[Congressional Bills 115th Congress]

[From the U.S. Government Publishing Office]

[S. 1761 Placed on Calendar Senate (PCS)]

Calendar No. 207 Calendar No. 207

115th CONGRESS

1st Session 1st Session

S. 1761 S. 1761

To authorize appropriations for fiscal year 2018 for intelligence and

intelligence-related activities of the United States Government, the intelligence-related activities of the United States Government, the

Community Management Account, and the Central Intelligence Agency Community Management Account, and the Central Intelligence Agency

Retirement and Disability System, and for other purposes. Retirement and Disability System, and for other purposes.

_______________________________________________________________________

IN THE SENATE OF THE UNITED STATES IN THE SENATE OF THE UNITED STATES

August 18, 2017 August 18, 2017

Mr. Burr, from the Select Committee on Intelligence of the Senate, Mr. Burr, from the Select Committee on Intelligence of the Senate,

reported, under authority of the order of the Senate of August 3, 2017,

the following original bill; which was read twice and placed on the the following original bill; which was read twice and placed on the

calendar calendar

_______________________________________________________________________

A BILL A BILL

To authorize appropriations for fiscal year 2018 for intelligence and To authorize appropriations for fiscal year 2018 for intelligence and

intelligence-related activities of the United States Government, the intelligence-related activities of the United States Government, the

Community Management Account, and the Central Intelligence Agency Community Management Account, and the Central Intelligence Agency

Retirement and Disability System, and for other purposes. Retirement and Disability System, and for other purposes.

Be it enacted by the Senate and House of Representatives of the Be it enacted by the Senate and House of Representatives of the

United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

(a) Short Title.--This Act may be cited as the ``Intelligence (a) Short Title.--This Act may be cited as the ``Intelligence

Authorization Act for Fiscal Year 2018''.

(b) Table of Contents.--The table of contents for this Act is as (b) Table of Contents.--The table of contents for this Act is as

follows:

Sec. 1. Short title; table of contents.

Sec. 2. Definitions.

TITLE I--INTELLIGENCE ACTIVITIES TITLE I--INTELLIGENCE ACTIVITIES

Sec. 101. Authorization of appropriations.

Sec. 102. Classified Schedule of Authorizations.

Sec. 103. Personnel ceiling adjustments.

Sec. 104. Intelligence Community Management Account.

TITLE II--CENTRAL INTELLIGENCE AGENCY RETIREMENT AND DISABILITY SYSTEM

Sec. 201. Authorization of appropriations.

TITLE III--GENERAL INTELLIGENCE COMMUNITY MATTERS TITLE III--GENERAL INTELLIGENCE COMMUNITY MATTERS

Sec. 301. Restriction on conduct of intelligence activities.

Sec. 302. Increase in employee compensation and benefits authorized by

law. law.

Sec. 303. Modification of special pay authority for science,

technology, engineering, or mathematics technology, engineering, or mathematics

positions and addition of special pay positions and addition of special pay

authority for cyber positions. authority for cyber positions.

Sec. 304. Director of National Intelligence review of placement of

positions within the intelligence community positions within the intelligence community

on the Executive Schedule. on the Executive Schedule.

Sec. 305. Modification of appointment of Chief Information Officer of

the Intelligence Community. the Intelligence Community.

Sec. 306. Supply Chain and Counterintelligence Risk Management Task

Force. Force.

Sec. 307. Inspector General of the Intelligence Community auditing

authority. authority.

Sec. 308. Inspectors General studies on classification.

TITLE IV--MATTERS RELATING TO ELEMENTS OF THE INTELLIGENCE COMMUNITY TITLE IV--MATTERS RELATING TO ELEMENTS OF THE INTELLIGENCE COMMUNITY

Subtitle A--Office of the Director of National Intelligence Subtitle A--Office of the Director of National Intelligence

Sec. 401. Authority for the protection of current and former employees

of the Office of the Director of National of the Office of the Director of National

Intelligence. Intelligence.

Sec. 402. Information sharing with State election officials.

Sec. 403. Technical modification to the Executive Schedule.

Sec. 404. Modification to the designation of the program manager-

information sharing environment. information sharing environment.

Subtitle B--Central Intelligence Agency Subtitle B--Central Intelligence Agency

Sec. 411. Repeal of foreign language proficiency requirement for

certain senior level positions in the certain senior level positions in the

Central Intelligence Agency. Central Intelligence Agency.

Subtitle C--Other Elements Subtitle C--Other Elements

Sec. 421. Designation of the Counterintelligence Directorate of the

Defense Security Service as an element of Defense Security Service as an element of

the intelligence community. the intelligence community.

TITLE V--SECURING ENERGY INFRASTRUCTURE TITLE V--SECURING ENERGY INFRASTRUCTURE

Sec. 501. Short title.

Sec. 502. Definitions.

Sec. 503. Pilot program for securing energy infrastructure.

Sec. 504. Working group to evaluate program standards and develop

strategy. strategy.

Sec. 505. Reports on the Program.

Sec. 506. No new regulatory authority for Federal agencies.

Sec. 507. Exemption from disclosure.

Sec. 508. Protection from liability.

Sec. 509. Authorization of appropriations.

TITLE VI--REPORTS AND OTHER MATTERS TITLE VI--REPORTS AND OTHER MATTERS

Sec. 601. Technical correction to Inspector General study.

Sec. 602. Governance for security clearance, suitability and fitness

for employment, and credentialing. for employment, and credentialing.

Sec. 603. Process for security clearances.

Sec. 604. Reports on the vulnerabilities equities policy and process of

the Federal Government. the Federal Government.

Sec. 605. Bug bounty programs.

Sec. 606. Report on cyber attacks by foreign governments against United

States election infrastructure. States election infrastructure.

Sec. 607. Review of intelligence community's posture to collect against

and analyze Russian efforts to influence and analyze Russian efforts to influence

the presidential election. the presidential election.

Sec. 608. Assessment of foreign intelligence threats to Federal

elections. elections.

Sec. 609. Strategy for countering Russian cyber threats to United

States elections. States elections.

Sec. 610. Limitation relating to establishment or support of cyber

security unit with the Government of security unit with the Government of

Russia. Russia.

Sec. 611. Report on returning Russian compounds.

Sec. 612. Intelligence community assessment on threat of Russian money

laundering to the United States. laundering to the United States.

Sec. 613. Notification of an active measures campaign.

Sec. 614. Notification of travel by accredited diplomatic and consular

personnel of the Russian Federation in the personnel of the Russian Federation in the

United States. United States.

Sec. 615. Modification of certain reporting requirement on travel of

foreign diplomats. foreign diplomats.

Sec. 616. Semiannual report on referrals to Department of Justice by

elements of the intelligence community elements of the intelligence community

regarding unauthorized disclosure of regarding unauthorized disclosure of

classified information. classified information.

Sec. 617. Notifications of designation of an intelligence officer as a

persona non grata. persona non grata.

Sec. 618. Biennial report on foreign investment risks.

Sec. 619. Report on surveillance by foreign governments against United

States telecommunications networks. States telecommunications networks.

Sec. 620. Reports on authorities of the Chief Intelligence Officer of

the Department of Homeland Security. the Department of Homeland Security.

Sec. 621. Report on geospatial commercial activities for basic and

applied research and development. applied research and development.

Sec. 622. Technical amendments related to the Department of Energy.

Sec. 623. Sense of Congress on WikiLeaks.

SEC. 2. DEFINITIONS.

In this Act: In this Act:

(1) Congressional intelligence committees.--The term (1) Congressional intelligence committees.--The term

``congressional intelligence committees'' means-- ``congressional intelligence committees'' means--

(A) the Select Committee on Intelligence of the (A) the Select Committee on Intelligence of the

Senate; and Senate; and

(B) the Permanent Select Committee on Intelligence (B) the Permanent Select Committee on Intelligence

of the House of Representatives. of the House of Representatives.

(2) Intelligence community.--The term ``intelligence (2) Intelligence community.--The term ``intelligence

community'' has the meaning given that term in section 3 of the community'' has the meaning given that term in section 3 of the

National Security Act of 1947 (50 U.S.C. 3003). National Security Act of 1947 (50 U.S.C. 3003).

TITLE I--INTELLIGENCE ACTIVITIES TITLE I--INTELLIGENCE ACTIVITIES

SEC. 101. AUTHORIZATION OF APPROPRIATIONS.

Funds are hereby authorized to be appropriated for fiscal year 2018 Funds are hereby authorized to be appropriated for fiscal year 2018

for the conduct of the intelligence and intelligence-related activities

of the following elements of the United States Government:

(1) The Office of the Director of National Intelligence. (1) The Office of the Director of National Intelligence.

(2) The Central Intelligence Agency. (2) The Central Intelligence Agency.

(3) The Department of Defense. (3) The Department of Defense.

(4) The Defense Intelligence Agency. (4) The Defense Intelligence Agency.

(5) The National Security Agency. (5) The National Security Agency.

(6) The Department of the Army, the Department of the Navy, (6) The Department of the Army, the Department of the Navy,

and the Department of the Air Force. and the Department of the Air Force.

(7) The Coast Guard. (7) The Coast Guard.

(8) The Department of State. (8) The Department of State.

(9) The Department of the Treasury. (9) The Department of the Treasury.

(10) The Department of Energy. (10) The Department of Energy.

(11) The Department of Justice. (11) The Department of Justice.

(12) The Federal Bureau of Investigation. (12) The Federal Bureau of Investigation.

(13) The Drug Enforcement Administration. (13) The Drug Enforcement Administration.

(14) The National Reconnaissance Office. (14) The National Reconnaissance Office.

(15) The National Geospatial-Intelligence Agency. (15) The National Geospatial-Intelligence Agency.

(16) The Department of Homeland Security. (16) The Department of Homeland Security.

SEC. 102. CLASSIFIED SCHEDULE OF AUTHORIZATIONS.

(a) Specifications of Amounts.--The amounts authorized to be (a) Specifications of Amounts.--The amounts authorized to be

appropriated under section 101 and, subject to section 103, the

authorized personnel ceilings as of September 30, 2018, for the conduct

of the intelligence activities of the elements listed in paragraphs (1)

through (16) of section 101, are those specified in the classified

Schedule of Authorizations prepared to accompany this Act.

