H.R. 3696, The National Cybersecurity and Critical Infrastructure Protection Act

H.R. 3696

The National Cybersecurity and Critical Infrastructure Protection Act

July 28, 2014 (113th Congress, 2nd Session)

Staff Contact

Floor Situation

On Monday, July 28, 2014, the House will consider H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2014, under suspension of the rules.  H.R. 3696 was introduced on December 11, 2013 by Rep. Michael McCaul (R-TX) and was referred to the House Homeland Security Committee.  The bill was marked up on February 5, 2014 and was ordered reported, as amended, by voice vote.[1]

[1] House Committee Report 113-550, Part I.

Bill Summary

H.R. 3696 amends the Homeland Security Act of 2002 to improve cybersecurity and critical infrastructure protection.  The following summary was prepared by the Homeland Security Committee[2]: “H.R. 3696 codifies and strengthens the National Cybersecurity and Communications Integration Center (NCCIC), a Federal civilian interface to facilitate real-time cyber threat information sharing across critical infrastructure sectors.”

“In furtherance of fostering an effective partnership between private industry and the Department of Homeland Security [DHS], H.R. 3696 directs DHS to leverage industry-led organizations to facilitate critical infrastructure protection and incident response, as appropriate.  Successful aspects of the National Infrastructure Protection Plan, a public-private partnership framework called for in Homeland Security Presidential Directive 7, [and] Critical Infrastructure Identification, Prioritization, and Protection, [which] has been supported by the private sector since 2003, are codified in this legislation.”[3]

“Additionally, H.R. 3696 codifies [DHS’s] Cyber Incident Response Teams to provide timely technical assistance, crisis management, and actionable recommendations on cyber threats to critical infrastructure owners and operators on a voluntary basis.  This ensures that a National Cybersecurity Incident Response Plan is developed and exercised.

“H.R. 3696 also amends [the SAFETY Act][4] to clarify that cybersecurity technologies and services may be certified by the DHS SAFETY Act Office and establish a threshold for qualifying cyber incidents.  This allows private entities [to] voluntarily submit their cybersecurity procedures to the SAFETY Act Office to gain additional liability protections in the event of an act of terrorism or a qualifying cyber incident.”

Additionally, H.R. 3696 contains the Homeland Security Cybersecurity Boots-on-the-Ground-Act, which the House will also consider this week as a stand-alone bill.  The Legislative Digest for the bill is available here.

[2] Id. at 19.
[3] “These include: (1) The roles and responsibilities of Sector Specific Agencies; (2) the formation of Sector Coordinating Councils; and (3) the establishment of Information Sharing and Analysis Centers. This public-private partnership framework was recently updated in February 2013 by Presidential Policy Directive 21 (PPD–21), Critical Infrastructure Security and Resilience.”  Id.
[4] Subtitle G of the Homeland Security Act of 2002, Pub. L. 107–296.


Cyber attacks present significant threats to the U.S. economy and to national security.  Daily attacks by state and non-state actors seek to disrupt the nation’s critical infrastructure, steal intellectual property, and compromise sensitive personal information such as bank accounts and social security numbers.  “In 2013, Mandiant released a report . . . providing detailed evidence of hackers linked to the Chinese military hacking into major U.S. companies for intellectual property and for economic espionage purposes, defense systems to steal sensitive military information, and critical infrastructure to gain access to gas lines, power grids and water systems.  Additionally, Iranian-backed hackers are increasing the number of cyber attacks against U.S. companies, and in one example gained access to control system software that could allow the hackers to control, shut down, or damage oil and gas pipelines in the [U.S].”[5]  Director of National Intelligence James Clapper and FBI Director James Comey, respectively, recently emphasized the increasing risk to U.S. critical infrastructure and the corresponding increase in resources that will be needed to defend against these and other cybersecurity risks.[6]

Presidential Policy Directive 21, released in February of 2013, tasks DHS with coordinating overall national cybersecurity efforts.[7]  H.R. 3696 codifies a number of the efforts made by DHS on this front and provides increased congressional oversight.

[5] Id. at 20.
[6] Id.
[7] Id.


According to CBO estimates, implementing H.R. 3696 “would cost an additional $160 million over the 2015-2019 period.”  The bill would not affect direct spending or revenues.

Additional Information

For questions or further information contact the GOP Conference at 5-5107.