Homeland Security Act of 2002 Part 3

(B) Exclusions.--The term ''voluntary''-- (i) in the case of any action brought under the securities laws as is defined in section 3(a)(47) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(47))-- (I) does not include information or statements contained in any doc.u.ments or materials filed with the Securities and Exchange Commission, or with Federal banking regulators, pursuant to section 12(i) of the Securities Exchange Act of 1934 (15 U.S.C.

781(I)); and (II) with respect to the submittal of critical infrastructure information, does not include any disclosure or writing that when made accompanied the solicitation of an offer or a sale of securities; and (ii) does not include information or statements submitted or relied upon as a basis for making licensing or permitting determinations, or during regulatory proceedings.

SEC. 213. [6 U.S.C. 132] DESIGNATION OF CRITICAL INFRASTRUCTURE PROTECTION PROGRAM.

A critical infrastructure protection program may be designated as such by one of the following: (1) The President.

(2) The Secretary of Homeland Security.

SEC. 214. [6 U.S.C. 123] PROTECTION OF VOLUNTARILY SHARED CRITICAL INFRASTRUCTURE INFORMATION.

(a) Protection.-- (1) In general.--Notwithstanding any other provision of law, critical infrastructure information (including the ident.i.ty of the submitting person or ent.i.ty) that is voluntarily submitted to a covered Federal agency for use by that agency regarding the security of critical infrastructure and protected systems, a.n.a.lysis, warning, interdependency study, recovery, reconst.i.tution, or other informational purpose, when accompanied by an express statement specified in paragraph (2)-- (A) shall be exempt from disclosure under section 552 of t.i.tle 5, United States Code (commonly referred to as the Freedom of Information Act); (B) shall not be subject to any agency rules or judicial doctrine regarding ex parte communications with a decision making official; (C) shall not, without the written consent of the person or ent.i.ty submitting such information, be used directly by such agency, any other Federal, State, or local authority, or any third party, in any civil action arising under Federal or State law if such information is submitted in good faith; (D) shall not, without the written consent of the person or ent.i.ty submitting such information, be used or disclosed by any officer or employee of the United States for purposes other than the purposes of this subt.i.tle, except-- (i) in furtherance of an investigation or the prosecution of a criminal act; or (ii) when disclosure of the information would be-- (I) to either House of Congress, or to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee thereof or subcommittee of any such joint committee; or (II) to the Comptroller General, or any authorized representative of the Comptroller General, in the course of the performance of the duties of the General Accounting Office.

(E) shall not, if provided to a State or local government or government agency-- (i) be made available pursuant to any State or local law requiring disclosure of information or records; (ii) otherwise be disclosed or distributed to any party by said State or local government or government agency without the written consent of the person or ent.i.ty submitting such information; or (iii) be used other than for the purpose of protecting critical infrastructure or protected systems, or in furtherance of an investigation or the prosecution of a criminal act; and (F) does not const.i.tute a waiver of any applicable privilege or protection provided under law, such as trade secret protection.

(2) Express statement.--For purposes of paragraph (1), the term ''express statement'', with respect to information or records, means-- (A) in the case of written information or records, a written marking on the information or records substantially similar to the following: ''This information is voluntarily submitted to the Federal Government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002.''; or (B) in the case of oral information, a similar written statement submitted within a reasonable period following the oral communication.

(b) Limitation.--No communication of critical infrastructure information to a covered Federal agency made pursuant to this subt.i.tle shall be considered to be an action subject to the requirements of the Federal Advisory Committee Act (5 U.S.C. App. 2).

(c) Independently Obtained Information.--Nothing in this section shall be construed to limit or otherwise affect the ability of a State, local, or Federal Government ent.i.ty, agency, or authority, or any third party, under applicable law, to obtain critical infrastructure information in a manner not covered by subsection (a), including any information lawfully and properly disclosed generally or broadly to the public and to use such information in any manner permitted by law.

(d) Treatment of Voluntary Submittal of Information.--The voluntary submittal to the Government of information or records that are protected from disclosure by this subt.i.tle shall not be construed to const.i.tute compliance with any requirement to submit such information to a Federal agency under any other provision of law.

