HOMELAND SECURITY ACT OF 2002

Mr. ARMEY. Mr. Speaker, pursuant to House Resolution 600, I call up the bill (H.R. 5710) to establish the Department of Homeland Security, and for other purposes, and ask for its immediate consideration.

The Clerk read the title of the bill.

The text of H.R. 5710 is as follows:

H.R. 5710

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

(a) Short Title.--This Act may be cited as the "Homeland Security Act of 2002".
(b) Table of Contents.--The table of contents for this Act is as follows:

[...]

TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION

Subtitle A--Directorate for Information Analysis and Infrastructure Protection; Access to Information
Sec. 201. Directorate for Information Analysis and Infrastructure Protection.
Sec. 202. Access to information.

Subtitle B--Critical Infrastructure Information
Sec. 211. Short title.
Sec. 212. Definitions.
Sec. 213. Designation of critical infrastructure protection program.
Sec. 214. Protection of voluntarily shared critical infrastructure information.
Sec. 215. No private right of action.

Subtitle C--Information Security
Sec. 221. Procedures for sharing information.
Sec. 222. Privacy Officer.
Sec. 223. Enhancement of non-Federal cybersecurity.
Sec. 224. Net guard.
Sec. 225. Cyber Security Enhancement Act of 2002.

[...]

TITLE III--SCIENCE AND TECHNOLOGY IN SUPPORT OF HOMELAND SECURITY

Sec. 301. Under Secretary for Science and Technology.
Sec. 302. Responsibilities and authorities of the Under Secretary for Science and Technology.
Sec. 303. Functions transferred.
Sec. 304. Conduct of certain public health-related activities.
Sec. 305. Federally funded research and development centers.
Sec. 306. Miscellaneous provisions.
Sec. 307. Homeland Security Advanced Research Projects Agency.
Sec. 308. Conduct of research, development, demonstration, testing and evaluation.
Sec. 309. Utilization of Department of Energy national laboratories and sites in support of homeland security activities.
Sec. 310. Transfer of Plum Island Animal Disease Center, Department of Agriculture.
Sec. 311. Homeland Security Science and Technology Advisory Committee.
Sec. 312. Homeland Security Institute.
Sec. 313. Technology clearinghouse to encourage and support innovative solutions to enhance homeland security.

TITLE VIII--COORDINATION WITH NON-FEDERAL ENTITIES; INSPECTOR GENERAL; UNITED STATES SECRET SERVICE; COAST GUARD; GENERAL PROVISIONS

[...]
Sec. 880. Prohibition of the Terrorism Information and Prevention System.
[...]
Sec. 886. Sense of Congress reaffirming the continued importance and applicability of the Posse Comitatus Act.
[...]

Subtitle I--Information Sharing
Sec. 891. Short title; findings; and sense of Congress.
Sec. 892. Facilitating homeland security information sharing procedures.
Sec. 893. Report.
Sec. 894. Authorization of appropriations.
Sec. 895. Authority to share grand jury information.
Sec. 896. Authority to share electronic, wire, and oral interception information.
Sec. 897. Foreign intelligence information.
Sec. 898. Information acquired from an electronic surveillance.
Sec. 899. Information acquired from a physical search.

[...]

TITLE X--INFORMATION SECURITY

Sec. 1001. Information security.
Sec. 1002. Management of information technology.
Sec. 1003. National Institute of Standards and Technology.
Sec. 1004. Information Security and Privacy Advisory Board.
Sec. 1005. Technical and conforming amendments.
Sec. 1006. Construction.

[...]

TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION

Subtitle A--Directorate for Information Analysis and Infrastructure Protection; Access to Information

SEC. 201. DIRECTORATE FOR INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION.
(a) Under Secretary of Homeland Security for Information Analysis and Infrastructure Protection.--
(1) In general.--There shall be in the Department a Directorate for Information Analysis and Infrastructure Protection headed by an Under Secretary for Information Analysis and Infrastructure Protection, who shall be appointed by the President, by and with the advice and consent of the Senate.
(2) Responsibilities.--The Under Secretary shall assist the Secretary in discharging the responsibilities assigned by the Secretary.
(b) Assistant Secretary for Information Analysis; Assistant Secretary for Infrastructure Protection.--
(1) Assistant secretary for information analysis.--There shall be in the Department an Assistant Secretary for Information Analysis, who shall be appointed by the President.
(2) Assistant secretary for infrastructure protection.--There shall be in the Department an Assistant Secretary for Infrastructure Protection, who shall be appointed by the President.
(3) Responsibilities.--The Assistant Secretary for Information Analysis and the Assistant Secretary for Infrastructure Protection shall assist the Under Secretary for Information Analysis and Infrastructure Protection in discharging the responsibilities of the Under Secretary under this section.
(c) Discharge of Information Analysis and Infrastructure Protection.--The Secretary shall ensure that the responsibilities of the Department regarding information analysis and infrastructure protection are carried out through the Under Secretary for Information Analysis and Infrastructure Protection.
(d) Responsibilities of Under Secretary.--Subject to the direction and control of the Secretary, the responsibilities of the Under Secretary for Information Analysis and Infrastructure Protection shall be as follows:
(1) To access, receive, and analyze law enforcement information, intelligence information, and other information from agencies of the Federal Government, State and local government agencies (including law enforcement agencies), and private sector entities, and to integrate such information in order to--
(A) identify and assess the nature and scope of terrorist threats to the homeland;
(B) detect and identify threats of terrorism against the United States; and
(C) understand such threats in light of actual and potential vulnerabilities of the homeland.
(2) To carry out comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the United States, including the performance of risk assessments to determine the risks posed by particular types of terrorist attacks within the United States (including an assessment of the probability of success of such attacks and the feasibility and potential efficacy of various countermeasures to such attacks).
(3) To integrate relevant information, analyses, and vulnerability assessments (whether such information, analyses, or assessments are provided or produced by the Department or others) in order to identify priorities for protective and support measures by the Department, other agencies of the Federal Government, State and local government agencies and authorities, the private sector, and other entities.
(4) To ensure, pursuant to section 202, the timely and efficient access by the Department to all information necessary to discharge the responsibilities under this section, including obtaining such information from other agencies of the Federal Government.
(5) To develop a comprehensive national plan for securing the key resources and critical infrastructure of the United States, including power production, generation, and distribution systems, information technology and telecommunications systems (including satellites), electronic financial and property record storage and transmission systems, emergency preparedness communications systems, and the physical and technological assets that support such systems.
(6) To recommend measures necessary to protect the key resources and critical infrastructure of the United States in coordination with other agencies of the Federal Government and in cooperation with State and local government agencies and authorities, the private sector, and other entities.
(7) To administer the Homeland Security Advisory System, including--
(A) exercising primary responsibility for public advisories related to threats to homeland security; and
(B) in coordination with other agencies of the Federal Government, providing specific warning information, and advice about appropriate protective measures and countermeasures, to State and local government agencies and authorities, the private sector, other entities, and the public.
(8) To review, analyze, and make recommendations for improvements in the policies and procedures governing the sharing of law enforcement information, intelligence information, intelligence-related information, and other information relating to homeland security within the Federal Government and between the Federal Government and State and local government agencies and authorities.
(9) To disseminate, as appropriate, information analyzed by the Department within the Department, to other agencies of the Federal Government with responsibilities relating to homeland security, and to agencies of State and local governments and private sector entities with such responsibilities in order to assist in the deterrence, prevention, preemption of, or response to, terrorist attacks against the United States.
(10) To consult with the Director of Central Intelligence and other appropriate intelligence, law enforcement, or other elements of the Federal Government to establish collection priorities and strategies for information, including law enforcement-related information, relating to threats of terrorism against the United States through such means as the representation of the Department in discussions regarding requirements and priorities in the collection of such information.
(11) To consult with State and local governments and private sector entities to ensure appropriate exchanges of information, including law enforcement-related information, relating to threats of terrorism against the United States.
(12) To ensure that--
(A) any material received pursuant to this Act is protected from unauthorized disclosure and handled and used only for the performance of official duties; and
(B) any intelligence information under this Act is shared, retained, and disseminated consistent with the authority of the Director of Central Intelligence to protect intelligence sources and methods under the National Security Act of 1947 (50 U.S.C. 401 et seq.) and related procedures and, as appropriate, similar authorities of the Attorney General concerning sensitive law enforcement information.
(13) To request additional information from other agencies of the Federal Government, State and local government agencies, and the private sector relating to threats of terrorism in the United States, or relating to other areas of responsibility assigned by the Secretary, including the entry into cooperative agreements through the Secretary to obtain such information.
(14) To establish and utilize, in conjunction with the chief information officer of the Department, a secure communications and information technology infrastructure, including data-mining and other advanced analytical tools, in order to access, receive, and analyze data and information in furtherance of the responsibilities under this section, and to disseminate information acquired and analyzed by the Department, as appropriate.
(15) To ensure, in conjunction with the chief information officer of the Department, that any information databases and analytical tools developed or utilized by the Department--
(A) are compatible with one another and with relevant information databases of other agencies of the Federal Government; and
(B) treat information in such databases in a manner that complies with applicable Federal law on privacy.
(16) To coordinate training and other support to the elements and personnel of the Department, other agencies of the Federal Government, and State and local governments that provide information to the Department, or are consumers of information provided by the Department, in order to facilitate the identification and sharing of information revealed in their ordinary duties and the optimal utilization of information received from the Department.
(17) To coordinate with elements of the intelligence community and with Federal, State, and local law enforcement agencies, and the private sector, as appropriate.
(18) To provide intelligence and information analysis and support to other elements of the Department.
(19) To perform such other duties relating to such responsibilities as the Secretary may provide.
(e) Staff.--
(1) In general.--The Secretary shall provide the Directorate with a staff of analysts having appropriate expertise and experience to assist the Directorate in discharging responsibilities under this section.
(2) Private sector analysts.--Analysts under this subsection may include analysts from the private sector.
(3) Security clearances.--Analysts under this subsection shall possess security clearances appropriate for their work under this section.
(f) Detail of Personnel.--
(1) In general.--In order to assist the Directorate in discharging responsibilities under this section, personnel of the agencies referred to in paragraph (2) may be detailed to the Department for the performance of analytic functions and related duties.
(2) Covered agencies.--The agencies referred to in this paragraph are as follows:
(A) The Department of State.
(B) The Central Intelligence Agency.
(C) The Federal Bureau of Investigation.
(D) The National Security Agency.
(E) The National Imagery and Mapping Agency.
(F) The Defense Intelligence Agency.
(G) Any other agency of the Federal Government that the President considers appropriate.
(3) Cooperative agreements.--The Secretary and the head of the agency concerned may enter into cooperative agreements for the purpose of detailing personnel under this subsection.
(4) Basis.--The detail of personnel under this subsection may be on a reimbursable or non-reimbursable basis.
(g) Functions Transferred.--In accordance with title XV, there shall be transferred to the Secretary, for assignment to the Under Secretary for Information Analysis and Infrastructure Protection under this section, the functions, personnel, assets, and liabilities of the following:
(1) The National Infrastructure Protection Center of the Federal Bureau of Investigation (other than the Computer Investigations and Operations Section), including the functions of the Attorney General relating thereto.
(2) The National Communications System of the Department of Defense, including the functions of the Secretary of Defense relating thereto.
(3) The Critical Infrastructure Assurance Office of the Department of Commerce, including the functions of the Secretary of Commerce relating thereto.
(4) The National Infrastructure Simulation and Analysis Center of the Department of Energy and the energy security and assurance program and activities of the Department, including the functions of the Secretary of Energy relating thereto.
(5) The Federal Computer Incident Response Center of the General Services Administration, including the functions of the Administrator of General Services relating thereto.
(h) Inclusion of Certain Elements of the Department as Elements of the Intelligence Community.--Section 3(4) of the National Security Act of 1947 (50 U.S.C. 401(a)) is amended--
(1) by striking "and" at the end of subparagraph (I);
(2) by redesignating subparagraph (J) as subparagraph (K); and
(3) by inserting after subparagraph (I) the following new subparagraph:
"(J) the elements of the Department of Homeland Security concerned with the analyses of foreign intelligence information; and".

