[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 1316 Reported in Senate (RS)]
<DOC>
Calendar No. 648
117th CONGRESS
2d Session
S. 1316
[Report No. 117-257]
To amend the Homeland Security Act of 2002 to authorize the Secretary
of Homeland Security to make a declaration of a significant incident,
and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
April 22, 2021
Mr. Peters (for himself and Mr. Portman) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
December 14, 2022
Reported by Mr. Peters, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to authorize the Secretary
of Homeland Security to make a declaration of a significant incident,
and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Cyber Response and Recovery
Act of 2021''.</DELETED>
<DELETED>SEC. 2. DECLARATION OF A SIGNIFICANT INCIDENT.</DELETED>
<DELETED> (a) In General.--Title XXII of the Homeland Security Act
of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the
following:</DELETED>
<DELETED>``Subtitle C--Declaration of a Significant Incident</DELETED>
<DELETED>``SEC. 2231. DEFINITIONS.</DELETED>
<DELETED> ``For the purposes of this subtitle:</DELETED>
<DELETED> ``(1) Asset response activity.--The term `asset
response activity' means an activity to support an entity
impacted by an incident with the response to, remediation of,
or recovery from, the incident, including--</DELETED>
<DELETED> ``(A) furnishing technical and advisory
assistance to the entity to protect the assets of the
entity, mitigate vulnerabilities, and reduce the
related impacts;</DELETED>
<DELETED> ``(B) assessing potential risks to the
critical infrastructure sector or geographic region
impacted by the incident, including potential cascading
effects of the incident on other critical
infrastructure sectors or geographic regions;</DELETED>
<DELETED> ``(C) developing courses of action to
mitigate the risks assessed under subparagraph
(B);</DELETED>
<DELETED> ``(D) facilitating information sharing and
operational coordination with entities performing
threat response activities; and</DELETED>
<DELETED> ``(E) providing guidance on how best to
use Federal resources and capabilities in a timely,
effective manner to speed recovery from the
incident.</DELETED>
<DELETED> ``(2) Declaration.--The term `declaration' means a
declaration of the Secretary under section
2232(a)(1).</DELETED>
<DELETED> ``(3) Director.--The term `Director' means the
Director of the Cybersecurity and Infrastructure Security
Agency.</DELETED>
<DELETED> ``(4) Federal agency.--The term `Federal agency'
has the meaning given the term `agency' in section 3502 of
title 44, United States Code.</DELETED>
<DELETED> ``(5) Fund.--The term `Fund' means the Cyber
Response and Recovery Fund established under section
2233(a).</DELETED>
<DELETED> ``(6) Incident.--The term `incident' has the
meaning given the term in section 3552 of title 44, United
States Code.</DELETED>
<DELETED> ``(7) Renewal.--The term `renewal' means a renewal
of a declaration under section 2232(d).</DELETED>
<DELETED> ``(8) Significant incident.--The term `significant
incident'--</DELETED>
<DELETED> ``(A) means an incident or a group of
related incidents that results, or is likely to result,
in demonstrable harm to--</DELETED>
<DELETED> ``(i) the national security
interests, foreign relations, or economy of the
United States; or</DELETED>
<DELETED> ``(ii) the public confidence,
civil liberties, or public health and safety of
the people of the United States; and</DELETED>
<DELETED> ``(B) does not include an incident or a
portion of a group of related incidents that occurs
on--</DELETED>
<DELETED> ``(i) a national security system
(as defined in section 3552 of title 44, United
States Code); or</DELETED>
<DELETED> ``(ii) an information system
described in paragraph (2) or (3) of section
3553(e) of title 44, United States
Code.</DELETED>
<DELETED>``SEC. 2232. DECLARATION.</DELETED>
<DELETED> ``(a) In General.--</DELETED>
<DELETED> ``(1) Declaration.--The Secretary, in consultation
with the National Cyber Director, may make a declaration of a
significant incident in accordance with this section if the
Secretary determines that--</DELETED>
<DELETED> ``(A) a specific significant incident--
</DELETED>
<DELETED> ``(i) has occurred; or</DELETED>
<DELETED> ``(ii) is likely to occur
imminently; and</DELETED>
<DELETED> ``(B) otherwise available resources, other
than the Fund, are likely insufficient to respond
effectively to, or to mitigate effectively, the
specific significant incident described in subparagraph
