H. Rept. 114-63 - PROTECTING CYBER NETWORKS ACT114th Congress (2015-2016)
Committee Report
| Report Type: | House Report |
|---|---|
| Accompanies: | H.R.1560 |
| Committees: |
H. Rept. 114-63 - 114th Congress (2015-2016)
Report text available as:
- TXT
Formatting necessary for an accurate reading of this legislative text may be shown by tags (e.g., <DELETED> or <BOLD>) or may be missing from this TXT display. For complete and accurate display of this text, see the PDF.
House Report 114-63 - PROTECTING CYBER NETWORKS ACT
[House Report 114-63]
[From the U.S. Government Publishing Office]
114th Congress } { Report
HOUSE OF REPRESENTATIVES
1st Session } { 114-63
======================================================================
PROTECTING CYBER NETWORKS ACT
_______
April 13, 2015.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Mr. Nunes, from the Permanent Select Committee on Intelligence,
submitted the following
R E P O R T
[To accompany H.R. 1560]
[Including cost estimate of the Congressional Budget Office]
The Committee on Permanent Select Committee on
Intelligence, to whom was referred the bill (H.R. 1560) to
improve cybersecurity in the United States through enhanced
sharing of information about cybersecurity threats, and for
other purposes, having considered the same, report favorably
thereon with an amendment and recommend that the bill as
amended do pass.
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Protecting Cyber
Networks Act''.
(b) Table of Contents.--The table of contents of this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Sharing of cyber threat indicators and defensive measures by
the Federal Government with non-Federal entities.
Sec. 3. Authorizations for preventing, detecting, analyzing, and
mitigating cybersecurity threats.
Sec. 4. Sharing of cyber threat indicators and defensive measures with
appropriate Federal entities other than the Department of Defense or
the National Security Agency.
Sec. 5. Federal Government liability for violations of privacy or civil
liberties.
Sec. 6. Protection from liability.
Sec. 7. Oversight of Government activities.
Sec. 8. Report on cybersecurity threats.
Sec. 9. Construction and preemption.
Sec. 10. Conforming amendments.
Sec. 11. Definitions.
SEC. 2. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES BY
THE FEDERAL GOVERNMENT WITH NON-FEDERAL ENTITIES.
(a) In General.--Title I of the National Security Act of 1947 (50
U.S.C. 3021 et seq.) is amended by inserting after section 110 (50
U.S.C. 3045) the following new section:
``SEC. 111. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES
BY THE FEDERAL GOVERNMENT WITH NON-FEDERAL
ENTITIES.
``(a) Sharing by the Federal Government.--
``(1) In general.--Consistent with the protection of
classified information, intelligence sources and methods, and
privacy and civil liberties, the Director of National
Intelligence, in consultation with the heads of the other
appropriate Federal entities, shall develop and promulgate
procedures to facilitate and promote--
``(A) the timely sharing of classified cyber threat
indicators in the possession of the Federal Government
with representatives of relevant non-Federal entities
with appropriate security clearances;
``(B) the timely sharing with relevant non-Federal
entities of cyber threat indicators in the possession
of the Federal Government that may be declassified and
shared at an unclassified level; and
``(C) the sharing with non-Federal entities, if
appropriate, of information in the possession of the
Federal Government about imminent or ongoing
cybersecurity threats to such entities to prevent or
mitigate adverse impacts from such cybersecurity
threats.
``(2) Development of procedures.--The procedures developed
and promulgated under paragraph (1) shall--
``(A) ensure the Federal Government has and maintains
the capability to share cyber threat indicators in real
time consistent with the protection of classified
information;
``(B) incorporate, to the greatest extent
practicable, existing processes and existing roles and
responsibilities of Federal and non-Federal entities
for information sharing by the Federal Government,
including sector-specific information sharing and
analysis centers;
``(C) include procedures for notifying non-Federal
entities that have received a cyber threat indicator
from a Federal entity in accordance with this Act that
is known or determined to be in error or in
contravention of the requirements of this section, the
Protecting Cyber Networks Act, or the amendments made
by such Act or another provision of Federal law or
policy of such error or contravention;
``(D) include requirements for Federal entities
receiving a cyber threat indicator or defensive measure
to implement appropriate security controls to protect
against unauthorized access to, or acquisition of, such
cyber threat indicator or defensive measure;
``(E) include procedures that require Federal
entities, prior to the sharing of a cyber threat
indicator, to--
``(i) review such cyber threat indicator to
assess whether such cyber threat indicator, in
contravention of the requirement under section
3(d)(2) of the Protecting Cyber Networks Act,
contains any information that such Federal
entity knows at the time of sharing to be
personal information of or information
identifying a specific person not directly
related to a cybersecurity threat and remove
such information; or
``(ii) implement a technical capability
configured to remove or exclude any personal
information of or information identifying a
specific person not directly related to a
cybersecurity threat; and
``(F) include procedures to promote the efficient
granting of security clearances to appropriate
representatives of non-Federal entities.
``(b) Definitions.--In this section, the terms `appropriate Federal
entities', `cyber threat indicator', `defensive measure', `Federal
entity', and `non-Federal entity' have the meaning given such terms in
section 11 of the Protecting Cyber Networks Act.''.
(b) Submittal to Congress.--Not later than 90 days after the date of
the enactment of this Act, the Director of National Intelligence, in
consultation with the heads of the other appropriate Federal entities,
shall submit to Congress the procedures required by section 111(a) of
the National Security Act of 1947, as inserted by subsection (a) of
this section.
(c) Table of Contents Amendment.--The table of contents in the first
section of the National Security Act of 1947 is amended by inserting
after the item relating to section 110 the following new item:
``Sec. 111. Sharing of cyber threat indicators and defensive measures
by the Federal Government with non-Federal entities.''.
SEC. 3. AUTHORIZATIONS FOR PREVENTING, DETECTING, ANALYZING, AND
MITIGATING CYBERSECURITY THREATS.
(a) Authorization for Private-sector Defensive Monitoring.--
(1) In general.--Notwithstanding any other provision of law,
a private entity may, for a cybersecurity purpose, monitor--
(A) an information system of such private entity;
(B) an information system of a non-Federal entity or
a Federal entity, upon the written authorization of
such non-Federal entity or such Federal entity; and
(C) information that is stored on, processed by, or
transiting an information system monitored by the
private entity under this paragraph.
(2) Construction.--Nothing in this subsection shall be
construed to--
(A) authorize the monitoring of an information
system, or the use of any information obtained through
such monitoring, other than as provided in this Act;
(B) authorize the Federal Government to conduct
surveillance of any person; or
(C) limit otherwise lawful activity.
(b) Authorization for Operation of Defensive Measures.--
(1) In general.--Except as provided in paragraph (2) and
notwithstanding any other provision of law, a private entity
may, for a cybersecurity purpose, operate a defensive measure
that is operated on and is limited to--
(A) an information system of such private entity to
protect the rights or property of the private entity;
and
(B) an information system of a non-Federal entity or
a Federal entity upon written authorization of such
non-Federal entity or such Federal entity for operation
of such defensive measure to protect the rights or
property of such private entity, such non-Federal
entity, or such Federal entity.
(2) Limitation.--The authority provided in paragraph (1) does
not include the intentional or reckless operation of any
defensive measure that destroys, renders unusable or
inaccessible (in whole or in part), substantially harms, or
initiates a new action, process, or procedure on an information
system or information stored on, processed by, or transiting
such information system not owned by--
(A) the private entity operating such defensive
measure; or
(B) a non-Federal entity or a Federal entity that has
provided written authorization to that private entity
for operation of such defensive measure on the
information system or information of the entity in
accordance with this subsection.
(3) Construction.--Nothing in this subsection shall be
construed--
(A) to authorize the use of a defensive measure other
than as provided in this subsection; or
(B) to limit otherwise lawful activity.
(c) Authorization for Sharing or Receiving Cyber Threat Indicators or
Defensive Measures.--
(1) In general.--Except as provided in paragraph (2) and
notwithstanding any other provision of law, a non-Federal
entity may, for a cybersecurity purpose and consistent with the
requirement under subsection (d)(2) to remove personal
information of or information identifying a specific person not
directly related to a cybersecurity threat and the protection
of classified information--
(A) share a lawfully obtained cyber threat indicator
or defensive measure with any other non-Federal entity
or an appropriate Federal entity (other than the
Department of Defense or any component of the
Department, including the National Security Agency);
and
(B) receive a cyber threat indicator or defensive
measure from any other non-Federal entity or an
appropriate Federal entity.
(2) Lawful restriction.--A non-Federal entity receiving a
cyber threat indicator or defensive measure from another non-
Federal entity or a Federal entity shall comply with otherwise
lawful restrictions placed on the sharing or use of such cyber
threat indicator or defensive measure by the sharing non-
Federal entity or Federal entity.
(3) Construction.--Nothing in this subsection shall be
construed to--
(A) authorize the sharing or receiving of a cyber
threat indicator or defensive measure other than as
provided in this subsection;
(B) authorize the sharing or receiving of classified
information by or with any person not authorized to
access such classified information;
(C) prohibit any Federal entity from engaging in
formal or informal technical discussion regarding cyber
threat indicators or defensive measures with a non-
Federal entity or from providing technical assistance
to address vulnerabilities or mitigate threats at the
request of such an entity;
(D) limit otherwise lawful activity;
(E) prohibit a non-Federal entity, if authorized by
applicable law or regulation other than this Act, from
sharing a cyber threat indicator or defensive measure
with the Department of Defense or any component of the
Department, including the National Security Agency; or
(F) authorize the Federal Government to conduct
surveillance of any person.
(d) Protection and Use of Information.--
(1) Security of information.--A non-Federal entity monitoring
an information system, operating a defensive measure, or
providing or receiving a cyber threat indicator or defensive
measure under this section shall implement an appropriate
security control to protect against unauthorized access to, or
acquisition of, such cyber threat indicator or defensive
measure.
(2) Removal of certain personal information.--A non-Federal
entity sharing a cyber threat indicator pursuant to this Act
shall, prior to such sharing, take reasonable efforts to--
(A) review such cyber threat indicator to assess
whether such cyber threat indicator contains any
information that the non-Federal entity reasonably
believes at the time of sharing to be personal
information of or information identifying a specific
person not directly related to a cybersecurity threat
and remove such information; or
(B) implement a technical capability configured to
remove any information contained within such indicator
that the non-Federal entity reasonably believes at the
time of sharing to be personal information of or
information identifying a specific person not directly
related to a cybersecurity threat.
(3) Use of cyber threat indicators and defensive measures by
non-federal entities.--A non-Federal entity may, for a
cybersecurity purpose--
(A) use a cyber threat indicator or defensive measure
shared or received under this section to monitor or
operate a defensive measure on--
(i) an information system of such non-Federal
entity; or
(ii) an information system of another non-
Federal entity or a Federal entity upon the
written authorization of that other non-Federal
entity or that Federal entity; and
(B) otherwise use, retain, and further share such
cyber threat indicator or defensive measure subject
to--
(i) an otherwise lawful restriction placed by
the sharing non-Federal entity or Federal
entity on such cyber threat indicator or
defensive measure; or
(ii) an otherwise applicable provision of
law.
(4) Use of cyber threat indicators by state, tribal, or local
government.--
(A) Law enforcement use.--A State, tribal, or local
government may use a cyber threat indicator shared with
such State, tribal, or local government for the
purposes described in clauses (i), (ii), and (iii) of
section 4(d)(5)(A).
(B) Exemption from disclosure.--A cyber threat
indicator shared with a State, tribal, or local
government under this section shall be--
(i) deemed voluntarily shared information;
and
(ii) exempt from disclosure under any State,
tribal, or local law requiring disclosure of
information or records, except as otherwise
required by applicable State, tribal, or local
law requiring disclosure in any criminal
prosecution.
(e) No Right or Benefit.--The sharing of a cyber threat indicator
with a non-Federal entity under this Act shall not create a right or
benefit to similar information by such non-Federal entity or any other
non-Federal entity.
SEC. 4. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES WITH
APPROPRIATE FEDERAL ENTITIES OTHER THAN THE
DEPARTMENT OF DEFENSE OR THE NATIONAL SECURITY
AGENCY.
(a) Requirement for Policies and Procedures.--
(1) In general.--Section 111 of the National Security Act of
1947, as inserted by section 2 of this Act, is amended--
(A) by redesignating subsection (b) as subsection
(c); and
(B) by inserting after subsection (a) the following
new subsection:
``(b) Policies and Procedures for Sharing With the Appropriate
Federal Entities Other Than the Department of Defense or the National
Security Agency.--
``(1) Establishment.--The President shall develop and submit
to Congress policies and procedures relating to the receipt of
cyber threat indicators and defensive measures by the Federal
Government.
``(2) Requirements concerning policies and procedures.--The
policies and procedures required under paragraph (1) shall--
``(A) be developed in accordance with the privacy and
civil liberties guidelines required under section 4(b)
of the Protecting Cyber Networks Act;
``(B) ensure that--
``(i) a cyber threat indicator shared by a
non-Federal entity with an appropriate Federal
entity (other than the Department of Defense or
any component of the Department, including the
National Security Agency) pursuant to section 3
of such Act is shared in real-time with all of
the appropriate Federal entities (including all
relevant components thereof);
``(ii) the sharing of such cyber threat
indicator with appropriate Federal entities is
not subject to any delay, modification, or any
other action without good cause that could
impede receipt by all of the appropriate
Federal entities; and
``(iii) such cyber threat indicator is
provided to each other Federal entity to which
such cyber threat indicator is relevant; and
``(C) ensure there--
``(i) is an audit capability; and
``(ii) are appropriate sanctions in place for
officers, employees, or agents of a Federal
entity who knowingly and willfully use a cyber
threat indicator or defense measure shared with
the Federal Government by a non-Federal entity
under the Protecting Cyber Networks Act other
than in accordance with this section and such
Act.''.
(2) Submission.--The President shall submit to Congress--
(A) not later than 90 days after the date of the
enactment of this Act, interim policies and procedures
required under section 111(b)(1) of the National
Security Act of 1947, as inserted by paragraph (1) of
this section; and
(B) not later than 180 days after such date, final
policies and procedures required under such section
111(b)(1).
(b) Privacy and Civil Liberties.--
(1) Guidelines of attorney general.--The Attorney General, in
consultation with the heads of the other appropriate Federal
agencies and with officers designated under section 1062 of the
Intelligence Reform and Terrorism Prevention Act of 2004 (42
U.S.C. 2000ee-1), shall develop and periodically review
guidelines relating to privacy and civil liberties that govern
the receipt, retention, use, and dissemination of cyber threat
indicators by a Federal entity obtained in accordance with this
Act and the amendments made by this Act.
(2) Content.--The guidelines developed and reviewed under
paragraph (1) shall, consistent with the need to protect
information systems from cybersecurity threats and mitigate
cybersecurity threats--
(A) limit the impact on privacy and civil liberties
of activities by the Federal Government under this Act,
including guidelines to ensure that personal
information of or information identifying specific
persons is properly removed from information received,
retained, used, or disseminated by a Federal entity in
accordance with this Act or the amendments made by this
Act;
(B) limit the receipt, retention, use, and
dissemination of cyber threat indicators containing
personal information of or information identifying
specific persons, including by establishing--
(i) a process for the prompt destruction of
such information that is known not to be
directly related to a use for a cybersecurity
purpose;
(ii) specific limitations on the length of
any period in which a cyber threat indicator
may be retained; and
(iii) a process to inform recipients that
such indicators may only be used for a
cybersecurity purpose;
(C) include requirements to safeguard cyber threat
indicators containing personal information of or
identifying specific persons from unauthorized access
or acquisition, including appropriate sanctions for
activities by officers, employees, or agents of the
Federal Government in contravention of such guidelines;
(D) include procedures for notifying non-Federal
entities and Federal entities if information received
pursuant to this section is known or determined by a
Federal entity receiving such information not to
constitute a cyber threat indicator;
(E) be consistent with any other applicable
provisions of law and the fair information practice
principles set forth in appendix A of the document
entitled ``National Strategy for Trusted Identities in
Cyberspace'' and published by the President in April,
2011; and
(F) include steps that may be needed so that
dissemination of cyber threat indicators is consistent
with the protection of classified information and other
sensitive national security information.