(b) Availability of Classified Schedule of Authorizations.-- (b) Availability of Classified Schedule of Authorizations.--

(1) Availability.--The classified Schedule of (1) Availability.--The classified Schedule of

Authorizations referred to in subsection (a) shall be made Authorizations referred to in subsection (a) shall be made

available to the Committee on Appropriations of the Senate, the available to the Committee on Appropriations of the Senate, the

Committee on Appropriations of the House of Representatives, Committee on Appropriations of the House of Representatives,

and the President. and the President.

(2) Distribution by the president.--Subject to paragraph (2) Distribution by the president.--Subject to paragraph

(3), the President shall provide for suitable distribution of (3), the President shall provide for suitable distribution of

the classified Schedule of Authorizations referred to in the classified Schedule of Authorizations referred to in

subsection (a), or of appropriate portions of such Schedule, subsection (a), or of appropriate portions of such Schedule,

within the executive branch. within the executive branch.

(3) Limits on disclosure.--The President shall not publicly (3) Limits on disclosure.--The President shall not publicly

disclose the classified Schedule of Authorizations or any disclose the classified Schedule of Authorizations or any

portion of such Schedule except-- portion of such Schedule except--

(A) as provided in section 601(a) of the (A) as provided in section 601(a) of the

Implementing Recommendations of the 9/11 Commission Act Implementing Recommendations of the 9/11 Commission Act

of 2007 (50 U.S.C. 3306(a)); of 2007 (50 U.S.C. 3306(a));

(B) to the extent necessary to implement the (B) to the extent necessary to implement the

budget; or budget; or

(C) as otherwise required by law. (C) as otherwise required by law.

SEC. 103. PERSONNEL CEILING ADJUSTMENTS.

(a) Authority for Increases.--The Director of National Intelligence (a) Authority for Increases.--The Director of National Intelligence

may authorize employment of civilian personnel in excess of the number

authorized for fiscal year 2018 by the classified Schedule of

Authorizations referred to in section 102(a) if the Director of

National Intelligence determines that such action is necessary to the

performance of important intelligence functions, except that the number

of personnel employed in excess of the number authorized under such

section may not, for any element of the intelligence community,

exceed--

(1) 3 percent of the number of civilian personnel (1) 3 percent of the number of civilian personnel

authorized under such schedule for such element; or authorized under such schedule for such element; or

(2) 10 percent of the number of civilian personnel (2) 10 percent of the number of civilian personnel

authorized under such schedule for such element for the authorized under such schedule for such element for the

purposes of converting the performance of any function by purposes of converting the performance of any function by

contractors to performance by civilian personnel. contractors to performance by civilian personnel.

(b) Treatment of Certain Personnel.--The Director of National (b) Treatment of Certain Personnel.--The Director of National

Intelligence shall establish guidelines that govern, for each element

of the intelligence community, the treatment under the personnel levels

authorized under section 102(a), including any exemption from such

personnel levels, of employment or assignment in--

(1) a student program, trainee program, or similar program; (1) a student program, trainee program, or similar program;

(2) a reserve corps or as a reemployed annuitant; or (2) a reserve corps or as a reemployed annuitant; or

(3) details, joint duty, or long-term, full-time training. (3) details, joint duty, or long-term, full-time training.

(c) Notice to Congressional Intelligence Committees.--Not later (c) Notice to Congressional Intelligence Committees.--Not later

than 15 days prior to the exercise of an authority described in

subsection (a), the Director of National Intelligence shall submit to

the congressional intelligence committees--

(1) a written notice of the exercise of such authority; and (1) a written notice of the exercise of such authority; and

(2) in the case of an exercise of such authority subject to (2) in the case of an exercise of such authority subject to

the limitation in subsection (a)(2), a written justification the limitation in subsection (a)(2), a written justification

for the contractor conversion that includes a comparison of for the contractor conversion that includes a comparison of

whole of government costs. whole of government costs.

SEC. 104. INTELLIGENCE COMMUNITY MANAGEMENT ACCOUNT.

(a) Authorization of Appropriations.--There is authorized to be (a) Authorization of Appropriations.--There is authorized to be

appropriated for the Intelligence Community Management Account of the

Director of National Intelligence for fiscal year 2018 the sum of

$550,200,000. Within such amount, funds identified in the classified

Schedule of Authorizations referred to in section 102(a) for advanced

research and development shall remain available until September 30,

2019.

(b) Authorized Personnel Levels.--The elements within the (b) Authorized Personnel Levels.--The elements within the

Intelligence Community Management Account of the Director of National

Intelligence are authorized 797 positions as of September 30, 2018.

Personnel serving in such elements may be permanent employees of the

Office of the Director of National Intelligence or personnel detailed

from other elements of the United States Government.

(c) Classified Authorizations.-- (c) Classified Authorizations.--

(1) Authorization of appropriations.--In addition to (1) Authorization of appropriations.--In addition to

amounts authorized to be appropriated for the Intelligence amounts authorized to be appropriated for the Intelligence

Community Management Account by subsection (a), there are Community Management Account by subsection (a), there are

authorized to be appropriated for the Intelligence Community authorized to be appropriated for the Intelligence Community

Management Account for fiscal year 2018 such additional amounts Management Account for fiscal year 2018 such additional amounts

as are specified in the classified Schedule of Authorizations as are specified in the classified Schedule of Authorizations

referred to in section 102(a). Such additional amounts made referred to in section 102(a). Such additional amounts made

available for advanced research and development shall remain available for advanced research and development shall remain

available until September 30, 2019. available until September 30, 2019.

(2) Authorization of personnel.--In addition to the (2) Authorization of personnel.--In addition to the

personnel authorized by subsection (b) for elements of the personnel authorized by subsection (b) for elements of the

Intelligence Community Management Account as of September 30, Intelligence Community Management Account as of September 30,

2018, there are authorized such additional personnel for the 2018, there are authorized such additional personnel for the

Community Management Account as of that date as are specified Community Management Account as of that date as are specified

in the classified Schedule of Authorizations referred to in in the classified Schedule of Authorizations referred to in

section 102(a). section 102(a).

TITLE II--CENTRAL INTELLIGENCE AGENCY RETIREMENT AND DISABILITY SYSTEM

SEC. 201. AUTHORIZATION OF APPROPRIATIONS.

There is authorized to be appropriated for the Central Intelligence There is authorized to be appropriated for the Central Intelligence

Agency Retirement and Disability Fund for fiscal year 2018 the sum of

$514,000,000.

TITLE III--GENERAL INTELLIGENCE COMMUNITY MATTERS TITLE III--GENERAL INTELLIGENCE COMMUNITY MATTERS

SEC. 301. RESTRICTION ON CONDUCT OF INTELLIGENCE ACTIVITIES.

The authorization of appropriations by this Act shall not be deemed The authorization of appropriations by this Act shall not be deemed

to constitute authority for the conduct of any intelligence activity

which is not otherwise authorized by the Constitution or the laws of

the United States.

SEC. 302. INCREASE IN EMPLOYEE COMPENSATION AND BENEFITS AUTHORIZED BY

LAW. LAW.

Appropriations authorized by this Act for salary, pay, retirement, Appropriations authorized by this Act for salary, pay, retirement,

and other benefits for Federal employees may be increased by such

additional or supplemental amounts as may be necessary for increases in

such compensation or benefits authorized by law.

SEC. 303. MODIFICATION OF SPECIAL PAY AUTHORITY FOR SCIENCE,

TECHNOLOGY, ENGINEERING, OR MATHEMATICS POSITIONS AND TECHNOLOGY, ENGINEERING, OR MATHEMATICS POSITIONS AND

ADDITION OF SPECIAL PAY AUTHORITY FOR CYBER POSITIONS. ADDITION OF SPECIAL PAY AUTHORITY FOR CYBER POSITIONS.

(a) In General.--Section 113B of the National Security Act of 1947 (a) In General.--Section 113B of the National Security Act of 1947

(50 U.S.C. 3049a) is amended--

(1) by amending subsection (a) to read as follows: (1) by amending subsection (a) to read as follows:

``(a) Special Rates of Pay for Positions Requiring Expertise in ``(a) Special Rates of Pay for Positions Requiring Expertise in

Science, Technology, Engineering, or Mathematics.--

``(1) In general.--Notwithstanding part III of title 5, ``(1) In general.--Notwithstanding part III of title 5,

United States Code, the head of each element of the United States Code, the head of each element of the

intelligence community may, for 1 or more categories of intelligence community may, for 1 or more categories of

positions in such element that require expertise in science, positions in such element that require expertise in science,

technology, engineering, or mathematics (STEM)-- technology, engineering, or mathematics (STEM)--

``(A) establish higher minimum rates of pay; and ``(A) establish higher minimum rates of pay; and

``(B) make corresponding increases in all rates of ``(B) make corresponding increases in all rates of

pay of the pay range for each grade or level, subject pay of the pay range for each grade or level, subject

to subsection (b) or (c), as applicable. to subsection (b) or (c), as applicable.

``(2) Treatment.--The special rate supplements resulting ``(2) Treatment.--The special rate supplements resulting

from the establishment of higher rates under paragraph (1) from the establishment of higher rates under paragraph (1)

shall be basic pay for the same or similar purposes as those shall be basic pay for the same or similar purposes as those

specified in section 5305(j) of title 5, United States Code.''; specified in section 5305(j) of title 5, United States Code.'';

(2) by striking subsection (f); (2) by striking subsection (f);

(3) by redesignating subsections (b) through (e) as (3) by redesignating subsections (b) through (e) as

subsections (c) through (f), respectively; subsections (c) through (f), respectively;

(4) by inserting after subsection (a) the following: (4) by inserting after subsection (a) the following:

``(b) Special Rates of Pay for Cyber Positions.-- ``(b) Special Rates of Pay for Cyber Positions.--

``(1) In general.--Notwithstanding subsection (c), the ``(1) In general.--Notwithstanding subsection (c), the

Director of the National Security Agency may establish a Director of the National Security Agency may establish a

special rate of pay-- special rate of pay--

``(A) not to exceed the rate of basic pay payable ``(A) not to exceed the rate of basic pay payable

for level II of the Executive Schedule under section for level II of the Executive Schedule under section

5313 of title 5, United States Code, if the Director 5313 of title 5, United States Code, if the Director

certifies to the Under Secretary of Defense for certifies to the Under Secretary of Defense for

Intelligence, in consultation with the Under Secretary Intelligence, in consultation with the Under Secretary

of Defense for Personnel and Readiness, that the rate of Defense for Personnel and Readiness, that the rate

of pay is for positions that perform functions that of pay is for positions that perform functions that

execute the cyber mission of the Agency; or execute the cyber mission of the Agency; or

``(B) not to exceed the rate of basic pay payable ``(B) not to exceed the rate of basic pay payable

for the Vice President of the United States under for the Vice President of the United States under

section 104 of title 3, United States Code, if the section 104 of title 3, United States Code, if the

Director certifies to the Secretary of Defense, by Director certifies to the Secretary of Defense, by

name, individuals that have advanced skills and name, individuals that have advanced skills and

competencies and that perform critical functions that competencies and that perform critical functions that

execute the cyber mission of the Agency. execute the cyber mission of the Agency.