(A).</DELETED>
<DELETED> ``(2) Prohibition on delegation.--The Secretary
may not delegate the authority provided to the Secretary under
paragraph (1).</DELETED>
<DELETED> ``(b) Asset Response Activities.--Upon a declaration, the
Director shall coordinate--</DELETED>
<DELETED> ``(1) the asset response activities of each
Federal agency in response to the specific significant incident
associated with the declaration; and</DELETED>
<DELETED> ``(2) with appropriate entities, which may
include--</DELETED>
<DELETED> ``(A) public and private entities and
State and local governments with respect to the asset
response activities of those entities and governments;
and</DELETED>
<DELETED> ``(B) Federal, State, local, and Tribal
law enforcement agencies with respect to investigations
and threat response activities of those law enforcement
agencies.</DELETED>
<DELETED> ``(c) Duration.--Subject to subsection (d), a declaration
shall terminate upon the earlier of--</DELETED>
<DELETED> ``(1) a determination by the Secretary that the
declaration is no longer necessary; or</DELETED>
<DELETED> ``(2) the expiration of the 120-day period
beginning on the date on which the Secretary makes the
declaration.</DELETED>
<DELETED> ``(d) Renewal.--The Secretary, without delegation, may
renew a declaration as necessary.</DELETED>
<DELETED> ``(e) Publication.--Not later than 72 hours after a
declaration or a renewal, the Secretary shall publish the declaration
or renewal in the Federal Register.</DELETED>
<DELETED> ``(f) Advance Actions.--The Secretary--</DELETED>
<DELETED> ``(1) shall assess the resources available to
respond to a potential declaration; and</DELETED>
<DELETED> ``(2) may take actions before and while a
declaration is in effect to arrange or procure additional
resources for asset response activities or technical assistance
the Secretary determines necessary, which may include entering
into standby contracts with private entities for cybersecurity
services or incident responders in the event of a
declaration.</DELETED>
<DELETED>``SEC. 2233. CYBER RESPONSE AND RECOVERY FUND.</DELETED>
<DELETED> ``(a) In General.--There is established a Cyber Response
and Recovery Fund, which shall be available for--</DELETED>
<DELETED> ``(1) the coordination of activities described in
section 2232(b);</DELETED>
<DELETED> ``(2) response and recovery support for the
specific significant incident associated with a declaration to
Federal, State, local, and Tribal, entities and public and
private entities on a reimbursable or non-reimbursable basis,
including through asset response activities and technical
assistance, such as--</DELETED>
<DELETED> ``(A) vulnerability assessments and
mitigation;</DELETED>
<DELETED> ``(B) technical incident
mitigation;</DELETED>
<DELETED> ``(C) malware analysis;</DELETED>
<DELETED> ``(D) analytic support;</DELETED>
<DELETED> ``(E) threat detection and hunting;
and</DELETED>
<DELETED> ``(F) network protections;</DELETED>
<DELETED> ``(3) as the Director determines appropriate,
grants for, or cooperative agreements with, Federal, State,
local, and Tribal public and private entities to respond to,
and recover from, the specific significant incident associated
with a declaration, such as--</DELETED>
<DELETED> ``(A) hardware or software to replace,
update, improve, harden, or enhance the functionality
of existing hardware, software, or systems;
and</DELETED>
<DELETED> ``(B) technical contract personnel
support; and</DELETED>
<DELETED> ``(4) advance actions taken by the Secretary under
section 2232(f)(2).</DELETED>
<DELETED> ``(b) Deposits.--Money shall be deposited into the Fund
from--</DELETED>
<DELETED> ``(1) appropriations to the Fund for activities of
the Fund;</DELETED>
<DELETED> ``(2) reimbursement from Federal agencies for the
activities described in paragraphs (1), (2), and (4) of
subsection (a); and</DELETED>
<DELETED> ``(3) any other income incident to activities of
the Fund.</DELETED>
<DELETED> ``(c) Supplement Not Supplant.--Amounts in the Fund shall
be used to supplement, not supplant, other Federal, State, local, or
Tribal funding for activities in response to a declaration.</DELETED>
<DELETED>``SEC. 2234. NOTIFICATION AND REPORTING.</DELETED>
<DELETED> ``(a) Notification.--Upon a declaration or renewal, the
Secretary shall immediately notify the National Cyber Director and
appropriate congressional committees and include in the notification--
</DELETED>
<DELETED> ``(1) an estimation of the planned duration of the
declaration;</DELETED>