(3) Submission.--The Attorney General shall submit to
Congress--
(A) not later than 90 days after the date of the
enactment of this Act, interim guidelines required
under paragraph (1); and
(B) not later than 180 days after such date, final
guidelines required under such paragraph.
(c) National Cyber Threat Intelligence Integration Center.--
(1) Establishment.--Title I of the National Security Act of
1947 (50 U.S.C. 3021 et seq.), as amended by section 2 of this
Act, is further amended--
(A) by redesignating section 119B as section 119C;
and
(B) by inserting after section 119A the following new
section:
``SEC. 119B. CYBER THREAT INTELLIGENCE INTEGRATION CENTER.
``(a) Establishment.--There is within the Office of the Director of
National Intelligence a Cyber Threat Intelligence Integration Center.
``(b) Director.--There is a Director of the Cyber Threat Intelligence
Integration Center, who shall be the head of the Cyber Threat
Intelligence Integration Center, and who shall be appointed by the
Director of National Intelligence.
``(c) Primary Missions.--The Cyber Threat Intelligence Integration
Center shall--
``(1) serve as the primary organization within the Federal
Government for analyzing and integrating all intelligence
possessed or acquired by the United States pertaining to cyber
threats;
``(2) ensure that appropriate departments and agencies have
full access to and receive all-source intelligence support
needed to execute the cyber threat intelligence activities of
such agencies and to perform independent, alternative analyses;
``(3) disseminate cyber threat analysis to the President, the
appropriate departments and agencies of the Federal Government,
and the appropriate committees of Congress;
``(4) coordinate cyber threat intelligence activities of the
departments and agencies of the Federal Government; and
``(5) conduct strategic cyber threat intelligence planning
for the Federal Government.
``(d) Limitations.--The Cyber Threat Intelligence Integration Center
shall--
``(1) have not more than 50 permanent positions;
``(2) in carrying out the primary missions of the Center
described in subsection (c), may not augment staffing through
detailees, assignees, or core contractor personnel or enter
into any personal services contracts to exceed the limitation
under paragraph (1); and
``(3) be located in a building owned or operated by an
element of the intelligence community as of the date of the
enactment of this section.''.
(2) Table of contents amendments.--The table of contents in
the first section of the National Security Act of 1947, as
amended by section 2 of this Act, is further amended by
striking the item relating to section 119B and inserting the
following new items:
``Sec. 119B. Cyber Threat Intelligence Integration Center.
``Sec. 119C. National intelligence centers.''.
(d) Information Shared With or Provided to the Federal Government.--
(1) No waiver of privilege or protection.--The provision of a
cyber threat indicator or defensive measure to the Federal
Government under this Act shall not constitute a waiver of any
applicable privilege or protection provided by law, including
trade secret protection.
(2) Proprietary information.--Consistent with section
3(c)(2), a cyber threat indicator or defensive measure provided
by a non-Federal entity to the Federal Government under this
Act shall be considered the commercial, financial, and
proprietary information of the non-Federal entity that is the
originator of such cyber threat indicator or defensive measure
when so designated by such non-Federal entity or a non-Federal
entity acting in accordance with the written authorization of
the non-Federal entity that is the originator of such cyber
threat indicator or defensive measure.
(3) Exemption from disclosure.--A cyber threat indicator or
defensive measure provided to the Federal Government under this
Act shall be--
(A) deemed voluntarily shared information and exempt
from disclosure under section 552 of title 5, United
States Code, and any State, tribal, or local law
requiring disclosure of information or records; and
(B) withheld, without discretion, from the public
under section 552(b)(3)(B) of title 5, United States
Code, and any State, tribal, or local provision of law
requiring disclosure of information or records, except
as otherwise required by applicable Federal, State,
tribal, or local law requiring disclosure in any
criminal prosecution.
(4) Ex parte communications.--The provision of a cyber threat
indicator or defensive measure to the Federal Government under
this Act shall not be subject to a rule of any Federal
department or agency or any judicial doctrine regarding ex
parte communications with a decision-making official.
(5) Disclosure, retention, and use.--
(A) Authorized activities.--A cyber threat indicator
or defensive measure provided to the Federal Government
under this Act may be disclosed to, retained by, and
used by, consistent with otherwise applicable
provisions of Federal law, any department, agency,
component, officer, employee, or agent of the Federal
Government solely for--
(i) a cybersecurity purpose;
(ii) the purpose of responding to,
prosecuting, or otherwise preventing or
mitigating a threat of death or serious bodily
harm or an offense arising out of such a
threat;
(iii) the purpose of responding to, or
otherwise preventing or mitigating, a serious
threat to a minor, including sexual
exploitation and threats to physical safety; or
(iv) the purpose of preventing,
investigating, disrupting, or prosecuting any
of the offenses listed in sections 1028, 1029,
1030, and 3559(c)(2)(F) and chapters 37 and 90
of title 18, United States Code.
(B) Prohibited activities.--A cyber threat indicator
or defensive measure provided to the Federal Government
under this Act shall not be disclosed to, retained by,
or used by any Federal department or agency for any use
not permitted under subparagraph (A).
(C) Privacy and civil liberties.--A cyber threat
indicator or defensive measure provided to the Federal
Government under this Act shall be retained, used, and
disseminated by the Federal Government in accordance
with--
(i) the policies and procedures relating to
the receipt of cyber threat indicators and
defensive measures by the Federal Government
required by subsection (b) of section 111 of
the National Security Act of 1947, as added by
subsection (a) of this section; and
(ii) the privacy and civil liberties
guidelines required by subsection (b).
SEC. 5. FEDERAL GOVERNMENT LIABILITY FOR VIOLATIONS OF PRIVACY OR CIVIL
LIBERTIES.
(a) In General.--If a department or agency of the Federal Government
intentionally or willfully violates the privacy and civil liberties
guidelines issued by the Attorney General under section 4(b), the
United States shall be liable to a person injured by such violation in
an amount equal to the sum of--
(1) the actual damages sustained by the person as a result of
the violation or $1,000, whichever is greater; and
(2) reasonable attorney fees as determined by the court and
other litigation costs reasonably incurred in any case under
this subsection in which the complainant has substantially
prevailed.
(b) Venue.--An action to enforce liability created under this section
may be brought in the district court of the United States in--
(1) the district in which the complainant resides;
(2) the district in which the principal place of business of
the complainant is located;
(3) the district in which the department or agency of the
Federal Government that violated such privacy and civil
liberties guidelines is located; or
(4) the District of Columbia.
(c) Statute of Limitations.--No action shall lie under this
subsection unless such action is commenced not later than two years
after the date of the violation of the privacy and civil liberties
guidelines issued by the Attorney General under section 4(b) that is
the basis for the action.
(d) Exclusive Cause of Action.--A cause of action under this
subsection shall be the exclusive means available to a complainant
seeking a remedy for a violation by a department or agency of the
Federal Government under this Act.
SEC. 6. PROTECTION FROM LIABILITY.
(a) Monitoring of Information Systems.--No cause of action shall lie
or be maintained in any court against any private entity, and such
action shall be promptly dismissed, for the monitoring of an
information system and information under section 3(a) that is conducted
in good faith in accordance with this Act and the amendments made by
this Act.
(b) Sharing or Receipt of Cyber Threat Indicators.--No cause of
action shall lie or be maintained in any court against any non-Federal
entity, and such action shall be promptly dismissed, for the sharing or
receipt of a cyber threat indicator or defensive measure under section
3(c), or a good faith failure to act based on such sharing or receipt,
if such sharing or receipt is conducted in good faith in accordance
with this Act and the amendments made by this Act.
(c) Willful Misconduct.--
(1) Rule of construction.--Nothing in this section shall be
construed--
(A) to require dismissal of a cause of action against
a non-Federal entity (including a private entity) that
has engaged in willful misconduct in the course of
conducting activities authorized by this Act or the
amendments made by this Act; or
(B) to undermine or limit the availability of
otherwise applicable common law or statutory defenses.
(2) Proof of willful misconduct.--In any action claiming that
subsection (a) or (b) does not apply due to willful misconduct
described in paragraph (1), the plaintiff shall have the burden
of proving by clear and convincing evidence the willful
misconduct by each non-Federal entity subject to such claim and
that such willful misconduct proximately caused injury to the
plaintiff.
(3) Willful misconduct defined.--In this subsection, the term
``willful misconduct'' means an act or omission that is taken--
(A) intentionally to achieve a wrongful purpose;
(B) knowingly without legal or factual justification;
and
(C) in disregard of a known or obvious risk that is
so great as to make it highly probable that the harm
will outweigh the benefit.
SEC. 7. OVERSIGHT OF GOVERNMENT ACTIVITIES.
(a) Biennial Report on Implementation.--
(1) In general.--Section 111 of the National Security Act of
1947, as added by section 2(a) and amended by section 4(a) of
this Act, is further amended--
(A) by redesignating subsection (c) (as redesignated
by such section 4(a)) as subsection (d); and
(B) by inserting after subsection (b) (as inserted by
such section 4(a)) the following new subsection:
``(c) Biennial Report on Implementation.--
``(1) In general.--Not less frequently than once every two
years, the Director of National Intelligence, in consultation
with the heads of the other appropriate Federal entities, shall
submit to Congress a report concerning the implementation of
this section and the Protecting Cyber Networks Act.
``(2) Contents.--Each report submitted under paragraph (1)
shall include the following:
``(A) An assessment of the sufficiency of the
policies, procedures, and guidelines required by this
section and section 4 of the Protecting Cyber Networks
Act in ensuring that cyber threat indicators are shared
effectively and responsibly within the Federal
Government.
``(B) An assessment of whether the procedures
developed under section 3 of such Act comply with the
goals described in subparagraphs (A), (B), and (C) of
subsection (a)(1).
``(C) An assessment of whether cyber threat
indicators have been properly classified and an
accounting of the number of security clearances
authorized by the Federal Government for the purposes
of this section and such Act.
``(D) A review of the type of cyber threat indicators
shared with the Federal Government under this section
and such Act, including the following:
``(i) The degree to which such information
may impact the privacy and civil liberties of
specific persons.
``(ii) A quantitative and qualitative
assessment of the impact of the sharing of such
cyber threat indicators with the Federal
Government on privacy and civil liberties of
specific persons.
``(iii) The adequacy of any steps taken by
the Federal Government to reduce such impact.
``(E) A review of actions taken by the Federal
Government based on cyber threat indicators shared with
the Federal Government under this section or such Act,
including the appropriateness of any subsequent use or
dissemination of such cyber threat indicators by a
Federal entity under this section or section 4 of such
Act.
``(F) A description of any significant violations of
the requirements of this section or such Act by the
Federal Government--
``(i) an assessment of all reports of
officers, employees, and agents of the Federal
Government misusing information provided to the
Federal Government under the Protecting Cyber
Networks Act or this section, without regard to
whether the misuse was knowing or wilful; and
``(ii) an assessment of all disciplinary
actions taken against such officers, employees,
and agents.
``(G) A summary of the number and type of non-Federal
entities that received classified cyber threat
indicators from the Federal Government under this
section or such Act and an evaluation of the risks and
benefits of sharing such cyber threat indicators.
``(H) An assessment of any personal information of or
information identifying a specific person not directly
related to a cybersecurity threat that--
``(i) was shared by a non-Federal entity with
the Federal Government under this Act in
contravention of section 3(d)(2); or
``(ii) was shared within the Federal
Government under this Act in contravention of
the guidelines required by section 4(b).
``(3) Recommendations.--Each report submitted under paragraph
(1) may include such recommendations as the heads of the
appropriate Federal entities may have for improvements or
modifications to the authorities and processes under this
section or such Act.
``(4) Form of report.--Each report required by paragraph (1)
shall be submitted in unclassified form, but may include a
classified annex.
``(5) Public availability of reports.--The Director of
National Intelligence shall make publicly available the
unclassified portion of each report required by paragraph
(1).''.
(2) Initial report.--The first report required under
subsection (c) of section 111 of the National Security Act of
1947, as inserted by paragraph (1) of this subsection, shall be
submitted not later than one year after the date of the
enactment of this Act.
(b) Reports on Privacy and Civil Liberties.--
(1) Biennial report from privacy and civil liberties
oversight board.--
(A) In general.--Section 1061(e) of the Intelligence
Reform and Terrorism Prevention Act of 2004 (42 U.S.C.
2000ee(e)) is amended by adding at the end the
following new paragraph:
``(3) Biennial report on certain cyber activities.--
``(A) Report required.--The Privacy and Civil
Liberties Oversight Board shall biennially submit to
Congress and the President a report containing--
``(i) an assessment of the privacy and civil
liberties impact of the activities carried out
under the Protecting Cyber Networks Act and the
amendments made by such Act; and
``(ii) an assessment of the sufficiency of
the policies, procedures, and guidelines
established pursuant to section 4 of the
Protecting Cyber Networks Act and the
amendments made by such section 4 in addressing
privacy and civil liberties concerns.
``(B) Recommendations.--Each report submitted under
this paragraph may include such recommendations as the
Privacy and Civil Liberties Oversight Board may have
for improvements or modifications to the authorities
under the Protecting Cyber Networks Act or the
amendments made by such Act.
``(C) Form.--Each report required under this
paragraph shall be submitted in unclassified form, but
may include a classified annex.
``(D) Public availability of reports.--The Privacy
and Civil Liberties Oversight Board shall make publicly
available the unclassified portion of each report
required by subparagraph (A).''.
(B) Initial report.--The first report required under
paragraph (3) of section 1061(e) of the Intelligence
Reform and Terrorism Prevention Act of 2004 (42 U.S.C.
2000ee(e)), as added by subparagraph (A) of this
paragraph, shall be submitted not later than 2 years
after the date of the enactment of this Act.
(2) Biennial report of inspectors general.--
(A) In general.--Not later than 2 years after the
date of the enactment of this Act and not less
frequently than once every 2 years thereafter, the
Inspector General of the Department of Homeland
Security, the Inspector General of the Intelligence
Community, the Inspector General of the Department of
Justice, and the Inspector General of the Department of
Defense, in consultation with the Council of Inspectors
General on Financial Oversight, shall jointly submit to
Congress a report on the receipt, use, and
dissemination of cyber threat indicators and defensive
measures that have been shared with Federal entities
under this Act and the amendments made by this Act.
(B) Contents.--Each report submitted under
subparagraph (A) shall include the following:
(i) A review of the types of cyber threat
indicators shared with Federal entities.
(ii) A review of the actions taken by Federal
entities as a result of the receipt of such
cyber threat indicators.
(iii) A list of Federal entities receiving
such cyber threat indicators.
(iv) A review of the sharing of such cyber
threat indicators among Federal entities to
identify inappropriate barriers to sharing
information.
(C) Recommendations.--Each report submitted under
this paragraph may include such recommendations as the
Inspectors General referred to in subparagraph (A) may
have for improvements or modifications to the
authorities under this Act or the amendments made by
this Act.
(D) Form.--Each report required under this paragraph
shall be submitted in unclassified form, but may
include a classified annex.
(E) Public availability of reports.--The Inspector
General of the Department of Homeland Security, the
Inspector General of the Intelligence Community, the
Inspector General of the Department of Justice, and the
Inspector General of the Department of Defense shall
make publicly available the unclassified portion of
each report required under subparagraph (A).
SEC. 8. REPORT ON CYBERSECURITY THREATS.
(a) Report Required.--Not later than 180 days after the date of the
enactment of this Act, the Director of National Intelligence, in
consultation with the heads of other appropriate elements of the
intelligence community, shall submit to the Select Committee on
Intelligence of the Senate and the Permanent Select Committee on
Intelligence of the House of Representatives a report on cybersecurity
threats, including cyber attacks, theft, and data breaches.
(b) Contents.--The report required by subsection (a) shall include
the following:
(1) An assessment of--
(A) the current intelligence sharing and cooperation
relationships of the United States with other countries
regarding cybersecurity threats (including cyber
attacks, theft, and data breaches) directed against the
United States that threaten the United States national
security interests, economy, and intellectual property;
and
(B) the relative utility of such relationships, which
elements of the intelligence community participate in
such relationships, and whether and how such
relationships could be improved.
