G:\M\15\LIEU\LIEU_076.XML ..................................................................... (Original Signature of Member) H. R. ll 115TH CONGRESS 1ST SESSION To establish a voluntary program to identify and promote Internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes. IN THE HOUSE OF REPRESENTATIVES Mr. TED LIEU of California introduced the following bill; which was referred to the Committee on llllllllllllll A BILL To establish a voluntary program to identify and promote Internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes. 1 Be it enacted by the Senate and House of Representa- 2 tives of the United States of America in Congress assembled, 3 4 SECTION 1. SHORT TITLE. This Act may be cited as the ‘‘Cyber Shield Act of 5 2017’’. g:\VHLC\102417\102417.036.xml October 24, 2017 (10:09 a.m.) VerDate 0ct 09 2002 10:09 Oct 24, 2017 Jkt 000000 (678318 1) PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 C:\USERS\ECBLOUNT\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\LIEU_076.XM G:\M\15\LIEU\LIEU_076.XML 2 1 2 SEC. 2. DEFINITIONS. In this Act— 3 (1) the term ‘‘Advisory Committee’’ means the 4 Cyber Shield Advisory Committee established under 5 section 3(a); 6 (2) the term ‘‘benchmarks’’ means standards, 7 guidelines, best practices, methodologies, procedures, 8 and processes; 9 10 (3) the term ‘‘covered product’’ means a consumer-facing physical object that can— 11 (A) connect to the Internet; and 12 (B) collect, send, or receive data; 13 (4) the term ‘‘Cyber Shield program’’ means 14 the voluntary program established under section 15 4(a)(1); and 16 17 18 19 (5) the term ‘‘Secretary’’ means the Secretary of Commerce. SEC. 3. CYBER SHIELD ADVISORY COMMITTEE. (a) ESTABLISHMENT.—Not later than 90 days after 20 the date of enactment of this Act, the Secretary shall es21 tablish a Cyber Shield Advisory Committee. 22 (b) DUTIES.— 23 (1) IN later than 1 year after 24 the date of enactment of this Act, the Advisory 25 Committee shall provide recommendations to the 26 Secretary regarding— g:\VHLC\102417\102417.036.xml October 24, 2017 (10:09 a.m.) VerDate 0ct 09 2002 GENERAL.—Not 10:09 Oct 24, 2017 Jkt 000000 (678318 1) PO 00000 Frm 00002 Fmt 6652 Sfmt 6201 C:\USERS\ECBLOUNT\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\LIEU_076.XM G:\M\15\LIEU\LIEU_076.XML 3 1 (A) the format and content of the Cyber 2 Shield labels required to be established under 3 section 4; and 4 (B) the process for identifying, estab- 5 lishing, reporting on, adopting, maintaining, 6 and promoting compliance with the voluntary 7 cybersecurity and data security benchmarks re- 8 quired to be established under section 4. 9 (2) PUBLIC 10 TIONS.—The 11 provide the public with an opportunity to comment 12 on, the recommendations provided to the Secretary 13 under paragraph (1). 14 (c) MEMBERS, CHAIRMAN, AND DUTIES.— 15 Advisory Committee shall publish, and (1) APPOINTMENT.— 16 (A) IN GENERAL.—The Advisory Com- 17 mittee shall be composed of members appointed 18 by the Secretary from among individuals who 19 are specially qualified to serve on the Advisory 20 Committee based on their education, training, 21 or experience. 22 (B) 23 10:09 Oct 24, 2017 REPRESENTATION.—Members ap- pointed under subparagraph (A) shall include— g:\VHLC\102417\102417.036.xml October 24, 2017 (10:09 a.m.) VerDate 0ct 09 2002 AVAILABILITY OF RECOMMENDA- Jkt 000000 (678318 1) PO 00000 Frm 00003 Fmt 6652 Sfmt 6201 C:\USERS\ECBLOUNT\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\LIEU_076.XM G:\M\15\LIEU\LIEU_076.XML 4 1 (i) representatives of the covered 2 products industry, including small, me- 3 dium, and large businesses; 4 (ii) cybersecurity experts; 5 (iii) public interest advocates; and 6 (iv) Federal employees with expertise 7 in 8 cybersecurity, including employees of the 9 Department of Commerce, the Federal 10 Trade Commission, and the Federal Com- 11 munications Commission. 12 (C) LIMITATION.