<DELETED> ``(2) with respect to a notification of a
declaration, the reason for the declaration, including
information relating to the specific significant incident or
imminent specific significant incident, including--</DELETED>
<DELETED> ``(A) the operational or mission impact or
anticipated impact of the specific significant incident
on Federal and non-Federal entities;</DELETED>
<DELETED> ``(B) if known, the perpetrator of the
specific significant incident; and</DELETED>
<DELETED> ``(C) the scope of the Federal and non-
Federal entities impacted or anticipated to be impacted
by the specific significant incident;</DELETED>
<DELETED> ``(3) with respect to a notification of a renewal,
the reason for the renewal;</DELETED>
<DELETED> ``(4) justification as to why available resources,
other than the Fund, are insufficient to respond to or mitigate
the specific significant incident; and</DELETED>
<DELETED> ``(5) a description of the coordination activities
described in section 2232(b) that the Secretary anticipates the
Director to perform.</DELETED>
<DELETED> ``(b) Report to Congress.--Not later than 180 days after
the date of a declaration or renewal, the Secretary shall submit to the
appropriate congressional committees a report that includes--</DELETED>
<DELETED> ``(1) the reason for the declaration or renewal,
including information and intelligence relating to the specific
significant incident that led to the declaration or
renewal;</DELETED>
<DELETED> ``(2) the use of any funds from the Fund for the
purpose of responding to the incidents or threat described in
paragraph (1);</DELETED>
<DELETED> ``(3) a description of the actions, initiatives,
and projects undertaken by the Department and State and local
governments and public and private entities in responding to
and recovering from the specific significant incident described
in paragraph (1);</DELETED>
<DELETED> ``(4) an accounting of the specific obligations
and outlays of the Fund; and</DELETED>
<DELETED> ``(5) an analysis of--</DELETED>
<DELETED> ``(A) the impact of the specific
significant incident described in paragraph (1) on
Federal and non-Federal entities;</DELETED>
<DELETED> ``(B) the impact of the declaration or
renewal on the response to, and recovery from, the
specific significant incident described in paragraph
(1); and</DELETED>
<DELETED> ``(C) the impact of the funds made
available from the Fund as a result of the declaration
or renewal on the recovery from, and response to, the
specific significant incident described in paragraph
(1).</DELETED>
<DELETED> ``(c) Classification.--Each notification made under
subsection (a) and each report submitted under subsection (b)--
</DELETED>
<DELETED> ``(1) shall be in an unclassified form;
and</DELETED>
<DELETED> ``(2) may include a classified annex.</DELETED>
<DELETED> ``(d) Consolidated Report.--The Secretary shall not be
required to submit multiple reports under subsection (b) for multiple
declarations or renewals if the Secretary determines that the
declarations or renewals substantively relate to the same specific
significant incident.</DELETED>
<DELETED> ``(e) Exemption.--The requirements of subchapter I of
chapter 35 of title 44 (commonly known as the `Paperwork Reduction
Act') shall not apply to the voluntary collection of information by the
Department during an investigation of, a response to, or an immediate
post-response review of, the specific significant incident leading to a
declaration or renewal.</DELETED>
<DELETED>``SEC. 2235. RULE OF CONSTRUCTION.</DELETED>
<DELETED> ``Nothing in this subtitle shall be construed to impair or
limit the ability of the Director to carry out the authorized
activities of the Cybersecurity and Infrastructure Security
Agency.</DELETED>
<DELETED>``SEC. 2236. AUTHORIZATION OF APPROPRIATIONS.</DELETED>
<DELETED> ``There are authorized to be appropriated to the Fund
$20,000,000 for fiscal year 2022, which shall remain available to be
expended until September 30, 2028.</DELETED>
<DELETED>``SEC. 2237. SUNSET.</DELETED>
<DELETED> ``The authorities granted to the Secretary or the Director
under this subtitle shall expire on the date that is 7 years after the
date of enactment of the Cyber Response and Recovery Act of
2021.''.</DELETED>
<DELETED> (b) Clerical Amendment.--The table of contents in section
1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 116
Stat. 2135) is amended by adding at the end the following:</DELETED>
<DELETED>``Subtitle C--Declaration of a Significant Incident
<DELETED>``Sec. 2231. Definitions.
