Title I of the Cybersecurity Act of 2015, referred to in subsecs. (c)(1) and (h)(1), is title I of Pub. L. 114–113, div. N,
This chapter, referred to in subsec. (p)(8), was in the original “this Act”, meaning Pub. L. 107–296,
Section was formerly classified to section 148 of this title prior to renumbering by Pub. L. 115–278.
2022—Subsec. (a). Pub. L. 117–263, § 7143(b)(2)(D)(i), added subsec. (a) and struck out former subsec. (a) which defined cybersecurity purpose, cybersecurity risk, cyber threat indicator, defensive measure, cybersecurity vulnerability, incident, information sharing and analysis organization, information system, security vulnerability, and sharing.
Subsec. (b). Pub. L. 117–263, § 7143(b)(2)(D)(ii), inserted “Executive” before “Assistant Director for Cybersecurity”.
Subsec. (c)(6). Pub. L. 117–150, § 2(2)(A), inserted “operational and” before “timely”.
Subsec. (c)(13). Pub. L. 117–103 added par. (13).
Subsec. (d)(1)(A)(iii). Pub. L. 117–263, § 7143(b)(2)(D)(iii)(I), struck out “, as that term is defined under section 3003(4) of title 50” after “intelligence community”.
Subsec. (d)(1)(B)(ii). Pub. L. 117–263, § 7143(b)(2)(D)(iii)(II), substituted “Information Sharing and Analysis Organizations” for “information sharing and analysis organizations”.
Subsec. (d)(1)(E). Pub. L. 117–150, § 2(2)(B), inserted “, including an entity that collaborates with election officials,” after “governments”.
Subsec. (e)(1)(E)(ii)(II). Pub. L. 117–263, § 7143(b)(2)(D)(iv), substituted “Information Sharing and Analysis Organizations” for “information sharing and analysis organizations”.
Subsec. (p). Pub. L. 117–263, § 7143(b)(2)(D)(v), redesignated subsec. (p) relating to coordination on cybersecurity for SLTT entities as (r).
Pub. L. 117–150, § 2(2)(C), added subsec. (p) relating to coordination on cybersecurity for SLTT entities.
Subsec. (q). Pub. L. 117–263, § 7143(b)(2)(D)(vi), redesignated subsec. (q) relating to report as (s).
Pub. L. 117–150, § 2(2)(C), added subsec. (q) relating to report.
Subsec. (r). Pub. L. 117–263, § 7143(b)(2)(D)(v), redesignated subsec. (p) relating to coordination on cybersecurity for SLTT entities as (r).
Subsec. (s). Pub. L. 117–263, § 7143(b)(2)(D)(vi), redesignated subsec. (q) relating to report as (s).
2021—Subsec. (a). Pub. L. 117–81, § 1542(1), added par. (4) and redesignated former pars. (4) to (8) (as previously added or redesignated by Pub. L. 116–283) as (5) to (9), respectively.
Pub. L. 116–283, § 1716(a)(1), added pars. (1) and (7) and redesignated former pars. (1) to (5) as (2) to (6), respectively, and former par. (6) as (8).
Subsec. (c)(5)(B), (C). Pub. L. 117–81, § 1542(2)(A), added subpar. (B), redesignated former subpar. (B) as (C), and inserted in subpar. (C) as redesignated “and mitigation protocols to counter cybersecurity vulnerabilities in accordance with subparagraph (B), as appropriate,” before “with Federal”.
Subsec. (c)(6). Pub. L. 117–81, § 1548(c), inserted “, which may take the form of continuous monitoring and detection of cybersecurity risks to critical infrastructure entities that own or operate industrial control systems that support national critical functions” after “mitigation, and remediation”.
Subsec. (c)(7)(C). Pub. L. 117–81, § 1542(2)(B), substituted “share” for “sharing”.
Subsec. (c)(9). Pub. L. 117–81, § 1542(2)(C), inserted “mitigation protocols to counter cybersecurity vulnerabilities, as appropriate,” after “measures,”.
Subsec. (c)(12). Pub. L. 116–283, § 1716(a)(2), added par. (12).
Subsec. (e)(1)(I). Pub. L. 117–81, § 1541(a)(1), added subpar. (I).