—In appointing members 13 under subparagraph (A), the Secretary shall en- 14 sure that— certification, devices, or 15 (i) each interest group described in 16 clauses (i) through (iv) of subparagraph 17 (B) is proportionally represented on the 18 Advisory Committee, including— 19 (I) businesses of each size de- 20 scribed in such clause (i); 21 (II) Federal employees with ex- 22 pertise in each subject described in 23 such clause (iv); and g:\VHLC\102417\102417.036.xml October 24, 2017 (10:09 a.m.) VerDate 0ct 09 2002 covered 10:09 Oct 24, 2017 Jkt 000000 (678318 1) PO 00000 Frm 00004 Fmt 6652 Sfmt 6201 C:\USERS\ECBLOUNT\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\LIEU_076.XM G:\M\15\LIEU\LIEU_076.XML 5 1 (III) Federal employees from 2 each agency described in such clause 3 (iv); and 4 (ii) no single interest group is rep- 5 resented by a majority of the members of 6 the Advisory Committee. 7 (2) CHAIR.—The Secretary shall designate a 8 member of the Advisory Committee to serve as 9 Chair. 10 (3) PAY.—Members of the Advisory Committee 11 shall serve without pay, except that the Secretary 12 may allow a member, while attending meetings of 13 the Advisory Committee or a subcommittee of the 14 Advisory Committee, expenses authorized under sec- 15 tion 5703 of title 5, United States Code, relating to 16 per diem, travel, and transportation. 17 (d) SUPPORT STAFF; ADMINISTRATIVE SERVICES.— 18 19 (1) SUPPORT Secretary shall pro- vide support staff for the Advisory Committee. 20 (2) ADMINISTRATIVE SERVICES.—Upon request 21 by the Advisory Committee, the Secretary shall pro- 22 vide any information, administrative services, and 23 supplies that the Secretary considers necessary for 24 the Advisory Committee to carry out its duties and 25 powers. g:\VHLC\102417\102417.036.xml October 24, 2017 (10:09 a.m.) VerDate 0ct 09 2002 STAFF.—The 10:09 Oct 24, 2017 Jkt 000000 (678318 1) PO 00000 Frm 00005 Fmt 6652 Sfmt 6201 C:\USERS\ECBLOUNT\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\LIEU_076.XM G:\M\15\LIEU\LIEU_076.XML 6 1 (e) NO TERMINATION.—Section 14 of the Federal 2 Advisory Committee Act (5 U.S.C. App.) shall not apply 3 to the Advisory Committee. 4 5 SEC. 4. CYBER SHIELD PROGRAM. (a) ESTABLISHMENT OF PROGRAM.— 6 (1) IN GENERAL.—The Secretary shall establish 7 a voluntary program to identify and certify covered 8 products with superior cybersecurity and data secu- 9 rity through voluntary certification and labeling of, 10 and other forms of communication about, covered 11 products and subsets of covered products that meet 12 industry-leading cybersecurity and data security 13 benchmarks to enhance cybersecurity and protect 14 data. 15 16 (2) GRADES.—Labels applied to products under the Cyber Shield program— 17 (A) may be digital; and 18 (B) may be in the form of different grades 19 that display the extent to which a product 20 meets the industry-leading cybersecurity and 21 data security benchmarks. 22 (b) CONSULTATION.—Not later than 90 days after 23 the date of enactment of this Act, the Secretary shall es24 tablish a process for consulting interested parties, the Sec25 retary of Health and Human Services, the Commissioner g:\VHLC\102417\102417.036.xml October 24, 2017 (10:09 a.m.) VerDate 0ct 09 2002 10:09 Oct 24, 2017 Jkt 000000 (678318 1) PO 00000 Frm 00006 Fmt 6652 Sfmt 6201 C:\USERS\ECBLOUNT\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\LIEU_076.XM G:\M\15\LIEU\LIEU_076.XML 7 1 of Food and Drugs, the Secretary of Homeland Security, 2 and other Federal agencies in carrying out the Cyber 3 Shield program. 4 (c) DUTIES.