<DELETED>``Sec. 2232. Declaration.
<DELETED>``Sec. 2233. Cyber response and recovery fund.
<DELETED>``Sec. 2234. Notification and reporting.
<DELETED>``Sec. 2235. Rule of construction.
<DELETED>``Sec. 2236. Authorization of appropriations.
<DELETED>``Sec. 2237. Sunset.''.
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cyber Response and Recovery Act of
2021''.
SEC. 2. DECLARATION OF A SIGNIFICANT INCIDENT.
(a) In General.--Title XXII of the Homeland Security Act of 2002 (6
U.S.C. 651 et seq.) is amended by adding at the end the following:
``Subtitle C--Declaration of a Significant Incident
``SEC. 2231. SENSE OF CONGRESS.
``It is the sense of Congress that--
``(1) the purpose of this subtitle is to authorize the
Secretary to declare that a significant incident has occurred
and to establish the authorities that are provided under the
declaration to respond to and recover from the significant
incident; and
``(2) the authorities established under this subtitle are
intended to enable the Secretary to provide voluntary
assistance to non-Federal entities impacted by a significant
incident.
``SEC. 2232. DEFINITIONS.
``For the purposes of this subtitle:
``(1) Asset response activity.--The term `asset response
activity' means an activity to support an entity impacted by an
incident with the response to, remediation of, or recovery
from, the incident, including--
``(A) furnishing technical and advisory assistance
to the entity to protect the assets of the entity,
mitigate vulnerabilities, and reduce the related
impacts;
``(B) assessing potential risks to the critical
infrastructure sector or geographic region impacted by
the incident, including potential cascading effects of
the incident on other critical infrastructure sectors
or geographic regions;
``(C) developing courses of action to mitigate the
risks assessed under subparagraph (B);
``(D) facilitating information sharing and
operational coordination with entities performing
threat response activities; and
``(E) providing guidance on how best to use Federal
resources and capabilities in a timely, effective
manner to speed recovery from the incident.
``(2) Declaration.--The term `declaration' means a
declaration of the Secretary under section 2233(a)(1).
``(3) Director.--The term `Director' means the Director of
the Cybersecurity and Infrastructure Security Agency.
``(4) Federal agency.--The term `Federal agency' has the
meaning given the term `agency' in section 3502 of title 44,
United States Code.
``(5) Fund.--The term `Fund' means the Cyber Response and
Recovery Fund established under section 2234(a).
``(6) Incident.--The term `incident' has the meaning given
the term in section 3552 of title 44, United States Code.
``(7) Renewal.--The term `renewal' means a renewal of a
declaration under section 2233(d).
``(8) Significant incident.--The term `significant
incident'--
``(A) means an incident or a group of related
incidents that results, or is likely to result, in
demonstrable harm to--
``(i) the national security interests,
foreign relations, or economy of the United
States; or
``(ii) the public confidence, civil
liberties, or public health and safety of the
people of the United States; and
``(B) does not include an incident or a portion of
a group of related incidents that occurs on--
``(i) a national security system (as
defined in section 3552 of title 44, United
States Code); or
``(ii) an information system described in
paragraph (2) or (3) of section 3553(e) of
title 44, United States Code.
``SEC. 2233. DECLARATION.
