IB

Union Calendar No. 311

112TH CONGRESS 2D SESSION

H. R. 3523
[Report No. 112445]

To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

NOVEMBER 30, 2011 Mr. ROGERS of Michigan (for himself, Mr. RUPPERSBERGER, Mr. KING of New York, Mr. UPTON, Mrs. MYRICK, Mr. LANGEVIN, Mr. CONAWAY, Mr. MILLER of Florida, Mr. BOREN, Mr. LOBIONDO, Mr. CHANDLER, Mr. NUNES, Mr. GUTIERREZ, Mr. WESTMORELAND, Mrs. BACHMANN, Mr. ROONEY, Mr. HECK, Mr. DICKS, Mr. MCCAUL, Mr. WALDEN, Mr. CALVERT, Mr. SHIMKUS, Mr. TERRY, Mr. BURGESS, Mr. GINGREY of Georgia, Mr. THOMPSON of California, Mr. KINZINGER of Illinois, Mr. AMODEI, and Mr. POMPEO) introduced the following bill; which was referred to the Select Committee on Intelligence (Permanent Select) APRIL 17, 2012 Additional sponsors: Mr. LATTA, Mr. QUAYLE, Mr. MCHENRY, Mr. FRELINGHUYSEN, Mr. YODER, Mr. WALBERG, Mr. CAMP, Ms. ESHOO, Mr. MICHAUD, Mrs. MCMORRIS RODGERS, Mr. SULLIVAN, Mr. MCKINLEY, Ms. ROS-LEHTINEN, Mr. COFFMAN of Colorado, Mr. GOODLATTE, Mr. WOLF, Mr. FORBES, Mr. GARY G. MILLER of California, Mr. STEARNS, Mr. ISSA, Mr. COLE, Mr. TURNER of Ohio, Mr. BROOKS, Mr. HUIZENGA of Michigan, Mr. CARTER, Mrs. HARTZLER, Mr. GRIMM, Mrs. MILLER of Michigan, Mr. GUTHRIE, Mr. ROGERS of Alabama, Mr. BENISHEK, Mr. BROUN of Georgia, Mr. LANCE, Mr. HASTINGS of Washington, Mr. DAVIS of Kentucky, Mr. MEEHAN, Mr. SHUSTER, Mr. OLSON, Mr. KLINE, Mrs. BONO MACK, Mr. BACHUS, Mr. SCHOCK, Mr. ROE of Tennessee, Mr. FLEISCHMANN, Mr. BACA, Mr. BOSWELL, Mrs. NOEM, Mr. WITTMAN, Mr. HULTGREN, Mrs. BLACKBURN, Mr. HASTINGS of Florida, Mr. HURT, Mr. JOHNSON of Ohio, Mr. SMITH of Nebraska, Mr. CRAWFORD, Mr. FRANKS of Arizona, Mr. LARSEN of Washington, Mr. SIRES, Mr. TOWNS, Ms. BORDALLO, Mr. ROSS of Arkansas, Mr. COOPER,

mstockstill on DSK4VPTVN1PROD with BILLS

VerDate Mar 15 2010

22:20 Apr 17, 2012

Jkt 019200

PO 00000

Frm 00001

Fmt 6652

Sfmt 6652

E:\BILLS\H3523.RH

H3523

2
Mr. PITTS, Mr. RUNYAN, Mr. COSTA, Mr. CARDOZA, Mr. WOODALL, Mr. BARTLETT, Mr. SHULER, Mr. STIVERS, Mr. WILSON of South Carolina, Mr. MCINTYRE, Mr. KISSELL, Mr. SCALISE, Mr. BILBRAY, Mr. GRIFFITH of Virginia, Mr. PETERSON, Mr. OWENS, Mr. MULVANEY, Mr. HALL, Mr. CUELLAR, Mr. LAMBORN, Mr. AUSTRIA, and Mr. MCKEON APRIL 17, 2012 Reported with an amendment, committed to the Committee of the Whole House on the State of the Union, and ordered to be printed
[Strike out all after the enacting clause and insert the part printed in italic] [For text of introduced bill, see copy of bill as introduced on November 30, 2011]

A BILL
To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.

mstockstill on DSK4VPTVN1PROD with BILLS

HR 3523 RH
VerDate Mar 15 2010 22:20 Apr 17, 2012 Jkt 019200 PO 00000 Frm 00002 Fmt 6652 Sfmt 6652 E:\BILLS\H3523.RH H3523

3 1 Be it enacted by the Senate and House of Representa-

2 tives of the United States of America in Congress assembled, 3 4

SECTION 1. SHORT TITLE.

