[115th Congress Public Law 278]
[From the U.S. Government Publishing Office]
[[Page 4167]]
CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY ACT OF 2018
[[Page 132 STAT. 4168]]
Public Law 115-278
115th Congress
An Act
To amend the Homeland Security Act of 2002 to authorize the
Cybersecurity and Infrastructure Security Agency of the Department of
Homeland Security, and for other purposes. <<NOTE: Nov. 16,
2018 - [H.R. 3359]>>
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled, <<NOTE: Cybersecurity
and Infrastructure Security Agency Act of 2018.>>
SECTION 1. <<NOTE: 6 USC 101 note.>> SHORT TITLE.
This Act may be cited as the ``Cybersecurity and Infrastructure
Security Agency Act of 2018''.
SEC. 2. CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY.
(a) In General.--The Homeland Security Act of 2002 (6 U.S.C. 101 et
seq.) is amended by adding at the end the following:
``TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
``Subtitle A--Cybersecurity and Infrastructure Security
``SEC. 2201. <<NOTE: 6 USC 651.>> DEFINITIONS.
``In this subtitle:
``(1) Critical infrastructure information.--The term
`critical infrastructure information' has the meaning given the
term in section 2222.
``(2) Cybersecurity risk.--The term `cybersecurity risk' has
the meaning given the term in section 2209.
``(3) Cybersecurity threat.--The term `cybersecurity threat'
has the meaning given the term in section 102(5) of the
Cybersecurity Act of 2015 (contained in division N of the
Consolidated Appropriations Act, 2016 (Public Law 114-113; 6
U.S.C. 1501)).
``(4) National cybersecurity asset response activities.--The
term `national cybersecurity asset response activities' means--
``(A) furnishing cybersecurity technical assistance
to entities affected by cybersecurity risks to protect
assets, mitigate vulnerabilities, and reduce impacts of
cyber incidents;
``(B) identifying other entities that may be at risk
of an incident and assessing risk to the same or similar
vulnerabilities;
[[Page 132 STAT. 4169]]
``(C) assessing potential cybersecurity risks to a
sector or region, including potential cascading effects,
and developing courses of action to mitigate such risks;
``(D) facilitating information sharing and
operational coordination with threat response; and
``(E) providing guidance on how best to utilize
Federal resources and capabilities in a timely,
effective manner to speed recovery from cybersecurity
risks.
``(5) Sector-specific agency.--The term `Sector-Specific
Agency' means a Federal department or agency, designated by law
or presidential directive, with responsibility for providing
institutional knowledge and specialized expertise of a sector,
as well as leading, facilitating, or supporting programs and
associated activities of its designated critical infrastructure
sector in the all hazards environment in coordination with the
Department.
``(6) Sharing.--The term `sharing' has the meaning given the
term in section 2209.
``SEC. 2202. <<NOTE: 6 USC 652.>> CYBERSECURITY AND
INFRASTRUCTURE SECURITY AGENCY.
``(a) Redesignation.--
``(1) In general.--The National Protection and Programs
Directorate of the Department shall, on and after the date of
the enactment of this subtitle, be known as the `Cybersecurity
and Infrastructure Security Agency' (in this subtitle referred
to as the `Agency').
``(2) References.--Any reference to the National Protection
and Programs Directorate of the Department in any law,
regulation, map, document, record, or other paper of the United
States shall be deemed to be a reference to the Cybersecurity
and Infrastructure Security Agency of the Department.
``(b) Director.--
``(1) In general.--The Agency shall be headed by a Director
of Cybersecurity and Infrastructure Security (in this subtitle
referred to as the `Director'), who shall report to the
Secretary.
``(2) Reference.--Any reference to an Under Secretary
responsible for overseeing critical infrastructure protection,
cybersecurity, and any other related program of the Department
as described in section 103(a)(1)(H) as in effect on the day
before the date of enactment of this subtitle in any law,
regulation, map, document, record, or other paper of the United
States shall be deemed to be a reference to the Director of
Cybersecurity and Infrastructure Security of the Department.
``(c) Responsibilities <<NOTE: Coordination.>> .--The Director
shall--
``(1) lead cybersecurity and critical infrastructure
security programs, operations, and associated policy for the
Agency, including national cybersecurity asset response
activities;
``(2) coordinate with Federal entities, including Sector-
Specific Agencies, and non-Federal entities, including
international entities, to carry out the cybersecurity and
critical infrastructure activities of the Agency, as
appropriate;
``(3) carry out the responsibilities of the Secretary to
secure Federal information and information systems consistent
with law, including subchapter II of chapter 35 of title 44,
United States Code, and the Cybersecurity Act of 2015 (contained
[[Page 132 STAT. 4170]]
in division N of the Consolidated Appropriations Act, 2016
(Public Law 114-113));
``(4) coordinate a national effort to secure and protect
against critical infrastructure risks, consistent with
subsection (e)(1)(E);
``(5) upon request, provide analyses, expertise, and other
technical assistance to critical infrastructure owners and
operators and, where appropriate, provide those analyses,
expertise, and other technical assistance in coordination with
Sector-Specific Agencies and other Federal departments and
agencies;
``(6) <<NOTE: Collaboration.>> develop and utilize
mechanisms for active and frequent collaboration between the
Agency and Sector-Specific Agencies to ensure appropriate
coordination, situational awareness, and communications with
Sector-Specific Agencies;
``(7) <<NOTE: Consultation. Collaboration.>> maintain and
utilize mechanisms for the regular and ongoing consultation and
collaboration among the Divisions of the Agency to further
operational coordination, integrated situational awareness, and
improved integration across the Agency in accordance with this
Act;
``(8) develop, coordinate, and implement--
``(A) <<NOTE: Strategic plans.>> comprehensive
strategic plans for the activities of the Agency; and
``(B) <<NOTE: Risk assessments.>> risk assessments
by and for the Agency;
``(9) carry out emergency communications responsibilities,
in accordance with title XVIII;
``(10) carry out cybersecurity, infrastructure security, and
emergency communications stakeholder outreach and engagement and
coordinate that outreach and engagement with critical
infrastructure Sector-Specific Agencies, as appropriate; and
``(11) carry out such other duties and powers prescribed by
law or delegated by the Secretary.
