Government.
       (e) Prohibited Conduct.--Nothing in this title shall be 
     construed to permit price-fixing, allocating a market between 
     competitors, monopolizing or attempting to monopolize a 
     market, boycotting, or exchanges of price or cost 
     information, customer lists, or information regarding future 
     competitive planning.
       (f) Information Sharing Relationships.--Nothing in this 
     title shall be construed--
       (1) to limit or modify an existing information sharing 
     relationship;
       (2) to prohibit a new information sharing relationship;
       (3) to require a new information sharing relationship 
     between any entity and another entity or a Federal entity; or
       (4) to require the use of the capability and process within 
     the Department of Homeland Security developed under section 
     105(c).
       (g) Preservation of Contractual Obligations and Rights.--
     Nothing in this title shall be construed--
       (1) to amend, repeal, or supersede any current or future 
     contractual agreement, terms of service agreement, or other 
     contractual relationship between any entities, or between any 
     entity and a Federal entity; or
       (2) to abrogate trade secret or intellectual property 
     rights of any entity or Federal entity.
       (h) Anti-tasking Restriction.--Nothing in this title shall 
     be construed to permit a Federal entity--
       (1) to require an entity to provide information to a 
     Federal entity or another entity;
       (2) to condition the sharing of cyber threat indicators 
     with an entity on such entity's provision of cyber threat 
     indicators to a Federal entity or another entity; or
       (3) to condition the award of any Federal grant, contract, 
     or purchase on the provision of a cyber threat indicator to a 
     Federal entity or another entity.
       (i) No Liability for Non-participation.--Nothing in this 
     title shall be construed to subject any entity to liability 
     for choosing not to engage in the voluntary activities 
     authorized in this title.
       (j) Use and Retention of Information.--Nothing in this 
     title shall be construed to authorize, or to modify any 
     existing authority of, a department or agency of the Federal 
     Government to retain or use any information shared under this 
     title for any use other than permitted in this title.
       (k) Federal Preemption.--
       (1) In general.--This title supersedes any statute or other 
     provision of law of a State or political subdivision of a 
     State that restricts or otherwise expressly regulates an 
     activity authorized under this title.
       (2) State law enforcement.--Nothing in this title shall be 
     construed to supersede any statute or other provision of law 
     of a State or political subdivision of a State concerning the 
     use of authorized law enforcement practices and procedures.
       (l) Regulatory Authority.--Nothing in this title shall be 
     construed--
       (1) to authorize the promulgation of any regulations not 
     specifically authorized by this title;
       (2) to establish or limit any regulatory authority not 
     specifically established or limited under this title; or
       (3) to authorize regulatory actions that would duplicate or 
     conflict with regulatory requirements, mandatory standards, 
     or related processes under another provision of Federal law.
       (m) Authority of Secretary of Defense To Respond to Cyber 
     Attacks.--Nothing in this title shall be construed to limit 
     the authority of the Secretary of Defense to develop, 
     prepare, coordinate, or, when authorized by the President to 
     do so, conduct a military cyber operation in response to a 
     malicious cyber activity carried out against the United 
     States or a United States person by a foreign government or 
     an organization sponsored by a foreign government or a 
     terrorist organization.

     SEC. 109. REPORT ON CYBERSECURITY THREATS.

       (a) Report Required.--Not later than 180 days after the 
     date of the enactment of this Act, the Director of National 
     Intelligence, in coordination with the heads of other 
     appropriate elements of the intelligence community, shall 
     submit to the Select Committee on Intelligence of the Senate 
     and the Permanent Select Committee on Intelligence of the 
     House of Representatives a report on cybersecurity threats, 
     including cyber attacks, theft, and data breaches.
       (b) Contents.--The report required by subsection (a) shall 
     include the following:
       (1) An assessment of the current intelligence sharing and 
     cooperation relationships of the United States with other 
     countries regarding cybersecurity threats, including cyber 
     attacks, theft, and data breaches, directed against the 
     United States and which threaten the United States national 
     security interests and economy and intellectual property, 
     specifically identifying the relative utility of such 
     relationships, which elements of the intelligence community 
     participate in such relationships, and whether and how such 
     relationships could be improved.
       (2) A list and an assessment of the countries and nonstate 
     actors that are the primary threats of carrying out a 
     cybersecurity threat, including a cyber attack, theft, or 
     data breach, against the United States and which threaten the 
     United States national security, economy, and intellectual 
     property.
       (3) A description of the extent to which the capabilities 
     of the United States Government to respond to or prevent 
     cybersecurity threats, including cyber attacks, theft, or 
     data breaches, directed against the United States private 
     sector are degraded by a delay in the prompt notification by 
     private entities of such threats or cyber attacks, theft, and 
     breaches.
       (4) An assessment of additional technologies or 
     capabilities that would enhance the ability of the United 
     States to prevent and to respond to cybersecurity threats, 
     including cyber attacks, theft, and data breaches.
       (5) An assessment of any technologies or practices utilized 
     by the private sector that could be rapidly fielded to assist 
     the intelligence community in preventing and responding to 
     cybersecurity threats.
       (c) Additional Report.--At the time the report required by 
     subsection (a) is submitted, the Director of National 
     Intelligence shall submit to the Committee on Foreign 
     Relations of the Senate and the Committee on Foreign Affairs 
     of the House of Representatives a report containing the 
     information required by subsection (b)(2).
       (d) Form of Report.--The report required by subsection (a) 
     shall be made available in classified and unclassified forms.
       (e) Intelligence Community Defined.--In this section, the 
     term ``intelligence community'' has the meaning given that 
     term in section 3 of the National Security Act of 1947 (50 
     U.S.C. 3003).

     SEC. 110. CONFORMING AMENDMENT.

       Section 941(c)(3) of the National Defense Authorization Act 
     for Fiscal Year 2013 (Public Law 112-239; 10 U.S.C. 2224 
     note) is amended by inserting at the end the following: ``The 
     Secretary may share such information with other Federal 
     entities if such information consists of cyber threat 
     indicators and defensive measures and such information is 
     shared consistent with the policies and procedures 
     promulgated by the Attorney General and the Secretary of 
     Homeland Security under section 105 of the Cybersecurity 
     Information Sharing Act of 2015.''.

              TITLE II--FEDERAL CYBERSECURITY ENHANCEMENT

     SEC. 201. SHORT TITLE.

       This title may be cited as the ``Federal Cybersecurity 
     Enhancement Act of 2015''.

     SEC. 202. DEFINITIONS.

       In this title--
       (1) the term ``agency'' has the meaning given the term in 
     section 3502 of title 44, United States Code;
       (2) the term ``agency information system'' has the meaning 
     given the term in section 228 of the Homeland Security Act of 
     2002, as added by section 203(a);
       (3) the term ``appropriate congressional committees'' 
     means--
       (A) the Committee on Homeland Security and Governmental 
     Affairs of the Senate; and
       (B) the Committee on Homeland Security of the House of 
     Representatives;
       (4) the terms ``cybersecurity risk'' and ``information 
     system'' have the meanings given those terms in section 227 
     of the Homeland Security Act of 2002, as so redesignated by 
     section 203(a);
       (5) the term ``Director'' means the Director of the Office 
     of Management and Budget;
       (6) the term ``intelligence community'' has the meaning 
     given the term in section 3(4) of the National Security Act 
     of 1947 (50 U.S.C. 3003(4));

[[Page S7528]]

       (7) the term ``national security system'' has the meaning 
     given the term in section 11103 of title 40, United States 
     Code; and
       (8) the term ``Secretary'' means the Secretary of Homeland 
     Security.

     SEC. 203. IMPROVED FEDERAL NETWORK SECURITY.