``(a) In General.--
``(1) Declaration.--The Secretary, in consultation with the
National Cyber Director, may make a declaration of a
significant incident in accordance with this section for the
purpose of enabling the activities described in this subtitle
if the Secretary determines that--
``(A) a specific significant incident--
``(i) has occurred; or
``(ii) is likely to occur imminently; and
``(B) otherwise available resources, other than the
Fund, are likely insufficient to respond effectively
to, or to mitigate effectively, the specific
significant incident described in subparagraph (A).
``(2) Prohibition on delegation.--The Secretary may not
delegate the authority provided to the Secretary under
paragraph (1).
``(b) Asset Response Activities.--Upon a declaration, the Director
shall coordinate--
``(1) the asset response activities of each Federal agency
in response to the specific significant incident associated
with the declaration; and
``(2) with appropriate entities, which may include--
``(A) public and private entities and State and
local governments with respect to the asset response
activities of those entities and governments; and
``(B) Federal, State, local, and Tribal law
enforcement agencies with respect to investigations and
threat response activities of those law enforcement
agencies.
``(c) Duration.--Subject to subsection (d), a declaration shall
terminate upon the earlier of--
``(1) a determination by the Secretary that the declaration
is no longer necessary; or
``(2) the expiration of the 120-day period beginning on the
date on which the Secretary makes the declaration.
``(d) Renewal.--The Secretary, without delegation, may renew a
declaration as necessary.
``(e) Publication.--
``(1) In general.--Not later than 72 hours after a
declaration or a renewal, the Secretary shall publish the
declaration or renewal in the Federal Register.
``(2) Prohibition.--A declaration or renewal published
under paragraph (1) may not include the name of any affected
individual or private company.
``(f) Advance Actions.--
``(1) In general.--The Secretary--
``(A) shall assess the resources available to
respond to a potential declaration; and
``(B) may take actions before and while a
declaration is in effect to arrange or procure
additional resources for asset response activities or
technical assistance the Secretary determines
necessary, which may include entering into standby
contracts with private entities for cybersecurity
services or incident responders in the event of a
declaration.
``(2) Expenditure of funds.--Any expenditure made for the
purpose of paragraph (1)(B) shall be made from amounts--
``(A) available in the Fund; or
``(B) otherwise appropriated to the Department.
``SEC. 2234. CYBER RESPONSE AND RECOVERY FUND.
``(a) In General.--There is established a Cyber Response and
Recovery Fund, which shall be available for--
``(1) the coordination of activities described in section
2233(b);
``(2) response and recovery support for the specific
significant incident associated with a declaration to Federal,
State, local, and Tribal, entities and public and private
entities on a reimbursable or non-reimbursable basis, including
through asset response activities and technical assistance,
such as--
``(A) vulnerability assessments and mitigation;
``(B) technical incident mitigation;
``(C) malware analysis;
``(D) analytic support;
``(E) threat detection and hunting; and
``(F) network protections;
``(3) as the Director determines appropriate, grants for,
or cooperative agreements with, Federal, State, local, and
Tribal public and private entities to respond to, and recover
from, the specific significant incident associated with a
declaration, such as--
``(A) hardware or software to replace, update,
improve, harden, or enhance the functionality of
existing hardware, software, or systems; and
``(B) technical contract personnel support; and
``(4) advance actions taken by the Secretary under section
2233(f)(1)(B).
``(b) Deposits and Expenditures.--
``(1) In general.--Amounts shall be deposited into the Fund
from--
``(A) appropriations to the Fund for activities of
the Fund;
``(B) reimbursement from Federal agencies for the
activities described in paragraphs (1), (2), and (4) of
subsection (a); and
``(C) any other income incident to activities of
the Fund.
``(2) Expenditures.--Any expenditure from the Fund shall be
made from amounts that are available in the Fund from a deposit
described in paragraph (1).
``(c) Supplement Not Supplant.--Amounts in the Fund shall be used
to supplement, not supplant, other Federal, State, local, or Tribal
funding for activities in response to a declaration.
``SEC. 2235. NOTIFICATION AND REPORTING.
