[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2491 Reported in Senate (RS)]
<DOC>
Calendar No. 670
117th CONGRESS
2d Session
S. 2491
[Report No. 117-271]
To amend the Homeland Security Act of 2002 to establish the National
Cyber Resilience Assistance Fund, to improve the ability of the Federal
Government to assist in enhancing critical infrastructure cyber
resilience, to improve security in the national cyber ecosystem, to
address Systemically Important Critical Infrastructure, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 27, 2021
Mr. King (for himself, Mr. Rounds, Mr. Sasse, Ms. Rosen, Ms. Hassan,
and Mr. Ossoff) introduced the following bill; which was read twice and
referred to the Committee on Homeland Security and Governmental Affairs
December 19, 2022
Reported by Mr. Peters, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to establish the National
Cyber Resilience Assistance Fund, to improve the ability of the Federal
Government to assist in enhancing critical infrastructure cyber
resilience, to improve security in the national cyber ecosystem, to
address Systemically Important Critical Infrastructure, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE; TABLE OF CONTENTS.</DELETED>
<DELETED> (a) Short Title.--This Act may be cited as the ``Defense
of United States Infrastructure Act of 2021''.</DELETED>
<DELETED> (b) Table of Contents.--The table of contents for this Act
is as follows:</DELETED>
<DELETED>Sec. 1. Short title; table of contents.
<DELETED>TITLE I--INVESTING IN CYBER RESILIENCY IN CRITICAL
INFRASTRUCTURE
<DELETED>Sec. 101. Establishment of the National Cyber Resilience
Assistance Fund.
<DELETED>TITLE II--IMPROVING THE ABILITY OF THE FEDERAL GOVERNMENT TO
ASSIST IN ENHANCING CRITICAL INFRASTRUCTURE CYBER RESILIENCE
<DELETED>Sec. 201. Institute a 5-year term for the cybersecurity and
infrastructure security director.
<DELETED>Sec. 202. Create a joint collaborative environment.
<DELETED>Sec. 203. Designate three critical technology security
centers.
<DELETED>TITLE III--IMPROVING SECURITY IN THE NATIONAL CYBER ECOSYSTEM
<DELETED>Sec. 301. Establish a National Cybersecurity Certification and
Labeling Authority.
<DELETED>Sec. 302. Establish the Bureau of Cybersecurity Statistics.
<DELETED>Sec. 303. Secure foundational internet protocols.
<DELETED>TITLE IV--SYSTEMICALLY IMPORTANT CRITICAL INFRASTRUCTURE
<DELETED>Sec. 401. Definitions.
<DELETED>Sec. 402. Systemically Important Critical Infrastructure.
<DELETED>Sec. 403. Plan for enhancement of Systemically Important
Critical Infrastructure methodology and
capability.
<DELETED>TITLE V--ENABLING THE NATIONAL CYBER DIRECTOR
<DELETED>Sec. 501. Establishment of hiring authorities for the Office
of the National Cyber Director.
<DELETED>TITLE I--INVESTING IN CYBER RESILIENCY IN CRITICAL
INFRASTRUCTURE</DELETED>
<DELETED>SEC. 101. ESTABLISHMENT OF THE NATIONAL CYBER RESILIENCE
ASSISTANCE FUND.</DELETED>
<DELETED> (a) Sense of Congress.--It is the sense of Congress that--
</DELETED>
<DELETED> (1) the United States now operates in a cyber
landscape that requires a level of data security, resilience,
and trustworthiness that neither the United States Government
nor the private sector alone is currently equipped to
provide;</DELETED>
<DELETED> (2) the United States must deny benefits to
adversaries who have long exploited cyberspace to their
advantage, to the disadvantage of the United States, and at
little cost to themselves;</DELETED>
<DELETED> (3) this new approach requires securing critical
networks in collaboration with the private sector to promote
national resilience and increase the security of the cyber
ecosystem;</DELETED>
<DELETED> (4) reducing the vulnerabilities adversaries can
target denies them opportunities to attack the interests of the
United States through cyberspace;</DELETED>
<DELETED> (5) the public and private sectors struggle to
coordinate cyber defenses, leaving gaps that decrease national
resilience and create systemic risk;</DELETED>
<DELETED> (6) new technology continues to emerge that
further compounds these challenges;</DELETED>
<DELETED> (7) while the Homeland Security Grant Program and
resourcing for national preparedness under the Federal
Emergency Management Agency are well-established, the United
States Government has no equivalent for cybersecurity
preparation or prevention;</DELETED>
<DELETED> (8) the lack of a consistent, resourced fund for
