H. Rept. 115-777 - DHS INDUSTRIAL CONTROL SYSTEMS CAPABILITIES ENHANCEMENT ACT OF 2018115th Congress (2017-2018)
Committee Report
Hide OverviewReport Type: | House Report |
---|---|
Accompanies: | H.R.5733 |
Committees: |
|
Report text available as:
- TXT
- PDF (PDF provides a complete and accurate display of this text.) Tip ?
115th Congress } { Report HOUSE OF REPRESENTATIVES 2d Session } { 115-777 ====================================================================== DHS INDUSTRIAL CONTROL SYSTEMS CAPABILITIES ENHANCEMENT ACT OF 2018 _______ June 22, 2018.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. McCaul, from the Committee on Homeland Security, submitted the following R E P O R T [To accompany H.R. 5733] [Including cost estimate of the Congressional Budget Office] The Committee on Homeland Security, to whom was referred the bill (H.R. 5733) to amend the Homeland Security Act of 2002 to provide for the responsibility of the National Cybersecurity and Communications Integration Center to maintain capabilities to identify threats to industrial control systems, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass. CONTENTS Page Purpose and Summary.............................................. 2 Background and Need for Legislation.............................. 3 Hearings......................................................... 3 Committee Consideration.......................................... 4 Committee Votes.................................................. 4 Committee Oversight Findings..................................... 4 New Budget Authority, Entitlement Authority, and Tax Expenditures 4 Congressional Budget Office Estimate............................. 5 Statement of General Performance Goals and Objectives............ 6 Duplicative Federal Programs..................................... 6 Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits....................................................... 6 Federal Mandates Statement....................................... 6 Preemption Clarification......................................... 6 Disclosure of Directed Rule Makings.............................. 6 Advisory Committee Statement..................................... 6 Applicability to Legislative Branch.............................. 6 Section-by-Section Analysis of the Legislation................... 7 Changes in Existing Law Made by the Bill, as Reported............ 7 The amendment is as follows: Strike all after the enacting clause and insert the following: SECTION 1. SHORT TITLE. This Act may be cited as the ``DHS Industrial Control Systems Capabilities Enhancement Act of 2018''. SEC. 2. CAPABILITIES OF NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER TO IDENTIFY THREATS TO INDUSTRIAL CONTROL SYSTEMS. (a) In General.--Section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148) is amended-- (1) in subsection (e)(1)-- (A) in subparagraph (G), by striking ``and'' after the semicolon; (B) in subparagraph (H), by inserting ``and'' after the semicolon; and (C) by adding at the end the following new subparagraph: ``(I) activities of the Center address the security of both information technology and operational technology, including industrial control systems;''; (2) by redesignating subsections (f) through (m) as subsections (g) through (n), respectively; and (3) by inserting after subsection (e) the following new subsection: ``(f) Industrial Control Systems.--The Center shall maintain capabilities to identify and address threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure processes. In carrying out this subsection, the Center shall-- ``(1) lead, in coordination with relevant sector specific agencies, Federal Government efforts to identify and mitigate cybersecurity threats to industrial control systems, including supervisory control and data acquisition systems; ``(2) maintain cross-sector incident response capabilities to respond to industrial control system cybersecurity incidents; ``(3) provide cybersecurity technical assistance to industry end-users, product manufacturers, and other industrial control system stakeholders to identify and mitigate vulnerabilities; ``(4) collect, coordinate, and provide vulnerability information to the industrial control systems community by, as appropriate, working closely with security researchers, industry end-users, product manufacturers, and other industrial control systems stakeholders; and ``(5) conduct such other efforts and assistance as the Secretary determines appropriate.''. (b) Report to Congress.