(a) In general
The Cybersecurity Act of 2015 ( 6 U.S.C. 1501 et seq. ; enacted as division N of the Consolidated Appropriations Act, 2016; Public Law 114–113 ) is amended—
in section 102 ( 6 U.S.C. 1501 ; relating to definitions)—
by redesignating paragraphs (4), (5), (6), (7), (8), (9), (10), (11), (12), (13), (14), (15), (16), (17), and (18) as paragraphs (6), (7), (8), (9), (10), (11), (12), (13), (14), (15), (16), (17), (18), (19), and (20), respectively; and
by inserting after paragraph (3) the following new paragraphs:
in section 103 ( 6 U.S.C. 1502 ; relating to sharing of information by the Federal Government)—
in subsection (a), in the matter preceding paragraph (1), by striking develop and issue and inserting develop, issue, and, as appropriate, update ; and
in subsection (b)—
in paragraph (1)—
in paragraph (2)—
in subsection (c)—
by inserting and not later than 60 days after any update, as appropriate, of procedures required by subsection (a), after Act, ; and
by inserting (or update, as appropriate) after procedures ;
in section 104 ( 6 U.S.C. 1503 ; relating to authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats)—
in paragraph (3) of subsection (c)—
in the matter preceding subparagraph (A), by striking shall be and inserting may be ;
in subparagraph (A), by striking or after the semicolon;
in subparagraph (B), by striking the period and inserting ; or ; and
by adding at the end the following new subparagraph:
in subparagraph (B) of subsection (d)(2), by inserting , which may utilize artificial intelligence that is strictly deployed for cybersecurity purposes, after technical capability ;
in section 105 ( 6 U.S.C. 1504 ; relating to sharing of cyber threat indicators and defensive measures with the Federal Government)—
in subsection (a)—
in paragraph (2), by adding at the end the following new sentences: As appropriate, the Attorney General and the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, jointly update such policies and procedures, and issue and make publicly available such updated policies and procedures. Such updates shall prioritize rapid dissemination to State, local, Tribal, and territorial governments and owners and operators of non-Federal critical infrastructure or artificial intelligence of relevant and actionable cyber threat indicators and defensive measures. ;
in paragraph (3), in the matter preceding subparagraph (A), by striking developed or issued and inserting developed, issued, or, as appropriate, updated, ; and
in paragraph (4)—
in subsection (b)—
in paragraph (2)(B), by inserting , and, as appropriate, update, after review ; and
in paragraph (3), in the matter preceding subparagraph (A), by inserting and, as appropriate, updated, after required ; and
in subsection (c)—
in paragraph (1)(D), by inserting , including if such capability and process employs artificial intelligence before the semicolon; and
in paragraph (2), by adding at the end the following new subparagraphs:
in subsection (d)—
in paragraph (1), by striking trade secret protection and inserting intellectual property protection ; and
in paragraph (5)(A),
in section 108 ( 6 U.S.C. 1507 ; relating to construction and preemption)—
in subsection (c)—
in the matter preceding paragraph (1), by striking shall be and inserting may be ;
in paragraph (2), by striking or after the semicolon;
in paragraph (3), by striking the period and inserting ; or ; and
by adding at the end the following new paragraph:
in subsection (f)(3), by inserting to share cyber threat indicators or defensive measures after relationship ;
in section 109 ( 6 U.S.C. 1508 ; relating to report on cybersecurity threats)—
in subsection (a)—
by inserting and not later than September 30 of every two years thereafter, after Act, ;
by inserting the Secretary of Homeland Security and after in coordination with ;
by inserting and the Committee on Homeland Security and Governmental Affairs before of the Senate ;
by inserting and the Committee on Homeland Security before of the House ; and
by inserting prepositioning activities, ransomware, after attacks, ; and
in subsection (b)—
in paragraph (1), by inserting prepositioning activities, ransomware, after attacks, ;
in paragraph (2), by inserting prepositioning activity, ransomware, after attack, ;
in paragraph (3), by inserting prepositioning activities, ransomware, after attacks, each place it appears; and
in paragraph (4), by inserting prepositioning activities, ransomware, after attacks, ; and
in section 111(a) ( 6 U.S.C. 1510(a) , relating to effective period), by striking 2025 and inserting 2035 .
(b) Conforming amendments
Section 2200 of the Homeland Security Act of 2002 ( 6 U.S.C. 650 ; relating to definitions) is amended—
in paragraph (5)—
in subparagraph (B), by inserting or compromising after defeating ;
in subparagraph (C), by inserting including a security vulnerability affecting an information system or a technology included in the critical and emerging technologies list of the Office of Science and Technology Policy or successor list, such as artificial intelligence, which may be in a Federal entity’s or non-Federal entity’s software or hardware supply chain, after security vulnerability, ;
in subparagraph (D), by inserting or compromise after defeat ; and
in subparagraph (F), by inserting or compromised after exfiltrated ;
in paragraph (14), by amending subparagraph (B) to read as follows:
in paragraph (25), by inserting or compromise after defeat .