       (a) In General.--Subtitle C of title II of the Homeland 
     Security Act of 2002 (6 U.S.C. 141 et seq.) is amended--
       (1) by redesignating section 228 as section 229;
       (2) by redesignating section 227 as subsection (c) of 
     section 228, as added by paragraph (4), and adjusting the 
     margins accordingly;
       (3) by redesignating the second section designated as 
     section 226 (relating to the national cybersecurity and 
     communications integration center) as section 227;
       (4) by inserting after section 227, as so redesignated, the 
     following:

     ``SEC. 228. CYBERSECURITY PLANS.

       ``(a) Definitions.--In this section--
       ``(1) the term `agency information system' means an 
     information system used or operated by an agency or by 
     another entity on behalf of an agency;
       ``(2) the terms `cybersecurity risk' and `information 
     system' have the meanings given those terms in section 227;
       ``(3) the term `intelligence community' has the meaning 
     given the term in section 3(4) of the National Security Act 
     of 1947 (50 U.S.C. 3003(4)); and
       ``(4) the term `national security system' has the meaning 
     given the term in section 11103 of title 40, United States 
     Code.
       ``(b) Intrusion Assessment Plan.--
       ``(1) Requirement.--The Secretary, in coordination with the 
     Director of the Office of Management and Budget, shall 
     develop and implement an intrusion assessment plan to 
     identify and remove intruders in agency information systems.
       ``(2) Exception.--The intrusion assessment plan required 
     under paragraph (1) shall not apply to the Department of 
     Defense, a national security system, or an element of the 
     intelligence community.'';
       (5) in section 228(c), as so redesignated, by striking 
     ``section 226'' and inserting ``section 227''; and
       (6) by inserting after section 229, as so redesignated, the 
     following:

     ``SEC. 230. FEDERAL INTRUSION DETECTION AND PREVENTION 
                   SYSTEM.

       ``(a) Definitions.--In this section--
       ``(1) the term `agency' has the meaning given that term in 
     section 3502 of title 44, United States Code;
       ``(2) the term `agency information' means information 
     collected or maintained by or on behalf of an agency;
       ``(3) the term `agency information system' has the meaning 
     given the term in section 228; and
       ``(4) the terms `cybersecurity risk' and `information 
     system' have the meanings given those terms in section 227.
       ``(b) Requirement.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of this section, the Secretary shall deploy, 
     operate, and maintain, to make available for use by any 
     agency, with or without reimbursement--
       ``(A) a capability to detect cybersecurity risks in network 
     traffic transiting or traveling to or from an agency 
     information system; and
       ``(B) a capability to prevent network traffic associated 
     with such cybersecurity risks from transiting or traveling to 
     or from an agency information system or modify such network 
     traffic to remove the cybersecurity risk.
       ``(2) Regular improvement.--The Secretary shall regularly 
     deploy new technologies and modify existing technologies to 
     the intrusion detection and prevention capabilities described 
     in paragraph (1) as appropriate to improve the intrusion 
     detection and prevention capabilities.
       ``(c) Activities.--In carrying out subsection (b), the 
     Secretary--
       ``(1) may access, and the head of an agency may disclose to 
     the Secretary or a private entity providing assistance to the 
     Secretary under paragraph (2), information transiting or 
     traveling to or from an agency information system, regardless 
     of the location from which the Secretary or a private entity 
     providing assistance to the Secretary under paragraph (2) 
     accesses such information, notwithstanding any other 
     provision of law that would otherwise restrict or prevent the 
     head of an agency from disclosing such information to the 
     Secretary or a private entity providing assistance to the 
     Secretary under paragraph (2);
       ``(2) may enter into contracts or other agreements with, or 
     otherwise request and obtain the assistance of, private 
     entities to deploy and operate technologies in accordance 
     with subsection (b);
       ``(3) may retain, use, and disclose information obtained 
     through the conduct of activities authorized under this 
     section only to protect information and information systems 
     from cybersecurity risks;
       ``(4) shall regularly assess through operational test and 
     evaluation in real world or simulated environments available 
     advanced protective technologies to improve detection and 
     prevention capabilities, including commercial and non-
     commercial technologies and detection technologies beyond 
     signature-based detection, and utilize such technologies when 
     appropriate;
       ``(5) shall establish a pilot to acquire, test, and deploy, 
     as rapidly as possible, technologies described in paragraph 
     (4);
       ``(6) shall periodically update the privacy impact 
     assessment required under section 208(b) of the E-Government 
     Act of 2002 (44 U.S.C. 3501 note); and
       ``(7) shall ensure that--
       ``(A) activities carried out under this section are 
     reasonably necessary for the purpose of protecting agency 
     information and agency information systems from a 
     cybersecurity risk;
       ``(B) information accessed by the Secretary will be 
     retained no longer than reasonably necessary for the purpose 
     of protecting agency information and agency information 
     systems from a cybersecurity risk;
       ``(C) notice has been provided to users of an agency 
     information system concerning access to communications of 
     users of the agency information system for the purpose of 
     protecting agency information and the agency information 
     system; and
       ``(D) the activities are implemented pursuant to policies 
     and procedures governing the operation of the intrusion 
     detection and prevention capabilities.
       ``(d) Private Entities.--
       ``(1) Conditions.--A private entity described in subsection 
     (c)(2) may not--
       ``(A) disclose any network traffic transiting or traveling 
     to or from an agency information system to any entity without 
     the consent of the Department or the agency that disclosed 
     the information under subsection (c)(1); or
       ``(B) use any network traffic transiting or traveling to or 
     from an agency information system to which the private entity 
     gains access in accordance with this section for any purpose 
     other than to protect agency information and agency 
     information systems against cybersecurity risks or to 
     administer a contract or other agreement entered into 
     pursuant to subsection (c)(2) or as part of another contract 
     with the Secretary.
       ``(2) Limitation on liability.--No cause of action shall 
     lie in any court against a private entity for assistance 
     provided to the Secretary in accordance with this section and 
     any contract or agreement entered into pursuant to subsection 
     (c)(2).
       ``(3) Rule of construction.--Nothing in paragraph (2) shall 
     be construed to authorize an Internet service provider to 
     break a user agreement with a customer without the consent of 
     the customer.
       ``(e) Attorney General Review.--Not later than 1 year after 
     the date of enactment of this section, the Attorney General 
     shall review the policies and guidelines for the program 
     carried out under this section to ensure that the policies 
     and guidelines are consistent with applicable law governing 
     the acquisition, interception, retention, use, and disclosure 
     of communications.''.
       (b) Prioritizing Advanced Security Tools.--The Director and 
     the Secretary, in consultation with appropriate agencies, 
     shall--
       (1) review and update governmentwide policies and programs 
     to ensure appropriate prioritization and use of network 
     security monitoring tools within agency networks; and
       (2) brief appropriate congressional committees on such 
     prioritization and use.
       (c) Agency Responsibilities.--
       (1) In general.--Except as provided in paragraph (2)--
       (A) not later than 1 year after the date of enactment of 
     this Act or 2 months after the date on which the Secretary 
     makes available the intrusion detection and prevention 
     capabilities under section 230(b)(1) of the Homeland Security 
     Act of 2002, as added by subsection (a), whichever is later, 
     the head of each agency shall apply and continue to utilize 
     the capabilities to all information traveling between an 
     agency information system and any information system other 
     than an agency information system; and
       (B) not later than 6 months after the date on which the 
     Secretary makes available improvements to the intrusion 
     detection and prevention capabilities pursuant to section 
     230(b)(2) of the Homeland Security Act of 2002, as added by 
     subsection (a), the head of each agency shall apply and 
     continue to utilize the improved intrusion detection and 
     prevention capabilities.
       (2) Exception.--The requirements under paragraph (1) shall 
     not apply to the Department of Defense, a national security 
     system, or an element of the intelligence community.
       (3) Definition.--In this subsection only, the term ``agency 
     information system'' means an information system owned or 
     operated by an agency.
       (4) Rule of construction.--Nothing in this subsection shall 
     be construed to limit an agency from applying the intrusion 
     detection and prevention capabilities under section 230(b)(1) 
     of the Homeland Security Act of 2002, as added by subsection 
     (a), at the discretion of the head of the agency or as 
     provided in relevant policies, directives, and guidelines.
       (d) Table of Contents Amendment.--The table of contents in 
     section 1(b) of the Homeland Security Act of 2002 (6 U.S.C. 
     101 note) is amended by striking the items relating to the 
     first section designated as section 226, the second section 
     designated as section 226 (relating to the national 
     cybersecurity and communications integration center), section 
     227, and section 228 and inserting the following:

``Sec. 226. Cybersecurity recruitment and retention.
``Sec. 227. National cybersecurity and communications integration 
              center.