``(2) Pay limitation.--Employees receiving a special rate ``(2) Pay limitation.--Employees receiving a special rate

under paragraph (1) shall be subject to an aggregate pay under paragraph (1) shall be subject to an aggregate pay

limitation that parallels the limitation established in section limitation that parallels the limitation established in section

5307 of title 5, United States Code, except that-- 5307 of title 5, United States Code, except that--

``(A) any allowance, differential, bonus, award, or ``(A) any allowance, differential, bonus, award, or

other similar cash payment in addition to basic pay other similar cash payment in addition to basic pay

that is authorized under title 10, United States Code, that is authorized under title 10, United States Code,

(or any other applicable law in addition to title 5 of (or any other applicable law in addition to title 5 of

such Code, excluding the Fair Labor Standards Act) such Code, excluding the Fair Labor Standards Act)

shall also be counted as part of aggregate shall also be counted as part of aggregate

compensation; and compensation; and

``(B) aggregate compensation may not exceed the ``(B) aggregate compensation may not exceed the

rate established for the Vice President of the United rate established for the Vice President of the United

States under section 104 of title 3, United States States under section 104 of title 3, United States

Code. Code.

``(3) Limitation on number of recipients.--The number of ``(3) Limitation on number of recipients.--The number of

individuals who receive basic pay established under paragraph individuals who receive basic pay established under paragraph

(1)(B) may not exceed 100 at any time. (1)(B) may not exceed 100 at any time.

``(4) Limitation on use as comparative reference.-- ``(4) Limitation on use as comparative reference.--

Notwithstanding any other provision of law, special rates of Notwithstanding any other provision of law, special rates of

pay and the limitation established under paragraph (1)(B) may pay and the limitation established under paragraph (1)(B) may

not be used as comparative references for the purpose of fixing not be used as comparative references for the purpose of fixing

the rates of basic pay or maximum pay limitations of qualified the rates of basic pay or maximum pay limitations of qualified

positions under section 1599f of title 10, United States Code, positions under section 1599f of title 10, United States Code,

or section 226 of the Homeland Security Act of 2002 (6 U.S.C. or section 226 of the Homeland Security Act of 2002 (6 U.S.C.

147).''; and 147).''; and

(5) in subsection (c), as redesignated by paragraph (3), by (5) in subsection (c), as redesignated by paragraph (3), by

striking ``A minimum'' and inserting ``Except as provided in striking ``A minimum'' and inserting ``Except as provided in

subsection (b), a minimum''. subsection (b), a minimum''.

(b) Special Rates for Cyber Employees Under Title 5.--Section 5305 (b) Special Rates for Cyber Employees Under Title 5.--Section 5305

of title 5, United States Code, is amended--

(1) in subsection (g)(1), by striking ``subsection (h)'' (1) in subsection (g)(1), by striking ``subsection (h)''

and inserting ``subsections (h) and (k)''; and and inserting ``subsections (h) and (k)''; and

(2) by adding at the end the following subsections: (2) by adding at the end the following subsections:

``(k)(1) Notwithstanding the rate limitations set forth in ``(k)(1) Notwithstanding the rate limitations set forth in

subsections (a)(1) and (g)(2), the Office of Personnel Management may

establish under this section a rate of pay that does not exceed the

rate of basic pay payable for level II of the Executive Schedule under

section 5313 for employees in positions that perform functions that

execute a cyber mission and who are certified to have specified skills

and competencies.

``(2) Payments under subsection (g)(1) may not be made to an ``(2) Payments under subsection (g)(1) may not be made to an

employee receiving a rate of pay established under this section and

described in paragraph (1) of this subsection if, or to the extent

that, when added to basic pay otherwise payable, such payments would

cause the total to exceed the rate of basic pay payable for level II of

the Executive Schedule under section 5313.

``(l) An employee who is subject to a reduction or termination of a ``(l) An employee who is subject to a reduction or termination of a

special rate of pay established under this section due to not

maintaining a required skill or competency certification, or due to not

obtaining a revised skill or competency certification, shall not be

entitled to pay retention under section 5363 based on any resulting

reduction in pay.''.

SEC. 304. DIRECTOR OF NATIONAL INTELLIGENCE REVIEW OF PLACEMENT OF

POSITIONS WITHIN THE INTELLIGENCE COMMUNITY ON THE POSITIONS WITHIN THE INTELLIGENCE COMMUNITY ON THE

EXECUTIVE SCHEDULE. EXECUTIVE SCHEDULE.

The Director of National Intelligence shall conduct a review of The Director of National Intelligence shall conduct a review of

positions within the intelligence community regarding the placement of

such positions on the Executive Schedule under subchapter II of chapter

53 of title 5, United States Code. In carrying out such review, the

Director shall determine--

(1) which positions should or should not be on the (1) which positions should or should not be on the

Executive Schedule; and Executive Schedule; and

(2) for those positions that should be on the Executive (2) for those positions that should be on the Executive

Schedule, the level of the Executive Schedule at which such Schedule, the level of the Executive Schedule at which such

positions should be placed. positions should be placed.

SEC. 305. MODIFICATION OF APPOINTMENT OF CHIEF INFORMATION OFFICER OF

THE INTELLIGENCE COMMUNITY. THE INTELLIGENCE COMMUNITY.

Section 103G(a) of the National Security Act of 1947 (50 U.S.C. Section 103G(a) of the National Security Act of 1947 (50 U.S.C.

3032(a)) is amended by striking ``President'' and inserting

``Director''.

SEC. 306. SUPPLY CHAIN AND COUNTERINTELLIGENCE RISK MANAGEMENT TASK

FORCE. FORCE.

(a) Requirement to Establish.--The Director of National (a) Requirement to Establish.--The Director of National

Intelligence shall establish a Supply Chain and Counterintelligence

Risk Management Task Force to standardize information sharing between

the intelligence community and the acquisition community of the

Government of the United States with respect to the supply chain and

counterintelligence risks.

(b) Members.--The Supply Chain and Counterintelligence Risk (b) Members.--The Supply Chain and Counterintelligence Risk

Management Task Force shall be composed of--

(1) a representative of the Defense Security Service; (1) a representative of the Defense Security Service;

(2) a representative of the General Services (2) a representative of the General Services

Administration; Administration;

(3) a representative of the Office of Federal Procurement (3) a representative of the Office of Federal Procurement

Policy of the Office of Management and Budget; and Policy of the Office of Management and Budget; and

(4) any other members the Director of National Intelligence (4) any other members the Director of National Intelligence

determines appropriate. determines appropriate.

(c) Security Clearances.--Each member of the Supply Chain and (c) Security Clearances.--Each member of the Supply Chain and

Counterintelligence Risk Management Task Force shall have a security

clearance at the Top Secret and Sensitive Compartmented Information

level.

(d) Annual Report.--The Supply Chain and Counterintelligence Risk (d) Annual Report.--The Supply Chain and Counterintelligence Risk

Management Task Force shall submit to the congressional intelligence

committees an annual report that describes the activities of the Task

Force during the previous year, including identification of the supply

chain and counterintelligence risks shared with the acquisition

community of the Government of the United States by the intelligence

community.

SEC. 307. INSPECTOR GENERAL OF THE INTELLIGENCE COMMUNITY AUDITING

AUTHORITY. AUTHORITY.

Section 103H(j)(2)(A) of the National Security Act of 1947 (50 Section 103H(j)(2)(A) of the National Security Act of 1947 (50

U.S.C. 3033(j)(2)(A)) is amended--

(1) by striking ``law and the policies of the Director of (1) by striking ``law and the policies of the Director of

National Intelligence,'' and inserting ``law,''; and National Intelligence,'' and inserting ``law,''; and

(2) by striking ``General.'' and inserting ``General and is (2) by striking ``General.'' and inserting ``General and is

authorized to obtain the temporary or intermittent services of authorized to obtain the temporary or intermittent services of

experts or consultants or an organization thereof.''. experts or consultants or an organization thereof.''.

SEC. 308. INSPECTORS GENERAL STUDIES ON CLASSIFICATION.

(a) Requirement for Study.--Not later than October 1, 2019, each (a) Requirement for Study.--Not later than October 1, 2019, each

Inspector General listed in subsection (b) shall carry out and submit

to the congressional intelligence committees a report on the following:

(1) A study of the application of classification and (1) A study of the application of classification and

handling markers on a representative sample of finished handling markers on a representative sample of finished

reports, including compartments. reports, including compartments.

(2) A study analyzing compliance with declassification (2) A study analyzing compliance with declassification

procedures. procedures.

(3) A study on reviewing processes for identifying topics (3) A study on reviewing processes for identifying topics

of public or historical importance that merit prioritization of public or historical importance that merit prioritization

for a declassification review. for a declassification review.

(b) Inspectors General.--The Inspectors General listed in this (b) Inspectors General.--The Inspectors General listed in this

subsection are as follows:

(1) The Inspector General of the Intelligence Community. (1) The Inspector General of the Intelligence Community.

(2) The Inspector General of the Central Intelligence (2) The Inspector General of the Central Intelligence

Agency. Agency.

(3) The Inspector General of the National Security Agency. (3) The Inspector General of the National Security Agency.

(4) The Inspector General of the Defense Intelligence (4) The Inspector General of the Defense Intelligence

Agency. Agency.

(5) The Inspector General of the National Reconnaissance (5) The Inspector General of the National Reconnaissance

Office. Office.

(6) The Inspector General of the National Geospatial- (6) The Inspector General of the National Geospatial-

Intelligence Agency. Intelligence Agency.

