SEC. 108. CONSTRUCTION AND PREEMPTION. (a) Otherwise Lawful Disclosures.--Nothing in this title shall be construed-- (1) to limit or prohibit otherwise lawful disclosures of communications, records, or other information, including reporting of known or suspected criminal activity, by an entity to any other entity or the Federal Government under this title; or (2) to limit or prohibit otherwise lawful use of such disclosures by any Federal entity, even when such otherwise lawful disclosures duplicate or replicate disclosures made under this title. (b) Whistle Blower Protections.--Nothing in this title shall be construed to prohibit or limit the disclosure of information protected under section 2302(b)(8) of title 5, United States Code (governing disclosures of illegality, waste, fraud, abuse, or public health or safety threats), section 7211 of title 5, United States Code (governing disclosures to Congress), section 1034 of title 10, United States Code (governing disclosure to Congress by members of the military), section 1104 of the National Security Act of 1947 (50 U.S.C. 3234) (governing disclosure by employees of elements of the intelligence community), or any similar provision of Federal or State law. (c) Protection of Sources and Methods.--Nothing in this title shall be construed-- (1) as creating any immunity against, or otherwise affecting, any action brought by the Federal Government, or any agency or department thereof, to enforce any law, executive order, or procedure governing the appropriate handling, disclosure, or use of classified information; (2) to affect the conduct of authorized law enforcement or intelligence activities; or (3) to modify the authority of a department or agency of the Federal Government to protect classified information and sources and methods and the national security of the United States. (d) Relationship to Other Laws.--Nothing in this title shall be construed to affect any requirement under any other provision of law for an entity to provide information to the Federal Government. (e) Prohibited Conduct.--Nothing in this title shall be construed to permit price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning. (f) Information Sharing Relationships.--Nothing in this title shall be construed-- (1) to limit or modify an existing information sharing relationship; (2) to prohibit a new information sharing relationship; (3) to require a new information sharing relationship between any entity and another entity or a Federal entity; or (4) to require the use of the capability and process within the Department of Homeland Security developed under section 105(c). (g) Preservation of Contractual Obligations and Rights.-- Nothing in this title shall be construed-- (1) to amend, repeal, or supersede any current or future contractual agreement, terms of service agreement, or other contractual relationship between any entities, or between any entity and a Federal entity; or (2) to abrogate trade secret or intellectual property rights of any entity or Federal entity. (h) Anti-tasking Restriction.--Nothing in this title shall be construed to permit a Federal entity-- (1) to require an entity to provide information to a Federal entity or another entity; (2) to condition the sharing of cyber threat indicators with an entity on such entity's provision of cyber threat indicators to a Federal entity or another entity; or (3) to condition the award of any Federal grant, contract, or purchase on the provision of a cyber threat indicator to a Federal entity or another entity. (i) No Liability for Non-participation.--Nothing in this title shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized in this title. (j) Use and Retention of Information.--Nothing in this title shall be construed to authorize, or to modify any existing authority of, a department or agency of the Federal Government to retain or use any information shared under this title for any use other than permitted in this title. (k) Federal Preemption.-- (1) In general.--This title supersedes any statute or other provision of law of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under this title. (2) State law enforcement.--Nothing in this title shall be construed to supersede any statute or other provision of law of a State or political subdivision of a State concerning the use of authorized law enforcement practices and procedures. (l) Regulatory Authority.--Nothing in this title shall be construed-- (1) to authorize the promulgation of any regulations not specifically authorized by this title; (2) to establish or limit any regulatory authority not specifically established or limited under this title; or (3) to authorize regulatory actions that would duplicate or conflict with regulatory requirements, mandatory standards, or related processes under another provision of Federal law. (m) Authority of Secretary of Defense To Respond to Cyber Attacks.--Nothing in this title shall be construed to limit the authority of the Secretary of Defense to develop, prepare, coordinate, or, when authorized by the President to do so, conduct a military cyber operation in response to a malicious cyber activity carried out against the United States or a United States person by a foreign government or an organization sponsored by a foreign government or a terrorist organization. SEC. 109. REPORT ON CYBERSECURITY THREATS. (a) Report Required.--Not later than 180 days after the date of the enactment of this Act, the Director of National Intelligence, in coordination with the heads of other appropriate elements of the intelligence community, shall submit to the Select Committee on Intelligence of the Senate and the Permanent Select Committee on Intelligence of the House of Representatives a report on cybersecurity threats, including cyber attacks, theft, and data breaches. (b) Contents.