This Act may be cited as the Cyber Intelligence Shar-

5 ing and Protection Act. 6 7 8

SEC. 2. CYBER THREAT INTELLIGENCE AND INFORMATION SHARING.

(a) IN GENERAL.Title XI of the National Security

9 Act of 1947 (50 U.S.C. 442 et seq.) is amended by adding 10 at the end the following new section: 11 12 13 14 15 16 17 18 19 20 21 22 23
mstockstill on DSK4VPTVN1PROD with BILLS

CYBER

THREAT INTELLIGENCE AND INFORMATION SHARING

SEC. 1104. (a) INTELLIGENCE COMMUNITY SHARING

OF

CYBER THREAT INTELLIGENCE WITH PRIVATE SEC-

TOR.

(1) IN

GENERAL.The

Director of National In-

telligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence. (2) SHARING
LIGENCE.The AND USE OF CLASSIFIED INTEL-

procedures established under para-

graph (1) shall provide that classified cyber threat intelligence may only be (A) shared by an element of the intelligence community with
HR 3523 RH
Jkt 019200 PO 00000 Frm 00003 Fmt 6652 Sfmt 6203 E:\BILLS\H3523.RH H3523

24 25 26
VerDate Mar 15 2010 22:20 Apr 17, 2012

4 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
mstockstill on DSK4VPTVN1PROD with BILLS

(i) certified entities; or (ii) a person with an appropriate security clearance to receive such cyber threat intelligence; (B) shared consistent with the need to protect the national security of the United States; and (C) used by a certified entity in a manner which protects such cyber threat intelligence from unauthorized disclosure. (3) SECURITY
CLEARANCE APPROVALS.The

Director of National Intelligence shall issue guidelines providing that the head of an element of the intelligence community may, as the head of such element considers necessary to carry out this subsection (A) grant a security clearance on a temporary or permanent basis to an employee or officer of a certified entity; (B) grant a security clearance on a temporary or permanent basis to a certified entity and approval to use appropriate facilities; and (C) expedite the security clearance process for a person or entity as the head of such element considers necessary, consistent with the need to

24

HR 3523 RH
VerDate Mar 15 2010 22:20 Apr 17, 2012 Jkt 019200 PO 00000 Frm 00004 Fmt 6652 Sfmt 6203 E:\BILLS\H3523.RH H3523

5 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
mstockstill on DSK4VPTVN1PROD with BILLS

protect the national security of the United States. (4) NO

RIGHT OR BENEFIT.The

provision of

information to a private-sector entity under this subsection shall not create a right or benefit to similar information by such entity or any other private-sector entity. (b) PRIVATE SECTOR USE
TEMS AND OF

CYBERSECURITY SYS-

SHARING

OF

CYBER THREAT INFORMATION.

(1) IN

GENERAL.

(A)

CYBERSECURITY

PROVIDERS.Not-

withstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes (i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and (ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.

24 25

HR 3523 RH
VerDate Mar 15 2010 22:20 Apr 17, 2012 Jkt 019200 PO 00000 Frm 00005 Fmt 6652 Sfmt 6203 E:\BILLS\H3523.RH H3523

6 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
mstockstill on DSK4VPTVN1PROD with BILLS

(B)

SELF-PROTECTED

ENTITIES.Not-

withstanding any other provision of law, a selfprotected entity may, for cybersecurity purposes (i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such selfprotected entity; and (ii) share such cyber threat information with any other entity, including the Federal Government. (2) USE
AND PROTECTION OF INFORMATION.

