“In this subtitle:

“(a) Redesignation.—

“(1) IN GENERAL.—The National Protection and Programs Directorate of the Department shall, on and after the date of the enactment of this subtitle, be known as the ‘Cybersecurity and Infrastructure Security Agency’ (in this subtitle referred to as the ‘Agency’).

“(2) REFERENCES.—Any reference to the National Protection and Programs Directorate of the Department in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Cybersecurity and Infrastructure Security Agency of the Department.

“(b) Director.—

“(1) IN GENERAL.—The Agency shall be headed by a Director of Cybersecurity and Infrastructure Security (in this subtitle referred to as the ‘Director’), who shall report to the Secretary.

“(2) REFERENCE.—Any reference to an Under Secretary responsible for overseeing critical infrastructure protection, cybersecurity, and any other related program of the Department as described in section 103(a)(1)(H) as in effect on the day before the date of the enactment of this subtitle in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Director of Cybersecurity and Infrastructure Security of the Department.

“(c) Responsibilities.—The Director shall—

“(1) lead cybersecurity and critical infrastructure security programs, operations, and associated policy for the Agency, including national cybersecurity asset response activities;

“(2) coordinate with Federal entities and non-Federal entities, including international entities, to carry out the cybersecurity and critical infrastructure activities of the Agency, as appropriate;

“(3) carry out the Secretary’s responsibilities to secure Federal information and information systems consistent with law, including subchapter II of chapter 35 of title 44, United States Code, and the Cybersecurity Act of 2015 (contained in division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113));

“(4) coordinate a national effort to secure and protect against critical infrastructure risks;

“(5) upon request provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and, where appropriate, provide such analyses, expertise, and other technical assistance in coordination with critical infrastructure sector specific agencies and other Federal departments and agencies;

“(6) to the extent required by law, exercise duties in coordination with sector-specific agencies;

“(7) maintain and utilize mechanisms for the regular and ongoing consultation and collaboration among the Agency’s Divisions to further operational coordination, integrated situational awareness, and improved integration across the Agency in accordance with this Act;

“(8) develop, coordinate, and implement—

“(A) comprehensive strategic plans for the activities of the Agency; and

“(B) risk assessments;

“(9) carry out emergency communications responsibilities, in accordance with title XVIII;

“(10) carry out cybersecurity, infrastructure security, and emergency communications stakeholder outreach and engagement; and

“(11) carry out such other duties and powers prescribed by law or delegated by the Secretary.

“(d) Deputy director.—There shall be in the Agency a Deputy Director of Cybersecurity and Infrastructure Security who shall—

“(1) assist the Director in the management of the Agency; and

“(2) report to the Director.

“(e) Cybersecurity and infrastructure security authorities of the Secretary.—

“(1) IN GENERAL.—The responsibilities of the Secretary relating to cybersecurity and infrastructure security shall include the following:

“(A) To access, receive, and analyze law enforcement information, intelligence information, and other information from Federal Government agencies, State, local, tribal, and territorial government agencies (including law enforcement agencies), and private sector entities, and to integrate such information, in support of the mission responsibilities of the Department, in order to—

“(i) identify and assess the nature and scope of terrorist threats to the homeland;

“(ii) detect and identify threats of terrorism against the United States; and

“(iii) understand such threats in light of actual and potential vulnerabilities of the homeland.

“(B) To carry out comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the United States, including the performance of risk assessments to determine the risks posed by particular types of terrorist attacks within the United States (including an assessment of the probability of success of such attacks and the feasibility and potential efficacy of various countermeasures to such attacks).

“(C) To integrate relevant information, analysis, and vulnerability assessments (regardless of whether such information, analysis, or assessments are provided or produced by the Department) in order to identify priorities for protective and support measures by the Department, other Federal Government agencies, State, local, tribal, and territorial government agencies and authorities, the private sector, and other entities regarding terrorist and other threats to homeland security.

“(D) To ensure, pursuant to section 202, the timely and efficient access by the Department to all information necessary to discharge the responsibilities under this title, including obtaining such information from other Federal Government agencies.