--The report required by subsection (a) shall include the following: (1) An assessment of the current intelligence sharing and cooperation relationships of the United States with other countries regarding cybersecurity threats, including cyber attacks, theft, and data breaches, directed against the United States and which threaten the United States national security interests and economy and intellectual property, specifically identifying the relative utility of such relationships, which elements of the intelligence community participate in such relationships, and whether and how such relationships could be improved. (2) A list and an assessment of the countries and nonstate actors that are the primary threats of carrying out a cybersecurity threat, including a cyber attack, theft, or data breach, against the United States and which threaten the United States national security, economy, and intellectual property. (3) A description of the extent to which the capabilities of the United States Government to respond to or prevent cybersecurity threats, including cyber attacks, theft, or data breaches, directed against the United States private sector are degraded by a delay in the prompt notification by private entities of such threats or cyber attacks, theft, and breaches. (4) An assessment of additional technologies or capabilities that would enhance the ability of the United States to prevent and to respond to cybersecurity threats, including cyber attacks, theft, and data breaches. (5) An assessment of any technologies or practices utilized by the private sector that could be rapidly fielded to assist the intelligence community in preventing and responding to cybersecurity threats. (c) Additional Report.--At the time the report required by subsection (a) is submitted, the Director of National Intelligence shall submit to the Committee on Foreign Relations of the Senate and the Committee on Foreign Affairs of the House of Representatives a report containing the information required by subsection (b)(2). (d) Form of Report.--The report required by subsection (a) shall be made available in classified and unclassified forms. (e) Intelligence Community Defined.--In this section, the term ``intelligence community'' has the meaning given that term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003). SEC. 110. CONFORMING AMENDMENT. Section 941(c)(3) of the National Defense Authorization Act for Fiscal Year 2013 (Public Law 112-239; 10 U.S.C. 2224 note) is amended by inserting at the end the following: ``The Secretary may share such information with other Federal entities if such information consists of cyber threat indicators and defensive measures and such information is shared consistent with the policies and procedures promulgated by the Attorney General and the Secretary of Homeland Security under section 105 of the Cybersecurity Information Sharing Act of 2015.''. TITLE II--FEDERAL CYBERSECURITY ENHANCEMENT SEC. 201. SHORT TITLE. This title may be cited as the ``Federal Cybersecurity Enhancement Act of 2015''. SEC. 202. DEFINITIONS. In this title-- (1) the term ``agency'' has the meaning given the term in section 3502 of title 44, United States Code; (2) the term ``agency information system'' has the meaning given the term in section 228 of the Homeland Security Act of 2002, as added by section 203(a); (3) the term ``appropriate congressional committees'' means-- (A) the Committee on Homeland Security and Governmental Affairs of the Senate; and (B) the Committee on Homeland Security of the House of Representatives; (4) the terms ``cybersecurity risk'' and ``information system'' have the meanings given those terms in section 227 of the Homeland Security Act of 2002, as so redesignated by section 203(a); (5) the term ``Director'' means the Director of the Office of Management and Budget; (6) the term ``intelligence community'' has the meaning given the term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)); [[Page S7528]] (7) the term ``national security system'' has the meaning given the term in section 11103 of title 40, United States Code; and (8) the term ``Secretary'' means the Secretary of Homeland Security. SEC. 203. IMPROVED FEDERAL NETWORK SECURITY. (a) In General.--Subtitle C of title II of the Homeland Security Act of 2002 (6 U.S.C. 141 et seq.) is amended-- (1) by redesignating section 228 as section 229; (2) by redesignating section 227 as subsection (c) of section 228, as added by paragraph (4), and adjusting the margins accordingly; (3) by redesignating the second section designated as section 226 (relating to the national cybersecurity and communications integration center) as section 227; (4) by inserting after section 227, as so redesignated, the following: ``SEC. 228. CYBERSECURITY PLANS. ``(a) Definitions.--In this section-- ``(1) the term `agency information system' means an information system used or operated by an agency or by another entity on behalf of an agency; ``(2) the terms `cybersecurity risk' and `information system' have the meanings given those terms in section 227; ``(3) the term `intelligence community' has the meaning given the term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)); and ``(4) the term `national security system' has the meaning given the term in section 11103 of title 40, United States Code. ``(b) Intrusion Assessment Plan.-- ``(1) Requirement.--The Secretary, in coordination with the Director of the Office of Management and Budget, shall develop and implement an intrusion assessment plan to identify and remove intruders in agency information systems. ``(2) Exception.