1. 1 Sources: National Journal, “The 22 Amendments That Could Determine the fate of the Senate’s Cybersecurity Bill,” August 26, 2015 S. AmdtDescription 2581Offers liability protection for sharing with FBI and Secret Service [Tom Cotton (R-AR)] 2612Narrows definitions of cybersecurity threats and indicators [Al Franken (D-MN), Patrick Leahy (D-VT), and Ron Wyden (D-OR)] 2580Restates voluntary nature of private sector sharing [Jeff Flake (R-AZ)] 2564Prevents business from using CISA liability protections to break user agreements [Rand Paul (R-KY)] 2621Requires companies to remove personal information “to the extent feasible” [Ron Wyden (D-OR)] 2548Requires companies to remove personal information if they “reasonably believe” it’s unrelated [Dean Heller (R-NV)] 2615Require DHS to remove personal information before sharing with other government agencies [Tom Carper (D-DE)] 2552Require DHS to remove personal information before sharing with other government agencies [Chris Coons (D-DE)] 2582Implements a six-year sunset [Jeff Flake (R-AZ) and Al Franken (D-MN)] 2622Requires government to notify individuals about improper sharing [Ron Wyden (D-OR)] 2587Removes FOIA exemption [Patrick Leahy (D-VT)] 2632Commission government cyber reports [Jon Tester (D-MT)] 2604Commission government cyber reports [Dan Coats (R-IN)] 2578Eases clearance processes for committee staffers [David Vitter (R-LA)] 2579Establishes small-business cyber center at DHS [David Vitter R-LA] 2631Requires Department of State to write international cyber policy [Cory Gardner (R-CO) and Benjamin Cardin (D-MD)] 2603Mandates reports on foreign governments’ cybercrime efforts [Mark Kirk (R-IL) and Kirsten Gillibrand (D-NY)] 2589Extends Privacy Act rights to allied countries’ citizens[(Chris Murphy (D-CT)] 2557Increases funding for OPM cybersecurity [Barbara Mikulski (D-MD)] 2627Authorize DHS to introduce government-wide cyberdefenses [Tom Carper (D-DE)] 2626Increases punishment for cybercrimes [Sheldon Whitehouse (D-RI)] Manager’s Amdt Multiple privacy, operations, and oversight changes [Dianne Feinstein (D-CA) and Richard Burr (R-NC)] Senate Majority Leader Lined Up 22 CISA Amendments for Vote

2. 2 Operations and Liability Amendments S. AMDT.SponsorAmendment DetailsCriticism of Amendment 2581 Sen. Tom Cotton (R-AR) Offers liability protection for companies Would grant companies that share information with FBI and Secret Service some immunity from lawsuits While CISA permits businesses to share information with any federal agency, it only offers liability protection for sharing cyberthreat information with the Department of Homeland Security Raises potential privacy concerns as it decentralizes the provision of information within the government from the DHS hub 2612 Sen. Al Franken (D-MN) Narrows definitions of the types of information that companies could share with the government Cosponsors: Patrick Leahy (D-VT), Ron Wyden (D-OR) Would allow companies to share cyberthreat information only insofar as it’s “necessary to describe or identify” certain malicious activities that hackers generally engage in Critics of the amendment argue that the time necessary to reach a high- level of confidence that harm is or could be done may be extremely costly 2580 Sen. Jeff Flake (R-AZ) Restates voluntary nature of private sector sharing Reinforces the voluntary nature of the information-sharing program, addressing concerns that the unamended bill virtually forces companies to share information with the government Does not address the likelihood that the government will require all participants to share cyberthreat information 2564 Sen. Rand Paul (R-KY) Prevents businesses from using CISA liability protections to break user agreements Limit the liability protection extended to business so that companies would remain bound to the privacy agreements they enter into with their customers If liability protection is removed or thrown into question, it may compromise the main tool that CISA employs to get encourage business participation Sources: National Journal, “The 22 Amendments That Could Determine the fate of the Senate’s Cybersecurity Bill,” August 26, 2015

3. 3 Privacy Amendments S.AMDT.SponsorAmendment DetailsCriticism of Amendment 2621 Sen. Ron Wyden (D-OR) Would strengthen a requirement for companies to remove personal information “to the extent feasible” Cosponsors: Tom Udall (D-NM), Sherrod Brown (D-OH), Al Franken (D-MN), Edward Markey (D-MA), Richard Blumenthal (D-CT), Tammy Baldwin (D-WI) While some CISA opponents say this is the most important must-pass change, CISA supporters say the vague language makes it hard for companies to know if they’ve complied 2548 Sen. Dean Heller (R-NV) Would require companies to remove personal information if they “reasonably believe” it does not relate directly to a threat Cosponsor: Patrick Leahy (D-VT) Would impose less stringent restrictions on businesses than Sen. Wyden’s amendment (S. Amdt 2621) Lacks the ‘legal certainty’ and ease of interpretation that businesses are seeking 2615 (Carper, Leahy) 2552 (Coons) Sen. Tom Carper (D-DE) Sen. Chris Coons (D-DE) These two amendments would require DHS to remove personal information before sharing with other government agencies Both the Coons and the Carper amendments place the burden of removing personal information on the DHS, instead of on companies Since CISA would allow businesses to share directly with any federal agency, there would remain ways for personal information to make is way into government systems Sources: National Journal, “The 22 Amendments That Could Determine the fate of the Senate’s Cybersecurity Bill,” August 26, 2015

