[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5491 Introduced in House (IH)]
117th CONGRESS
1st Session
H. R. 5491
To authorize the Director of the Cybersecurity and Infrastructure
Security Agency to designate certain elements of critical
infrastructure as systemically important, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
October 5, 2021
Mr. Katko (for himself, Ms. Spanberger, and Mr. Garbarino) introduced
the following bill; which was referred to the Committee on Homeland
Security
_______________________________________________________________________
A BILL
To authorize the Director of the Cybersecurity and Infrastructure
Security Agency to designate certain elements of critical
infrastructure as systemically important, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Securing Systemically Important
Critical Infrastructure Act''.
SEC. 2. DESIGNATION OF SYSTEMICALLY IMPORTANT CRITICAL INFRASTRUCTURE.
(a) Title XXII Technical and Clerical Amendments.--
(1) Technical amendments.--
(A) Homeland security act of 2002.--Subtitle A of
title XXII of the Homeland Security Act of 2002 (6
U.S.C. 651 et seq.) is amended--
(i) in section 2202 (6 U.S.C. 652)--
(I) in paragraph (11), by striking
``and'' after the semicolon;
(II) in the first paragraph (12)
(relating to appointment of a
Cybersecurity State Coordinator) by
striking ``as described in section
2215; and'' and inserting ``as
described in section 2217;'';
(III) by redesignating the second
paragraph (12) (relating to the .gov
internet domain) as paragraph (13); and
(IV) by redesignating the third
paragraph (12) (relating to carrying
out such other duties and
responsibilities) as paragraph (14);
(ii) in the first section 2215 (6 U.S.C.
665; relating to the duties and authorities
relating to .gov internet domain), by amending
the section enumerator and heading to read as
follows:
``SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV INTERNET
DOMAIN.'';
(iii) in the second section 2215 (6 U.S.C.
665b; relating to the joint cyber planning
office), by amending the section enumerator and
heading to read as follows:
``SEC. 2216. JOINT CYBER PLANNING OFFICE.'';
(iv) in the third section 2215 (6 U.S.C.
665c; relating to the Cybersecurity State
Coordinator), by amending the section
enumerator and heading to read as follows:
``SEC. 2217. CYBERSECURITY STATE COORDINATOR.'';
(v) in the fourth section 2215 (6 U.S.C.
665d; relating to Sector Risk Management
Agencies), by amending the section enumerator
and heading to read as follows:
``SEC. 2218. SECTOR RISK MANAGEMENT AGENCIES.'';
(vi) in section 2216 (6 U.S.C. 665e;
relating to the Cybersecurity Advisory
Committee), by amending the section enumerator
and heading to read as follows:
``SEC. 2219. CYBERSECURITY ADVISORY COMMITTEE.'';
and
(vii) in section 2217 (6 U.S.C. 665f;
relating to Cybersecurity Education and
Training Programs), by amending the section
enumerator and heading to read as follows:
``SEC. 2220. CYBERSECURITY EDUCATION AND TRAINING PROGRAMS.''.
(B) Consolidated appropriations act, 2021.--
Paragraph (1) of section 904(b) of division U of the
Consolidated Appropriations Act, 2021 (Public Law 116-260)
is amended, in the matter preceding subparagraph
(A), by inserting ``of 2002'' after ``Homeland Security
Act''.
(2) Clerical amendment.--The table of contents in section
1(b) of the Homeland Security Act of 2002 is amended by
striking the items relating to sections 2214 through 2217 and
inserting the following new items:
``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint cyber planning office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity Education and Training Programs.
``Sec. 2220A. Designation of systemically important critical
infrastructure.''.
(b) Designation of Systemically Important Critical
Infrastructure.--Subtitle A of title XXII of the Homeland Security Act
of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the
following new section:
``SEC. 2220A. DESIGNATION OF SYSTEMICALLY IMPORTANT CRITICAL
INFRASTRUCTURE.
``(a) In General.--The Director of the Cybersecurity and
Infrastructure Security Agency shall designate an element of critical
infrastructure as systemically important critical infrastructure if--
``(1) the Director makes a preliminary determination
pursuant to subsection (d)(1), using the methodology
established pursuant to subsection (b), that such element
satisfies the criteria established pursuant to subsection (c);
and
``(2) such preliminary determination becomes a final
determination pursuant to subsection (d)(2).
``(b) Methodology.--The Director, in consultation with the heads of
Sector Risk Management Agencies and covered stakeholders, shall--
``(1) establish a methodology for determining whether an
element of critical infrastructure satisfies the criteria
established for systemically important critical infrastructure
pursuant to subsection (c); and
``(2) update such methodology, as necessary.