--The intrusion assessment plan required under paragraph (1) shall not apply to the Department of Defense, a national security system, or an element of the intelligence community.''; (5) in section 228(c), as so redesignated, by striking ``section 226'' and inserting ``section 227''; and (6) by inserting after section 229, as so redesignated, the following: ``SEC. 230. FEDERAL INTRUSION DETECTION AND PREVENTION SYSTEM. ``(a) Definitions.--In this section-- ``(1) the term `agency' has the meaning given that term in section 3502 of title 44, United States Code; ``(2) the term `agency information' means information collected or maintained by or on behalf of an agency; ``(3) the term `agency information system' has the meaning given the term in section 228; and ``(4) the terms `cybersecurity risk' and `information system' have the meanings given those terms in section 227. ``(b) Requirement.-- ``(1) In general.--Not later than 1 year after the date of enactment of this section, the Secretary shall deploy, operate, and maintain, to make available for use by any agency, with or without reimbursement-- ``(A) a capability to detect cybersecurity risks in network traffic transiting or traveling to or from an agency information system; and ``(B) a capability to prevent network traffic associated with such cybersecurity risks from transiting or traveling to or from an agency information system or modify such network traffic to remove the cybersecurity risk. ``(2) Regular improvement.--The Secretary shall regularly deploy new technologies and modify existing technologies to the intrusion detection and prevention capabilities described in paragraph (1) as appropriate to improve the intrusion detection and prevention capabilities. ``(c) Activities.--In carrying out subsection (b), the Secretary-- ``(1) may access, and the head of an agency may disclose to the Secretary or a private entity providing assistance to the Secretary under paragraph (2), information transiting or traveling to or from an agency information system, regardless of the location from which the Secretary or a private entity providing assistance to the Secretary under paragraph (2) accesses such information, notwithstanding any other provision of law that would otherwise restrict or prevent the head of an agency from disclosing such information to the Secretary or a private entity providing assistance to the Secretary under paragraph (2); ``(2) may enter into contracts or other agreements with, or otherwise request and obtain the assistance of, private entities to deploy and operate technologies in accordance with subsection (b); ``(3) may retain, use, and disclose information obtained through the conduct of activities authorized under this section only to protect information and information systems from cybersecurity risks; ``(4) shall regularly assess through operational test and evaluation in real world or simulated environments available advanced protective technologies to improve detection and prevention capabilities, including commercial and non- commercial technologies and detection technologies beyond signature-based detection, and utilize such technologies when appropriate; ``(5) shall establish a pilot to acquire, test, and deploy, as rapidly as possible, technologies described in paragraph (4); ``(6) shall periodically update the privacy impact assessment required under section 208(b) of the E-Government Act of 2002 (44 U.S.C. 3501 note); and ``(7) shall ensure that-- ``(A) activities carried out under this section are reasonably necessary for the purpose of protecting agency information and agency information systems from a cybersecurity risk; ``(B) information accessed by the Secretary will be retained no longer than reasonably necessary for the purpose of protecting agency information and agency information systems from a cybersecurity risk; ``(C) notice has been provided to users of an agency information system concerning access to communications of users of the agency information system for the purpose of protecting agency information and the agency information system; and ``(D) the activities are implemented pursuant to policies and procedures governing the operation of the intrusion detection and prevention capabilities. ``(d) Private Entities.-- ``(1) Conditions.--A private entity described in subsection (c)(2) may not-- ``(A) disclose any network traffic transiting or traveling to or from an agency information system to any entity without the consent of the Department or the agency that disclosed the information under subsection (c)(1); or ``(B) use any network traffic transiting or traveling to or from an agency information system to which the private entity gains access in accordance with this section for any purpose other than to protect agency information and agency information systems against cybersecurity risks or to administer a contract or other agreement entered into pursuant to subsection (c)(2) or as part of another contract with the Secretary. ``(2) Limitation on liability.--No cause of action shall lie in any court against a private entity for assistance provided to the Secretary in accordance with this section and any contract or agreement entered into pursuant to subsection (c)(2). ``(3) Rule of construction.--Nothing in paragraph (2) shall be construed to authorize an Internet service provider to break a user agreement with a customer without the consent of the customer. ``(e) Attorney General Review.