§665i — Title 6 Domestic Security | U.S. Code

Summary

Creates a program called CyberSentry inside the Agency to give continuous monitoring and detection of cybersecurity risks to industrial control systems that support national critical functions, but only when an owner or operator asks for it and agrees. The Director must use CyberSentry to form partnerships with regionally or nationally important owners and operators to provide technical help (like continuous monitoring of control systems and the IT that supports them), use sensitive intelligence to advise and share information as appropriate, find and help fix vulnerabilities that could let attackers reach control systems, produce anonymized, combined reports with findings and recommendations, and support activities authorized under section 1501 of the National Defense Authorization Act for Fiscal Year 2022. Within 180 days after December 27, 2021, the Agency’s Privacy Officer must review CyberSentry’s policies to make sure they follow privacy laws about how information is collected, kept, used, and shared, and must report compliance or any problems to the House and Senate Homeland Security committees. Within one year after December 27, 2021, the Director must brief and send a written report to those same committees about how the program is being carried out. The program cannot be used to force access to information from public remote computing or electronic service providers if disclosure is barred by section 2702 of title 18. Industrial control system: an information system used to monitor or control industrial processes, such as SCADA, DCS, HMIs, and programmable logic controllers. The program’s authority ends seven years after December 27, 2021.

Title 6, §665i

Domestic Security — Source: USLM XML via OLRC

(a)There is established in the Agency a program, to be known as “CyberSentry”, to provide continuous monitoring and detection of cybersecurity risks to critical infrastructure entities that own or operate industrial control systems that support national critical functions, upon request and subject to the consent of such owner or operator.

(b)The Director, through CyberSentry, shall—

(1)enter into strategic partnerships with critical infrastructure owners and operators that, in the determination of the Director and subject to the availability of resources, own or operate regionally or nationally significant industrial control systems that support national critical functions, in order to provide technical assistance in the form of continuous monitoring of industrial control systems and the information systems that support such systems and detection of cybersecurity risks to such industrial control systems and other cybersecurity services, as appropriate, based on and subject to the agreement and consent of such owner or operator;

(2)leverage sensitive or classified intelligence about cybersecurity risks regarding particular sectors, particular adversaries, and trends in tactics, techniques, and procedures to advise critical infrastructure owners and operators regarding mitigation measures and share information as appropriate;

(3)identify cybersecurity risks in the information technology and information systems that support industrial control systems which could be exploited by adversaries attempting to gain access to such industrial control systems, and work with owners and operators to remediate such vulnerabilities;

(4)produce aggregated, anonymized analytic products, based on threat hunting and continuous monitoring and detection activities and partnerships, with findings and recommendations that can be disseminated to critical infrastructure owners and operators; and

(5)support activities authorized in accordance with section 1501 of the National Defense Authorization Act for Fiscal Year 2022.

(c)Not later than 180 days after December 27, 2021, the Privacy Officer of the Agency under section 652(h) of this title shall—

(1)review the policies, guidelines, and activities of CyberSentry for compliance with all applicable privacy laws, including such laws governing the acquisition, interception, retention, use, and disclosure of communities; and

(2)submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report certifying compliance with all applicable privacy laws as referred to in paragraph (1), or identifying any instances of noncompliance with such privacy laws.

(d)Not later than one year after December 27, 2021, the Director shall provide to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a briefing and written report on implementation of this section.

(e)Nothing in this section may be construed to permit the Federal Government to gain access to information of a remote computing service provider to the public or an electronic service provider to the public, the disclosure of which is not permitted under section 2702 of title 18.

(f)In this section, the term “industrial control system” means an information system used to monitor and/or control industrial processes such as manufacturing, product handling, production, and distribution, including supervisory control and data acquisition (SCADA) systems used to monitor and/or control geographically dispersed assets, distributed control systems (DCSs), Human-Machine Interfaces (HMIs), and programmable logic controllers that control localized processes.

(g)The authority to carry out a program under this section shall terminate on the date that is seven years after December 27, 2021.

Notes & Related Subsidiaries

Editorial Notes

References in Text

section 1501 of the National Defense Authorization Act for Fiscal Year 2022, referred to in subsec. (b)(5), is section 1501 of Pub. L. 117–81, div. A, title XV, Dec. 27, 2021, 135 Stat. 2020, related to development of taxonomy of cyber capabilities, which is not classified to the Code. Codification section 1548(a) of Pub. L. 117–81, which directed that this section be added at the end of title XXII of the Homeland Security Act of 2002, was executed by adding this section at the end of this part as if the directory language had added the section at the end of subtitle A of title XXII of the Act, to reflect the probable intent of Congress.

Amendments

2022—Subsec. (f). Pub. L. 117–263 added subsec. (f) and struck out former subsec. (f) which defined cybersecurity risk, industrial control system, and information system.

§665i CyberSentry program