“(E) To develop a comprehensive national plan for securing the key resources and critical infrastructure of the United States, including power production, generation, and distribution systems, information technology and telecommunications systems (including satellites), electronic financial and property record storage and transmission systems, emergency preparedness communications systems, and the physical and technological assets that support such systems.

“(F) To recommend measures necessary to protect the key resources and critical infrastructure of the United States in coordination with other Federal Government agencies and in cooperation with State, local, tribal, and territorial government agencies and authorities, the private sector, and other entities.

“(G) To review, analyze, and make recommendations for improvements to the policies and procedures governing the sharing of law enforcement information, and other information relating to homeland security within the Federal Government and between Federal Government agencies and State, local, tribal, and territorial government agencies and authorities.

“(H) To disseminate, as appropriate, information analyzed by the Department within the Department, to other Federal Government agencies with responsibilities relating to homeland security, and to State, local, tribal, and territorial government agencies and private sector entities with such responsibilities in order to assist in the deterrence, prevention, preemption of, or response to, terrorist attacks against the United States.

“(I) To consult with State, local, tribal, and territorial government agencies and private sector entities to ensure appropriate exchanges of information, including law enforcement-related information, relating to threats of terrorism against the United States.

“(J) To ensure that any material received pursuant to this Act is protected from unauthorized disclosure and handled and used only for the performance of official duties.

“(K) To request additional information from other Federal Government agencies, State, local, tribal, and territorial government agencies, and the private sector relating to threats of terrorism in the United States, or relating to other areas of responsibility assigned by the Secretary, including the entry into cooperative agreements through the Secretary to obtain such information.

“(L) To establish and utilize, in conjunction with the chief information officer of the Department, a secure communications and information technology infrastructure, including data-mining and other advanced analytical tools, in order to access, receive, and analyze data and information in furtherance of the responsibilities under this section, and to disseminate information acquired and analyzed by the Department, as appropriate.

“(M) To ensure, in conjunction with the chief information officer of the Department, that any information databases and analytical tools developed or utilized by the Department—

“(i) are compatible with one another and with relevant information databases of other Federal Government agencies; and

“(ii) treat information in such databases in a manner that complies with applicable Federal law on privacy.

“(N) To coordinate training and other support to the elements and personnel of the Department, other Federal Government agencies, and State, local, tribal, and territorial government agencies that provide information to the Department, or are consumers of information provided by the Department, in order to facilitate the identification and sharing of information revealed in their ordinary duties and the optimal utilization of information received from the Department.

“(O) To coordinate with Federal, State, local, tribal, and territorial law enforcement agencies, and the private sector, as appropriate.

“(P) To exercise the authorities and oversight of the functions, personnel, assets, and liabilities of those components transferred to the Department pursuant to section 201(g).

“(Q) To carry out the functions of the national cybersecurity and communications integration center under section 2209.

“(R) To carry out requirements of the Chemical Facilities Anti-Terrorism Standards Program established under title XXI and the secure handling of ammonium nitrate established under subtitle J of title VIII.

“(2) MODIFICATION.—The Secretary may modify the functions specified in sections 2203(b) and 2204(b) upon certifying to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate 60 days prior to any such modification that such modification is necessary for carrying out the activities of the Agency.

“(3) STAFF.—

“(A) IN GENERAL.—The Secretary shall provide the Agency with a staff of analysts having appropriate expertise and experience to assist the Agency in discharging its responsibilities under this section.

“(B) PRIVATE SECTOR ANALYSTS.—Analysts under this subsection may include analysts from the private sector.

“(C) SECURITY CLEARANCES.—Analysts under this subsection shall possess security clearances appropriate for their work under this section.

“(4) DETAIL OF PERSONNEL.—

“(A) IN GENERAL.—In order to assist the Agency in discharging its responsibilities under this section, personnel of the Federal agencies referred to in subparagraph (B) may be detailed to the Agency for the performance of analytic functions and related duties.

“(B) AGENCIES SPECIFIED.—The Federal agencies referred to in subparagraph (A) are the following:

“(i) The Department of State.

“(ii) The Central Intelligence Agency.

“(iii) The Federal Bureau of Investigation.