--Not later than 180 days after the date of the enactment of this Act, and every 6 months thereafter during the subsequent four-year period, the National Cybersecurity and Communications Integration Center shall provide to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a briefing on the industrial control systems capabilities of the Center under subsection (f) of section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148), as added by subsection (a). Purpose and Summary The purpose of H.R. 5733 is to amend the Homeland Security Act of 2002 (Pub. L. 107-296) to provide for the responsibility of the National Cybersecurity and Communications Integration Center to maintain capabilities to identify threats to industrial control systems, and for other purposes. The DHS Industrial Control Systems Capabilities Enhancement Act of 2018 codifies the role of the Department of Homeland Security's (DHS) National Cybersecurity and Communications Integration Center (NCCIC) in addressing the security of both information technology and operational technology for industrial control systems. NCCIC will maintain capabilities to identify and address threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure processes. NCCIC will lead Federal Government efforts to mitigate cybersecurity threats to industrial control systems (ICS), and maintain cross-sector incident response capabilities to respond to ICS cybersecurity incidents. NCCIC can provide cybersecurity technical assistance to ICS end users, product manufacturers and other stakeholders to mitigate and identify vulnerabilities. As part of this legislation, DHS is directed to periodically provide to the House Committee on Homeland Security and the Senate Homeland Security and Government Affairs Committee regarding the industrial control systems capabilities at NCCIC. Background and Need for Legislation Much of our Nation's critical infrastructure is dependent on industrial control systems to monitor, control, and safeguard operational processes. ICS are common systems and devices that can be found across all sixteen critical infrastructure sectors and are not unique to any one sector. ICS perform critical functions in managing the operation of critical infrastructure such as electric power generators, dams, water treatment facilities, medical devices, nuclear power plants, and natural gas pipelines. ICS are the operational technology that include Supervisory Control and Data Acquisition (SCADA) systems, Process Control Systems (PCS), and Distributed Control Systems (DCS). DHS's NCCIC currently works with ICS operators and manufacturers in several ways: NCICC's ICS cybersecurity capabilities include malware and vulnerability analysis; an operational watch floor to monitor, track, and investigate cyber incidents; incident response; international stakeholder coordination; and creation and dissemination of threat briefings, security bulletins, and notices related to emerging threats and vulnerabilities. DHS operates a central hub for ICS information exchange, technical expertise, operational partnerships, and ICS-focused cybersecurity capabilities. H.R. 5733 will codify the work NCCIC already performs regarding identifying and mitigating ICS vulnerabilities while ensuring that private industry has a centralized and permanent place for assistance with addressing cybersecurity risk to industrial control systems. Hearings No hearings were held on H.R.5733 in the 115th Congress. However the Committee held the following oversight hearings which informed the legilsation. On March 9, 2017, the Subcommittee on Cybersecurity and Infrastructure Protection held a hearing entitled ``The Current State of DHS Private Sector Engagement for Cybersecurity.'' The Subcommittee received testimony from Mr. Daniel Nutkis, Chief Executive Officer, HITRUST Alliance; Mr. Scott Montgomery, Vice President and Chief Technical Strategist, Intel Security Group, Intel Corporation; Mr. Jeffrey Greene, Senior Director, Global Government Affairs and Policy Symantec; Mr. Ryan M Gillis, Vice President of Cybersecurity Strategy and Global Policy, Palo Alto Networks; and Ms. Robyn Greene, Policy Counsel and Government Affairs Lead, Open Technology Institute, New America. On March 22, 2017, the Committee held a hearing entitled ``A Borderless Battle: Defending Against Cyber Threats.'' The Committee received testimony from GEN Keith B. Alexander (Ret. USA), President and Chief Executive Officer, IronNet Cybersecurity; Mr. Michael Daniel, President, Cyber Threat Alliance; Mr. Frank J. Cilluffo, Director, Center for Cyber and Homeland Security, George Washington University; and Mr. Bruce W. McConnell, Global Vice President, EastWest Institute. On October 3, 2017, the Subcommittee on Cybersecurity and Infrastructure Protection held a hearing entitled ``Examining DHS's Cybersecurity Mission.'' The Subcommittee received testimony from Mr. Christopher Krebs, Senior Official Performing the Duties of the Under Secretary, National Protection and Programs Directorate, U.S. Department of Homeland Security; Ms. Jeanette Manfra, Assistant Secretary for Cybersecurity and Communications, National Protection and Programs Directorate, U.S. Department of Homeland Security; and Ms. Patricia Hoffman, Acting Assistant Secretary, Office of Electricity Delivery and Energy Reliability, U.S. Department of Energy. Committee Consideration The Committee met on June 6, 2018, to consider H.R. 5733, and ordered the measure to be reported to the House with a favorable recommendation, as amended, by unanimous consent. The Committee took the following actions: The following amendments were offered: An amendment offered by Mr. Langevin (#1); was AGREED TO by unanimous consent. Page 3, line 14, strike ``; and'' and insert a semicolon. Page 3, after line 14, insert the following: ``(4) collect, coordinate, and provide vulnerability information to the industrial control systems community by, as appropriate, working closely with security researchers, industry end-users, product