[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 9768 Introduced in House (IH)]
<DOC>
118th CONGRESS
2d Session
H. R. 9768
To amend the Homeland Security Act of 2002 to establish within the
Cybersecurity and Infrastructure Security Agency a Joint Cyber Defense
Collaborative, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
September 24, 2024
Mr. Swalwell (for himself and Mr. Thompson of Mississippi) introduced
the following bill; which was referred to the Committee on Homeland
Security, and in addition to the Committee on Oversight and
Accountability, for a period to be subsequently determined by the
Speaker, in each case for consideration of such provisions as fall
within the jurisdiction of the committee concerned
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to establish within the
Cybersecurity and Infrastructure Security Agency a Joint Cyber Defense
Collaborative, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Joint Cyber Defense Collaborative
Act''.
SEC. 2. ESTABLISHMENT OF JOINT CYBER DEFENSE COLLABORATIVE.
(a) In General.--Section 2216 of the Homeland Security Act of 2002
(6 U.S.C. 665b) is amended--
(1) in the section heading, by striking ``joint cyber
planning office'' and inserting ``joint cyber defense
collaborative'';
(2) by striking subsection (a);
(3) by redesignating subsections (b) through (f) as
subsections (f) through (j), respectively;
(4) by inserting before subsection (f), as so redesignated,
the following new subsections:
``(a) In General.--The Agency shall maintain the `Joint Cyber
Defense Collaborative' program (in this section referred to as the
`Collaborative') to support enhanced public-private partnerships across
critical infrastructure sectors for collective cyber defense
operations, information sharing, and operational collaboration, and
develop, for Federal and non-Federal entities, plans for cyber defense
operations, including the development of a set of coordinated actions
to detect, prevent, limit, prepare for, mitigate, protect against,
respond to, recover from, and build resilience to cybersecurity risks,
security vulnerabilities, and incidents, and cybersecurity threats to,
and incidents or active malicious cyber operations targeting, critical
infrastructure or national interests. The Collaborative shall be headed
by a senior official of the Agency selected by the Director.
``(b) Functions.--The Collaborative shall carry out the following:
``(1) Maintain strategic, operational partnerships with
entities and organizations with diverse cybersecurity roles,
expertise, and situational awareness that will enhance the
Agency's situational awareness of cybersecurity risks,
cybersecurity threats, and active malicious cyber operations,
including with cybersecurity and technology companies, critical
infrastructure owners and operators, security researchers and
academic institutions, non-governmental organizations,
information system vendors, manufacturers, and foreign
government entities in accordance with subsection (c), and
other entities as appropriate.
``(2) Develop, for public and private sector entities,
plans for cyber defense operations, including the development
of a set of coordinated actions to support governmental and
non-governmental entities to--
``(A) protect, detect, respond to, and recover from
cybersecurity risks, cybersecurity threats, active
malicious cyber operations, or incidents; or
``(B) limit, mitigate, or defend against active or
anticipated malicious cyber operations that pose a
potential risk to critical infrastructure or national
security interests.
``(3) Develop plans for governmental and non-governmental
entities, including cyber incident response plans under
2210(c), plans relating to threat-focused campaigns, and plans
to address long-term cybersecurity priorities.
``(4) Gather, analyze, synthesize, and rapidly share
information relating to cybersecurity threats and warnings to
inform collective cyber defense operations, either through
direct engagement or through the sharing of cybersecurity
guidance through industry organizations to drive action across
all stakeholder communities.
``(5) Facilitate the development and publication of joint
analyses with Government and non-government partners, as well
as international partners, as appropriate, regarding threat
actors, cybersecurity risks, cybersecurity threats, active
malicious cyber operations, and incidents within and across
critical infrastructure sectors, to enhance awareness of
adversary tactics, techniques, and procedures and provide
recommendations for mitigation.
``(6) Utilizing mechanisms that enable confidential real-
time information sharing and dissemination of technical
products between the Collaborative and its partners.
``(7) Develop processes and procedures to rapidly share
with non-governmental entities timely and actionable cyber
threat intelligence and information from Government entities,
including the Collaborative's partners, for purposes of
informing joint activities within the Collaborative, as well as
proactive defense actions to defend critical infrastructure and
non-Federal networks.
``(8) Establish, as appropriate, focused initiatives
designed to respond to significant, emergent, or evolving
cybersecurity risks or cybersecurity threats to, or active
malicious cyber operations targeting, critical infrastructure
sectors or technologies, including industrial control systems.