—In carrying out the Cyber Shield pro- 5 gram, the Secretary— 6 (1) shall— 7 (A) establish and maintain cybersecurity 8 and data security benchmarks, by convening 9 and consulting interested parties and other 10 Federal agencies, for products with the Cyber 11 Shield label to ensure that those products per- 12 form better than their less secure counterparts; 13 and 14 (B) in carrying out subparagraph (A)— 15 (i) engage in an open public review 16 and comment process; 17 (ii) in consultation with the Advisory 18 Committee, 19 cybersecurity and data security bench- 20 marks to different subsets of covered prod- 21 ucts based on— 22 apply rity risk; g:\VHLC\102417\102417.036.xml October 24, 2017 (10:09 a.m.) 10:09 Oct 24, 2017 and (I) cybersecurity and data secu- 23 VerDate 0ct 09 2002 identify Jkt 000000 (678318 1) PO 00000 Frm 00007 Fmt 6652 Sfmt 6201 C:\USERS\ECBLOUNT\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\LIEU_076.XM G:\M\15\LIEU\LIEU_076.XML 8 1 (II) the sensitivity of the infor- 2 mation 3 stored by the product; and 4 transmitted, or (III) product functionality; and 5 (iii) to the extent possible, incorporate 6 existing benchmarks when establishing and 7 maintaining cybersecurity and data secu- 8 rity benchmarks; 9 10 (2) may not establish benchmarks under paragraph (1) that are— 11 (A) arbitrary, capricious, an abuse of dis- 12 cretion, or otherwise not in accordance with 13 law; or 14 (B) unsupported by evidence; 15 (3) shall permit a manufacturer or distributor 16 of a covered product to display a Cyber Shield label 17 reflecting the extent to which the product meets the 18 industry-leading cybersecurity and data security 19 benchmarks established under paragraph (1); 20 (4) shall promote technologies that are compli- 21 ant with the cybersecurity and data security bench- 22 marks established by the Secretary as the preferred 23 technologies in the marketplace for— 24 (A) enhancing cybersecurity; and 25 (B) protecting data; g:\VHLC\102417\102417.036.xml October 24, 2017 (10:09 a.m.) VerDate 0ct 09 2002 collected, 10:09 Oct 24, 2017 Jkt 000000 (678318 1) PO 00000 Frm 00008 Fmt 6652 Sfmt 6201 C:\USERS\ECBLOUNT\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\LIEU_076.XM G:\M\15\LIEU\LIEU_076.XML 9 1 (5) shall work to enhance public awareness of 2 the Cyber Shield label, including through public out- 3 reach, education, research and development, and 4 other means; 5 6 (6) shall preserve the integrity of the Cyber Shield label; 7 (7) if helpful in fulfilling the obligation under 8 paragraph (6), may elect to not treat a covered 9 product as a Cyber Shield-certified product until the 10 product meets appropriate conformity standards, 11 which may include— 12 (A) testing by an accredited third-party 13 certifying laboratory or other entity in accord- 14 ance with the Cyber Shield program; and 15 (B) certification by the laboratory or entity 16 described in subparagraph (A) as meeting the 17 applicable 18 benchmarks established by the Secretary; 19 (8) not less frequently than once every 2 years 20 after establishing cybersecurity and data security 21 benchmarks for a product category under paragraph 22 (1), shall review and, if appropriate, update the 23 cybersecurity and data security benchmarks for that 24 product category; g:\VHLC\102417\102417.036.xml October 24, 2017 (10:09 a.m.) VerDate 0ct 09 2002 10:09 Oct 24, 2017 Jkt 000000 cybersecurity and data security (678318 1) PO 00000 Frm 00009 Fmt 6652 Sfmt 6201 C:\USERS\ECBLOUNT\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\LIEU_076.XM G:\M\15\LIEU\LIEU_076.XML 10 1 (9) shall solicit comments from interested par- 2 ties and the Advisory Committee prior to estab- 3 lishing or revising a Cyber Shield product category 4 or benchmark (or prior to the effective date of the 5 establishment or revision of a product category or 6 benchmark); 7 (10) upon adoption of a new or revised product 8 category or benchmark, shall provide reasonable no- 9 tice to interested parties of any changes (including 10 effective dates) to product categories or benchmarks, 11 along with— 12 (A) an explanation of the changes; and 13 (B) as appropriate, responses to comments 14 submitted by interested parties; and 15 (11) shall provide appropriate lead time prior to 16 the applicable effective date for a new or a signifi- 17 cant revision to a product category or benchmark, 18 taking into account the timing requirements of the 19 manufacturing, product marketing, and distribution 20 process for the product or products addressed. 