[[Page S7529]]

``Sec. 228. Cybersecurity plans.
``Sec. 229. Clearances.
``Sec. 230. Federal intrusion detection and prevention system.''.


     SEC. 204. ADVANCED INTERNAL DEFENSES.

       (a) Advanced Network Security Tools.--
       (1) In general.--The Secretary shall include in the 
     Continuous Diagnostics and Mitigation Program advanced 
     network security tools to improve visibility of network 
     activity, including through the use of commercial and free or 
     open source tools, to detect and mitigate intrusions and 
     anomalous activity.
       (2) Development of plan.--The Director shall develop and 
     implement a plan to ensure that each agency utilizes advanced 
     network security tools, including those described in 
     paragraph (1), to detect and mitigate intrusions and 
     anomalous activity.
       (b) Improved Metrics.--The Secretary, in collaboration with 
     the Director, shall review and update the metrics used to 
     measure security under section 3554 of title 44, United 
     States Code, to include measures of intrusion and incident 
     detection and response times.
       (c) Transparency and Accountability.--The Director, in 
     consultation with the Secretary, shall increase transparency 
     to the public on agency cybersecurity posture, including by 
     increasing the number of metrics available on Federal 
     Government performance websites and, to the greatest extent 
     practicable, displaying metrics for department components, 
     small agencies, and micro agencies.
       (d) Maintenance of Technologies.--Section 3553(b)(6)(B) of 
     title 44, United States Code, is amended by inserting ``, 
     operating, and maintaining'' after ``deploying''.
       (e) Exception.--The requirements under this section shall 
     not apply to the Department of Defense, a national security 
     system, or an element of the intelligence community.

     SEC. 205. FEDERAL CYBERSECURITY REQUIREMENTS.

       (a) Implementation of Federal Cybersecurity Standards.--
     Consistent with section 3553 of title 44, United States Code, 
     the Secretary, in consultation with the Director, shall 
     exercise the authority to issue binding operational 
     directives to assist the Director in ensuring timely agency 
     adoption of and compliance with policies and standards 
     promulgated under section 11331 of title 40, United States 
     Code, for securing agency information systems.
       (b) Cybersecurity Requirements at Agencies.--
       (1) In general.--Consistent with policies, standards, 
     guidelines, and directives on information security under 
     subchapter II of chapter 35 of title 44, United States Code, 
     and the standards and guidelines promulgated under section 
     11331 of title 40, United States Code, and except as provided 
     in paragraph (2), not later than 1 year after the date of the 
     enactment of this Act, the head of each agency shall--
       (A) identify sensitive and mission critical data stored by 
     the agency consistent with the inventory required under the 
     first subsection (c) (relating to the inventory of major 
     information systems) and the second subsection (c) (relating 
     to the inventory of information systems) of section 3505 of 
     title 44, United States Code;
       (B) assess access controls to the data described in 
     subparagraph (A), the need for readily accessible storage of 
     the data, and individuals' need to access the data;
       (C) encrypt or otherwise render indecipherable to 
     unauthorized users the data described in subparagraph (A) 
     that is stored on or transiting agency information systems;
       (D) implement a single sign-on trusted identity platform 
     for individuals accessing each public website of the agency 
     that requires user authentication, as developed by the 
     Administrator of General Services in collaboration with the 
     Secretary; and
       (E) implement identity management consistent with section 
     504 of the Cybersecurity Enhancement Act of 2014 (Public Law 
     113-274; 15 U.S.C. 7464), including multi-factor 
     authentication, for--
       (i) remote access to an agency information system; and
       (ii) each user account with elevated privileges on an 
     agency information system.
       (2) Exception.--The requirements under paragraph (1) shall 
     not apply to an agency information system for which--
       (A) the head of the agency has personally certified to the 
     Director with particularity that--
       (i) operational requirements articulated in the 
     certification and related to the agency information system 
     would make it excessively burdensome to implement the 
     cybersecurity requirement;
       (ii) the cybersecurity requirement is not necessary to 
     secure the agency information system or agency information 
     stored on or transiting it; and
       (iii) the agency has taken all necessary steps to secure 
     the agency information system and agency information stored 
     on or transiting it; and
       (B) the head of the agency or the designee of the head of 
     the agency has submitted the certification described in 
     subparagraph (A) to the appropriate congressional committees 
     and the agency's authorizing committees.
       (3) Construction.--Nothing in this section shall be 
     construed to alter the authority of the Secretary, the 
     Director, or the Director of the National Institute of 
     Standards and Technology in implementing subchapter II of 
     chapter 35 of title 44, United States Code. Nothing in this 
     section shall be construed to affect the National Institute 
     of Standards and Technology standards process or the 
     requirement under section 3553(a)(4) of such title or to 
     discourage continued improvements and advancements in the 
     technology, standards, policies, and guidelines used to 
     promote Federal information security.
       (c) Exception.--The requirements under this section shall 
     not apply to the Department of Defense, a national security 
     system, or an element of the intelligence community.

     SEC. 206. ASSESSMENT; REPORTS.

       (a) Definitions.--In this section--
       (1) the term ``intrusion assessments'' means actions taken 
     under the intrusion assessment plan to identify and remove 
     intruders in agency information systems;
       (2) the term ``intrusion assessment plan'' means the plan 
     required under section 228(b)(1) of the Homeland Security Act 
     of 2002, as added by section 203(a) of this Act; and
       (3) the term ``intrusion detection and prevention 
     capabilities'' means the capabilities required under section 
     230(b) of the Homeland Security Act of 2002, as added by 
     section 203(a) of this Act.
       (b) Third Party Assessment.--Not later than 3 years after 
     the date of enactment of this Act, the Government 
     Accountability Office shall conduct a study and publish a 
     report on the effectiveness of the approach and strategy of 
     the Federal Government to securing agency information 
     systems, including the intrusion detection and prevention 
     capabilities and the intrusion assessment plan.
       (c) Reports to Congress.--
       (1) Intrusion detection and prevention capabilities.--
       (A) Secretary of homeland security report.--Not later than 
     6 months after the date of enactment of this Act, and 
     annually thereafter, the Secretary shall submit to the 
     appropriate congressional committees a report on the status 
     of implementation of the intrusion detection and prevention 
     capabilities, including--
       (i) a description of privacy controls;
       (ii) a description of the technologies and capabilities 
     utilized to detect cybersecurity risks in network traffic, 
     including the extent to which those technologies and 
     capabilities include existing commercial and non-commercial 
     technologies;
       (iii) a description of the technologies and capabilities 
     utilized to prevent network traffic associated with 
     cybersecurity risks from transiting or traveling to or from 
     agency information systems, including the extent to which 
     those technologies and capabilities include existing 
     commercial and non-commercial technologies;
       (iv) a list of the types of indicators or other identifiers 
     or techniques used to detect cybersecurity risks in network 
     traffic transiting or traveling to or from agency information 
     systems on each iteration of the intrusion detection and 
     prevention capabilities and the number of each such type of 
     indicator, identifier, and technique;
       (v) the number of instances in which the intrusion 
     detection and prevention capabilities detected a 
     cybersecurity risk in network traffic transiting or traveling 
     to or from agency information systems and the number of times 
     the intrusion detection and prevention capabilities blocked 
     network traffic associated with cybersecurity risk; and
       (vi) a description of the pilot established under section 
     230(c)(5) of the Homeland Security Act of 2002, as added by 
     section 203(a) of this Act, including the number of new 
     technologies tested and the number of participating agencies.
       (B) OMB report.--Not later than 18 months after the date of 
     enactment of this Act, and annually thereafter, the Director 
     shall submit to Congress, as part of the report required 
     under section 3553(c) of title 44, United States Code, an 
     analysis of agency application of the intrusion detection and 
     prevention capabilities, including--
       (i) a list of each agency and the degree to which each 
     agency has applied the intrusion detection and prevention 
     capabilities to an agency information system; and
       (ii) a list by agency of--

       (I) the number of instances in which the intrusion 
     detection and prevention capabilities detected a 
     cybersecurity risk in network traffic transiting or traveling 
     to or from an agency information system and the types of 
     indicators, identifiers, and techniques used to detect such 
     cybersecurity risks; and
       (II) the number of instances in which the intrusion 
     detection and prevention capabilities prevented network 
     traffic associated with a cybersecurity risk from transiting 
     or traveling to or from an agency information system and the 
     types of indicators, identifiers, and techniques used to 
     detect such agency information systems.