``(c) Criteria.--
``(1) In general.--The Director, in consultation with the
heads of Sector Risk Management Agencies and covered
stakeholders, shall develop objective criteria to determine
whether an element of critical infrastructure should be
designated as systemically important.
``(2) Considerations.--In developing the criteria required
under paragraph (1), the Director shall consider the following:
``(A) The likelihood that a disruption to, or
compromise of, such element of critical infrastructure
would result in a debilitating effect on national
security, economic security, public health or safety,
or any combination thereof.
``(B) The extent to which damage, disruption, or
unauthorized access to such element or collectively to
the category of critical infrastructure to which such
element belongs--
``(i) would disrupt the reliable operation
of a category of critical infrastructure; and
``(ii) would impede provisioning of a
national critical function.
``(C) The extent to which increasing the risk
management coordination between the Federal Government
and the owner or operator of the element would enhance
the cybersecurity resilience of the United States.
``(3) Updates.--The Director, in consultation with the
heads of Sector Risk Management Agencies and covered
stakeholders, shall update the criteria established pursuant to
paragraph (1), as necessary.
``(d) Determinations.--
``(1) Preliminary determination.--In the case of an element
of critical infrastructure that the Director determines
satisfies the criteria established under subsection (c), the
Director shall--
``(A) use the methodology under subsection (b) to
make a preliminary determination with respect to
whether such element is systemically important;
``(B) notify the owner or operator of the element
of such determination; and
``(C) provide such owner or operator with an
opportunity to provide additional information for
consideration in the final determination under
paragraph (2).
``(2) Final determination.--On the date that is 30 days
after the date on which the Director provides notice under
paragraph (1)(B) with respect to a preliminary determination,
such preliminary determination shall become final unless the
Director determines, on the basis of additional information,
that the element subject to the preliminary determination does
not satisfy the criteria under subsection (c).
``(3) Periodic review.--Periodically, the Director shall
review a final designation made pursuant to paragraph (2) with
respect to an element using the same procedures outlined under
such paragraph.
``(4) Protection of information.--Information obtained by
the Director pursuant to paragraph (1)(C) shall be protected
under section 2224 or classified, as determined appropriate by
the Director.
``(e) List of Systemically Important Critical Infrastructure.--
``(1) In general.--Not later than 1 year after the date of
the enactment of this section, the Director, in coordination
with the heads of Sector Risk Management Agencies, shall
develop a comprehensive list that includes any element of
critical infrastructure designated as systemically important
under this section.
``(2) Update of list and notification to owners and
operators.--Not later than 7 days after the date on which the
Director makes a final determination pursuant to paragraph (2)
or (3) of subsection (d), the Director shall--
``(A) update the list required under paragraph (1);
and
``(B) notify the appropriate owner or operator of
the element of critical infrastructure of the addition,
modification, or removal of such element from such
list.
``(3) Congressional notification.--Not later than 30 days
after the list is updated pursuant to paragraph (2), the
Director shall submit to the appropriate congressional
committees such updated list.
``(4) Limitation on dissemination of list.--The Director
shall limit the dissemination of the list required under
paragraph (1) to individuals who need access to such list to
carry out official duties or responsibilities.
``(f) Prioritization of Agency Resources.--
``(1) In general.--The Director shall--
``(A) seek to enter into enhanced risk management
coordination with the owners and operators of elements
of critical infrastructure designated as systemically
important under this section; and
``(B) in allocating Agency resources to such owners
and operators, prioritize owners and operators who
coordinate with the Director pursuant to subparagraph
(A).
``(2) Prioritized representation in the office for joint
cyber planning.--The head of the office for joint cyber
planning established pursuant to section 2216, in carrying out
the responsibilities of such office with respect to relevant
cyber defense planning, joint cyber operations, cybersecurity
exercises, and information-sharing practices, shall, to the
extent practicable, prioritize the involvement of owners and
operators of elements of critical infrastructure designated as
systemically important under this section.
``(3) Continuous monitoring services.--The Director shall,
to the extent practicable, encourage the participation of the
owners and operators of elements of critical infrastructure
designated as systemically important pursuant to this section
in voluntary programs to provide technical assistance in the
form of continuous monitoring and detection of cybersecurity
risks.
``(g) Reports.--
``(1) Initial report.--Not later than 180 days after the
date of the enactment of this section, the Director, in
consultation with the heads of Sector Risk Management Agencies
and covered stakeholders, shall submit to the appropriate
congressional committees a report that includes the following:
``(A) A description of the capabilities of the
Agency that exist immediately before the date of the
enactment of this section with respect to identifying
critical infrastructure.
``(B) Information relating to the criteria and
methodology established pursuant to subsections (b) and
(c) to identify an element of critical infrastructure
as systemically important pursuant to this section.