--Not later than 1 year after the date of enactment of this section, the Attorney General shall review the policies and guidelines for the program carried out under this section to ensure that the policies and guidelines are consistent with applicable law governing the acquisition, interception, retention, use, and disclosure of communications.''. (b) Prioritizing Advanced Security Tools.--The Director and the Secretary, in consultation with appropriate agencies, shall-- (1) review and update governmentwide policies and programs to ensure appropriate prioritization and use of network security monitoring tools within agency networks; and (2) brief appropriate congressional committees on such prioritization and use. (c) Agency Responsibilities.-- (1) In general.--Except as provided in paragraph (2)-- (A) not later than 1 year after the date of enactment of this Act or 2 months after the date on which the Secretary makes available the intrusion detection and prevention capabilities under section 230(b)(1) of the Homeland Security Act of 2002, as added by subsection (a), whichever is later, the head of each agency shall apply and continue to utilize the capabilities to all information traveling between an agency information system and any information system other than an agency information system; and (B) not later than 6 months after the date on which the Secretary makes available improvements to the intrusion detection and prevention capabilities pursuant to section 230(b)(2) of the Homeland Security Act of 2002, as added by subsection (a), the head of each agency shall apply and continue to utilize the improved intrusion detection and prevention capabilities. (2) Exception.--The requirements under paragraph (1) shall not apply to the Department of Defense, a national security system, or an element of the intelligence community. (3) Definition.--In this subsection only, the term ``agency information system'' means an information system owned or operated by an agency. (4) Rule of construction.--Nothing in this subsection shall be construed to limit an agency from applying the intrusion detection and prevention capabilities under section 230(b)(1) of the Homeland Security Act of 2002, as added by subsection (a), at the discretion of the head of the agency or as provided in relevant policies, directives, and guidelines. (d) Table of Contents Amendment.--The table of contents in section 1(b) of the Homeland Security Act of 2002 (6 U.S.C. 101 note) is amended by striking the items relating to the first section designated as section 226, the second section designated as section 226 (relating to the national cybersecurity and communications integration center), section 227, and section 228 and inserting the following: ``Sec. 226. Cybersecurity recruitment and retention. ``Sec. 227. National cybersecurity and communications integration center. [[Page S7529]] ``Sec. 228. Cybersecurity plans. ``Sec. 229. Clearances. ``Sec. 230. Federal intrusion detection and prevention system.''. SEC. 204. ADVANCED INTERNAL DEFENSES. (a) Advanced Network Security Tools.-- (1) In general.--The Secretary shall include in the Continuous Diagnostics and Mitigation Program advanced network security tools to improve visibility of network activity, including through the use of commercial and free or open source tools, to detect and mitigate intrusions and anomalous activity. (2) Development of plan.--The Director shall develop and implement a plan to ensure that each agency utilizes advanced network security tools, including those described in paragraph (1), to detect and mitigate intrusions and anomalous activity. (b) Improved Metrics.--The Secretary, in collaboration with the Director, shall review and update the metrics used to measure security under section 3554 of title 44, United States Code, to include measures of intrusion and incident detection and response times. (c) Transparency and Accountability.--The Director, in consultation with the Secretary, shall increase transparency to the public on agency cybersecurity posture, including by increasing the number of metrics available on Federal Government performance websites and, to the greatest extent practicable, displaying metrics for department components, small agencies, and micro agencies. (d) Maintenance of Technologies.--Section 3553(b)(6)(B) of title 44, United States Code, is amended by inserting ``, operating, and maintaining'' after ``deploying''. (e) Exception.--The requirements under this section shall not apply to the Department of Defense, a national security system, or an element of the intelligence community. SEC. 205. FEDERAL CYBERSECURITY REQUIREMENTS. (a) Implementation of Federal Cybersecurity Standards.-- Consistent with section 3553 of title 44, United States Code, the Secretary, in consultation with the Director, shall exercise the authority to issue binding operational directives to assist the Director in ensuring timely agency adoption of and compliance with policies and standards promulgated under section 11331 of title 40, United States Code, for securing agency information systems. (b) Cybersecurity Requirements at Agencies.-- (1) In general.