investing in resilience in key areas inhibits the United States
Government from conveying its understanding of risk into
strategy, planning, and action in furtherance of core
objectives for the security and resilience of critical
infrastructure;</DELETED>
<DELETED> (9) Congress has worked diligently to establish
the Cybersecurity and Infrastructure Security Agency, creating
a new agency that can leverage broad authorities to receive and
share information, provide technical assistance to operators,
and partner with stakeholders across the executive branch,
State and local communities, and the private sector;</DELETED>
<DELETED> (10) the Cybersecurity and Infrastructure Security
Agency requires strengthening in its mission to ensure the
national resilience of critical infrastructure, promote a more
secure cyber ecosystem, and serve as the central coordinating
element to support and integrate Federal, State, local, and
private-sector cybersecurity efforts; and</DELETED>
<DELETED> (11) the Cybersecurity and Infrastructure Security
Agency requires further resource investment and clear
authorities to realize its full potential.</DELETED>
<DELETED> (b) Amendments.--Subtitle A of title XXII of the Homeland
Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--</DELETED>
<DELETED> (1) in section 2202(c) (6 U.S.C. 652(c))--
</DELETED>
<DELETED> (A) in paragraph (11), by striking ``and''
at the end;</DELETED>
<DELETED> (B) in the first paragraph designated as
paragraph (12), relating to the Cybersecurity State
Coordinator--</DELETED>
<DELETED> (i) by striking ``section 2215''
and inserting ``section 2217''; and</DELETED>
<DELETED> (ii) by striking ``and'' at the
end; and</DELETED>
<DELETED> (C) by redesignating the second and third
paragraphs designated as paragraph (12) as paragraphs
(13) and (14), respectively;</DELETED>
<DELETED> (2) by redesignating section 2217 (6 U.S.C. 665f)
as section 2220;</DELETED>
<DELETED> (3) by redesignating section 2216 (6 U.S.C. 665e)
as section 2219;</DELETED>
<DELETED> (4) by redesignating the fourth section 2215
(relating to Sector Risk Management Agencies) (6 U.S.C. 665d)
as section 2218;</DELETED>
<DELETED> (5) by redesignating the third section 2215
(relating to the Cybersecurity State Coordinator) (6 U.S.C.
665c) as section 2217;</DELETED>
<DELETED> (6) by redesignating the second section 2215
(relating to the Joint Cyber Planning Office) (6 U.S.C. 665b)
as section 2216; and</DELETED>
<DELETED> (7) by adding at the end the following:</DELETED>
<DELETED>``SEC. 2220A. NATIONAL CYBER RESILIENCE ASSISTANCE
FUND.</DELETED>
<DELETED> ``(a) Definitions.--In this section:</DELETED>
<DELETED> ``(1) Cybersecurity risk.--The term `cybersecurity
risk' has the meaning given that term in section
2209.</DELETED>
<DELETED> ``(2) Eligible entity.--The term `eligible entity'
means an entity that meets the guidelines and requirements for
eligible entities established by the Secretary under subsection
(d)(4).</DELETED>
<DELETED> ``(3) Fund.--The term `Fund' means the National
Cyber Resilience Assistance Fund established under subsection
(c).</DELETED>
<DELETED> ``(4) National critical functions.--The term
`national critical functions' means the functions of government
and the private sector so vital to the United States that their
disruption, corruption, or dysfunction would have a
debilitating effect on security, national economic security,
national public health or safety, or any combination
thereof.</DELETED>
<DELETED> ``(b) Creation of a Critical Infrastructure Resilience
Strategy and a National Risk Management Cycle.--</DELETED>
<DELETED> ``(1) Initial risk identification and
assessment.--</DELETED>
<DELETED> ``(A) In general.--The Secretary, acting
through the Director, shall establish a process by
which to identify, assess, and prioritize risks to
critical infrastructure, considering both cyber and
physical threats, vulnerabilities, and
consequences.</DELETED>
<DELETED> ``(B) Consultation.--In establishing the
process required under subparagraph (A), the Secretary
shall consult with Sector Risk Management Agencies,
critical infrastructure owners and operators, and the
National Cyber Director.</DELETED>
<DELETED> ``(C) Publication.--Not later than 180
days after the date of enactment of this section, the
Secretary shall publish in the Federal Register
procedures for the process established under