(2) A list and an assessment of the countries and non-state
actors that are the primary threats of carrying out a
cybersecurity threat (including a cyber attack, theft, or data
breach) against the United States and that threaten the United
States national security, economy, and intellectual property.
(3) A description of the extent to which the capabilities of
the United States Government to respond to or prevent
cybersecurity threats (including cyber attacks, theft, or data
breaches) directed against the United States private sector are
degraded by a delay in the prompt notification by private
entities of such threats or cyber attacks, theft, and breaches.
(4) An assessment of additional technologies or capabilities
that would enhance the ability of the United States to prevent
and to respond to cybersecurity threats (including cyber
attacks, theft, and data breaches).
(5) An assessment of any technologies or practices utilized
by the private sector that could be rapidly fielded to assist
the intelligence community in preventing and responding to
cybersecurity threats.
(c) Form of Report.--The report required by subsection (a) shall be
submitted in unclassified form, but may include a classified annex.
(d) Public Availability of Report.--The Director of National
Intelligence shall make publicly available the unclassified portion of
the report required by subsection (a).
(e) Intelligence Community Defined.--In this section, the term
``intelligence community'' has the meaning given that term in section 3
of the National Security Act of 1947 (50 U.S.C. 3003).
SEC. 9. CONSTRUCTION AND PREEMPTION.
(a) Prohibition of Surveillance.--Nothing in this Act or the
amendments made by this Act shall be construed to authorize the
Department of Defense or the National Security Agency or any other
element of the intelligence community to target a person for
surveillance.
(b) Otherwise Lawful Disclosures.--Nothing in this Act or the
amendments made by this Act shall be construed to limit or prohibit--
(1) otherwise lawful disclosures of communications, records,
or other information, including reporting of known or suspected
criminal activity, by a non-Federal entity to any other non-
Federal entity or the Federal Government; or
(2) any otherwise lawful use of such disclosures by any
entity of the Federal government, without regard to whether
such otherwise lawful disclosures duplicate or replicate
disclosures made under this Act.
(c) Whistle Blower Protections.--Nothing in this Act or the
amendments made by this Act shall be construed to prohibit or limit the
disclosure of information protected under section 2302(b)(8) of title
5, United States Code (governing disclosures of illegality, waste,
fraud, abuse, or public health or safety threats), section 7211 of
title 5, United States Code (governing disclosures to Congress),
section 1034 of title 10, United States Code (governing disclosure to
Congress by members of the military), or any similar provision of
Federal or State law..
(d) Protection of Sources and Methods.--Nothing in this Act or the
amendments made by this Act shall be construed--
(1) as creating any immunity against, or otherwise affecting,
any action brought by the Federal Government, or any department
or agency thereof, to enforce any law, executive order, or
procedure governing the appropriate handling, disclosure, or
use of classified information;
(2) to affect the conduct of authorized law enforcement or
intelligence activities; or
(3) to modify the authority of the President or a department
or agency of the Federal Government to protect and control the
dissemination of classified information, intelligence sources
and methods, and the national security of the United States.
(e) Relationship to Other Laws.--Nothing in this Act or the
amendments made by this Act shall be construed to affect any
requirement under any other provision of law for a non-Federal entity
to provide information to the Federal Government.
(f) Information Sharing Relationships.--Nothing in this Act or the
amendments made by this Act shall be construed--
(1) to limit or modify an existing information-sharing
relationship;
(2) to prohibit a new information-sharing relationship; or
(3) to require a new information-sharing relationship between
any non-Federal entity and the Federal Government.
(g) Preservation of Contractual Obligations and Rights.--Nothing in
this Act or the amendments made by this Act shall be construed--
(1) to amend, repeal, or supersede any current or future
contractual agreement, terms of service agreement, or other
contractual relationship between any non-Federal entities, or
between any non-Federal entity and a Federal entity; or
(2) to abrogate trade secret or intellectual property rights
of any non-Federal entity or Federal entity.
(h) Anti-tasking Restriction.--Nothing in this Act or the amendments
made by this Act shall be construed to permit the Federal Government--
(1) to require a non-Federal entity to provide information to
the Federal Government;
(2) to condition the sharing of a cyber threat indicator with
a non-Federal entity on such non-Federal entity's provision of
a cyber threat indicator to the Federal Government; or
(3) to condition the award of any Federal grant, contract, or
purchase on the provision of a cyber threat indicator to a
Federal entity.
(i) No Liability for Non-participation.--Nothing in this Act or the
amendments made by this Act shall be construed to subject any non-
Federal entity to liability for choosing not to engage in a voluntary
activiy authorized in this Act and the amendments made by this Act.
(j) Use and Retention of Information.--Nothing in this Act or the
amendments made by this Act shall be construed to authorize, or to
modify any existing authority of, a department or agency of the Federal
Government to retain or use any information shared under this Act or
the amendments made by this Act for any use other than permitted in
this Act or the amendments made by this Act.
(k) Federal Preemption.--
(1) In general.--This Act and the amendments made by this Act
supersede any statute or other provision of law of a State or
political subdivision of a State that restricts or otherwise
expressly regulates an activity authorized under this Act or
the amendments made by this Act.
(2) State law enforcement.--Nothing in this Act or the
amendments made by this Act shall be construed to supersede any
statute or other provision of law of a State or political
subdivision of a State concerning the use of authorized law
enforcement practices and procedures.
(l) Regulatory Authority.--Nothing in this Act or the amendments made
by this Act shall be construed--
(1) to authorize the promulgation of any regulations not
specifically authorized by this Act or the amendments made by
this Act;
(2) to establish any regulatory authority not specifically
established under this Act or the amendments made by this Act;
or
(3) to authorize regulatory actions that would duplicate or
conflict with regulatory requirements, mandatory standards, or
related processes under another provision of Federal law.
SEC. 10. CONFORMING AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
(1) in paragraph (8), by striking ``or'' at the end;
(2) in paragraph (9), by striking ``wells.'' and inserting
``wells; or''; and
(3) by inserting after paragraph (9) the following:
``(10) information shared with or provided to the Federal
Government pursuant to the Protecting Cyber Networks Act or the
amendments made by such Act.''.
SEC. 11. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Appropriate federal entities.--The term ``appropriate
Federal entities'' means the following:
(A) The Department of Commerce.
(B) The Department of Defense.
(C) The Department of Energy.
(D) The Department of Homeland Security.
(E) The Department of Justice.
(F) The Department of the Treasury.
(G) The Office of the Director of National
Intelligence.
(3) Cybersecurity purpose.--The term ``cybersecurity
purpose'' means the purpose of protecting (including through
the use of a defensive measure) an information system or
information that is stored on, processed by, or transiting an
information system from a cybersecurity threat or security
vulnerability or identifying the source of a cybersecurity
threat.
(4) Cybersecurity threat.--
(A) In general.--Except as provided in subparagraph
(B), the term ``cybersecurity threat'' means an action,
not protected by the first amendment to the
Constitution of the United States, on or through an
information system that may result in an unauthorized
effort to adversely impact the security,
confidentiality, integrity, or availability of an
information system or information that is stored on,
processed by, or transiting an information system.
(B) Exclusion.--The term ``cybersecurity threat''
does not include any action that solely involves a
violation of a consumer term of service or a consumer
licensing agreement.
(5) Cyber threat indicator.--The term ``cyber threat
indicator'' means information or a physical object that is
necessary to describe or identify--
(A) malicious reconnaissance, including anomalous
patterns of communications that appear to be
transmitted for the purpose of gathering technical
information related to a cybersecurity threat or
security vulnerability;
(B) a method of defeating a security control or
exploitation of a security vulnerability;
(C) a security vulnerability, including anomalous
activity that appears to indicate the existence of a
security vulnerability;
(D) a method of causing a user with legitimate access
to an information system or information that is stored
on, processed by, or transiting an information system
to unwittingly enable the defeat of a security control
or exploitation of a security vulnerability;
(E) malicious cyber command and control;
(F) the actual or potential harm caused by an
incident, including a description of the information
exfiltrated as a result of a particular cybersecurity
threat; or
(G) any other attribute of a cybersecurity threat, if
disclosure of such attribute is not otherwise
prohibited by law.
(6) Defensive measure.--The term ``defensive measure'' means
an action, device, procedure, technique, or other measure
executed on an information system or information that is stored
on, processed by, or transiting an information system that
prevents or mitigates a known or suspected cybersecurity threat
or security vulnerability.
(7) Federal entity.--The term ``Federal entity'' means a
department or agency of the United States or any component of
such department or agency.
(8) Information system.--The term ``information system''--
(A) has the meaning given the term in section 3502 of
title 44, United States Code; and
(B) includes industrial control systems, such as
supervisory control and data acquisition systems,
distributed control systems, and programmable logic
controllers.
(9) Local government.--The term ``local government'' means
any borough, city, county, parish, town, township, village, or
other political subdivision of a State.
(10) Malicious cyber command and control.--The term
``malicious cyber command and control'' means a method for
unauthorized remote identification of, access to, or use of, an
information system or information that is stored on, processed
by, or transiting an information system.
(11) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning security vulnerabilities of the information system,
if such method is associated with a known or suspected
cybersecurity threat.
(12) Monitor.--The term ``monitor'' means to acquire,
identify, scan, or otherwise possess information that is stored
on, processed by, or transiting an information system.
(13) Non-federal entity.--
(A) In general.--Except as otherwise provided in this
paragraph, the term ``non-Federal entity'' means any
private entity, non-Federal government department or
agency, or State, tribal, or local government
(including a political subdivision, department,
officer, employee, or agent thereof).
(B) Inclusions.--The term ``non-Federal entity''
includes a government department or agency (including
an officer, employee, or agent thereof) of the District
of Columbia, the Commonwealth of Puerto Rico, the
Virgin Islands, Guam, American Samoa, the Northern
Mariana Islands, and any other territory or possession
of the United States.
(C) Exclusion.--The term ``non-Federal entity'' does
not include a foreign power or known agent of a foreign
power, as both terms are defined in section 101 of the
Foreign Intelligence Surveillance Act of 1978 (50
U.S.C. 1801).
(14) Private entity.--
(A) In general.--Except as otherwise provided in this
paragraph, the term ``private entity'' means any person
or private group, organization, proprietorship,
partnership, trust, cooperative, corporation, or other
commercial or nonprofit entity, including an officer,
employee, or agent thereof.
(B) Inclusion.--The term ``private entity'' includes
a component of a State, tribal, or local government
performing electric utility services.
(C) Exclusion.--The term ``private entity'' does not
include a foreign power as defined in section 101 of
the Foreign Intelligence Surveillance Act of 1978 (50
U.S.C. 1801).
(15) Real time; real-time.--The terms ``real time'' and
``real-time'' mean a process by which an automated, machine-to-
machine system processes cyber threat indicators such that the
time in which the occurrence of an event and the reporting or
recording of it are as simultaneous as technologically and
operationally practicable.
(16) Security control.--The term ``security control'' means
the management, operational, and technical controls used to
protect against an unauthorized effort to adversely impact the
security, confidentiality, integrity, and availability of an
information system or its information.
(17) Security vulnerability.--The term ``security
vulnerability'' means any attribute of hardware, software,
process, or procedure that could enable or facilitate the
defeat of a security control.
(18) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian Self-
Determination and Education Assistance Act (25 U.S.C. 450b).
Purpose
The purpose of H.R. 1560 is to improve cybersecurity in the
United States by enhancing the sharing of information about
cybersecurity threats.
Background and Need for Legislation
Four years ago, when this Committee first considered
cybersecurity legislation, few Americans understood the threat
our Nation faced from cyberattacks by foreign militaries,
intelligence services, and criminal organizations. Even fewer
understood that, as citizens and consumers, those same attacks
could endanger their health records, financial data, and other
sensitive personal information.
Today, hardly a day goes by without news of a cyberattack
on an American business or government agency. High-profile
attacks are commonplace. Both in the boardroom and around the
kitchen table, Americans suffer the impact of cyberattacks.
Whether carried out by foreign governments or criminals, these
attacks steal Americans' identities, credit card information,
tax refunds, and countless other kinds of private information.
In just the past year, attackers have shown they can adeptly
carry out criminal activity, including theft and espionage, on
computer networks inside the United States. These attacks
violate Americans' privacy on a massive scale and cost
thousands of American jobs.
Some cyberattacks are sponsored by foreign governments.
China, Russia, North Korea, and Iran have created highly
skilled cyberwarfare units that directly target American
businesses for their most valuable intellectual property.
Corporate research and development forms the lifeblood of the
American economy, and China, in particular, engages in daily
assaults that pillage American innovation. In May 2014, for
instance, federal prosecutors charged five military officers
from Unit 61398 of the Third Department of the Chinese People's
Liberation Army with computer hacking and economic espionage
against the U.S. nuclear power, metals, and solar products
industries. They were not the first and will not be the last
foreign military officers who launch cyberattacks on American
industry. The sheer number of attacks against American
companies--at least thousands each day--harms our economy and
thus our national security.
Other attacks are carried out by criminal organizations. A
recent Washington Post report suggested that more than 3,000
companies were alerted to cyberattacks by federal agents in
2013. And that number represents only the number of cases in
which the federal government learned that an attack occurred.
We cannot expect the private sector to defend itself against
unrelenting assaults of foreign governments without federal
assistance.
There is no silver bullet to end cyberattacks. Thousands of
attacks occur each day and will continue after this bill
becomes law. Companies must defend their networks around the
clock on all fronts, but an attacker only needs to succeed once
to cause tremendous amounts of damage. No piece of legislation
can wholly prevent this devastating hacking. However, the
ability to share cyber threat information and solutions will
significantly help security officials throughout both the
private sector and the government defend their networks, and
thereby defend Americans' most private information and most
valuable intellectual property.
The government already provides significant support and
assistance to private companies to address cyberattacks, but
more can--and should--be done. Real and perceived legal
barriers to cybersecurity monitoring and information sharing
constrain companies with even the best of intentions. After
hundreds of conversations with companies in virtually every
sector of the economy, the executive branch, and privacy and
civil liberties advocates, it is clear to the Committee that
American businesses need positive legal authority to monitor
their networks and to share and receive cyber threat indicators
and defensive measures. Voluntary information sharing between
companies helps businesses defend themselves against
cyberattacks, and voluntary, two-way information sharing with
the federal government can help the government disseminate
cyber threat information with greater speed and accuracy. The
positive authorization contained in this bill is important to
encourage this sharing and to help businesses improve their
defenses against cyberattacks. As a result, this bill helps
protect Americans' privacy.
In each of the past two Congresses, the Committee adopted
cybersecurity information sharing legislation that passed the
House with bipartisan support. Then-Chairman Rogers and Ranking
Member Ruppersberger made great strides in educating the
American people about the cybersecurity threat and the need for
information sharing legislation. Even so, in both of the past
two Congresses, the Senate failed to act.
Building on those past efforts, Chairman Nunes and Ranking
Member Schiff led a bipartisan effort to advance cyber
legislation in the 114th Congress. The result of their efforts,
the Protecting Cyber Networks Act, enables private companies to
monitor their networks and to voluntarily share cyber threat
indicators with one another and with the federal government,
all while providing strong protections for privacy and civil
liberties.
Scope of Committee Review
On March 19, 2015, the Committee held an open hearing, The
Growing Cyber Threat and Its Impact on American Business. At
that hearing, the Committee heard testimony from Governor Tim
Pawlenty, the former governor of Minnesota and current Chief
Executive Officer of the Financial Services Roundtable; Mr.
Andrew Tannenbaum, cybersecurity counsel for IBM; Mr. John
Latimer, Chief Risk and Compliance Officer for Total Systems
Services, Inc.; and Mr. Richard Bejtlich, Chief Security
Strategist for FireEye, Inc. The hearing focused on the state
of cybersecurity information sharing between the federal
government and the private sector, as well as information
sharing within the private sector.
Before and after the open hearing, Committee staff met with
representatives from the White House, the Department of
Justice, the Department of Defense, the Federal Bureau of
Investigation, the Department of Treasury, the Department of
Homeland Security, and the National Security Agency in the
course of developing this legislation. Committee staff also
held numerous meetings with private sector companies and trade
groups in the telecommunications, technology, financial
services, utilities, retail, defense, and internet security
industries, and several meetings with representatives of
privacy groups including, among others, the Center for
Democracy and Technology, the American Civil Liberties Union,
and the Open Technology Institute.