``(d) Deputy Director.--There shall be in the Agency a Deputy
Director of Cybersecurity and Infrastructure Security who shall--
``(1) assist the Director in the management of the Agency;
and
``(2) report to the Director.
``(e) Cybersecurity and Infrastructure Security Authorities of the
Secretary.--
``(1) In general.--The responsibilities of the Secretary
relating to cybersecurity and infrastructure security shall
include the following:
``(A) To access, receive, and analyze law
enforcement information, intelligence information, and
other information from Federal Government agencies,
State, local, tribal, and territorial government
agencies, including law enforcement agencies, and
private sector entities, and to integrate that
information, in support of the mission responsibilities
of the Department, in order to--
``(i) identify and assess the nature and scope
of terrorist threats to the homeland;
``(ii) detect and identify threats of
terrorism against the United States; and
``(iii) understand those threats in light of
actual and potential vulnerabilities of the
homeland.
``(B) <<NOTE: Assessments.>> To carry out
comprehensive assessments of the vulnerabilities of the
key resources and critical infrastructure of the United
States, including the performance of
[[Page 132 STAT. 4171]]
risk assessments to determine the risks posed by
particular types of terrorist attacks within the United
States, including an assessment of the probability of
success of those attacks and the feasibility and
potential efficacy of various countermeasures to those
attacks. At the discretion of the Secretary, such
assessments may be carried out in coordination with
Sector-Specific Agencies.
``(C) <<NOTE: Recommenda- tions.>> To integrate
relevant information, analysis, and vulnerability
assessments, regardless of whether the information,
analysis, or assessments are provided or produced by the
Department, in order to make recommendations, including
prioritization, for protective and support measures by
the Department, other Federal Government agencies,
State, local, tribal, and territorial government
agencies and authorities, the private sector, and other
entities regarding terrorist and other threats to
homeland security.
``(D) To ensure, pursuant to section 202, the timely
and efficient access by the Department to all
information necessary to discharge the responsibilities
under this title, including obtaining that information
from other Federal Government agencies.
``(E) <<NOTE: Coordination. Plan.>> To develop, in
coordination with the Sector-Specific Agencies with
available expertise, a comprehensive national plan for
securing the key resources and critical infrastructure
of the United States, including power production,
generation, and distribution systems, information
technology and telecommunications systems (including
satellites), electronic financial and property record
storage and transmission systems, emergency
communications systems, and the physical and
technological assets that support those systems.
``(F) <<NOTE: Recommenda- tions.>> To recommend
measures necessary to protect the key resources and
critical infrastructure of the United States in
coordination with other Federal Government agencies,
including Sector-Specific Agencies, and in cooperation
with State, local, tribal, and territorial government
agencies and authorities, the private sector, and other
entities.
``(G) <<NOTE: Review. Analysis. Recommenda-
tions.>> To review, analyze, and make recommendations
for improvements to the policies and procedures
governing the sharing of information relating to
homeland security within the Federal Government and
between Federal Government agencies and State, local,
tribal, and territorial government agencies and
authorities.
``(H) To disseminate, as appropriate, information
analyzed by the Department within the Department to
other Federal Government agencies with responsibilities
relating to homeland security and to State, local,
tribal, and territorial government agencies and private
sector entities with those responsibilities in order to
assist in the deterrence, prevention, or preemption of,
or response to, terrorist attacks against the United
States.
``(I) <<NOTE: Consultation.>> To consult with
State, local, tribal, and territorial government
agencies and private sector entities to ensure
appropriate exchanges of information, including law
[[Page 132 STAT. 4172]]
enforcement-related information, relating to threats of
terrorism against the United States.
``(J) To ensure that any material received pursuant
to this Act is protected from unauthorized disclosure
and handled and used only for the performance of
official duties.
``(K) To request additional information from other
Federal Government agencies, State, local, tribal, and
territorial government agencies, and the private sector
relating to threats of terrorism in the United States,
or relating to other areas of responsibility assigned by
the Secretary, including the entry into cooperative
agreements through the Secretary to obtain such
information.
``(L) To establish and utilize, in conjunction with
the Chief Information Officer of the Department, a
secure communications and information technology
infrastructure, including data-mining and other advanced
analytical tools, in order to access, receive, and
analyze data and information in furtherance of the
responsibilities under this section, and to disseminate
information acquired and analyzed by the Department, as
appropriate.
``(M) <<NOTE: Coordination.>> To coordinate
training and other support to the elements and personnel
of the Department, other Federal Government agencies,
and State, local, tribal, and territorial government
agencies that provide information to the Department, or
are consumers of information provided by the Department,
in order to facilitate the identification and sharing of
information revealed in their ordinary duties and the
optimal utilization of information received from the
Department.
``(N) <<NOTE: Coordination.>> To coordinate with
Federal, State, local, tribal, and territorial law
enforcement agencies, and the private sector, as
appropriate.
``(O) To exercise the authorities and oversight of
the functions, personnel, assets, and liabilities of
those components transferred to the Department pursuant
to section 201(g).
``(P) To carry out the functions of the national
cybersecurity and communications integration center
under section 2209.
``(Q) To carry out the requirements of the Chemical
Facility Anti-Terrorism Standards Program established
under title XXI and the secure handling of ammonium
nitrate program established under subtitle J of title
VIII, or any successor programs.
``(2) <<NOTE: Certification. Briefing. Public
information. Time period.>> Reallocation.--The Secretary may
reallocate within the Agency the functions specified in sections
2203(b) and 2204(b), consistent with the responsibilities
provided in paragraph (1), upon certifying to and briefing the
appropriate congressional committees, and making available to
the public, at least 60 days prior to the reallocation that the
reallocation is necessary for carrying out the activities of the
Agency.