``(a) Notification.--Upon a declaration or renewal, the Secretary
shall immediately notify the National Cyber Director and appropriate
congressional committees and include in the notification--
``(1) an estimation of the planned duration of the
declaration;
``(2) with respect to a notification of a declaration, the
reason for the declaration, including information relating to
the specific significant incident or imminent specific
significant incident, including--
``(A) the operational or mission impact or
anticipated impact of the specific significant incident
on Federal and non-Federal entities;
``(B) if known, the perpetrator of the specific
significant incident; and
``(C) the scope of the Federal and non-Federal
entities impacted or anticipated to be impacted by the
specific significant incident;
``(3) with respect to a notification of a renewal, the
reason for the renewal;
``(4) justification as to why available resources, other
than the Fund, are insufficient to respond to or mitigate the
specific significant incident; and
``(5) a description of the coordination activities
described in section 2233(b) that the Secretary anticipates the
Director to perform.
``(b) Report to Congress.--Not later than 180 days after the date
of a declaration or renewal, the Secretary shall submit to the
appropriate congressional committees a report that includes--
``(1) the reason for the declaration or renewal, including
information and intelligence relating to the specific
significant incident that led to the declaration or renewal;
``(2) the use of any funds from the Fund for the purpose of
responding to the incident or threat described in paragraph
(1);
``(3) a description of the actions, initiatives, and
projects undertaken by the Department and State and local
governments and public and private entities in responding to
and recovering from the specific significant incident described
in paragraph (1);
``(4) an accounting of the specific obligations and outlays
of the Fund; and
``(5) an analysis of--
``(A) the impact of the specific significant
incident described in paragraph (1) on Federal and non-
Federal entities;
``(B) the impact of the declaration or renewal on
the response to, and recovery from, the specific
significant incident described in paragraph (1); and
``(C) the impact of the funds made available from
the Fund as a result of the declaration or renewal on
the recovery from, and response to, the specific
significant incident described in paragraph (1).
``(c) Classification.--Each notification made under subsection (a)
and each report submitted under subsection (b)--
``(1) shall be in an unclassified form with appropriate
markings to indicate information that is exempt from disclosure
under section 552 of title 5, United States Code (commonly
known as the `Freedom of Information Act'); and
``(2) may include a classified annex.
``(d) Consolidated Report.--The Secretary shall not be required to
submit multiple reports under subsection (b) for multiple declarations
or renewals if the Secretary determines that the declarations or
renewals substantively relate to the same specific significant
incident.
``(e) Exemption.--The requirements of subchapter I of chapter 35 of
title 44 (commonly known as the `Paperwork Reduction Act') shall not
apply to the voluntary collection of information by the Department
during an investigation of, a response to, or an immediate post-
response review of, the specific significant incident leading to a
declaration or renewal.
``SEC. 2236. RULE OF CONSTRUCTION.
``Nothing in this subtitle shall be construed to impair or limit
the ability of the Director to carry out the authorized activities of
the Cybersecurity and Infrastructure Security Agency.
``SEC. 2237. AUTHORIZATION OF APPROPRIATIONS.
``There are authorized to be appropriated to the Fund $20,000,000
for fiscal year 2022, which shall remain available to be expended until
September 30, 2028.
``SEC. 2238. SUNSET.
``The authorities granted to the Secretary or the Director under
this subtitle shall expire on the date that is 7 years after the date
of enactment of the Cyber Response and Recovery Act of 2021.''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
the Homeland Security Act of 2002 (Public Law 107-296; 116 Stat. 2135)
is amended by adding at the end the following:
``Subtitle C--Declaration of a Significant Incident
``Sec. 2231. Sense of Congress.
``Sec. 2232. Definitions.
``Sec. 2233. Declaration.
``Sec. 2234. Cyber response and recovery fund.
``Sec. 2235. Notification and reporting.
``Sec. 2236. Rule of construction.
``Sec. 2237. Authorization of appropriations.
``Sec. 2238. Sunset.''.
Calendar No. 648
117th CONGRESS
2d Session
S. 1316
[Report No. 117-257]
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to authorize the Secretary
of Homeland Security to make a declaration of a significant incident,
and for other purposes.
_______________________________________________________________________
December 14, 2022
Reported with an amendment