``(9) Develop plans for cyber defense operations for
Federal Government and non-Federal Government entities, as well
as plans to respond to specific cybersecurity risks,
cybersecurity threats, active malicious cyber operations, or
threat actors.
``(10) Identify information and intelligence gaps related
to cybersecurity risks, cybersecurity threats, active malicious
cyber operations, and threat actors.
``(11) Such other activities as the Director determines
appropriate to enhance the Agency's ability to carry out its
mission as described in subsection (a).
``(c) Charter.--
``(1) In general.--The Collaborative shall operate pursuant
to a charter, to be developed by the Director, that includes a
description of each of the following:
``(A) The organization and structure of the
Collaborative, as well as the relationship between the
Collaborative and existing Agency information sharing
functions, such programs within the national
cybersecurity and communications integration center
established pursuant to section 2209, and the manner in
which the Collaborative will engage, coordinate with,
and support other Agency divisions and programs.
``(B) The core capabilities the Collaborative will
provide.
``(C) How the Collaborative will prioritize,
refine, develop, and mature existing and future
capabilities to address significant, emergent, or
evolving cybersecurity risks, cybersecurity threats,
active malicious cyber operations, and incidents.
``(D) The policies and procedures that will be used
to govern the Collaborative, including mechanisms and
protocols to improve stakeholder awareness of, and
input into, Collaborative activities, as well as
procedures for notifying Collaborative partners about
changes in membership.
``(E) Policies governing the collection, use,
dissemination, and retention of information relating to
cybersecurity threats provided to or developed by the
Collaborative, consistent with the protections
established in sections 105 and 106 of the
Cybersecurity Act of 2015 (6 U.S.C. 1504 and 1505;
enacted as division N of the Consolidated
Appropriations Act, 2016 (Public Law 114-113)).
``(F) Criteria to be used in selecting focus areas,
activities, and initiatives the Collaborative will
pursue, with procedures requiring new initiatives to
cite relevant portions of the Charter, relevant
criteria, and other factors used to support such
selection.
``(G) A description of the types or categories of
partnerships in which the Collaborative will engage.
``(H) Procedures governing the selection of partner
organizations and terms of such partnerships, including
the following:
``(i) The different partnership models the
Collaborative plans to offer, depending on the
type of potential partner an organization is,
the role and function of a potential partner
organization within the cyber ecosystem, the
type of expertise and situational awareness a
potential partner organization is able to
provide, and the type of support or information
sharing a potential partner organization is
seeking from such a partnership.
``(ii) The criteria to be used in the
selection of governmental and non-governmental
entities with which the Collaborative will
partner.
``(iii) A clearly defined process for any
prospective partner to apply to join the
Collaborative, which shall be posted on the
Agency's website.
``(iv) A process for evaluating foreign
entity participation.
``(v) A process for alerting Collaborative
partners of new partners, including foreign
entities.
``(H) Administrative management policies to
facilitate regular communication between the
Collaborative and its partners, including designating
Collaborative liaisons to support the administrative
needs of Collaborative partners.
``(I) The types of assessments, guidance, reports,
and other products the Collective will release to
partners and the public, as well as the anticipated
frequency with which such products will be published.
``(J) Performance metrics that will be used
evaluate the effectiveness of the Collaborative and its
activities, and track progress on specific focus areas
and initiatives.
``(2) Considerations.--In developing the charter described
in paragraph (1), the Director shall consider the following:
``(A) Building and maintaining trust with and among
partners of the Collaborative.
``(B) Costs to partners associated with
participation in the Collaborative.
``(C) The potential of the Collaborative's
activities to reduce cybersecurity risks and
cybersecurity threats to, or active malicious cyber
operations targeting, partners of the Collaborative,
and entities that are not partners of the
Collaborative.
``(D) Appropriate mechanisms to assess
collaboration with foreign entities or foreign-owned
entities.
``(d) Advisory Council.--Not later than 60 days after the date of
the enactment of this paragraph, the Director shall establish a Joint
Cyber Defense Collaborative Advisory Council, comprised of 25
representatives of Collaborative partners with diverse cybersecurity
and critical infrastructure roles, expertise, and situational
awareness, to inform the development of the charter described in
paragraph (1) (and any updates thereto) and provide recommendations on
initiatives for the Collaborative to undertake. The Director shall seek
such recommendations from partners of the Collaborative, and appoint
members to the Advisory Council, on a rotational basis, for a period of
not more than two years. No Member of the Cybersecurity Advisory
Committee under section 2219 may serve on the Advisory Council.