(e) Procedures.-- (1) In general.--The Secretary of the Department of Homeland Security shall, in consultation with appropriate representatives of the National Security Council and the Office of Science and Technology Policy, establish uniform procedures for the receipt, care, and storage by Federal agencies of critical infrastructure information that is voluntarily submitted to the Government. The procedures shall be established not later than 90 days after the date of the enactment of this subt.i.tle.

(2) Elements.--The procedures established under paragraph (1) shall include mechanisms regarding-- (A) the acknowledgement of receipt by Federal agencies of critical infrastructure information that is voluntarily submitted to the Government; (B) the maintenance of the identification of such information as voluntarily submitted to the Government for purposes of and subject to the provisions of this subt.i.tle; (C) the care and storage of such information; and (D) the protection and maintenance of the confidentiality of such information so as to permit the sharing of such information within the Federal Government and with State and local governments, and the issuance of notices and warnings related to the protection of critical infrastructure and protected systems, in such manner as to protect from public disclosure the ident.i.ty of the submitting person or ent.i.ty, or information that is proprietary, business sensitive, relates specifically to the submitting person or ent.i.ty, and is otherwise not appropriately in the public domain.

(f) Penalties.--Whoever, being an officer or employee of the United States or of any department or agency thereof, knowingly publishes, divulges, discloses, or makes known in any manner or to any extent not authorized by law, any critical infrastructure information protected from disclosure by this subt.i.tle coming to him in the course of this employment or official duties or by reason of any examination or investigation made by, or return, report, or record made to or filed with, such department or agency or officer or employee thereof, shall be fined under t.i.tle 18 of the United States Code, imprisoned not more than 1 year, or both, and shall be removed from office or employment.

(g) Authority To Issue Warnings.--The Federal Government may provide advisories, alerts, and warnings to relevant companies, targeted sectors, other governmental ent.i.ties, or the general public regarding potential threats to critical infrastructure as appropriate. In issuing a warning, the Federal Government shall take appropriate actions to protect from disclosure-- (1) the source of any voluntarily submitted critical infrastructure information that forms the basis for the warning; or (2) information that is proprietary, business sensitive, relates specifically to the submitting person or ent.i.ty, or is otherwise not appropriately in the public domain.

(h) Authority To Delegate.--The President may delegate authority to a critical infrastructure protection program, designated under section 213, to enter into a voluntary agreement to promote critical infrastructure security, including with any Information Sharing and a.n.a.lysis Organization, or a plan of action as otherwise defined in section 708 of the Defense Production Act of 1950 (50 U.S.C.

App. 2158).

SEC. 215. [6 U.S.C. 134] NO PRIVATE RIGHT OF ACTION.

Nothing in this subt.i.tle may be construed to create a private right of action for enforcement of any provision of this Act.

Subt.i.tle C--Information Security

SEC. 221. [6 U.S.C. 141] PROCEDURES FOR SHARING INFORMATION.

The Secretary shall establish procedures on the use of information shared under this t.i.tle that-- (1) limit the redissemination of such information to ensure that it is not used for an unauthorized purpose; (2) ensure the security and confidentiality of such information; (3) protect the const.i.tutional and statutory rights of any individuals who are subjects of such information; and (4) provide data integrity through the timely removal and destruction of obsolete or erroneous names and information.

SEC. 222. [6 U.S.C. 142] PRIVACY OFFICER.

(a) Appointment and Responsibilities.--The Secretary shall appoint a senior official in the Department, who shall report directly to the Secretary, to a.s.sume primary responsibility for privacy policy, including-- (1) a.s.suring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information; (2) a.s.suring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as set out in the Privacy Act of 1974; (3) evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government; (4) conducting a privacy impact a.s.sessment of proposed rules of the Department or that of the Department on the privacy of personal information, including the type of personal information collected and the number of people affected; (5) coordinating with the Officer for Civil Rights and Civil Liberties to ensure that-- (A) programs, policies, and procedures involving civil rights, civil liberties, and privacy considerations are addressed in an integrated and comprehensive manner; and (B) Congress receives appropriate reports on such programs, policies, and procedures; and (6) preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974, internal controls, and other matters.

