[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 1350 Reported in Senate (RS)]
<DOC>
Calendar No. 652
117th CONGRESS
2d Session
S. 1350
[Report No. 117-261]
To require the Secretary of Homeland Security to establish a national
risk management cycle, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
April 22, 2021
Ms. Hassan (for herself and Mr. Sasse) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
December 15, 2022
Reported by Mr. Peters, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To require the Secretary of Homeland Security to establish a national
risk management cycle, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``National Risk Management
Act of 2021''.</DELETED>
<DELETED>SEC. 2. NATIONAL RISK MANAGEMENT CYCLE.</DELETED>
<DELETED> (a) In General.--Subtitle A of title XXII of the Homeland
Security Act of 2002 (6 U.S.C. 651 et seq.), is amended by adding at
the end the following:</DELETED>
<DELETED>``SEC. 2218. NATIONAL RISK MANAGEMENT CYCLE.</DELETED>
<DELETED> ``(a) Definitions.--In this section:</DELETED>
<DELETED> ``(1) Critical infrastructure.--The term `critical
infrastructure' has the meaning given the term in section
1016(e) of the Critical Infrastructures Protection Act of 2001
(42 U.S.C. 5195c(e)).</DELETED>
<DELETED> ``(2) National critical functions.--The term
`national critical functions' means the functions of government
and the private sector so vital to the United States that their
disruption, corruption, or dysfunction would have a
debilitating effect on security, national economic security,
national public health or safety, or any combination
thereof.</DELETED>
<DELETED> ``(b) National Risk Management Cycle.--</DELETED>
<DELETED> ``(1) Risk identification and assessment.--
</DELETED>
<DELETED> ``(A) In general.--The Secretary, acting
through the Director, shall establish a process by
which to identify, assess, and prioritize risks to
critical infrastructure, considering both cyber and
physical threats, vulnerabilities, and
consequences.</DELETED>
<DELETED> ``(B) Consultation.--In establishing the
process required under subparagraph (A), the Secretary
shall consult with Sector Risk Management Agencies,
critical infrastructure owners and operators, and the
National Cyber Director.</DELETED>
<DELETED> ``(C) Publication.--Not later than 180
days after the date of enactment of this section, the
Secretary shall publish in the Federal Register
procedures for the process established under
subparagraph (A).</DELETED>
<DELETED> ``(D) Report.--The Secretary shall submit
to the President, the Committee on Homeland Security
and Governmental Affairs of the Senate, and the
Committee on Homeland Security of the House of
Representatives a report on the risks identified by the
process established under subparagraph (A)--</DELETED>
<DELETED> ``(i) not later than 1 year after
the date of enactment of this section;
and</DELETED>
<DELETED> ``(ii) not later than 1 year after
the date on which the Secretary submits a
periodic evaluation described in section
9002(b)(2) of title XC of division H of the
William M. (Mac) Thornberry National Defense
Authorization Act for Fiscal Year 2021 (Public
Law 116-283).</DELETED>
<DELETED> ``(2) National critical infrastructure resilience
strategy.--</DELETED>
<DELETED> ``(A) In general.--Not later than 1 year
after the date on which the Secretary delivers each
report required under paragraph (1), the President
shall deliver to majority and minority leaders of the
Senate, the Speaker and minority leader of the House of
Representatives, the Committee on Homeland Security and
Governmental Affairs of the Senate, and the Committee
on Homeland Security of the House of Representatives a
national critical infrastructure resilience strategy
designed to address the risks identified by the
Secretary.</DELETED>
<DELETED> ``(B) Elements.--In each strategy
delivered under subparagraph (A), the President shall--
</DELETED>
<DELETED> ``(i) identify, assess, and
prioritize areas of risk to critical
infrastructure that would compromise, disrupt,
or impede their ability to support the national
critical functions of national security,
economic security, or public health and
safety;</DELETED>
<DELETED> ``(ii) assess the implementation
of the previous national critical
infrastructure resilience strategy, as
applicable;</DELETED>
<DELETED> ``(iii) identify and outline
current and proposed national-level actions,
programs, and efforts to be taken to address
the risks identified;</DELETED>
<DELETED> ``(iv) identify the Federal
departments or agencies responsible for leading
each national-level action, program, or effort
and the relevant critical infrastructure
sectors for each;</DELETED>
<DELETED> ``(v) outline the budget plan
required to provide sufficient resources to
successfully execute the full range of
activities proposed or described by the
strategy; and</DELETED>
<DELETED> ``(vi) request any additional
authorities or resources necessary to
successfully execute the strategy.</DELETED>
<DELETED> ``(C) Form.--Each strategy delivered under
subparagraph (A) shall be unclassified, but may contain
a classified annex.</DELETED>
<DELETED> ``(3) Congressional briefing.--Not later than 1
year after the date on which the President delivers a strategy
under this section, and every year thereafter, the Secretary,
in coordination with Sector Risk Management Agencies, shall
brief the appropriate committees of Congress on the national
risk management cycle activities undertaken pursuant to the
strategy.''.</DELETED>
<DELETED> (b) Technical and Conforming Amendment.--The table of
contents in section 1(b) of the Homeland Security Act of 2002 (Public
Law 107-296; 116 Stat. 2135) is amended by inserting after the item
relating to section 2217 the following:</DELETED>
<DELETED>``Sec. 2218. National risk management cycle.''.