       (2) OMB report on development and implementation of 
     intrusion assessment plan, advanced internal defenses, and 
     federal cybersecurity best practices.--The Director shall--
       (A) not later than 6 months after the date of enactment of 
     this Act, and 30 days after any update thereto, submit the 
     intrusion assessment plan to the appropriate congressional 
     committees;
       (B) not later than 1 year after the date of enactment of 
     this Act, and annually thereafter, submit to Congress, as 
     part of the report required under section 3553(c) of title 
     44, United States Code--

[[Page S7530]]

       (i) a description of the implementation of the intrusion 
     assessment plan;
       (ii) the findings of the intrusion assessments conducted 
     pursuant to the intrusion assessment plan;
       (iii) advanced network security tools included in the 
     Continuous Diagnostics and Mitigation Program pursuant to 
     section 204(a)(1);
       (iv) the results of the assessment of the Secretary of best 
     practices for Federal cybersecurity pursuant to section 
     205(a); and
       (v) a list by agency of compliance with the requirements of 
     section 205(b); and
       (C) not later than 1 year after the date of enactment of 
     this Act, submit to the appropriate congressional 
     committees--
       (i) a copy of the plan developed pursuant to section 
     204(a)(2); and
       (ii) the improved metrics developed pursuant to section 
     204(b).

     SEC. 207. TERMINATION.

       (a) In General.--The authority provided under section 230 
     of the Homeland Security Act of 2002, as added by section 
     203(a) of this Act, and the reporting requirements under 
     section 206(c) shall terminate on the date that is 7 years 
     after the date of enactment of this Act.
       (b) Rule of Construction.--Nothing in subsection (a) shall 
     be construed to affect the limitation of liability of a 
     private entity for assistance provided to the Secretary under 
     section 230(d)(2) of the Homeland Security Act of 2002, as 
     added by section 203(a) of this Act, if such assistance was 
     rendered before the termination date under subsection (a) or 
     otherwise during a period in which the assistance was 
     authorized.

     SEC. 208. IDENTIFICATION OF INFORMATION SYSTEMS RELATING TO 
                   NATIONAL SECURITY.

       (a) In General.--Except as provided in subsection (c), not 
     later than 180 days after the date of enactment of this Act--
       (1) the Director of National Intelligence and the Director 
     of the Office of Management and Budget, in coordination with 
     the heads of other agencies, shall--
       (A) identify all unclassified information systems that 
     provide access to information that may provide an adversary 
     with the ability to derive information that would otherwise 
     be considered classified;
       (B) assess the risks that would result from the breach of 
     each unclassified information system identified in 
     subparagraph (A); and
       (C) assess the cost and impact on the mission carried out 
     by each agency that owns an unclassified information system 
     identified in subparagraph (A) if the system were to be 
     subsequently designated as a national security system; and
       (2) the Director of National Intelligence and the Director 
     of the Office of Management and Budget shall submit to the 
     appropriate congressional committees, the Select Committee on 
     Intelligence of the Senate, and the Permanent Select 
     Committee on Intelligence of the House of Representatives a 
     report that includes the findings under paragraph (1).
       (b) Form.--The report submitted under subsection (a)(2) 
     shall be in unclassified form, and shall include a classified 
     annex.
       (c) Exception.--The requirements under subsection (a)(1) 
     shall not apply to the Department of Defense, a national 
     security system, or an element of the intelligence community.
       (d) Rule of Construction.--Nothing in this section shall be 
     construed to designate an information system as a national 
     security system.

     SEC. 209. DIRECTION TO AGENCIES.

       (a) In General.--Section 3553 of title 44, United States 
     Code, is amended by adding at the end the following:
       ``(h) Direction to Agencies.--
       ``(1) Authority.--
       ``(A) In general.--Subject to subparagraph (B), in response 
     to a known or reasonably suspected information security 
     threat, vulnerability, or incident that represents a 
     substantial threat to the information security of an agency, 
     the Secretary may issue an emergency directive to the head of 
     an agency to take any lawful action with respect to the 
     operation of the information system, including such systems 
     used or operated by another entity on behalf of an agency, 
     that collects, processes, stores, transmits, disseminates, or 
     otherwise maintains agency information, for the purpose of 
     protecting the information system from, or mitigating, an 
     information security threat.
       ``(B) Exception.--The authorities of the Secretary under 
     this subsection shall not apply to a system described 
     subsection (d) or to a system described in paragraph (2) or 
     (3) of subsection (e).
       ``(2) Procedures for use of authority.--The Secretary 
     shall--
       ``(A) in coordination with the Director, establish 
     procedures governing the circumstances under which a 
     directive may be issued under this subsection, which shall 
     include--
       ``(i) thresholds and other criteria;
       ``(ii) privacy and civil liberties protections; and
       ``(iii) providing notice to potentially affected third 
     parties;
       ``(B) specify the reasons for the required action and the 
     duration of the directive;
       ``(C) minimize the impact of a directive under this 
     subsection by--
       ``(i) adopting the least intrusive means possible under the 
     circumstances to secure the agency information systems; and
       ``(ii) limiting directives to the shortest period 
     practicable;
       ``(D) notify the Director and the head of any affected 
     agency immediately upon the issuance of a directive under 
     this subsection;
       ``(E) consult with the Director of the National Institute 
     of Standards and Technology regarding any directive under 
     this subsection that implements standards and guidelines 
     developed by the National Institute of Standards and 
     Technology;
       ``(F) ensure that directives issued under this subsection 
     do not conflict with the standards and guidelines issued 
     under section 11331 of title 40;
       ``(G) consider any applicable standards or guidelines 
     developed by the National Institute of Standards and issued 
     by the Secretary of Commerce under section 11331 of title 40; 
     and
       ``(H) not later than February 1 of each year, submit to the 
     appropriate congressional committees a report regarding the 
     specific actions the Secretary has taken pursuant to 
     paragraph (1)(A).
       ``(3) Imminent threats.--
       ``(A) In general.--Notwithstanding section 3554, the 
     Secretary may authorize the intrusion detection and 
     prevention capabilities under section 230(b)(1) of the 
     Homeland Security Act of 2002 for the purpose of ensuring the 
     security of agency information systems, if--
       ``(i) the Secretary determines there is an imminent threat 
     to agency information systems;
       ``(ii) the Secretary determines a directive under 
     subsection (b)(2)(C) or paragraph (1)(A) is not reasonably 
     likely to result in a timely response to the threat;
       ``(iii) the Secretary determines the risk posed by the 
     imminent threat outweighs any adverse consequences reasonably 
     expected to result from the use of protective capabilities 
     under the control of the Secretary;
       ``(iv) the Secretary provides prior notice to the Director, 
     and the head and chief information officer (or equivalent 
     official) of each agency to which specific actions will be 
     taken pursuant to subparagraph (A), and notifies the 
     appropriate congressional committees and authorizing 
     committees of each such agencies within seven days of taking 
     an action under this subsection of--