21 (d) DEADLINES.—Not later than 2 years after the 22 date of enactment of this Act, the Secretary shall establish 23 cybersecurity and data security benchmarks for covered 24 products under subsection (c)(1), which shall take effect g:\VHLC\102417\102417.036.xml October 24, 2017 (10:09 a.m.) VerDate 0ct 09 2002 10:09 Oct 24, 2017 Jkt 000000 (678318 1) PO 00000 Frm 00010 Fmt 6652 Sfmt 6201 C:\USERS\ECBLOUNT\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\LIEU_076.XM G:\M\15\LIEU\LIEU_076.XML 11 1 not later than 60 days after the date on which the bench2 marks are established. 3 (e) ADMINISTRATION.—The Secretary, in consulta- 4 tion with the Advisory Committee, may enter into a con5 tract with a third party to administer the Cyber Shield 6 program if— 7 8 (1) the third party is an impartial administrator; and 9 (2) entering into the contract improves the 10 cybersecurity and data security of covered products. 11 (f) PROGRAM EVALUATION.— 12 (1) IN later than 4 years after 13 the date of enactment of this Act, and not less fre- 14 quently than every 2 years thereafter, the Inspector 15 General of the Department of Commerce shall evalu- 16 ate the Cyber Shield program. 17 (2) REQUIREMENTS.—In conducting an evalua- 18 tion under paragraph (1), the Inspector General of 19 the Department of Commerce shall— 20 (A) evaluate the extent to which the 21 cybersecurity and data security benchmarks es- 22 tablished under the Cyber Shield program ad- 23 dress cybersecurity and data security threats; g:\VHLC\102417\102417.036.xml October 24, 2017 (10:09 a.m.) VerDate 0ct 09 2002 GENERAL.—Not 10:09 Oct 24, 2017 Jkt 000000 (678318 1) PO 00000 Frm 00011 Fmt 6652 Sfmt 6201 C:\USERS\ECBLOUNT\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\LIEU_076.XM G:\M\15\LIEU\LIEU_076.XML 12 1 (B) assess how the benchmarks have 2 evolved to meet emerging cybersecurity and 3 data security threats; 4 (C) conduct covert testing to evaluate the 5 integrity of certification testing; and 6 (D) assess the costs to businesses of par- 7 ticipating in the Cyber Shield program. 8 SEC. 5. CYBER SHIELD DIGITAL PRODUCT PORTAL. 9 (a) IN GENERAL.—The Secretary shall make publicly 10 available on the website of the Department of Commerce 11 in a searchable format— 12 13 (1) a web page providing information about the Cyber Shield program; and 14 (2) a database of covered products certified 15 under the Cyber Shield program. 16 (b) REQUIREMENTS.—The database established 17 under subsection (a) shall include— 18 19 (1) the cybersecurity and data security benchmarks for each product category; and 20 21 (2) for each covered product certified under the Cyber Shield program— 22 (A) the certification for the product; 23 (B) the name and manufacturer of the 24 product; g:\VHLC\102417\102417.036.xml October 24, 2017 (10:09 a.m.) VerDate 0ct 09 2002 10:09 Oct 24, 2017 Jkt 000000 (678318 1) PO 00000 Frm 00012 Fmt 6652 Sfmt 6201 C:\USERS\ECBLOUNT\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\LIEU_076.XM G:\M\15\LIEU\LIEU_076.XML 13 1 (C) the contact information for the manu- 2 facturer; 3 (D) the functionality of the product; 4 (E) the location of any applicable privacy 5 policy; and 6 (F) any other information the Secretary 7 8 9 determines necessary and appropriate. SEC. 6. RULE OF CONSTRUCTION. The decision of a manufacturer of a covered product 10 not to participate in the Cyber Shield program shall not 11 affect the liability of the manufacturer for a cybersecurity 12 or data security breach of that covered product. g:\VHLC\102417\102417.036.xml October 24, 2017 (10:09 a.m.) VerDate 0ct 09 2002 10:09 Oct 24, 2017 Jkt 000000 (678318 1) PO 00000 Frm 00013 Fmt 6652 Sfmt 6201 C:\USERS\ECBLOUNT\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\LIEU_076.XM