subparagraph (A).</DELETED>
<DELETED> ``(D) Report.--Not later than 1 year after
the date of enactment of this section, the Secretary
shall submit to the President, the Committee on
Homeland Security and Governmental Affairs of the
Senate, and the Committee on Homeland Security of the
House of Representatives a report on the risks
identified by the process established under
subparagraph (A).</DELETED>
<DELETED> ``(2) Initial national critical infrastructure
resilience strategy.--</DELETED>
<DELETED> ``(A) In general.--Not later than 1 year
after the date on which the Secretary delivers the
report required under paragraph (1)(D), the President
shall deliver to majority and minority leaders of the
Senate, the Speaker and minority leader of the House of
Representatives, the Committee on Homeland Security and
Governmental Affairs of the Senate, and the Committee
on Homeland Security of the House of Representatives a
national critical infrastructure resilience strategy
designed to address the risks identified by the
Secretary.</DELETED>
<DELETED> ``(B) Elements.--In the strategy delivered
under subparagraph (A), the President shall--</DELETED>
<DELETED> ``(i) identify, assess, and
prioritize areas of risk to critical
infrastructure that would compromise, disrupt,
or impede the ability of the critical
infrastructure to support the national critical
functions of national security, economic
security, or public health and
safety;</DELETED>
<DELETED> ``(ii) identify and outline
current and proposed national-level actions,
programs, and efforts to be taken to address
the risks identified;</DELETED>
<DELETED> ``(iii) identify the Federal
departments or agencies responsible for leading
each national-level action, program, or effort
and the relevant critical infrastructure
sectors for each;</DELETED>
<DELETED> ``(iv) outline the budget plan
required to provide sufficient resources to
successfully execute the full range of
activities proposed or described by the
strategy; and</DELETED>
<DELETED> ``(v) request any additional
authorities or resources necessary to
successfully execute the strategy.</DELETED>
<DELETED> ``(C) Form.--The strategy delivered under
subparagraph (A) shall be unclassified, but may contain
a classified annex.</DELETED>
<DELETED> ``(3) Congressional briefing.--Not later than 1
year after the date on which the President delivers the
strategy under subparagraph (A), and every year thereafter, the
Secretary, in coordination with Sector Risk Management
Agencies, shall brief the appropriate congressional committees
on the national risk management cycle activities undertaken
pursuant to the strategy.</DELETED>
<DELETED> ``(4) Five year risk management cycle.--</DELETED>
<DELETED> ``(A) Risk identification and
assessment.--Under procedures established by the
Secretary, the Secretary shall repeat the conducting
and reporting of the risk identification and assessment
required under paragraph (1), in accordance with the
requirements in paragraph (1), every 5 years.</DELETED>
<DELETED> ``(B) Strategy.--Under procedures
established by the President, the President shall
repeat the preparation and delivery of the critical
infrastructure resilience strategy required under
paragraph (2), in accordance with the requirements in
paragraph (2), every 5 years, which shall also include
assessing the implementation of the previous national
critical infrastructure resilience strategy.</DELETED>
<DELETED> ``(c) Establishment of the National Cyber Resilience
Assistance Fund.--There is established in the Treasury of the United
States a fund, to be known as the `National Cyber Resilience Assistance
Fund', which shall be available for the cost of risk-based grant
programs focused on systematically increasing the resilience of public
and private critical infrastructure against cybersecurity risk, thereby
increasing the overall resilience of the United States.</DELETED>
<DELETED> ``(d) Administration of Grants From the National Cyber
Resilience Assistance Fund.--</DELETED>
<DELETED> ``(1) In general.--In accordance with this
section, the Secretary, acting through the Administrator of the
Federal Emergency Management Agency and the Director, shall
develop and administer processes to--</DELETED>
<DELETED> ``(A) establish focused grant programs to
address identified areas of cybersecurity risk to, and
bolster the resilience of, critical