``(3) Staff.--
``(A) In general.--The Secretary shall provide the
Agency with a staff of analysts having appropriate
expertise and experience to assist the Agency in
discharging the responsibilities of the Agency under
this section.
[[Page 132 STAT. 4173]]
``(B) Private sector analysts.--Analysts under this
subsection may include analysts from the private sector.
``(C) Security clearances.--Analysts under this
subsection shall possess security clearances appropriate
for their work under this section.
``(4) Detail of personnel.--
``(A) In general.--In order to assist the Agency in
discharging the responsibilities of the Agency under
this section, personnel of the Federal agencies
described in subparagraph (B) may be detailed to the
Agency for the performance of analytic functions and
related duties.
``(B) Agencies.--The Federal agencies described in
this subparagraph are--
``(i) the Department of State;
``(ii) the Central Intelligence Agency;
``(iii) the Federal Bureau of Investigation;
``(iv) the National Security Agency;
``(v) the National Geospatial-Intelligence
Agency;
``(vi) the Defense Intelligence Agency;
``(vii) Sector-Specific Agencies; and
``(viii) any other agency of the Federal
Government that the President considers
appropriate.
``(C) Interagency agreements.--The Secretary and the
head of a Federal agency described in subparagraph (B)
may enter into agreements for the purpose of detailing
personnel under this paragraph.
``(D) Basis.--The detail of personnel under this
paragraph may be on a reimbursable or non-reimbursable
basis.
``(f) Composition.--The Agency shall be composed of the following
divisions:
``(1) The Cybersecurity Division, headed by an Assistant
Director.
``(2) The Infrastructure Security Division, headed by an
Assistant Director.
``(3) The Emergency Communications Division under title
XVIII, headed by an Assistant Director.
``(g) Co-location.--
``(1) In general.--To the maximum extent practicable, the
Director shall examine the establishment of central locations in
geographical regions with a significant Agency presence.
``(2) Coordination.--When establishing the central locations
described in paragraph (1), the Director shall coordinate with
component heads and the Under Secretary for Management to co-
locate or partner on any new real property leases, renewing any
occupancy agreements for existing leases, or agreeing to extend
or newly occupy any Federal space or new construction.
``(h) Privacy.--
``(1) In general.--There shall be a Privacy Officer of the
Agency with primary responsibility for privacy policy and
compliance for the Agency.
``(2) Responsibilities <<NOTE: Personal information.>> .--
The responsibilities of the Privacy Officer of the Agency shall
include--
``(A) assuring that the use of technologies by the
Agency sustain, and do not erode, privacy protections
relating to the use, collection, and disclosure of
personal information;
[[Page 132 STAT. 4174]]
``(B) assuring that personal information contained
in systems of records of the Agency is handled in full
compliance as specified in section 552a of title 5,
United States Code (commonly known as the `Privacy Act
of 1974');
``(C) <<NOTE: Evaluation.>> evaluating legislative
and regulatory proposals involving collection, use, and
disclosure of personal information by the Agency; and
``(D) <<NOTE: Assessment.>> conducting a privacy
impact assessment of proposed rules of the Agency on the
privacy of personal information, including the type of
personal information collected and the number of people
affected.
``(i) Savings.--Nothing in this title may be construed as affecting
in any manner the authority, existing on the day before the date of
enactment of this title, of any other component of the Department or any
other Federal department or agency, including the authority provided to
the Sector-Specific Agency specified in section 61003(c) of division F
of the Fixing America's Surface Transportation Act (6 U.S.C. 121 note;
Public Law 114-94).
``SEC. 2203. <<NOTE: 6 USC 653.>> CYBERSECURITY DIVISION.
``(a) Establishment.--
``(1) In general.--There is established in the Agency a
Cybersecurity Division.
``(2) Assistant director.--The Cybersecurity Division shall
be headed by an Assistant Director for Cybersecurity (in this
section referred to as the `Assistant Director'), who shall--
``(A) be at the level of Assistant Secretary within
the Department;
``(B) <<NOTE: Appointment. President.>> be
appointed by the President without the advice and
consent of the Senate; and
``(C) report to the Director.
``(3) Reference.--Any reference to the Assistant Secretary
for Cybersecurity and Communications in any law, regulation,
map, document, record, or other paper of the United States shall
be deemed to be a reference to the Assistant Director for
Cybersecurity.
``(b) Functions.--The Assistant Director shall--
``(1) direct the cybersecurity efforts of the Agency;
``(2) carry out activities, at the direction of the
Director, related to the security of Federal information and
Federal information systems consistent with law, including
subchapter II of chapter 35 of title 44, United States Code, and
the Cybersecurity Act of 2015 (contained in division N of the
Consolidated Appropriations Act, 2016 (Public Law 114-113));
``(3) fully participate in the mechanisms required under
section 2202(c)(7); and
``(4) carry out such other duties and powers as prescribed
by the Director.
``SEC. 2204. <<NOTE: 6 USC 654.>> INFRASTRUCTURE SECURITY
DIVISION.
``(a) Establishment.--
``(1) In general.--There is established in the Agency an
Infrastructure Security Division.
``(2) Assistant director.--The Infrastructure Security
Division shall be headed by an Assistant Director for
Infrastructure Security (in this section referred to as the
`Assistant Director'), who shall--
[[Page 132 STAT. 4175]]
``(A) be at the level of Assistant Secretary within
the Department;
``(B) <<NOTE: Appointment. President.>> be
appointed by the President without the advice and
consent of the Senate; and
``(C) report to the Director.
``(3) Reference.--Any reference to the Assistant Secretary
for Infrastructure Protection in any law, regulation, map,
document, record, or other paper of the United States shall be
deemed to be a reference to the Assistant Director for
Infrastructure Security.
``(b) Functions.--The Assistant Director shall--
``(1) direct the critical infrastructure security efforts of
the Agency;
``(2) carry out, at the direction of the Director, the
Chemical Facilities Anti-Terrorism Standards Program established
under title XXI and the secure handling of ammonium nitrate
program established under subtitle J of title VIII, or any
successor programs;
``(3) fully participate in the mechanisms required under
section 2202(c)(7); and
``(4) carry out such other duties and powers as prescribed
by the Director.''.
