Part B—Information Security
Editorial Notes
Codification
Subtitle C of title II of
Prior Provisions
A prior subtitle B of title II of
§§131 to 134. Transferred
Editorial Notes
Codification
Section 131,
Section 132,
Section 133,
Section 134,
§141. Procedures for sharing information
The Secretary shall establish procedures on the use of information shared under this subchapter that—
(1) limit the redissemination of such information to ensure that it is not used for an unauthorized purpose;
(2) ensure the security and confidentiality of such information;
(3) protect the constitutional and statutory rights of any individuals who are subjects of such information; and
(4) provide data integrity through the timely removal and destruction of obsolete or erroneous names and information.
(
Editorial Notes
References in Text
This subchapter, referred to in text, was in the original "this title", meaning title II of
§142. Privacy officer
(a) Appointment and responsibilities
The Secretary shall appoint a senior official in the Department, who shall report directly to the Secretary, to assume primary responsibility for privacy policy, including—
(1) assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information;
(2) assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as set out in the Privacy Act of 1974 [
(3) evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government;
(4) conducting a privacy impact assessment of proposed rules of the Department or that of the Department on the privacy of personal information, including the type of personal information collected and the number of people affected;
(5) coordinating with the Officer for Civil Rights and Civil Liberties to ensure that—
(A) programs, policies, and procedures involving civil rights, civil liberties, and privacy considerations are addressed in an integrated and comprehensive manner; and
(B) Congress receives appropriate reports on such programs, policies, and procedures; and
(6) preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974 [
(b) Authority to investigate
(1) In general
The senior official appointed under subsection (a) may—
(A) have access to all records, reports, audits, reviews, documents, papers, recommendations, and other materials available to the Department that relate to programs and operations with respect to the responsibilities of the senior official under this section;
(B) make such investigations and reports relating to the administration of the programs and operations of the Department as are, in the senior official's judgment, necessary or desirable;
(C) subject to the approval of the Secretary, require by subpoena the production, by any person other than a Federal agency, of all information, documents, reports, answers, records, accounts, papers, and other data and documentary evidence necessary to performance of the responsibilities of the senior official under this section; and
(D) administer to or take from any person an oath, affirmation, or affidavit, whenever necessary to performance of the responsibilities of the senior official under this section.
(2) Enforcement of subpoenas
Any subpoena issued under paragraph (1)(C) shall, in the case of contumacy or refusal to obey, be enforceable by order of any appropriate United States district court.
(3) Effect of oaths
Any oath, affirmation, or affidavit administered or taken under paragraph (1)(D) by or before an employee of the Privacy Office designated for that purpose by the senior official appointed under subsection (a) shall have the same force and effect as if administered or taken by or before an officer having a seal of office.
(c) Supervision and coordination
(1) In general
The senior official appointed under subsection (a) shall—
(A) report to, and be under the general supervision of, the Secretary; and
(B) coordinate activities with the Inspector General of the Department in order to avoid duplication of effort.
(2) Coordination with the Inspector General
(A) In general
Except as provided in subparagraph (B), the senior official appointed under subsection (a) may investigate any matter relating to possible violations or abuse concerning the administration of any program or operation of the Department relevant to the purposes under this section.
(B) Coordination
(i) Referral
Before initiating any investigation described under subparagraph (A), the senior official shall refer the matter and all related complaints, allegations, and information to the Inspector General of the Department.
(ii) Determinations and notifications by the Inspector General
(I) In general
Not later than 30 days after the receipt of a matter referred under clause (i), the Inspector General shall—
(aa) make a determination regarding whether the Inspector General intends to initiate an audit or investigation of the matter referred under clause (i); and
(bb) notify the senior official of that determination.
(II) Investigation not initiated
If the Inspector General notifies the senior official under subclause (I)(bb) that the Inspector General intended to initiate an audit or investigation, but does not initiate that audit or investigation within 90 days after providing that notification, the Inspector General shall further notify the senior official that an audit or investigation was not initiated. The further notification under this subclause shall be made not later than 3 days after the end of that 90-day period.
(iii) Investigation by senior official
The senior official may investigate a matter referred under clause (i) if—
(I) the Inspector General notifies the senior official under clause (ii)(I)(bb) that the Inspector General does not intend to initiate an audit or investigation relating to that matter; or
(II) the Inspector General provides a further notification under clause (ii)(II) relating to that matter.
(iv) Privacy training
Any employee of the Office of Inspector General who audits or investigates any matter referred under clause (i) shall be required to receive adequate training on privacy laws, rules, and regulations, to be provided by an entity approved by the Inspector General in consultation with the senior official appointed under subsection (a).
(d) Notification to Congress on removal
If the Secretary removes the senior official appointed under subsection (a) or transfers that senior official to another position or location within the Department, the Secretary shall—
(1) promptly submit a written notification of the removal or transfer to Houses of Congress; and
(2) include in any such notification the reasons for the removal or transfer.
(e) Reports by senior official to Congress
The senior official appointed under subsection (a) shall—
(1) submit reports directly to the Congress regarding performance of the responsibilities of the senior official under this section, without any prior comment or amendment by the Secretary, Deputy Secretary, or any other officer or employee of the Department or the Office of Management and Budget; and
(2) inform the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives not later than—
(A) 30 days after the Secretary disapproves the senior official's request for a subpoena under subsection (b)(1)(C) or the Secretary substantively modifies the requested subpoena; or
(B) 45 days after the senior official's request for a subpoena under subsection (b)(1)(C), if that subpoena has not either been approved or disapproved by the Secretary.