Lastly, as part of its regular oversight responsibilities,
the Committee held numerous classified briefings and meetings
about cyberattacks and the serious threat they pose to our
national security.
Committee Statement and Views
The Protecting Cyber Networks Act tears down legal barriers
to improved cybersecurity. The bill authorizes companies to
monitor their own networks and the networks of other consenting
private parties for cybersecurity threats. It also authorizes
companies to use and share defensive measures--techniques that
prevent or mitigate cybersecurity threats--on their own
networks and on the networks of other consenting private
parties. And most importantly, notwithstanding any other
federal or state law, the bill authorizes and provides
liability protection for the sharing and receipt of cyber
threat indicators and defensive measures. The bill encourages
sharing of cyber threat indicators and defensive measures along
three axes: between private companies; from private companies
to the federal government; and from the federal government to
private companies. Because of the real and perceived legal
barriers to information sharing, the bill provides strong
liability protection for sharing through its procedures. Any
company that shares cyber threat indicators or defensive
measures in good faith compliance with the bill--including the
requirement to strip out private information unrelated to the
cyber threat--will receive immunity from lawsuits. This
immunity includes, among other things, immunity from liability
under the antitrust laws. The bill also prohibits the federal
government from penalizing companies for sharing cyber threat
information pursuant to the Act. As Section 9(l) makes clear,
nothing in the bill allows the government to establish
regulations or regulatory authority based on the cybersecurity
information companies share.
The bill also provides companies with the flexibility that
will encourage information sharing. Compared to previous
legislative efforts, the bill gives companies the flexibility
to choose to share cyber threat indicators or defensive
measures with a number of different government agencies.
Companies receive authorization and liability protection for
sharing with the Department of Justice (including the Federal
Bureau of Investigation), the Department of Commerce, the
Department of the Treasury, the Office of the Director of
National Intelligence, the Department of Homeland Security, and
the Department of Energy. Some companies may be more
comfortable sharing different kinds of cyber threat indicators
with different agencies that possess different expertise. Under
this bill, banks can share cyber threat information with the
Department of the Treasury; power plants can share with the
Department of Energy; and victims of crime can share with
federal law enforcement agencies. After any federal agency
receives a cyber threat indicator or defensive measure from the
private sector, it must share that indicator or defensive
measure in real-time, that is, by an automated machine-to-
machine process, with all other appropriate federal agencies,
including the Department of Defense and the National Security
Agency.
Although the bill does not grant any new authorization or
liability protection for companies to share cyber threat
indicators or defensive measures with the Department of Defense
or the National Security Agency, companies may choose to share
cyber threat indicators or defensive measures with the
Department of Defense or the National Security Agency outside
of the bill. The Committee understands the critical importance
of cybersecurity to the Department of Defense's missions, many
of which rely on private sector partnerships with the Defense
Industrial Base. The bill's lack of authorization for companies
to share with the Department of Defense or the National
Security Agency is not a prohibition on sharing with those
agencies if doing so is otherwise lawful. Section 3(c)(3)(E)
expressly states that nothing in the bill should be construed
to prohibit private companies from sharing cyber threat
indicators with the Department of Defense or the National
Security Agency when that sharing is authorized by another law
or regulation, and Section 9(f) makes clear that nothing in the
bill limits or modifies any existing information sharing
relationship or prohibits a new information sharing
relationship outside of the Act. The bill also does not
supersede any private contract, including any contractual
obligation for a company to report a cyber intrusion to the
Department of Defense or to any other federal agency.
At the same time, the bill contains strong privacy
protections, far in excess of previous legislative efforts.
First, the bill only authorizes the sharing of cyber threat
indicators. The bill contains a narrow definition of cyber
threat indicator that does not include personal information
unrelated to cybersecurity. Thus, the sharing of personal
information that is not directly related to a cybersecurity
threat is not authorized by the bill. Companies will not
receive any liability protection for such sharing.
Second, even if personal information constitutes a cyber
threat indicator, companies may only share the information for
a cybersecurity purpose. This restriction ensures that
companies do not improperly share personal information for
reasons outside the scope of the bill.
Third, the liability protections of the bill are only
available if a company sharing information takes reasonable
efforts to remove irrelevant personally identifiable
information before sharing. If a company fails to take such
efforts, it will not receive the liability protections of the
bill. The bill's description of personally identifiable
information is intended to match the description contained in
the Cybersecurity Information Sharing Act, S. 754, as reported
favorably by the Senate Select Committee on Intelligence on
March 17, 2015.
Fourth, if the federal government receives cyber threat
indicators, the bill obligates the government to search for and
remove or exclude any residual, irrelevant personally
identifiable information that it may have received. This dual
privacy scrub will drastically minimize the sharing or
dissemination of any personally identifiable information,
protecting privacy while also ensuring that companies are able
to take needed actions to address cyber threats.
Fifth, the bill imposes strict limitations on the use and
retention of any data voluntarily shared by the private sector
with the government. The government may use the information it
receives for cybersecurity purposes because it must be able to
protect itself from cybersecurity threats that exist in the
private sector, as well as provide the information to others to
fulfill its duties to protect the Nation from cybersecurity
threats. The government may also use the information to respond
to specific dangerous crimes. These include the sexual abuse of
minors, threats of death and serious bodily harm, and other
violent felonies. Companies cannot share cyber threat
information with the government for the purpose of stopping
crimes, but when companies share these cyber threat indicators
for a cybersecurity purpose, and that information also contains
information related to these kinds of crimes, the government
should not sit on its hands and ignore violent felonies and
child sex offenses.
Sixth, the bill provides for strong public and
congressional oversight by requiring a detailed biennial
Inspectors General report of appropriate federal entities of
the government's receipt, use, and dissemination of cyber
threat indicators. Additionally, the Privacy and Civil
Liberties Oversight Board must produce a biennial report on the
privacy and civil liberties impact of the Act.
Finally, the bill expressly states that it provides no
authority for the U.S. government to conduct any surveillance.
The bill authorizes the sharing of cyber threat indicators and
defensive measures, not surveillance.
Committee Consideration and Roll Call Votes
On March 26, 2015, the Committee met in open session to
consider H.R. 1560, the Protecting Cyber Networks Act. The
section-by-section analysis details the contents of H.R. 1560.
Chairman Nunes and Ranking Member Schiff offered an
amendment to clarify that the bill does not impact any existing
information sharing relationships between the private sector
and the Department of Defense, including the National Security
Agency. The amendment made several other technical changes and
incorporated privacy-enhancing proposals by Ms. Speier, Mr.
Carson, and Mr. Swalwell. The amendment was agreed to by a
voice vote.
Mr. Swalwell offered an amendment to the bill's liability
provision, which he subsequently withdrew.
The Committee then adopted a motion by Chairman Nunes to
favorably report the bill H.R. 1560 to the House, as amended.
The motion was agreed to by a voice vote.
Section-by-Section Analysis
Section 1: Short title; Table of contents
The short title of the Act is the Protecting Cyber Networks
Act.
Section 2: Sharing of Cyber Threat Indicators and Defensive Measures by
the Federal Government with Non-Federal Entities
This section of the Act amends Title I of the National
Security Act by adding a new section, Section 111. Under this
new section, the Director of National Intelligence, in
consultation with the heads of the Departments of Homeland
Security, Treasury, Justice, Commerce, and Defense (hereinafter
the ``appropriate Federal entities''), should create procedures
to facilitate and promote the timely sharing of cyber threat
indicators with the private sector. The procedures would
promote the sharing of: classified cyber threat indicators with
representatives of the private sector with appropriate security
clearances; classified cyber threat indicators that may be
declassified and shared at an unclassified level; and any
information in the possession of the Federal Government about
imminent or ongoing cyber threats that may allow private
companies to prevent or mitigate those threats.
The procedures must also ensure the Federal Government
creates and maintains the capability to share cyber threat
indicators in real time with the private sector, consistent
with the protection of classified information.
Additionally, the procedures drafted by the Director of
National Intelligence will require federal agencies to perform
a review of cyber threat indicators they receive from the
private sector before the agencies share those indicators
within the Federal Government. In that review, the receiving
agencies will assess whether--despite the private sector's own
requirement to conduct a similar review--the cyber threat
indicators contain any personal information or information
identifying a specific person that does not directly relate to
a cyber threat. If so, the Federal Government must remove that
information. The Federal Government must implement a technical
capability configured to remove or exclude the information.
Section 3: Authorizations for preventing, detecting, analyzing, and
mitigating cybersecurity threats
Subsection (a)
Subsection (a) of this section authorizes private entities
to engage in defensive monitoring of their own networks and the
networks of non-Federal entities that have consented to
monitoring. Subsection (a) does not authorize the Federal
Government to conduct surveillance of any person.
Subsection (b)
Subsection (b) of this section authorizes private entities
to operate defensive measures on their own networks and the
networks of non-Federal entities that have consented to the
operation of defensive measures. Subsection (b) does not
authorize non-Federal entities to intentionally or recklessly
operate any defensive measure that destroys, render unusable or
inaccessible (in whole or in part), substantially harms, or
initiates a new action, process, or procedure on any network
that does not belong to them or to a non-Federal entity that
has not consented to the operation of those defensive measures.
As a result, subsection (b) does not authorize ``hacking back''
or any other form of cyber operation that takes place on
computers or networks without the consent of the owner of those
computers or networks.
Subsection (c)
Subsection (c) of this section authorizes non-Federal
entities, notwithstanding any other provision of law, to share
or receive cyber threat indicators or defensive measures for
cybersecurity purposes with other non-Federal entities. This
subsection also authorizes non-Federal entities to share or
receive cyber threat indicators or defensive measures with
appropriate Federal entities other than the Department of
Defense and the National Security Agency. Even so, subsection
(c) expressly states that companies may share cyber threat
information or defensive measures with the Department of
Defense and the National Security Agency if they are authorized
to do so by another applicable law or regulation.
Subsection (d)
Before sharing, non-Federal entities must, under the
requirements of subsection (d), take reasonable efforts to
review cyber threat indicators and defensive measures for any
personal information or information identifying a specific
person that does not directly relate to a cyber threat. If
cyber threat indicators or defensive measures contain that kind
of information, non-Federal entities must take reasonable
efforts to remove the information before sharing. Subsection
(d) also permits non-Federal entities to use cyber threat
indicators and defensive measures to monitor or operate
defensive measures on their own networks and the networks of
other non-Federal entities that have consented to the operation
of the defensive measures.
In addition, subsection (d) permits state and local
governments to use cyber threat indicators for certain law
enforcement purposes; the subsection also exempts those shared
cyber threat indicators from state and local disclosure laws.
Section 4: Sharing of cyber threat indicators and defensive measures
with appropriate Federal entities other than the Department of
Defense or the National Security Agency
Subsection (a)
Subsection (a) of this section amends Title I of the
National Security Act of 1947, as amended by Section 2 of the
Act, to add a subsection (b) to the newly created Section 111.
The new subsection requires the President to develop and submit
to Congress policies and procedures for the receipt of cyber
threat indicators and defensive measures by the Federal
Government. Those policies and procedures must ensure that,
when an appropriate Federal entity other than the Department of
Defense or the National Security Agency receives a cyber threat
indicator under Section 3 of the Act, that Federal entity
shares the cyber threat indicator in real time with all other
appropriate Federal entities, including all relevant components
of those other appropriate Federal entities. Among other
things, the procedures must also ensure that additional Federal
entities beyond the appropriate Federal entities receive cyber
threat indicators when those indicators are relevant.
Subsection (b)
Subsection (b) of this section requires the Attorney
General, in consultation with the heads of other appropriate
Federal entities, to develop and periodically review privacy
and civil liberties guidelines. The Attorney General guidelines
will govern the receipt, retention, use, and dissemination of
cyber threat indicators obtained by the Federal Government
under the Act. The guidelines must also establish, among other
things: a process for the prompt destruction of any personal
information or information identifying a specific person that
does not directly relate to a cyber threat; specific
limitations on the length of time for which a cyber threat
indicator can be retained; and a process to inform recipients
of cyber threat indicators that the indicators may only be used
for cybersecurity purposes. The Attorney General must submit an
interim version of the guidelines to Congress within 90 days of
the enactment of the Act and a final version within 180 days.
Subsection (c)
Subsection (c) of this section further amends Title I of
the National Security Act of 1947 by inserting a new Section
119B. That new section establishes the Cyber Threat
Intelligence Integration Center (CTIIC) within the Office of
the Director of National Intelligence. Section 119B also lays
out the missions of the CTIIC and imposes certain limitations
regarding the center's personnel and location.
Subsection (d)
Subsection (d) of this section states that the act of
sharing a cyber threat indicator with the Federal Government
does not constitute a waiver of any applicable privilege or
protection provided by law. The subsection also establishes
that cyber threat indicators shared with the Federal Government
remain the proprietary information of the sharing non-Federal
entity, are exempt from federal disclosure laws, and do not
constitute ex parte communications in a judicial or regulatory
proceeding.
Additionally, subsection (d) lays out the purposes for
which the Federal Government may use a cyber threat indicator
it receives from a non-Federal entity under the Act. The
Federal Government may use shared cyber threat indicators
solely for: a cybersecurity purpose; preventing or prosecuting
a threat of death or seriously bodily harm or an offense
arising out of such a threat; preventing or prosecuting a
serious threat to a minor, including sexual exploitation; or
preventing or prosecuting espionage, economic espionage,
serious violent felonies, and violations of the Computer Fraud
and Abuse Act.
Section 5: Federal Government liability for violations of privacy and
civil liberties
Section 5 creates a private cause of action against the
Federal Government if a department or agency intentionally or
willfully violates the privacy and civil liberties guidelines
issued by the Attorney General under Section 4(b) of the Act.
The section also establishes statutory damages for a violation
of the Attorney General guidelines, provides for reasonable
attorney fees for injured persons, specifies the possible
venues for an action, and creates a statute of limitations for
the new cause of action. Lastly, Section 5 clarifies that this
cause of action is the exclusive means available to a
complainant seeking a remedy for a violation of the Act by a
department or agency of the Federal Government.
Section 6: Protection from liability
This section states that no cause of action shall lie or be
maintained in any court against any private entity acting in
good faith for the monitoring of an information system or
information under Section 3(a) of the Act or for the sharing or
receipt of cyber threat indicators or defensive measures under
Section 3(c) of the Act. Section 6 nonetheless states that
nothing shall be construed to require the dismissal of a cause
of action against a non-Federal entity that has engaged in
willful misconduct in the course of conducting activities
authorized by the Act. Section 6 also defines the term
``willful misconduct'' for the purposes of the section and
establishes the standard by which a plaintiff may prove willful
misconduct.
Section 7: Oversight of Government activities
Subsection (a) of this section further amends Section 111
of the National Security Act of 1947, as created by the Act, to
require a biennial report by the Director of National
Intelligence, in consultation with the heads of other
appropriate Federal entities, on the implementation of the Act.
Subsection (b) of this section requires two reports on
privacy liberties. First, subsection (b) requires the Privacy
and Civil Liberties Oversight Board to submit to Congress a
biennial report on the privacy and civil liberties impact of
the Act. Second, subsection (b) requires the Inspectors General
of certain appropriate Federal entities, in consultation with
the Council of Inspectors General on Financial Oversight, to
jointly submit a biennial report to Congress on the receipt,
use, and dissemination of cyber threat indicators shared with
the Federal Government under the Act.
Both these reports would be made publicly available.
Section 8: Report on cybersecurity threats
This section requires the Director of National
Intelligence, in consultation with the heads of appropriate
elements of the Intelligence Community, to submit a report to
the congressional intelligence committees on cybersecurity
threats, including cyberattacks, theft, and data breaches. The
report shall be submitted in unclassified form, and must be
made publicly available, but may contain a classified annex.
Section 9: Construction and preemption
Section 9 contains a variety of construction and preemption
provisions to clarify the scope of the Act. Among other things,
these provisions make clear that nothing in the Act authorizes
the Department of Defense or any element of the Intelligence
Community, including the National Security Agency, to target a
person for surveillance. The provisions also state that nothing
in the Act shall be construed to limit or modify any existing
information-sharing relationships outside of the Act or
prohibit any new information-sharing relationships outside of
the Act.