infrastructure;</DELETED>
<DELETED> ``(B) accept and evaluate applications for
each such grant program;</DELETED>
<DELETED> ``(C) award grants under each such grant
program; and</DELETED>
<DELETED> ``(D) disburse amounts from the
Fund.</DELETED>
<DELETED> ``(2) Establishment of risk-focused grant
programs.--</DELETED>
<DELETED> ``(A) Establishment.--</DELETED>
<DELETED> ``(i) In general.--The Secretary,
acting through the Director and the
Administrator of the Federal Emergency
Management Agency, may establish not less than
1 grant program focused on mitigating an
identified category of cybersecurity risk
identified under the national risk management
cycle and critical infrastructure resilience
strategy under subsection (b) in order to
bolster the resilience of critical
infrastructure within the United
States.</DELETED>
<DELETED> ``(ii) Selection of focus area.--
Before selecting a focus area for a grant
program pursuant to this subparagraph, the
Director shall ensure--</DELETED>
<DELETED> ``(I) there is a clearly
defined cybersecurity risk identified
through the national risk management
cycle and critical infrastructure
resilience strategy under subsection
(b) to be mitigated;</DELETED>
<DELETED> ``(II) market forces do
not provide sufficient private-sector
incentives to mitigate the risk without
Government investment; and</DELETED>
<DELETED> ``(III) there is clear
Federal need, role, and responsibility
to mitigate the risk in order to
bolster the resilience of critical
infrastructure.</DELETED>
<DELETED> ``(B) Funding.--</DELETED>
<DELETED> ``(i) Recommendation.--Beginning
in the first fiscal year following the
establishment of the Fund and each fiscal year
thereafter, the Director shall--</DELETED>
<DELETED> ``(I) assess the funds
available in the Fund for the fiscal
year; and</DELETED>
<DELETED> ``(II) recommend to the
Secretary the total amount to be made
available from the Fund under each
grant program established under this
subsection.</DELETED>
<DELETED> ``(ii) Allocation.--After
considering the recommendations made by the
Director under clause (i) for a fiscal year,
the Director shall allocate amounts from the
Fund to each active grant program established
under this subsection for the fiscal
year.</DELETED>
<DELETED> ``(3) Use of funds.--Amounts in the Fund shall be
used to mitigate risks identified through the national risk
management cycle and critical infrastructure resilience
strategy under subsection (b).</DELETED>
<DELETED> ``(4) Eligible entities.--</DELETED>
<DELETED> ``(A) Guidelines and requirements.--
</DELETED>
<DELETED> ``(i) In general.--In accordance
with clause (ii), the Secretary shall submit to
the Committee on Homeland Security and
Governmental Affairs and the Committee on
Appropriations of the Senate and the Committee
on Homeland Security and the Committee on
Appropriations of the House of Representatives
a set of guidelines and requirements for
determining the entities that are eligible
entities.</DELETED>
<DELETED> ``(ii) Deadlines.--The Secretary
shall submit the guidelines and requirements
under clause (i)--</DELETED>
<DELETED> ``(I) not later than 180
days after the date of enactment of
this section, and every 2 years
thereafter; and</DELETED>
<DELETED> ``(II) not later than 30
days before the date on which the
Secretary implements the guidelines and
requirements.</DELETED>
<DELETED> ``(B) Considerations.--In developing
guidelines and requirements for eligible entities under
subparagraph (A), the Secretary shall consider--
</DELETED>
<DELETED> ``(i) number of
employees;</DELETED>
<DELETED> ``(ii) annual revenue;</DELETED>
<DELETED> ``(iii) existing entity
cybersecurity spending;</DELETED>
<DELETED> ``(iv) current cyber risk
assessments, including credible threats,
vulnerabilities, and consequences;
and</DELETED>
<DELETED> ``(v) entity capacity to invest in
mitigating cybersecurity risk absent assistance
from the Federal Government.</DELETED>
<DELETED> ``(5) Limitation.--For any fiscal year, an
eligible entity may not receive more than 1 grant from each
grant program established under this subsection.</DELETED>
<DELETED> ``(6) Grant processes.--The Secretary, acting
through the Administrator of the Federal Emergency Management
Agency, shall require the submission of such information as the
Secretary determines is necessary to--</DELETED>
<DELETED> ``(A) evaluate a grant application against