SEC. 202. ACCESS TO INFORMATION.
(a) In General.--
(1) Threat and vulnerability information.--Except as otherwise directed by the President, the Secretary shall have such access as the Secretary considers necessary to all information, including reports, assessments, analyses, and unevaluated intelligence relating to threats of terrorism against the United States and to other areas of responsibility assigned by the Secretary, and to all information concerning infrastructure or other vulnerabilities of the United States to terrorism, whether or not such information has been analyzed, that may be collected, possessed, or prepared by any agency of the Federal Government.
(2) Other information.--The Secretary shall also have access to other information relating to matters under the responsibility of the Secretary that may be collected, possessed, or prepared by an agency of the Federal Government as the President may further provide.
(b) Manner of Access.--Except as otherwise directed by the President, with respect to information to which the Secretary has access pursuant to this section--
(1) the Secretary may obtain such material upon request, and may enter into cooperative arrangements with other executive agencies to provide such material or provide Department officials with access to it on a regular or routine basis, including requests or arrangements involving broad categories of material, access to electronic databases, or both; and
(2) regardless of whether the Secretary has made any request or entered into any cooperative arrangement pursuant to paragraph (1), all agencies of the Federal Government shall promptly provide to the Secretary--
(A) all reports (including information reports containing intelligence which has not been fully evaluated), assessments, and analytical information relating to threats of terrorism against the United States and to other areas of responsibility assigned by the Secretary;
(B) all information concerning the vulnerability of the infrastructure of the United States, or other vulnerabilities of the United States, to terrorism, whether or not such information has been analyzed;
(C) all other information relating to significant and credible threats of terrorism against the United States, whether or not such information has been analyzed; and
(D) such other information or material as the President may direct.
(c) Treatment Under Certain Laws.--The Secretary shall be deemed to be a Federal law enforcement, intelligence, protective, national defense, immigration, or national security official, and shall be provided with all information from law enforcement agencies that is required to be given to the Director of Central Intelligence, under any provision of the following:
(1) The USA PATRIOT Act of 2001 (Public Law 107-56).
(2) Section 2517(6) of title 18, United States Code.
(3) Rule 6(e)(3)(C) of the Federal Rules of Criminal Procedure.
(d) Access to Intelligence and Other Information.--
(1) Access by elements of federal government.--Nothing in this title shall preclude any element of the intelligence community (as that term is defined in section 3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4)), or other any element of the Federal Government with responsibility for analyzing terrorist threat information, from receiving any intelligence or other information relating to terrorism.
(2) Sharing of information.--The Secretary, in consultation with the Director of Central Intelligence, shall work to ensure that intelligence or other information relating to terrorism to which the Department has access is appropriately shared with the elements of the Federal Government referred to in paragraph (1), as well as with State and local governments, as appropriate.

Subtitle B--Critical Infrastructure Information

SEC. 211. SHORT TITLE.

This subtitle may be cited as the "Critical Infrastructure Information Act of 2002".

SEC. 212. DEFINITIONS.
In this subtitle:
(1) Agency.--The term "agency" has the meaning given it in section 551 of title 5, United States Code.
(2) Covered federal agency.--The term "covered Federal agency" means the Department of Homeland Security.
(3) Critical infrastructure information.--The term "critical infrastructure information" means information not customarily in the public domain and related to the security of critical infrastructure or protected systems--
(A) actual, potential, or threatened interference with, attack on, compromise of, or incapacitation of critical infrastructure or protected systems by either physical or computer-based attack or other similar conduct (including the misuse of or unauthorized access to all types of communications and data transmission systems) that violates Federal, State, or local law, harms interstate commerce of the United States, or threatens public health or safety;
(B) the ability of any critical infrastructure or protected system to resist such interference, compromise, or incapacitation, including any planned or past assessment, projection, or estimate of the vulnerability of critical infrastructure or a protected system, including security testing, risk evaluation thereto, risk management planning, or risk audit; or
(C) any planned or past operational problem or solution regarding critical infrastructure or protected systems, including repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to such interference, compromise, or incapacitation.
(4) Critical infrastructure protection program.--The term "critical infrastructure protection program" means any component or bureau of a covered Federal agency that has been designated by the President or any agency head to receive critical infrastructure information.
(5) Information sharing and analysis organization.--The term "Information Sharing and Analysis Organization" means any formal or informal entity or collaboration created or employed by public or private sector organizations, for purposes of--
(A) gathering and analyzing critical infrastructure information in order to better understand security problems and interdependencies related to critical infrastructure and protected systems, so as to ensure the availability, integrity, and reliability thereof;
(B) communicating or disclosing critical infrastructure information to help prevent, detect, mitigate, or recover from the effects of a interference, compromise, or a incapacitation problem related to critical infrastructure or protected systems; and
(C) voluntarily disseminating critical infrastructure information to its members, State, local, and Federal Governments, or any other entities that may be of assistance in carrying out the purposes specified in subparagraphs (A) and (B).
(6) Protected system.--The term "protected system"--
(A) means any service, physical or computer-based system, process, or procedure that directly or indirectly affects the viability of a facility of critical infrastructure; and
(B) includes any physical or computer-based system, including a computer, computer system, computer or communications network, or any component hardware or element thereof, software program, processing instructions, or information or data in transmission or storage therein, irrespective of the medium of transmission or storage.
(7) Voluntary.--
(A) In general.--The term "voluntary", in the case of any submittal of critical infrastructure information to a covered Federal agency, means the submittal thereof in the absence of such agency's exercise of legal authority to compel access to or submission of such information and may be accomplished by a single entity or an Information Sharing and Analysis Organization on behalf of itself or its members.
(B) Exclusions.--The term "voluntary"--
(i) in the case of any action brought under the securities laws as is defined in section 3(a)(47) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(47))--
(I) does not include information or statements contained in any documents or materials filed with the Securities and Exchange Commission, or with Federal banking regulators, pursuant to section 12(i) of the Securities Exchange Act of 1934 (15 U.S.C. 781(I)); and
(II) with respect to the submittal of critical infrastructure information, does not include any disclosure or writing that when made accompanied the solicitation of an offer or a sale of securities; and
(ii) does not include information or statements submitted or relied upon as a basis for making licensing or permitting determinations, or during regulatory proceedings.

SEC. 213. DESIGNATION OF CRITICAL INFRASTRUCTURE PROTECTION PROGRAM.

A critical infrastructure protection program may be designated as such by one of the following:
(1) The President.
(2) The Secretary of Homeland Security.

SEC. 214. PROTECTION OF VOLUNTARILY SHARED CRITICAL INFRASTRUCTURE INFORMATION.
(a) Protection.--
(1) In general.--Notwithstanding any other provision of law, critical infrastructure information (including the identity of the submitting person or entity) that is voluntarily submitted to a covered Federal agency for use by that agency regarding the security of critical infrastructure and protected systems, analysis, warning, interdependency study, recovery, reconstitution, or other informational purpose, when accompanied by an express statement specified in paragraph (2)--
(A) shall be exempt from disclosure under section 552 of title 5, United States Code (commonly referred to as the Freedom of Information Act);
(B) shall not be subject to any agency rules or judicial doctrine regarding ex parte communications with a decision making official;
(C) shall not, without the written consent of the person or entity submitting such information, be used directly by such agency, any other Federal, State, or local authority, or any third party, in any civil action arising under Federal or State law if such information is submitted in good faith;
(D) shall not, without the written consent of the person or entity submitting such information, be used or disclosed by any officer or employee of the United States for purposes other than the purposes of this subtitle, except--
(i) in furtherance of an investigation or the prosecution of a criminal act; or
(ii) when disclosure of the information would be--
(I) to either House of Congress, or to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee thereof or subcommittee of any such joint committee; or
(II) to the Comptroller General, or any authorized representative of the Comptroller General, in the course of the performance of the duties of the General Accounting Office.
(E) shall not, if provided to a State or local government or government agency--
(i) be made available pursuant to any State or local law requiring disclosure of information or records;
(ii) otherwise be disclosed or distributed to any party by said State or local government or government agency without the written consent of the person or entity submitting such information; or
(iii) be used other than for the purpose of protecting critical infrastructure or protected systems, or in furtherance of an investigation or the prosecution of a criminal act; and
(F) does not constitute a waiver of any applicable privilege or protection provided under law, such as trade secret protection.
(2) Express statement.--For purposes of paragraph (1), the term "express statement", with respect to information or records, means--
(A) in the case of written information or records, a written marking on the information or records substantially similar to the following: "This information is voluntarily submitted to the Federal Government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002."; or
(B) in the case of oral information, a similar written statement submitted within a reasonable period following the oral communication.
(b) Limitation.--No communication of critical infrastructure information to a covered Federal agency made pursuant to this subtitle shall be considered to be an action subject to the requirements of the Federal Advisory Committee Act (5 U.S.C. App. 2).
(c) Independently Obtained Information.--Nothing in this section shall be construed to limit or otherwise affect the ability of a State, local, or Federal Government entity, agency, or authority, or any third party, under applicable law, to obtain critical infrastructure information in a manner not covered by subsection (a), including any information lawfully and properly disclosed generally or broadly to the public and to use such information in any manner permitted by law.
(d) Treatment of Voluntary Submittal of Information.--The voluntary submittal to the Government of information or records that are protected from disclosure by this subtitle shall not be construed to constitute compliance with any requirement to submit such information to a Federal agency under any other provision of law.
(e) Procedures.--
(1) In general.--The Secretary of the Department of Homeland Security shall, in consultation with appropriate representatives of the National Security Council and the Office of Science and Technology Policy, establish uniform procedures for the receipt, care, and storage by Federal agencies of critical infrastructure information that is voluntarily submitted to the Government. The procedures shall be established not later than 90 days after the date of the enactment of this subtitle.
(2) Elements.--The procedures established under paragraph (1) shall include mechanisms regarding--
(A) the acknowledgement of receipt by Federal agencies of critical infrastructure information that is voluntarily submitted to the Government;
(B) the maintenance of the identification of such information as voluntarily submitted to the Government for purposes of and subject to the provisions of this subtitle;
(C) the care and storage of such information; and
(D) the protection and maintenance of the confidentiality of such information so as to permit the sharing of such information within the Federal Government and with State and local governments, and the issuance of notices and warnings related to the protection of critical infrastructure and protected systems, in such manner as to protect from public disclosure the identity of the submitting person or entity, or information that is proprietary, business sensitive, relates specifically to the submitting person or entity, and is otherwise not appropriately in the public domain.
(f) Penalties.--Whoever, being an officer or employee of the United States or of any department or agency thereof, knowingly publishes, divulges, discloses, or makes known in any manner or to any extent not authorized by law, any critical infrastructure information protected from disclosure by this subtitle coming to him in the course of this employment or official duties or by reason of any examination or investigation made by, or return, report, or record made to or filed with, such department or agency or officer or employee thereof, shall be fined under title 18 of the United States Code, imprisoned not more than 1 year, or both, and shall be removed from office or employment.
(g) Authority To Issue Warnings.--The Federal Government may provide advisories, alerts, and warnings to relevant companies, targeted sectors, other governmental entities, or the general public regarding potential threats to critical infrastructure as appropriate. In issuing a warning, the Federal Government shall take appropriate actions to protect from disclosure--
(1) the source of any voluntarily submitted critical infrastructure information that forms the basis for the warning; or
(2) information that is proprietary, business sensitive, relates specifically to the submitting person or entity, or is otherwise not appropriately in the public domain.
(h) Authority To Delegate.--The President may delegate authority to a critical infrastructure protection program, designated under subsection (e), to enter into a voluntary agreement to promote critical infrastructure security, including with any Information Sharing and Analysis Organization, or a plan of action as otherwise defined in section 708 of the Defense Production Act of 1950 (50 U.S.C. App. 2158).

SEC. 215. NO PRIVATE RIGHT OF ACTION.

Nothing in this subtitle may be construed to create a private right of action for enforcement of any provision of this Act.

Subtitle C--Information Security

SEC. 221. PROCEDURES FOR SHARING INFORMATION.

The Secretary shall establish procedures on the use of information shared under this title that--
(1) limit the redissemination of such information to ensure that it is not used for an unauthorized purpose;
(2) ensure the security and confidentiality of such information;
(3) protect the constitutional and statutory rights of any individuals who are subjects of such information; and
(4) provide data integrity through the timely removal and destruction of obsolete or erroneous names and information.