The preemption provision of Section 9 expressly supersedes
any provision of state or local law that may restrict or
otherwise expressly regulate an activity authorized under the
Act. The intent of this provision is to preempt state and local
laws or regulations that may restrict the sharing of cyber
threat indicators as authorized by the Act. The provision is
not intended to preempt state and local laws that may encourage
or require sharing outside of the Act, including state and
local regulations and rules protecting critical infrastructure
information or risk assessments concerning critical
infrastructure.
Section 10: Conforming amendments
This section contains conforming amendments to Section
552(b) of title 5, United States Code.
Section 11: Definitions
Section 11 provides definitions for a number of key terms
used in the Act. These definitions--in particular, the
definitions of the terms ``cybersecurity purpose,'' ``cyber
threat,'' ``cyber threat indicator,'' and ``defensive
measure''--narrowly cabin the scope and breadth of the Act.
Oversight Findings and Recommendations
With respect to clause 3(c)(1) of rule XIII of the Rules of
the House of Representatives, the Committee held multiple
closed hearings and briefings on the classified intelligence
programs affected by H.R. 1560. The Committee also held an open
hearing on March 19, 2015, ``The Growing Cyber Threat and its
Impact on American Business.''
In previous Congresses, the Committee also held numerous
closed hearings and briefings on cyber threats. In addition,
the Committee held several open hearings on cyber threats in
past Congresses, including, ``Cybersecurity Threats: The Way
Forward,'' on November 20, 2014, and ``Advanced Cyber Threats
Facing Our Nation,'' on February 14, 2013.
The bill, as reported by the Committee, reflects
conclusions reached by the Committee in light of this oversight
activity.
General Performance Goals and Objectives
The goal and objective of H.R. 1560 is to improve
cybersecurity in the United States by providing clear legal
authority for the sharing of information about cybersecurity
threats between and among non-Federal entities and the Federal
Government.
Unfunded Mandate Statement
Section 423 of the Congressional Budget and Impoundment
Control Act (as amended by Section 101(a)(2) of the Unfunded
Mandates Reform Act, P.L. 104-4) requires a statement of
whether the provisions of the reported bill include unfunded
mandates. In compliance with this requirement, the Committee
has received a letter from the Congressional Budget Office
included herein.
Statement on Congressional Earmarks
Pursuant to clause 9 of rule XXI of the Rules of the House
of Representatives, the Committee states that the bill as
reported contains no congressional earmarks, limited tax
benefits, or limited tariff benefits.
Budget Authority and Congressional Budget Office Cost Estimate
With respect to clause 3(c)(2) of rule XIII of the Rules of
the House of Representatives and section 402 of the
Congressional Budget Act of 1974, the Committee has received
the following cost estimate for H.R. 1560 from the Director of
the Congressional Budget Office.
U.S. Congress,
Congressional Budget Office,
Washington, DC, April 13, 2015.
Hon. Devin Nunes,
Chairman, Permanent Select Committee on Intelligence,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 1560, the
Protecting Cyber Networks Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Jason
Wheelock.
Sincerely,
Keith Hall,
Director.
Enclosure.
H.R. 1560--Protecting Cyber Networks Act
Summary: H.R. 1560 would establish within the Office of the
Director of National Intelligence (ODNI) a center that would be
responsible for analyzing and integrating information from the
intelligence community related to cyber threats. In addition,
the bill would require the government to establish procedures
for sharing information and data on cyber threats between the
federal government and nonfederal entities. CBO estimates that
implementing the bill would cost $186 million over the 2016-
2020 period, assuming appropriation of the estimated amounts.
In addition, the bill would allow information shared with
the government to be used in certain criminal prosecutions,
which could increase federal revenues from fines as well as
direct spending from the Crime Victims Fund. However, CBO
anticipates that the number of cases that could be affected
would be small and that any additional revenues and spending
would be insignificant. Finally, section 5 of H.R. 1560 would
make the government liable if an agency or department were to
violate the privacy and civil liberty guidelines required by
the bill. While such liability could result in additional
direct spending, CBO does not have sufficient basis to estimate
the type or frequency of violations or budgetary impact that
might occur if the legislation was enacted. Because the bill
would affect direct spending and revenues, pay-as-you-go
procedure apply.
H.R. 1560 would impose intergovernmental and private-sector
mandates, as defined in the Unfunded Mandates Reform Act
(UMRA), by extending civil and criminal liability protection to
cybersecurity providers and other entities that monitor, share,
or use cyber threat information. Doing so would prevent public
and private entities from seeking compensation for damages from
those protected entities if they share or use cybersecurity
information. The bill also would impose additional
intergovernmental mandates on state and local governments by
preempting disclosure and liability laws and by preempting any
laws that restrict activities authorized by the bill.
Because of uncertainty about the number of cases that would
be limited and any foregone compensation that would result from
compensatory damages that might otherwise go to private-sector
entities, CBO cannot determine whether the costs of the mandate
would exceed the annual thresholds established in UMRA for
private-sector mandates ($154 million in 2015, adjusted
annually for inflation). The amount of cybersecurity
information shared by state, local, and tribal governments is
much smaller than that shared by the private sector, and public
entities are much less likely to bring lawsuits as plaintiffs
in such cases. Consequently, CBO estimates that the aggregate
costs of the mandates on public entities would fall below the
threshold for intergovernmental mandates ($77 million in 2015,
adjusted annually for inflation).
Estimated cost to the Federal Government: The estimated
budgetary effect of H.R. 1560 is shown in the following table.
The costs of this legislation fall within budget function 050
(national defense).
----------------------------------------------------------------------------------------------------------------
By fiscal year, in millions of dollars--
-------------------------------------------------------
2016 2017 2018 2019 2020 2016-2020
----------------------------------------------------------------------------------------------------------------
National Cyber Threat Intelligence and Integration
Center:
Estimated Authorization Level....................... 35 36 37 38 39 185
Estimated Outlays................................... 23 33 35 37 38 166
Oversight, Administration, and Reporting:
Estimated Authorization Level....................... 4 4 4 4 4 20
Estimated Outlays................................... 4 4 4 4 4 20
Total Changes:
Estimated Authorization Level................... 39 40 41 42 43 205
Estimated Outlays............................... 27 37 39 41 42 186
----------------------------------------------------------------------------------------------------------------
Basis of estimate: For this estimate, CBO assumes that the
legislation will be enacted near the end of fiscal year 2015,
and that outlays will be similar to historical spending
patterns for similar activities.
National Cyber Threat Intelligence and Integration Center
The bill would establish a National Cyber Threat
Intelligence Integration Center (CTIIC) that would be
responsible for analyzing, integrating, and disseminating
intelligence on cyber threats within the federal government. In
February, based on authority in current law to establish
intelligence centers, the President announced his intention to
establish a CTIIC within the ODNI; however, the process for
establishing and creating an operational center has not been
completed. H.R. 1560 would require such a center to have a
maximum of 50 permanent positions. CBO estimates, based on
publicly available information regarding the planned center,
the personnel ceiling in H.R. 1560, and budget data from the
Office of Management and Budget (OMB), that implementing this
provision would cost approximately $166 million over the 2016-
2020 period, assuming appropriation of the estimated amounts.
Oversight, administration, and reporting
H.R. 1560 also would require the government to establish
procedures to be followed when information on cyber threats is
shared between the government and nonfederal entities, such as
requiring personal data to be expunged from shared information.
The bill also would require the government to audit the process
for sharing information with nonfederal entities and would
require additional reports to the Congress on cyber
intelligence sharing. CBO anticipates that approximately 20
additional personnel would be needed to administer the program,
prepare the required reports, and manage the exchange of
information between the government and nonfederal entities
(such as state, local, and tribal governments and private
companies). Based on information from the Department of
Homeland Security, OMB, and other cybersecurity experts, CBO
estimates that the requirements imposed by H.R. 1560 would cost
approximately $20 million over the 2016-2020 period, assuming
appropriation of the estimated amounts.
Pay-As-You-Go considerations: The Statutory Pay-As-You-Go
Act of 2010 establishes budget-reporting and enforcement
procedures for legislation affecting direct spending or
revenues. Enacting H.R. 1560 would affect direct spending and
revenues because the bill would allow information shared with
the government to be used in investigating and prosecuting
certain violent crimes. Any additional convictions that result
could increase the collection of fines. Criminal fines are
recorded as revenues, deposited in the Crime Victims Fund, and
later spent. CBO expects that additional revenues and direct
spending would not be significant because of the small number
of cases likely to be effected.
In addition, section 5 of H.R. 1560 would allow a person to
collect damages and attorney's fees if a federal agency or
department violates the privacy and civil liberty guidelines
required to be issued under the bill. Any costs to the federal
government for such cases would constitute direct spending.
However, because the types of violations and the frequency with
which they might occur would depend on guidelines that have not
yet been established, CBO does not have a sufficient basis to
estimate the effect of this provision.
Intergovernmental and private-sector impact: H.R. 1560
would impose intergovernmental and private-sector mandates as
defined in UMRA, by extending civil and criminal liability
protection to cybersecurity providers and other entities that
monitor, share, or use cyber threat information. Doing so would
prevent public and private entities from seeking compensation
for damages from those protected entities for sharing or using
cybersecurity information. The bill also would impose
additional intergovernmental mandates on state and local
governments by preempting disclosure and liability laws and by
preempting any laws that restrict the cybersecurity monitoring,
sharing, and countermeasure activities authorized by the bill.
Because of uncertainty about the number of cases that would
be limited and any foregone compensation that would result from
compensatory damages that might otherwise go to private-sector
entities, CBO cannot determine whether the costs of the mandate
would exceed the annual thresholds established in UMRA for
private-sector mandates ($154 million in 2015, adjusted
annually for inflation). The amount of cybersecurity
information shared by state, local, and tribal governments is
much smaller than that shared by the private sector, and public
entities are much less likely to bring lawsuits as plaintiffs
in such cases. Consequently, CBO estimates that the aggregate
costs of the mandates on public entities would fall below the
threshold for intergovernmental mandates ($77 million in 2015,
adjusted annually for inflation).
Estimate prepared by: Federal costs: Jason Wheelock; Impact
on state, local, and tribal governments: Jon Sperl; Impact on
the Private Sector: Paige Piper/Bach.
Estimate approved by: Theresa Gullo, Assistant Director for
Budget Analysis.
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italic, and existing law in which no
change is proposed is shown in roman):
NATIONAL SECURITY ACT OF 1947
short title
That this Act may be cited as the ``National Security Act of
1947''.
TABLE OF CONTENTS
* * * * * * *
Title I--Coordination for National Security
* * * * * * *
Sec. 111. Sharing of cyber threat indicators and defensive measures by
the Federal Government with non-Federal entities.
* * * * * * *
[Sec. 119B. National intelligence centers.]
Sec. 119B. Cyber Threat Intelligence Integration Center.
Sec. 119C. National intelligence centers.
* * * * * * *
TITLE I--COORDINATION FOR NATIONAL SECURITY
* * * * * * *
SEC. 111. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES BY
THE FEDERAL GOVERNMENT WITH NON-FEDERAL ENTITIES.
(a) Sharing by the Federal Government.--
(1) In general.--Consistent with the protection of
classified information, intelligence sources and
methods, and privacy and civil liberties, the Director
of National Intelligence, in consultation with the
heads of the other appropriate Federal entities, shall
develop and promulgate procedures to facilitate and
promote--
(A) the timely sharing of classified cyber
threat indicators in the possession of the
Federal Government with representatives of
relevant non-Federal entities with appropriate
security clearances;
(B) the timely sharing with relevant non-
Federal entities of cyber threat indicators or
information in the possession of the Federal
Government that may be declassified and shared
at an unclassified level; and
(C) the sharing with non-Federal entities, if
appropriate, of information in the possession
of the Federal Government about imminent or
ongoing cybersecurity threats to such entities
to prevent or mitigate adverse impacts from
such cybersecurity threats.
(2) Development of procedures.--The procedures
developed and promulgated under paragraph (1) shall--
(A) ensure the Federal Government has and
maintains the capability to share cyber threat
indicators in real time consistent with the
protection of classified information;
(B) incorporate, to the greatest extent
practicable, existing processes and existing
roles and responsibilities of Federal and non-
Federal entities for information sharing by the
Federal Government, including sector-specific
information sharing and analysis centers;
(C) include procedures for notifying non-
Federal entities that have received a cyber
threat indicator from a Federal entity in
accordance with this Act that is known or
determined to be in error or in contravention
of the requirements of this section, the
Protecting Cyber Networks Act, or the
amendments made by such Act or another
provision of Federal law or policy of such
error or contravention;
(D) include requirements for Federal entities
receiving a cyber threat indicator or defensive
measure to implement appropriate security
controls to protect against unauthorized access
to, or acquisition of, such cyber threat
indicator or defensive measure;
(E) include procedures that require Federal
entities, prior to the sharing of a cyber
threat indicator, to--
(i) review such cyber threat
indicator to assess whether such cyber
threat indicator, in contravention of
the requirement under section 3(d)(2)
of the Protecting Cyber Networks Act,
contains any information that such
Federal entity knows at the time of
sharing to be personal information of
or information identifying a specific
person not directly related to a
cybersecurity threat and remove such
information; or
(ii) implement a technical capability
configured to remove or exclude any
personal information of or information
identifying a specific person not
directly related to a cybersecurity
threat; and
(F) include procedures to promote the
efficient granting of security clearances to
appropriate representatives of non-Federal
entities.
(b) Policies and Procedures for Sharing With the Appropriate
Federal Entities Other Than the Department of Defense or the
National Security Agency.--
(1) Establishment.--The President shall develop and
submit to Congress policies and procedures relating to
the receipt of cyber threat indicators and defensive
measures by the Federal Government.
(2) Requirements concerning policies and
procedures.--The policies and procedures required under
paragraph (1) shall--
(A) be developed in accordance with the
privacy and civil liberties guidelines required
under section 4(b) of the Protecting Cyber
Networks Act;
(B) ensure that--
(i) a cyber threat indicator shared
by a non-Federal entity with an
appropriate Federal entity (other than
the Department of Defense or any
component of the Department, including
the National Security Agency) pursuant
to section 3 of such Act is shared in
real-time with all of the appropriate
Federal entities (including all
relevant components thereof);
(ii) the sharing of such cyber threat
indicator with appropriate Federal
entities is not subject to any delay,
modification, or any other action
without good cause that could impede
receipt by all of the appropriate
Federal entities; and
(iii) such cyber threat indicator is
provided to each other Federal entity
to which such cyber threat indicator is
relevant; and
(C) ensure there--
(i) is an audit capability; and
(ii) are appropriate sanctions in
place for officers, employees, or
agents of a Federal entity who
knowingly and willfully use a cyber
threat indicator or defense measure
shared with the Federal Government by a
non-Federal entity under the Protecting
Cyber Networks Act other than in
accordance with this section and such
Act.
(c) Biennial Report on Implementation.--
(1) In general.--Not less frequently than once every
two years, the Director of National Intelligence, in
consultation with the heads of the other appropriate
Federal entities, shall submit to Congress a report
concerning the implementation of this section and the
Protecting Cyber Networks Act.
(2) Contents.--Each report submitted under paragraph
(1) shall include the following:
(A) An assessment of the sufficiency of the
policies, procedures, and guidelines required
by this section and section 4 of the Protecting
Cyber Networks Act in ensuring that cyber
threat indicators are shared effectively and
responsibly within the Federal Government.
(B) An assessment of whether the procedures
developed under section 3 of such Act comply
with the goals described in subparagraphs (A),
(B), and (C) of subsection (a)(1).
(C) An assessment of whether cyber threat
indicators have been properly classified and an
accounting of the number of security clearances
authorized by the Federal Government for the
purposes of this section and such Act.
(D) A review of the type of cyber threat
indicators shared with the Federal Government
under this section and such Act, including the
following:
(i) The degree to which such
information may impact the privacy and
civil liberties of specific persons.
(ii) A quantitative and qualitative
assessment of the impact of the sharing
of such cyber threat indicators with
the Federal Government on privacy and
civil liberties of specific persons.
(iii) The adequacy of any steps taken
by the Federal Government to reduce
such impact.
