S.3480: Protecting Cyberspace as a National Asset Act of 2010

Office of Cyberspace Policy
The bill would establish an Office of Cyberspace Policy in the Executive Office of the President, headed by a Director of Cyberspace Policy (appointed by the President and confirmed by the Senate). The Director will be responsible for:
 * developing a national strategy to improve national cybersecurity
 * coordinating federal cybersecurity activities
 * advising the President on matters related to cybersecurity
 * submitting an annual report to Congress on the activities of his office

The Director will have access to any information possessed by a federal agency that he deems relevant to cybersecurity.

National Center for Cybersecurity and Communications
The bill would establish a National Center for Cybersecurity and Communications within the Department of Homeland Security, headed by a Director (again, appointed by the President and confirmed by the Senate). The Director of the NCCC will:
 * be responsible for leading the federal effort to secure information infrastructure in the United States
 * be responsible for "developing, overseeing, and enforcing information security throughout the federal government" (formerly the responsibility of the OMB Office of Electronic Government and Information Technology)
 * have access to any information possessed by a federal agency that is relevant to his responsibilities
 * establish security performance requirements, and ensure that covered critical infrastructure meets them (through measures selected by operators of that infrastructure)
 * work with heads of other federal agencies, to coordinate cybersecurity regulations

Within the NCCC would be established the United States Computer Emergency Readiness Team (US-CERT), headed by a Director. It will work with other federal agencies, state and local governments, and the private sector. It will be responsible for monitoring the security of networks of federal agencies, and for warning operators of the national information infrastructure of detected risks.

National Cyber Emergencies
If the President declares a national cyber emergency, the Director of the NCCC will issue emergency measures necessary to secure covered critical infrastructure. The emergency measures must be the least disruptive means feasible, and cannot override the Wiretap Act, the Electronic Communications Privacy Act, or the Foreign Intelligence Surveillance Act of 1978. Operators of this infrastructure would have to comply immediately with the emergency measures.

The measures would expire after 30 days unless the Director of the NCCC or the President affirms that there is still a threat or that the measures are still necessary. For any declaration or extension, the President would have to provide a report to the appropriate committees of Congress describing the nature of the emergency, why current security requirements are insufficient, and what actions are necessary to handle the situation.

CISOs and the Federal Information Security Taskforce
Agencies would designate a senior official to be the Chief Information Security Officer (CISO), who would have the authority to develop and enforce information security policies throughout the department. The CISO's authority would extend to contractors working on the agency's behalf.

The bill would establish a Federal Information Security Taskforce, headed by the Director of the NCCC and composed of (among many others) the CISO of each agency, US-CERT, and any other person designated by the chairperson. Unless extended by an Executive Order or act of Congress, the Taskforce will terminate after four years.

Senate Action
Sen. Joseph Lieberman (I-CT) introduced the bill on June 10, 2010.