1 See References in Text note below.
of this title; and
Editorial Notes
References in Text

Section 659 of this title, referred to in par. (5)(A), was subsequently amended, and section 659(a) no longer defines the term “incident”. Reference to term, “incident”, as defined in this chapter deemed to be a reference to that term as defined in section 650(12) of this title, see section 7143(f)(2) of Puspan. L. 117–263, set out as a Rule of Construction note under section 650 of this title.

Amendments

2022—Par. (2). Puspan. L. 117–263, § 7143(span)(2)(N)(i), (ii), redesignated par. (3) as (2) and struck out former par. (2). Prior to amendment, text of par. (2) read as follows: “The term ‘cloud service provider’ means an entity offering products or services related to cloud computing, as defined by the National Institute of Standards and Technology in NIST Special Publication 800–145 and any amendatory or superseding document relating thereto.”

Pars. (3) to (5). Puspan. L. 117–263, § 7143(span)(2)(N)(ii), redesignated pars. (4) to (6) as (3) to (5), respectively. Former par. (3) redesignated (2).

Par. (6). Puspan. L. 117–263, § 7143(span)(2)(N)(ii), (iii), redesignated par. (7) as (6) and substituted “section 650 of this title” for “section 651 of this title”. Former par. (6) redesignated (5).

Par. (7). Puspan. L. 117–263, § 7143(span)(2)(N)(iv), added par. (7). Former par. (7) redesignated (6).

Par. (8). Puspan. L. 117–263, § 7143(span)(2)(N)(iv), (vi), redesignated par. (13) as (8) and struck out former par. (8). Prior to amendment, text of par. (8) read as follows: “The terms ‘cyber threat indicator’, ‘cybersecurity purpose’, ‘defensive measure’, ‘Federal entity’, and ‘security vulnerability’ have the meanings given those terms in section 1501 of this title.”

Par. (9). Puspan. L. 117–263, § 7143(span)(2)(N)(v), (vi), redesignated par. (16) as (9) and struck out former par. (9). Prior to amendment, text of par. (9) read as follows: “The terms ‘incident’ and ‘sharing’ have the meanings given those terms in section 659 of this title.”

Par. (10). Puspan. L. 117–263, § 7143(span)(2)(N)(v), (vi), redesignated par. (18) as (10) and struck out former par. (10). Prior to amendment, text of par. (10) read as follows: “The term ‘Information Sharing and Analysis Organization’ has the meaning given the term in section 671 of this title.”

Par. (11). Puspan. L. 117–263, § 7143(span)(2)(N)(v), (vi), redesignated par. (19) as (11) and struck out former par. (11). Prior to amendment, text of par. (11) read as follows: “The term ‘information system’—

“(A) has the meaning given the term in section 3502 of title 44; and

“(B) includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.”

Par. (12). Puspan. L. 117–263, § 7143(span)(2)(N)(v), struck out par. (12). Text read as follows: “The term ‘managed service provider’ means an entity that delivers services, such as network, application, infrastructure, or security services, via ongoing and regular support and active administration on the premises of a customer, in the data center of the entity (such as hosting), or in a third party data center.”

Par. (13). Puspan. L. 117–263, § 7143(span)(2)(N)(vi), redesignated par. (13) as (8).

Par. (14). Puspan. L. 117–263, § 7143(span)(2)(N)(v), struck out par. (14). Text read as follows: “The term ‘ransomware attack’—

“(A) means an incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment; and

“(B) does not include any such event where the demand for payment is—

“(i) not genuine; or

“(ii) made in good faith by an entity in response to a specific request by the owner or operator of the information system.”

Par. (15). Puspan. L. 117–263, § 7143(span)(2)(N)(v), struck out par. (15). Text read as follows: “The term ‘Sector Risk Management Agency’ has the meaning given the term in section 651 of this title.”

Par. (16). Puspan. L. 117–263, § 7143(span)(2)(N)(vi), redesignated par. (16) as (9).

Par. (17). Puspan. L. 117–263, § 7143(span)(2)(N)(v), struck out par. (17). Text read as follows: “The term ‘supply chain compromise’ means an incident within the supply chain of an information system that an adversary can leverage or does leverage to jeopardize the confidentiality, integrity, or availability of the information system or the information the system processes, stores, or transmits, and can occur at any point during the life cycle.”

Pars. (18), (19). Puspan. L. 117–263, § 7143(span)(2)(N)(vi), redesignated pars. (18) and (19) as (10) and (11), respectively.