(E) A review of actions taken by the Federal
Government based on cyber threat indicators
shared with the Federal Government under this
section or such Act, including the
appropriateness of any subsequent use or
dissemination of such cyber threat indicators
by a Federal entity under this section or
section 4 of such Act.
(F) A description of any significant
violations of the requirements of this section
or such Act by the Federal Government--
(i) an assessment of all reports of
officers, employees, and agents of the
Federal Government misusing information
provided to the Federal Government
under the Protecting Cyber Networks Act
or this section, without regard to
whether the misuse was knowing or
wilful; and
(ii) an assessment of all
disciplinary actions taken against such
officers, employees, and agents.
(G) A summary of the number and type of non-
Federal entities that received classified cyber
threat indicators from the Federal Government
under this section or such Act and an
evaluation of the risks and benefits of sharing
such cyber threat indicators.
(H) An assessment of any personal information
of or information identifying a specific person
not directly related to a cybersecurity threat
that--
(i) was shared by a non-Federal
entity with the Federal Government
under this Act in contravention of
section 3(d)(2); or
(ii) was shared within the Federal
Government under this Act in
contravention of the guidelines
required by section 4(b).
(3) Recommendations.--Each report submitted under
paragraph (1) may include such recommendations as the
heads of the appropriate Federal entities may have for
improvements or modifications to the authorities and
processes under this section or such Act.
(4) Form of report.--Each report required by
paragraph (1) shall be submitted in unclassified form,
but may include a classified annex.
(5) Public availability of reports.--The Director of
National Intelligence shall make publicly available the
unclassified portion of each report required by
paragraph (1).
(d) Definitions.--In this section, the terms ``appropriate
Federal entities'', ``cyber threat indicator'', ``defensive
measure'', ``Federal entity'', and ``non-Federal entity'' have
the meaning given such terms in section 11 of the Protecting
Cyber Networks Act.
* * * * * * *
SEC. 119B. CYBER THREAT INTELLIGENCE INTEGRATION CENTER.
(a) Establishment.--There is within the Office of the
Director of National Intelligence a Cyber Threat Intelligence
Integration Center.
(b) Director.--There is a Director of the Cyber Threat
Intelligence Integration Center, who shall be the head of the
Cyber Threat Intelligence Integration Center, and who shall be
appointed by the Director of National Intelligence.
(c) Primary Missions.--The Cyber Threat Intelligence
Integration Center shall--
(1) serve as the primary organization within the
Federal Government for analyzing and integrating all
intelligence possessed or acquired by the United States
pertaining to cyber threats;
(2) ensure that appropriate departments and agencies
have full access to and receive all-source intelligence
support needed to execute the cyber threat intelligence
activities of such agencies and to perform independent,
alternative analyses;
(3) disseminate cyber threat analysis to the
President, the appropriate departments and agencies of
the Federal Government, and the appropriate committees
of Congress;
(4) coordinate cyber threat intelligence activities
of the departments and agencies of the Federal
Government; and
(5) conduct strategic cyber threat intelligence
planning for the Federal Government.
(d) Limitations.--The Cyber Threat Intelligence Integration
Center shall--
(1) have not more than 50 permanent positions;
(2) in carrying out the primary missions of the
Center described in subsection (c), may not augment
staffing through detailees, assignees, or core
contractor personnel or enter into any personal
services contracts to exceed the limitation under
paragraph (1); and
(3) be located in a building owned or operated by an
element of the intelligence community as of the date of
the enactment of this section.
national intelligence centers
Sec. [119B.] 119C. (a) Authority To Establish.--The Director
of National Intelligence may establish one or more national
intelligence centers to address intelligence priorities,
including, but not limited to, regional issues.
(b) Resources of Directors of Centers.--(1) The Director of
National Intelligence shall ensure that the head of each
national intelligence center under subsection (a) has
appropriate authority, direction, and control of such center,
and of the personnel assigned to such center, to carry out the
assigned mission of such center.
(2) The Director of National Intelligence shall ensure that
each national intelligence center has appropriate personnel to
accomplish effectively the mission of such center.
(c) Information Sharing.--The Director of National
Intelligence shall, to the extent appropriate and practicable,
ensure that each national intelligence center under subsection
(a) and the other elements of the intelligence community share
information in order to facilitate the mission of such center.
(d) Mission of Centers.--Pursuant to the direction of the
Director of National Intelligence, each national intelligence
center under subsection (a) may, in the area of intelligence
responsibility assigned to such center--
(1) have primary responsibility for providing all-
source analysis of intelligence based upon intelligence
gathered both domestically and abroad;
(2) have primary responsibility for identifying and
proposing to the Director of National Intelligence
intelligence collection and analysis and production
requirements; and
(3) perform such other duties as the Director of
National Intelligence shall specify.
(e) Review and Modification of Centers.--The Director of
National Intelligence shall determine on a regular basis
whether--
(1) the area of intelligence responsibility assigned
to each national intelligence center under subsection
(a) continues to meet appropriate intelligence
priorities; and
(2) the staffing and management of such center
remains appropriate for the accomplishment of the
mission of such center.
(f) Termination.--The Director of National Intelligence may
terminate any national intelligence center under subsection
(a).
(g) Separate Budget Account.--The Director of National
Intelligence shall, as appropriate, include in the National
Intelligence Program budget a separate line item for each
national intelligence center under subsection (a).
* * * * * * *
----------
INTELLIGENCE REFORM AND TERRORISM PREVENTION ACT OF 2004
* * * * * * *
TITLE I--REFORM OF THE INTELLIGENCE COMMUNITY
* * * * * * *
Subtitle F--Privacy and Civil Liberties
SEC. 1061. PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD.
(a) In General.--There is established as an independent
agency within the executive branch a Privacy and Civil
Liberties Oversight Board (referred to in this section as the
``Board'').
(b) Findings.--Consistent with the report of the National
Commission on Terrorist Attacks Upon the United States,
Congress makes the following findings:
(1) In conducting the war on terrorism, the
Government may need additional powers and may need to
enhance the use of its existing powers.
(2) This shift of power and authority to the
Government calls for an enhanced system of checks and
balances to protect the precious liberties that are
vital to our way of life and to ensure that the
Government uses its powers for the purposes for which
the powers were given.
(3) The National Commission on Terrorist Attacks Upon
the United States correctly concluded that ``The choice
between security and liberty is a false choice, as
nothing is more likely to endanger America's liberties
than the success of a terrorist attack at home. Our
history has shown us that insecurity threatens liberty.
Yet, if our liberties are curtailed, we lose the values
that we are struggling to defend.''.
(c) Purpose.--The Board shall--
(1) analyze and review actions the executive branch
takes to protect the Nation from terrorism, ensuring
that the need for such actions is balanced with the
need to protect privacy and civil liberties; and
(2) ensure that liberty concerns are appropriately
considered in the development and implementation of
laws, regulations, and policies related to efforts to
protect the Nation against terrorism.
(d) Functions.--
(1) Advice and counsel on policy development and
implementation.--The Board shall--
(A) review proposed legislation, regulations,
and policies related to efforts to protect the
Nation from terrorism, including the
development and adoption of information sharing
guidelines under subsections (d) and (f) of
section 1016;
(B) review the implementation of new and
existing legislation, regulations, and policies
related to efforts to protect the Nation from
terrorism, including the implementation of
information sharing guidelines under
subsections (d) and (f) of section 1016;
(C) advise the President and the departments,
agencies, and elements of the executive branch
to ensure that privacy and civil liberties are
appropriately considered in the development and
implementation of such legislation,
regulations, policies, and guidelines; and
(D) in providing advice on proposals to
retain or enhance a particular governmental
power, consider whether the department, agency,
or element of the executive branch has
established--
(i) that the need for the power is
balanced with the need to protect
privacy and civil liberties;
(ii) that there is adequate
supervision of the use by the executive
branch of the power to ensure
protection of privacy and civil
liberties; and
(iii) that there are adequate
guidelines and oversight to properly
confine its use.
(2) Oversight.--The Board shall continually review--
(A) the regulations, policies, and
procedures, and the implementation of the
regulations, policies, and procedures, of the
departments, agencies, and elements of the
executive branch relating to efforts to protect
the Nation from terrorism to ensure that
privacy and civil liberties are protected;
(B) the information sharing practices of the
departments, agencies, and elements of the
executive branch relating to efforts to protect
the Nation from terrorism to determine whether
they appropriately protect privacy and civil
liberties and adhere to the information sharing
guidelines issued or developed under
subsections (d) and (f) of section 1016 and to
other governing laws, regulations, and policies
regarding privacy and civil liberties; and
(C) other actions by the executive branch
relating to efforts to protect the Nation from
terrorism to determine whether such actions--
(i) appropriately protect privacy and
civil liberties; and
(ii) are consistent with governing
laws, regulations, and policies
regarding privacy and civil liberties.
(3) Relationship with privacy and civil liberties
officers.--The Board shall--
(A) receive and review reports and other
information from privacy officers and civil
liberties officers under section 1062;
(B) when appropriate, make recommendations to
such privacy officers and civil liberties
officers regarding their activities; and
(C) when appropriate, coordinate the
activities of such privacy officers and civil
liberties officers on relevant interagency
matters.
(4) Testimony.--The members of the Board shall appear
and testify before Congress upon request.
(e) Reports.--
(1) In general.--The Board shall--
(A) receive and review reports from privacy
officers and civil liberties officers under
section 1062; and
(B) periodically submit, not less than
semiannually, reports--
(i)(I) to the appropriate committees
of Congress, including the Committee on
the Judiciary of the Senate, the
Committee on the Judiciary of the House
of Representatives, the Committee on
Homeland Security and Governmental
Affairs of the Senate, the Committee on
Homeland Security of the House of
Representatives, the Committee on
Oversight and Government Reform of the
House of Representatives, the Select
Committee on Intelligence of the
Senate, and the Permanent Select
Committee on Intelligence of the House
of Representatives; and
(II) to the President; and
(ii) which shall be in unclassified
form to the greatest extent possible,
with a classified annex where
necessary.
(2) Contents.--Not less than 2 reports submitted each
year under paragraph (1)(B) shall include--
(A) a description of the major activities of
the Board during the preceding period;
(B) information on the findings, conclusions,
and recommendations of the Board resulting from
its advice and oversight functions under
subsection (d);
(C) the minority views on any findings,
conclusions, and recommendations of the Board
resulting from its advice and oversight
functions under subsection (d);
(D) each proposal reviewed by the Board under
subsection (d)(1) that--
(i) the Board advised against
implementation; and
(ii) notwithstanding such advice,
actions were taken to implement; and
(E) for the preceding period, any requests
submitted under subsection (g)(1)(D) for the
issuance of subpoenas that were modified or
denied by the Attorney General.
(3) Biennial report on certain cyber activities.--
(A) Report required.--The Privacy and Civil
Liberties Oversight Board shall biennially
submit to Congress and the President a report
containing--
(i) an assessment of the privacy and
civil liberties impact of the
activities carried out under the
Protecting Cyber Networks Act and the
amendments made by such Act; and
(ii) an assessment of the sufficiency
of the policies, procedures, and
guidelines established pursuant to
section 4 of the Protecting Cyber
Networks Act and the amendments made by
such section 4 in addressing privacy
and civil liberties concerns.
(B) Recommendations.--Each report submitted
under this paragraph may include such
recommendations as the Privacy and Civil
Liberties Oversight Board may have for
improvements or modifications to the
authorities under the Protecting Cyber Networks
Act or the amendments made by such Act.
(C) Form.--Each report required under this
paragraph shall be submitted in unclassified
form, but may include a classified annex.
(D) Public availability of reports.--The
Privacy and Civil Liberties Oversight Board
shall make publicly available the unclassified
portion of each report required by subparagraph
(A).
(f) Informing the Public.--The Board shall--
(1) make its reports, including its reports to
Congress, available to the public to the greatest
extent that is consistent with the protection of
classified information and applicable law; and
(2) hold public hearings and otherwise inform the
public of its activities, as appropriate and in a
manner consistent with the protection of classified
information and applicable law.
(g) Access to Information.--
(1) Authorization.--If determined by the Board to be
necessary to carry out its responsibilities under this
section, the Board is authorized to--
(A) have access from any department, agency,
or element of the executive branch, or any
Federal officer or employee of any such
department, agency, or element, to all relevant
records, reports, audits, reviews, documents,
papers, recommendations, or other relevant
material, including classified information
consistent with applicable law;
(B) interview, take statements from, or take
public testimony from personnel of any
department, agency, or element of the executive
branch, or any Federal officer or employee of
any such department, agency, or element;
(C) request information or assistance from
any State, tribal, or local government; and
(D) at the direction of a majority of the
members of the Board, submit a written request
to the Attorney General of the United States
that the Attorney General require, by subpoena,
persons (other than departments, agencies, and
elements of the executive branch) to produce
any relevant information, documents, reports,
answers, records, accounts, papers, and other
documentary or testimonial evidence.
(2) Review of subpoena request.--
(A) In general.--Not later than 30 days after
the date of receipt of a request by the Board
under paragraph (1)(D), the Attorney General
shall--
(i) issue the subpoena as requested;
or
(ii) provide the Board, in writing,
with an explanation of the grounds on
which the subpoena request has been
modified or denied.
(B) Notification.--If a subpoena request is
modified or denied under subparagraph (A)(ii),
the Attorney General shall, not later than 30
days after the date of that modification or
denial, notify the Committee on the Judiciary
of the Senate and the Committee on the
Judiciary of the House of Representatives.
(3) Enforcement of subpoena.--In the case of
contumacy or failure to obey a subpoena issued pursuant
to paragraph (1)(D), the United States district court
for the judicial district in which the subpoenaed
person resides, is served, or may be found may issue an
order requiring such person to produce the evidence
required by such subpoena.
(4) Agency cooperation.--Whenever information or
assistance requested under subparagraph (A) or (B) of
paragraph (1) is, in the judgment of the Board,
unreasonably refused or not provided, the Board shall
report the circumstances to the head of the department,
agency, or element concerned without delay. The head of
the department, agency, or element concerned shall
ensure that the Board is given access to the
information, assistance, material, or personnel the
Board determines to be necessary to carry out its
functions.
(h) Membership.--
(1) Members.--The Board shall be composed of a full-
time chairman and 4 additional members, who shall be
appointed by the President, by and with the advice and
consent of the Senate.
(2) Qualifications.--Members of the Board shall be
selected solely on the basis of their professional
qualifications, achievements, public stature, expertise
in civil liberties and privacy, and relevant
experience, and without regard to political
affiliation, but in no event shall more than 3 members
of the Board be members of the same political party.
The President shall, before appointing an individual
who is not a member of the same political party as the
President, consult with the leadership of that party,
if any, in the Senate and House of Representatives.
(3) Incompatible office.--An individual appointed to
the Board may not, while serving on the Board, be an
elected official, officer, or employee of the Federal
Government, other than in the capacity as a member of
the Board.
(4) Term.--Each member of the Board shall serve a
term of 6 years, except that--
(A) a member appointed to a term of office
after the commencement of such term may serve
under such appointment only for the remainder
of such term; and
(B) upon the expiration of the term of office
of a member, the member shall continue to serve
until the member's successor has been appointed
and qualified, except that no member may serve
under this subparagraph--
(i) for more than 60 days when
Congress is in session unless a
nomination to fill the vacancy shall
have been submitted to the Senate; or
(ii) after the adjournment sine die
of the session of the Senate in which
such nomination is submitted.
(5) Quorum and meetings.--The Board shall meet upon
the call of the chairman or a majority of its members.
Three members of the Board shall constitute a quorum.
(i) Compensation and Travel Expenses.--
(1) Compensation.--
(A) Chairman.--The chairman of the Board
shall be compensated at the rate of pay payable
for a position at level III of the Executive
Schedule under section 5314 of title 5, United
States Code.
(B) Members.--Each member of the Board shall
be compensated at a rate of pay payable for a
position at level IV of the Executive Schedule
under section 5315 of title 5, United States
Code, for each day during which that member is
engaged in the actual performance of the duties
of the Board.
(2) Travel expenses.--Members of the Board shall be
allowed travel expenses, including per diem in lieu of
subsistence, at rates authorized for persons employed
intermittently by the Government under section 5703(b)
of title 5, United States Code, while away from their
homes or regular places of business in the performance
of services for the Board.