--Consistent with policies, standards, guidelines, and directives on information security under subchapter II of chapter 35 of title 44, United States Code, and the standards and guidelines promulgated under section 11331 of title 40, United States Code, and except as provided in paragraph (2), not later than 1 year after the date of the enactment of this Act, the head of each agency shall-- (A) identify sensitive and mission critical data stored by the agency consistent with the inventory required under the first subsection (c) (relating to the inventory of major information systems) and the second subsection (c) (relating to the inventory of information systems) of section 3505 of title 44, United States Code; (B) assess access controls to the data described in subparagraph (A), the need for readily accessible storage of the data, and individuals' need to access the data; (C) encrypt or otherwise render indecipherable to unauthorized users the data described in subparagraph (A) that is stored on or transiting agency information systems; (D) implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication, as developed by the Administrator of General Services in collaboration with the Secretary; and (E) implement identity management consistent with section 504 of the Cybersecurity Enhancement Act of 2014 (Public Law 113-274; 15 U.S.C. 7464), including multi-factor authentication, for-- (i) remote access to an agency information system; and (ii) each user account with elevated privileges on an agency information system. (2) Exception.--The requirements under paragraph (1) shall not apply to an agency information system for which-- (A) the head of the agency has personally certified to the Director with particularity that-- (i) operational requirements articulated in the certification and related to the agency information system would make it excessively burdensome to implement the cybersecurity requirement; (ii) the cybersecurity requirement is not necessary to secure the agency information system or agency information stored on or transiting it; and (iii) the agency has taken all necessary steps to secure the agency information system and agency information stored on or transiting it; and (B) the head of the agency or the designee of the head of the agency has submitted the certification described in subparagraph (A) to the appropriate congressional committees and the agency's authorizing committees. (3) Construction.--Nothing in this section shall be construed to alter the authority of the Secretary, the Director, or the Director of the National Institute of Standards and Technology in implementing subchapter II of chapter 35 of title 44, United States Code. Nothing in this section shall be construed to affect the National Institute of Standards and Technology standards process or the requirement under section 3553(a)(4) of such title or to discourage continued improvements and advancements in the technology, standards, policies, and guidelines used to promote Federal information security. (c) Exception.--The requirements under this section shall not apply to the Department of Defense, a national security system, or an element of the intelligence community. SEC. 206. ASSESSMENT; REPORTS. (a) Definitions.--In this section-- (1) the term ``intrusion assessments'' means actions taken under the intrusion assessment plan to identify and remove intruders in agency information systems; (2) the term ``intrusion assessment plan'' means the plan required under section 228(b)(1) of the Homeland Security Act of 2002, as added by section 203(a) of this Act; and (3) the term ``intrusion detection and prevention capabilities'' means the capabilities required under section 230(b) of the Homeland Security Act of 2002, as added by section 203(a) of this Act. (b) Third Party Assessment.--Not later than 3 years after the date of enactment of this Act, the Government Accountability Office shall conduct a study and publish a report on the effectiveness of the approach and strategy of the Federal Government to securing agency information systems, including the intrusion detection and prevention capabilities and the intrusion assessment plan. (c) Reports to Congress.-- (1) Intrusion detection and prevention capabilities.-- (A) Secretary of homeland security report.--Not later than 6 months after the date of enactment of this Act, and annually thereafter, the Secretary shall submit to the appropriate congressional committees a report on the status of implementation of the intrusion detection and prevention capabilities, including-- (i) a description of privacy controls; (ii) a description of the technologies and capabilities utilized to detect cybersecurity risks in network traffic, including the extent to which those technologies and capabilities include existing commercial and non-commercial technologies; (iii) a description of the technologies and capabilities utilized to prevent network traffic associated with cybersecurity risks from transiting or traveling to or from agency information systems, including the extent to which those technologies and capabilities include existing commercial and non-commercial technologies; (iv) a list of the types of indicators or other identifiers or techniques used to detect cybersecurity risks in network traffic transiting or traveling to or from agency information systems on each iteration of the intrusion detection and prevention capabilities and the number of each such type of indicator, identifier, and technique; (v) the number of instances in which the intrusion detection and prevention capabilities detected a cybersecurity risk in network traffic transiting or traveling to or from agency information systems and the number of times the intrusion detection and prevention capabilities blocked network traffic associated with cybersecurity risk; and (vi) a description of the pilot established under section 230(c)(5) of the Homeland Security Act of 2002, as added by section 203(a) of this Act, including the number of new technologies tested and the number of participating agencies. (B) OMB report.