Subsec. (o). Pub. L. 117–81, § 1542(4), added subsec. (o). Former subsec. (o) redesignated (p) relating to subpoena authority.
Pub. L. 116–283, § 1716(a)(3), added subsec. (o).
Subsec. (p). Pub. L. 117–81, § 1542(3), redesignated subsec. (o) as (p) relating to subpoena authority.
Subsec. (q). Pub. L. 117–81, § 1541(a)(2), added subsec. (q) relating to industrial control systems.
2019—Subsec. (d)(1)(B)(iv). Pub. L. 116–94, § 102(a)(1), inserted “, including cybersecurity specialists” after “entities”.
Subsec. (f). Pub. L. 116–94, § 102(a)(3), added subsec. (f). Former subsec. (f) redesignated (g).
Subsec. (g). Pub. L. 116–94, § 102(a)(2), redesignated subsec. (f) as (g). Former subsec. (g) redesignated (h).
Subsec. (g)(1), (2). Pub. L. 116–94, § 102(a)(4), inserted “, or any team or activity of the Center,” after “Center”.
Subsecs. (h) to (n). Pub. L. 116–94, § 102(a)(2), redesignated subsecs. (g) to (m) as (h) to (n), respectively.
2018—Pub. L. 115–278, § 2(g)(9)(A)(iii)(I), substituted “Director” for “Under Secretary appointed under section 113(a)(1)(H) of this title” wherever appearing.
Subsec. (a)(4). Pub. L. 115–278, § 2(g)(9)(A)(iii)(II), substituted “section 671(5) of this title” for “section 131(5) of this title”.
Subsec. (b). Pub. L. 115–278, § 2(g)(9)(A)(iii)(III), inserted at end “The Center shall be located in the Cybersecurity and Infrastructure Security Agency. The head of the Center shall report to the Assistant Director for Cybersecurity.”
Subsec. (c)(11). Pub. L. 115–278, § 2(g)(9)(A)(iii)(IV), substituted “Emergency Communications Division” for “Office of Emergency Communications”.
2016—Subsecs. (l), (m). Pub. L. 114–328 added subsec. (l) and redesignated former subsec. (l) as (m).
2015—Subsec. (a)(1) to (5). Pub. L. 114–113, § 203(1)(A), (B), added pars. (1) to (3), redesignated former pars. (3) and (4) as (4) and (5), respectively, and struck out former pars. (1) and (2), which defined “cybersecurity risk” and “incident”, respectively.
Subsec. (a)(6). Pub. L. 114–113, § 203(1)(C)–(E), added par. (6).
Subsec. (c)(1). Pub. L. 114–113, § 203(2)(A), inserted “cyber threat indicators, defensive measures,” before “cybersecurity risks” and “, including the implementation of title I of the Cybersecurity Act of 2015” before semicolon at end.
Subsec. (c)(3). Pub. L. 114–113, § 203(2)(B), substituted “cyber threat indicators, defensive measures, cybersecurity risks,” for “cybersecurity risks”.
Subsec. (c)(5)(A). Pub. L. 114–113, § 203(2)(C), substituted “cyber threat indicators, defensive measures, cybersecurity risks,” for “cybersecurity risks”.
Subsec. (c)(6). Pub. L. 114–113, § 203(2)(D), substituted “cyber threat indicators, defensive measures, cybersecurity risks,” for “cybersecurity risks” and struck out “and” at end.
Subsec. (c)(7)(C). Pub. L. 114–113, § 203(2)(E), added subpar. (C).
Subsec. (c)(8) to (11). Pub. L. 114–113, § 203(2)(F), added pars. (8) to (11).
Subsec. (d)(1)(B)(i). Pub. L. 114–113, § 203(3)(A)(i), substituted “, local, and tribal” for “and local”.
Subsec. (d)(1)(B)(ii). Pub. L. 114–113, § 203(3)(A)(ii), substituted “, including information sharing and analysis centers;” for “; and”.
Subsec. (d)(1)(B)(iv). Pub. L. 114–113, § 203(3)(A)(iii), (iv), added cl. (iv).
Subsec. (d)(1)(E), (F). Pub. L. 114–113, § 203(3)(B)–(D), added subpar. (E) and redesignated former subpar. (E) as (F).
Subsec. (e)(1)(A). Pub. L. 114–113, § 203(4)(A)(i), inserted “cyber threat indicators, defensive measures, and” before “information”.
Subsec. (e)(1)(B). Pub. L. 114–113, § 203(4)(A)(ii), inserted “cyber threat indicators, defensive measures, and” before “information related”.
Subsec. (e)(1)(F). Pub. L. 114–113, § 203(4)(A)(iii), substituted “cyber threat indicators, defensive measures, cybersecurity risks,” for “cybersecurity risks” and struck out “and” at end.
Subsec. (e)(1)(G). Pub. L. 114–113, § 203(4)(A)(iv), substituted “cyber threat indicators, defensive measures, cybersecurity risks, and incidents; and” for “cybersecurity risks and incidents”.
Subsec. (e)(1)(H). Pub. L. 114–113, § 203(4)(A)(v), added subpar. (H).
Subsec. (e)(2). Pub. L. 114–113, § 203(4)(B), substituted “cyber threat indicators, defensive measures, cybersecurity risks,” for “cybersecurity risks” and inserted “or disclosure” after “access”.
Subsec. (e)(3). Pub. L. 114–113, § 203(4)(C), inserted “, including by working with the Privacy Officer appointed under section 142 of this title to ensure that the Center follows the policies and procedures specified in subsections (b) and (d)(5)(C) of section 105 of the Cybersecurity Act of 2015” before period at end.
Subsecs. (g) to (l). Pub. L. 114–113, § 203(5), added subsecs. (g) to (l).
Nothing in amendment made by Pub. L. 117–263 to be construed to alter the authorities, responsibilities, functions, or activities of any agency (as such term is defined in 44 U.S.C. 3502) or officer or employee of the United States on or before
Pub. L. 116–283, div. A, title XVII, § 1716(b), “(1) Nothing in this section or the amendments made by this section [amending this section] may be construed to grant the Secretary of Homeland Security, or the head of any another Federal agency or department, any authority to promulgate regulations or set standards relating to the cybersecurity of private sector critical infrastructure that was not in effect on the day before the date of the enactment of this Act [“(2) Nothing in this section or the amendments made by this section [amending this section] may be construed to require any private entity to—“(A) request assistance from the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security; or“(B) implement any measure or recommendation suggested by the Director.”
Pub. L. 113–282, § 8, “(a) Nothing in this Act [see section 1 of Pub. L. 113–282, set out as a Short Title of 2014 Amendment note under section 101 of this title] or the amendments made by this Act shall be construed to grant the Secretary [of Homeland Security] any authority to promulgate regulations or set standards relating to the cybersecurity of private sector critical infrastructure that was not in effect on the day before the date of enactment of this Act [“(b) Nothing in this Act or the amendments made by this Act shall be construed to require any private entity—“(1) to request assistance from the Secretary; or“(2) that requested such assistance from the Secretary to implement any measure or recommendation suggested by the Secretary.”
Pub. L. 113–282, § 2, “(1) the term ‘Center’ means the national cybersecurity and communications integration center under section 226 [renumbered 227 by section 223(a)(3) of Pub. L. 114–113 and renumbered 2209 by section 2(g)(2)(I) of Pub. L. 115–278] of the Homeland Security Act of 2002 [6 U.S.C. 659], as added by section 3;“(2) the term ‘critical infrastructure’ has the meaning given that term in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101);“(3) the term ‘cybersecurity risk’ has the meaning given that term in section 226 [2209] of the Homeland Security Act of 2002, as added by section 3;“(4) the term ‘information sharing and analysis organization’ has the meaning given that term in section 212(5) [renumbered 2222(5) by section 2(g)(2)(H) of Pub. L. 115–278] of the Homeland Security Act of 2002 ([former] 6 U.S.C. 131(5)) [now 6 U.S.C. 671(5); see 6 U.S.C. 650(13)];“(5) the term ‘information system’ has the meaning given that term in section 3502(8) of title 44, United States Code; and“(6) the term ‘Secretary’ means the Secretary of Homeland Security.”