(j) Staff.--
(1) Appointment and compensation.--The chairman of
the Board, in accordance with rules agreed upon by the
Board, shall appoint and fix the compensation of a
full-time executive director and such other personnel
as may be necessary to enable the Board to carry out
its functions, without regard to the provisions of
title 5, United States Code, governing appointments in
the competitive service, and without regard to the
provisions of chapter 51 and subchapter III of chapter
53 of such title relating to classification and General
Schedule pay rates, except that no rate of pay fixed
under this subsection may exceed the equivalent of that
payable for a position at level V of the Executive
Schedule under section 5316 of title 5, United States
Code.
(2) Detailees.--Any Federal employee may be detailed
to the Board without reimbursement from the Board, and
such detailee shall retain the rights, status, and
privileges of the detailee's regular employment without
interruption.
(3) Consultant services.--The Board may procure the
temporary or intermittent services of experts and
consultants in accordance with section 3109 of title 5,
United States Code, at rates that do not exceed the
daily rate paid a person occupying a position at level
IV of the Executive Schedule under section 5315 of such
title.
(k) Security Clearances.--
(1) In general.--The appropriate departments,
agencies, and elements of the executive branch shall
cooperate with the Board to expeditiously provide the
Board members and staff with appropriate security
clearances to the extent possible under existing
procedures and requirements.
(2) Rules and procedures.--After consultation with
the Secretary of Defense, the Attorney General, and the
Director of National Intelligence, the Board shall
adopt rules and procedures of the Board for physical,
communications, computer, document, personnel, and
other security relating to carrying out the functions
of the Board.
(l) Treatment as Agency, Not as Advisory Committee.--The
Board--
(1) is an agency (as defined in section 551(1) of
title 5, United States Code); and
(2) is not an advisory committee (as defined in
section 3(2) of the Federal Advisory Committee Act (5
U.S.C. App.)).
(m) Authorization of Appropriations.--There are authorized to
be appropriated to carry out this section amounts as follows:
(1) For fiscal year 2008, $5,000,000.
(2) For fiscal year 2009, $6,650,000.
(3) For fiscal year 2010, $8,300,000.
(4) For fiscal year 2011, $10,000,000.
(5) For fiscal year 2012 and each subsequent fiscal
year, such sums as may be necessary.
* * * * * * *
----------
TITLE 5, UNITED STATES CODE
* * * * * * *
PART I--THE AGENCIES GENERALLY
* * * * * * *
CHAPTER 5--ADMINISTRATIVE PROCEDURE
* * * * * * *
Subchapter II--ADMINISTRATIVE PROCEDURE
* * * * * * *
Sec. 552. Public information; agency rules, opinions, orders, records,
and proceedings
(a) Each agency shall make available to the public
information as follows:
(1) Each agency shall separately state and currently publish
in the Federal Register for the guidance of the public--
(A) descriptions of its central and field
organization and the established places at which, the
employees (and in the case of a uniformed service, the
members) from whom, and the methods whereby, the public
may obtain information, make submittals or requests, or
obtain decisions;
(B) statements of the general course and method by
which its functions are channeled and determined,
including the nature and requirements of all formal and
informal procedures available;
(C) rules of procedure, descriptions of forms
available or the places at which forms may be obtained,
and instructions as to the scope and contents of all
papers, reports, or examinations;
(D) substantive rules of general applicability
adopted as authorized by law, and statements of general
policy or interpretations of general applicability
formulated and adopted by the agency; and
(E) each amendment, revision, or repeal of the
foregoing.
Except to the extent that a person has actual and timely notice
of the terms thereof, a person may not in any manner be
required to resort to, or be adversely affected by, a matter
required to be published in the Federal Register and not so
published. For the purpose of this paragraph, matter reasonably
available to the class of persons affected thereby is deemed
published in the Federal Register when incorporated by
reference therein with the approval of the Director of the
Federal Register.
(2) Each agency, in accordance with published rules, shall
make available for public inspection and copying--
(A) final opinions, including concurring and
dissenting opinions, as well as orders, made in the
adjudication of cases;
(B) those statements of policy and interpretations
which have been adopted by the agency and are not
published in the Federal Register;
(C) administrative staff manuals and instructions to
staff that affect a member of the public;
(D) copies of all records, regardless of form or
format, which have been released to any person under
paragraph (3) and which, because of the nature of their
subject matter, the agency determines have become or
are likely to become the subject of subsequent requests
for substantially the same records; and
(E) a general index of the records referred to under
subparagraph (D);
unless the materials are promptly published and copies offered
for sale. For records created on or after November 1, 1996,
within one year after such date, each agency shall make such
records available, including by computer telecommunications or,
if computer telecommunications means have not been established
by the agency, by other electronic means. To the extent
required to prevent a clearly unwarranted invasion of personal
privacy, an agency may delete identifying details when it makes
available or publishes an opinion, statement of policy,
interpretation, staff manual, instruction, or copies of records
referred to in subparagraph (D). However, in each case the
justification for the deletion shall be explained fully in
writing, and the extent of such deletion shall be indicated on
the portion of the record which is made available or published,
unless including that indication would harm an interest
protected by the exemption in subsection (b) under which the
deletion is made. If technically feasible, the extent of the
deletion shall be indicated at the place in the record where
the deletion was made. Each agency shall also maintain and make
available for public inspection and copying current indexes
providing identifying information for the public as to any
matter issued, adopted, or promulgated after July 4, 1967, and
required by this paragraph to be made available or published.
Each agency shall promptly publish, quarterly or more
frequently, and distribute (by sale or otherwise) copies of
each index or supplements thereto unless it determines by order
published in the Federal Register that the publication would be
unnecessary and impracticable, in which case the agency shall
nonetheless provide copies of such index on request at a cost
not to exceed the direct cost of duplication. Each agency shall
make the index referred to in subparagraph (E) available by
computer telecommunications by December 31, 1999. A final
order, opinion, statement of policy, interpretation, or staff
manual or instruction that affects a member of the public may
be relied on, used, or cited as precedent by an agency against
a party other than an agency only if--
(i) it has been indexed and either made available or
published as provided by this paragraph; or
(ii) the party has actual and timely notice of the
terms thereof.
(3)(A) Except with respect to the records made available
under paragraphs (1) and (2) of this subsection, and except as
provided in subparagraph (E), each agency, upon any request for
records which (i) reasonably describes such records and (ii) is
made in accordance with published rules stating the time,
place, fees (if any), and procedures to be followed, shall make
the records promptly available to any person.
(B) In making any record available to a person under this
paragraph, an agency shall provide the record in any form or
format requested by the person if the record is readily
reproducible by the agency in that form or format. Each agency
shall make reasonable efforts to maintain its records in forms
or formats that are reproducible for purposes of this section.
(C) In responding under this paragraph to a request for
records, an agency shall make reasonable efforts to search for
the records in electronic form or format, except when such
efforts would significantly interfere with the operation of the
agency's automated information system.
(D) For purposes of this paragraph, the term ``search'' means
to review, manually or by automated means, agency records for
the purpose of locating those records which are responsive to a
request.
(E) An agency, or part of an agency, that is an element of
the intelligence community (as that term is defined in section
3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4)))
shall not make any record available under this paragraph to--
(i) any government entity, other than a State,
territory, commonwealth, or district of the United
States, or any subdivision thereof; or
(ii) a representative of a government entity
described in clause (i).
(4)(A)(i) In order to carry out the provisions of this
section, each agency shall promulgate regulations, pursuant to
notice and receipt of public comment, specifying the schedule
of fees applicable to the processing of requests under this
section and establishing procedures and guidelines for
determining when such fees should be waived or reduced. Such
schedule shall conform to the guidelines which shall be
promulgated, pursuant to notice and receipt of public comment,
by the Director of the Office of Management and Budget and
which shall provide for a uniform schedule of fees for all
agencies.
(ii) Such agency regulations shall provide that--
(I) fees shall be limited to reasonable standard
charges for document search, duplication, and review,
when records are requested for commercial use;
(II) fees shall be limited to reasonable standard
charges for document duplication when records are not
sought for commercial use and the request is made by an
educational or noncommercial scientific institution,
whose purpose is scholarly or scientific research; or a
representative of the news media; and
(III) for any request not described in (I) or (II),
fees shall be limited to reasonable standard charges
for document search and duplication.
In this clause, the term ``a representative of the news media''
means any person or entity that gathers information of
potential interest to a segment of the public, uses its
editorial skills to turn the raw materials into a distinct
work, and distributes that work to an audience. In this clause,
the term ``news'' means information that is about current
events or that would be of current interest to the public.
Examples of news-media entities are television or radio
stations broadcasting to the public at large and publishers of
periodicals (but only if such entities qualify as disseminators
of ``news'') who make their products available for purchase by
or subscription by or free distribution to the general public.
These examples are not all-inclusive. Moreover, as methods of
news delivery evolve (for example, the adoption of the
electronic dissemination of newspapers through
telecommunications services), such alternative media shall be
considered to be news-media entities. A freelance journalist
shall be regarded as working for a news-media entity if the
journalist can demonstrate a solid basis for expecting
publication through that entity, whether or not the journalist
is actually employed by the entity. A publication contract
would present a solid basis for such an expectation; the
Government may also consider the past publication record of the
requester in making such a determination.
(iii) Documents shall be furnished without any charge or at a
charge reduced below the fees established under clause (ii) if
disclosure of the information is in the public interest because
it is likely to contribute significantly to public
understanding of the operations or activities of the government
and is not primarily in the commercial interest of the
requester.
(iv) Fee schedules shall provide for the recovery of only the
direct costs of search, duplication, or review. Review costs
shall include only the direct costs incurred during the initial
examination of a document for the purposes of determining
whether the documents must be disclosed under this section and
for the purposes of withholding any portions exempt from
disclosure under this section. Review costs may not include any
costs incurred in resolving issues of law or policy that may be
raised in the course of processing a request under this
section. No fee may be charged by any agency under this
section--
(I) if the costs of routine collection and processing
of the fee are likely to equal or exceed the amount of
the fee; or
(II) for any request described in clause (ii) (II) or
(III) of this subparagraph for the first two hours of
search time or for the first one hundred pages of
duplication.
(v) No agency may require advance payment of any fee unless
the requester has previously failed to pay fees in a timely
fashion, or the agency has determined that the fee will exceed
$250.
(vi) Nothing in this subparagraph shall supersede fees
chargeable under a statute specifically providing for setting
the level of fees for particular types of records.
(vii) In any action by a requester regarding the waiver of
fees under this section, the court shall determine the matter
de novo: Provided, That the court's review of the matter shall
be limited to the record before the agency.
(viii) An agency shall not assess search fees (or in the case
of a requester described under clause (ii)(II), duplication
fees) under this subparagraph if the agency fails to comply
with any time limit under paragraph (6), if no unusual or
exceptional circumstances (as those terms are defined for
purposes of paragraphs (6)(B) and (C), respectively) apply to
the processing of the request.
(B) On complaint, the district court of the United States in
the district in which the complainant resides, or has his
principal place of business, or in which the agency records are
situated, or in the District of Columbia, has jurisdiction to
enjoin the agency from withholding agency records and to order
the production of any agency records improperly withheld from
the complainant. In such a case the court shall determine the
matter de novo, and may examine the contents of such agency
records in camera to determine whether such records or any part
thereof shall be withheld under any of the exemptions set forth
in subsection (b) of this section, and the burden is on the
agency to sustain its action. In addition to any other matters
to which a court accords substantial weight, a court shall
accord substantial weight to an affidavit of an agency
concerning the agency's determination as to technical
feasibility under paragraph (2)(C) and subsection (b) and
reproducibility under paragraph (3)(B).
(C) Notwithstanding any other provision of law, the defendant
shall serve an answer or otherwise plead to any complaint made
under this subsection within thirty days after service upon the
defendant of the pleading in which such complaint is made,
unless the court otherwise directs for good cause shown.
(E)(i) The court may assess against the United States
reasonable attorney fees and other litigation costs reasonably
incurred in any case under this section in which the
complainant has substantially prevailed.
(ii) For purposes of this subparagraph, a complainant has
substantially prevailed if the complainant has obtained relief
through either--
(I) a judicial order, or an enforceable written
agreement or consent decree; or
(II) a voluntary or unilateral change in position by
the agency, if the complainant's claim is not
insubstantial.
(F)(i) Whenever the court orders the production of any agency
records improperly withheld from the complainant and assesses
against the United States reasonable attorney fees and other
litigation costs, and the court additionally issues a written
finding that the circumstances surrounding the withholding
raise questions whether agency personnel acted arbitrarily or
capriciously with respect to the withholding, the Special
Counsel shall promptly initiate a proceeding to determine
whether disciplinary action is warranted against the officer or
employee who was primarily responsible for the withholding. The
Special Counsel, after investigation and consideration of the
evidence submitted, shall submit his findings and
recommendations to the administrative authority of the agency
concerned and shall send copies of the findings and
recommendations to the officer or employee or his
representative. The administrative authority shall take the
corrective action that the Special Counsel recommends.
(ii) The Attorney General shall--
(I) notify the Special Counsel of each civil action
described under the first sentence of clause (i); and
(II) annually submit a report to Congress on the
number of such civil actions in the preceding year.
(iii) The Special Counsel shall annually submit a report to
Congress on the actions taken by the Special Counsel under
clause (i).
(G) In the event of noncompliance with the order of the
court, the district court may punish for contempt the
responsible employee, and in the case of a uniformed service,
the responsible member.
(5) Each agency having more than one member shall maintain
and make available for public inspection a record of the final
votes of each member in every agency proceeding.
(6)(A) Each agency, upon any request for records made under
paragraph (1), (2), or (3) of this subsection, shall--
(i) determine within 20 days (excepting Saturdays,
Sundays, and legal public holidays) after the receipt
of any such request whether to comply with such request
and shall immediately notify the person making such
request of such determination and the reasons therefor,
and of the right of such person to appeal to the head
of the agency any adverse determination; and
(ii) make a determination with respect to any appeal
within twenty days (excepting Saturdays, Sundays, and
legal public holidays) after the receipt of such
appeal. If on appeal the denial of the request for
records is in whole or in part upheld, the agency shall
notify the person making such request of the provisions
for judicial review of that determination under
paragraph (4) of this subsection.
The 20-day period under clause (i) shall commence on the date
on which the request is first received by the appropriate
component of the agency, but in any event not later than ten
days after the request is first received by any component of
the agency that is designated in the agency's regulations under
this section to receive requests under this section. The 20-day
period shall not be tolled by the agency except--
(I) that the agency may make one request to the
requester for information and toll the 20-day period
while it is awaiting such information that it has
reasonably requested from the requester under this
section; or
(II) if necessary to clarify with the requester
issues regarding fee assessment. In either case, the
agency's receipt of the requester's response to the
agency's request for information or clarification ends
the tolling period.
(B)(i) In unusual circumstances as specified in this
subparagraph, the time limits prescribed in either clause (i)
or clause (ii) of subparagraph (A) may be extended by written
notice to the person making such request setting forth the
unusual circumstances for such extension and the date on which
a determination is expected to be dispatched. No such notice
shall specify a date that would result in an extension for more
than ten working days, except as provided in clause (ii) of
this subparagraph.
(ii) With respect to a request for which a written notice
under clause (i) extends the time limits prescribed under
clause (i) of subparagraph (A), the agency shall notify the
person making the request if the request cannot be processed
within the time limit specified in that clause and shall
provide the person an opportunity to limit the scope of the
request so that it may be processed within that time limit or
an opportunity to arrange with the agency an alternative time
frame for processing the request or a modified request. Refusal
by the person to reasonably modify the request or arrange such
an alternative time frame shall be considered as a factor in
determining whether exceptional circumstances exist for
purposes of subparagraph (C). To aid the requester, each agency
shall make available its FOIA Public Liaison, who shall assist
in the resolution of any disputes between the requester and the
agency.
(iii) As used in this subparagraph, ``unusual circumstances''
means, but only to the extent reasonably necessary to the
proper processing of the particular requests--
(I) the need to search for and collect the requested
records from field facilities or other establishments
that are separate from the office processing the
request;
(II) the need to search for, collect, and
appropriately examine a voluminous amount of separate
and distinct records which are demanded in a single
request; or
(III) the need for consultation, which shall be
conducted with all practicable speed, with another
agency having a substantial interest in the
determination of the request or among two or more
components of the agency having substantial subject-
matter interest therein.