--Not later than 18 months after the date of enactment of this Act, and annually thereafter, the Director shall submit to Congress, as part of the report required under section 3553(c) of title 44, United States Code, an analysis of agency application of the intrusion detection and prevention capabilities, including-- (i) a list of each agency and the degree to which each agency has applied the intrusion detection and prevention capabilities to an agency information system; and (ii) a list by agency of-- (I) the number of instances in which the intrusion detection and prevention capabilities detected a cybersecurity risk in network traffic transiting or traveling to or from an agency information system and the types of indicators, identifiers, and techniques used to detect such cybersecurity risks; and (II) the number of instances in which the intrusion detection and prevention capabilities prevented network traffic associated with a cybersecurity risk from transiting or traveling to or from an agency information system and the types of indicators, identifiers, and techniques used to detect such agency information systems. (2) OMB report on development and implementation of intrusion assessment plan, advanced internal defenses, and federal cybersecurity best practices.--The Director shall-- (A) not later than 6 months after the date of enactment of this Act, and 30 days after any update thereto, submit the intrusion assessment plan to the appropriate congressional committees; (B) not later than 1 year after the date of enactment of this Act, and annually thereafter, submit to Congress, as part of the report required under section 3553(c) of title 44, United States Code-- [[Page S7530]] (i) a description of the implementation of the intrusion assessment plan; (ii) the findings of the intrusion assessments conducted pursuant to the intrusion assessment plan; (iii) advanced network security tools included in the Continuous Diagnostics and Mitigation Program pursuant to section 204(a)(1); (iv) the results of the assessment of the Secretary of best practices for Federal cybersecurity pursuant to section 205(a); and (v) a list by agency of compliance with the requirements of section 205(b); and (C) not later than 1 year after the date of enactment of this Act, submit to the appropriate congressional committees-- (i) a copy of the plan developed pursuant to section 204(a)(2); and (ii) the improved metrics developed pursuant to section 204(b). SEC. 207. TERMINATION. (a) In General.--The authority provided under section 230 of the Homeland Security Act of 2002, as added by section 203(a) of this Act, and the reporting requirements under section 206(c) shall terminate on the date that is 7 years after the date of enactment of this Act. (b) Rule of Construction.--Nothing in subsection (a) shall be construed to affect the limitation of liability of a private entity for assistance provided to the Secretary under section 230(d)(2) of the Homeland Security Act of 2002, as added by section 203(a) of this Act, if such assistance was rendered before the termination date under subsection (a) or otherwise during a period in which the assistance was authorized. SEC. 208. IDENTIFICATION OF INFORMATION SYSTEMS RELATING TO NATIONAL SECURITY. (a) In General.--Except as provided in subsection (c), not later than 180 days after the date of enactment of this Act-- (1) the Director of National Intelligence and the Director of the Office of Management and Budget, in coordination with the heads of other agencies, shall-- (A) identify all unclassified information systems that provide access to information that may provide an adversary with the ability to derive information that would otherwise be considered classified; (B) assess the risks that would result from the breach of each unclassified information system identified in subparagraph (A); and (C) assess the cost and impact on the mission carried out by each agency that owns an unclassified information system identified in subparagraph (A) if the system were to be subsequently designated as a national security system; and (2) the Director of National Intelligence and the Director of the Office of Management and Budget shall submit to the appropriate congressional committees, the Select Committee on Intelligence of the Senate, and the Permanent Select Committee on Intelligence of the House of Representatives a report that includes the findings under paragraph (1). (b) Form.--The report submitted under subsection (a)(2) shall be in unclassified form, and shall include a classified annex. (c) Exception.--The requirements under subsection (a)(1) shall not apply to the Department of Defense, a national security system, or an element of the intelligence community. (d) Rule of Construction.--Nothing in this section shall be construed to designate an information system as a national security system. SEC. 209. DIRECTION TO AGENCIES. (a) In General.--Section 3553 of title 44, United States Code, is amended by adding at the end the following: ``(h) Direction to Agencies.-- ``(1) Authority.-- ``(A) In general.--Subject to subparagraph (B), in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, the Secretary may issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat. ``(B) Exception.--The authorities of the Secretary under this subsection shall not apply to a system described subsection (d) or to a system described in paragraph (2) or (3) of subsection (e). ``(2) Procedures for use of authority.