       ``(I) any action taken under this subsection; and
       ``(II) the reasons for and duration and nature of the 
     action;

       ``(v) the action of the Secretary is consistent with 
     applicable law; and
       ``(vi) the Secretary authorizes the use of protective 
     capabilities in accordance with the advance procedures 
     established under subparagraph (C).
       ``(B) Limitation on delegation.--The authority under this 
     subsection may not be delegated by the Secretary.
       ``(C) Advance procedures.--The Secretary shall, in 
     coordination with the Director, and in consultation with the 
     heads of Federal agencies, establish procedures governing the 
     circumstances under which the Secretary may authorize the use 
     of protective capabilities subparagraph (A). The Secretary 
     shall submit the procedures to Congress.
       ``(4) Limitation.--The Secretary may direct or authorize 
     lawful action or protective capability under this subsection 
     only to--
       ``(A) protect agency information from unauthorized access, 
     use, disclosure, disruption, modification, or destruction; or
       ``(B) require the remediation of or protect against 
     identified information security risks with respect to--
       ``(i) information collected or maintained by or on behalf 
     of an agency; or
       ``(ii) that portion of an information system used or 
     operated by an agency or by a contractor of an agency or 
     other organization on behalf of an agency.
       ``(i) Annual Report to Congress.--Not later than February 1 
     of each year, the Director shall submit to the appropriate 
     congressional committees a report regarding the specific 
     actions the Director has taken pursuant to subsection (a)(5), 
     including any actions taken pursuant to section 11303(b)(5) 
     of title 40.
       ``(j) Appropriate Congressional Committees Defined.--In 
     this section, the term `appropriate congressional committees' 
     means--
       ``(1) the Committee on Appropriations and the Committee on 
     Homeland Security and Governmental Affairs of the Senate; and
       ``(2) the Committee on Appropriations, the Committee on 
     Homeland Security, the Committee on Oversight and Government 
     Reform, and the Committee on Science, Space, and Technology 
     of the House of Representatives.''.
       (b) Conforming Amendment.--Section 3554(a)(1)(B) of title 
     44, United States Code, is amended--
       (1) in clause (iii), by striking ``and'' at the end; and
       (2) by adding at the end the following:
       ``(v) emergency directives issued by the Secretary under 
     section 3553(h); and''.

         TITLE III--FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT

     SEC. 301. SHORT TITLE.

       This title may be cited as the ``Federal Cybersecurity 
     Workforce Assessment Act of 2015''.

     SEC. 302. DEFINITIONS.

       In this title:
       (1) Appropriate congressional committees.--The term 
     ``appropriate congressional committees'' means--
       (A) the Committee on Armed Services of the Senate;

[[Page S7531]]

       (B) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       (C) the Select Committee on Intelligence of the Senate;
       (D) the Committee on Commerce, Science, and Transportation 
     of the Senate;
       (E) the Committee on Armed Services in the House of 
     Representatives;
       (F) the Committee on Homeland Security of the House of 
     Representatives;
       (G) the Committee on Oversight and Government Reform of the 
     House of Representatives; and
       (H) the Permanent Select Committee on Intelligence of the 
     House of Representatives.
       (2) Director.--The term ``Director'' means the Director of 
     the Office of Personnel Management.
       (3) Roles.--The term ``roles'' has the meaning given the 
     term in the National Initiative for Cybersecurity Education's 
     Cybersecurity Workforce Framework.

     SEC. 303. NATIONAL CYBERSECURITY WORKFORCE MEASUREMENT 
                   INITIATIVE.

       (a) In General.--The head of each Federal agency shall--
       (1) identify all positions within the agency that require 
     the performance of cybersecurity or other cyber-related 
     functions; and
       (2) assign the corresponding employment code, which shall 
     be added to the National Initiative for Cybersecurity 
     Education's National Cybersecurity Workforce Framework, in 
     accordance with subsection (b).
       (b) Employment Codes.--
       (1) Procedures.--
       (A) Coding structure.--Not later than 180 days after the 
     date of the enactment of this Act, the Secretary of Commerce, 
     acting through the National Institute of Standards and 
     Technology, shall update the National Initiative for 
     Cybersecurity Education's Cybersecurity Workforce Framework 
     to include a corresponding coding structure.
       (B) Identification of civilian cyber personnel.--Not later 
     than 9 months after the date of enactment of this Act, the 
     Director, in coordination with the Director of the National 
     Institute of Standards and Technology and the Director of 
     National Intelligence, shall establish procedures to 
     implement the National Initiative for Cybersecurity 
     Education's coding structure to identify all Federal civilian 
     positions that require the performance of information 
     technology, cybersecurity, or other cyber-related functions.
       (C) Identification of noncivilian cyber personnel.--Not 
     later than 18 months after the date of enactment of this Act, 
     the Secretary of Defense shall establish procedures to 
     implement the National Initiative for Cybersecurity 
     Education's coding structure to identify all Federal 
     noncivilian positions that require the performance of 
     information technology, cybersecurity, or other cyber-related 
     functions.
       (D) Baseline assessment of existing cybersecurity 
     workforce.--Not later than 3 months after the date on which 
     the procedures are developed under subparagraphs (B) and (C), 
     respectively, the head of each Federal agency shall submit to 
     the appropriate congressional committees of jurisdiction a 
     report that identifies--
       (i) the percentage of personnel with information 
     technology, cybersecurity, or other cyber-related job 
     functions who currently hold the appropriate industry-
     recognized certifications as identified in the National 
     Initiative for Cybersecurity Education's Cybersecurity 
     Workforce Framework;
       (ii) the level of preparedness of other civilian and 
     noncivilian cyber personnel without existing credentials to 
     take certification exams; and
       (iii) a strategy for mitigating any gaps identified in 
     clause (i) or (ii) with the appropriate training and 
     certification for existing personnel.
       (E) Procedures for assigning codes.--Not later than 3 
     months after the date on which the procedures are developed 
     under subparagraphs (B) and (C), respectively, the head of 
     each Federal agency shall establish procedures--
       (i) to identify all encumbered and vacant positions with 
     information technology, cybersecurity, or other cyber-related 
     functions (as defined in the National Initiative for 
     Cybersecurity Education's coding structure); and
       (ii) to assign the appropriate employment code to each such 
     position, using agreed standards and definitions.
       (2) Code assignments.--Not later than 1 year after the date 
     after the procedures are established under paragraph (1)(E), 
     the head of each Federal agency shall complete assignment of 
     the appropriate employment code to each position within the 
     agency with information technology, cybersecurity, or other 
     cyber-related functions.
       (c) Progress Report.--Not later than 180 days after the 
     date of enactment of this Act, the Director shall submit a 
     progress report on the implementation of this section to the 
     appropriate congressional committees.

     SEC. 304. IDENTIFICATION OF CYBER-RELATED ROLES OF CRITICAL 
                   NEED.

       (a) In General.--Beginning not later than 1 year after the 
     date on which the employment codes are assigned to employees 
     pursuant to section 203(b)(2), and annually through 2022, the 
     head of each Federal agency, in consultation with the 
     Director, the Director of the National Institute of Standards 
     and Technology, and the Secretary of Homeland Security, 
     shall--
       (1) identify information technology, cybersecurity, or 
     other cyber-related roles of critical need in the agency's 
     workforce; and
       (2) submit a report to the Director that--
       (A) describes the information technology, cybersecurity, or 
     other cyber-related roles identified under paragraph (1); and
       (B) substantiates the critical need designations.
       (b) Guidance.--The Director shall provide Federal agencies 
     with timely guidance for identifying information technology, 
     cybersecurity, or other cyber-related roles of critical need, 
     including--
       (1) current information technology, cybersecurity, and 
     other cyber-related roles with acute skill shortages; and
       (2) information technology, cybersecurity, or other cyber-
     related roles with emerging skill shortages.
       (c) Cybersecurity Needs Report.--Not later than 2 years 
     after the date of the enactment of this Act, the Director, in 
     consultation with the Secretary of Homeland Security, shall--
       (1) identify critical needs for information technology, 
     cybersecurity, or other cyber-related workforce across all 
     Federal agencies; and
       (2) submit a progress report on the implementation of this 
     section to the appropriate congressional committees.