manufacturers, and other industrial control systems stakeholders; and''. Page 3, line 15, strike ``(4)'' and insert ``(5)''. Committee Votes Clause 3(b) of Rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. No recorded votes were requested during consideration of H.R.5733. Committee Oversight Findings Pursuant to clause 3(c)(1) of Rule XIII of the Rules of the House of Representatives, the Committee has held oversight hearings and made findings that are reflected in this report. New Budget Authority, Entitlement Authority, and Tax Expenditures In compliance with clause 3(c)(2) of Rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 5733, the DHS Industrial Control Systems Capabilities Enhancement Act of 2018, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues. Congressional Budget Office Estimate The Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974. U.S. Congress, Congressional Budget Office, Washington, DC, June 21, 2018. Hon. Michael McCaul, Chairman, Committee on Homeland Security, House of Representatives, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 5733, the DHS Industrial Control Systems Capabilities Enhancement Act of 2018. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is William Ma. Sincerely, Keith Hall, Director. Enclosure. H.R. 5733--DHS Industrial Control Systems Capabilities Enhancement Act of 2018 H.R. 5733 would require the National Cybersecurity and Communications Integration Center (NCCIC) in the Department of Homeland Security (DHS) to develop and maintain capabilities to identify and mitigate threats and vulnerabilities to products and technologies used in the automated control of critical infrastructure processes. The bill also would require DHS to provide briefings to the Congress on those capabilities not later than six months after the bill's enactment and every six months thereafter over the next four years. On the basis of information from DHS, CBO has concluded that the NCCIC already provides assistance to owners and operators of critical infrastructure and control systems vendors to identify and mitigate security vulnerabilities to their industrial control systems. The bill would codify those responsibilities but would not impose any new operating requirements on the department. Thus, we estimate that implementing H.R. 5733 would cost less than $500,000 over the 2019-2023 period to prepare and deliver the required briefings; such spending would be subject to the availability of appropriated funds. Enacting H.R. 5733 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. CBO estimates that enacting H.R. 5733 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2029. H.R. 5733 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act. The CBO staff contact for this estimate is William Ma. The estimate was reviewed by Leo Lex, Deputy Assistant Director for Budget Analysis. Statement of General Performance Goals and Objectives Pursuant to clause 3(c)(4) of Rule XIII of the Rules of the House of Representatives, H.R. 5733 contains the following general performance goals and objectives, including outcome related goals and objectives authorized. H.R. 5733 requires the NCCIC to provide the appropriate House and Senate Committees a briefing every six months, for the subsequent four years, on the industrial control capabiliites of the Center. Duplicative Federal Programs Pursuant to clause 3(c) of Rule XIII, the Committee finds that H.R. 4911 does not contain any provision that establishes or reauthorizes a program known to be duplicative of another Federal program. Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits In compliance with Rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(e), 9(f), or 9(g) of the Rule XXI. Federal Mandates Statement The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act. Preemption Clarification In compliance with section 423 of the Congressional Budget Act of 1974, requiring the report of any Committee on a bill or joint resolution to include a statement on the extent to which the bill or joint resolution is intended to preempt State, local, or Tribal law, the Committee finds that H.R. 5733 does not preempt any State, local, or Tribal law. Disclosure of Directed Rule Makings The Committee estimates that H.R. 5733 would require no directed rule makings. Advisory Committee Statement No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation. Applicability to Legislative Branch The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act. Section-by-Section Analysis of the Legislation Section 1. Short Title. This section provides that this bill may be cited as the ``DHS Industrial Control Systems Capabilities Enhancement Act of 2018''. Sec. 2. Capabilities of National Cybersecurity and Communications Integration Center to Identify Threats to Industrial Control Systems. This section amends the second section 227 of the Homeland Security Act (HSA). This section formally codifies the NCCIC's role in addressing the security of both information technology and operational technology, including industrial control systems. This section indicates that the NCCIC will maintain capabilities to identify and address threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure processes by leading Federal Government efforts