National cybersecurity and communications integration center

§ 659

TITLE 6—DOMESTIC SECURITY

(2) Subsequent conversion
After the date on which an individual who
refuses a conversion under paragraph (1) stops
serving in the position selected to be converted, the position may be converted to a position in the excepted service.
(f) Study and report
Not later than 120 days after December 18,
2014, the National Protection and Programs Directorate shall submit a report regarding the
availability of, and benefits (including cost savings and security) of using, cybersecurity personnel and facilities outside of the National
Capital Region (as defined in section 2674 of title
10) to serve the Federal and national need to—
(1) the Subcommittee on Homeland Security
of the Committee on Appropriations and the
Committee on Homeland Security and Governmental Affairs of the Senate; and
(2) the Subcommittee on Homeland Security
of the Committee on Appropriations and the
Committee on Homeland Security of the
House of Representatives.
(Pub. L. 107–296, title XXII, § 2208, formerly title
II, § 226, as added Pub. L. 113–277, § 3(a), Dec. 18,
2014, 128 Stat. 3005; renumbered title XXII, § 2208,
Pub. L. 115–278, § 2(g)(2)(I), Nov. 16, 2018, 132 Stat.
4178.)
CODIFICATION
Section was formerly classified to section 147 of this
title prior to renumbering by Pub. L. 115–278.
CHANGE OF NAME
Reference to National Protection and Programs Directorate of the Department of Homeland Security
deemed to be a reference to the Cybersecurity and Infrastructure Security Agency of the Department, see
section 652(a)(2) of this title, enacted Nov. 16, 2018.

§ 659. National cybersecurity and communications integration center
(a) Definitions
In this section—
(1) the term ‘‘cybersecurity risk’’—
(A) means threats to and vulnerabilities of
information or information systems and any
related consequences caused by or resulting
from unauthorized access, use, disclosure,
degradation, disruption, modification, or destruction of such information or information
systems, including such related consequences caused by an act of terrorism; and
(B) does not include any action that solely
involves a violation of a consumer term of
service or a consumer licensing agreement;
(2) the terms ‘‘cyber threat indicator’’ and
‘‘defensive measure’’ have the meanings given
those terms in section 102 of the Cybersecurity
Act of 2015 [6 U.S.C. 1501];
(3) the term ‘‘incident’’ means an occurrence
that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently
jeopardizes, without lawful authority, an information system;
(4) the term ‘‘information sharing and analysis organization’’ has the meaning given that
term in section 671(5) of this title;

Page 290

(5) the term ‘‘information system’’ has the
meaning given that term in section 3502(8) of
title 44; and
(6) the term ‘‘sharing’’ (including all conjugations thereof) means providing, receiving,
and disseminating (including all conjugations
of each of such terms).
(b) Center
There is in the Department a national
cybersecurity and communications integration
center (referred to in this section as the ‘‘Center’’) to carry out certain responsibilities of the
Director. The Center shall be located in the
Cybersecurity and Infrastructure Security
Agency. The head of the Center shall report to
the Assistant Director for Cybersecurity.
(c) Functions
The cybersecurity functions of the Center
shall include—
(1) being a Federal civilian interface for the
multi-directional and cross-sector sharing of
information related to cyber threat indicators,
defensive measures, cybersecurity risks, incidents, analysis, and warnings for Federal and
non-Federal entities, including the implementation of title I of the Cybersecurity Act of
2015 [6 U.S.C. 1501 et seq.];
(2) providing shared situational awareness to
enable real-time, integrated, and operational
actions across the Federal Government and
non-Federal entities to address cybersecurity
risks and incidents to Federal and non-Federal
entities;
(3) coordinating the sharing of information
related to cyber threat indicators, defensive
measures, cybersecurity risks, and incidents
across the Federal Government;
(4) facilitating cross-sector coordination to
address cybersecurity risks and incidents, including cybersecurity risks and incidents that
may be related or could have consequential
impacts across multiple sectors;
(5)(A) conducting integration and analysis,
including cross-sector integration and analysis, of cyber threat indicators, defensive measures, cybersecurity risks, and incidents; and
(B) sharing the analysis conducted under
subparagraph (A) with Federal and non-Federal entities;
(6) upon request, providing timely technical
assistance, risk management support, and incident response capabilities to Federal and
non-Federal entities with respect to cyber
threat
indicators,
defensive
measures,
cybersecurity risks, and incidents, which may
include attribution, mitigation, and remediation;
(7) providing information and recommendations on security and resilience measures to
Federal and non-Federal entities, including information and recommendations to—
(A) facilitate information security;
(B)
strengthen
information
systems
against cybersecurity risks and incidents;
and
(C) sharing 1 cyber threat indicators and
defensive measures;
1 So

in original. Probably should be ‘‘share’’.