--The Secretary shall-- ``(A) in coordination with the Director, establish procedures governing the circumstances under which a directive may be issued under this subsection, which shall include-- ``(i) thresholds and other criteria; ``(ii) privacy and civil liberties protections; and ``(iii) providing notice to potentially affected third parties; ``(B) specify the reasons for the required action and the duration of the directive; ``(C) minimize the impact of a directive under this subsection by-- ``(i) adopting the least intrusive means possible under the circumstances to secure the agency information systems; and ``(ii) limiting directives to the shortest period practicable; ``(D) notify the Director and the head of any affected agency immediately upon the issuance of a directive under this subsection; ``(E) consult with the Director of the National Institute of Standards and Technology regarding any directive under this subsection that implements standards and guidelines developed by the National Institute of Standards and Technology; ``(F) ensure that directives issued under this subsection do not conflict with the standards and guidelines issued under section 11331 of title 40; ``(G) consider any applicable standards or guidelines developed by the National Institute of Standards and issued by the Secretary of Commerce under section 11331 of title 40; and ``(H) not later than February 1 of each year, submit to the appropriate congressional committees a report regarding the specific actions the Secretary has taken pursuant to paragraph (1)(A). ``(3) Imminent threats.-- ``(A) In general.--Notwithstanding section 3554, the Secretary may authorize the intrusion detection and prevention capabilities under section 230(b)(1) of the Homeland Security Act of 2002 for the purpose of ensuring the security of agency information systems, if-- ``(i) the Secretary determines there is an imminent threat to agency information systems; ``(ii) the Secretary determines a directive under subsection (b)(2)(C) or paragraph (1)(A) is not reasonably likely to result in a timely response to the threat; ``(iii) the Secretary determines the risk posed by the imminent threat outweighs any adverse consequences reasonably expected to result from the use of protective capabilities under the control of the Secretary; ``(iv) the Secretary provides prior notice to the Director, and the head and chief information officer (or equivalent official) of each agency to which specific actions will be taken pursuant to subparagraph (A), and notifies the appropriate congressional committees and authorizing committees of each such agencies within seven days of taking an action under this subsection of-- ``(I) any action taken under this subsection; and ``(II) the reasons for and duration and nature of the action; ``(v) the action of the Secretary is consistent with applicable law; and ``(vi) the Secretary authorizes the use of protective capabilities in accordance with the advance procedures established under subparagraph (C). ``(B) Limitation on delegation.--The authority under this subsection may not be delegated by the Secretary. ``(C) Advance procedures.--The Secretary shall, in coordination with the Director, and in consultation with the heads of Federal agencies, establish procedures governing the circumstances under which the Secretary may authorize the use of protective capabilities subparagraph (A). The Secretary shall submit the procedures to Congress. ``(4) Limitation.--The Secretary may direct or authorize lawful action or protective capability under this subsection only to-- ``(A) protect agency information from unauthorized access, use, disclosure, disruption, modification, or destruction; or ``(B) require the remediation of or protect against identified information security risks with respect to-- ``(i) information collected or maintained by or on behalf of an agency; or ``(ii) that portion of an information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. ``(i) Annual Report to Congress.--Not later than February 1 of each year, the Director shall submit to the appropriate congressional committees a report regarding the specific actions the Director has taken pursuant to subsection (a)(5), including any actions taken pursuant to section 11303(b)(5) of title 40. ``(j) Appropriate Congressional Committees Defined.--In this section, the term `appropriate congressional committees' means-- ``(1) the Committee on Appropriations and the Committee on Homeland Security and Governmental Affairs of the Senate; and ``(2) the Committee on Appropriations, the Committee on Homeland Security, the Committee on Oversight and Government Reform, and the Committee on Science, Space, and Technology of the House of Representatives.''. (b) Conforming Amendment.--Section 3554(a)(1)(B) of title 44, United States Code, is amended-- (1) in clause (iii), by striking ``and'' at the end; and (2) by adding at the end the following: ``(v) emergency directives issued by the Secretary under section 3553(h); and''. TITLE III--FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT SEC. 301. SHORT TITLE. This title may be cited as the ``Federal Cybersecurity Workforce Assessment Act of 2015''. SEC. 302. DEFINITIONS. In this title: (1) Appropriate congressional committees.--The term ``appropriate congressional committees'' means-- (A) the Committee on Armed Services of the Senate; [[Page S7531]] (B) the Committee on Homeland Security and Governmental Affairs of the Senate; (C) the Select Committee on Intelligence of the Senate; (D) the Committee on Commerce, Science, and Transportation of the Senate; (E) the Committee on Armed Services in the House of Representatives; (F) the Committee on Homeland Security of the House of Representatives; (G) the Committee on Oversight and Government Reform of the House of Representatives; and (H) the Permanent Select Committee on Intelligence of the House of Representatives. (2) Director.--The term ``Director'' means the Director of the Office of Personnel Management. (3) Roles.--The term ``roles'' has the meaning given the term in the National Initiative for Cybersecurity Education's Cybersecurity Workforce Framework. SEC. 303. NATIONAL CYBERSECURITY WORKFORCE MEASUREMENT INITIATIVE. (a) In General.