SEC. 222. PRIVACY OFFICER.
The Secretary shall appoint a senior official in the Department to assume primary responsibility for privacy policy, including-- (1) assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information; (2) assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as set out in the Privacy Act of 1974; (3) evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government; (4) conducting a privacy impact assessment of proposed rules of the Department or that of the Department on the privacy of personal information, including the type of personal information collected and the number of people affected; and (5) preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974, internal controls, and other matters. SEC. 223. ENHANCEMENT OF NON-FEDERAL CYBERSECURITY. 
In carrying out the responsibilities under section 201, the Under Secretary for Information Analysis and Infrastructure Protection shall-- (1) as appropriate, provide to State and local government entities, and upon request to private entities that own or operate critical information systems-- (A) analysis and warnings related to threats to, and vulnerabilities of, critical information systems; and (B) in coordination with the Under Secretary for Emergency Preparedness and Response, crisis management support in response to threats to, or attacks on, critical information systems; and (2) as appropriate, provide technical assistance, upon request, to the private sector and other government entities, in coordination with the Under Secretary for Emergency Preparedness and Response, with respect to emergency recovery plans to respond to major failures of critical information systems. SEC. 224. NET GUARD. The Under Secretary for Information Analysis and Infrastructure Protection may establish a national technology guard, to be known as "NET Guard", comprised of local teams of volunteers with expertise in relevant areas of science and technology, to assist local communities to respond and recover from attacks on information systems and communications networks. SEC. 225. CYBER SECURITY ENHANCEMENT ACT OF 2002. (a) Short Title.--This section may be cited as the "Cyber Security Enhancement Act of 2002". (b) Amendment of Sentencing Guidelines Relating to Certain Computer Crimes.-- (1) Directive to the united states sentencing commission.-- Pursuant to its authority under section 994(p) of title 28, United States Code, and in accordance with this subsection, the United States Sentencing Commission shall review and, if appropriate, amend its guidelines and its policy statements applicable to persons convicted of an offense under section 1030 of title 18, United States Code. 
(2) Requirements.--In carrying out this subsection, the Sentencing Commission shall-- (A) ensure that the sentencing guidelines and policy statements reflect the serious nature of the offenses described in paragraph (1), the growing incidence of such offenses, and the need for an effective deterrent and appropriate punishment to prevent such offenses; (B) consider the following factors and the extent to which the guidelines may or may not account for them-- (i) the potential and actual loss resulting from the offense; (ii) the level of sophistication and planning involved in the offense; (iii) whether the offense was committed for purposes of commercial advantage or private financial benefit; (iv) whether the defendant acted with malicious intent to cause harm in committing the offense; (v) the extent to which the offense violated the privacy rights of individuals harmed; (vi) whether the offense involved a computer used by the government in furtherance of national defense, national security, or the administration of justice; (vii) whether the violation was intended to or had the effect of significantly interfering with or disrupting a critical infrastructure; and (viii) whether the violation was intended to or had the effect of creating a threat to public health or safety, or injury to any person; (C) assure reasonable consistency with other relevant directives and with other sentencing guidelines; (D) account for any additional aggravating or mitigating circumstances that might justify exceptions to the generally applicable sentencing ranges; (E) make any necessary conforming changes to the sentencing guidelines; and (F) assure that the guidelines adequately meet the purposes of sentencing as set forth in section 3553(a)(2) of title 18, United States Code. 
(c) Study and Report on Computer Crimes.--Not later than May 1, 2003, the United States Sentencing Commission shall submit a brief report to Congress that explains any actions taken by the Sentencing Commission in response to this section and includes any recommendations the Commission may have regarding statutory penalties for offenses under section 1030 of title 18, United States Code. (d) Emergency Disclosure Exception.-- (1) In general.--Section 2702(b) of title 18, United States Code, is amended-- (A) in paragraph (5), by striking "or" at the end; (B) in paragraph (6)(A), by inserting "or" at the end; (C) by striking paragraph (6)(C); and (D) by adding at the end the following: "(7) to a Federal, State, or local governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.". (2) Reporting of disclosures.--A government entity that receives a disclosure under section 2702(b) of title 18, United States Code, shall file, not later than 90 days after such disclosure, a report to the Attorney General stating the paragraph of that section under which the disclosure was made, the date of the disclosure, the entity to which the disclosure was made, the number of customers or subscribers to whom the information disclosed pertained, and the number of communications, if any, that were disclosed. The Attorney General shall publish all such reports into a single report to be submitted to Congress 1 year after the date of enactment of this Act. (e) Good Faith Exception.--Section 2520(d)(3) of title 18, United States Code, is amended by inserting "or 2511(2)(i)" after "2511(3)". 
(f) Internet Advertising of Illegal Devices.--Section 2512(1)(c) of title 18, United States Code, is amended-- (1) by inserting "or disseminates by electronic means" after "or other publication"; and (2) by inserting "knowing the content of the advertisement and" before "knowing or having reason to know". (g) Strengthening Penalties.--Section 1030(c) of title 18, United States Code, is amended-- (1) by striking "and" at the end of paragraph (3); (2) in each of subparagraphs (A) and (C) of paragraph (4), by inserting "except as provided in paragraph (5)," before "a fine under this title"; (3) in paragraph (4)(C), by striking the period at the end and inserting "; and"; and (4) by adding at the end the following: "(5)(A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and "(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.". (h) Provider Assistance.-- (1) Section 2703.--Section 2703(e) of title 18, United States Code, is amended by inserting ", statutory authorization" after "subpoena". (2) Section 2511.--Section 2511(2)(a)(ii) of title 18, United States Code, is amended by inserting ", statutory authorization," after "court order" the last place it appears. 
(i) Emergencies.--Section 3125(a)(1) of title 18, United States Code, is amended-- (1) in subparagraph (A), by striking "or" at the end; (2) in subparagraph (B), by striking the comma at the end and inserting a semicolon; and (3) by adding at the end the following: "(C) an immediate threat to a national security interest; or "(D) an ongoing attack on a protected computer (as defined in section 1030) that constitutes a crime punishable by a term of imprisonment greater than one year;". (j) Protecting Privacy.-- (1) Section 2511.--Section 2511(4) of title 18, United States Code, is amended-- (A) by striking paragraph (b); and (B) by redesignating paragraph (c) as paragraph (b). (2) Section 2701.--Section 2701(b) of title 18, United States Code, is amended-- (A) in paragraph (1), by inserting ", or in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or any State" after "commercial gain"; (B) in paragraph (1)(A), by striking "one year" and inserting "5 years"; (C) in paragraph (1)(B), by striking "two years" and inserting "10 years"; and (D) by striking paragraph (2) and inserting the following: "(2) in any other case-- "(A) a fine under this title or imprisonment for not more than 1 year or both, in the case of a first offense under this paragraph; and "(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under this subparagraph that occurs after a conviction of another offense under this section.". [...] TITLE III--SCIENCE AND TECHNOLOGY IN SUPPORT OF HOMELAND SECURITY SEC. 301. UNDER SECRETARY FOR SCIENCE AND TECHNOLOGY. There shall be in the Department a Directorate of Science and Technology headed by an Under Secretary for Science and Technology. SEC. 302. RESPONSIBILITIES AND AUTHORITIES OF THE UNDER SECRETARY FOR SCIENCE AND TECHNOLOGY. 
The Secretary, acting through the Under Secretary for Science and Technology, shall have the responsibility for-- (1) advising the Secretary regarding research and development efforts and priorities in support of the Department's missions; (2) developing, in consultation with other appropriate executive agencies, a national policy and strategic plan for, identifying priorities, goals, objectives and policies for, and coordinating the Federal Government's civilian efforts to identify and develop countermeasures to chemical, biological, radiological, nuclear, and other emerging terrorist threats, including the development of comprehensive, research-based definable goals for such efforts and development of annual measurable objectives and specific targets to accomplish and evaluate the goals for such efforts; (3) supporting the Under Secretary for Information Analysis and Infrastructure Protection, by assessing and testing homeland security vulnerabilities and possible threats; (4) conducting basic and applied research, development, demonstration, testing, and evaluation activities that are relevant to any or all elements of the Department, through both intramural and extramural programs, except that such responsibility does not extend to human health-related research and development activities; (5) establishing priorities for, directing, funding, and conducting national research, development, test and evaluation, and procurement of technology and systems for-- (A) preventing the importation of chemical, biological, radiological, nuclear, and related weapons and material; and (B) detecting, preventing, protecting against, and responding to terrorist attacks; (6) establishing a system for transferring homeland security developments or technologies to federal, state, local government, and private sector entities; (7) entering into work agreements, joint sponsorships, contracts, or any other agreements with the Department of Energy regarding the use of the national 
laboratories or sites and support of the science and technology base at those facilities; (8) collaborating with the Secretary of Agriculture and the Attorney General as provided in section 212 of the Agricultural Bioterrorism Protection Act of 2002 (7 U.S.C. 8401), as amended by section 1709(b); (9) collaborating with the Secretary of Health and Human Services and the Attorney General in determining any new biological agents and toxins that shall be listed as "select agents" in Appendix A of part 72 of title 42, Code of Federal Regulations, pursuant to section 351A of the Public Health Service Act (42 U.S.C. 262a); (10) supporting United States leadership in science and technology; (11) establishing and administering the primary research and development activities of the Department, including the long-term research and development needs and capabilities for all elements of the Department; (12) coordinating and integrating all research, development, demonstration, testing, and evaluation activities of the Department; (13) coordinating with other appropriate executive agencies in developing and carrying out the science and technology agenda of the Department to reduce duplication and identify unmet needs; and (14) developing and overseeing the administration of guidelines for merit review of research and development projects throughout the Department, and for the dissemination of research conducted or sponsored by the Department. SEC. 303. FUNCTIONS TRANSFERRED. 
In accordance with title XV, there shall be transferred to the Secretary the functions, personnel, assets, and liabilities of the following entities: (1) The following programs and activities of the Department of Energy, including the functions of the Secretary of Energy relating thereto (but not including programs and activities relating to the strategic nuclear defense posture of the United States): (A) The chemical and biological national security and supporting programs and activities of the nonproliferation and verification research and development program. (B) The nuclear smuggling programs and activities within the proliferation detection program of the nonproliferation and verification research and development program. The programs and activities described in this subparagraph may be designated by the President either for transfer to the Department or for joint operation by the Secretary and the Secretary of Energy. (C) The nuclear assessment program and activities of the assessment, detection, and cooperation program of the international materials protection and cooperation program. (D) Such life sciences activities of the biological and environmental research program related to microbial pathogens as may be designated by the President for transfer to the Department. (E) The Environmental Measurements Laboratory. (F) The advanced scientific computing research program and activities at Lawrence Livermore National Laboratory. (2) The National Bio-Weapons Defense Analysis Center of the Department of Defense, including the functions of the Secretary of Defense related thereto. (3) The Plum Island Animal Disease Center of the Department of Agriculture, as provided in section 310. SEC. 304. CONDUCT OF CERTAIN PUBLIC HEALTH-RELATED ACTIVITIES. 
(a) In General.--With respect to civilian human health-related research and development activities relating to countermeasures for chemical, biological, radiological, and nuclear and other emerging terrorist threats carried out by the Department of Health and Human Services (including the Public Health Service), the Secretary of Health and Human Services shall set priorities, goals, objectives, and policies and develop a coordinated strategy for such activities in collaboration with the Secretary of Homeland Security to ensure consistency with the national policy and strategic plan developed pursuant to section 302(2). (b) Evaluation of Progress.--In carrying out subsection (a), the Secretary of Health and Human Services shall collaborate with the Secretary in developing specific benchmarks and outcome measurements for evaluating progress toward achieving the priorities and goals described in such subsection. (c) Administration of Countermeasures Against Smallpox.-- Section 224 of the Public Health Service Act (42 U.S.C. 233) is amended by adding the following: "(p) Administration of Smallpox Countermeasures by Health Professionals.-- "(1) In general.--For purposes of this section, and subject to other provisions of this subsection, a covered person shall be deemed to be an employee of the Public Health Service with respect to liability arising out of administration of a covered countermeasure against smallpox to an individual during the effective period of a declaration by the Secretary under paragraph (2)(A). "(2) Declaration by secretary concerning countermeasure against smallpox.-- "(A) Authority to issue declaration.-- "(i) In general.--The Secretary may issue a declaration, pursuant to this paragraph, concluding that an actual or potential bioterrorist incident or other actual or potential public health emergency makes advisable the administration of a covered countermeasure to a category or categories of individuals. 
"(ii) Covered countermeasure.--The Secretary shall specify in such declaration the substance or substances that shall be considered covered countermeasures (as defined in paragraph (8)(A)) for purposes of administration to individuals during the effective period of the declaration. "(iii) Effective period.--The Secretary shall specify in such declaration the beginning and ending dates of the effective period of the declaration, and may subsequently amend such declaration to shorten or extend such effective period, provided that the new closing date is after the date when the declaration is amended. "(iv) Publication.--The Secretary shall promptly publish each such declaration and amendment in the Federal Register. "(B) Liability of united states only for administrations within scope of declaration.--Except as provided in paragraph (5)(B)(ii), the United States shall be liable under this subsection with respect to a claim arising out of the administration of a covered countermeasure to an individual only if-- "(i) the countermeasure was administered by a qualified person, for a purpose stated in paragraph (7)(A)(i), and during the effective period of a declaration by the Secretary under subparagraph (A) with respect to such countermeasure; and "(ii)(I) the individual was within a category of individuals covered by the declaration; or "(II) the qualified person administering the countermeasure had reasonable grounds to believe that such individual was within such category. 
