Answer:
The summary below was written by the Congressional Research Service, which is a nonpartisan division of the Library of Congress.
12/18/2014--Public Law. (This measure has not been amended since it was passed by the Senate on December 11, 2014. The summary of that version is repeated here.)
Cybersecurity Enhancement Act of 2014 - Title I: Public-Private Collaboration on Cybersecurity - (Sec. 101) Amends the National Institute of Standards and Technology Act to permit the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology (NIST), to facilitate and support the development of a voluntary, consensus-based, industry-led set of standards and procedures to cost-effectively reduce cyber risks to critical infrastructure.
Requires the Director, in carrying out such activities, to: (1) coordinate regularly with, and incorporate the industry expertise of, relevant private sector personnel and entities, critical infrastructure owners and operators, sector coordinating councils, Information Sharing and Analysis Centers, and other relevant industry organizations; (2) consult with the heads of agencies with national security responsibilities, sector-specific agencies, state and local governments, governments of other nations, and international organizations; (3) identify a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, that may be voluntarily adopted by owners and operators of critical infrastructure to help identify, assess, and manage cyber risks; and (4) include methodologies to mitigate impacts on business confidentiality, protect individual privacy and civil liberties, incorporate voluntary consensus standards and industry best practices, align with international standards, and prevent duplication of regulatory processes.
Prohibits the Director from prescribing a specific solution or requiring that products or services be designed or manufactured in a particular manner.
Prohibits information provided to NIST for purposes of developing cyber risk standards from being used by federal, state, tribal, or local agencies to regulate the activity of any entity.
Directs the Comptroller General (GAO) to submit biennial reports over a specified period concerning NIST's progress in facilitating the development of such standards and procedures. Requires such reports to address the extent to which such standards: (1) are voluntary and led by industry representatives, (2) have been promoted by federal agencies and adopted by sectors of critical infrastructure, and (3) have protected against cyber threats. Instructs the Comptroller General to include in such reports an assessment of the reasons behind decisions of sectors to adopt or not adopt such standards.
Title II: Cybersecurity Research and Development - (Sec. 201) Directs the following agencies, working through the National Science and Technology Council and the Networking and Information Technology Research and Development Program, to develop, and update every four years, a federal cybersecurity research and development strategic plan:
Explanation: