H.R. 3523 - Cyber Intelligence Sharing and Protection Act

Bill Text

    Text of H.R. 3523 PDF

    Rules Committee Print 112-20, showing text of the bill as reported with additional changes recommended by the Chair and Ranking Minority Member of the Permanent Select Committee on Intelligence

    Text of H. Rept. 112-445 PDF

    Report from the Permanent Select Committee on Intelligence

Rule Information


REPORTED BY VOICE VOTE on Wednesday, April 25, 2012.

Adopted by record vote of 236-185, after agreeing to the previous question of 241-179, on Thursday, April 26, 2012.  

MANAGERS: Nugent/Polis

1. Structured rule for H.R. 3523.

2. Provides one hour of general debate equally divided and controlled by the chair and ranking minority member of the Permanent Select Committee on Intelligence.

3. Waives all points of order against consideration of the bill.

4. Makes in order as original text for purpose of amendment the amendment in the nature of a substitute consisting of the text of Rules Committee Print 112-20 and provides that it shall be considered as read.

5. Waives all points of order against consideration of the bill.

6. Makes in order only those amendments printed int he Rules Committee report. Each such amendment may be offered only int eh order printed in the report, may be offered only by a member designated int he report, shall be considered as read, shall be debatable for the time specified in the report equally divided and controlled by the proponent and an opponent, shall not be subject to amendment, and shall not be subject to a demand for division of the question.

7. Waives all points of order against the amendment in the nature of a substitute.

8. Provides one motion to recommit with or without instructions.

9. Provides that it shall be in order at any time through the legislative day of April 27, 2012, for the Speaker to entertain motions that the House suspend the rules, as though under clause 1 of rule XV, relating to the following measures: H.R. 2096, the Cybersecurity Enhancement Act of 2011; H.R. 3834, the Advancing America's Networking and Information Technology Research and Development Act of 2012; and H.R. 4257, the Federal Information Security Amendments Act of 2012.

10. Closed rule for H.R. 4628.

11. Provides one hour of debate equally divided and controlled by the chair and ranking minority member of the Committee on Education and the Workforce.

12. Waives all points of order against consideration of the bill and provides that it shall be considered as read.

13. Waives all points of order against provisions in the bill.

14. Provides one motion to recommit.

15. Provides that the Committee on Appropriations may, at any time before 6 p.m. on Wednesday, May 2, 2012, file privileged reports to accompany measures making appropriations for the fiscal year ending September 30, 2013.


Amendments (click headers to sort)

#Version #Sponsor(s)PartySummaryStatus
12Version 1Akin (MO)RepublicanWould prohibit private companies from sharing with the government personally identifiable information of users or customers without a court order or express written consent.Submitted
33Version 1Amash (MI), Labrador (ID), Paul (TX), Nadler (NY), Polis (CO)Bi-PartisanWould prohibit the federal government from using, inter alia, library records, firearms sales records, and tax returns that it receives from private entities under CISPA.Made In Order
43Version 2Barton (TX), Markey, Edward (MA)Bi-PartisanLate Revised Would instruct companies to only share consumers' personal information as needed to counteract a cyber attack and for no other purpose.Submitted
24Version 1Broun (GA)RepublicanWithdrawn Would amend Section 2 (c) (1) to only allow the Federal Government to use cyber threat information for a cybersecurity purpose or for the protection of the national security of the United States.Withdrawn
30Version 2Conyers (MI)DemocratRevised Would strike the exemption from criminal liability, strike the civil liability exemption for decisions made based upon cyber threat information identified, obtained, or shared under the bill, and ensure that those who negligently cause injury through the use of cybersecurity systems or the sharing of information are not exempt from potential civil liability.Made In Order
31Version 1Conyers (MI)DemocratWould specify that the information authorized to be shared under the bill not be shared for the purpose of certain specified antitrust violations.Submitted
3Version 1Flake, Jeff (AZ)RepublicanWould add a requirement to include a list of all federal agencies receiving information shared with the government in the report by the Inspector General of the Intelligence Community required under the legislation.Made In Order
39Version 1Goodlatte (VA)RepublicanWould narrow definitions in the bill regarding what information may be identified, obtained, and shared. Made In Order
20Version 1Hahn (CA)DemocratWithdrawn Would require the Secretary of DHS to conduct an internal review of cyber threat intelligence information shared with the department and destroy personally identifiable information that no longer serves a cybersecurity purpose. Would also encourage the Secretary to develop procedures that provide for the continuous destruction of any personally identifiable information that is unnecessary.Withdrawn
40Version 1Heck (NV)RepublicanLate Withdrawn Would make clear that companies could voluntarily contract out of the liability protection provided in the bill in order to compete on the basis of privacy protections.Withdrawn
10Version 1Jackson Lee (TX)DemocratWould ensure that The Director of National Intelligence in coordination with DHS Secretary shall on a continual basis identify and evaluate cybersecurity risks to critical infrastructure to the transportation systems sector for inclusion in annual risk assessments required under the Department of Homeland Security National Infrastructure Protection Plan.Submitted
11Version 1Jackson Lee (TX)DemocratWould authorize the Secretary to intercept and deploy countermeasure with regard to system traffic for cybersecurity purposes in effect identification of cybersecurity risks to federal systems.Made In Order
15Version 1Jackson Lee (TX)DemocratWithdrawn Would require outreach to women and minorities for business opportunities.Withdrawn
16Version 1Jackson Lee (TX)DemocratWould provide that the DNI and the Secretary of DHS may establish a consortium to be known as the "Cyberintelligence Domestic Preparedness Consortium".Submitted
17Version 1Jackson Lee (TX)DemocratWould require coordination between DNI and DHS when sharing with overseas affiliates.Submitted
34Version 1Langevin (RI), Lungren (CA)Bi-PartisanWould expand eligibility to participate in the voluntary information sharing program created in the bill to include critical infrastructure owners and operators, which allows entities that are not entirely privately owned, such as airports, utilities, and public transit systems, to receive vital cybersecurity information and better secure their networks against cyber threats.Made In Order
35Version 1Langevin (RI), Connolly (VA)DemocratWould create a National Office for Cyberspace in the Executive Office of the President and codify multiple policy recommendations made by the Obama Administration’s 60-Day Cyberspace Policy Review, public-private sector working groups such as the CSIS Commission on Cybersecurity for the 44th Presidency, and GAO for remedying security deficiencies throughout the federal government.Submitted
9Version 1Lewis, John (GA)DemocratWould protect lawful protestors from unwarranted surveillance.Submitted
25Version 2Lofgren (CA), Paul (TX), Polis (CO), Hastings, Alcee (FL)Bi-PartisanRevised Would restrict the Federal Government's use of the information it collects under the Act to cybersecurity purposes. Would also allow for law enforcement use upon probable cause that the information is relevant and material to an investigation of a federal crime (limited to wiretap predicates, in 18 USC 2516).Submitted
32Version 1McNerney (CA)DemocratWould prevent states or their subdivisions from requiring that private entities locate data centers in their jurisdiction as a condition of doing business in that area. Would not apply to data centers solely serving governmental purposes.Submitted
29Version 1Mulvaney (SC)RepublicanWould sunset the provisions of the bill five years after the date of enactment.Made In Order
41Version 1Mulvaney (SC), Dicks (WA)Bi-PartisanLate Would provide clear authority to the government to create reasonable procedures to protect privacy and civil liberties, consistent with the need of the government to protect federal systems and cybersecurity. Would also prohibit the federal government from retaining or using information shared pursuant to paragraph (b)(1) for anything other than a use permitted under paragraph (c)(1).Made In Order
14Version 1Myrick (NC), Wolf (VA)RepublicanWithdrawn Would exclude certain entities from the definition of a "private-sector entity". Would make clear to the Director of National Intelligence that such companies are not suitable partners for the U.S., and ensure that any sharing of U.S. government information on cybersecurity excludes such entities.Withdrawn