“(iv) The National Security Agency.

“(v) The National Geospatial-Intelligence Agency.

“(vi) The Defense Intelligence Agency.

“(vii) Any other agency of the Federal Government that the President considers appropriate.

“(C) INTERAGENCY AGREEMENTS.—The Secretary and the head of an agency specified in subparagraph (B) may enter into agreements for the purpose of detailing personnel under this paragraph.

“(D) BASIS.—The detail of personnel under this paragraph may be on a reimbursable or non-reimbursable basis.

“(f) Composition.—The Agency shall be composed of the following divisions:

“(1) The Cybersecurity Division, headed by an Assistant Director.

“(2) The Infrastructure Security Division, headed by an Assistant Director.

“(3) The Emergency Communications Division under title XVIII, headed by an Assistant Director.

“(g) Co-Location.—To the maximum extent practicable, the Director shall examine the establishment of central locations in geographical regions with a significant Agency presence. When establishing such locations, the Director shall coordinate with component heads and the Under Secretary for Management to co-locate or partner on any new real property leases, renewing any existing leases, or agreeing to extend or newly occupy any Federal space or new construction.

“(h) Privacy.—

“(1) IN GENERAL.—There shall be a Privacy Officer of the Agency with primary responsibility for privacy policy and compliance for the Agency.

“(2) RESPONSIBILITIES.—The responsibilities of the Privacy Officer of the Agency shall include—

“(A) assuring that the use of technologies by the Agency sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information;

“(B) assuring that personal information contained in Privacy Act systems of records of the Agency is handled in full compliance with fair information practices as specified in the Privacy Act of 1974;

“(C) evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Agency; and

“(D) conducting a privacy impact assessment of proposed rules of the Agency on the privacy of personal information, including the type of personal information collected and the number of people affected.

“(i) Savings.—Nothing in this title may be construed as affecting in any manner the authority, existing on the day before the date of the enactment of this title, of any other component of the Department or any other Federal department or agency.

“(a) Establishment.—

“(1) IN GENERAL.—There is established in the Agency a Cybersecurity Division.

“(2) ASSISTANT DIRECTOR.—The Cybersecurity Division shall be headed by an Assistant Director for Cybersecurity (in this subtitle referred to as the ‘Assistant Director’), who shall—

“(A) be at the level of Assistant Secretary within the Department; and

“(B) report to the Director.

“(3) REFERENCE.—Any reference to the Assistant Secretary for Cybersecurity and Communications in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Assistant Director for Cybersecurity.

“(b) Functions.—The Assistant Director shall—

“(1) direct the cybersecurity efforts of the Agency;

“(2) carry out activities, at the direction of the Director, related to the security of information and information systems for Federal entities consistent with law, including subchapter II of chapter 35 of title 44, United States Code, and the Cybersecurity Act of 2015 (contained in division N of the Consolidated Appropriations Act, 2016 (Public Law 114–113));

“(3) fully participate in the mechanisms required under subsection (c)(7) of section 2202; and

“(4) carry out such other duties and powers as prescribed by the Director.

“(a) Establishment.—

“(1) IN GENERAL.—There is established in the Agency an Infrastructure Security Division.

“(2) ASSISTANT DIRECTOR.—The Infrastructure Security Division shall be headed by an Assistant Director of Infrastructure Security (in this section referred to as the ‘Assistant Director’), who shall—

“(A) be at the level of Assistant Secretary within the Department; and

“(B) report to the Director.

“(3) REFERENCE.—Any reference to the Assistant Secretary for Infrastructure Protection in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Assistant Director for Infrastructure Security.

“(b) Functions.—The Assistant Director shall—

“(1) direct the critical infrastructure security efforts of the Agency;

“(2) carry out efforts, at the direction of the Director, to secure the United States high-risk chemicals and chemical facilities consistent with law, including the Chemical Facilities Anti-Terrorism Standards Program established under title XXI and the secure handling of ammonium nitrate established under subtitle J of title VIII;

“(3) fully participate in the mechanisms required under subsection (c)(7) of section 2202; and

“(4) carry out such other duties and powers as prescribed by the Director.”.