TITLE IV--MATTERS RELATING TO ELEMENTS OF THE INTELLIGENCE COMMUNITY TITLE IV--MATTERS RELATING TO ELEMENTS OF THE INTELLIGENCE COMMUNITY

Subtitle A--Office of the Director of National Intelligence Subtitle A--Office of the Director of National Intelligence

SEC. 401. AUTHORITY FOR THE PROTECTION OF CURRENT AND FORMER EMPLOYEES

OF THE OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE. OF THE OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE.

Section 5(a)(4) of the Central Intelligence Agency Act of 1949 (50 Section 5(a)(4) of the Central Intelligence Agency Act of 1949 (50

U.S.C. 3506(a)(4)) is amended by striking ``such personnel of the

Office of the Director of National Intelligence as the Director of

National Intelligence may designate;'' and inserting ``current and

former personnel of the Office of the Director of National Intelligence

and their immediate families as the Director of National Intelligence

may designate;''.

SEC. 402. INFORMATION SHARING WITH STATE ELECTION OFFICIALS.

(a) Security Clearances.-- (a) Security Clearances.--

(1) In general.--Not later than 30 days after the date of (1) In general.--Not later than 30 days after the date of

the enactment of this Act, the Director of National the enactment of this Act, the Director of National

Intelligence shall sponsor a security clearance up to the top Intelligence shall sponsor a security clearance up to the top

secret level for each eligible chief election official of a secret level for each eligible chief election official of a

State or the District of Columbia, and up to one eligible State or the District of Columbia, and up to one eligible

designee of such an election official, at the time that he or designee of such an election official, at the time that he or

she assumes such position. she assumes such position.

(2) Determination of levels.-- (2) Determination of levels.--

(A) In general.--The Director shall determine the (A) In general.--The Director shall determine the

level of clearances for the positions described in level of clearances for the positions described in

paragraph (1). paragraph (1).

(B) Interim clearances.--The Director may issue (B) Interim clearances.--The Director may issue

interim clearances, for a period to be determined by interim clearances, for a period to be determined by

the Director, to a chief election official as described the Director, to a chief election official as described

in paragraph (1) and up to one designee of such in paragraph (1) and up to one designee of such

official under such paragraph. official under such paragraph.

(b) Information Sharing.-- (b) Information Sharing.--

(1) In general.--The Director shall share appropriate (1) In general.--The Director shall share appropriate

classified information related to threats to election systems classified information related to threats to election systems

and to the integrity of the election process with chief and to the integrity of the election process with chief

election officials and such designees who have received a election officials and such designees who have received a

security clearance under subsection (a). security clearance under subsection (a).

(2) Reports.--The Director shall transmit reports on such (2) Reports.--The Director shall transmit reports on such

information sharing to the respective affected Secretary of information sharing to the respective affected Secretary of

State or States. State or States.

(c) State Defined.--In this section, the term ``State'' means any (c) State Defined.--In this section, the term ``State'' means any

State of the United States, the District of Columbia, the Commonwealth

of Puerto Rico, and any territory or possession of the United States.

SEC. 403. TECHNICAL MODIFICATION TO THE EXECUTIVE SCHEDULE.

Section 5313 of title 5, United States Code, is amended by adding Section 5313 of title 5, United States Code, is amended by adding

at the end the following:

``Director of the National Counterintelligence and Security ``Director of the National Counterintelligence and Security

Center.''. Center.''.

SEC. 404. MODIFICATION TO THE DESIGNATION OF THE PROGRAM MANAGER-

INFORMATION SHARING ENVIRONMENT. INFORMATION SHARING ENVIRONMENT.

(a) Information Sharing Environment.--Section 1016(b) of the (a) Information Sharing Environment.--Section 1016(b) of the

Intelligence Reform and Terrorism Prevention Act of 2004 (6 U.S.C.

485(b)) is amended--

(1) in paragraph (1), by striking ``President'' and (1) in paragraph (1), by striking ``President'' and

inserting ``Director of National Intelligence''; and inserting ``Director of National Intelligence''; and

(2) in paragraph (2), by striking ``President'' both places (2) in paragraph (2), by striking ``President'' both places

that term appears and inserting ``Director of National that term appears and inserting ``Director of National

Intelligence''. Intelligence''.

(b) Program Manager.--Section 1016(f) of the Intelligence Reform (b) Program Manager.--Section 1016(f) of the Intelligence Reform

and Terrorism Prevention Act of 2004 (6 U.S.C. 485(f)) is amended by

striking ``The individual designated as the program manager shall serve

as program manager until removed from service or replaced by the

President (at the President's sole discretion).'' and inserting

``Beginning on the date of the enactment of the Intelligence

Authorization Act for Fiscal Year 2018, each individual designated as

the program manager shall be appointed by the Director of National

Intelligence.''.

Subtitle B--Central Intelligence Agency Subtitle B--Central Intelligence Agency

SEC. 411. REPEAL OF FOREIGN LANGUAGE PROFICIENCY REQUIREMENT FOR

CERTAIN SENIOR LEVEL POSITIONS IN THE CENTRAL CERTAIN SENIOR LEVEL POSITIONS IN THE CENTRAL

INTELLIGENCE AGENCY. INTELLIGENCE AGENCY.

(a) Repeal of Foreign Language Proficiency Requirement.--Section (a) Repeal of Foreign Language Proficiency Requirement.--Section

104A of the National Security Act of 1947 (50 U.S.C. 3036) is amended

by striking subsection (g).

(b) Conforming Repeal of Report Requirement.--Section 611 of the (b) Conforming Repeal of Report Requirement.--Section 611 of the

Intelligence Authorization Act for Fiscal Year 2005 (Public Law 108-

487) is amended by striking subsection (c).

Subtitle C--Other Elements Subtitle C--Other Elements

SEC. 421. DESIGNATION OF THE COUNTERINTELLIGENCE DIRECTORATE OF THE

DEFENSE SECURITY SERVICE AS AN ELEMENT OF THE DEFENSE SECURITY SERVICE AS AN ELEMENT OF THE

INTELLIGENCE COMMUNITY. INTELLIGENCE COMMUNITY.

(a) Designation.--Paragraph (4) of section 3 of the National (a) Designation.--Paragraph (4) of section 3 of the National

Security Act of 1947 (50 U.S.C. 3003(4)) is amended--

(1) by redesignating subparagraphs (H) through (L) as (1) by redesignating subparagraphs (H) through (L) as

subparagraphs (I) through (M), respectively; and subparagraphs (I) through (M), respectively; and

(2) by inserting after subparagraph (G) the following: (2) by inserting after subparagraph (G) the following:

``(H) The Counterintelligence Directorate of the ``(H) The Counterintelligence Directorate of the

Defense Security Service of the Department of Defense Security Service of the Department of

Defense.''. Defense.''.

(b) Application of Laws, Regulations, Rules, and Policies.-- (b) Application of Laws, Regulations, Rules, and Policies.--

Beginning on the date of the enactment of this Act, any law,

regulation, rule, or policy that applies to the elements of the

intelligence community, as defined in section 3 of the National

Security Act of 1947 (50 U.S.C. 3303), shall apply to the

Counterintelligence Directorate of the Defense Security Service of the

Department of Defense.

TITLE V--SECURING ENERGY INFRASTRUCTURE TITLE V--SECURING ENERGY INFRASTRUCTURE

SEC. 501. SHORT TITLE.

This title may be cited as the ``Securing Energy Infrastructure Act This title may be cited as the ``Securing Energy Infrastructure Act

of 2017''.

SEC. 502. DEFINITIONS.

In this title: In this title:

(1) Covered entity.--The term ``covered entity'' means an (1) Covered entity.--The term ``covered entity'' means an

entity identified pursuant to section 9(a) of Executive Order entity identified pursuant to section 9(a) of Executive Order

13636 of February 12, 2013 (78 Fed. Reg. 11742) relating to 13636 of February 12, 2013 (78 Fed. Reg. 11742) relating to

identification of critical infrastructure where a cybersecurity identification of critical infrastructure where a cybersecurity

incident could reasonably result in catastrophic regional or incident could reasonably result in catastrophic regional or

national effects on public health or safety, economic security, national effects on public health or safety, economic security,

or national security. or national security.

(2) Director.--Except as otherwise specifically provided, (2) Director.--Except as otherwise specifically provided,

the term ``Director'' means the Director of Intelligence and the term ``Director'' means the Director of Intelligence and

Counterintelligence of the Department of Energy. Counterintelligence of the Department of Energy.

(3) Exploit.--The term ``exploit'' means a software tool (3) Exploit.--The term ``exploit'' means a software tool

designed to take advantage of a security vulnerability. designed to take advantage of a security vulnerability.

(4) Industrial control system.-- (4) Industrial control system.--

(A) In general.--The term ``industrial control (A) In general.--The term ``industrial control

system'' means an operational technology used to system'' means an operational technology used to

measure, control, or manage industrial functions. measure, control, or manage industrial functions.

(B) Inclusions.--The term ``industrial control (B) Inclusions.--The term ``industrial control

system'' includes supervisory control and data system'' includes supervisory control and data

acquisition systems, distributed control systems, and acquisition systems, distributed control systems, and

programmable logic or embedded controllers. programmable logic or embedded controllers.

(5) National laboratory.--The term ``National Laboratory'' (5) National laboratory.--The term ``National Laboratory''

has the meaning given the term in section 2 of the Energy has the meaning given the term in section 2 of the Energy

Policy Act of 2005 (42 U.S.C. 15801). Policy Act of 2005 (42 U.S.C. 15801).

(6) Program.--The term ``Program'' means the pilot program (6) Program.--The term ``Program'' means the pilot program

established under section 503. established under section 503.

(7) Security vulnerability.--The term ``security (7) Security vulnerability.--The term ``security

vulnerability'' means any attribute of hardware, software, vulnerability'' means any attribute of hardware, software,

process, or procedure that could enable or facilitate the process, or procedure that could enable or facilitate the

defeat of a security control. defeat of a security control.

SEC. 503. PILOT PROGRAM FOR SECURING ENERGY INFRASTRUCTURE.