8Version 1Nadler (NY)DemocratWould improve the ability of Americans to hold its government accountable for violations of provisions of the bill. Specifically, it would (1) change to the statute of limitations to allow civil actions two years after a complainant knew or should have known of a violation, (2) allow civil actions if the government violates a provision of the bill due to negligence, and (3) allows complainants to obtain injunctive relief.Submitted
1Version 1Paulsen (MN)RepublicanWould encourage international cooperation on cyber security where feasible.Made In Order
36Version 1Pompeo (KS)RepublicanWould make clear in the bill’s liability provision that the reference to the use of cybersecurity systems is the use of such systems to identify and obtain cyber threat information.Made In Order
37Version 1Pompeo (KS)RepublicanWould clarify that nothing in the bill would alter existing authorities or provide new authority to any federal agency, including DOD, NSA, DHS or the Intelligence Community to install, employ, or otherwise use cybersecurity systems on private sector networks.Made In Order
38Version 1Quayle (AZ), Eshoo (CA), Thompson, Mike (CA), Broun (GA)Bi-PartisanWould limit government use of shared cyber threat information to only 5 purposes: 1) cybersecurity; 2) investigation and prosecution of cybersecurity crimes; 3) protection of individuals from the danger of death or physical injury; 4) protection of minors from physical or psychological harm; and 5) protection of the national security of the United States.Made In Order
13Version 1Quigley (IL)DemocratWould only allow material shared with the Federal Government to be exempt from FOIA if the Director of National Intelligence determines, in writing, that the security interest in preventing disclosure of such information outweighs the public interest in disclosing such information. Requires the DNI to make the determination available to the public.Submitted
7Version 1Richardson (CA)DemocratWould make explicit that nothing in the legislation would prohibit a department or agency of the federal government from providing cyber threat information to owners and operators of critical infrastructure.Made In Order
27Version 1Richmond (LA)DemocratWould require that any federal agency receiving cyber threat information from the private sector shall provide it to the National Cybersecurity and Communications Integrations Center of the Department of Homeland Security “upon receipt."Submitted
28Version 1Richmond (LA)DemocratWould require that any federal agency receiving cyber threat information from the private sector shall provide it to the National Cybersecurity and Communications Integrations Center of the Department of Homeland Security “as soon as practicable."Submitted
42Version 1Rogers, Mike (MI), Ruppersberger (MD), Issa (CA), Langevin (RI)Bi-PartisanLate Would make clear that regulatory information already required to be provided remains FOIAable under current law. Made In Order
2Version 1Sanchez, Loretta (CA)DemocratWould provide guidelines for any department or agency in the Federal government who are charged with border search and seizure of electronic devices.Submitted
18Version 1Schakowsky (IL), Thompson, Bennie (MS), Sanchez, Loretta (CA)DemocratWould require reasonable efforts to be made to remove personally identifiable information, unrelated to a cybersecurity threat, shared in accordance with this legislation.Submitted
19Version 1Schakowsky (IL), Sanchez, Loretta (CA)DemocratWould specify that entities can only share cyber threat information with civilian federal agencies. Submitted
26Version 1Schiff (CA), Schakowsky (IL), Hastings, Alcee (FL)DemocratWould put in place additional protections for civil liberties and privacy, including minimization of personally identifiable information, restrictions on the usage of cyber threat information, and ensures civilian oversight of cybersecurity. Would also alter definitions to more specifically define cyber threat information and cyber security information.Submitted
21Version 1Thompson, Bennie (MS), Paul (TX), Sanchez, Loretta (CA), Clarke (NY), Hastings, Alcee (FL), Polis (CO)Bi-PartisanWould direct that cyber threat information shared from the private sector to the government would go through Department of Homeland Security or another civilian Federal agency.Submitted
22Version 1Thompson, Bennie (MS), Paul (TX), Sanchez, Loretta (CA), Amash (MI)Bi-PartisanWould mandate the development of policies and procedures governing the acquisition, interception, retention, use, and disclosure of communications, records, system traffic, or other information associated with specific persons by the Federal Government in connection with the activities authorized by the underlying bill to foster more robust privacy and civil liberties protections.Submitted
23Version 1Thompson, Bennie (MS), Langevin (RI), Sanchez, Loretta (CA), Hastings, Alcee (FL)DemocratWould authorize existing activities of the Department of Homeland Security for securing Federal networks and supporting private sector cybersecurity efforts. Would also put in place a framework by which the Secretary would determine which infrastructure sectors are critical to our Nation, conduct risk assessments of those sectors, develop and disseminate best practices for mitigating cybersecurity risks, and work with existing regulatory agencies of critical infrastructure to incorporate best practices into existing regulations, where necessary.Submitted
6Version 1Turner (OH)RepublicanWould make a technical correction to definitions in Section 2 (g) to provide consistency with other cyber security policies within the Executive branch and the Department of Defense. Made In Order
4Version 1Woodall (GA)RepublicanWould ensure that those who choose not to participate in the voluntary program authorized by this bill are not subject to new liabilities. Made In Order
5Version 1Woodall (GA), Hahn (CA)Bi-PartisanWould hold federal government liable should the rules regarding disclosure, use, and protection of sensitive information be violated due to negligence on the part of the relevant department or agency.Submitted