(b) Treatment of Certain Positions.--
(1) Under secretary <<NOTE: 6 USC 652 note.>> .--The
individual serving as the Under Secretary appointed pursuant to
section 103(a)(1)(H) of the Homeland Security Act of 2002 (6
U.S.C. 113(a)(1)(H)) of the Department of Homeland Security on
the day before the date of enactment of this Act may continue to
serve as the Director of Cybersecurity and Infrastructure
Security of the Department on and after such date.
(2) Director for emergency <<NOTE: 6 USC 571
note.>> communications.--The individual serving as the Director
for Emergency Communications of the Department of Homeland
Security on the day before the date of enactment of this Act may
continue to serve as the Assistant Director for Emergency
Communications of the Department on and after such date.
(3) Assistant secretary for cybersecurity and
communications <<NOTE: 6 USC 653 note.>> .--The individual
serving as the Assistant Secretary for Cybersecurity and
Communications on the day before the date of enactment of this
Act may continue to serve as the Assistant Director for
Cybersecurity on and after such date.
(4) Assistant secretary for infrastructure
protection <<NOTE: 6 USC 654 note.>> .--The individual serving
as the Assistant Secretary for Infrastructure Protection on the
day before the date of enactment of this Act may continue to
serve as the Assistant Director for Infrastructure Security on
and after such date.
(c) Reference <<NOTE: 6 USC 571 note.>> .--Any reference to--
(1) the Office of Emergency Communications in any law,
regulation, map, document, record, or other paper of the United
States shall be deemed to be a reference to the Emergency
Communications Division; and
(2) the Director for Emergency Communications in any law,
regulation, map, document, record, or other paper of the United
States shall be deemed to be a reference to the Assistant
Director for Emergency Communications.
(d) Oversight <<NOTE: Deadlines.>> .--The Director of Cybersecurity
and Infrastructure Security of the Department of Homeland Security shall
provide
[[Page 132 STAT. 4176]]
to Congress, in accordance with the deadlines specified in paragraphs
(1) through (6), information on the following:
(1) <<NOTE: Briefing.>> Not later than 60 days after the
date of enactment of this Act, a briefing on the activities of
the Agency relating to the development and use of the mechanisms
required pursuant to section 2202(c)(6) of the Homeland Security
Act of 2002 (as added by subsection (a)).
(2) <<NOTE: Briefing.>> Not later than 1 year after the
date of the enactment of this Act, a briefing on the activities
of the Agency relating to the use and improvement by the Agency
of the mechanisms required pursuant to section 2202(c)(6) of the
Homeland Security Act of 2002 and how such activities have
impacted coordination, situational awareness, and communications
with Sector-Specific Agencies.
(3) Not later than 90 days after the date of the enactment
of this Act, information on the mechanisms of the Agency for
regular and ongoing consultation and collaboration, as required
pursuant to section 2202(c)(7) of the Homeland Security Act of
2002 (as added by subsection (a)).
(4) Not later than 1 year after the date of the enactment of
this Act, information on the activities of the consultation and
collaboration mechanisms of the Agency as required pursuant to
section 2202(c)(7) of the Homeland Security Act of 2002, and how
such mechanisms have impacted operational coordination,
situational awareness, and integration across the Agency.
(5) Not later than 180 days after the date of enactment of
this Act, information, which shall be made publicly available
and updated as appropriate, on the mechanisms and structures of
the Agency responsible for stakeholder outreach and engagement,
as required under section 2202(c)(10) of the Homeland Security
Act of 2002 (as added by subsection (a)).
(e) Cyber Workforce <<NOTE: Coordination. Reports.>> .--Not later
than 90 days after the date of enactment of this Act, the Director of
the Cybersecurity and Infrastructure Security Agency of the Department
of Homeland Security, in coordination with the Director of the Office of
Personnel Management, shall submit to Congress a report detailing how
the Agency is meeting legislative requirements under the Cybersecurity
Workforce Assessment Act (Public Law 113-246; 128 Stat. 2880) and the
Homeland Security Cybersecurity Workforce Assessment Act (enacted as
section 4 of the Border Patrol Agent Pay Reform Act of 2014; Public Law
113-277) to address cyber workforce needs.
(f) Facility <<NOTE: Reports.>> .--Not later than 180 days after the
date of enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency of the Department of Homeland Security
shall report to Congress on the most efficient and effective methods of
consolidating Agency facilities, personnel, and programs to most
effectively carry out the Agency's mission.
(g) Technical and Conforming Amendments to the Homeland Security Act
of 2002.--The Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is
amended--
(1) by amending section 103(a)(1)(H) (6 U.S.C. 113(a)(1)(H))
to read as follows:
``(H) A Director of the Cybersecurity and
Infrastructure Security Agency.'';
(2) in title II (6 U.S.C. 121 et seq.)--
(A) in the title heading, by striking ``AND
INFRASTRUCTURE PROTECTION'';
[[Page 132 STAT. 4177]]
(B) in the subtitle A heading, by striking ``and
Infrastructure Protection'';
(C) in section 201 (6 U.S.C. 121)--
(i) in the section heading, by striking ``and
infrastructure protection'';
(ii) in subsection (a)--
(I) in the subsection heading, by
striking ``and Infrastructure
Protection''; and
(II) by striking ``and an Office of
Infrastructure Protection'';
(iii) in subsection (b)--
(I) in the subsection heading, by
striking ``and Assistant Secretary for
Infrastructure Protection''; and
(II) by striking paragraph (3);
(iv) in subsection (c)--
(I) by striking ``and infrastructure
protection''; and
(II) by striking ``or the Assistant
Secretary for Infrastructure Protection,
as appropriate'';
(v) in subsection (d)--
(I) in the subsection heading, by
striking ``and Infrastructure
Protection'';
(II) in the matter preceding
paragraph (1), by striking ``and
infrastructure protection'';
(III) by striking paragraphs (5),
(6), and (25);
(IV) by redesignating paragraphs (7)
through (24) as paragraphs (5) through
(22), respectively;
(V) by redesignating paragraph (26)
as paragraph (23); and
(VI) in paragraph (23)(B)(i), as so
redesignated, by striking ``section
319'' and inserting ``section 320'';
(vi) in subsection (e)(1), by striking ``and
the Office of Infrastructure Protection''; and
(vii) in subsection (f)(1), by striking ``and
the Office of Infrastructure Protection'';
(D) in section 202 (6 U.S.C. 122)--
(i) in subsection (c), in the matter preceding
paragraph (1), by striking ``Director of Central
Intelligence'' and inserting ``Director of
National Intelligence''; and
(ii) in subsection (d)(2), by striking
``Director of Central Intelligence'' and inserting
``Director of National Intelligence'';
(E) in section 204 (6 U.S.C. 124a)--
(i) in subsection (c)(1), in the matter
preceding subparagraph (A), by striking
``Assistant Secretary for Infrastructure
Protection'' and inserting ``Director of the
Cybersecurity and Infrastructure Security
Agency''; and
(ii) in subsection (d)(1), in the matter
preceding subparagraph (A), by striking
``Assistant Secretary for Infrastructure
Protection'' and inserting ``Director of the
Cybersecurity and Infrastructure Security
Agency'';
(F) in section 210A(c)(2)(B) (6 U.S.C.