SECTION 1. SHORT TITLE.
This Act may be cited as the ``National Risk Management Act of
2021''.
SEC. 2. NATIONAL RISK MANAGEMENT CYCLE.
(a) In General.--Subtitle A of title XXII of the Homeland Security
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the
following:
``SEC. 2218. NATIONAL RISK MANAGEMENT CYCLE.
``(a) National Critical Functions Defined.--In this section, the
term `national critical functions' means the functions of government
and the private sector so vital to the United States that their
disruption, corruption, or dysfunction would have a debilitating effect
on security, national economic security, national public health or
safety, or any combination thereof.
``(b) National Risk Management Cycle.--
``(1) Risk identification and assessment.--
``(A) In general.--The Secretary, acting through
the Director, shall establish a recurring process by
which to identify, assess, and prioritize risks to
critical infrastructure, considering both cyber and
physical threats, the associated likelihoods,
vulnerabilities, and consequences, and the resources
necessary to address them.
``(B) Consultation.--In establishing the process
required under subparagraph (A), the Secretary shall
consult with, and request and collect information to
support analysis from, Sector Risk Management Agencies,
critical infrastructure owners and operators, the
Assistant to the President for National Security
Affairs, the Assistant to the President for Homeland
Security, and the National Cyber Director.
``(C) Publication.--Not later than 180 days after
the date of enactment of this section, the Secretary
shall publish in the Federal Register procedures for
the process established under subparagraph (A), subject
to any redactions the Secretary determines are
necessary to protect classified or other sensitive
information.
``(D) Report.--The Secretary shall submit to the
President, the Committee on Homeland Security and
Governmental Affairs of the Senate, and the Committee
on Homeland Security of the House of Representatives a
report on the risks identified by the process
established under subparagraph (A)--
``(i) not later than 1 year after the date
of enactment of this section; and
``(ii) not later than 1 year after the date
on which the Secretary submits a periodic
evaluation described in section 9002(b)(2) of
title XC of division H of the William M. (Mac)
Thornberry National Defense Authorization Act
for Fiscal Year 2021 (Public Law 116-283).
``(2) National critical infrastructure resilience
strategy.--
``(A) In general.--Not later than 1 year after the
date on which the Secretary delivers each report
required under paragraph (1), the President shall
deliver to majority and minority leaders of the Senate,
the Speaker and minority leader of the House of
Representatives, the Committee on Homeland Security and
Governmental Affairs of the Senate, and the Committee
on Homeland Security of the House of Representatives a
national critical infrastructure resilience strategy
designed to address the risks identified by the
Secretary.
``(B) Elements.--Each strategy delivered under
subparagraph (A) shall--
``(i) identify, assess, and prioritize
areas of risk to critical infrastructure that
would compromise or disrupt national critical
functions impacting national security, economic
security, or public health and safety;
``(ii) assess the implementation of the
previous national critical infrastructure
resilience strategy, as applicable;
``(iii) identify and outline current and
proposed national-level actions, programs, and
efforts to be taken to address the risks
identified;
``(iv) identify the Federal departments or
agencies responsible for leading each national-
level action, program, or effort and the
relevant critical infrastructure sectors for
each; and
``(v) request any additional authorities
necessary to successfully execute the strategy.
``(C) Form.--Each strategy delivered under
subparagraph (A) shall be unclassified, but may contain
a classified annex.
``(3) Congressional briefing.--Not later than 1 year after
the date on which the President delivers the first strategy
required under paragraph (2)(A), and every year thereafter, the
Secretary, in coordination with Sector Risk Management
Agencies, shall brief the appropriate congressional committees
on--
``(A) the national risk management cycle activities
undertaken pursuant to the strategy; and
``(B) the amounts and timeline for funding that the
Secretary has determined would be necessary to address
risks and successfully execute the full range of
activities proposed by the strategy.''.
(b) Technical and Conforming Amendment.--The table of contents in
section 1(b) of the Homeland Security Act of 2002 (Public Law 107-296;
116 Stat. 2135) is amended by inserting after the item relating to
section 2217 the following:
``Sec. 2218. National risk management cycle.''.
Calendar No. 652
117th CONGRESS
2d Session
S. 1350
[Report No. 117-261]
_______________________________________________________________________
A BILL
To require the Secretary of Homeland Security to establish a national
risk management cycle, and for other purposes.
_______________________________________________________________________
December 15, 2022
Reported with an amendment