to mitigate cybersecurity threats to industrial control systems (ICS), and maintaining cross-sector incident response capabilities to respond to ICS cybersecurity incidents. NCCIC can provide cybersecurity technical assistance to ICS end users, product manufacturers and other stakeholders to mitigate and identify vulnerabilities. This section includes an amendment to ensure NCCIC also collects, coordinates and provides vulnerability information to the ICS community. The Committee intends for DHS to continue training and outreach efforts to the private sector so that the mutual exchange with ICS industry stakeholders allows both the public and private sectors to be fully aware of the cyber threat landscape. This section requires the NCCIC to brief the U.S. House of Representatives Committee on Homeland Security and U.S. Senate Committee on Homeland Security and Governmental Affairs, for the first four years after the enactment of this bill, on the industrial control systems capabilities at NCCIC. Changes in Existing Law Made by the Bill, as Reported In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, and existing law in which no change is proposed is shown in roman): HOMELAND SECURITY ACT OF 2002 * * * * * * * TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION * * * * * * * Subtitle C--Information Security * * * * * * * SEC. 227. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER. (a) Definitions.--In this section-- (1) the term ``cybersecurity risk''-- (A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and (B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement; (2) the terms ``cyber threat indicator'' and ``defensive measure'' have the meanings given those terms in section 102 of the Cybersecurity Act of 2015; (3) the term ``incident'' means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system; (4) the term ``information sharing and analysis organization'' has the meaning given that term in section 212(5); (5) the term ``information system'' has the meaning given that term in section 3502(8) of title 44, United States Code; and (6) the term ``sharing'' (including all conjugations thereof) means providing, receiving, and disseminating (including all conjugations of each of such terms). (b) Center.--There is in the Department a national cybersecurity and communications integration center (referred to in this section as the ``Center'') to carry out certain responsibilities of the Under Secretary appointed under section 103(a)(1)(H). (c) Functions.--The cybersecurity functions of the Center shall include-- (1) being a Federal civilian interface for the multi- directional and cross-sector sharing of information related to cyber threat indicators, defensivemeasures, cybersecurity risks, incidents, analysis, and warnings for Federal and non-Federal entities, including the implementationof title I of the Cybersecurity Act of 2015; (2) providing shared situational awareness to enable real-time, integrated, and operational actions across the Federal Government and non-Federal entities to address cybersecurity risks and incidents to Federal and non-Federal entities; (3) coordinating the sharing of information related to cyber threat indicators, defensive measures,cybersecurity risks, and incidents across the Federal Government; (4) facilitating cross-sector coordination to address cybersecurity risks and incidents, including cybersecurity risks and incidents that may be related or could have consequential impacts across multiple sectors; (5)(A) conducting integration and analysis, including cross-sector integration and analysis, of cyber threat indicators, defensivemeasures, cybersecurity risks, and incidents; and (B) sharing the analysis conducted under subparagraph (A) with Federal and non-Federal entities; (6) upon request, providing timely technical assistance, risk management support, and incident response capabilities to Federal and non-Federal entities with respect to cyber threat indicators, defensive measures, cybersecurityrisks, and incidents, which may include attribution, mitigation, and remediation; (7) providing information and recommendations on security and resilience measures to Federal and non- Federal entities, including information and recommendations to-- (A) facilitate information security; (B) strengthen information systems against cybersecurity risks and incidents; and (C) sharing cyber threat indicators and defensive measures; (8) engaging with international partners, in consultation with other appropriate agencies, to-- (A) collaborate on cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents; and (B) enhance the security and resilience of global cybersecurity; (9) sharing cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with Federal and non- Federal entities, including across sectors of critical infrastructure and with State and major urban area fusion centers, as appropriate; (10) participating, as appropriate, in national exercises run by the Department; and (11) in coordination with the Office of Emergency Communications of the Department, assessing and evaluating consequence, vulnerability, and threat information regarding cyber incidents to public safety communications to help facilitate continuous improvements to the security and resiliency of such communications. (d) Composition.