Not later than 180 days after the date of enactment of this title, Not later than 180 days after the date of enactment of this title,

the Director shall establish a 2-year control systems implementation

pilot program within the National Laboratories for the purposes of--

(1) partnering with covered entities in the energy sector (1) partnering with covered entities in the energy sector

(including critical component manufacturers in the supply (including critical component manufacturers in the supply

chain) that voluntarily participate in the Program to identify chain) that voluntarily participate in the Program to identify

new classes of security vulnerabilities of the covered new classes of security vulnerabilities of the covered

entities; and entities; and

(2) researching, developing, testing, and implementing (2) researching, developing, testing, and implementing

technology platforms and standards, in partnership with covered technology platforms and standards, in partnership with covered

entities, to isolate and defend industrial control systems of entities, to isolate and defend industrial control systems of

covered entities from security vulnerabilities and exploits in covered entities from security vulnerabilities and exploits in

the most critical systems of the covered entities, including-- the most critical systems of the covered entities, including--

(A) analog and nondigital control systems; (A) analog and nondigital control systems;

(B) purpose-built control systems; and (B) purpose-built control systems; and

(C) physical controls. (C) physical controls.

SEC. 504. WORKING GROUP TO EVALUATE PROGRAM STANDARDS AND DEVELOP

STRATEGY. STRATEGY.

(a) Establishment.--The Director shall establish a working group-- (a) Establishment.--The Director shall establish a working group--

(1) to evaluate the technology platforms and standards used (1) to evaluate the technology platforms and standards used

in the Program under section 503(2); and in the Program under section 503(2); and

(2) to develop a national cyber-informed engineering (2) to develop a national cyber-informed engineering

strategy to isolate and defend covered entities from security strategy to isolate and defend covered entities from security

vulnerabilities and exploits in the most critical systems of vulnerabilities and exploits in the most critical systems of

the covered entities. the covered entities.

(b) Membership.--The working group established under subsection (a) (b) Membership.--The working group established under subsection (a)

shall be composed of not fewer than 10 members, to be appointed by the

Director, at least 1 member of which shall represent each of the

following:

(1) The Department of Energy. (1) The Department of Energy.

(2) The energy industry, including electric utilities and (2) The energy industry, including electric utilities and

manufacturers recommended by the Energy Sector coordinating manufacturers recommended by the Energy Sector coordinating

councils. councils.

(3)(A) The Department of Homeland Security; or (3)(A) The Department of Homeland Security; or

(B) the Industrial Control Systems Cyber Emergency Response (B) the Industrial Control Systems Cyber Emergency Response

Team. Team.

(4) The North American Electric Reliability Corporation. (4) The North American Electric Reliability Corporation.

(5) The Nuclear Regulatory Commission. (5) The Nuclear Regulatory Commission.

(6)(A) The Office of the Director of National Intelligence; (6)(A) The Office of the Director of National Intelligence;

or or

(B) the intelligence community (as defined in section 3 of (B) the intelligence community (as defined in section 3 of

the National Security Act of 1947 (50 U.S.C. 3003)). the National Security Act of 1947 (50 U.S.C. 3003)).

(7)(A) The Department of Defense; or (7)(A) The Department of Defense; or

(B) the Assistant Secretary of Defense for Homeland (B) the Assistant Secretary of Defense for Homeland

Security and America's Security Affairs. Security and America's Security Affairs.

(8) A State or regional energy agency. (8) A State or regional energy agency.

(9) A national research body or academic institution. (9) A national research body or academic institution.

(10) The National Laboratories. (10) The National Laboratories.

SEC. 505. REPORTS ON THE PROGRAM.

(a) Interim Report.--Not later than 180 days after the date on (a) Interim Report.--Not later than 180 days after the date on

which funds are first disbursed under the Program, the Director shall

submit to the appropriate committees of Congress an interim report

that--

(1) describes the results of the Program; (1) describes the results of the Program;

(2) includes an analysis of the feasibility of each method (2) includes an analysis of the feasibility of each method

studied under the Program; and studied under the Program; and

(3) describes the results of the evaluations conducted by (3) describes the results of the evaluations conducted by

the working group established under section 504(a). the working group established under section 504(a).

(b) Final Report.--Not later than 2 years after the date on which (b) Final Report.--Not later than 2 years after the date on which

funds are first disbursed under the Program, the Director shall submit

to the appropriate committees of Congress a final report that--

(1) describes the results of the Program; (1) describes the results of the Program;

(2) includes an analysis of the feasibility of each method (2) includes an analysis of the feasibility of each method

studied under the Program; and studied under the Program; and

(3) describes the results of the evaluations conducted by (3) describes the results of the evaluations conducted by

the working group established under section 504(a). the working group established under section 504(a).

(c) Appropriate Committees of Congress Defined.--In this section, (c) Appropriate Committees of Congress Defined.--In this section,

the term ``appropriate committees of Congress'' means--

(1) the congressional intelligence committees; (1) the congressional intelligence committees;

(2) the Committee on Energy and Natural Resources of the (2) the Committee on Energy and Natural Resources of the

Senate; and Senate; and

(3) the Committee on Energy and Commerce of the House of (3) the Committee on Energy and Commerce of the House of

Representatives. Representatives.

SEC. 506. NO NEW REGULATORY AUTHORITY FOR FEDERAL AGENCIES.

Nothing in this title authorizes the Director or the head of any Nothing in this title authorizes the Director or the head of any

other Federal agency to issue new regulations.

SEC. 507. EXEMPTION FROM DISCLOSURE.

Information shared by or with the Federal Government or a State, Information shared by or with the Federal Government or a State,

tribal, or local government under this title shall be--

(1) deemed to be voluntarily shared information; and (1) deemed to be voluntarily shared information; and

(2) exempt from disclosure under any provision of Federal, (2) exempt from disclosure under any provision of Federal,

State, tribal, or local freedom of information law, open State, tribal, or local freedom of information law, open

government law, open meetings law, open records law, sunshine government law, open meetings law, open records law, sunshine

law, or similar law requiring the disclosure of information or law, or similar law requiring the disclosure of information or

records. records.

SEC. 508. PROTECTION FROM LIABILITY.

(a) In General.--A cause of action against a covered entity for (a) In General.--A cause of action against a covered entity for

engaging in the voluntary activities authorized under section 503--

(1) shall not lie or be maintained in any court; and (1) shall not lie or be maintained in any court; and

(2) shall be promptly dismissed by the applicable court. (2) shall be promptly dismissed by the applicable court.

(b) Voluntary Activities.--Nothing in this title subjects any (b) Voluntary Activities.--Nothing in this title subjects any

covered entity to liability for not engaging in the voluntary

activities authorized under section 503.

SEC. 509. AUTHORIZATION OF APPROPRIATIONS.

(a) Pilot Program.--There is authorized to be appropriated (a) Pilot Program.--There is authorized to be appropriated

$10,000,000 to carry out section 503.

(b) Working Group and Report.--There is authorized to be (b) Working Group and Report.--There is authorized to be

appropriated $1,500,000 to carry out sections 504 and 505.

(c) Availability.--Amounts made available under subsections (a) and (c) Availability.--Amounts made available under subsections (a) and

(b) shall remain available until expended.

TITLE VI--REPORTS AND OTHER MATTERS TITLE VI--REPORTS AND OTHER MATTERS

SEC. 601. TECHNICAL CORRECTION TO INSPECTOR GENERAL STUDY.

Section 11001(d) of title 5, United States Code, is amended-- Section 11001(d) of title 5, United States Code, is amended--

(1) in the subsection heading, by striking ``Audit'' and (1) in the subsection heading, by striking ``Audit'' and

inserting ``Review''; inserting ``Review'';

(2) in paragraph (1), by striking ``audit'' and inserting (2) in paragraph (1), by striking ``audit'' and inserting

``review''; and ``review''; and

(3) in paragraph (2), by striking ``audit'' and inserting (3) in paragraph (2), by striking ``audit'' and inserting

``review''. ``review''.

SEC. 602. GOVERNANCE FOR SECURITY CLEARANCE, SUITABILITY AND FITNESS

FOR EMPLOYMENT, AND CREDENTIALING. FOR EMPLOYMENT, AND CREDENTIALING.

(a) Governance Council for Suitability, Credentialing, and (a) Governance Council for Suitability, Credentialing, and

Security.--

(1) Establishment.--There is an interagency Security, (1) Establishment.--There is an interagency Security,

Suitability, and Credentialing Council (in this section the Suitability, and Credentialing Council (in this section the

``Council''). The Council shall be accountable to the President ``Council''). The Council shall be accountable to the President

and to Congress to achieve the goals of the executive branch and to Congress to achieve the goals of the executive branch

vetting enterprise. vetting enterprise.

(2) Membership.-- (2) Membership.--

(A) Composition.--The Council shall be composed for (A) Composition.--The Council shall be composed for

the following: the following:

(i) One individual who shall be appointed (i) One individual who shall be appointed

by the Director of the Office of Management and by the Director of the Office of Management and

Budget. Budget.

(ii) The individual serving as the (ii) The individual serving as the

Suitability Executive Agent and the Suitability Executive Agent and the

Credentialing Executive Agent pursuant to Credentialing Executive Agent pursuant to

subsections (b) and (c), respectively. subsections (b) and (c), respectively.

(iii) The individual serving as the (iii) The individual serving as the

Security Executive Agent pursuant to subsection Security Executive Agent pursuant to subsection

(d)(1). (d)(1).

(iv) The Under Secretary of Defense for (iv) The Under Secretary of Defense for

Intelligence. Intelligence.

(v) The Director of the National Background (v) The Director of the National Background

Investigations Bureau. Investigations Bureau.

(B) Chairperson.--The Chairperson of the Council (B) Chairperson.--The Chairperson of the Council

shall be the individual appointed under subparagraph shall be the individual appointed under subparagraph

(A)(i). The Chairperson shall have authority, (A)(i). The Chairperson shall have authority,

direction, and control over the functions of the direction, and control over the functions of the

Council. Council.

(3) Functions.--The functions of the Council are as (3) Functions.--The functions of the Council are as

follows: follows:

(A) Ensuring enterprise-wide alignment of (A) Ensuring enterprise-wide alignment of

suitability, security, credentialing, and as suitability, security, credentialing, and as

appropriate, fitness processes. appropriate, fitness processes.

(B) Holding agencies accountable for the (B) Holding agencies accountable for the

implementation of suitability, security, fitness, and implementation of suitability, security, fitness, and

credentialing processes and procedures. credentialing processes and procedures.

(C) Defining requirements for enterprise-wide (C) Defining requirements for enterprise-wide

reciprocity management information technology, and reciprocity management information technology, and

develop standards for enterprise-wide information develop standards for enterprise-wide information

technology. technology.