124h(c)(2)(B)), by striking ``Office of Infrastructure
Protection'' and
[[Page 132 STAT. 4178]]
inserting ``Cybersecurity and Infrastructure Security
Agency'';
(G) by redesignating section 210E (6 U.S.C. 124l) as
section 2214 <<NOTE: 6 USC 664.>> and transferring such
section to appear after section 2213 (as redesignated by
subparagraph (I));
(H) <<NOTE: 6 USC 671-674.>> in subtitle B, by
redesignating sections 211 through 215 (6 U.S.C. 101
note, and 131 through 134) as sections 2221 through
2225, respectively, and transferring such subtitle,
including the enumerator and heading of subtitle B and
such sections, to appear after section 2214 (as
redesignated by subparagraph (G));
(I) <<NOTE: 6 USC 655-663.>> by redesignating
sections 223 through 230 (6 U.S.C. 143 through 151) as
sections 2205 through 2213, respectively, and
transferring such sections to appear after section 2204,
as added by this Act;
(J) <<NOTE: 6 USC 124m.>> by redesignating section
210F as section 210E; and
(K) by redesignating subtitles C and D as subtitles
B and C, respectively;
(3) in title III (6 U.S.C. 181 et seq.)--
(A) in section 302 (6 U.S.C. 182)--
(i) by striking ``biological,,'' each place
that term appears and inserting ``biological,'';
and
(ii) in paragraph (3), by striking ``Assistant
Secretary for Infrastructure Protection'' and
inserting ``Director of the Cybersecurity and
Infrastructure Security Agency'';
(B) by redesignating the second section 319 (6
U.S.C. 195f) (relating to EMP and GMD mitigation
research and development) as section 320; and
(C) in section 320(c)(1), as so redesignated, by
striking ``Section 214'' and inserting ``Section 2224'';
(4) in title V (6 U.S.C. 311 et seq.)--
(A) in section 508(d)(2)(D) (6 U.S.C. 318(d)(2)(D)),
by striking ``The Director of the Office of Emergency
Communications of the Department of Homeland Security''
and inserting ``The Assistant Director for Emergency
Communications'';
(B) in section 514 (6 U.S.C. 321c)--
(i) by striking subsection (b); and
(ii) by redesignating subsection (c) as
subsection (b); and
(C) in section 523 (6 U.S.C. 321l)--
(i) in subsection (a), in the matter preceding
paragraph (1), by striking ``Assistant Secretary
for Infrastructure Protection'' and inserting
``Director of Cybersecurity and Infrastructure
Security''; and
(ii) in subsection (c), by striking
``Assistant Secretary for Infrastructure
Protection'' and inserting ``Director of
Cybersecurity and Infrastructure Security'';
(5) in title VIII (6 U.S.C. 361 et seq.)--
(A) in section 884(d)(4)(A)(ii) (6 U.S.C.
464(d)(4)(A)(ii)), by striking ``Under Secretary
responsible for overseeing critical infrastructure
protection, cybersecurity, and other related programs of
the Department'' and inserting ``Director of
Cybersecurity and Infrastructure Security''; and
[[Page 132 STAT. 4179]]
(B) in section 899B(a) (6 U.S.C. 488a(a)), by adding
at the end the following: ``Such regulations shall be
carried out by the Cybersecurity and Infrastructure
Security Agency.'';
(6) in title XVIII (6 U.S.C. 571 et seq.)--
(A) in section 1801 (6 U.S.C. 571)--
(i) in the section heading, by striking
``office of emergency communications'' and
inserting ``emergency communications division'';
(ii) in subsection (a)--
(I) by striking ``Office of
Emergency Communications'' and inserting
``Emergency Communications Division'';
and
(II) by adding at the end the
following: ``The Division shall be
located in the Cybersecurity and
Infrastructure Security Agency.'';
(iii) by amending subsection (b) to read as
follows:
``(b) Assistant Director.--The head of the Division shall be the
Assistant Director for Emergency Communications. The Assistant Director
shall report to the Director of Cybersecurity and Infrastructure
Security. All decisions of the Assistant Director that entail the
exercise of significant authority shall be subject to the approval of
the Director of Cybersecurity and Infrastructure Security.'';
(iv) in subsection (c)--
(I) in the matter preceding
paragraph (1), by inserting
``Assistant'' before ``Director'';
(II) in paragraph (14), by striking
``and'' at the end;
(III) in paragraph (15), by striking
the period at the end and inserting ``;
and''; and
(IV) by inserting after paragraph
(15) the following:
``(16) fully participate in the mechanisms required under
section 2202(c)(7).'';
(v) in subsection (d), in the matter preceding
paragraph (1), by inserting ``Assistant'' before
``Director''; and
(vi) in subsection (e), in the matter
preceding paragraph (1), by inserting
``Assistant'' before ``Director'';
(B) in sections 1802 through 1805 (6 U.S.C. 572
through 575), by striking ``Director for Emergency
Communications'' each place that term appears and
inserting ``Assistant Director for Emergency
Communications'';
(C) in section 1809 (6 U.S.C. 579)--
(i) by striking ``Director of Emergency
Communications'' each place that term appears and
inserting ``Assistant Director for Emergency
Communications'';
(ii) in subsection (b)--
(I) by striking ``Director for