"(C) Presumption of administration within scope of declaration in case of accidental vaccinia inoculation.-- "(i) In general.--If vaccinia vaccine is a covered countermeasure specified in a declaration under subparagraph (A), and an individual to whom the vaccinia vaccine is not administered contracts vaccinia, then, under the circumstances specified in clause (ii), the individual-- "(I) shall be rebuttably presumed to have contracted vaccinia from an individual to whom such vaccine was administered as provided by clauses (i) and (ii) of subparagraph (B); and "(II) shall (unless such presumption is rebutted) be deemed for purposes of this subsection to be an individual to whom a covered countermeasure was administered by a qualified person in accordance with the terms of such declaration and as described by subparagraph (B). "(ii) Circumstances in which presumption applies.--The presumption and deeming stated in clause (i) shall apply if-- "(I) the individual contracts vaccinia during the effective period of a declaration under subparagraph (A) or by the date 30 days after the close of such period; or "(II) the individual resides or has resided with an individual to whom such vaccine was administered as provided by clauses (i) and (ii) of subparagraph (B) and contracts vaccinia after such date. "(3) Exclusivity of remedy.--The remedy provided by subsection (a) shall be exclusive of any other civil action or proceeding for any claim or suit this subsection encompasses. 
"(4) Certification of action by attorney general.-- Subsection (c) applies to actions under this subsection, subject to the following provisions: "(A) Nature of certification.--The certification by the Attorney General that is the basis for deeming an action or proceeding to be against the United States, and for removing an action or proceeding from a State court, is a certification that the action or proceeding is against a covered person and is based upon a claim alleging personal injury or death arising out of the administration of a covered countermeasure. "(B) Certification of attorney general conclusive.--The certification of the Attorney General of the facts specified in subparagraph (A) shall conclusively establish such facts for purposes of jurisdiction pursuant to this subsection. "(5) Defendant to cooperate with united states.-- "(A) In general.--A covered person shall cooperate with the United States in the processing and defense of a claim or action under this subsection based upon alleged acts or omissions of such person. "(B) Consequences of failure to cooperate.--Upon the motion of the United States or any other party and upon finding that such person has failed to so cooperate-- "(i) the court shall substitute such person as the party defendant in place of the United States and, upon motion, shall remand any such suit to the court in which it was instituted if it appears that the court lacks subject matter jurisdiction; "(ii) the United States shall not be liable based on the acts or omissions of such person; and "(iii) the Attorney General shall not be obligated to defend such action. 
"(6) Recourse against covered person in case of gross misconduct or contract violation.-- "(A) In general.--Should payment be made by the United States to any claimant bringing a claim under this subsection, either by way of administrative determination, settlement, or court judgment, the United States shall have, notwithstanding any provision of State law, the right to recover for that portion of the damages so awarded or paid, as well as interest and any costs of litigation, resulting from the failure of any covered person to carry out any obligation or responsibility assumed by such person under a contract with the United States or from any grossly negligent, reckless, or illegal conduct or willful misconduct on the part of such person. "(B) Venue.--The United States may maintain an action under this paragraph against such person in the district court of the United States in which such person resides or has its principal place of business. "(7) Definitions.--As used in this subsection, terms have the following meanings: "(A) Covered countermeasure.--The term `covered countermeasure', or `covered countermeasure against smallpox', means a substance that is-- "(i)(I) used to prevent or treat smallpox (including the vaccinia or another vaccine); or "(II) vaccinia immune globulin used to control or treat the adverse effects of vaccinia inoculation; and "(ii) specified in a declaration under paragraph (2). "(B) Covered person.--The term `covered person', when used with respect to the administration of a covered countermeasure, includes any person who is-- "(i) a manufacturer or distributor of such countermeasure; "(ii) a health care entity under whose auspices such countermeasure was administered; "(iii) a qualified person who administered such countermeasure; or "(iv) an official, agent, or employee of a person described in clause (i), (ii), or (iii). 
"(C) Qualified person.--The term `qualified person', when used with respect to the administration of a covered countermeasure, means a licensed health professional or other individual who is authorized to administer such countermeasure under the law of the State in which the countermeasure was administered.". SEC. 305. FEDERALLY FUNDED RESEARCH AND DEVELOPMENT CENTERS. The Secretary, acting through the Under Secretary for Science and Technology, shall have the authority to establish or contract with 1 or more federally funded research and development centers to provide independent analysis of homeland security issues, or to carry out other responsibilities under this Act, including coordinating and integrating both the extramural and intramural programs described in section 308. SEC. 306. MISCELLANEOUS PROVISIONS. (a) Classification.--To the greatest extent practicable, research conducted or supported by the Department shall be unclassified. (b) Construction.--Nothing in this title shall be construed to preclude any Under Secretary of the Department from carrying out research, development, demonstration, or deployment activities, as long as such activities are coordinated through the Under Secretary for Science and Technology. (c) Regulations.--The Secretary, acting through the Under Secretary for Science and Technology, may issue necessary regulations with respect to research, development, demonstration, testing, and evaluation activities of the Department, including the conducting, funding, and reviewing of such activities. 
(d) Notification of Presidential Life Sciences Designations.--Not later than 60 days before effecting any transfer of Department of Energy life sciences activities pursuant to section 303(1)(D) of this Act, the President shall notify the appropriate congressional committees of the proposed transfer and shall include the reasons for the transfer and a description of the effect of the transfer on the activities of the Department of Energy. SEC. 307. HOMELAND SECURITY ADVANCED RESEARCH PROJECTS AGENCY. (a) Definitions.--In this section: (1) Fund.--The term "Fund" means the Acceleration Fund for Research and Development of Homeland Security Technologies established in subsection (c). (2) Homeland security research.--The term "homeland security research" means research relevant to the detection of, prevention of, protection against, response to, attribution of, and recovery from homeland security threats, particularly acts of terrorism. (3) Hsarpa.--The term "HSARPA" means the Homeland Security Advanced Research Projects Agency established in subsection (b). (4) Under secretary.--The term "Under Secretary" means the Under Secretary for Science and Technology. (b) HSARPA.-- (1) Establishment.--There is established the Homeland Security Advanced Research Projects Agency. (2) Director.--HSARPA shall be headed by a Director, who shall be appointed by the Secretary. The Director shall report to the Under Secretary. (3) Responsibilities.--The Director shall administer the Fund to award competitive, merit-reviewed grants, cooperative agreements or contracts to public or private entities, including businesses, federally funded research and development centers, and universities. 
The Director shall administer the Fund to-- (A) support basic and applied homeland security research to promote revolutionary changes in technologies that would promote homeland security; (B) advance the development, testing and evaluation, and deployment of critical homeland security technologies; and (C) accelerate the prototyping and deployment of technologies that would address homeland security vulnerabilities. (4) Targeted competitions.--The Director may solicit proposals to address specific vulnerabilities identified by the Director. (5) Coordination.--The Director shall ensure that the activities of HSARPA are coordinated with those of other relevant research agencies, and may run projects jointly with other agencies. (6) Personnel.--In hiring personnel for HSARPA, the Secretary shall have the hiring and management authorities described in section 1101 of the Strom Thurmond National Defense Authorization Act for Fiscal Year 1999 (5 U.S.C. 3104 note; Public Law 105-261). The term of appointments for employees under subsection (c)(1) of that section may not exceed 5 years before the granting of any extension under subsection (c)(2) of that section. (7) Demonstrations.--The Director, periodically, shall hold homeland security technology demonstrations to improve contact among technology developers, vendors and acquisition personnel. (c) Fund.-- (1) Establishment.--There is established the Acceleration Fund for Research and Development of Homeland Security Technologies, which shall be administered by the Director of HSARPA. (2) Authorization of appropriations.--There are authorized to be appropriated $500,000,000 to the Fund for fiscal year 2003 and such sums as may be necessary thereafter. 
(3) Coast guard.--Of the funds authorized to be appropriated under paragraph (2), not less than 10 percent of such funds for each fiscal year through fiscal year 2005 shall be authorized only for the Under Secretary, through joint agreement with the Commandant of the Coast Guard, to carry out research and development of improved ports, waterways and coastal security surveillance and perimeter protection capabilities for the purpose of minimizing the possibility that Coast Guard cutters, aircraft, helicopters, and personnel will be diverted from non-homeland security missions to the ports, waterways and coastal security mission. SEC. 308. CONDUCT OF RESEARCH, DEVELOPMENT, DEMONSTRATION, TESTING AND EVALUATION. (a) In General.--The Secretary, acting through the Under Secretary for Science and Technology, shall carry out the responsibilities under section 302(4) through both extramural and intramural programs. (b) Extramural Programs.-- (1) In general.--The Secretary, acting through the Under Secretary for Science and Technology, shall operate extramural research, development, demonstration, testing, and evaluation programs so as to-- (A) ensure that colleges, universities, private research institutes, and companies (and consortia thereof) from as many areas of the United States as practicable participate; (B) ensure that the research funded is of high quality, as determined through merit review processes developed under section 302(14); and (C) distribute funds through grants, cooperative agreements, and contracts. (2) University-based centers for homeland security.-- (A) Establishment.--The Secretary, acting through the Under Secretary for Science and Technology, shall establish within 1 year of the date of enactment of this Act a university-based center or centers for homeland security. The purpose of this center or centers shall be to establish a coordinated, university-based system to enhance the Nation's homeland security. 
(B) Criteria for selection.--In selecting colleges or universities as centers for homeland security, the Secretary shall consider the following criteria: (i) Demonstrated expertise in the training of first responders. (ii) Demonstrated expertise in responding to incidents involving weapons of mass destruction and biological warfare. (iii) Demonstrated expertise in emergency medical services. (iv) Demonstrated expertise in chemical, biological, radiological, and nuclear countermeasures. (v) Strong affiliations with animal and plant diagnostic laboratories. (vi) Demonstrated expertise in food safety. (vii) Affiliation with Department of Agriculture laboratories or training centers. (viii) Demonstrated expertise in water and wastewater operations. (ix) Demonstrated expertise in port and waterway security. (x) Demonstrated expertise in multi-modal transportation. (xi) Nationally recognized programs in information security. (xii) Nationally recognized programs in engineering. (xiii) Demonstrated expertise in educational outreach and technical assistance. (xiv) Demonstrated expertise in border transportation and security. (xv) Demonstrated expertise in interdisciplinary public policy research and communication outreach regarding science, technology, and public policy. (C) Discretion of secretary.--The Secretary shall have the discretion to establish such centers and to consider additional criteria as necessary to meet the evolving needs of homeland security and shall report to Congress concerning the implementation of this paragraph as necessary. (D) Authorization of appropriations.--There are authorized to be appropriated such sums as may be necessary to carry out this paragraph. (c) Intramural Programs.-- (1) Consultation.--In carrying out the duties under section 302, the Secretary, acting through the Under Secretary for Science and Technology, may draw upon the expertise of any laboratory of the Federal Government, whether operated by a contractor or the Government. 
(2) Laboratories.--The Secretary, acting through the Under Secretary for Science and Technology, may establish a headquarters laboratory for the Department at any laboratory or site and may establish additional laboratory units at other laboratories or sites. (3) Criteria for headquarters laboratory.--If the Secretary chooses to establish a headquarters laboratory pursuant to paragraph (2), then the Secretary shall do the following: (A) Establish criteria for the selection of the headquarters laboratory in consultation with the National Academy of Sciences, appropriate Federal agencies, and other experts. (B) Publish the criteria in the Federal Register. (C) Evaluate all appropriate laboratories or sites against the criteria. (D) Select a laboratory or site on the basis of the criteria. (E) Report to the appropriate congressional committees on which laboratory was selected, how the selected laboratory meets the published criteria, and what duties the headquarters laboratory shall perform. (4) Limitation on operation of laboratories.--No laboratory shall begin operating as the headquarters laboratory of the Department until at least 30 days after the transmittal of the report required by paragraph (3)(E). SEC. 309. UTILIZATION OF DEPARTMENT OF ENERGY NATIONAL LABORATORIES AND SITES IN SUPPORT OF HOMELAND SECURITY ACTIVITIES. (a) Authority to Utilize National Laboratories and Sites.-- (1) In general.--In carrying out the missions of the Department, the Secretary may utilize the Department of Energy national laboratories and sites through any 1 or more of the following methods, as the Secretary considers appropriate: (A) A joint sponsorship arrangement referred to in subsection (b). (B) A direct contract between the Department and the applicable Department of Energy laboratory or site, subject to subsection (c). (C) Any "work for others" basis made available by that laboratory or site. (D) Any other method provided by law. 