--The head of each Federal agency shall-- (1) identify all positions within the agency that require the performance of cybersecurity or other cyber-related functions; and (2) assign the corresponding employment code, which shall be added to the National Initiative for Cybersecurity Education's National Cybersecurity Workforce Framework, in accordance with subsection (b). (b) Employment Codes.-- (1) Procedures.-- (A) Coding structure.--Not later than 180 days after the date of the enactment of this Act, the Secretary of Commerce, acting through the National Institute of Standards and Technology, shall update the National Initiative for Cybersecurity Education's Cybersecurity Workforce Framework to include a corresponding coding structure. (B) Identification of civilian cyber personnel.--Not later than 9 months after the date of enactment of this Act, the Director, in coordination with the Director of the National Institute of Standards and Technology and the Director of National Intelligence, shall establish procedures to implement the National Initiative for Cybersecurity Education's coding structure to identify all Federal civilian positions that require the performance of information technology, cybersecurity, or other cyber-related functions. (C) Identification of noncivilian cyber personnel.--Not later than 18 months after the date of enactment of this Act, the Secretary of Defense shall establish procedures to implement the National Initiative for Cybersecurity Education's coding structure to identify all Federal noncivilian positions that require the performance of information technology, cybersecurity, or other cyber-related functions. (D) Baseline assessment of existing cybersecurity workforce.--Not later than 3 months after the date on which the procedures are developed under subparagraphs (B) and (C), respectively, the head of each Federal agency shall submit to the appropriate congressional committees of jurisdiction a report that identifies-- (i) the percentage of personnel with information technology, cybersecurity, or other cyber-related job functions who currently hold the appropriate industry- recognized certifications as identified in the National Initiative for Cybersecurity Education's Cybersecurity Workforce Framework; (ii) the level of preparedness of other civilian and noncivilian cyber personnel without existing credentials to take certification exams; and (iii) a strategy for mitigating any gaps identified in clause (i) or (ii) with the appropriate training and certification for existing personnel. (E) Procedures for assigning codes.--Not later than 3 months after the date on which the procedures are developed under subparagraphs (B) and (C), respectively, the head of each Federal agency shall establish procedures-- (i) to identify all encumbered and vacant positions with information technology, cybersecurity, or other cyber-related functions (as defined in the National Initiative for Cybersecurity Education's coding structure); and (ii) to assign the appropriate employment code to each such position, using agreed standards and definitions. (2) Code assignments.--Not later than 1 year after the date after the procedures are established under paragraph (1)(E), the head of each Federal agency shall complete assignment of the appropriate employment code to each position within the agency with information technology, cybersecurity, or other cyber-related functions. (c) Progress Report.--Not later than 180 days after the date of enactment of this Act, the Director shall submit a progress report on the implementation of this section to the appropriate congressional committees. SEC. 304. IDENTIFICATION OF CYBER-RELATED ROLES OF CRITICAL NEED. (a) In General.--Beginning not later than 1 year after the date on which the employment codes are assigned to employees pursuant to section 203(b)(2), and annually through 2022, the head of each Federal agency, in consultation with the Director, the Director of the National Institute of Standards and Technology, and the Secretary of Homeland Security, shall-- (1) identify information technology, cybersecurity, or other cyber-related roles of critical need in the agency's workforce; and (2) submit a report to the Director that-- (A) describes the information technology, cybersecurity, or other cyber-related roles identified under paragraph (1); and (B) substantiates the critical need designations. (b) Guidance.--The Director shall provide Federal agencies with timely guidance for identifying information technology, cybersecurity, or other cyber-related roles of critical need, including-- (1) current information technology, cybersecurity, and other cyber-related roles with acute skill shortages; and (2) information technology, cybersecurity, or other cyber- related roles with emerging skill shortages. (c) Cybersecurity Needs Report.--Not later than 2 years after the date of the enactment of this Act, the Director, in consultation with the Secretary of Homeland Security, shall-- (1) identify critical needs for information technology, cybersecurity, or other cyber-related workforce across all Federal agencies; and (2) submit a progress report on the implementation of this section to the appropriate congressional committees. SEC. 305. GOVERNMENT ACCOUNTABILITY OFFICE STATUS REPORTS. The Comptroller General of the United States shall-- (1) analyze and monitor the implementation of sections 303 and 304; and (2) not later than 3 years after the date of the enactment of this Act, submit a report to the appropriate congressional committees that describes the status of such implementation.