(b) Authority To Investigate.-- (1) In general.--The senior official appointed under subsection (a) may-- (A) have access to all records, reports, audits, reviews, doc.u.ments, papers, recommendations, and other materials available to the Department that relate to programs and operations with respect to the responsibilities of the senior official under this section; (B) make such investigations and reports relating to the administration of the programs and operations of the Department as are, in the senior official's judgment, necessary or desirable; (C) subject to the approval of the Secretary, require by subpoena the production, by any person other than a Federal agency, of all information, doc.u.ments, reports, answers, records, accounts, papers, and other data and doc.u.mentary evidence necessary to performance of the responsibilities of the senior official under this section; and (D) administer to or take from any person an oath, affirmation, or affidavit, whenever necessary to performance of the responsibilities of the senior official under this section.

(2) Enforcement of subpoenas.--Any subpoena issued under paragraph (1)(C) shall, in the case of contumacy or refusal to obey, be enforceable by order of any appropriate United States district court.

(3) Effect of oaths.--Any oath, affirmation, or affidavit administered or taken under paragraph (1)(D) by or before an employee of the Privacy Office designated for that purpose by the senior official appointed under subsection (a) shall have the same force and effect as if administered or taken by or before an officer having a seal of office.

(c) Supervision and Coordination.-- (1) In general.--The senior official appointed under subsection (a) shall-- (A) report to, and be under the general supervision of, the Secretary; and (B) coordinate activities with the Inspector General of the Department in order to avoid duplication of effort.

(2) Coordination with the inspector general.-- (A) In general.--Except as provided in subparagraph (B), the senior official appointed under subsection (a) may investigate any matter relating to possible violations or abuse concerning the administration of any program or operation of the Department relevant to the purposes under this section.

(B) Coordination.-- (i) Referral.--Before initiating any investigation described under subparagraph (A), the senior official shall refer the matter and all related complaints, allegations, and information to the Inspector General of the Department.

(ii) Determinations and notifications by the inspector general.-- (I) In general.--Not later than 30 days after the receipt of a matter referred under clause (i), the Inspector General shall-- (aa) make a determination regarding whether the Inspector General intends to initiate an audit or investigation of the matter referred under clause (i); and (bb) notify the senior official of that determination.

(II) Investigation not initiated.--If the Inspector General notifies the senior official under subclause (I)(bb) that the Inspector General intended to initiate an audit or investigation, but does not initiate that audit or investigation within 90 days after providing that notification, the Inspector General shall further notify the senior official that an audit or investigation was not initiated. The further notification under this subclause shall be made not later than 3 days after the end of that 90-day period.

(iii) Investigation by senior official.--The senior official may investigate a matter referred under clause (i) if-- (I) the Inspector General notifies the senior official under clause (ii)(I)(bb) that the Inspector General does not intend to initiate an audit or investigation relating to that matter; or (II) the Inspector General provides a further notification under clause (ii)(II) relating to that matter.

(iv) Privacy training.--Any employee of the Office of Inspector General who audits or investigates any matter referred under clause (i) shall be required to receive adequate training on privacy laws, rules, and regulations, to be provided by an ent.i.ty approved by the Inspector General in consultation with the senior official appointed under subsection (a).

(d) Notification to Congress on Removal.--If the Secretary removes the senior official appointed under subsection (a) or transfers that senior official to another position or location within the Department, the Secretary shall-- (1) promptly submit a written notification of the removal or transfer to Houses of Congress; and (2) include in any such notification the reasons for the removal or transfer.

(e) Reports by Senior Official to Congress.--The senior official appointed under subsection (a) shall-- (1) submit reports directly to the Congress regarding performance of the responsibilities of the senior official under this section, without any prior comment or amendment by the Secretary, Deputy Secretary, or any other officer or employee of the Department or the Office of Management and Budget; and (2) inform the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives not later than-- (A) 30 days after the Secretary disapproves the senior official's request for a subpoena under subsection (b)(1)(C) or the Secretary substantively modifies the requested subpoena; or (B) 45 days after the senior official's request for a subpoena under subsection (b)(1)(C), if that subpoena has not either been approved or disapproved by the Secretary.