Emergency Communications'' and inserting
``Assistant Director for Emergency
Communications''; and
(II) by striking ``Office of
Emergency Communications'' and inserting
``Emergency Communications Division'';
(iii) in subsection (e)(3), by striking ``the
Director'' and inserting ``the Assistant
Director''; and
(iv) in subsection (m)(1)--
[[Page 132 STAT. 4180]]
(I) by striking ``The Director'' and
inserting ``The Assistant Director'';
(II) by striking ``the Director
determines'' and inserting ``the
Assistant Director determines''; and
(III) by striking ``Office of
Emergency Communications'' and inserting
``Cybersecurity and Infrastructure
Security Agency'';
(D) in section 1810 (6 U.S.C. 580)--
(i) in subsection (a)(1), by striking
``Director of the Office of Emergency
Communications (referred to in this section as the
`Director')'' and inserting ``Assistant Director
for Emergency Communications (referred to in this
section as the `Assistant Director')'';
(ii) in subsection (c), by striking ``Office
of Emergency Communications'' and inserting
``Emergency Communications Division''; and
(iii) by striking ``Director'' each place that
term appears and inserting ``Assistant Director'';
(7) in title XX (6 U.S.C. 601 et seq.)--
(A) in paragraph (4)(A)(iii)(II) of section 2001 (6
U.S.C. 601), by striking ``section 210E(a)(2)'' and
inserting ``section 2214(a)(2)'';
(B) in section 2008(a)(3) (6 U.S.C. 609(a)(3)), by
striking ``section 210E(a)(2)'' and inserting ``section
2214(a)(2)''; and
(C) in section 2021 (6 U.S.C. 611)--
(i) by striking subsection (c); and
(ii) by redesignating subsection (d) as
subsection (c);
(8) in title XXI (6 U.S.C. 621 et seq.)--
(A) in section 2102(a)(1) (6 U.S.C. 622(a)(1)), by
inserting ``, which shall be located in the
Cybersecurity and Infrastructure Security Agency''
before the period at the end; and
(B) in section 2104(c)(2) (6 U.S.C. 624(c)(2)), by
striking ``Under Secretary responsible for overseeing
critical infrastructure protection, cybersecurity, and
other related programs of the Department appointed under
section 103(a)(1)(H)'' and inserting ``Director of
Cybersecurity and Infrastructure Security''; and
(9) in title XXII, as added by this Act--
(A) in subtitle A--
(i) in section 2205, as so redesignated--
(I) in the matter preceding
paragraph (1)--
(aa) by striking ``section
201'' and inserting ``section
2202''; and
(bb) by striking ``Under
Secretary appointed under
section 103(a)(1)(H)'' and
inserting ``Director of
Cybersecurity and Infrastructure
Security''; and
(II) in paragraph (1)(B), by
striking ``and'' at the end;
(ii) in section 2206, as so redesignated, by
striking ``Assistant Secretary for Infrastructure
Protection'' and inserting ``Director of
Cybersecurity and Infrastructure Security'';
(iii) in section 2209, as so redesignated--
[[Page 132 STAT. 4181]]
(I) by striking ``Under Secretary
appointed under section 103(a)(1)(H)''
each place that term appears and
inserting ``Director'';
(II) in subsection (a)(4), by
striking ``section 212(5)'' and
inserting ``section 2222(5)'';
(III) in subsection (b), by adding
at the end the following: ``The Center
shall be located in the Cybersecurity
and Infrastructure Security Agency. The
head of the Center shall report to the
Assistant Director for Cybersecurity.'';
and
(IV) in subsection (c)(11), by
striking ``Office of Emergency
Communications'' and inserting
``Emergency Communications Division'';
(iv) in section 2210, as so redesignated--
(I) by striking ``section 227'' each
place that term appears and inserting
``section 2209''; and
(II) in subsection (c)--
(aa) by striking ``Under
Secretary appointed under
section 103(a)(1)(H)'' and
inserting ``Director of
Cybersecurity and Infrastructure
Security''; and
(bb) by striking ``section
212(5)'' and inserting ``section
2222(5)'';
(v) in section 2211(b)(2)(A), as so
redesignated, by striking ``the section 227'' and
inserting ``section 2209'';
(vi) in section 2212, as so redesignated, by
striking ``section 212(5)'' and inserting
``section 2222(5)'';
(vii) in section 2213(a), as so redesignated--
(I) in paragraph (3), by striking
``section 228'' and inserting ``section
2210''; and
(II) in paragraph (4), by striking
``section 227'' and inserting ``section
2209''; and
(viii) in section 2214, as so redesignated--
(I) by striking subsection (e); and
(II) by redesignating subsection (f)
as subsection (e); and
(B) in subtitle B--
(i) in section 2222(8), as so redesignated, by
striking ``section 227'' and inserting ``section
2209''; and
(ii) in section 2224(h), as so redesignated,
by striking ``section 213'' and inserting
``section 2223'';
(h) Technical and Conforming Amendments to Other Laws.--
(1) Cybersecurity act of 2015.--The Cybersecurity Act of
2015 (6 U.S.C. 1501 et seq.) is amended--
(A) in section 202(2) (6 U.S.C. 131 note)--
(i) by striking ``section 227'' and inserting
``section 2209''; and
(ii) by striking ``, as so redesignated by
section 223(a)(3) of this division'';
(B) in section 207(2) (Public Law 114-113; 129 Stat.