4. 4 Oversight Amendments S.AMDTSponsorAmendment Information 2582 Sen. Jeff Flake (R-AZ) Would implement a six-year sunset to CISA’s authorization Cosponsors: Sen. Al Franken After six-year sunset, Congress would have to reauthorize the bill and would have a chance to make changes 2622 Sen. Ron Wyden (D-OR) Would require the federal government to notify individuals about improper sharing Cosponsors: Tom Udall (D-NM), Sherrod Brown (D-OH), Al Franken (D-MN), Edward Markey (D-MA), Richard Blumenthal (D-CT), Tammy Baldwin (D-WI) 2587 Sen. Patrick Leahy (D-VT) Would remove a FOIA exemption This amendment would remove a part of the bill that exempts information shared through the program from Freedom of Information Act requests 2632 2604 Sen. Jon Tester (D-MT) Sen. Dan Coats (R-IN) These two amendments would commission government cyber reports Tester’s amendment would require the government to report on a variety of information sharing metrics, including the number of times personal information was not removed but should have been Coats’s amendment would commission a report on cyber security threats to mobile devices Sources: National Journal, “The 22 Amendments That Could Determine the fate of the Senate’s Cybersecurity Bill,” August 26, 2015

5. 5 Other Amendments S.AMDTSponsorAmendment Information 2578 (Vitter, Leahy) 2579 Sen. David Vitter (R-LA) Vitter’s first amendment would ease the security clearance process for staffers Cosponsor: Jon Tester (D-MT) Would make it easier for members on Senate committees who handle sensitive information to get at least one staffer a security clearance Vitter’s second amendment would establish small-business cyber center at DHS 2631 Sen. Cory Gardner (R-CO) Would require the State Department to write international cyber policy Cosponsor: Benjamin Cardin (D-MD) Would require the Secretary of State to draw up a “comprehensive strategy relating to United States international policy with regard to cyberspace” 2603 Sen. Mark Kirk (R-IL) Would mandate reports on foreign governments’ cybercrime efforts Cosponsor: Kirsten Gillibrand (D-NY) Would push the Secretary of State to consult with governments of countries that are home to cyber criminals to determine how those criminals are being pursued 2589 Sen. Chris Murphy (D-CT) Would extend Privacy Act rights to allied countries’ citizens Cosponsor: Orrin Hatch (R-UT) Extending the rights in the Privacy Act to US allies would allow foreign citizens to challenge how their private information is used in American courts Sources: National Journal, “The 22 Amendments That Could Determine the fate of the Senate’s Cybersecurity Bill,” August 26, 2015

6. 6 Other Amendments S.AMDT.SponsorAmendment Information 2557 Sen. Barbara Mikulski (D-MD) Would increase funding for OPM cybersecurity Cosponsors: Benjamin Cardin (D-MD) and Mark Warner (D-VA) This amendment would appropriate $37 million to the Office of Personnel Management to boost its cybersecurity efforts 2627 Sen. Tom Carper (D-DE) Would authorize DHS to introduce government-wide cyberdefenses Cosponsors: Ron Johnson (R-WI), Kelly Ayotte (R-NH), Claire McCaskill (D-MO), Susan Collins (R-ME), Mark Warner (D-VA) This amendment would tack-on the Federal Cybersecurity Enhancement Act, which would authorize DHS to roll out the Einstein cyberdefense system to every federal agency 2626 Sen. Sheldon Whitehouse (D-RI) Increases punishment for cybercrimes The amendment would allow prosecutors to seek up to 20 years of prison time for an individual who harms a computer connected to “critical infrastructure” Manager’s Amdt. Sen. Richard Burr (R-NC) Sen. Dianne Feinstein (D-CA) This manager’s amendment proposes multiple privacy, operations and oversight changes Put forward by the co-sponsors of CISA, the manager’s amendment has the support of all sides Would allow information sharing only for cybersecurity purposes and removes authorization that would have allowed law enforcement to use cyberthreat information to pursue violent felons Sources: National Journal, “The 22 Amendments That Could Determine the fate of the Senate’s Cybersecurity Bill,” August 26, 2015