Page 291

TITLE 6—DOMESTIC SECURITY

(8) engaging with international partners, in
consultation with other appropriate agencies,
to—
(A) collaborate on cyber threat indicators,
defensive measures, and information related
to cybersecurity risks and incidents; and
(B) enhance the security and resilience of
global cybersecurity;
(9) sharing cyber threat indicators, defensive
measures, and other information related to
cybersecurity risks and incidents with Federal
and non-Federal entities, including across sectors of critical infrastructure and with State
and major urban area fusion centers, as appropriate;
(10) participating, as appropriate, in national exercises run by the Department; and
(11) in coordination with the Emergency
Communications Division of the Department,
assessing and evaluating consequence, vulnerability, and threat information regarding
cyber incidents to public safety communications to help facilitate continuous improvements to the security and resiliency of such
communications.
(d) Composition
(1) In general
The Center shall be composed of—
(A) appropriate representatives of Federal
entities, such as—
(i) sector-specific agencies;
(ii) civilian and law enforcement agencies; and
(iii) elements of the intelligence community, as that term is defined under section
3003(4) of title 50;
(B) appropriate representatives of nonFederal entities, such as—
(i) State, local, and tribal governments;
(ii) information sharing and analysis organizations, including information sharing
and analysis centers;
(iii) owners and operators of critical information systems; and
(iv)
private
entities,
including
cybersecurity specialists;
(C) components within the Center that
carry out cybersecurity and communications activities;
(D) a designated Federal official for operational coordination with and across each
sector;
(E) an entity that collaborates with State
and local governments on cybersecurity
risks and incidents, and has entered into a
voluntary information sharing relationship
with the Center; and
(F) other appropriate representatives or
entities, as determined by the Secretary.
(2) Incidents
In the event of an incident, during exigent
circumstances the Secretary may grant a Federal or non-Federal entity immediate temporary access to the Center.
(e) Principles
In carrying out the functions under subsection
(c), the Center shall ensure—

§ 659

(1) to the extent practicable, that—
(A) timely, actionable, and relevant cyber
threat indicators, defensive measures, and
information related to cybersecurity risks,
incidents, and analysis is shared;
(B) when appropriate, cyber threat indicators, defensive measures, and information
related to cybersecurity risks, incidents, and
analysis is integrated with other relevant
information and tailored to the specific
characteristics of a sector;
(C) activities are prioritized and conducted
based on the level of risk;
(D) industry sector-specific, academic, and
national laboratory expertise is sought and
receives appropriate consideration;
(E) continuous, collaborative, and inclusive coordination occurs—
(i) across sectors; and
(ii) with—
(I) sector coordinating councils;
(II) information sharing and analysis
organizations; and
(III) other appropriate non-Federal
partners;
(F) as appropriate, the Center works to develop and use mechanisms for sharing information related to cyber threat indicators,
defensive measures, cybersecurity risks, and
incidents that are technology-neutral, interoperable, real-time, cost-effective, and resilient;
(G) the Center works with other agencies
to reduce unnecessarily duplicative sharing
of information related to cyber threat indicators, defensive measures, cybersecurity
risks, and incidents; and; 2
(H) the Center designates an agency contact for non-Federal entities;
(2) that information related to cyber threat
indicators, defensive measures, cybersecurity
risks, and incidents is appropriately safeguarded against unauthorized access or disclosure; and
(3) that activities conducted by the Center
comply with all policies, regulations, and laws
that protect the privacy and civil liberties of
United States persons, including by working
with the Privacy Officer appointed under section 142 of this title to ensure that the Center
follows the policies and procedures specified in
subsections (b) and (d)(5)(C) of section 105 of
the Cybersecurity Act of 2015 [6 U.S.C. 1504].
(f) Cyber hunt and incident response teams
(1) In general
The Center shall maintain cyber hunt and
incident response teams for the purpose of
leading Federal asset response activities and
providing timely technical assistance to Federal and non-Federal entities, including across
all critical infrastructure sectors, regarding
actual or potential security incidents, as appropriate and upon request, including—
(A) assistance to asset owners and operators in restoring services following a cyber
incident;
(B)
identification
and
analysis
of
cybersecurity risk and unauthorized cyber
activity;
2 So

in original. The semicolon probably should not appear.