the criteria established under this section;</DELETED>
<DELETED> ``(B) disburse grant funds;</DELETED>
<DELETED> ``(C) provide oversight of disbursed grant
funds; and</DELETED>
<DELETED> ``(D) evaluate the effectiveness of the
funded project in increasing the overall resilience of
the United States with respect to cybersecurity
risks.</DELETED>
<DELETED> ``(7) Grant criteria.--For each grant program
established under this subsection, the Director, in
coordination with the Administrator of the Federal Emergency
Management Agency, shall develop and publish criteria for
evaluating applications for funding, which shall include--
</DELETED>
<DELETED> ``(A) whether the application identifies a
clearly defined cybersecurity risk;</DELETED>
<DELETED> ``(B) whether the cybersecurity risk
identified in the grant application poses a substantial
threat to critical infrastructure;</DELETED>
<DELETED> ``(C) whether the application identifies a
program or project clearly designed to mitigate a
cybersecurity risk;</DELETED>
<DELETED> ``(D) the potential consequences of
leaving the identified cybersecurity risk unmitigated,
including the potential impact to the critical
functions and overall resilience of the nation;
and</DELETED>
<DELETED> ``(E) other appropriate factors identified
by the Director.</DELETED>
<DELETED> ``(8) Evaluation of grants applications.--
</DELETED>
<DELETED> ``(A) In general.--Utilizing the criteria
established under paragraph (7), the Director, in
coordination with the Administrator of the Federal
Emergency Management Agency, shall evaluate grant
applications made under each grant program established
under this subsection.</DELETED>
<DELETED> ``(B) Recommendation.--Following the
evaluations required under subparagraph (A), the
Director shall recommend to the Secretary applications
for approval, including the amount of funding
recommended for each such approval.</DELETED>
<DELETED> ``(9) Award of grant funding.--The Secretary
shall--</DELETED>
<DELETED> ``(A) review the recommendations of the
Director prepared pursuant to paragraph (8);
and</DELETED>
<DELETED> ``(B) provide a final determination of
grant awards to the Administrator of the Federal
Emergency Management Agency to be disbursed and
administered under the process established under
paragraph (6).</DELETED>
<DELETED> ``(e) Evaluation of Grant Programs Utilizing the National
Cyber Resilience Assistance Fund.--</DELETED>
<DELETED> ``(1) Evaluation.--The Secretary shall establish a
process to evaluate the effectiveness and efficiency of grants
distributed under this section and develop appropriate updates,
as needed, to the grant programs.</DELETED>
<DELETED> ``(2) Annual report.--Not later than 180 days
after the conclusion of the first fiscal year in which grants
are awarded under this section, and every fiscal year
thereafter, the Secretary shall submit to the Committee on
Homeland Security and Governmental Affairs and the Committee on
Appropriations of the Senate and the Committee on Homeland
Security and the Committee on Appropriations of the House of
Representatives a report detailing the grants awarded from the
Fund, the status of projects undertaken with the grant funds,
any planned changes to the disbursement methodology of the
Fund, measurements of success, and total outlays from the
Fund.</DELETED>
<DELETED> ``(3) Grant program review.--</DELETED>
<DELETED> ``(A) Annual assessment.--Before the start
of the second fiscal year in which grants are awarded
under this section, and every fiscal year thereafter,
the Director shall assess the grant programs
established under this section and determine--
</DELETED>
<DELETED> ``(i) for the coming fiscal year--
</DELETED>
<DELETED> ``(I) whether new grant
programs with additional focus areas
should be created;</DELETED>
<DELETED> ``(II) whether any
existing grant program should be
discontinued; and</DELETED>
<DELETED> ``(III) whether the scope
of any existing grant program should be
modified; and</DELETED>
<DELETED> ``(ii) the success of the grant
programs in the prior fiscal year.</DELETED>
<DELETED> ``(B) Submission to congress.--Not later
than 90 days before the start of the second fiscal year
in which grants are awarded under this section, and
every fiscal year thereafter, the Secretary shall
submit to the Committee on Homeland Security and
Governmental Affairs and the Committee on
Appropriations of the Senate and the Committee on