     SEC. 305. GOVERNMENT ACCOUNTABILITY OFFICE STATUS REPORTS.

       The Comptroller General of the United States shall--
       (1) analyze and monitor the implementation of sections 303 
     and 304; and
       (2) not later than 3 years after the date of the enactment 
     of this Act, submit a report to the appropriate congressional 
     committees that describes the status of such implementation.	  

                     TITLE IV--OTHER CYBER MATTERS

     SEC. 401. STUDY ON MOBILE DEVICE SECURITY.

       (a) In General.--Not later than 1 year after the date of 
     the enactment of this Act, the Secretary of Homeland 
     Security, in consultation with the Director of the National 
     Institute of Standards and Technology, shall--
       (1) complete a study on threats relating to the security of 
     the mobile devices of the Federal Government; and
       (2) submit an unclassified report to Congress, with a 
     classified annex if necessary, that contains the findings of 
     such study, the recommendations developed under paragraph (3) 
     of subsection (b), the deficiencies, if any, identified under 
     (4) of such subsection, and the plan developed under 
     paragraph (5) of such subsection.
       (b) Matters Studied.--In carrying out the study under 
     subsection (a)(1), the Secretary, in consultation with the 
     Director of the National Institute of Standards and 
     Technology, shall--
       (1) assess the evolution of mobile security techniques from 
     a desktop-centric approach, and whether such techniques are 
     adequate to meet current mobile security challenges;
       (2) assess the effect such threats may have on the 
     cybersecurity of the information systems and networks of the 
     Federal Government (except for national security systems or 
     the information systems and networks of the Department of 
     Defense and the intelligence community);
       (3) develop recommendations for addressing such threats 
     based on industry standards and best practices;
       (4) identify any deficiencies in the current authorities of 
     the Secretary that may inhibit the ability of the Secretary 
     to address mobile device security throughout the Federal 
     Government (except for national security systems and the 
     information systems and networks of the Department of Defense 
     and intelligence community); and
       (5) develop a plan for accelerated adoption of secure 
     mobile device technology by the Department of Homeland 
     Security.
       (c) Intelligence Community Defined.--In this section, the 
     term ``intelligence community'' has the meaning given such 
     term in section 3 of the National Security Act of 1947 (50 
     U.S.C. 3003).

     SEC. 402. DEPARTMENT OF STATE INTERNATIONAL CYBERSPACE POLICY 
                   STRATEGY.

       (a) In General.--Not later than 90 days after the date of 
     the enactment of this Act, the Secretary of State shall 
     produce a comprehensive strategy relating to United States 
     international policy with regard to cyberspace.
       (b) Elements.--The strategy required by subsection (a) 
     shall include the following:
       (1) A review of actions and activities undertaken by the 
     Secretary of State to date to support the goal of the 
     President's International Strategy for Cyberspace, released 
     in May 2011, to ``work internationally to promote an open, 
     interoperable, secure, and reliable information and 
     communications infrastructure that supports international 
     trade and commerce, strengthens international security, and 
     fosters free expression and innovation.''.
       (2) A plan of action to guide the diplomacy of the 
     Secretary of State, with regard to foreign countries, 
     including conducting bilateral and multilateral activities to 
     develop the norms of responsible international behavior in 
     cyberspace, and status review of existing discussions in 
     multilateral fora to obtain agreements on international norms 
     in cyberspace.
       (3) A review of the alternative concepts with regard to 
     international norms in cyberspace offered by foreign 
     countries that are prominent actors, including China, Russia, 
     Brazil, and India.

[[Page S7532]]

       (4) A detailed description of threats to United States 
     national security in cyberspace from foreign countries, 
     state-sponsored actors, and private actors to Federal and 
     private sector infrastructure of the United States, 
     intellectual property in the United States, and the privacy 
     of citizens of the United States.
       (5) A review of policy tools available to the President to 
     deter foreign countries, state-sponsored actors, and private 
     actors, including those outlined in Executive Order 13694, 
     released on April 1, 2015.
       (6) A review of resources required by the Secretary, 
     including the Office of the Coordinator for Cyber Issues, to 
     conduct activities to build responsible norms of 
     international cyber behavior.
       (c) Consultation.--In preparing the strategy required by 
     subsection (a), the Secretary of State shall consult, as 
     appropriate, with other agencies and departments of the 
     United States and the private sector and nongovernmental 
     organizations in the United States with recognized 
     credentials and expertise in foreign policy, national 
     security, and cybersecurity.
       (d) Form of Strategy.--The strategy required by subsection 
     (a) shall be in unclassified form, but may include a 
     classified annex.
       (e) Availability of Information.--The Secretary of State 
     shall--
       (1) make the strategy required in subsection (a) available 
     the public; and
       (2) brief the Committee on Foreign Relations of the Senate 
     and the Committee on Foreign Affairs of the House of 
     Representatives on the strategy, including any material 
     contained in a classified annex.

     SEC. 403. APPREHENSION AND PROSECUTION OF INTERNATIONAL CYBER 
                   CRIMINALS.

       (a) International Cyber Criminal Defined.--In this section, 
     the term ``international cyber criminal'' means an 
     individual--
       (1) who is believed to have committed a cybercrime or 
     intellectual property crime against the interests of the 
     United States or the citizens of the United States; and
       (2) for whom--
       (A) an arrest warrant has been issued by a judge in the 
     United States; or
       (B) an international wanted notice (commonly referred to as 
     a ``Red Notice'') has been circulated by Interpol.
       (b) Consultations for Noncooperation.--The Secretary of 
     State, or designee, shall consult with the appropriate 
     government official of each country from which extradition is 
     not likely due to the lack of an extradition treaty with the 
     United States or other reasons, in which one or more 
     international cyber criminals are physically present, to 
     determine what actions the government of such country has 
     taken--
       (1) to apprehend and prosecute such criminals; and
       (2) to prevent such criminals from carrying out cybercrimes 
     or intellectual property crimes against the interests of the 
     United States or its citizens.
       (c) Annual Report.--
       (1) In general.--The Secretary of State shall submit to the 
     appropriate congressional committees an annual report that 
     includes--
       (A) the number of international cyber criminals located in 
     other countries, disaggregated by country, and indicating 
     from which countries extradition is not likely due to the 
     lack of an extradition treaty with the United States or other 
     reasons;
       (B) the nature and number of significant discussions by an 
     official of the Department of State on ways to thwart or 
     prosecute international cyber criminals with an official of 
     another country, including the name of each such country; and
       (C) for each international cyber criminal who was 
     extradited to the United States during the most recently 
     completed calendar year--
       (i) his or her name;
       (ii) the crimes for which he or she was charged;
       (iii) his or her previous country of residence; and
       (iv) the country from which he or she was extradited into 
     the United States.
       (2) Form.--The report required by this subsection shall be 
     in unclassified form to the maximum extent possible, but may 
     include a classified annex.
       (3) Appropriate congressional committees.--For purposes of 
     this subsection, the term ``appropriate congressional 
     committees'' means--
       (A) the Committee on Foreign Relations, the Committee on 
     Appropriations, the Committee on Homeland Security and 
     Governmental Affairs, the Committee on Banking, Housing, and 
     Urban Affairs, the Select Committee on Intelligence, and the 
     Committee on the Judiciary of the Senate; and
       (B) the Committee on Foreign Affairs, the Committee on 
     Appropriations, the Committee on Homeland Security, the 
     Committee on Financial Services, the Permanent Select 
     Committee on Intelligence, and the Committee on the Judiciary 
     of the House of Representatives.