(iv) Each agency may promulgate regulations, pursuant to
notice and receipt of public comment, providing for the
aggregation of certain requests by the same requestor, or by a
group of requestors acting in concert, if the agency reasonably
believes that such requests actually constitute a single
request, which would otherwise satisfy the unusual
circumstances specified in this subparagraph, and the requests
involve clearly related matters. Multiple requests involving
unrelated matters shall not be aggregated.
(C)(i) Any person making a request to any agency for records
under paragraph (1), (2), or (3) of this subsection shall be
deemed to have exhausted his administrative remedies with
respect to such request if the agency fails to comply with the
applicable time limit provisions of this paragraph. If the
Government can show exceptional circumstances exist and that
the agency is exercising due diligence in responding to the
request, the court may retain jurisdiction and allow the agency
additional time to complete its review of the records. Upon any
determination by an agency to comply with a request for
records, the records shall be made promptly available to such
person making such request. Any notification of denial of any
request for records under this subsection shall set forth the
names and titles or positions of each person responsible for
the denial of such request.
(ii) For purposes of this subparagraph, the term
``exceptional circumstances'' does not include a delay that
results from a predictable agency workload of requests under
this section, unless the agency demonstrates reasonable
progress in reducing its backlog of pending requests.
(iii) Refusal by a person to reasonably modify the scope of a
request or arrange an alternative time frame for processing a
request (or a modified request) under clause (ii) after being
given an opportunity to do so by the agency to whom the person
made the request shall be considered as a factor in determining
whether exceptional circumstances exist for purposes of this
subparagraph.
(D)(i) Each agency may promulgate regulations, pursuant to
notice and receipt of public comment, providing for multitrack
processing of requests for records based on the amount of work
or time (or both) involved in processing requests.
(ii) Regulations under this subparagraph may provide a person
making a request that does not qualify for the fastest
multitrack processing an opportunity to limit the scope of the
request in order to qualify for faster processing.
(iii) This subparagraph shall not be considered to affect the
requirement under subparagraph (C) to exercise due diligence.
(E)(i) Each agency shall promulgate regulations, pursuant to
notice and receipt of public comment, providing for expedited
processing of requests for records--
(I) in cases in which the person requesting the
records demonstrates a compelling need; and
(II) in other cases determined by the agency.
(ii) Notwithstanding clause (i), regulations under this
subparagraph must ensure--
(I) that a determination of whether to provide
expedited processing shall be made, and notice of the
determination shall be provided to the person making
the request, within 10 days after the date of the
request; and
(II) expeditious consideration of administrative
appeals of such determinations of whether to provide
expedited processing.
(iii) An agency shall process as soon as practicable any
request for records to which the agency has granted expedited
processing under this subparagraph. Agency action to deny or
affirm denial of a request for expedited processing pursuant to
this subparagraph, and failure by an agency to respond in a
timely manner to such a request shall be subject to judicial
review under paragraph (4), except that the judicial review
shall be based on the record before the agency at the time of
the determination.
(iv) A district court of the United States shall not have
jurisdiction to review an agency denial of expedited processing
of a request for records after the agency has provided a
complete response to the request.
(v) For purposes of this subparagraph, the term ``compelling
need'' means--
(I) that a failure to obtain requested records on an
expedited basis under this paragraph could reasonably
be expected to pose an imminent threat to the life or
physical safety of an individual; or
(II) with respect to a request made by a person
primarily engaged in disseminating information, urgency
to inform the public concerning actual or alleged
Federal Government activity.
(vi) A demonstration of a compelling need by a person making
a request for expedited processing shall be made by a statement
certified by such person to be true and correct to the best of
such person's knowledge and belief.
(F) In denying a request for records, in whole or in part, an
agency shall make a reasonable effort to estimate the volume of
any requested matter the provision of which is denied, and
shall provide any such estimate to the person making the
request, unless providing such estimate would harm an interest
protected by the exemption in subsection (b) pursuant to which
the denial is made.
(7) Each agency shall--
(A) establish a system to assign an individualized
tracking number for each request received that will
take longer than ten days to process and provide to
each person making a request the tracking number
assigned to the request; and
(B) establish a telephone line or Internet service
that provides information about the status of a request
to the person making the request using the assigned
tracking number, including--
(i) the date on which the agency originally
received the request; and
(ii) an estimated date on which the agency
will complete action on the request.
(b) This section does not apply to matters that are--
(1)(A) specifically authorized under criteria
established by an Executive order to be kept secret in
the interest of national defense or foreign policy and
(B) are in fact properly classified pursuant to such
Executive order;
(2) related solely to the internal personnel rules
and practices of an agency;
(3) specifically exempted from disclosure by statute
(other than section 552b of this title), if that
statute--
(A)(i) requires that the matters be withheld
from the public in such a manner as to leave no
discretion on the issue; or
(ii) establishes particular criteria for
withholding or refers to particular types of
matters to be withheld; and
(B) if enacted after the date of enactment of
the OPEN FOIA Act of 2009, specifically cites
to this paragraph.
(4) trade secrets and commercial or financial
information obtained from a person and privileged or
confidential;
(5) inter-agency or intra-agency memorandums or
letters which would not be available by law to a party
other than an agency in litigation with the agency;
(6) personnel and medical files and similar files the
disclosure of which would constitute a clearly
unwarranted invasion of personal privacy;
(7) records or information compiled for law
enforcement purposes, but only to the extent that the
production of such law enforcement records or
information (A) could reasonably be expected to
interfere with enforcement proceedings, (B) would
deprive a person of a right to a fair trial or an
impartial adjudication, (C) could reasonably be
expected to constitute an unwarranted invasion of
personal privacy, (D) could reasonably be expected to
disclose the identity of a confidential source,
including a State, local, or foreign agency or
authority or any private institution which furnished
information on a confidential basis, and, in the case
of a record or information compiled by criminal law
enforcement authority in the course of a criminal
investigation or by an agency conducting a lawful
national security intelligence investigation,
information furnished by a confidential source, (E)
would disclose techniques and procedures for law
enforcement investigations or prosecutions, or would
disclose guidelines for law enforcement investigations
or prosecutions if such disclosure could reasonably be
expected to risk circumvention of the law, or (F) could
reasonably be expected to endanger the life or physical
safety of any individual;
(8) contained in or related to examination,
operating, or condition reports prepared by, on behalf
of, or for the use of an agency responsible for the
regulation or supervision of financial institutions;
[or]
(9) geological and geophysical information and data,
including maps, concerning [wells.] wells; or
(10) information shared with or provided to the
Federal Government pursuant to the Protecting Cyber
Networks Act or the amendments made by such Act.
Any reasonably segregable portion of a record shall be provided
to any person requesting such record after deletion of the
portions which are exempt under this subsection. The amount of
information deleted, and the exemption under which the deletion
is made, shall be indicated on the released portion of the
record, unless including that indication would harm an interest
protected by the exemption in this subsection under which the
deletion is made. If technically feasible, the amount of the
information deleted, and the exemption under which the deletion
is made, shall be indicated at the place in the record where
such deletion is made.
(c)(1) Whenever a request is made which involves access to
records described in subsection (b)(7)(A) and--
(A) the investigation or proceeding involves a
possible violation of criminal law; and
(B) there is reason to believe that (i) the subject
of the investigation or proceeding is not aware of its
pendency, and (ii) disclosure of the existence of the
records could reasonably be expected to interfere with
enforcement proceedings,
the agency may, during only such time as that circumstance
continues, treat the records as not subject to the requirements
of this section.
(2) Whenever informant records maintained by a criminal law
enforcement agency under an informant's name or personal
identifier are requested by a third party according to the
informant's name or personal identifier, the agency may treat
the records as not subject to the requirements of this section
unless the informant's status as an informant has been
officially confirmed.
(3) Whenever a request is made which involves access to
records maintained by the Federal Bureau of Investigation
pertaining to foreign intelligence or counterintelligence, or
international terrorism, and the existence of the records is
classified information as provided in subsection (b)(1), the
Bureau may, as long as the existence of the records remains
classified information, treat the records as not subject to the
requirements of this section.
(d) This section does not authorize withholding of
information or limit the availability of records to the public,
except as specifically stated in this section. This section is
not authority to withhold information from Congress.
(e)(1) On or before February 1 of each year, each agency
shall submit to the Attorney General of the United States a
report which shall cover the preceding fiscal year and which
shall include--
(A) the number of determinations made by the agency
not to comply with requests for records made to such
agency under subsection (a) and the reasons for each
such determination;
(B)(i) the number of appeals made by persons under
subsection (a)(6), the result of such appeals, and the
reason for the action upon each appeal that results in
a denial of information; and
(ii) a complete list of all statutes that the agency
relies upon to authorize the agency to withhold
information under subsection (b)(3), the number of
occasions on which each statute was relied upon, a
description of whether a court has upheld the decision
of the agency to withhold information under each such
statute, and a concise description of the scope of any
information withheld;
(C) the number of requests for records pending before
the agency as of September 30 of the preceding year,
and the median and average number of days that such
requests had been pending before the agency as of that
date;
(D) the number of requests for records received by
the agency and the number of requests which the agency
processed;
(E) the median number of days taken by the agency to
process different types of requests, based on the date
on which the requests were received by the agency;
(F) the average number of days for the agency to
respond to a request beginning on the date on which the
request was received by the agency, the median number
of days for the agency to respond to such requests, and
the range in number of days for the agency to respond
to such requests;
(G) based on the number of business days that have
elapsed since each request was originally received by
the agency--
(i) the number of requests for records to
which the agency has responded with a
determination within a period up to and
including 20 days, and in 20-day increments up
to and including 200 days;
(ii) the number of requests for records to
which the agency has responded with a
determination within a period greater than 200
days and less than 301 days;
(iii) the number of requests for records to
which the agency has responded with a
determination within a period greater than 300
days and less than 401 days; and
(iv) the number of requests for records to
which the agency has responded with a
determination within a period greater than 400
days;
(H) the average number of days for the agency to
provide the granted information beginning on the date
on which the request was originally filed, the median
number of days for the agency to provide the granted
information, and the range in number of days for the
agency to provide the granted information;
(I) the median and average number of days for the
agency to respond to administrative appeals based on
the date on which the appeals originally were received
by the agency, the highest number of business days
taken by the agency to respond to an administrative
appeal, and the lowest number of business days taken by
the agency to respond to an administrative appeal;
(J) data on the 10 active requests with the earliest
filing dates pending at each agency, including the
amount of time that has elapsed since each request was
originally received by the agency;
(K) data on the 10 active administrative appeals with
the earliest filing dates pending before the agency as
of September 30 of the preceding year, including the
number of business days that have elapsed since the
requests were originally received by the agency;
(L) the number of expedited review requests that are
granted and denied, the average and median number of
days for adjudicating expedited review requests, and
the number adjudicated within the required 10 days;
(M) the number of fee waiver requests that are
granted and denied, and the average and median number
of days for adjudicating fee waiver determinations;
(N) the total amount of fees collected by the agency
for processing requests; and
(O) the number of full-time staff of the agency
devoted to processing requests for records under this
section, and the total amount expended by the agency
for processing such requests.
(2) Information in each report submitted under paragraph (1)
shall be expressed in terms of each principal component of the
agency and for the agency overall.
(3) Each agency shall make each such report available to the
public including by computer telecommunications, or if computer
telecommunications means have not been established by the
agency, by other electronic means. In addition, each agency
shall make the raw statistical data used in its reports
available electronically to the public upon request.
(4) The Attorney General of the United States shall make each
report which has been made available by electronic means
available at a single electronic access point. The Attorney
General of the United States shall notify the Chairman and
ranking minority member of the Committee on Government Reform
and Oversight of the House of Representatives and the Chairman
and ranking minority member of the Committees on Governmental
Affairs and the Judiciary of the Senate, no later than April 1
of the year in which each such report is issued, that such
reports are available by electronic means.
(5) The Attorney General of the United States, in
consultation with the Director of the Office of Management and
Budget, shall develop reporting and performance guidelines in
connection with reports required by this subsection by October
1, 1997, and may establish additional requirements for such
reports as the Attorney General determines may be useful.
(6) The Attorney General of the United States shall submit an
annual report on or before April 1 of each calendar year which
shall include for the prior calendar year a listing of the
number of cases arising under this section, the exemption
involved in each case, the disposition of such case, and the
cost, fees, and penalties assessed under subparagraphs (E),
(F), and (G) of subsection (a)(4). Such report shall also
include a description of the efforts undertaken by the
Department of Justice to encourage agency compliance with this
section.
(f) For purposes of this section, the term--
(1) ``agency'' as defined in section 551(1) of this
title includes any executive department, military
department, Government corporation, Government
controlled corporation, or other establishment in the
executive branch of the Government (including the
Executive Office of the President), or any independent
regulatory agency; and
(2) ``record'' and any other term used in this
section in reference to information includes--
(A) any information that would be an agency
record subject to the requirements of this
section when maintained by an agency in any
format, including an electronic format; and
(B) any information described under
subparagraph (A) that is maintained for an
agency by an entity under Government contract,
for the purposes of records management.
(g) The head of each agency shall prepare and make publicly
available upon request, reference material or a guide for
requesting records or information from the agency, subject to
the exemptions in subsection (b), including--
(1) an index of all major information systems of the
agency;
(2) a description of major information and record
locator systems maintained by the agency; and
(3) a handbook for obtaining various types and
categories of public information from the agency
pursuant to chapter 35 of title 44, and under this
section.
(h)(1) There is established the Office of Government
Information Services within the National Archives and Records
Administration.
(2) The Office of Government Information Services shall--
(A) review policies and procedures of administrative
agencies under this section;
(B) review compliance with this section by
administrative agencies; and
(C) recommend policy changes to Congress and the
President to improve the administration of this
section.
(3) The Office of Government Information Services shall offer
mediation services to resolve disputes between persons making
requests under this section and administrative agencies as a
non-exclusive alternative to litigation and, at the discretion
of the Office, may issue advisory opinions if mediation has not
resolved the dispute.
(i) The Government Accountability Office shall conduct audits
of administrative agencies on the implementation of this
section and issue reports detailing the results of such audits.
(j) Each agency shall designate a Chief FOIA Officer who
shall be a senior official of such agency (at the Assistant
Secretary or equivalent level).
(k) The Chief FOIA Officer of each agency shall, subject to
the authority of the head of the agency--
(1) have agency-wide responsibility for efficient and
appropriate compliance with this section;
(2) monitor implementation of this section throughout
the agency and keep the head of the agency, the chief
legal officer of the agency, and the Attorney General
appropriately informed of the agency's performance in
implementing this section;
(3) recommend to the head of the agency such
adjustments to agency practices, policies, personnel,
and funding as may be necessary to improve its
implementation of this section;
(4) review and report to the Attorney General,
through the head of the agency, at such times and in
such formats as the Attorney General may direct, on the
agency's performance in implementing this section;
(5) facilitate public understanding of the purposes
of the statutory exemptions of this section by
including concise descriptions of the exemptions in
both the agency's handbook issued under subsection (g),
and the agency's annual report on this section, and by
providing an overview, where appropriate, of certain
general categories of agency records to which those
exemptions apply; and
(6) designate one or more FOIA Public Liaisons.
(l) FOIA Public Liaisons shall report to the agency Chief
FOIA Officer and shall serve as supervisory officials to whom a
requester under this section can raise concerns about the
service the requester has received from the FOIA Requester
Center, following an initial response from the FOIA Requester
Center Staff. FOIA Public Liaisons shall be responsible for
assisting in reducing delays, increasing transparency and
understanding of the status of requests, and assisting in the
resolution of disputes.
* * * * * * *
Disclosure of Directed Rule Making
H.R. 1560 does not specifically direct any rule makings
within the meaning of 5 U.S.C. 551.
Duplication of Federal Programs
H.R. 1560 does not duplicate or reauthorize an established
program of the Federal Government that was included in any
report from the Government Accountability Office to Congress
pursuant to section 21 of Public Law 111-139, or a program
related to a program identified in the most recent Catalog of
Federal Domestic Assistance.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]