2962)--
(i) by striking ``section 227'' and inserting
``section 2209''; and
(ii) by striking ``, as redesignated by
section 223(a) of this division,'';
[[Page 132 STAT. 4182]]
(C) in section 208 (Public Law 114-113; 129 Stat.
2962), by striking ``Under Secretary appointed under
section 103(a)(1)(H) of the Homeland Security Act of
2002 (6 U.S.C. 113(a)(1)(H))'' and inserting ``Director
of Cybersecurity and Infrastructure Security of the
Department'';
(D) in section 222 (6 U.S.C. 1521)--
(i) in paragraph (2)--
(I) by striking ``section 228'' and
inserting ``section 2210''; and
(II) by striking ``, as added by
section 223(a)(4) of this division'';
and
(ii) in paragraph (4)--
(I) by striking ``section 227'' and
inserting ``section 2209''; and
(II) by striking ``, as so
redesignated by section 223(a)(3) of
this division'';
(E) in section 223(b) (6 U.S.C. 151 note)--
(i) by striking ``section 230(b)(1) of the
Homeland Security Act of 2002, as added by
subsection (a)'' each place that term appears and
inserting ``section 2213(b)(1) of the Homeland
Security Act of 2002''; and
(ii) in paragraph (1)(B), by striking
``section 230(b)(2) of the Homeland Security Act
of 2002, as added by subsection (a)'' and
inserting ``section 2213(b)(2) of the Homeland
Security Act of 2002'';
(F) in section 226 (6 U.S.C. 1524)--
(i) in subsection (a)--
(I) in paragraph (1)--
(aa) by striking ``section
230'' and inserting ``section
2213''; and
(bb) by striking ``, as
added by section 223(a)(6) of
this division'';
(II) in paragraph (4)--
(aa) by striking ``section
228(b)(1)'' and inserting
``section 2210(b)(1)''; and
(bb) by striking ``, as
added by section 223(a)(4) of
this division''; and
(III) in paragraph (5)--
(aa) by striking ``section
230(b)'' and inserting ``section
2213(b)''; and
(bb) by striking ``, as
added by section 223(a)(6) of
this division''; and
(ii) in subsection (c)(1)(A)(vi)--
(I) by striking ``section
230(c)(5)'' and inserting ``section
2213(c)(5)''; and
(II) by striking ``, as added by
section 223(a)(6) of this division'';
(G) in section 227 (6 U.S.C. 1525)--
(i) in subsection (a)--
(I) by striking ``section 230'' and
inserting ``section 2213''; and
(II) by striking ``, as added by
section 223(a)(6) of this division,'';
and
(ii) in subsection (b)--
(I) by striking ``section
230(d)(2)'' and inserting ``section
2213(d)(2)''; and
[[Page 132 STAT. 4183]]
(II) by striking ``, as added by
section 223(a)(6) of this division,'';
and
(H) in section 404 (6 U.S.C. 1532)--
(i) by striking ``Director for Emergency
Communications'' each place that term appears and
inserting ``Assistant Director for Emergency
Communications''; and
(ii) in subsection (a)--
(I) by striking ``section 227'' and
inserting ``section 2209''; and
(II) by striking ``, as redesignated
by section 223(a)(3) of this
division,''.
(2) Small business act.--Section 21(a)(8)(B) of the Small
Business Act (15 U.S.C. 648(a)(8)(B)) is amended by striking
``section 227(a) of the Homeland Security Act of 2002 (6 U.S.C.
148(a))'' and inserting ``section 2209(a) of the Homeland
Security Act of 2002''.
(3) Title 5.--Subchapter II of chapter 53 of title 5, United
States Code, is amended--
(A) in section 5314, by inserting after ``Under
Secretaries, Department of Homeland Security.'' the
following:
``Director, Cybersecurity and Infrastructure Security
Agency.''; and
(B) in section 5315, by inserting after ``Assistant
Secretaries, Department of Homeland Security.'' the
following:
``Assistant Director for Cybersecurity, Cybersecurity and
Infrastructure Security Agency.
``Assistant Director for Infrastructure Security,
Cybersecurity and Infrastructure Security Agency.''.
(i) Table of Contents Amendments.--The table of contents in section
1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 116 Stat.
2135) is amended--
(1) by striking the item relating to title II and inserting
the following:
``TITLE II--INFORMATION ANALYSIS'';
(2) by striking the item relating to subtitle A of title II
and inserting the following:
``Subtitle A--Information and Analysis; Access to Information'';
(3) by striking the item relating to section 201 and
inserting the following:
``Sec. 201. Information and analysis.'';
(4) by striking the items relating to sections 210E and 210F
and inserting the following:
``Sec. 210E. Classified Information Advisory Officer.'';
(5) by striking the items relating to subtitle B of title II
and sections 211 through 215;
(6) by striking the items relating to section 223 through
section 230;
(7) by striking the item relating to subtitle C and
inserting the following:
[[Page 132 STAT. 4184]]
``Subtitle B--Information Security'';
(8) by striking the item relating to subtitle D and
inserting the following:
``Subtitle C--Office of Science and Technology'';
(9) by striking the items relating to sections 317, 319,
318, and 319 and inserting the following:
``Sec. 317. Promoting antiterrorism through international cooperation
program.
``Sec. 318. Social media working group.
``Sec. 319. Transparency in research and development.
``Sec. 320. EMP and GMD mitigation research and development.'';
(10) by striking the item relating to section 1801 and
inserting the following:
``Sec. 1801. Emergency Communications Division.''; and
(11) by adding at the end the following:
``TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
``Subtitle A--Cybersecurity and Infrastructure Security
``Sec. 2201. Definitions.
``Sec. 2202. Cybersecurity and Infrastructure Security Agency.
``Sec. 2203. Cybersecurity Division.
``Sec. 2204. Infrastructure Security Division.
``Sec. 2205. Enhancement of Federal and non-Federal cybersecurity.
``Sec. 2206. Net guard.
``Sec. 2207. Cyber Security Enhancement Act of 2002.
``Sec. 2208. Cybersecurity recruitment and retention.