(2) Acceptance and Performance by Labs and Sites.-- Notwithstanding any other law governing the administration, mission, use, or operations of any of the Department of Energy national laboratories and sites, such laboratories and sites are authorized to accept and perform work for the Secretary, consistent with resources provided, and perform such work on an equal basis to other missions at the laboratory and not on a noninterference basis with other missions of such laboratory or site. (b) Joint Sponsorship Arrangements.-- (1) Laboratories.--The Department may be a joint sponsor, under a multiple agency sponsorship arrangement with the Department of Energy, of 1 or more Department of Energy national laboratories in the performance of work. (2) Sites.--The Department may be a joint sponsor of a Department of Energy site in the performance of work as if such site were a federally funded research and development center and the work were performed under a multiple agency sponsorship arrangement with the Department. (3) Primary sponsor.--The Department of Energy shall be the primary sponsor under a multiple agency sponsorship arrangement referred to in paragraph (1) or (2). (4) Lead agent.--The Secretary of Energy shall act as the lead agent in coordinating the formation and performance of a joint sponsorship arrangement under this subsection between the Department and a Department of Energy national laboratory or site. (5) Federal acquisition regulation.--Any work performed by a Department of Energy national laboratory or site under a joint sponsorship arrangement under this subsection shall comply with the policy on the use of federally funded research and development centers under the Federal Acquisition Regulations. 
(6) Funding.--The Department shall provide funds for work at the Department of Energy national laboratories or sites, as the case may be, under a joint sponsorship arrangement under this subsection under the same terms and conditions as apply to the primary sponsor of such national laboratory under section 303(b)(1)(C) of the Federal Property and Administrative Services Act of 1949 (41 U.S.C. 253 (b)(1)(C)) or of such site to the extent such section applies to such site as a federally funded research and development center by reason of this subsection. (c) Separate Contracting.--To the extent that programs or activities transferred by this Act from the Department of Energy to the Department of Homeland Security are being carried out through direct contracts with the operator of a national laboratory or site of the Department of Energy, the Secretary of Homeland Security and the Secretary of Energy shall ensure that direct contracts for such programs and activities between the Department of Homeland Security and such operator are separate from the direct contracts of the Department of Energy with such operator. (d) Authority With Respect to Cooperative Research and Development Agreements and Licensing Agreements.--In connection with any utilization of the Department of Energy national laboratories and sites under this section, the Secretary may permit the director of any such national laboratory or site to enter into cooperative research and development agreements or to negotiate licensing agreements with any person, any agency or instrumentality, of the United States, any unit of State or local government, and any other entity under the authority granted by section 12 of the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3710a). Technology may be transferred to a non-Federal party to such an agreement consistent with the provisions of sections 11 and 12 of that Act (15 U.S.C. 3710, 3710a). 
(e) Reimbursement of Costs.--In the case of an activity carried out by the operator of a Department of Energy national laboratory or site in connection with any utilization of such laboratory or site under this section, the Department of Homeland Security shall reimburse the Department of Energy for costs of such activity through a method under which the Secretary of Energy waives any requirement for the Department of Homeland Security to pay administrative charges or personnel costs of the Department of Energy or its contractors in excess of the amount that the Secretary of Energy pays for an activity carried out by such contractor and paid for by the Department of Energy. (f) Laboratory Directed Research and Development by the Department of Energy.--No funds authorized to be appropriated or otherwise made available to the Department in any fiscal year may be obligated or expended for laboratory directed research and development activities carried out by the Department of Energy unless such activities support the missions of the Department of Homeland Security. (g) Office for National Laboratories.--There is established within the Directorate of Science and Technology an Office for National Laboratories, which shall be responsible for the coordination and utilization of the Department of Energy national laboratories and sites under this section in a manner to create a networked laboratory system for the purpose of supporting the missions of the Department. (h) Department of Energy Coordination on Homeland Security Related Research.--The Secretary of Energy shall ensure that any research, development, test, and evaluation activities conducted within the Department of Energy that are directly or indirectly related to homeland security are fully coordinated with the Secretary to minimize duplication of effort and maximize the effective application of Federal budget resources. SEC. 310. TRANSFER OF PLUM ISLAND ANIMAL DISEASE CENTER, DEPARTMENT OF AGRICULTURE. 
(a) In General.--In accordance with title XV, the Secretary of Agriculture shall transfer to the Secretary of Homeland Security the Plum Island Animal Disease Center of the Department of Agriculture, including the assets and liabilities of the Center. (b) Continued Department of Agriculture Access.--On completion of the transfer of the Plum Island Animal Disease Center under subsection (a), the Secretary of Homeland Security and the Secretary of Agriculture shall enter into an agreement to ensure that the Department of Agriculture is able to carry out research, diagnostic, and other activities of the Department of Agriculture at the Center. (c) Direction of Activities.--The Secretary of Agriculture shall continue to direct the research, diagnostic, and other activities of the Department of Agriculture at the Center described in subsection (b). (d) Notification.-- (1) In general.--At least 180 days before any change in the biosafety level at the Plum Island Animal Disease Center, the President shall notify Congress of the change and describe the reasons for the change. (2) Limitation.--No change described in paragraph (1) may be made earlier than 180 days after the completion of the transition period (as defined in section 1501). SEC. 311. HOMELAND SECURITY SCIENCE AND TECHNOLOGY ADVISORY COMMITTEE. (a) Establishment.--There is established within the Department a Homeland Security Science and Technology Advisory Committee (in this section referred to as the "Advisory Committee"). The Advisory Committee shall make recommendations with respect to the activities of the Under Secretary for Science and Technology, including identifying research areas of potential importance to the security of the Nation. 
(b) Membership.-- (1) Appointment.--The Advisory Committee shall consist of 20 members appointed by the Under Secretary for Science and Technology, which shall include emergency first-responders or representatives of organizations or associations of emergency first-responders. The Advisory Committee shall also include representatives of citizen groups, including economically disadvantaged communities. The individuals appointed as members of the Advisory Committee-- (A) shall be eminent in fields such as emergency response, research, engineering, new product development, business, and management consulting; (B) shall be selected solely on the basis of established records of distinguished service; (C) shall not be employees of the Federal Government; and (D) shall be so selected as to provide representation of a cross-section of the research, development, demonstration, and deployment activities supported by the Under Secretary for Science and Technology. (2) National research council.--The Under Secretary for Science and Technology may enter into an arrangement for the National Research Council to select members of the Advisory Committee, but only if the panel used by the National Research Council reflects the representation described in paragraph (1). (c) Terms of Office.-- (1) In general.--Except as otherwise provided in this subsection, the term of office of each member of the Advisory Committee shall be 3 years. (2) Original appointments.--The original members of the Advisory Committee shall be appointed to three classes of three members each. One class shall have a term of 1 year, 1 a term of 2 years, and the other a term of 3 years. (3) Vacancies.--A member appointed to fill a vacancy occurring before the expiration of the term for which the member's predecessor was appointed shall be appointed for the remainder of such term. 
(d) Eligibility.--A person who has completed two consecutive full terms of service on the Advisory Committee shall thereafter be ineligible for appointment during the 1-year period following the expiration of the second such term. (e) Meetings.--The Advisory Committee shall meet at least quarterly at the call of the Chair or whenever one-third of the members so request in writing. Each member shall be given appropriate notice of the call of each meeting, whenever possible not less than 15 days before the meeting. (f) Quorum.--A majority of the members of the Advisory Committee not having a conflict of interest in the matter being considered by the Advisory Committee shall constitute a quorum. (g) Conflict of Interest Rules.--The Advisory Committee shall establish rules for determining when 1 of its members has a conflict of interest in a matter being considered by the Advisory Committee. (h) Reports.-- (1) Annual report.--The Advisory Committee shall render an annual report to the Under Secretary for Science and Technology for transmittal to Congress on or before January 31 of each year. Such report shall describe the activities and recommendations of the Advisory Committee during the previous year. (2) Additional reports.--The Advisory Committee may render to the Under Secretary for transmittal to Congress such additional reports on specific policy matters as it considers appropriate. (i) FACA Exemption.--Section 14 of the Federal Advisory Committee Act shall not apply to the Advisory Committee. (j) Termination.--The Department of Homeland Security Science and Technology Advisory Committee shall terminate 3 years after the effective date of this Act. SEC. 312. HOMELAND SECURITY INSTITUTE. (a) Establishment.--The Secretary shall establish a federally funded research and development center to be known as the "Homeland Security Institute" (in this section referred to as the "Institute"). 
(b) Administration.--The Institute shall be administered as a separate entity by the Secretary. (c) Duties.--The duties of the Institute shall be determined by the Secretary, and may include the following: (1) Systems analysis, risk analysis, and simulation and modeling to determine the vulnerabilities of the Nation's critical infrastructures and the effectiveness of the systems deployed to reduce those vulnerabilities. (2) Economic and policy analysis to assess the distributed costs and benefits of alternative approaches to enhancing security. (3) Evaluation of the effectiveness of measures deployed to enhance the security of institutions, facilities, and infrastructure that may be terrorist targets. (4) Identification of instances when common standards and protocols could improve the interoperability and effective utilization of tools developed for field operators and first responders. (5) Assistance for Federal agencies and departments in establishing testbeds to evaluate the effectiveness of technologies under development and to assess the appropriateness of such technologies for deployment. (6) Design of metrics and use of those metrics to evaluate the effectiveness of homeland security programs throughout the Federal Government, including all national laboratories. (7) Design of and support for the conduct of homeland security-related exercises and simulations. (8) Creation of strategic technology development plans to reduce vulnerabilities in the Nation's critical infrastructure and key resources. (d) Consultation on Institute Activities.--In carrying out the duties described in subsection (c), the Institute shall consult widely with representatives from private industry, institutions of higher education, nonprofit institutions, other Government agencies, and federally funded research and development centers. (e) Use of Centers.--The Institute shall utilize the capabilities of the National Infrastructure Simulation and Analysis Center. 
(f) Annual Reports.--The Institute shall transmit to the Secretary and Congress an annual report on the activities of the Institute under this section. (g) Termination.--The Homeland Security Institute shall terminate 3 years after the effective date of this Act. SEC. 313. TECHNOLOGY CLEARINGHOUSE TO ENCOURAGE AND SUPPORT INNOVATIVE SOLUTIONS TO ENHANCE HOMELAND SECURITY. (a) Establishment of Program.--The Secretary, acting through the Under Secretary for Science and Technology, shall establish and promote a program to encourage technological innovation in facilitating the mission of the Department (as described in section 101). (b) Elements of Program.--The program described in subsection (a) shall include the following components: (1) The establishment of a centralized Federal clearinghouse for information relating to technologies that would further the mission of the Department for dissemination, as appropriate, to Federal, State, and local government and private sector entities for additional review, purchase, or use. (2) The issuance of announcements seeking unique and innovative technologies to advance the mission of the Department. (3) The establishment of a technical assistance team to assist in screening, as appropriate, proposals submitted to the Secretary (except as provided in subsection (c)(2)) to assess the feasibility, scientific and technical merits, and estimated cost of such proposals, as appropriate. (4) The provision of guidance, recommendations, and technical assistance, as appropriate, to assist Federal, State, and local government and private sector efforts to evaluate and implement the use of technologies described in paragraph (1) or (2). (5) The provision of information for persons seeking guidance on how to pursue proposals to develop or deploy technologies that would enhance homeland security, including information relating to Federal funding, regulation, or acquisition. 
(c) Miscellaneous Provisions.-- (1) In general.--Nothing in this section shall be construed as authorizing the Secretary or the technical assistance team established under subsection (b)(3) to set standards for technology to be used by the Department, any other executive agency, any State or local government entity, or any private sector entity. (2) Certain proposals.--The technical assistance team established under subsection (b)(3) shall not consider or evaluate proposals submitted in response to a solicitation for offers for a pending procurement or for a specific agency requirement. (3) Coordination.--In carrying out this section, the Secretary shall coordinate with the Technical Support Working Group (organized under the April 1982 National Security Decision Directive Numbered 30). [...] SEC. 880. PROHIBITION OF THE TERRORISM INFORMATION AND PREVENTION SYSTEM. Any and all activities of the Federal Government to implement the proposed component program of the Citizen Corps known as Operation TIPS (Terrorism Information and Prevention System) are hereby prohibited. [...] SEC. 886. SENSE OF CONGRESS REAFFIRMING THE CONTINUED IMPORTANCE AND APPLICABILITY OF THE POSSE COMITATUS ACT. (a) Findings.--Congress finds the following: (1) Section 1385 of title 18, United States Code (commonly known as the "Posse Comitatus Act"), prohibits the use of the Armed Forces as a posse comitatus to execute the laws except in cases and under circumstances expressly authorized by the Constitution or Act of Congress. (2) Enacted in 1878, the Posse Comitatus Act was expressly intended to prevent United States Marshals, on their own initiative, from calling on the Army for assistance in enforcing Federal law. (3) The Posse Comitatus Act has served the Nation well in limiting the use of the Armed Forces to enforce the law. 