     SEC. 404. ENHANCEMENT OF EMERGENCY SERVICES.

       (a) Collection of Data.--Not later than 90 days after the 
     date of enactment of this Act, the Secretary of Homeland 
     Security, acting through the National Cybersecurity and 
     Communications Integration Center, in coordination with 
     appropriate Federal entities and the Director for Emergency 
     Communications, shall establish a process by which a 
     Statewide Interoperability Coordinator may report data on any 
     cybersecurity risk or incident involving any information 
     system or network used by emergency response providers (as 
     defined in section 2 of the Homeland Security Act of 2002 (6 
     U.S.C. 101)) within the State.
       (b) Analysis of Data.--Not later than 1 year after the date 
     of enactment of this Act, the Secretary of Homeland Security, 
     acting through the Director of the National Cybersecurity and 
     Communications Integration Center, in coordination with 
     appropriate entities and the Director for Emergency 
     Communications, and in consultation with the Director of the 
     National Institute of Standards and Technology, shall conduct 
     integration and analysis of the data reported under 
     subsection (a) to develop information and recommendations on 
     security and resilience measures for any information system 
     or network used by State emergency response providers.
       (c) Best Practices.--
       (1) In general.--Using the results of the integration and 
     analysis conducted under subsection (b), and any other 
     relevant information, the Director of the National Institute 
     of Standards and Technology shall, on an ongoing basis, 
     facilitate and support the development of methods for 
     reducing cybersecurity risks to emergency response providers 
     using the process described in section 2(e) of the National 
     Institute of Standards and Technology Act (15 U.S.C. 272(e)).
       (2) Report.--The Director of the National Institute of 
     Standards and Technology shall submit a report to Congress on 
     the methods developed under paragraph (1) and shall make such 
     report publically available on the website of the National 
     Institute of Standards and Technology.
       (d) Rule of Construction.--Nothing in this section shall be 
     construed to--
       (1) require a State to report data under subsection (a); or
       (2) require an entity to--
       (A) adopt a recommended measure developed under subsection 
     (b); or
       (B) follow the best practices developed under subsection 
     (c).

     SEC. 405. IMPROVING CYBERSECURITY IN THE HEALTH CARE 
                   INDUSTRY.

       (a) Definitions.--In this section:
       (1) Business associate.--The term ``business associate'' 
     has the meaning given such term in section 160.103 of title 
     45, Code of Federal Regulations.
       (2) Covered entity.--The term ``covered entity'' has the 
     meaning given such term in section 160.103 of title 45, Code 
     of Federal Regulations.
       (3) Health care clearinghouse; health care provider; health 
     plan.--The terms ``health care clearinghouse'', ``health care 
     provider'', and ``health plan'' have the meanings given the 
     terms in section 160.103 of title 45, Code of Federal 
     Regulations.
       (4) Health care industry stakeholder.--The term ``health 
     care industry stakeholder'' means any--
       (A) health plan, health care clearinghouse, or health care 
     provider;
       (B) patient advocate;
       (C) pharmacist;
       (D) developer of health information technology;
       (E) laboratory;
       (F) pharmaceutical or medical device manufacturer; or
       (G) additional stakeholder the Secretary determines 
     necessary for purposes of subsection (d)(1), (d)(3), or (e).
       (5) Secretary.--The term ``Secretary'' means the Secretary 
     of Health and Human Services.
       (b) Report.--Not later than 1 year after the date of 
     enactment of this Act, the Secretary shall submit, to the 
     Committee on Health, Education, Labor, and Pensions of the 
     Senate and the Committee on Energy and Commerce of the House 
     of Representatives, a report on the preparedness of the 
     health care industry in responding to cybersecurity threats.
       (c) Contents of Report.--With respect to the internal 
     response of the Department of Health and Human Services to 
     emerging cybersecurity threats, the report shall include--
       (1) a clear statement of the official within the Department 
     of Health and Human Services to be responsible for leading 
     and coordinating efforts of the Department regarding 
     cybersecurity threats in the health care industry; and
       (2) a plan from each relevant operating division and 
     subdivision of the Department of Health and Human Services on 
     how such division or subdivision will address cybersecurity 
     threats in the health care industry, including a clear 
     delineation of how each such division or subdivision will 
     divide responsibility among the personnel of such division or 
     subdivision and communicate with other such divisions and 
     subdivisions regarding efforts to address such threats.
       (d) Health Care Industry Cybersecurity Task Force.--
       (1) In general.--Not later than 60 days after the date of 
     enactment of this Act, the Secretary, in consultation with 
     the Director of the National Institute of Standards and 
     Technology and the Secretary of Homeland Security, shall 
     convene health care industry stakeholders, cybersecurity 
     experts, and any Federal agencies or entities the Secretary 
     determines appropriate to establish a task force to--
       (A) analyze how industries, other than the health care 
     industry, have implemented strategies and safeguards for 
     addressing cybersecurity threats within their respective 
     industries;

[[Page S7533]]

       (B) analyze challenges and barriers private entities 
     (notwithstanding section 102(15)(B), excluding any State, 
     tribal, or local government) in the health care industry face 
     securing themselves against cyber attacks;
       (C) review challenges that covered entities and business 
     associates face in securing networked medical devices and 
     other software or systems that connect to an electronic 
     health record;
       (D) provide the Secretary with information to disseminate 
     to health care industry stakeholders for purposes of 
     improving their preparedness for, and response to, 
     cybersecurity threats affecting the health care industry;
       (E) establish a plan for creating a single system for the 
     Federal Government to share information on actionable 
     intelligence regarding cybersecurity threats to the health 
     care industry in near real time, requiring no fee to the 
     recipients of such information, including which Federal 
     agency or other entity may be best suited to be the central 
     conduit to facilitate the sharing of such information; and
       (F) report to Congress on the findings and recommendations 
     of the task force regarding carrying out subparagraphs (A) 
     through (E).
       (2) Termination.--The task force established under this 
     subsection shall terminate on the date that is 1 year after 
     the date of enactment of this Act.
       (3) Dissemination.--Not later than 60 days after the 
     termination of the task force established under this 
     subsection, the Secretary shall disseminate the information 
     described in paragraph (1)(D) to health care industry 
     stakeholders in accordance with such paragraph.
       (4) Rule of construction.--Nothing in this subsection shall 
     be construed to limit the antitrust exemption under section 
     104(e) or the protection from liability under section 106.
       (e) Cybersecurity Framework.--
       (1) In general.--The Secretary shall establish, through a 
     collaborative process with the Secretary of Homeland 
     Security, health care industry stakeholders, the National 
     Institute of Standards and Technology, and any Federal agency 
     or entity the Secretary determines appropriate, a single, 
     voluntary, national health-specific cybersecurity framework 
     that--
       (A) establishes a common set of voluntary, consensus-based, 
     and industry-led standards, security practices, guidelines, 
     methodologies, procedures, and processes that serve as a 
     resource for cost-effectively reducing cybersecurity risks 
     for a range of health care organizations;
       (B) supports voluntary adoption and implementation efforts 
     to improve safeguards to address cybersecurity threats;
       (C) is consistent with the security and privacy regulations 
     promulgated under section 264(c) of the Health Insurance 
     Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 
     note) and with the Health Information Technology for Economic 
     and Clinical Health Act (title XIII of division A, and title 
     IV of division B, of Public Law 111-5), and the amendments 
     made by such Act; and
       (D) is updated on a regular basis and applicable to the 
     range of health care organizations described in subparagraph 
     (A).
       (2) Limitation.--Nothing in this subsection shall be 
     interpreted as granting the Secretary authority to--
       (A) provide for audits to ensure that health care 
     organizations are in compliance with the voluntary framework 
     under this subsection; or
       (B) mandate, direct, or condition the award of any Federal 
     grant, contract, or purchase on compliance with such 
     voluntary framework.
       (3) No liability for nonparticipation.--Nothing in this 
     title shall be construed to subject a health care 
     organization to liability for choosing not to engage in the 
     voluntary activities authorized under this subsection.