``Sec. 2209. National cybersecurity and communications integration
center.
``Sec. 2210. Cybersecurity plans.
``Sec. 2211. Cybersecurity strategy.
``Sec. 2212. Clearances.
``Sec. 2213. Federal intrusion detection and prevention system.
``Sec. 2214. National Asset Database.
``Subtitle B--Critical Infrastructure Information
``Sec. 2221. Short title.
``Sec. 2222. Definitions.
``Sec. 2223. Designation of critical infrastructure protection program.
``Sec. 2224. Protection of voluntarily shared critical infrastructure
information.
``Sec. 2225. No private right of action.''.
SEC. 3. <<NOTE: 6 USC 452 note.>> TRANSFER OF OTHER ENTITIES.
(a) <<NOTE: Effective date.>> Office of Biometric Identity
Management.--The Office of Biometric Identity Management of the
Department of Homeland Security located in the National Protection and
Programs Directorate of the Department of Homeland Security on the day
before the date of enactment of this Act is hereby transferred to the
Management Directorate of the Department.
(b) Federal Protective Service.--
(1) In general <<NOTE: Deadline. Determination.>> .--Not
later than 90 days after the completion of the Government
Accountability Office review of the organizational placement of
the Federal Protective Service (authorized under section 1315 of
title 40, United States Code), the Secretary of Homeland
Security shall determine the appropriate placement of the
Service within the Department of Homeland Security and commence
the transfer of the Service to such component, directorate, or
other office of the Department that the Secretary so determines
appropriate.
(2) Exception. <<NOTE: Determination. Deadlines.>> --If the
Secretary of Homeland Security determines pursuant to paragraph
(1) that no component, directorate, or other office of the
Department of Homeland Security
[[Page 132 STAT. 4185]]
is an appropriate placement for the Federal Protective Service,
the Secretary shall--
(A) provide to the Committee on Homeland Security
and the Committee on Transportation and Infrastructure
of the House of Representatives and the Committee on
Homeland Security and Governmental Affairs of the Senate
and the Office of Management and Budget a detailed
explanation, in writing, of the reason for such
determination that includes--
(i) information on how the Department
considered the Government Accountability Office
review described in such paragraph;
(ii) <<NOTE: Lists.>> a list of the
components, directorates, or other offices of the
Department that were considered for such
placement; and
(iii) information on why each such component,
directorate, or other office of the Department was
determined to not be an appropriate placement for
the Service;
(B) <<NOTE: Coordination plan. Determination.>> not
later than 120 days after the completion of the
Government Accountability Office review described in
such paragraph, develop and submit to the committees
specified in subparagraph (A) and the Office of
Management and Budget a plan to coordinate with other
appropriate Federal agencies, including the General
Services Administration, to determine a more appropriate
placement for the Service; and
(C) <<NOTE: Recommenda- tions.>> not later than 180
days after the completion of such Government
Accountability Office review, submit to such committees
and the Office of Management and Budget a recommendation
regarding the appropriate placement of the Service
within the executive branch of the Federal Government.
SEC. 4. DHS REPORT ON CLOUD-BASED CYBERSECURITY.
(a) Definition.--In this section, the term ``Department'' means the
Department of Homeland Security.
(b) <<NOTE: Coordination.>> Report.--Not later than 120 days after
the date of enactment of this Act, the Secretary of Homeland Security,
in coordination with the Director of the Office of Management and Budget
and the Administrator of General Services, shall submit to the Committee
on Homeland Security and Governmental Affairs of the Senate and the
Committee on Oversight and Government Reform and the Committee on
Homeland Security of the House of Representatives a report on the
leadership role of the Department in cloud-based cybersecurity
deployments for civilian Federal departments and agencies, which shall
include--
(1) information on the plan of the Department for ensuring
access to a security operations center as a service capability
in accordance with the December 19, 2017 Report to the President
on Federal IT Modernization issued by the American Technology
Council;
(2) information on what service capabilities under paragraph
(1) the Department will prioritize, including--
(A) <<NOTE: Criteria.>> criteria the Department
will use to evaluate capabilities offered by the private
sector; and
[[Page 132 STAT. 4186]]
(B) how Federal government- and private sector-
provided capabilities will be integrated to enable
visibility and consistency of such capabilities across
all cloud and on premise environments, as called for in
the report described in paragraph (1); and
(3) information on how the Department will adapt the current
capabilities of, and future enhancements to, the intrusion
detection and prevention system of the Department and the
Continuous Diagnostics and Mitigation Program of the Department
to secure civilian Federal government networks in a cloud
environment.
SEC. 5. <<NOTE: 6 USC 651 note.>> RULE OF CONSTRUCTION.
Nothing in this Act or an amendment made by this Act may be
construed as--
(1) conferring new authorities to the Secretary of Homeland
Security, including programmatic, regulatory, or enforcement
authorities, outside of the authorities in existence on the day
before the date of enactment of this Act;
(2) reducing or limiting the programmatic, regulatory, or
enforcement authority vested in any other Federal agency by
statute; or
(3) affecting in any manner the authority, existing on the
day before the date of enactment of this Act, of any other
Federal agency or component of the Department of Homeland
Security.
SEC. 6. PROHIBITION ON ADDITIONAL FUNDING.
No additional funds are authorized to be appropriated to carry out
this Act or the amendments made by this Act. This Act and the amendments
made by this Act shall be carried out using amounts otherwise
authorized.
Approved November 16, 2018.
LEGISLATIVE HISTORY--H.R. 3359:
---------------------------------------------------------------------------
HOUSE REPORTS: No. 115-454, Pt. 1 (Comm. on Homeland Security).
CONGRESSIONAL RECORD:
Vol. 163 (2017):
Dec. 11, considered and passed
House.
Vol. 164 (2018):
Oct. 3, considered and passed
Senate, amended.
Nov. 13, House concurred in Senate
amendment.
DAILY COMPILATION OF PRESIDENTIAL DOCUMENTS (2018):
Nov. 16, Presidential remarks.
<all>