(4) Nevertheless, by its express terms, the Posse Comitatus Act is not a complete barrier to the use of the Armed Forces for a range of domestic purposes, including law enforcement functions, when the use of the Armed Forces is authorized by Act of Congress or the President determines that the use of the Armed Forces is required to fulfill the President's obligations under the Constitution to respond promptly in time of war, insurrection, or other serious emergency. (5) Existing laws, including chapter 15 of title 10, United States Code (commonly known as the "Insurrection Act"), and the Robert T. Stafford Disaster Relief and Emergency Assistance Act (42 U.S.C. 5121 et seq.), grant the President broad powers that may be invoked in the event of domestic emergencies, including an attack against the Nation using weapons of mass destruction, and these laws specifically authorize the President to use the Armed Forces to help restore public order. (b) Sense of Congress.--Congress reaffirms the continued importance of section 1385 of title 18, United States Code, and it is the sense of Congress that nothing in this Act should be construed to alter the applicability of such section to any use of the Armed Forces as a posse comitatus to execute the laws. [...] Subtitle I--Information Sharing SEC. 891. SHORT TITLE; FINDINGS; AND SENSE OF CONGRESS. (a) Short Title.--This subtitle may be cited as the "Homeland Security Information Sharing Act". (b) Findings.--Congress finds the following: (1) The Federal Government is required by the Constitution to provide for the common defense, which includes terrorist attack. (2) The Federal Government relies on State and local personnel to protect against terrorist attack. (3) The Federal Government collects, creates, manages, and protects classified and sensitive but unclassified information to enhance homeland security. 
(4) Some homeland security information is needed by the State and local personnel to prevent and prepare for terrorist attack. (5) The needs of State and local personnel to have access to relevant homeland security information to combat terrorism must be reconciled with the need to preserve the protected status of such information and to protect the sources and methods used to acquire such information. (6) Granting security clearances to certain State and local personnel is one way to facilitate the sharing of information regarding specific terrorist threats among Federal, State, and local levels of government. (7) Methods exist to declassify, redact, or otherwise adapt classified information so it may be shared with State and local personnel without the need for granting additional security clearances. (8) State and local personnel have capabilities and opportunities to gather information on suspicious activities and terrorist threats not possessed by Federal agencies. (9) The Federal Government and State and local governments and agencies in other jurisdictions may benefit from such information. (10) Federal, State, and local governments and intelligence, law enforcement, and other emergency preparation and response agencies must act in partnership to maximize the benefits of information gathering and analysis to prevent and respond to terrorist attacks. (11) Information systems, including the National Law Enforcement Telecommunications System and the Terrorist Threat Warning System, have been established for rapid sharing of classified and sensitive but unclassified information among Federal, State, and local entities. (12) Increased efforts to share homeland security information should avoid duplicating existing information systems. 
(c) Sense of Congress.--It is the sense of Congress that Federal, State, and local entities should share homeland security information to the maximum extent practicable, with special emphasis on hard-to-reach urban and rural communities. SEC. 892. FACILITATING HOMELAND SECURITY INFORMATION SHARING PROCEDURES. (a) Procedures for Determining Extent of Sharing of Homeland Security Information.-- (1) The President shall prescribe and implement procedures under which relevant Federal agencies-- (A) share relevant and appropriate homeland security information with other Federal agencies, including the Department, and appropriate State and local personnel; (B) identify and safeguard homeland security information that is sensitive but unclassified; and (C) to the extent such information is in classified form, determine whether, how, and to what extent to remove classified information, as appropriate, and with which such personnel it may be shared after such information is removed. (2) The President shall ensure that such procedures apply to all agencies of the Federal Government. (3) Such procedures shall not change the substantive requirements for the classification and safeguarding of classified information. (4) Such procedures shall not change the requirements and authorities to protect sources and methods. (b) Procedures for Sharing of Homeland Security Information.-- (1) Under procedures prescribed by the President, all appropriate agencies, including the intelligence community, shall, through information sharing systems, share homeland security information with Federal agencies and appropriate State and local personnel to the extent such information may be shared, as determined in accordance with subsection (a), together with assessments of the credibility of such information. 
(2) Each information sharing system through which information is shared under paragraph (1) shall-- (A) have the capability to transmit unclassified or classified information, though the procedures and recipients for each capability may differ; (B) have the capability to restrict delivery of information to specified subgroups by geographic location, type of organization, position of a recipient within an organization, or a recipient's need to know such information; (C) be configured to allow the efficient and effective sharing of information; and (D) be accessible to appropriate State and local personnel. (3) The procedures prescribed under paragraph (1) shall establish conditions on the use of information shared under paragraph (1)-- (A) to limit the redissemination of such information to ensure that such information is not used for an unauthorized purpose; (B) to ensure the security and confidentiality of such information; (C) to protect the constitutional and statutory rights of any individuals who are subjects of such information; and (D) to provide data integrity through the timely removal and destruction of obsolete or erroneous names and information. (4) The procedures prescribed under paragraph (1) shall ensure, to the greatest extent practicable, that the information sharing system through which information is shared under such paragraph include existing information sharing systems, including, but not limited to, the National Law Enforcement Telecommunications System, the Regional Information Sharing System, and the Terrorist Threat Warning System of the Federal Bureau of Investigation. (5) Each appropriate Federal agency, as determined by the President, shall have access to each information sharing system through which information is shared under paragraph (1), and shall therefore have access to all information, as appropriate, shared under such paragraph. 
(6) The procedures prescribed under paragraph (1) shall ensure that appropriate State and local personnel are authorized to use such information sharing systems-- (A) to access information shared with such personnel; and (B) to share, with others who have access to such information sharing systems, the homeland security information of their own jurisdictions, which shall be marked appropriately as pertaining to potential terrorist activity. (7) Under procedures prescribed jointly by the Director of Central Intelligence and the Attorney General, each appropriate Federal agency, as determined by the President, shall review and assess the information shared under paragraph (6) and integrate such information with existing intelligence. (c) Sharing of Classified Information and Sensitive but Unclassified Information With State and Local Personnel.-- (1) The President shall prescribe procedures under which Federal agencies may, to the extent the President considers necessary, share with appropriate State and local personnel homeland security information that remains classified or otherwise protected after the determinations prescribed under the procedures set forth in subsection (a). (2) It is the sense of Congress that such procedures may include 1 or more of the following means: (A) Carrying out security clearance investigations with respect to appropriate State and local personnel. (B) With respect to information that is sensitive but unclassified, entering into nondisclosure agreements with appropriate State and local personnel. (C) Increased use of information-sharing partnerships that include appropriate State and local personnel, such as the Joint Terrorism Task Forces of the Federal Bureau of Investigation, the Anti-Terrorism Task Forces of the Department of Justice, and regional Terrorism Early Warning Groups. 
(d) Responsible Officials.--For each affected Federal agency, the head of such agency shall designate an official to administer this Act with respect to such agency. (e) Federal Control of Information.--Under procedures prescribed under this section, information obtained by a State or local government from a Federal agency under this section shall remain under the control of the Federal agency, and a State or local law authorizing or requiring such a government to disclose information shall not apply to such information. (f) Definitions.--As used in this section: (1) The term "homeland security information" means any information possessed by a Federal, State, or local agency that-- (A) relates to the threat of terrorist activity; (B) relates to the ability to prevent, interdict, or disrupt terrorist activity; (C) would improve the identification or investigation of a suspected terrorist or terrorist organization; or (D) would improve the response to a terrorist act. (2) The term "intelligence community" has the meaning given such term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4)). (3) The term "State and local personnel" means any of the following persons involved in prevention, preparation, or response for terrorist attack: (A) State Governors, mayors, and other locally elected officials. (B) State and local law enforcement personnel and firefighters. (C) Public health and medical professionals. (D) Regional, State, and local emergency management agency personnel, including State adjutant generals. (E) Other appropriate emergency response agency personnel. (F) Employees of private-sector entities that affect critical infrastructure, cyber, economic, or public health security, as designated by the Federal government in procedures developed pursuant to this section. (4) The term "State" includes the District of Columbia and any commonwealth, territory, or possession of the United States. 
(g) Construction.--Nothing in this Act shall be construed as authorizing any department, bureau, agency, officer, or employee of the Federal Government to request, receive, or transmit to any other Government entity or personnel, or transmit to any State or local entity or personnel otherwise authorized by this Act to receive homeland security information, any information collected by the Federal Government solely for statistical purposes in violation of any other provision of law relating to the confidentiality of such information. SEC. 893. REPORT. (a) Report Required.--Not later than 12 months after the date of the enactment of this Act, the President shall submit to the congressional committees specified in subsection (b) a report on the implementation of section 892. The report shall include any recommendations for additional measures or appropriation requests, beyond the requirements of section 892, to increase the effectiveness of sharing of information between and among Federal, State, and local entities. (b) Specified Congressional Committees.--The congressional committees referred to in subsection (a) are the following committees: (1) The Permanent Select Committee on Intelligence and the Committee on the Judiciary of the House of Representatives. (2) The Select Committee on Intelligence and the Committee on the Judiciary of the Senate. SEC. 894. AUTHORIZATION OF APPROPRIATIONS. There are authorized to be appropriated such sums as may be necessary to carry out section 892. SEC. 895. AUTHORITY TO SHARE GRAND JURY INFORMATION. 
Rule 6(e) of the Federal Rules of Criminal Procedure is amended-- (1) in paragraph (2), by inserting ", or of guidelines jointly issued by the Attorney General and Director of Central Intelligence pursuant to Rule 6," after "Rule 6"; and (2) in paragraph (3)-- (A) in subparagraph (A)(ii), by inserting "or of a foreign government" after "(including personnel of a state or subdivision of a state"; (B) in subparagraph (C)(i)-- (i) in subclause (I), by inserting before the semicolon the following: "or, upon a request by an attorney for the government, when sought by a foreign court or prosecutor for use in an official criminal investigation"; (ii) in subclause (IV)-- (I) by inserting "or foreign" after "may disclose a violation of State"; (II) by inserting "or of a foreign government" after "to an appropriate official of a State or subdivision of a State"; and (III) by striking "or" at the end; (iii) by striking the period at the end of subclause (V) and inserting "; or"; and (iv) by adding at the end the following: "(VI) when matters involve a threat of actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power, domestic or international sabotage, domestic or international terrorism, or clandestine intelligence gathering activities by an intelligence service or network of a foreign power or by an agent of a foreign power, within the United States or elsewhere, to any appropriate federal, state, local, or foreign government official for the purpose of preventing or responding to such a threat."; and (C) in subparagraph (C)(iii)-- (i) by striking "Federal"; (ii) by inserting "or clause (i)(VI)" after "clause (i)(V)"; and (iii) by adding at the end the following: "Any state, local, or foreign official who receives information pursuant to clause (i)(VI) shall use that information only consistent with such guidelines as the Attorney General and Director of Central Intelligence shall jointly issue.". SEC. 896. 
AUTHORITY TO SHARE ELECTRONIC, WIRE, AND ORAL INTERCEPTION INFORMATION. Section 2517 of title 18, United States Code, is amended by adding at the end the following: "(7) Any investigative or law enforcement officer, or other Federal official in carrying out official duties as such Federal official, who by any means authorized by this chapter, has obtained knowledge of the contents of any wire, oral, or electronic communication, or evidence derived therefrom, may disclose such contents or derivative evidence to a foreign investigative or law enforcement officer to the extent that such disclosure is appropriate to the proper performance of the official duties of the officer making or receiving the disclosure, and foreign investigative or law enforcement officers may use or disclose such contents or derivative evidence to the extent such use or disclosure is appropriate to the proper performance of their official duties. "(8) Any investigative or law enforcement officer, or other Federal official in carrying out official duties as such Federal official, who by any means authorized by this chapter, has obtained knowledge of the contents of any wire, oral, or electronic communication, or evidence derived therefrom, may disclose such contents or derivative evidence to any appropriate Federal, State, local, or foreign government official to the extent that such contents or derivative evidence reveals a threat of actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power, domestic or international sabotage, domestic or international terrorism, or clandestine intelligence gathering activities by an intelligence service or network of a foreign power or by an agent of a foreign power, within the United States or elsewhere, for the purpose of preventing or responding to such a threat. 
Any official who receives information pursuant to this provision may use that information only as necessary in the conduct of that person's official duties subject to any limitations on the unauthorized disclosure of such information, and any State, local, or foreign official who receives information pursuant to this provision may use that information only consistent with such guidelines as the Attorney General and Director of Central Intelligence shall jointly issue.". SEC. 897. FOREIGN INTELLIGENCE INFORMATION. (a) Dissemination Authorized.--Section 203(d)(1) of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001 (Public Law 107-56; 50 U.S.C. 403-5d) is amended by adding at the end the following: "Consistent with the responsibility of the Director of Central Intelligence to protect intelligence sources and methods, and the responsibility of the Attorney General to protect sensitive law enforcement information, it shall be lawful for information revealing a threat of actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power, domestic or international sabotage, domestic or international terrorism, or clandestine intelligence gathering activities by an intelligence service or network of a foreign power or by an agent of a foreign power, within the United States or elsewhere, obtained as part of a criminal investigation to be disclosed to any appropriate Federal, State, local, or foreign government official for the purpose of preventing or responding to such a threat. 