Homeland Security and the Committee on Appropriations
of the House of Representatives the assessment
conducted pursuant to subparagraph (A) and any planned
alterations to the grant program for the coming fiscal
year.</DELETED>
<DELETED> ``(f) Limitation on Use of Grant Funds.--Funds awarded
pursuant to this section--</DELETED>
<DELETED> ``(1) shall supplement and not supplant State or
local funds or, as applicable, funds supplied by the Bureau of
Indian Affairs; and</DELETED>
<DELETED> ``(2) may not be used--</DELETED>
<DELETED> ``(A) to provide any Federal cost-sharing
contribution on behalf of a State or local
government;</DELETED>
<DELETED> ``(B) to pay a ransom;</DELETED>
<DELETED> ``(C) by or for a non-United States
entity; or</DELETED>
<DELETED> ``(D) for any recreational or social
purpose.</DELETED>
<DELETED> ``(g) Authorization of Appropriations.--There are
authorized to be appropriated to carry out this section $75,000,000 for
each of fiscal years 2022 through 2026.</DELETED>
<DELETED> ``(h) Transfers Authorized.--During a fiscal year, the
Secretary or the head of any component of the Department that
administers the State and Local Cybersecurity Grant Program may
transfer not more than 5 percent of the amounts appropriated pursuant
to subsection (g) or other amounts appropriated to carry out the
National Cyber Resilience Assistance Fund for that fiscal year to an
account of the Department for salaries, expenses, and other
administrative costs incurred for the management, administration, or
evaluation of this section.''.</DELETED>
<DELETED> (c) Technical and Conforming Amendments.--</DELETED>
<DELETED> (1) Table of contents.--The table of contents in
section 1(b) of the Homeland Security Act of 2002 (Public Law
107-296; 116 Stat. 2135) is amended by striking the item
relating to section 2214 and all that follows through the item
relating to section 2217 and inserting the following:</DELETED>
<DELETED>``Sec. 2214. National Asset Database.
<DELETED>``Sec. 2215. Duties and authorities relating to .gov internet
domain.
<DELETED>``Sec. 2216. Joint Cyber Planning Office.
<DELETED>``Sec. 2217. Cybersecurity State Coordinator.
<DELETED>``Sec. 2218. Sector Risk Management Agencies.
<DELETED>``Sec. 2219. Cybersecurity Advisory Committee.
<DELETED>``Sec. 2220. Cybersecurity education and training programs.
<DELETED>``Sec. 2220A. National Cyber Resilience Assistance Fund.''.
<DELETED> (2) Additional technical amendment.--</DELETED>
<DELETED> (A) Amendment.--Section 904(b)(1) of the
DOTGOV Act of 2020 (title IX of division U of Public
Law 116-260) is amended, in the matter preceding
subparagraph (A), by striking ``Homeland Security Act''
and inserting ``Homeland Security Act of
2002''.</DELETED>
<DELETED> (B) Effective date.--The amendment made by
subparagraph (A) shall take effect as if enacted as
part of the DOTGOV Act of 2020 (title IX of division U
of Public Law 116-260).</DELETED>
<DELETED>TITLE II--IMPROVING THE ABILITY OF THE FEDERAL GOVERNMENT TO
ASSIST IN ENHANCING CRITICAL INFRASTRUCTURE CYBER RESILIENCE</DELETED>
<DELETED>SEC. 201. INSTITUTE A 5-YEAR TERM FOR THE CYBERSECURITY AND
INFRASTRUCTURE SECURITY DIRECTOR.</DELETED>
<DELETED> (a) In General.--Subsection (b)(1) of section 2202 of the
Homeland Security Act of 2002 (6 U.S.C. 652), is amended by inserting
``The Director shall be appointed for a term of 5 years.'' after ``who
shall report to the Secretary.''.</DELETED>
<DELETED> (b) Transition Rules.--The amendment made by subsection
(a) shall take effect on the earlier of--</DELETED>
<DELETED> (1) the first appointment of an individual to the
position of Director of the Cybersecurity and Infrastructure
Protection Agency of the Department of Homeland Security, by
and with the advice and consent of the Senate, that is made on
or after the date of enactment of this Act; or</DELETED>
<DELETED> (2) January 1, 2022.</DELETED>
<DELETED>SEC. 202. CREATE A JOINT COLLABORATIVE ENVIRONMENT.</DELETED>
<DELETED> (a) In General.--The Director of the Cybersecurity and
Infrastructure Security Agency shall establish a joint, cloud-based,
information sharing environment to--</DELETED>
<DELETED> (1) integrate the Federal Government's
unclassified and classified cyber threat information, malware
forensics, and data related to cybersecurity risks (as defined
in section 2209 of the Homeland Security Act of 2002 (6 U.S.C.