SEC. 223. [6 U.S.C. 143] ENHANCEMENT OF NON-FEDERAL CYBERSECURITY.

In carrying out the responsibilities under section 201, the Under Secretary for Intelligence and a.n.a.lysis, in cooperation with the a.s.sistant Secretary for Infrastructure Protection shall-- (1) as appropriate, provide to State and local government ent.i.ties, and upon request to private ent.i.ties that own or operate critical information systems-- (A) a.n.a.lysis and warnings related to threats to, and vulnerabilities of, critical information systems; and (B) in coordination with the Under Secretary for Emergency Preparedness and Response, crisis management support in response to threats to, or attacks on, critical information systems; and (2) as appropriate, provide technical a.s.sistance, upon request, to the private sector and other government ent.i.ties, in coordination with the Under Secretary for Emergency Preparedness and Response, with respect to emergency recovery plans to respond to major failures of critical information systems.

SEC. 224. [6 U.S.C. 144] NET GUARD.

The a.s.sistant Secretary for Infrastructure Protection may establish a national technology guard, to be known as ''NET Guard'', comprised of local teams of volunteers with expertise in relevant areas of science and technology, to a.s.sist local communities to respond and recover from attacks on information systems and communications networks.

SEC. 225. [6 U.S.C. 145] CYBER SECURITY ENHANCEMENT ACT OF 2002.

(a) Short t.i.tle.--This section may be cited as the ''Cyber Security Enhancement Act of 2002''.

(b) Amendment of Sentencing Guidelines Relating to Certain Computer Crimes.-- (1) Directive to the united states sentencing commission.--Pursuant to its authority under section 994(p) of t.i.tle 28, United States Code, and in accordance with this subsection, the United States Sentencing Commission shall review and, if appropriate, amend its guidelines and its policy statements applicable to persons convicted of an offense under section 1030 of t.i.tle 18, United States Code.

(2) Requirements.--In carrying out this subsection, the Sentencing Commission shall-- (A) ensure that the sentencing guidelines and policy statements reflect the serious nature of the offenses described in paragraph (1), the growing incidence of such offenses, and the need for an effective deterrent and appropriate punishment to prevent such offenses; (B) consider the following factors and the extent to which the guidelines may or may not account for them-- (i) the potential and actual loss resulting from the offense; (ii) the level of sophistication and planning involved in the offense; (iii) whether the offense was committed for purposes of commercial advantage or private financial benefit; (iv) whether the defendant acted with malicious intent to cause harm in committing the offense; (v) the extent to which the offense violated the privacy rights of individuals harmed; (vi) whether the offense involved a computer used by the government in furtherance of national defense, national security, or the administration of justice; (vii) whether the violation was intended to or had the effect of significantly interfering with or disrupting a critical infrastructure; and (viii) whether the violation was intended to or had the effect of creating a threat to public health or safety, or injury to any person; (C) a.s.sure reasonable consistency with other relevant directives and with other sentencing guidelines; (D) account for any additional aggravating or mitigating circ.u.mstances that might justify exceptions to the generally applicable sentencing ranges; (E) make any necessary conforming changes to the sentencing guidelines; and (F) a.s.sure that the guidelines adequately meet the purposes of sentencing as set forth in section 3553(a)(2) of t.i.tle 18, United States Code.

(c) Study and Report on Computer Crimes.--Not later than May 1, 2003, the United States Sentencing Commission shall submit a brief report to Congress that explains any actions taken by the Sentencing Commission in response to this section and includes any recommendations the Commission may have regarding statutory penalties for offenses under section 1030 of t.i.tle 18, United States Code.

(d) Emergency Disclosure Exception.-- (1) * * *

(2) Reporting of disclosures.--A government ent.i.ty that receives a disclosure under section 2702(b) of t.i.tle 18, United States Code, shall file, not later than 90 days after such disclosure, a report to the Attorney General stating the paragraph of that section under which the disclosure was made, the date of the disclosure, the ent.i.ty to which the disclosure was made, the number of customers or subscribers to whom the information disclosed pertained, and the number of communications, if any, that were disclosed. The Attorney General shall publish all such reports into a single report to be submitted to Congress 1 year after the date of enactment of this Act.