Any official who receives information pursuant to this provision may use that information only as necessary in the conduct of that person's official duties subject to any limitations on the unauthorized disclosure of such information, and any State, local, or foreign official who receives information pursuant to this provision may use that information only consistent with such guidelines as the Attorney General and Director of Central Intelligence shall jointly issue.". (b) Conforming Amendments.--Section 203(c) of that Act is amended-- (1) by striking "section 2517(6)" and inserting "paragraphs (6) and (8) of section 2517 of title 18, United States Code,"; and (2) by inserting "and (VI)" after "Rule 6(e)(3)(C)(i)(V)". SEC. 898. INFORMATION ACQUIRED FROM AN ELECTRONIC SURVEILLANCE. Section 106(k)(1) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1806) is amended by inserting after "law enforcement officers" the following: "or law enforcement personnel of a State or political subdivision of a State (including the chief executive officer of that State or political subdivision who has the authority to appoint or direct the chief law enforcement officer of that State or political subdivision)". SEC. 899. INFORMATION ACQUIRED FROM A PHYSICAL SEARCH. Section 305(k)(1) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1825) is amended by inserting after "law enforcement officers" the following: "or law enforcement personnel of a State or political subdivision of a State (including the chief executive officer of that State or political subdivision who has the authority to appoint or direct the chief law enforcement officer of that State or political subdivision)". [...] TITLE X--INFORMATION SECURITY SEC. 1001. INFORMATION SECURITY. (a) Short Title.--This title may be cited as the "Federal Information Security Management Act of 2002". 
(b) Information Security.-- (1) In general.--Subchapter II of chapter 35 of title 44, United States Code, is amended to read as follows: "SUBCHAPTER II--INFORMATION SECURITY "Sec. 3531. Purposes "The purposes of this subchapter are to-- "(1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets; "(2) recognize the highly networked nature of the current Federal computing environment and provide effective governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities; "(3) provide for development and maintenance of minimum controls required to protect Federal information and information systems; "(4) provide a mechanism for improved oversight of Federal agency information security programs; "(5) acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the nation that are designed, built, and operated by the private sector; and "(6) recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.". "Sec. 3532. Definitions "(a) In General.--Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter. 
"(b) Additional Definitions.--As used in this subchapter-- "(1) the term `information security' means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide-- "(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; "(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; "(C) availability, which means ensuring timely and reliable access to and use of information; and "(D) authentication, which means utilizing digital credentials to assure the identity of users and validate their access; "(2) the term `national security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency, the function, operation, or use of which-- "(A) involves intelligence activities; "(B) involves cryptologic activities related to national security; "(C) involves command and control of military forces; "(D) involves equipment that is an integral part of a weapon or weapons system; or "(E) is critical to the direct fulfillment of military or intelligence missions provided that this definition does not apply to a system that is used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications); "(3) the term `information technology' has the meaning given that term in section 11101 of title 40; and "(4) the term `information system' means any equipment or interconnected system or subsystems of equipment that is used in the [[Page H8683]] automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or 
information, and includes-- "(A) computers and computer networks; "(B) ancillary equipment; "(C) software, firmware, and related procedures; "(D) services, including support services; and "(E) related resources.". "Sec. 3533. Authority and functions of the Director "(a) The Director shall oversee agency information security policies and practices, by-- "(1) promulgating information security standards under section 11331 of title 40; "(2) overseeing the implementation of policies, principles, standards, and guidelines on information security; "(3) requiring agencies, consistent with the standards promulgated under such section 11331 and the requirements of this subchapter, to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of-- "(A) information collected or maintained by or on behalf of an agency; or "(B) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; "(4) coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 
278g-3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems; "(5) overseeing agency compliance with the requirements of this subchapter, including through any authorized action under section 11303(b)(5) of title 40, to enforce accountability for compliance with such requirements; "(6) reviewing at least annually, and approving or disapproving, agency information security programs required under section 3534(b); "(7) coordinating information security policies and procedures with related information resources management policies and procedures; and "(8) reporting to Congress no later than March 1 of each year on agency compliance with the requirements of this subchapter, including-- "(A) a summary of the findings of evaluations required by section 3535; "(B) significant deficiencies in agency information security practices; "(C) planned remedial action to address such deficiencies; and "(D) a summary of, and the views of the Director on, the report prepared by the National Institute of Standards and Technology under section 20(e)(7) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3).". "(b) Except for the authorities described in paragraphs (4) and (7) of subsection (a), the authorities of the Director under this section shall not apply to national security systems. "Sec. 3534. 
Federal agency responsibilities "(a) The head of each agency shall-- "(1) be responsible for-- "(A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of-- "(i) information collected or maintained by or on behalf of the agency; and "(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; "(B) complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including-- "(i) information security standards promulgated by the Director under section 11331 of title 40; and "(ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; and "(C) ensuring that information security management processes are integrated with agency strategic and operational planning processes; "(2) ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control, including through-- "(A) assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems; "(B) determining the levels of information security appropriate to protect such information and information systems in accordance with standards promulgated under section 11331 of title 40 for information security classifications and related requirements; "(C) implementing policies and procedures to cost-effectively reduce risks to an acceptable level; and "(D) periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented; "(3) delegate to the agency Chief Information Officer established under section 3506 (or 
comparable official in an agency not covered by such section) the authority to ensure compliance with the requirements imposed on the agency under this subchapter, including-- "(A) designating a senior agency information security officer who shall-- "(i) carry out the Chief Information Officer's responsibilities under this section; "(ii) possess professional qualifications, including training and experience, required to administer the functions described under this section; "(iii) have information security duties as that official's primary duty; and "(iv) head an office with the mission and resources to assist in ensuring agency compliance with this section; "(B) developing and maintaining an agencywide information security program as required by subsection (b); "(C) developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements, including those issued under section 3533 of this title, and section 11331 of title 40; "(D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and "(E) assisting senior agency officials concerning their responsibilities under paragraph (2); "(4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines; and "(5) ensure that the agency Chief Information Officer, in coordination with other senior agency officials, reports annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions. 
"(b) Each agency shall develop, document, and implement an agencywide information security program, approved by the Director under section 3533(a)(5), to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes-- "(1) periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency; "(2) policies and procedures that-- "(A) are based on the risk assessments required by paragraph (1); "(B) cost-effectively reduce information security risks to an acceptable level; "(C) ensure that information security is addressed throughout the life cycle of each agency information system; and "(D) ensure compliance with-- "(i) the requirements of this subchapter; "(ii) policies and procedures as may be prescribed by the Director, and information security standards promulgated under section 11331 of title 40; "(iii) minimally acceptable system configuration requirements, as determined by the agency; and "(iv) any other applicable requirements, including standards and guidelines for national security systems issued in accordance with law and as directed by the President; "(3) subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate; "(4) security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of-- "(A) information security risks associated with their activities; and "(B) their responsibilities in complying with agency policies and procedures designed to reduce these risks; "(5) periodic testing and evaluation of the effectiveness of 
information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually, of which such testing-- "(A) shall include testing of management, operational, and technical controls of every information system identified in the inventory required under section 3505(c); and "(B) may include testing relied on in a evaluation under section 3535; "(6) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency; "(7) procedures for detecting, reporting, and responding to security incidents, including-- "(A) mitigating risks associated with such incidents before substantial damage is done; and "(B) notifying and consulting with, as appropriate-- "(i) law enforcement agencies and relevant Offices of Inspector General; "(ii) an office designated by the President for any incident involving a national security system; and "(iii) any other agency or office, in accordance with law or as directed by the President; and "(8) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency. 
"(c) Each agency shall-- "(1) report annually to the Director, the Committees on Government Reform and Science of the House of Representatives, the Committees on Governmental Affairs and Commerce, Science, and Transportation of the Senate, the appropriate authorization and appropriations committees of Congress, and the Comptroller General on the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of this subchapter, including compliance with each requirement of subsection (b); "(2) address the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to-- "(A) annual agency budgets; "(B) information resources management under subchapter 1 of this chapter; "(C) information technology management under subtitle III of title 40; "(D) program performance under sections 1105 and 1115 through 1119 of title 31, and sections 2801 and 2805 of title 39; "(E) financial management under chapter 9 of title 31, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101-576) (and the amendments made by that Act); "(F) financial management systems under the Federal Financial Management Improvement Act (31 U.S.C. 3512 note); and "(G) internal accounting and administrative controls under section 3512 of title 31, United States Code, (known as the `Federal Managers Financial Integrity Act'); and "(3) report any significant deficiency in a policy, procedure, or practice identified under paragraph (1) or (2)-- "(A) as a material weakness in reporting under section 3512 of title 31; and "(B) if relating to financial management systems, as an instance of a lack of substantial compliance under the Federal Financial Management Improvement Act (31 U.S.C. 3512 note). 
"(d)(1) In addition to the requirements of subsection (c), each agency, in consultation with the Director, shall include as part of the performance plan required under section 1115 of title 31 a description of-- "(A) the time periods, and "(B) the resources, including budget, staffing, and training, that are necessary to implement the program required under subsection (b). "(2) The description under paragraph (1) shall be based on the risk assessments required under subsection (b)(2)(1). "(e) Each agency shall provide the public with timely notice and opportunities for comment on proposed information security policies and procedures to the extent that such policies and procedures affect communication with the public. "Sec. 3535. Annual independent evaluation "(a)(1) Each year each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices. "(2) Each evaluation by an agency under this section shall include-- "(A) testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency's information systems; "(B) an assessment (made on the basis of the results of the testing) of compliance with-- "(i) the requirements of this subchapter; and "(ii) related information security policies, procedures, standards, and guidelines; and "(C) separate presentations, as appropriate, regarding information security relating to national security systems. 
"(b) Subject to subsection (c)-- "(1) for each agency with an Inspector General appointed under the Inspector General Act of 1978, the annual evaluation required by this section shall be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General of the agency; and "(2) for each agency to which paragraph (1) does not apply, the head of the agency shall engage an independent external auditor to perform the evaluation. "(c) For each agency operating or exercising control of a national security system, that portion of the evaluation required by this section directly relating to a national security system shall be performed-- "(1) only by an entity designated by the agency head; and "(2) in such a manner as to ensure appropriate protection for information associated with any information security vulnerability in such system commensurate with the risk and in accordance with all applicable laws. "(d) The evaluation required by this section-- "(1) shall be performed in accordance with generally accepted government auditing standards; and "(2) may be based in whole or in part on an audit, evaluation, or report relating to programs or practices of the applicable agency. "(e) Each year, not later than such date established by the Director, the head of each agency shall submit to the Director the results of the evaluation required under this section. "(f) Agencies and evaluators shall take appropriate steps to ensure the protection of information which, if disclosed, may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws and regulations. "(g)(1) The Director shall summarize the results of the evaluations conducted under this section in the report to Congress required under section 3533(a)(8). 
"(2) The Director's report to Congress under this subsection shall summarize information regarding information security relating to national security systems in such a manner as to ensure appropriate protection for information associated with any information security vulnerability in such system commensurate with the risk and in accordance with all applicable laws. "(3) Evaluations and any other descriptions of information systems under the authority and control of the Director of Central Intelligence or of National Foreign Intelligence Programs systems under the authority and control of the Secretary of Defense shall be made available to Congress only through the appropriate oversight committees of Congress, in accordance with applicable laws. "(h) The Comptroller General shall periodically evaluate and report to Congress on-- "(1) the adequacy and effectiveness of agency information security policies and practices; and "(2) implementation of the requirements of this subchapter. "Sec. 3536. National security systems "The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency-- "(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; "(2) implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President; and "(3) complies with the requirements of this subchapter. "Sec. 3537. Authorization of appropriations "There are authorized to be appropriated to carry out the provisions of this subchapter such sums as may be necessary for each of fiscal years 2003 through 2007. "Sec. 3538. 
