§681a — Title 6 Domestic Security | U.S. Code

Summary

The Center must collect, combine, study, and protect reports from covered entities about covered cyber incidents. It must also track ransom payments, including those using virtual currency. The Center must share useful, anonymized findings and defensive steps with federal agencies, state and local governments, owners and operators of critical systems, tech companies, response firms, and researchers. It must set up ways to get feedback from stakeholders, help critical infrastructure groups voluntarily share incident and ransom information, review significant or related incidents (including ransomware) to find ways to prevent them, and quickly pull out threat indicators from ongoing threats to share with partners. The Center must publish public, unclassified reports every quarter, support cybersecurity research by sharing usable data, and, under rules that protect privacy and sources, make received incident or ransom reports available to Sector Risk Management Agencies and other federal agencies as soon as possible but no later than 24 hours after receipt. The President or a presidential designee may set a specific deadline for that 24‑hour sharing and will decide which federal agencies should get the information. Within 60 days after a required final rule and then on the first day of each month, the Director (with other national security officials) must brief congressional leaders and key committees about the national cyber threat picture. The briefing must include the number of reports (required and voluntary), month-to-month trends, common attacker tools and techniques, any intelligence gaps, and a summary of how report information is being used. The briefing must have an unclassified part and may include a classified part.

Title 6, §681a

Domestic Security — Source: USLM XML via OLRC

(a)The Center shall—

(1)receive, aggregate, analyze, and secure, using processes consistent with the processes developed pursuant to the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501 et seq.) reports from covered entities related to a covered cyber incident to assess the effectiveness of security controls, identify tactics, techniques, and procedures adversaries use to overcome those controls and other cybersecurity purposes, including to assess potential impact of cyber incidents on public health and safety and to enhance situational awareness of cyber threats across critical infrastructure sectors;

(2)coordinate and share information with appropriate Federal departments and agencies to identify and track ransom payments, including those utilizing virtual currencies;

(3)leverage information gathered about cyber incidents to—

(A)enhance the quality and effectiveness of information sharing and coordination efforts with appropriate entities, including agencies, sector coordinating councils, Information Sharing and Analysis Organizations, State, local, Tribal, and territorial governments, technology providers, critical infrastructure owners and operators, cybersecurity and cyber incident response firms, and security researchers; and

(B)provide appropriate entities, including sector coordinating councils, Information Sharing and Analysis Organizations, State, local, Tribal, and territorial governments, technology providers, cybersecurity and cyber incident response firms, and security researchers, with timely, actionable, and anonymized reports of cyber incident campaigns and trends, including, to the maximum extent practicable, related contextual information, cyber threat indicators, and defensive measures, pursuant to section 681e of this title;

(4)establish mechanisms to receive feedback from stakeholders on how the Agency can most effectively receive covered cyber incident reports, ransom payment reports, and other voluntarily provided information, and how the Agency can most effectively support private sector cybersecurity;

(5)facilitate the timely sharing, on a voluntary basis, between relevant critical infrastructure owners and operators of information relating to covered cyber incidents and ransom payments, particularly with respect to ongoing cyber threats or security vulnerabilities and identify and disseminate ways to prevent or mitigate similar cyber incidents in the future;

(6)for a covered cyber incident, including a ransomware attack, that also satisfies the definition of a significant cyber incident, or is part of a group of related cyber incidents that together satisfy such definition, conduct a review of the details surrounding the covered cyber incident or group of those incidents and identify and disseminate ways to prevent or mitigate similar incidents in the future;

(7)with respect to covered cyber incident reports under section 11 So in original. Probably should be “sections”. 681b(a) and 681c of this title involving an ongoing cyber threat or security vulnerability, immediately review those reports for cyber threat indicators that can be anonymized and disseminated, with defensive measures, to appropriate stakeholders, in coordination with other divisions within the Agency, as appropriate;

(8)publish quarterly unclassified, public reports that describe aggregated, anonymized observations, findings, and recommendations based on covered cyber incident reports, which may be based on the unclassified information contained in the briefings required under subsection (c);

(9)proactively identify opportunities, consistent with the protections in section 681e of this title, to leverage and utilize data on cyber incidents in a manner that enables and strengthens cybersecurity research carried out by academic institutions and other private sector organizations, to the greatest extent practicable; and

(10)in accordance with section 681e of this title and subsection (b) of this section, as soon as possible but not later than 24 hours after receiving a covered cyber incident report, ransom payment report, voluntarily submitted information pursuant to section 681c of this title, or information received pursuant to a request for information or subpoena under section 681d of this title, make available the information to appropriate Sector Risk Management Agencies and other appropriate Federal agencies.

(b)The President or a designee of the President—

(1)may establish a specific time requirement for sharing information under subsection (a)(10); and

(2)shall determine the appropriate Federal agencies under subsection (a)(10).

(c)Not later than 60 days after the effective date of the final rule required under section 681b(b) of this title, and on the first day of each month thereafter, the Director, in consultation with the National Cyber Director, the Attorney General, and the Director of National Intelligence, shall provide to the majority leader of the Senate, the minority leader of the Senate, the Speaker of the House of Representatives, the minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a briefing that characterizes the national cyber threat landscape, including the threat facing Federal agencies and covered entities, and applicable intelligence and law enforcement information, covered cyber incidents, and ransomware attacks, as of the date of the briefing, which shall—

(1)include the total number of reports submitted under section 681b and 681c of this title during the preceding month, including a breakdown of required and voluntary reports;

(2)include any identified trends in covered cyber incidents and ransomware attacks over the course of the preceding month and as compared to previous reports, including any trends related to the information collected in the reports submitted under section 681b and 681c of this title, including—

(A)the infrastructure, tactics, and techniques malicious cyber actors commonly use; and

(B)intelligence gaps that have impeded, or currently are impeding, the ability to counter covered cyber incidents and ransomware threats;

(3)include a summary of the known uses of the information in reports submitted under section 681b and 681c of this title; and

(4)include an unclassified portion, but may include a classified component.

Notes & Related Subsidiaries

Editorial Notes

References in Text

The Cybersecurity Information Sharing Act of 2015, referred to in subsec. (a)(1), is title I of div. N of Pub. L. 114–113, Dec. 18, 2015, 129 Stat. 2936, which is classified generally to subchapter I (§ 1501 et seq.) of chapter 6 of this title. For complete classification of this Act to the Code, see

Short Title

note set out under section 1501 of this title and Tables.

§681a Cyber Incident Review