``(e) Partner Organization Views.--The Director shall establish a
mechanism to receive the views of partner organizations regarding the
activities of the Collaborative, and, in addition, accept voluntary
annual evaluations from sector coordinating councils with members that
are partners of the Collaborative. Any such evaluations shall by shared
by the Director with the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and Governmental
Affairs of the Senate.
``(f) No Right or Benefit.--
``(1) In general.--The provision of assistance or
information to, and inclusion in the Collaborative, or any
activity of the Collaborative, of any governmental or non-
governmental entity under this section shall be at the
discretion of the Director.
``(2) Limitation.--The provision of certain assistance or
information to, or inclusion in the Collaborative, or any
activity of the Collaborative, pursuant to this section shall
not create a right or benefit, whether substantive or
procedural, to similar assistance or information for any other
governmental or non-governmental entity.
``(g) Implementation.--For any action taken to implement this
section, the following shall not apply:
``(1) Chapter 35 of title 44, United States Code.
``(2) Chapter 10 of title 5, United States Code.'';
(5) in subsection (g), as so redesignated--
(A) in the matter preceding paragraph (1), by
striking ``Office'' and inserting ``Collaborative'';
(B) in paragraph (1), by striking ``planning''; and
(C) in paragraph (2)--
(i) in subparagraph (E), by striking
``and'' after the semicolon; and
(ii) in subparagraph (F), by striking the
period and inserting a semicolon; and
(iii) by adding at the end the following
new subparagraphs:
``(G) the Department of State; and
``(H) the Central Intelligence Agency.'';
(6) in subsection (h), as so redesignated, in the matter
preceding paragraph (1), by striking ``responsibilities'' and
inserting ``functions'';
(7) in subsection (i), as so redesignated, by striking
``subsection (c)'' and inserting ``subsection (g)''; and
(8) by adding at the end the following new subsection:
``(k) Sunset.--This section shall expire on the date that is five
years after the date of the enactment of this subsection.''.
(b) Strategy; Annual Briefings; Information Policy.--
(1) Charter.--Not later than 120 days after the date of the
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency of the Department of Homeland
Security shall submit to the Committee on Homeland Security of
the House of Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate the charter for
the Joint Cyber Defense Collaborative developed pursuant to
subsection (c) of section 2216 of the Homeland Security Act of
2002 (6 U.S.C. 665b), as amended by this section, and shall
make such charter publicly available in the Federal Register
within seven days after such submission to Congress.
(2) Strategy.--Not later than one year after the date of
the enactment of this Act, the Director of the Cybersecurity
and Infrastructure Security Agency of the Department of
Homeland Security shall submit to the Committee on Homeland
Security of the House of Representatives and the Committee on
Homeland Security and Governmental Affairs of the Senate a
strategy describing the key priorities, objectives, and
milestones of the Joint Cyber Defense Collaborative under
section 2216 of the Homeland Security Act of 2002 (6 U.S.C.
665b), as amended by this section, as well as plans to carry
out such objectives and metrics that will be used to evaluate
effectiveness and sustain operations over time. The Director
may, as appropriate, submit to such Committees any legislative
proposals for new authorities the Collaborative needs to carry
out its mission.
(3) Annual briefings.--Not later than one year after the
date of the enactment of this Act and annually thereafter, the
Director of the Cybersecurity and Infrastructure Security
Agency of the Department of Homeland Security shall provide to
the Committee on Homeland Security of the House of
Representatives and the Committee on Homeland Security and
Governmental Affairs of the Senate a briefing on the activities
of the Joint Cyber Defense Collaborative under section 2216 of
the Homeland Security Act of 2002 (6 U.S.C. 665b), as amended
by this section.
(4) Information access and security policy.--Not later than
90 days after the date of the enactment of this Act, the
Director of the Cybersecurity and Infrastructure Security
Agency of the Department of Homeland Security shall issue a
policy regarding how information shared with the Joint Cyber
Defense Collaborative under section 2216 of the Homeland
Security Act of 2002 (6 U.S.C. 665b), as amended by this
section, may be used, including among different participants
within the Collaborative, as well as restri