Cyber threat information shared in accordance with paragraph (1) (A) shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or selfprotected entity authorizing such sharing, including appropriate anonymization or minimization of such information; (B) may not be used by an entity to gain an unfair competitive advantage to the detriment of the protected entity or the self-protected entity authorizing the sharing of information; and

24 25

HR 3523 RH
VerDate Mar 15 2010 22:20 Apr 17, 2012 Jkt 019200 PO 00000 Frm 00006 Fmt 6652 Sfmt 6203 E:\BILLS\H3523.RH H3523

7 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
mstockstill on DSK4VPTVN1PROD with BILLS

(C) if shared with the Federal Government (i) shall be exempt from disclosure under section 552 of title 5, United States Code; (ii) shall be considered proprietary information and shall not be disclosed to an entity outside of the Federal Government except as authorized by the entity sharing such information; and (iii) shall not be used by the Federal Government for regulatory purposes. (3) EXEMPTION
FROM LIABILITY.No

civil or

criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, selfprotected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith (A) for using cybersecurity systems or sharing information in accordance with this section; or (B) for not acting on information obtained or shared in accordance with this section.

24

HR 3523 RH
VerDate Mar 15 2010 22:20 Apr 17, 2012 Jkt 019200 PO 00000 Frm 00007 Fmt 6652 Sfmt 6203 E:\BILLS\H3523.RH H3523

8 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
mstockstill on DSK4VPTVN1PROD with BILLS

(4) RELATIONSHIP

TO OTHER LAWS REQUIRING

THE DISCLOSURE OF INFORMATION.The

submission

of information under this subsection to the Federal Government shall not satisfy or affect any requirement under any other provision of law for a person or entity to provide information to the Federal Government. (c) FEDERAL GOVERNMENT USE (1) LIMITATION.The
OF INFORMATION.

Federal

Government

may use cyber threat information shared with the Federal Government in accordance with subsection (b) for any lawful purpose only if (A) the use of such information is not for a regulatory purpose; and (B) at least one significant purpose of the use of such information is (i) a cybersecurity purpose; or (ii) the protection of the national security of the United States. (2) AFFIRMATIVE
SEARCH RESTRICTION.The

Federal Government may not affirmatively search cyber threat information shared with the Federal Government under subsection (b) for a purpose other than a purpose referred to in paragraph (1)(B).

24

HR 3523 RH
VerDate Mar 15 2010 22:20 Apr 17, 2012 Jkt 019200 PO 00000 Frm 00008 Fmt 6652 Sfmt 6203 E:\BILLS\H3523.RH H3523

9 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
mstockstill on DSK4VPTVN1PROD with BILLS

(3) ANTI-TASKING

RESTRICTION.Nothing

in

this section shall be construed to permit the Federal Government to (A) require a private-sector entity to share information with the Federal Government; or (B) condition the sharing of cyber threat intelligence with a private-sector entity on the provision of cyber threat information to the Federal Government. (d) REPORT ON INFORMATION SHARING. (1) REPORT.The Inspector General of the Intelligence Community shall annually submit to the congressional intelligence committees a report containing a review of the use of information shared with the Federal Government under this section, including (A) a review of the use by the Federal Government of such information for a purpose other than a cybersecurity purpose; (B) a review of the type of information shared with the Federal Government under this section; (C) a review of the actions taken by the Federal Government based on such information;

24

HR 3523 RH
VerDate Mar 15 2010 22:20 Apr 17, 2012 Jkt 019200 PO 00000 Frm 00009 Fmt 6652 Sfmt 6203 E:\BILLS\H3523.RH H3523

10 1 2 3 4 5 6 7 8 9 10 11 (D) appropriate metrics to determine the impact of the sharing of such information with the Federal Government on privacy and civil liberties, if any; and (E) any recommendations of the Inspector General for improvements or modifications to the authorities under this section. (2) FORM.Each report required under paragraph (1) shall be submitted in unclassified form, but may include a classified annex. (e) FEDERAL PREEMPTION.This section supersedes

12 any statute of a State or political subdivision of a State 13 that restricts or otherwise expressly regulates an activity 14 authorized under subsection (b). 15 (f) SAVINGS CLAUSE.Nothing in this section shall

16 be construed to limit any other authority to use a cybersecu17 rity system or to identify, obtain, or share cyber threat in18 telligence or cyber threat information. 19 20 21 22 23
mstockstill on DSK4VPTVN1PROD with BILLS

(g) DEFINITIONS.In this section: (1) CERTIFIED

ENTITY.The

term certified en-

tity means a protected entity, self-protected entity, or cybersecurity provider that (A) possesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence; and

24 25

HR 3523 RH
VerDate Mar 15 2010 22:20 Apr 17, 2012 Jkt 019200 PO 00000 Frm 00010 Fmt 6652 Sfmt 6203 E:\BILLS\H3523.RH H3523