Effect on existing law "Nothing in this subchapter, section 11331 of title 40, or section 20 of the National Standards and Technology Act (15 U.S.C. 278g-3) may be construed as affecting the authority of the President, the Office of Management and Budget or the Director thereof, the National Institute of Standards and Technology, or the head of any agency, with respect to the authorized use or disclosure of information, including with regard to the protection of personal privacy under section 552a of title 5, the disclosure of information under section 552 of title 5, the management and disposition of records under chapters 29, 31, or 33 of title 44, the management of information resources under subchapter I of chapter 35 of this title, or the disclosure of information to Congress or the Comptroller General of the United States.". (2) Clerical amendment.--The items in the table of sections at the beginning of such chapter 35 under the heading "SUBCHAPTER II" are amended to read as follows: "3531. Purposes. "3532. Definitions. "3533. Authority and functions of the Director. "3534. Federal agency responsibilities. "3535. Annual independent evaluation. "3536. National security systems. "3537. Authorization of appropriations. "3538. Effect on existing law.". (c) Information Security Responsibilities of Certain Agencies.-- (1) National security responsibilities.--(A) Nothing in this Act (including any amendment made by this Act) shall supersede any authority of the Secretary of Defense, the Director of Central Intelligence, or other agency head, as authorized by law and as directed by the President, with regard to the operation, control, or management of national security systems, as defined by section 3532(3) of title 44, United States Code. 
(B) Section 2224 of title 10, United States Code, is amended-- (i) in subsection 2224(b), by striking "(b) Objectives and Minimum Requirements.--(1)" and inserting "(b) Objectives of the Program.--"; (ii) in subsection 2224(b), by striking "(2) the program shall at a minimum meet the requirements of section 3534 and 3535 of title 44, United States Code."; and (iii) in subsection 2224(c), by inserting ", including through compliance with subtitle II of chapter 35 of title 44" after "infrastructure". (2) Atomic energy act of 1954.--Nothing in this Act shall supersede any requirement made by or under the Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.). Restricted Data or Formerly Restricted Data shall be handled, protected, classified, downgraded, and declassified in conformity with the Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.). SEC. 1002. MANAGEMENT OF INFORMATION TECHNOLOGY. (a) In General.--Section 11331 of title 40, United States Code, is amended to read as follows: "Sec. 11331. Responsibilities for Federal information systems standards "(a) Definition.--In this section, the term `information security' has the meaning given that term in section 3532(b)(1) of title 44. "(b) Requirement to Prescribe Standards.-- "(1) In general.-- "(A) Requirement.--Except as provided under paragraph (2), the Director of the Office of Management and Budget shall, on the basis of proposed standards developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)) and in consultation with the Secretary of Homeland Security, promulgate information security standards pertaining to Federal information systems. 
"(B) Required standards.--Standards promulgated under subparagraph (A) shall include-- "(i) standards that provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)); and "(ii) such standards that are otherwise necessary to improve the efficiency of operation or security of Federal information systems. "(C) Required standards binding.--Information security standards described under subparagraph (B) shall be compulsory and binding. "(2) Standards and guidelines for national security systems.--Standards and guidelines for national security systems, as defined under section 3532(3) of title 44, shall be developed, promulgated, enforced, and overseen as otherwise authorized by law and as directed by the President. "(c) Application of More Stringent Standards.--The head of an agency may employ standards for the cost-effective information security for all operations and assets within or under the supervision of that agency that are more stringent than the standards promulgated by the Director under this section, if such standards-- "(1) contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Director; and "(2) are otherwise consistent with policies and guidelines issued under section 3533 of title 44. "(d) Requirements Regarding Decisions by Director.-- "(1) Deadline.--The decision regarding the promulgation of any standard by the Director under subsection (b) shall occur not later than 6 months after the submission of the proposed standard to the Director by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3). 
"(2) Notice and comment.--A decision by the Director to significantly modify, or not promulgate, a proposed standard submitted to the Director by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), shall be made after the public is given an opportunity to comment on the Director's proposed decision.". (b) Clerical Amendment.--The table of sections at the beginning of chapter 113 of title 40, United States Code, is amended by striking the item relating to section 11331 and inserting the following: "11331. Responsibilities for Federal information systems standards.". SEC. 1003. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY. Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), is amended by striking the text and inserting the following: "(a) The Institute shall-- "(1) have the mission of developing standards, guidelines, and associated methods and techniques for information systems; "(2) develop standards and guidelines, including minimum requirements, for information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency, other than national security systems (as defined in section 3532(b)(2) of title 44, United States Code); "(3) develop standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems; and "(4) carry out the responsibilities described in paragraph (3) through the Computer Security Division. 
"(b) The standards and guidelines required by subsection (a) shall include, at a minimum-- "(1)(A) standards to be used by all agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels; "(B) guidelines recommending the types of information and information systems to be included in each such category; and "(C) minimum information security requirements for information and information systems in each such category; "(2) a definition of and guidelines concerning detection and handling of information security incidents; and "(3) guidelines developed in coordination with the National Security Agency for identifying an information system as a national security system consistent with applicable requirements for national security systems, issued in accordance with law and as directed by the President. "(c) In developing standards and guidelines required by subsections (a) and (b), the Institute shall-- "(1) consult with other agencies and offices (including, but not limited to, the Director of the Office of Management and Budget, the Departments of Defense and Energy, the National Security Agency, the General Accounting Office, and the Secretary of Homeland Security) to assure-- "(A) use of appropriate information security policies, procedures, and techniques, in order to improve information security and avoid unnecessary and costly duplication of effort; and "(B) that such standards and guidelines are complementary with standards and guidelines employed for the protection of national security systems and information contained in such systems; "(2) provide the public with an opportunity to comment on proposed standards and guidelines; "(3) submit to the Director of the Office of Management and Budget for promulgation under section 11331 of title 40, United States Code-- "(A) standards, as required 
under subsection (b)(1)(A), no later than 12 months after the date of the enactment of this section; and "(B) minimum information security requirements for each category, as required under subsection (b)(1)(C), no later than 36 months after the date of the enactment of this section; "(4) issue guidelines as required under subsection (b)(1)(B), no later than 18 months after the date of the enactment of this Act; "(5) ensure that such standards and guidelines do not require specific technological solutions or products, including any specific hardware or software security solutions; "(6) ensure that such standards and guidelines provide for sufficient flexibility to permit alternative solutions to provide equivalent levels of protection for identified information security risks; and "(7) use flexible, performance-based standards and guidelines that, to the greatest extent possible, permit the use of off-the-shelf commercially developed information security products. "(d) The Institute shall-- "(1) submit standards developed pursuant to subsection (a), along with recommendations as to the extent to which these should be made compulsory and binding, to the Director of the Office of Management and Budget for promulgation under section 11331 of title 40, United States Code; "(2) provide assistance to agencies regarding-- "(A) compliance with the standards and guidelines developed under subsection (a); "(B) detecting and handling information security incidents; and "(C) information security policies, procedures, and practices; "(3) conduct research, as needed, to determine the nature and extent of information security vulnerabilities and techniques for providing cost-effective information security; "(4) develop and periodically revise performance indicators and measures for agency information security policies and practices; "(5) evaluate private sector information security policies and practices and commercially available information technologies to assess potential 
application by agencies to strengthen information security; "(6) evaluate security policies and practices developed for national security systems to assess potential application by agencies to strengthen information security; "(7) periodically assess the effectiveness of standards and guidelines developed under this section and undertake revisions as appropriate; "(8) solicit and consider the recommendations of the Information Security and Privacy Advisory Board, established by section 21, regarding standards and guidelines developed under subsection (a) and submit such recommendations to the Director of the Office of Management and Budget with such standards submitted to the Director; and "(9) prepare an annual public report on activities undertaken in the previous year, and planned for the coming year, to carry out responsibilities under this section. "(e) As used in this section-- "(1) the term `agency' has the same meaning as provided in section 3502(1) of title 44, United States Code; "(2) the term `information security' has the same meaning as provided in section 3532(1) of such title; "(3) the term `information system' has the same meaning as provided in section 3502(8) of such title; "(4) the term `information technology' has the same meaning as provided in section 11101 of title 40, United States Code; and "(5) the term `national security system' has the same meaning as provided in section 3532(b)(2) of such title.". SEC. 1004. INFORMATION SECURITY AND PRIVACY ADVISORY BOARD. Section 21 of the National Institute of Standards and Technology Act (15 U.S.C.
278g-4), is amended-- (1) in subsection (a), by striking "Computer System Security and Privacy Advisory Board" and inserting "Information Security and Privacy Advisory Board"; (2) in subsection (a)(1), by striking "computer or telecommunications" and inserting "information technology"; (3) in subsection (a)(2)-- (A) by striking "computer or telecommunications technology" and inserting "information technology"; and (B) by striking "computer or telecommunications equipment" and inserting "information technology"; (4) in subsection (a)(3)-- (A) by striking "computer systems" and inserting "information system"; and (B) by striking "computer systems security" and inserting "information security"; (5) in subsection (b)(1) by striking "computer systems security" and inserting "information security"; (6) in subsection (b) by striking paragraph (2) and inserting the following: "(2) to advise the Institute and the Director of the Office of Management and Budget on information security and privacy issues pertaining to Federal Government information systems, including through review of proposed standards and guidelines developed under section 20; and"; (7) in subsection (b)(3) by inserting "annually" after "report"; (8) by inserting after subsection (e) the following new subsection: "(f) The Board shall hold meetings at such locations and at such time and place as determined by a majority of the Board."; (9) by redesignating subsections (f) and (g) as subsections (g) and (h), respectively; and (10) by striking subsection (h), as redesignated by paragraph (9), and inserting the following: "(h) As used in this section, the terms "information system" and "information technology" have the meanings given in section 20.". SEC. 1005. TECHNICAL AND CONFORMING AMENDMENTS. (a) Federal Computer System Security Training and Plan.-- (1) Repeal.--Section 11332 of title 40, United States Code, is repealed. 
(2) Clerical amendment.--The table of sections at the beginning of chapter 113 of title 40, United States Code, as amended by striking the item relating to section 11332. (b) Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001.--The Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001 (Public Law 106-398) is amended by striking subtitle G of title X (44 U.S.C. 3531 note). (c) Paperwork Reduction Act.--(1) Section 3504(g) of title 44, United States Code, is amended-- (A) by adding "and" at the end of paragraph (1); (B) in paragraph (2)-- (i) by striking "sections 11331 and 11332(b) and (c) of title 40" and inserting "section 11331 of title 40 and subchapter II of this title"; and (ii) by striking the semicolon and inserting a period; and (C) by striking paragraph (3). (2) Section 3505 of such title is amended by adding at the end the following: "(c) Inventory of Information Systems.--(1) The head of each agency shall develop and maintain an inventory of the information systems (including national security systems) operated by or under the control of such agency; "(2) The identification of information systems in an inventory under this subsection shall include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency; "(3) Such inventory shall be-- "(A) updated at least annually; "(B) made available to the Comptroller General; and "(C) used to support information resources management, including-- "(i) preparation and maintenance of the inventory of information resources under section 3506(b)(4); "(ii) information technology planning, budgeting, acquisition, and management under section 3506(h), subtitle III of title 40, and related laws and guidance; "(iii) monitoring, testing, and evaluation of information security controls under subchapter II; "(iv) preparation of the index of major information systems required under 
section 552(g) of title 5, United States Code; and "(v) preparation of information system inventories required for records management under chapters 21, 29, 31, and 33. "(4) The Director shall issue guidance for and oversee the implementation of the requirements of this subsection.". (3) Section 3506(g) of such title is amended-- (A) by adding "and" at the end of paragraph (1); (B) in paragraph (2)-- (i) by striking "section 11332 of title 40" and inserting "subchapter II of this chapter"; and (ii) by striking "; and" and inserting a period; and (C) by striking paragraph (3). SEC. 1006. CONSTRUCTION. Nothing in this Act, or the amendments made by this Act, affects the authority of the National Institute of Standards and Technology or the Department of Commerce relating to the development and promulgation of standards or guidelines under paragraphs (1) and (2) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)). [...]