(D) Working with agencies-- (D) Working with agencies--

(i) to implement continuous performance (i) to implement continuous performance

improvement programs, policies, and procedures; improvement programs, policies, and procedures;

(ii) to establish annual goals and progress (ii) to establish annual goals and progress

metrics; and metrics; and

(iii) to prepare annual reports on results. (iii) to prepare annual reports on results.

(E) Ensuring and overseeing the development of (E) Ensuring and overseeing the development of

tools and techniques for enhancing background tools and techniques for enhancing background

investigations and adjudications. investigations and adjudications.

(F) Enabling discussion and consensus resolution of (F) Enabling discussion and consensus resolution of

differences in processes, policies, and procedures differences in processes, policies, and procedures

among the members of the Council, and other agencies as among the members of the Council, and other agencies as

appropriate. appropriate.

(G) Sharing best practices. (G) Sharing best practices.

(H) Advise the Suitability Executive Agent, the (H) Advise the Suitability Executive Agent, the

Credentialing Executive Agent, and the Security Credentialing Executive Agent, and the Security

Executive Agent on policies affecting the alignment of Executive Agent on policies affecting the alignment of

investigations and adjudications. investigations and adjudications.

(I) Working with agencies to develop agency (I) Working with agencies to develop agency

policies and procedures to enable sharing of vetting policies and procedures to enable sharing of vetting

information consistent with the law and the protection information consistent with the law and the protection

of privacy and civil liberties and to the extent of privacy and civil liberties and to the extent

necessary for enterprise-wide efficiency, necessary for enterprise-wide efficiency,

effectiveness, and security. effectiveness, and security.

(J) Monitoring performance to identify and drive (J) Monitoring performance to identify and drive

enterprise-level process enhancements, and make enterprise-level process enhancements, and make

recommendations for changes to executive branch-wide recommendations for changes to executive branch-wide

guidance and authorities to resolve overlaps or close guidance and authorities to resolve overlaps or close

policy gaps where they may exist. policy gaps where they may exist.

(K) Promoting data-driven, transparent, and (K) Promoting data-driven, transparent, and

expeditious policy-making processes. expeditious policy-making processes.

(L) Developing and continuously reevaluating and (L) Developing and continuously reevaluating and

revising outcome-based metrics that measure the revising outcome-based metrics that measure the

quality, efficiency and effectiveness of the vetting quality, efficiency and effectiveness of the vetting

enterprise. enterprise.

(4) Subordinate bodies.--The Chairperson may establish (4) Subordinate bodies.--The Chairperson may establish

subordinate entities, mechanisms, and policies to support and subordinate entities, mechanisms, and policies to support and

assist the Council in carrying out the functions of the assist the Council in carrying out the functions of the

Council. Council.

(b) Suitability Executive Agent.-- (b) Suitability Executive Agent.--

(1) In general.--The Director of the Office of Personnel (1) In general.--The Director of the Office of Personnel

Management shall serve as the Suitability Executive Agent. Management shall serve as the Suitability Executive Agent.

(2) Duties.--The duties of the Suitability Executive Agent (2) Duties.--The duties of the Suitability Executive Agent

are as follows: are as follows:

(A) Pursuant to sections 1103 and 1104 of title 5, (A) Pursuant to sections 1103 and 1104 of title 5,

United States Code, and the Civil Service Rules, to be United States Code, and the Civil Service Rules, to be

responsible for suitability and fitness by-- responsible for suitability and fitness by--

(i) prescribing suitability standards and (i) prescribing suitability standards and

minimum standards of fitness for employment; minimum standards of fitness for employment;

(ii) prescribing position designation (ii) prescribing position designation

requirements with regard to the risk to the requirements with regard to the risk to the

efficiency and integrity of the service; efficiency and integrity of the service;

(iii) prescribing applicable investigative (iii) prescribing applicable investigative

standards, policies, and procedures for standards, policies, and procedures for

suitability and fitness; suitability and fitness;

(iv) prescribing suitability and fitness (iv) prescribing suitability and fitness

reciprocity standards; reciprocity standards;

(v) making suitability determinations; and (v) making suitability determinations; and

(vi) taking suitability actions. (vi) taking suitability actions.

(B) To issue regulations, guidance, and standards (B) To issue regulations, guidance, and standards

to fulfill the Director's responsibilities related to to fulfill the Director's responsibilities related to

suitability and fitness under Executive Order 13488 of suitability and fitness under Executive Order 13488 of

January 16, 2009, as amended. January 16, 2009, as amended.

(C) To promote reciprocal recognition of (C) To promote reciprocal recognition of

suitability or fitness determinations among the suitability or fitness determinations among the

agencies, including acting as the final authority to agencies, including acting as the final authority to

arbitrate and resolve disputes among the agencies arbitrate and resolve disputes among the agencies

involving the reciprocity of investigations and involving the reciprocity of investigations and

adjudications of suitability and fitness. adjudications of suitability and fitness.

(D) To continue to initially approve, and (D) To continue to initially approve, and

periodically review for renewal, agencies' requests to periodically review for renewal, agencies' requests to

administer polygraphs in connection with appointment in administer polygraphs in connection with appointment in

the competitive service, in consultation with the the competitive service, in consultation with the

Security Executive Agent as appropriate. Security Executive Agent as appropriate.

(E) To make a continuing review of agency programs (E) To make a continuing review of agency programs

for suitability and fitness vetting to determine for suitability and fitness vetting to determine

whether they are being implemented according to this whether they are being implemented according to this

section. section.

(F) Shall, pursuant to section 1104 of title 5, (F) Shall, pursuant to section 1104 of title 5,

United States Code, prescribe performance standards and United States Code, prescribe performance standards and

a system of oversight for any suitability or fitness a system of oversight for any suitability or fitness

function delegated by the Director to the head of function delegated by the Director to the head of

another agency, including uniform and consistent another agency, including uniform and consistent

policies and procedures to ensure the effective, policies and procedures to ensure the effective,

efficient, timely, and secure completion of delegated efficient, timely, and secure completion of delegated

functions. functions.

(3) Guidelines and instructions.--The Suitability Executive (3) Guidelines and instructions.--The Suitability Executive

Agent may issue guidelines and instructions to the heads of Agent may issue guidelines and instructions to the heads of

agencies to promote appropriate uniformity, centralization, agencies to promote appropriate uniformity, centralization,

efficiency, effectiveness, reciprocity, timeliness, and efficiency, effectiveness, reciprocity, timeliness, and

security in processes relating to determining suitability or security in processes relating to determining suitability or

fitness. fitness.

(c) Credentialing Executive Agent.-- (c) Credentialing Executive Agent.--

(1) In general.--In addition to serving as the Suitability (1) In general.--In addition to serving as the Suitability

Executive Agent, the Director of the Office of Personnel Executive Agent, the Director of the Office of Personnel

Management shall also serve as the Credentialing Executive Management shall also serve as the Credentialing Executive

Agent. Agent.

(2) Duties.--The duties of the Credentialing Executive (2) Duties.--The duties of the Credentialing Executive

Agent are as follows: Agent are as follows:

(A) To develop standards for investigations, (A) To develop standards for investigations,

reinvestigations, and continuous vetting for a covered reinvestigations, and continuous vetting for a covered

individual's eligibility for a PIV credential. individual's eligibility for a PIV credential.

(B) To develop adjudicative guidelines for a (B) To develop adjudicative guidelines for a

covered individual's eligibility for a PIV credential. covered individual's eligibility for a PIV credential.

(C) To develop guidelines on reporting and (C) To develop guidelines on reporting and

recording determinations of eligibility for a PIV recording determinations of eligibility for a PIV

credential. credential.

(D) To develop standards for unfavorable (D) To develop standards for unfavorable

determinations of eligibility for a PIV credential, determinations of eligibility for a PIV credential,

including procedures for denying and revoking the including procedures for denying and revoking the

eligibility for a PIV credential, for reconsideration eligibility for a PIV credential, for reconsideration

of unfavorable determinations, and for rendering the of unfavorable determinations, and for rendering the

PIV credential inoperable. PIV credential inoperable.

(E) To develop standards and procedures for (E) To develop standards and procedures for

suspending eligibility for a PIV credential when there suspending eligibility for a PIV credential when there

is a reasonable basis to believe there may be an is a reasonable basis to believe there may be an

unacceptable risk pending an inquiry or investigation, unacceptable risk pending an inquiry or investigation,

including special standards and procedures for imminent including special standards and procedures for imminent

risk. risk.

(F) To develop uniform and consistent policies and (F) To develop uniform and consistent policies and

procedures to ensure the effective, efficient, timely, procedures to ensure the effective, efficient, timely,

and secure completion of investigations and and secure completion of investigations and

adjudications relating to eligibility for a PIV adjudications relating to eligibility for a PIV

credential. credential.

(G) To monitor and make a continuing review of (G) To monitor and make a continuing review of

agency programs for determining eligibility for a PIV agency programs for determining eligibility for a PIV

credential to determine whether they are being credential to determine whether they are being

implemented according to this section. implemented according to this section.

(H) To consult to the extent practicable with other (H) To consult to the extent practicable with other

agencies with responsibilities related to PIV agencies with responsibilities related to PIV

credentials to ensure that policies and procedures are credentials to ensure that policies and procedures are

consistent with law. consistent with law.

(3) Guidelines and instructions.--The Credentialing (3) Guidelines and instructions.--The Credentialing

Executive Agent may develop guidelines and instructions to the Executive Agent may develop guidelines and instructions to the

heads of agencies as necessary to ensure appropriate heads of agencies as necessary to ensure appropriate

uniformity, centralization, efficiency, effectiveness, and uniformity, centralization, efficiency, effectiveness, and

timeliness in processes relating to eligibility for a PIV timeliness in processes relating to eligibility for a PIV

credential. credential.

(4) PIV credential defined.--In this subsection, the term (4) PIV credential defined.--In this subsection, the term

``PIV credential'' means a personal identity verification ``PIV credential'' means a personal identity verification

credential permitting logical and physical access to Federally credential permitting logical and physical access to Federally

controlled facilities and Federally controlled information controlled facilities and Federally controlled information

systems. systems.

(d) Security Executive Agent.-- (d) Security Executive Agent.--

(1) In general.--The Director of National Intelligence (1) In general.--The Director of National Intelligence

shall serve as the Security Executive Agent. shall serve as the Security Executive Agent.