11 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
mstockstill on DSK4VPTVN1PROD with BILLS

(B) is able to demonstrate to the Director of National Intelligence that such provider or such entity can appropriately protect classified cyber threat intelligence. (2) CYBER
THREAT INFORMATION.The

term

cyber threat information means information directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from (A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information. (3) CYBER
THREAT INTELLIGENCE.The

term

cyber threat intelligence means information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from (A) efforts to degrade, disrupt, or destroy such system or network; or

24

HR 3523 RH
VerDate Mar 15 2010 22:20 Apr 17, 2012 Jkt 019200 PO 00000 Frm 00011 Fmt 6652 Sfmt 6203 E:\BILLS\H3523.RH H3523

12 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
mstockstill on DSK4VPTVN1PROD with BILLS

(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information. (4) CYBERSECURITY
PROVIDER.The

term cy-

bersecurity provider means a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes. (5) CYBERSECURITY
PURPOSE.The

term cy-

bersecurity purpose means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from (A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information. (6) CYBERSECURITY
SYSTEM.The

term cyber-

security system means a system designed or employed to ensure the integrity, confidentiality, or availability of, or safeguard, a system or network, including protecting a system or network from (A) efforts to degrade, disrupt, or destroy such system or network; or

24

HR 3523 RH
VerDate Mar 15 2010 22:20 Apr 17, 2012 Jkt 019200 PO 00000 Frm 00012 Fmt 6652 Sfmt 6203 E:\BILLS\H3523.RH H3523

13 1 2 3 4 5 6 7 8 9 10 11 12 (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information. (7) PROTECTED
ENTITY.The

term protected

entity means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes. (8) SELF-PROTECTED
ENTITY.The

term self-

protected entity means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.. (b) PROCEDURES
AND

GUIDELINES.The Director of

13 National Intelligence shall 14 15 16 17 18 19 20 21 22 23

mstockstill on DSK4VPTVN1PROD with BILLS

(1) not later than 60 days after the date of the enactment of this Act, establish procedures under paragraph (1) of section 1104(a) of the National Security Act of 1947, as added by subsection (a) of this section, and issue guidelines under paragraph (3) of such section 1104(a); and (2) following the establishment of such procedures and the issuance of such guidelines, expeditiously distribute such procedures and such guidelines to appropriate Federal Government and private-sector entities.

24

HR 3523 RH
VerDate Mar 15 2010 22:20 Apr 17, 2012 Jkt 019200 PO 00000 Frm 00013 Fmt 6652 Sfmt 6203 E:\BILLS\H3523.RH H3523

14 1 (c) INITIAL REPORT.The first report required to be

2 submitted under subsection (d) of section 1104 of the Na3 tional Security Act of 1947, as added by subsection (a) of 4 this section, shall be submitted not later than one year after 5 the date of the enactment of this Act. 6 (d) TABLE
OF

CONTENTS AMENDMENT.The table of

7 contents in the first section of the National Security Act 8 of 1947 is amended by adding at the end the following new 9 item:
Sec. 1104. Cyber threat intelligence and information sharing..

mstockstill on DSK4VPTVN1PROD with BILLS

HR 3523 RH
VerDate Mar 15 2010 22:20 Apr 17, 2012 Jkt 019200 PO 00000 Frm 00014 Fmt 6652 Sfmt 6213 E:\BILLS\H3523.RH H3523

mstockstill on DSK4VPTVN1PROD with BILLS

VerDate Mar 15 2010

22:20 Apr 17, 2012

Jkt 019200

PO 00000

Frm 00015

Fmt 6652

Sfmt 6213

E:\BILLS\H3523.RH

H3523

Union Calendar No. 311

112TH CONGRESS 2D SESSION

H. R. 3523

To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.
APRIL 17, 2012 Reported with an amendment, committed to the Committee of the Whole House on the State of the Union, and ordered to be printed

mstockstill on DSK4VPTVN1PROD with BILLS

VerDate Mar 15 2010

22:20 Apr 17, 2012

Jkt 019200

PO 00000

Frm 00016

Fmt 6651

Sfmt 6651

E:\BILLS\H3523.RH

A BILL

H3523

[Report No. 112445]