-- (1) In general.--The Center shall be composed of-- (A) appropriate representatives of Federal entities, such as-- (i) sector-specific agencies; (ii) civilian and law enforcement agencies; and (iii) elements of the intelligence community, as that term is defined under section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)); (B) appropriate representatives of non- Federal entities, such as-- (i) State, local, and tribal governments; (ii) information sharing and analysis organizations, including information sharing and analysis centers; (iii) owners and operators of critical information systems; and (iv) private entities; (C) components within the Center that carry out cybersecurity and communications activities; (D) a designated Federal official for operational coordination with and across each sector; (E) an entity that collaborates with State and local governments on cybersecurity risks and incidents, and has entered into a voluntary information sharing relationship with the Center; and (F) other appropriate representatives or entities, as determined by the Secretary. (2) Incidents.--In the event of an incident, during exigent circumstances the Secretary may grant a Federal or non-Federal entity immediate temporary access to the Center. (e) Principles.--In carrying out the functions under subsection (c), the Center shall ensure-- (1) to the extent practicable, that-- (A) timely, actionable, and relevant cyber threatindicators, defensive measures, and information related to cybersecurity risks, incidents, and analysis is shared; (B) when appropriate, cyber threatindicators, defensive measures, and information related to cybersecurity risks, incidents, and analysis is integrated with other relevant information and tailored to the specific characteristics of a sector; (C) activities are prioritized and conducted based on the level of risk; (D) industry sector-specific, academic, and national laboratory expertise is sought and receives appropriate consideration; (E) continuous, collaborative, and inclusive coordination occurs-- (i) across sectors; and (ii) with-- (I) sector coordinating councils; (II) information sharing and analysis organizations; and (III) other appropriate non- Federal partners; (F) as appropriate, the Center works to develop and use mechanisms for sharing information related to cyber threat indicators, defensive measures,cybersecurity risks, and incidents that are technology-neutral, interoperable, real-time, cost-effective, and resilient; (G) the Center works with other agencies to reduce unnecessarily duplicative sharing of information related to cyber threat indicators,defensive measures, cybersecurity risks, andincidents; [and]; (H) the Center designates an agency contact for non-Federal entities; and (I) activities of the Center address the security of both information technology and operational technology, including industrial control systems; (2) that information related to cyber threat indicators, defensive measures, cybersecurityrisks, and incidents is appropriately safeguarded against unauthorized access or disclosure; and (3) that activities conducted by the Center comply with all policies, regulations, and laws that protect the privacy and civil liberties of United States persons, including by working withthe Privacy Officer appointed under section 222 to ensurethat the Center follows the policies and procedures specifiedin subsections (b) and (d)(5)(C) of section 105 of the CybersecurityAct of 2015. (f) Industrial Control Systems.--The Center shall maintain capabilities to identify and address threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure processes. In carrying out this subsection, the Center shall-- (1) lead, in coordination with relevant sector specific agencies, Federal Government efforts to identify and mitigate cybersecurity threats to industrial control systems, including supervisory control and data acquisition systems; (2) maintain cross-sector incident response capabilities to respond to industrial control system cybersecurity incidents; (3) provide cybersecurity technical assistance to industry end-users, product manufacturers, and other industrial control system stakeholders to identify and mitigate vulnerabilities; (4) collect, coordinate, and provide vulnerability information to the industrial control systems community by, as appropriate, working closely with security researchers, industry end-users, product manufacturers, and other industrial control systems stakeholders; and (5) conduct such other efforts and assistance as the Secretary determines appropriate. [(f)] (g) No Right or Benefit.-- (1) In general.--The provision of assistance or information to, and inclusion in the Center of, governmental or private entities under this section shall be at the sole and unreviewable discretion of the Under Secretary appointed under section 103(a)(1)(H). (2) Certain assistance or information.--The provision of certain assistance or information to, or inclusion in the Center of, one governmental or private entity pursuant to this section shall not create a right or benefit, substantive or procedural, to similar assistance or information for any other governmental or private entity. [(g)] (h) Automated Information Sharing.