``(C) Information relating to--
``(i) the capabilities of the Agency to
identify systems, assets, and facilities as
systemically important pursuant to this
section; and
``(ii) any updates relating to the
capabilities referred to in clause (i).
``(D) Information relating to--
``(i) the interactions between the Agency,
the heads of Sector Risk Management Agencies,
and covered stakeholders with respect to
carrying out this section, including processes
used for incorporation of industry feedback and
any associated challenges;
``(ii) critical infrastructure
identification programs within the Department
and how such programs are being incorporated
into the process to identify such
infrastructure, including--
``(I) section 9 of Executive Order
13636;
``(II) the National Asset Database
established under section 2214; and
``(III) section 4 of Executive
Order 14028;
``(iii) any identified gaps in authorities
or any additional resources required to carry
out this section, including necessary
legislation;
``(iv) any resources the Agency is
authorized to provide to the owners and
operators of an element of critical
infrastructure designated as systemically
important pursuant to this section; and
``(v) opportunities for enhanced risk
management coordination between the Federal
Government and the owners and operators of an
element of critical infrastructure designated
as systemically important pursuant to this
section.
``(2) Subsequent reports.--Not later than 2 years after the
date on which the initial report is submitted pursuant to
paragraph (1), and once every 2 years thereafter for 10 years,
the Director, in consultation with the heads of Sector Risk
Management Agencies and covered stakeholders, shall submit to
the appropriate congressional committees a report that includes
the updated information required under subparagraphs (B)
through (D) of paragraph (1).
``(3) Form.--Each of the reports required under paragraphs
(1) and (2) shall be submitted in unclassified form, but may
contain a classified annex.
``(h) Restriction.--Subchapter I of chapter 35 of title 44, United
States Code, shall not apply to any action by the Director to implement
this section.
``(i) Covered Stakeholders Described.--In this section, the term
`covered stakeholders' means individuals identified by the Director.
Such individuals shall include--
``(1) representatives from the Critical Infrastructure
Partnership Advisory Council, established pursuant to section
871;
``(2) representatives from the Cybersecurity Advisory
Committee established under section 2219;
``(3) individuals representing critical infrastructure
industries, the elements of which are subject to, or likely to
be subject to, a preliminary determination under subsection
(d)(1);
``(4) representatives from trade organizations whose
memberships include a concentration of owners and operators of
critical infrastructure industries, the elements of which are
subject to, or likely to be subject to, a preliminary
determination under subsection (d)(1); and
``(5) any other individual determined appropriate by the
Director.
``(j) Definitions.--In this section:
``(1) Appropriate congressional committees.--The term
`appropriate congressional committees' means--
``(A) the Committee on Homeland Security of the
House of Representatives; and
``(B) the Committee on Homeland Security and
Governmental Affairs of the Senate.
``(2) National critical function.--The term `national
critical function' means a function of the Federal Government
or a United States private sector entity, as determined by the
Director, that the disruption, corruption, or dysfunction of
such function would have a debilitating effect on security,
national economic security, national public health or safety,
or any combination thereof.''.
(c) Assessment of Risk Management Coordination.--
(1) In general.--Not later than 120 days after the date of
the enactment of this Act, the Director, in consultation with
the heads of Sector Risk Management Agencies and covered
stakeholders, shall conduct an assessment of potential
processes for, and benefits of, enhanced risk management
coordination between the Federal Government and the owners and
operators of elements of critical infrastructure designated as
systemically important pursuant to section 2220A of the
Homeland Security Act of 2002, as added by subsection (b) of
this Act.
(2) Consideration.--The assessment required under paragraph
(1) shall include a consideration of--
(A) opportunities for enhanced intelligence support
and information-sharing;
(B) prioritized Federal technical assistance;
(C) any other process for, or benefit of, enhanced
risk management coordination determined appropriate by
the Director; and
(D) any additional resources or authorization
required to conduct enhanced risk management
coordination between the Federal Government and owners
and operators of elements of critical infrastructure
designated as systemically important pursuant to
section 2220A of the Homeland Security Act of 2002, as
added by subsection (b) of this Act, including the
prevention of duplicative requirements for regulated
sectors and entities.
(3) Covered stakeholders described.--The term ``covered
stakeholders'' has the meaning given such term in section
2220A(i) of the Homeland Security Act of 2002, as added by
subsection (b) of this Act.
SEC. 3. PRIORITIZATION OF CLEARANCES FOR SYSTEMICALLY IMPORTANT
CRITICAL INFRASTRUCTURE.
Section 2212 of the Homeland Security Act of 2002 (6 U.S.C. 662) is
amended by adding at the end the following new sentence: ``In carrying
out this section, the Secretary shall prioritize the applications of
owners and operators of elements of critical infrastructure designated
as systemically important pursuant to section 2220A.''.