§ 659.
(c)
Functions
The cybersecurity functions of the Center shall include—
(1)
being a Federal civilian interface for the multi-directional and cross-sector sharing of information related to cyber threat indicators, defensive measures, cybersecurity risks, incidents, analysis, and warnings for Federal and non-Federal entities, including the implementation of title I of the Cybersecurity Act of 2015 [6 U.S.C. 1501 et seq.];
(2)
providing shared situational awareness to enable real-time, integrated, and operational actions across the Federal Government and non-Federal entities to address cybersecurity risks and incidents to Federal and non-Federal entities;
(3)
coordinating the sharing of information related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents across the Federal Government;
(4)
facilitating cross-sector coordination to address cybersecurity risks and incidents, including cybersecurity risks and incidents that may be related or could have consequential impacts across multiple sectors;
(5)
(A)
conducting integration and analysis, including cross-sector integration and analysis, of cyber threat indicators, defensive measures, cybersecurity risks, and incidents;
(B)
sharing mitigation protocols to counter cybersecurity vulnerabilities pursuant to subsection (n), as appropriate; and
(C)
sharing the analysis conducted under subparagraph (A) and mitigation protocols to counter cybersecurity vulnerabilities in accordance with subparagraph (B), as appropriate, with Federal and non-Federal entities;
(6)
upon request, providing operational and timely technical assistance, risk management support, and incident response capabilities to Federal and non-Federal entities with respect to cyber threat indicators, defensive measures, cybersecurity risks, and incidents, which may include attribution, mitigation, and remediation, which may take the form of continuous monitoring and detection of cybersecurity risks to critical infrastructure entities that own or operate industrial control systems that support national critical functions;
(7)
providing information and recommendations on security and resilience measures to Federal and non-Federal entities, including information and recommendations to—
(A)
facilitate information security;
(B)
strengthen information systems against cybersecurity risks and incidents; and
(C)
share cyber threat indicators and defensive measures;
(8)
engaging with international partners, in consultation with other appropriate agencies, to—
(A)
collaborate on cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents; and
(B)
enhance the security and resilience of global cybersecurity;
(9)
sharing cyber threat indicators, defensive measures, mitigation protocols to counter cybersecurity vulnerabilities, as appropriate, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities, including across sectors of critical infrastructure and with State and major urban area fusion centers, as appropriate;
(10)
participating, as appropriate, in national exercises run by the Department;
(11)
in coordination with the Emergency Communications Division of the Department, assessing and evaluating consequence, vulnerability, and threat information regarding cyber incidents to public safety communications to help facilitate continuous improvements to the security and resiliency of such communications;
(12)
detecting, identifying, and receiving information for a cybersecurity purpose about security vulnerabilities relating to critical infrastructure in information systems and devices; and
(13)
receiving, aggregating, and analyzing reports related to covered cyber incidents (as defined in section 681 of this title) submitted by covered entities (as defined in section 681 of this title) and reports related to ransom payments (as defined in section 681 of this title) submitted by covered entities (as defined in section 681 of this title) in furtherance of the activities specified in sections 652(e), 653, and 681a of this title, this subsection, and any other authorized activity of the Director, to enhance the situational awareness of cybersecurity threats across critical infrastructure sectors.
(p)
Subpoena authority
(1)
Definition
In this subsection, the term “covered device or system”—
(A)
means a device or system commonly used to perform industrial, commercial, scientific, or governmental functions or processes that relate to critical infrastructure, including operational and industrial control systems, distributed control systems, and programmable logic controllers; and
(B)
does not include personal devices and systems, such as consumer mobile devices, home computers, residential wireless routers, or residential internet enabled consumer devices.
(2)
Authority
(B)
Limit on information
A subpoena issued pursuant to subparagraph (A) may seek information—
(ii)
for not more than 20 covered devices or systems.
(C)
Liability protections for disclosing providers
(3)
Coordination
(B)
Contents
The inter-agency procedures developed under this paragraph shall provide that a subpoena issued by the Director under this subsection shall be—
(i)
issued to carry out a function described in subsection (c)(12); and
(ii)
subject to the limitations specified in this subsection.
(6)
Authentication
(B)
Invalid if not authenticated
(7)
Procedures
Not later than 90 days after January 1, 2021, the Director shall establish internal procedures and associated training, applicable to employees and operations of the Agency, regarding subpoenas issued pursuant to this subsection, which shall address the following:
(A)
The protection of and restriction on dissemination of nonpublic information obtained through such a subpoena, including a requirement that the Agency not disseminate nonpublic information obtained through such a subpoena that identifies the party that is subject to such subpoena or the entity at risk identified by information obtained, except that the Agency may share the nonpublic information with the Department of Justice for the purpose of enforcing such subpoena in accordance with paragraph (4), and may share with a Federal agency the nonpublic information of the entity at risk if—
(i)
the Agency identifies or is notified of a cybersecurity incident involving such entity, which relates to the vulnerability which led to the issuance of such subpoena;
(ii)
the Director determines that sharing the nonpublic information with another Federal department or agency is necessary to allow such department or agency to take a law enforcement or national security action, consistent with the interagency procedures under paragraph (3)(A), or actions related to mitigating or otherwise resolving such incident;
(iii)
the entity to which the information pertains is notified of the Director’s determination, to the extent practicable consistent with national security or law enforcement interests, consistent with such interagency procedures; and
(iv)
the entity consents, except that the entity’s consent shall not be required if another Federal department or agency identifies the entity to the Agency in connection with a suspected cybersecurity incident.
(B)
The restriction on the use of information obtained through such a subpoena for a cybersecurity purpose.
(C)
The retention and destruction of nonpublic information obtained through such a subpoena, including—
(i)
destruction of such information that the Director determines is unrelated to critical infrastructure immediately upon providing notice to the entity pursuant to paragraph (5); and
(ii)
destruction of any personally identifiable information not later than 6 months after the date on which the Director receives information obtained through such a subpoena, unless otherwise agreed to by the individual identified by the subpoena respondent.
(D)
The processes for providing notice to each party that is subject to such a subpoena and each entity identified by information obtained under such a subpoena.
(E)
The processes and criteria for conducting critical infrastructure security risk assessments to determine whether a subpoena is necessary prior to being issued pursuant to this subsection.
(F)
The information to be provided to an entity at risk at the time of the notice of the vulnerability, which shall include—
(i)
a discussion or statement that responding to, or subsequent engagement with, the Agency, is voluntary; and
(ii)
to the extent practicable, information regarding the process through which the Director identifies security vulnerabilities.
(8)
Limitation on procedures
(9)
Review of procedures
Not later than 1 year after January 1, 2021, the Privacy Officer of the Agency shall—
(A)
review the internal procedures established pursuant to paragraph (7) to ensure that—
(i)
such procedures are consistent with fair information practices; and
(ii)
the operations of the Agency comply with such procedures; and
(B)
notify the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives of the results of the review under subparagraph (A).
(10)
Publication of information
Not later than 120 days after establishing the internal procedures under paragraph (7), the Director shall publish information on the website of the Agency regarding the subpoena process under this subsection, including information regarding the following:
(A)
Such internal procedures.
(B)
The purpose for subpoenas issued pursuant to this subsection.
(C)
The subpoena process.
(D)
The criteria for the critical infrastructure security risk assessment conducted prior to issuing a subpoena.
(E)
Policies and procedures on retention and sharing of data obtained by subpoenas.
(F)
Guidelines on how entities contacted by the Director may respond to notice of a subpoena.
(11)
Annual reports
The Director shall annually submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report (which may include a classified annex but with the presumption of declassification) on the use of subpoenas issued pursuant to this subsection, which shall include the following:
(A)
A discussion of the following:
(i)
The effectiveness of the use of such subpoenas to mitigate critical infrastructure security vulnerabilities.
(ii)
The critical infrastructure security risk assessment process conducted for subpoenas issued under this subsection.
(iii)
The number of subpoenas so issued during the preceding year.
(iv)
To the extent practicable, the number of vulnerable covered devices or systems mitigated under this subsection by the Agency during the preceding year.
(v)
The number of entities notified by the Director under this subsection, and their responses, during the preceding year.
(B)
For each subpoena issued pursuant to this subsection, the following:
(i)
Information relating to the source of the security vulnerability detected, identified, or received by the Director.
(ii)
Information relating to the steps taken to identify the entity at risk prior to issuing the subpoena.
(iii)
A description of the outcome of the subpoena, including discussion on the resolution or mitigation of the critical infrastructure security vulnerability.
(12)
Publication of the annual reports
(13)
Prohibition on use of information for unauthorized purposes
(q)
Industrial control systems
The Director shall maintain capabilities to identify and address threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure processes. In carrying out this subsection, the Director shall—
(1)
lead Federal Government efforts, in consultation with Sector Risk Management Agencies, as appropriate, to identify and mitigate cybersecurity threats to industrial control systems, including supervisory control and data acquisition systems;
(2)
maintain threat hunting and incident response capabilities to respond to industrial control system cybersecurity risks and incidents;
(3)
provide cybersecurity technical assistance to industry end-users, product manufacturers, Sector Risk Management Agencies, other Federal agencies, and other industrial control system stakeholders to identify, evaluate, assess, and mitigate vulnerabilities;
(4)
collect, coordinate, and provide vulnerability information to the industrial control systems community by, as appropriate, working closely with security researchers, industry end-users, product manufacturers, Sector Risk Management Agencies, other Federal agencies, and other industrial control systems stakeholders; and
(5)
conduct such other efforts and assistance as the Secretary determines appropriate.
(Pub. L. 107–296, title XXII, § 2209, formerly title II, § 227, formerly § 226, as added Pub. L. 113–282, § 3(a), Dec. 18, 2014, 128 Stat. 3066; renumbered § 227 and amended Pub. L. 114–113, div. N, title II, §§ 203, 223(a)(3), Dec. 18, 2015, 129 Stat. 2957, 2963; Pub. L. 114–328, div. A, title XVIII, § 1841(b), Dec. 23, 2016, 130 Stat. 2663; renumbered title XXII, § 2209, and amended Pub. L. 115–278, § 2(g)(2)(I), (9)(A)(iii), Nov. 16, 2018, 132 Stat. 4178, 4180; Pub. L. 116–94, div. L, § 102(a), Dec. 20, 2019, 133 Stat. 3089; Pub. L. 116–283, div. A, title XVII, § 1716(a), Jan. 1, 2021, 134 Stat. 4094; Pub. L. 117–81, div. A, title XV, §§ 1541(a), 1542, 1548(c), Dec. 27, 2021, 135 Stat. 2054, 2056, 2063; Pub. L. 117–103, div. Y, § 103(a)(1), Mar. 15, 2022, 136 Stat. 1038; Pub. L. 117–150, § 2(2), June 21, 2022, 136 Stat. 1295; Pub. L. 117–263, div. G, title LXXI, § 7143(b)(2)(D), Dec. 23, 2022, 136 Stat. 3659.)