-- (1) In general.--The Under Secretary appointed under section 103(a)(1)(H), in coordination with industry and other stakeholders, shall develop capabilities making use of existing information technology industry standards and best practices, as appropriate, that support and rapidly advance the development, adoption, and implementation of automated mechanisms for the sharing of cyber threat indicators and defensive measures in accordance with title I of the Cybersecurity Act of 2015. (2) Annual report.--The Under Secretary appointed under section 103(a)(1)(H) shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives an annual report on the status and progress of the development of the capabilities described in paragraph (1). Such reports shall be required until such capabilities are fully implemented. [(h)] (i) Voluntary Information Sharing Procedures.-- (1) Procedures.-- (A) In general.--The Center may enter into a voluntary information sharing relationship with any consenting non-Federal entity for the sharing of cyber threat indicators and defensive measures for cybersecurity purposes in accordance with this section. Nothing in this subsection may be construed to require any non-Federal entity to enter into any such information sharing relationship with the Center or any other entity. The Center may terminate a voluntary information sharing relationship under this subsection, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), for any reason, including if the Center determines that the non-Federal entity with which the Center has entered into such a relationship has violated the terms of this subsection. (B) National security.--The Secretary may decline to enter into a voluntary information sharing relationship under this subsection, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), for any reason, including if the Secretary determines that such is appropriate for national security. (2) Voluntary information sharing relationships.--A voluntary information sharing relationship under this subsection may be characterized as an agreement described in this paragraph. (A) Standard agreement.--For the use of a non-Federal entity, the Center shall make available a standard agreement, consistent with this section, on the Department's website. (B) Negotiated agreement.--At the request of a non-Federal entity, and if determined appropriate by the Center, at the sole and unreviewable discretion of the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), the Department shall negotiate a non-standard agreement, consistent with this section. (C) Existing agreements.--An agreement between the Center and a non-Federal entity that is entered into before the date of enactment of this subsection, or such an agreement that is in effect before such date, shall be deemed in compliance with the requirements of this subsection, notwithstanding any other provision or requirement of this subsection. An agreement under this subsection shall include the relevant privacy protections as in effect under the Cooperative Research and Development Agreement for Cybersecurity Information Sharing and Collaboration, as of December 31, 2014. Nothing in this subsection may be construed to require a non-Federal entity to enter into either a standard or negotiated agreement to be in compliance with this subsection. [(i)] (j) Direct Reporting.--The Secretary shall develop policies and procedures for direct reporting to the Secretary by the Director of the Center regarding significant cybersecurity risks and incidents. [(j)] (k) Reports on International Cooperation.--Not later than 180 days after the date of enactment of this subsection, and periodically thereafter, the Secretary of Homeland Security shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the range of efforts underway to bolster cybersecurity collaboration with relevant international partners in accordance with subsection (c)(8). [(k)] (l) Outreach.--Not later than 60 days after the date of enactment of this subsection, the Secretary, acting through the Under Secretary appointed under section 103(a)(1)(H), shall-- (1) disseminate to the public information about how to voluntarily share cyber threat indicators and defensive measures with the Center; and (2) enhance outreach to critical infrastructure owners and operators for purposes of such sharing. [(l)] (m) Cybersecurity Outreach.-- (1) In general.--The Secretary may leverage small business development centers to provide assistance to small business concerns by disseminating information on cyber threat indicators, defense measures, cybersecurity risks, incidents, analyses, and warnings to help small business concerns in developing or enhancing cybersecurity infrastructure, awareness of cyber threat indicators, and cyber training programs for employees. (2) Definitions.--For purposes of this subsection, the terms ``small business concern'' and ``small business development center'' have the meaning given such terms, respectively, under section 3 of the Small Business Act. [(m)] (n) Coordinated Vulnerability Disclosure.--The Secretary, in coordination with industry and other stakeholders, may develop and adhere to Department policies and procedures for coordinating vulnerability disclosures. * * * * * * * [all]