(
Editorial Notes
References in Text
The Privacy Act of 1974, referred to in subsec. (a)(2), (6), is
Amendments
2007—
2004—
Pars. (5), (6).
§§143 to 145. Transferred
Editorial Notes
Codification
Section 143,
Section 144,
Section 145,
§146. Cybersecurity workforce assessment and strategy
(a) Workforce assessment
(1) In general
Not later than 180 days after December 18, 2014, and annually thereafter for 3 years, the Secretary shall assess the cybersecurity workforce of the Department.
(2) Contents
The assessment required under paragraph (1) shall include, at a minimum—
(A) an assessment of the readiness and capacity of the workforce of the Department to meet its cybersecurity mission;
(B) information on where cybersecurity workforce positions are located within the Department;
(C) information on which cybersecurity workforce positions are—
(i) performed by—
(I) permanent full-time equivalent employees of the Department, including, to the greatest extent practicable, demographic information about such employees;
(II) independent contractors; and
(III) individuals employed by other Federal agencies, including the National Security Agency; or
(ii) vacant; and
(D) information on—
(i) the percentage of individuals within each Cybersecurity Category and Specialty Area who received essential training to perform their jobs; and
(ii) in cases in which such essential training was not received, what challenges, if any, were encountered with respect to the provision of such essential training.
(b) Workforce strategy
(1) In general
The Secretary shall—
(A) not later than 1 year after December 18, 2014, develop a comprehensive workforce strategy to enhance the readiness, capacity, training, recruitment, and retention of the cybersecurity workforce of the Department; and
(B) maintain and, as necessary, update the comprehensive workforce strategy developed under subparagraph (A).
(2) Contents
The comprehensive workforce strategy developed under paragraph (1) shall include a description of—
(A) a multi-phased recruitment plan, including with respect to experienced professionals, members of disadvantaged or underserved communities, the unemployed, and veterans;
(B) a 5-year implementation plan;
(C) a 10-year projection of the cybersecurity workforce needs of the Department;
(D) any obstacle impeding the hiring and development of a cybersecurity workforce in the Department; and
(E) any gap in the existing cybersecurity workforce of the Department and a plan to fill any such gap.
(c) Updates
The Secretary submit to the appropriate congressional committees annual updates on—
(1) the cybersecurity workforce assessment required under subsection (a); and
(2) the progress of the Secretary in carrying out the comprehensive workforce strategy required to be developed under subsection (b).
(
Editorial Notes
Codification
Section was enacted as part of the Cybersecurity Workforce Assessment Act, and not as part of the Homeland Security Act of 2002 which comprises this chapter.
Statutory Notes and Related Subsidiaries
Homeland Security Cybersecurity Workforce Assessment
"(a)
"(b)
"(1)
"(A) the Committee on Homeland Security and Governmental Affairs of the Senate;
"(B) the Committee on Homeland Security of the House of Representatives; and
"(C) the Committee on House Administration of the House of Representatives.
"(2)
"(3)
"(4)
"(5)
"(c)
"(1)
"(A) identify all cybersecurity workforce positions within the Department;
"(B) determine the primary Cybersecurity Work Category and Specialty Area of such positions; and
"(C) assign the corresponding Data Element Code, as set forth in the Office of Personnel Management's Guide to Data Standards which is aligned with the National Initiative for Cybersecurity Education's National Cybersecurity Workforce Framework report, in accordance with paragraph (2).
"(2)
"(A)
"(i) to identify open positions that include cybersecurity functions (as defined in the OPM Guide to Data Standards); and
"(ii) to assign the appropriate employment code to each such position, using agreed standards and definitions.
"(B)
"(i) each employee within the Department who carries out cybersecurity functions; and
"(ii) each open position within the Department that have been identified as having cybersecurity functions.
"(3)
"(d)
"(1)
"(A) identify Cybersecurity Work Categories and Specialty Areas of critical need in the Department's cybersecurity workforce; and
"(B) submit a report to the Director that—
"(i) describes the Cybersecurity Work Categories and Specialty Areas identified under subparagraph (A); and
"(ii) substantiates the critical need designations.
"(2)
"(A) current Cybersecurity Work Categories and Specialty Areas with acute skill shortages; and
"(B) Cybersecurity Work Categories and Specialty Areas with emerging skill shortages.
"(3)
"(A) identify Specialty Areas of critical need for cybersecurity workforce across the Department; and
"(B) submit a progress report on the implementation of this subsection to the appropriate congressional committees.
"(e)
"(1) analyze and monitor the implementation of subsections (c) and (d); and
"(2) not later than 3 years after the date of the enactment of this Act, submit a report to the appropriate congressional committees that describes the status of such implementation."
Definitions
"(1) the term 'Cybersecurity Category' means a position's or incumbent's primary work function involving cybersecurity, which is further defined by Specialty Area;
"(2) the term 'Department' means the Department of Homeland Security;
"(3) the term 'Secretary' means the Secretary of Homeland Security; and
"(4) the term 'Specialty Area' means any of the common types of cybersecurity work as recognized by the National Initiative for Cybersecurity Education's National Cybersecurity Workforce Framework report."
§§147 to 151. Transferred
Editorial Notes
Codification
Section 147,
Section 148,
A prior section 227 of
Section 149,
A prior section 228 of
Section 149a,
Section 150,
Section 151,