     SEC. 406. FEDERAL COMPUTER SECURITY.

       (a) Definitions.--In this section:
       (1) Covered system.--The term ``covered system'' shall mean 
     a national security system as defined in section 11103 of 
     title 40, United States Code, or a Federal computer system 
     that provides access to personally identifiable information.
       (2) Covered agency.--The term ``covered agency'' means an 
     agency that operates a covered system.
       (3) Logical access control.--The term ``logical access 
     control'' means a process of granting or denying specific 
     requests to obtain and use information and related 
     information processing services.
       (4) Multi-factor logical access controls.--The term 
     ``multi-factor logical access controls'' means a set of not 
     less than 2 of the following logical access controls:
       (A) Information that is known to the user, such as a 
     password or personal identification number.
       (B) An access device that is provided to the user, such as 
     a cryptographic identification device or token.
       (C) A unique biometric characteristic of the user.
       (5) Privileged user.--The term ``privileged user'' means a 
     user who, by virtue of function or seniority, has been 
     allocated powers within a covered system, which are 
     significantly greater than those available to the majority of 
     users.
       (b) Inspector General Reports on Covered Systems.--
       (1) In general.--Not later than 240 days after the date of 
     enactment of this Act, the Inspector General of each covered 
     agency shall submit to the appropriate committees of 
     jurisdiction in the Senate and the House of Representatives a 
     report, which shall include information collected from the 
     covered agency for the contents described in paragraph (2) 
     regarding the Federal computer systems of the covered agency.
       (2) Contents.--The report submitted by each Inspector 
     General of a covered agency under paragraph (1) shall 
     include, with respect to the covered agency, the following:
       (A) A description of the logical access standards used by 
     the covered agency to access a covered system, including--
       (i) in aggregate, a list and description of logical access 
     controls used to access such a covered system; and
       (ii) whether the covered agency is using multi-factor 
     logical access controls to access such a covered system.
       (B) A description of the logical access controls used by 
     the covered agency to govern access to covered systems by 
     privileged users.
       (C) If the covered agency does not use logical access 
     controls or multi-factor logical access controls to access a 
     covered system, a description of the reasons for not using 
     such logical access controls or multi-factor logical access 
     controls.
       (D) A description of the following data security management 
     practices used by the covered agency:
       (i) The policies and procedures followed to conduct 
     inventories of the software present on the covered systems of 
     the covered agency and the licenses associated with such 
     software.
       (ii) What capabilities the covered agency utilizes to 
     monitor and detect exfiltration and other threats, 
     including--

       (I) data loss prevention capabilities; or
       (II) digital rights management capabilities.

       (iii) A description of how the covered agency is using the 
     capabilities described in clause (ii).
       (iv) If the covered agency is not utilizing capabilities 
     described in clause (ii), a description of the reasons for 
     not utilizing such capabilities.
       (E) A description of the policies and procedures of the 
     covered agency with respect to ensuring that entities, 
     including contractors, that provide services to the covered 
     agency are implementing the data security management 
     practices described in subparagraph (D).
       (3) Existing review.--The reports required under this 
     subsection may be based in whole or in part on an audit, 
     evaluation, or report relating to programs or practices of 
     the covered agency, and may be submitted as part of another 
     report, including the report required under section 3555 of 
     title 44, United States Code.
       (4) Classified information.--Reports submitted under this 
     subsection shall be in unclassified form, but may include a 
     classified annex.

     SEC. 407. STRATEGY TO PROTECT CRITICAL INFRASTRUCTURE AT 
                   GREATEST RISK.

       (a) Definitions.--In this section:
       (1) Appropriate agency.--The term ``appropriate agency'' 
     means, with respect to a covered entity--
       (A) except as provided in subparagraph (B), the applicable 
     sector-specific agency; or
       (B) in the case of a covered entity that is regulated by a 
     Federal entity, such Federal entity.
       (2) Appropriate agency head.--The term ``appropriate agency 
     head'' means, with respect to a covered entity, the head of 
     the appropriate agency.
       (3) Covered entity.--The term ``covered entity'' means an 
     entity identified pursuant to section 9(a) of Executive Order 
     13636 of February 12, 2013 (78 Fed. Reg. 11742), relating to 
     identification of critical infrastructure where a 
     cybersecurity incident could reasonably result in 
     catastrophic regional or national effects on public health or 
     safety, economic security, or national security.
       (4) Appropriate congressional committees.--The term 
     ``appropriate congressional committees'' means--
       (A) the Select Committee on Intelligence of the Senate;
       (B) the Permanent Select Committee on Intelligence of the 
     House of Representatives;
       (C) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       (D) the Committee on Homeland Security of the House of 
     Representatives;
       (E) the Committee on Energy and Natural Resources of the 
     Senate;
       (F) the Committee on Energy and Commerce of the House of 
     Representatives; and
       (G) the Committee on Commerce, Science, and Transportation 
     of the Senate.
       (5) Secretary.--The term ``Secretary'' means the Secretary 
     of the Department of Homeland Security.
       (b) Status of Existing Cyber Incident Reporting.--
       (1) In general.--No later than 120 days after the date of 
     the enactment of this Act, the Secretary, in conjunction with 
     the appropriate agency head (as the case may be), shall 
     submit to the appropriate congressional committees describing 
     the extent to which each covered entity reports significant 
     intrusions of information systems essential to the operation 
     of critical infrastructure to the Department of Homeland 
     Security or the appropriate agency head in a timely manner.
       (2) Form.--The report submitted under paragraph (1) may 
     include a classified annex.

[[Page S7534]]

       (c) Mitigation Strategy Required for Critical 
     Infrastructure at Greatest Risk.--
       (1) In general.--No later than 180 days after the date of 
     the enactment of this Act, the Secretary, in conjunction with 
     the appropriate agency head (as the case may be), shall 
     conduct an assessment and develop a strategy that addresses 
     each of the covered entities, to ensure that, to the greatest 
     extent feasible, a cyber security incident affecting such 
     entity would no longer reasonably result in catastrophic 
     regional or national effects on public health or safety, 
     economic security, or national security.
       (2) Elements.--The strategy submitted by the Secretary with 
     respect to a covered entity shall include the following:
       (A) An assessment of whether each entity should be required 
     to report cyber security incidents.
       (B) A description of any identified security gaps that must 
     be addressed.
       (C) Additional statutory authority necessary to reduce the 
     likelihood that a cyber incident could cause catastrophic 
     regional or national effects on public health or safety, 
     economic security, or national security.
       (3) Submittal.--The Secretary shall submit to the 
     appropriate congressional committees the assessment and 
     strategy required by paragraph (1).
       (4) Form.--The assessment and strategy submitted under 
     paragraph (3) may each include a classified annex.

     SEC. 408. STOPPING THE FRAUDULENT SALE OF FINANCIAL 
                   INFORMATION OF PEOPLE OF THE UNITED STATES.

       Section 1029(h) of title 18, United States Code, is amended 
     by striking ``title if--'' and all that follows through 
     ``therefrom.'' and inserting ``title if the offense involves 
     an access device issued, owned, managed, or controlled by a 
     financial institution, account issuer, credit card system 
     member, or other entity organized under the laws of the 
     United States, or any State, the District of Columbia, or 
     other Territory of the United States.''.

     SEC. 409. EFFECTIVE PERIOD.

       (a) In General.--Except as provided in subsection (b), this 
     Act and the amendments made by this Act shall be in effect 
     during the 10-year period beginning on the date of the 
     enactment of this Act.
       (b) Exception.--With respect to any action authorized by 
     this Act or information obtained pursuant to an action 
     authorized by this Act, which occurred before the date on 
     which the provisions referred to in subsection (a) cease to 
     have effect, the provisions of this Act shall continue in 
     effect.

  The PRESIDING OFFICER. The majority leader.