(2) Duties.--The duties of the Security Executive Agent are (2) Duties.--The duties of the Security Executive Agent are

as follows: as follows:

(A) To direct the oversight of investigations, (A) To direct the oversight of investigations,

reinvestigations, adjudications, and, as applicable, reinvestigations, adjudications, and, as applicable,

polygraphs for eligibility for access to classified polygraphs for eligibility for access to classified

information or eligibility to hold a sensitive position information or eligibility to hold a sensitive position

made by any agency. made by any agency.

(B) To make a continuing review of agencies' (B) To make a continuing review of agencies'

national security background investigation and national security background investigation and

adjudication programs to determine whether they are adjudication programs to determine whether they are

being implemented according to this section. being implemented according to this section.

(C) To develop and issue uniform and consistent (C) To develop and issue uniform and consistent

policies and procedures to ensure the effective, policies and procedures to ensure the effective,

efficient, timely, and secure completion of efficient, timely, and secure completion of

investigations, polygraphs, and adjudications relating investigations, polygraphs, and adjudications relating

to determinations of eligibility for access to to determinations of eligibility for access to

classified information or eligibility to hold a classified information or eligibility to hold a

sensitive position. sensitive position.

(D) To serve as the final authority to designate an (D) To serve as the final authority to designate an

agency or agencies, to the extent that it is not agency or agencies, to the extent that it is not

practicable to use the National Background practicable to use the National Background

Investigations Bureau, to conduct investigations of Investigations Bureau, to conduct investigations of

persons who are proposed for access to classified persons who are proposed for access to classified

information or for eligibility to hold a sensitive information or for eligibility to hold a sensitive

position to ascertain whether such persons satisfy the position to ascertain whether such persons satisfy the

criteria for obtaining and retaining access to criteria for obtaining and retaining access to

classified information or eligibility to hold a classified information or eligibility to hold a

sensitive position. sensitive position.

(E) To serve as the final authority to designate an (E) To serve as the final authority to designate an

agency or agencies to determine eligibility for access agency or agencies to determine eligibility for access

to classified information or eligibility to hold a to classified information or eligibility to hold a

sensitive position in accordance with Executive Order sensitive position in accordance with Executive Order

12968 of August 2, 1995, as amended. 12968 of August 2, 1995, as amended.

(F) To ensure reciprocal recognition of eligibility (F) To ensure reciprocal recognition of eligibility

for access to classified information or eligibility to for access to classified information or eligibility to

hold a sensitive position among the agencies, including hold a sensitive position among the agencies, including

acting as the final authority to arbitrate and resolve acting as the final authority to arbitrate and resolve

disputes among the agencies involving the reciprocity disputes among the agencies involving the reciprocity

of investigations and adjudications of eligibility. of investigations and adjudications of eligibility.

(3) Authorities.--The Security Executive Agent may-- (3) Authorities.--The Security Executive Agent may--

(A) issue guidelines and instructions to the heads (A) issue guidelines and instructions to the heads

of agencies to ensure appropriate uniformity, of agencies to ensure appropriate uniformity,

centralization, efficiency, effectiveness, timeliness, centralization, efficiency, effectiveness, timeliness,

and security in processes relating to determinations by and security in processes relating to determinations by

agencies of eligibility for access to classified agencies of eligibility for access to classified

information or eligibility to hold a sensitive information or eligibility to hold a sensitive

position, including such matters as investigations, position, including such matters as investigations,

polygraphs, adjudications, and reciprocity; polygraphs, adjudications, and reciprocity;

(B) if consistent with the national security, (B) if consistent with the national security,

authorize exceptions to or waivers of national security authorize exceptions to or waivers of national security

investigative requirements, and may issue implementing investigative requirements, and may issue implementing

or clarifying guidance as necessary; or clarifying guidance as necessary;

(C) assign, in whole or in part, to the head of any (C) assign, in whole or in part, to the head of any

agency (solely or jointly) any of the duties of the agency (solely or jointly) any of the duties of the

Security Executive Agent under paragraph (2) or the Security Executive Agent under paragraph (2) or the

authorities in subparagraphs (A) and (B) of this authorities in subparagraphs (A) and (B) of this

paragraph, with the agency's exercise of such assigned paragraph, with the agency's exercise of such assigned

duties or authorities to be subject to the Security duties or authorities to be subject to the Security

Executive Agent's oversight and with such terms and Executive Agent's oversight and with such terms and

conditions (including approval by the Security conditions (including approval by the Security

Executive Agent) as the Security Executive Agent Executive Agent) as the Security Executive Agent

determines appropriate; and determines appropriate; and

(D) define and set standards for continuous (D) define and set standards for continuous

evaluation for continued access to classified evaluation for continued access to classified

information. information.

(e) Preservation of Authority.--Nothing in this section shall be (e) Preservation of Authority.--Nothing in this section shall be

construed to limit the authorities of the Director of the Office of

Personnel Management, the Director of National Intelligence, or the

Secretary of Defense under any provision of law.

SEC. 603. PROCESS FOR SECURITY CLEARANCES.

(a) Reviews.--Not later than 180 days after the date of the (a) Reviews.--Not later than 180 days after the date of the

enactment of this Act, the Director of National Intelligence, acting as

the Security Executive Agent in accordance with subsection (d) of

section 602, in coordination with the Suitability Executive Agent and

the Credentialing Executive Agent who are serving in accordance with

subsections (b) and (c) of such section, shall submit to the

congressional intelligence committees a report that includes the

following:

(1) Review and assessment of standards.-- (1) Review and assessment of standards.--

(A) In general.--A review of the relationship among (A) In general.--A review of the relationship among

the information requested by the Questionnaire for the information requested by the Questionnaire for

National Security Positions (Standard Form 86), the National Security Positions (Standard Form 86), the

application of the Federal Investigative Standards application of the Federal Investigative Standards

prescribed by the Office of Personnel Management and prescribed by the Office of Personnel Management and

the Office of the Director of National Intelligence, the Office of the Director of National Intelligence,

and the application of the adjudicative guidelines and the application of the adjudicative guidelines

under Security Executive Agent Directive 4 (``National under Security Executive Agent Directive 4 (``National

Security Adjudicative Guidelines''). Security Adjudicative Guidelines'').

(B) Assessment.--An assessment of whether such (B) Assessment.--An assessment of whether such

Questionnaire, Standards, and guidelines should be Questionnaire, Standards, and guidelines should be

revised to account for the prospect of a holder of a revised to account for the prospect of a holder of a

security clearance becoming an insider threat. security clearance becoming an insider threat.

(2) Recommendations to improve background investigations.-- (2) Recommendations to improve background investigations.--

Recommendations to improve the background investigation Recommendations to improve the background investigation

process, including recommendations-- process, including recommendations--

(A) to simplify the Questionnaire for National (A) to simplify the Questionnaire for National

Security Positions (Standard Form 86) and increase Security Positions (Standard Form 86) and increase

customer support to applicants completing such customer support to applicants completing such

Questionnaire; Questionnaire;

(B) to use remote and virtual techniques and (B) to use remote and virtual techniques and

centralized locations during field investigation work; centralized locations during field investigation work;

(C) to utilize secure and reliable digitization of (C) to utilize secure and reliable digitization of

information obtained during the clearance process; and information obtained during the clearance process; and

(D) to build the capacity of the background (D) to build the capacity of the background

investigation labor sector. investigation labor sector.

(3) Review of schedules.--A review of whether the schedule (3) Review of schedules.--A review of whether the schedule

for processing security clearances included in section 3001 of for processing security clearances included in section 3001 of

the Intelligence Reform and Terrorism Prevention Act of 2004 the Intelligence Reform and Terrorism Prevention Act of 2004

(50 U.S.C. 3341) should be modified. (50 U.S.C. 3341) should be modified.

(4) Evaluation of splitting the background investigation (4) Evaluation of splitting the background investigation

function.-- function.--

(A) In general.--An evaluation of the impact on (A) In general.--An evaluation of the impact on

costs, quality, and timeliness of security clearance costs, quality, and timeliness of security clearance

background investigations associated with transferring background investigations associated with transferring

to the Secretary of Defense responsibility for to the Secretary of Defense responsibility for

conducting background investigations for-- conducting background investigations for--

(i) personnel of the Department of Defense; (i) personnel of the Department of Defense;

or or

(ii) all contractors to and personnel of (ii) all contractors to and personnel of

the United States Government. the United States Government.

(B) Analysis.--An analysis of-- (B) Analysis.--An analysis of--

(i) the time required for the Secretary of (i) the time required for the Secretary of

Defense to gain sufficient institutional Defense to gain sufficient institutional

capacity and capability to perform the capacity and capability to perform the

investigations described in clauses (i) and investigations described in clauses (i) and

(ii) of subparagraph (A); (ii) of subparagraph (A);

(ii) past experience with agencies and (ii) past experience with agencies and

departments of the United States having departments of the United States having

responsibility for conducting background responsibility for conducting background

investigations, including the transfer to the investigations, including the transfer to the

Office of Personnel Management of background Office of Personnel Management of background

investigations for personnel of the Department investigations for personnel of the Department

of Defense during 2003, 2004, and 2005; and of Defense during 2003, 2004, and 2005; and

(iii) the mobility of the workforce who (iii) the mobility of the workforce who

perform background investigations between perform background investigations between

government agencies and contractors. government agencies and contractors.

(b) Policy, Strategy, and Implementation.--Not later than 90 days (b) Policy, Strategy, and Implementation.--Not later than 90 days

after the date of the enactment of this Act, the Director of National

Intelligence, acting as the Security Executive Agent in accordance with

section 602(d), shall establish the following:

(1) Policy and implementation plan for interim security (1) Policy and implementation plan for interim security

clearances.--A policy and implementation plan for the issuance clearances.--A policy and implementation plan for the issuance

of interim security clearances. of interim security clearances.