Subt.i.tle D--Office of Science and Technology

SEC. 231. [6 U.S.C. 161] ESTABLISHMENT OF OFFICE; DIRECTOR.

(a) Establishment.-- (1) In general.--There is hereby established within the Department of Justice an Office of Science and Technology (hereinafter in this t.i.tle referred to as the ''Office'').

(2) Authority.--The Office shall be under the general authority of the a.s.sistant Attorney General, Office of Justice Programs, and shall be established within the National Inst.i.tute of Justice.

(b) Director.--The Office shall be headed by a Director, who shall be an individual appointed based on approval by the Office of Personnel Management of the executive qualifications of the individual.

SEC. 232. [6 U.S.C. 162] MISSION OF OFFICE; DUTIES.

(a) Mission.--The mission of the Office shall be-- (1) to serve as the national focal point for work on law enforcement technology; and (2) to carry out programs that, through the provision of equipment, training, and technical a.s.sistance, improve the safety and effectiveness of law enforcement technology and improve access to such technology by Federal, State, and local law enforcement agencies.

(b) Duties.--In carrying out its mission, the Office shall have the following duties: (1) To provide recommendations and advice to the Attorney General.

(2) To establish and maintain advisory groups (which shall be exempt from the provisions of the Federal Advisory Committee Act (5 U.S.C. App.)) to a.s.sess the law enforcement technology needs of Federal, State, and local law enforcement agencies.

(3) To establish and maintain performance standards in accordance with the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113) for, and test and evaluate law enforcement technologies that may be used by, Federal, State, and local law enforcement agencies.

(4) To establish and maintain a program to certify, validate, and mark or otherwise recognize law enforcement technology products that conform to standards established and maintained by the Office in accordance with the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113). The program may, at the discretion of the Office, allow for supplier's declaration of conformity with such standards.

(5) To work with other ent.i.ties within the Department of Justice, other Federal agencies, and the executive office of the President to establish a coordinated Federal approach on issues related to law enforcement technology.

(6) To carry out research, development, testing, evaluation, and cost-benefit a.n.a.lyses in fields that would improve the safety, effectiveness, and efficiency of law enforcement technologies used by Federal, State, and local law enforcement agencies, including, but not limited to-- (A) weapons capable of preventing use by unauthorized persons, including personalized guns; (B) protective apparel; (C) bullet-resistant and explosion- resistant gla.s.s; (D) monitoring systems and alarm systems capable of providing precise location information; (E) wire and wireless interoperable communication technologies; (F) tools and techniques that facilitate investigative and forensic work, including computer forensics; (G) equipment for particular use in counterterrorism, including devices and technologies to disable terrorist devices; (H) guides to a.s.sist State and local law enforcement agencies; (I) DNA identification technologies; and (J) tools and techniques that facilitate investigations of computer crime.

(7) To administer a program of research, development, testing, and demonstration to improve the interoperability of voice and data public safety communications.

(8) To serve on the Technical Support Working Group of the Department of Defense, and on other relevant interagency panels, as requested.

(9) To develop, and disseminate to State and local law enforcement agencies, technical a.s.sistance and training materials for law enforcement personnel, including prosecutors.

(10) To operate the regional National Law Enforcement and Corrections Technology Centers and, to the extent necessary, establish additional centers through a compet.i.tive process.

(11) To administer a program of acquisition, research, development, and dissemination of advanced investigative a.n.a.lysis and forensic tools to a.s.sist State and local law enforcement agencies in combating cybercrime.

(12) To support research fellowships in support of its mission.

(13) To serve as a clearinghouse for information on law enforcement technologies.

(14) To represent the United States and State and local law enforcement agencies, as requested, in international activities concerning law enforcement technology.

(15) To enter into contracts and cooperative agreements and provide grants, which may require in- kind or cash matches from the recipient, as necessary to carry out its mission.

(16) To carry out other duties a.s.signed by the Attorney General to accomplish the mission of the Office.

(c) Compet.i.tion Required.--Except as otherwise expressly provided by law, all research and development carried out by or through the Office shall be carried out on a compet.i.tive basis.