(2) Policy on consistent treatment of government and (2) Policy on consistent treatment of government and

contractor personnel.--A policy and implementation plan to contractor personnel.--A policy and implementation plan to

ensure contractors are treated consistently in the security ensure contractors are treated consistently in the security

clearance process across agencies and departments of the United clearance process across agencies and departments of the United

States and as compared to employees of such agencies and States and as compared to employees of such agencies and

departments. Such policy shall address-- departments. Such policy shall address--

(A) prioritization of processing security (A) prioritization of processing security

clearances based on the mission the contractors will be clearances based on the mission the contractors will be

performing; performing;

(B) standardization of how requests for clearance (B) standardization of how requests for clearance

sponsorship are issued; sponsorship are issued;

(C) digitization of background investigation- (C) digitization of background investigation-

related forms; related forms;

(D) use of the polygraph; (D) use of the polygraph;

(E) the application of the adjudicative guidelines (E) the application of the adjudicative guidelines

under Security Executive Agent Directive 4 (``National under Security Executive Agent Directive 4 (``National

Security Adjudicative Guidelines''); Security Adjudicative Guidelines'');

(F) reciprocal recognition of clearances across (F) reciprocal recognition of clearances across

agencies and departments of the United States, agencies and departments of the United States,

regardless of status of periodic reinvestigation; regardless of status of periodic reinvestigation;

(G) tracking of clearance files as individuals move (G) tracking of clearance files as individuals move

from employment with an agency or department of the from employment with an agency or department of the

United States to employment in the private sector; and United States to employment in the private sector; and

(H) reporting on security incidents and (H) reporting on security incidents and

performance. performance.

(3) Strategy and implementation for periodic (3) Strategy and implementation for periodic

reinvestigations.-- reinvestigations.--

(A) Strategy and implementation plan.--A strategy (A) Strategy and implementation plan.--A strategy

and implementation plan to conduct periodic and implementation plan to conduct periodic

reinvestigations as part of a security clearance reinvestigations as part of a security clearance

determination exclusively on an as-needed, risk-based determination exclusively on an as-needed, risk-based

basis. Such plan shall include actions to assess the basis. Such plan shall include actions to assess the

extent to which automated records checks and other extent to which automated records checks and other

continuous evaluation methods may be used to expedite continuous evaluation methods may be used to expedite

or focus reinvestigations. or focus reinvestigations.

(B) Exception.--The Security Executive Agent may (B) Exception.--The Security Executive Agent may

provide justification if certain populations are provide justification if certain populations are

determined to require periodic reinvestigations at determined to require periodic reinvestigations at

regular intervals. regular intervals.

(4) Policy for automated records checks.--A policy and (4) Policy for automated records checks.--A policy and

implementation plan for agencies and departments of the United implementation plan for agencies and departments of the United

States Government, as a part of the security clearance process, States Government, as a part of the security clearance process,

to accept automated records checks generated pursuant to a to accept automated records checks generated pursuant to a

security clearance applicant's employment with a prior security clearance applicant's employment with a prior

employer. employer.

(5) Policy and implementation for sharing of background (5) Policy and implementation for sharing of background

investigation data.--A policy and implementation plan for investigation data.--A policy and implementation plan for

sharing information between and among agencies or departments sharing information between and among agencies or departments

of the United States and private entities that is relevant to of the United States and private entities that is relevant to

decisions about granting or renewing security clearances. Such decisions about granting or renewing security clearances. Such

information shall-- information shall--

(A) pertain to security and human resources (A) pertain to security and human resources

matters; and matters; and

(B) be treated in a manner consistent with privacy (B) be treated in a manner consistent with privacy

concerns. concerns.

SEC. 604. REPORTS ON THE VULNERABILITIES EQUITIES POLICY AND PROCESS OF

THE FEDERAL GOVERNMENT. THE FEDERAL GOVERNMENT.

(a) Report Policy and Process.-- (a) Report Policy and Process.--

(1) In general.--Not later than 90 days after the date of (1) In general.--Not later than 90 days after the date of

the enactment of this Act and not later than 30 days after any the enactment of this Act and not later than 30 days after any

substantive change in policy, the head of each element of the substantive change in policy, the head of each element of the

intelligence community shall submit to the congressional intelligence community shall submit to the congressional

intelligence committees a report detailing the process and intelligence committees a report detailing the process and

criteria the head uses for determining whether to submit a criteria the head uses for determining whether to submit a

vulnerability for review under the vulnerabilities equities vulnerability for review under the vulnerabilities equities

policy and process of the Federal Government. policy and process of the Federal Government.

(2) Form.--Each report submitted under paragraph (1) shall (2) Form.--Each report submitted under paragraph (1) shall

be submitted in unclassified form, but may include a classified be submitted in unclassified form, but may include a classified

annex. annex.

(b) Annual Report on Vulnerabilities.-- (b) Annual Report on Vulnerabilities.--

(1) In general.--Not less frequently than once each year, (1) In general.--Not less frequently than once each year,

the Director of National Intelligence shall submit to the the Director of National Intelligence shall submit to the

congressional intelligence committees a report on-- congressional intelligence committees a report on--

(A) how many vulnerabilities the intelligence (A) how many vulnerabilities the intelligence

community has submitted for review during the previous community has submitted for review during the previous

calendar year; calendar year;

(B) how many of such vulnerabilities were (B) how many of such vulnerabilities were

ultimately disclosed to the vendor responsible for ultimately disclosed to the vendor responsible for

correcting the vulnerability during the previous correcting the vulnerability during the previous

calendar year; and calendar year; and

(C) vulnerabilities disclosed since the previous (C) vulnerabilities disclosed since the previous

report that have either-- report that have either--

(i) been patched or mitigated by the (i) been patched or mitigated by the

responsible vendor; or responsible vendor; or

(ii) have not been patched or mitigated by (ii) have not been patched or mitigated by

the responsible vendor and more than 180 days the responsible vendor and more than 180 days

have elapsed since the vulnerability was have elapsed since the vulnerability was

disclosed. disclosed.

(2) Contents.--Each report submitted under paragraph (1) (2) Contents.--Each report submitted under paragraph (1)

shall include the following: shall include the following:

(A) The date the vulnerability was disclosed to the (A) The date the vulnerability was disclosed to the

responsible vendor. responsible vendor.

(B) The date the patch or mitigation for the (B) The date the patch or mitigation for the

vulnerability was made publicly available by the vulnerability was made publicly available by the

responsible vendor. responsible vendor.

(C) An unclassified appendix that includes-- (C) An unclassified appendix that includes--

(i) a top-line summary of the aggregate (i) a top-line summary of the aggregate

number of vulnerabilities disclosed to vendors, number of vulnerabilities disclosed to vendors,

how many have been patched, and the average how many have been patched, and the average

time between disclosure of the vulnerability time between disclosure of the vulnerability

and the patching of the vulnerability; and and the patching of the vulnerability; and

(ii) the aggregate number of (ii) the aggregate number of

vulnerabilities disclosed to each responsible vulnerabilities disclosed to each responsible

vendor, delineated by the amount of time vendor, delineated by the amount of time

required to patch or mitigate the required to patch or mitigate the

vulnerability, as defined by thirty day vulnerability, as defined by thirty day

increments. increments.

(3) Form.--Each report submitted under paragraph (1) shall (3) Form.--Each report submitted under paragraph (1) shall

be in classified form. be in classified form.

(c) Vulnerabilities Equities Policy and Process of the Federal (c) Vulnerabilities Equities Policy and Process of the Federal

Government Defined.--In this section, the term ``vulnerabilities

equities policy and process of the Federal Government'' means the

policy and process established by the National Security Council for the

Federal Government, or successor set of policies and processes,

establishing policy and responsibilities for disseminating information

about vulnerabilities discovered by the Federal Government or its

contractors, or disclosed to the Federal Government by the private

sector in government off-the-shelf (GOTS), commercial off-the-shelf

(COTS), or other commercial information technology or industrial

control products or systems (including both hardware and software).

SEC. 605. BUG BOUNTY PROGRAMS.

(a) Definitions.--In this section: (a) Definitions.--In this section:

(1) Bug bounty program.--The term ``bug bounty program'' (1) Bug bounty program.--The term ``bug bounty program''

means a program under which an approved computer security means a program under which an approved computer security

specialist or security researcher is temporarily authorized to specialist or security researcher is temporarily authorized to

identify and report vulnerabilities within an information identify and report vulnerabilities within an information

system in exchange for payment. system in exchange for payment.

(2) Information system.--The term ``information system'' (2) Information system.--The term ``information system''

has the meaning given that term in section 3502 of title 44, has the meaning given that term in section 3502 of title 44,

United States Code. United States Code.

(b) Bug Bounty Program Plan.-- (b) Bug Bounty Program Plan.--

(1) Requirement.--Not later than 180 days after the date of (1) Requirement.--Not later than 180 days after the date of

the enactment of this Act, the Under Secretary for Intelligence the enactment of this Act, the Under Secretary for Intelligence

and Analysis of the Department of Homeland Security shall and Analysis of the Department of Homeland Security shall

submit to the congressional intelligence committees a strategic submit to the congressional intelligence committees a strategic

plan to implement bug bounty programs at appropriate agencies plan to implement bug bounty programs at appropriate agencies

and departments of the United States. and departments of the United States.

(2) Contents.--The plan required by paragraph (1) shall (2) Contents.--The plan required by paragraph (1) shall

include-- include--

(A) an assessment of-- (A) an assessment of--

(i) the effectiveness of the ``Hack the (i) the effectiveness of the ``Hack the

Pentagon'' pilot program carried out by the Pentagon'' pilot program carried out by the

Department of Defense in 2016 and subsequent Department of Defense in 2016 and subsequent

bug bounty programs in identifying and bug bounty programs in identifying and

reporting vulnerabilities within the reporting vulnerabilities within the

information systems of the Department of information systems of the Department of

Defense; and Defense; and

(ii) private sector bug bounty programs, (ii) private sector bug bounty programs,

including such programs implemented by leading including such programs implemented by leading

technology companies in the United States; and technology companies in the United States; and

(B) recommendations on the feasibility of (B) recommendations on the feasibility of

initiating bug bounty programs at appropriate agencies initiating bug bounty programs at appropriate agencies

and departments of the United States. and departments of the United States.

SEC. 606. REPORT ON CYBER ATTACKS BY FOREIGN GOVERNMENTS AGAINST UNITED

STATES ELECTION INFRASTRUCTURE. STATES ELECTION INFRASTRUCTURE.

(a) Report Required.--Not later than 60 days after the date of the (a) Report Required.--Not later than 60 days after the date of the

enactment of this Act, the Under Secretary of Homeland Security for

Intelligence and Analysis shall submit to congressional leadership and

the congressional intelligence committees a report on cyber attacks and

attempted cyber attacks by foreign governments on United States

election infrastructure in States and localities in connection with the

2016 presidential election in the United States and such cyber attacks

or attempted cyber attacks as the Under Secretary anticipates against

such infrastructure. Such report shall identify the States and

localities af