659)) that is derived from network sensor programs;</DELETED>
<DELETED> (2) enable cross-correlation of threat data at the
speed and scale necessary for rapid detection and
identification;</DELETED>
<DELETED> (3) enable query and analysis by appropriate
operators across the Federal Government;</DELETED>
<DELETED> (4) facilitate a whole-of-Government,
comprehensive understanding of the cyber threats to the
resilience of the Federal Government and national critical
infrastructure networks;</DELETED>
<DELETED> (5) enable and support the private-public
cybersecurity collaboration efforts of the Federal Government,
whose successes will be directly dependent on the accuracy,
comprehensiveness, and timeliness of threat information
collected and held by the Federal Government; and</DELETED>
<DELETED> (6) enable data curation for artificial
intelligence models and provide an environment to enable the
Federal Government to curate data and build
applications.</DELETED>
<DELETED> (b) Development.--</DELETED>
<DELETED> (1) Initial evaluation.--Not later than 180 days
after the date of enactment of this Act, the Director of the
Cybersecurity and Infrastructure Security Agency, in
coordination with the Director shall--</DELETED>
<DELETED> (A) identify all Federal sources of
classified and unclassified cyber threat
information;</DELETED>
<DELETED> (B) evaluate all programs, applications,
or platforms of the Federal Government that are
intended to detect, identify, analyze, or monitor cyber
threats against the resiliency of the Federal
Government or critical infrastructure; and</DELETED>
<DELETED> (C) submit a recommendation to the
President identifying Federal programs to be designated
and required to participate in the Information Sharing
Environment, including--</DELETED>
<DELETED> (i) Government network-monitoring
and intrusion detection programs;</DELETED>
<DELETED> (ii) cyber threat indicator-
sharing programs and Government-sponsored
network sensors or network-monitoring programs
for the private sector or for State, local,
tribal, and territorial governments;</DELETED>
<DELETED> (iii) incident response and
cybersecurity technical assistance programs;
and</DELETED>
<DELETED> (iv) malware forensics and
reverse-engineering programs.</DELETED>
<DELETED> (2) Designation of participating programs.--Not
later than 60 days after completion of the evaluation required
under paragraph (1), the President shall issue a determination
designating the departments, agencies, Federal programs, and
corresponding systems and assets that are required to be a part
of the Information Sharing Environment.</DELETED>
<DELETED> (3) Design.--Not later than 1 year after
completion of the evaluation required under paragraph (1), the
Director of the Cybersecurity and Infrastructure Security
Agency, in consultation with the Director, shall design the
structure of a common platform for sharing and fusing existing
Government information, insights, and data related to cyber
threats and threat actors, which, at a minimum, shall--
</DELETED>
<DELETED> (A) account for appropriate data standards
and interoperability requirements;</DELETED>
<DELETED> (B) enable integration of existing
applications, platforms, data, and information, to
include classified information;</DELETED>
<DELETED> (C) ensure access by such Federal
departments and agencies as the Director of the
Cybersecurity and Infrastructure Security Agency
determines necessary;</DELETED>
<DELETED> (D) account for potential private sector
participation and partnerships;</DELETED>
<DELETED> (E) enable unclassified data to be
integrated with classified data;</DELETED>
<DELETED> (F) anticipate the deployment of analytic
tools across classification levels to leverage all
relevant data sets, as appropriate;</DELETED>
<DELETED> (G) identify tools and analytical software
that can be applied and shared to manipulate,
transform, and display data and other identified
needs;</DELETED>
<DELETED> (H) anticipate the integration of new
technologies and data streams, including data related
to cybersecurity risks derived from Government-
sponsored voluntary network sensors or network-
monitoring programs for the private sector or for
State, local, Tribal, and territorial governments;
and</DELETED>
<DELETED> (I) appropriately account for departments,
agencies, programs, and systems and assets determined
to be required to participate by the President under
paragraph (2) in the Information Sharing
Environment.</DELETED>
<DELETED> (c) Operation.--The Information Sharing Environment shall
be managed by the Director of the Cybersecurity and Infrastructure
Security Agency.</DELETED>
<DELETED> (d) Post-Deployment Assessment.--Not later than 1 year
after the date on which the Information Sharing Environment is
established, the Director of the Cybersecurity and Infrastructure
Security Agency and the Director shall assess the means by which the
Information Sharing Environment may be expanded to include the private
sector and critical infrastructure information sharing organizations
and, to the maximum extent practicable, begin the process of such
expansion.</DELETED>
<DELETED> (e) Private Sector Sharing Information Sharing
Protections.--To the extent any private entity shares cyber threat
indicators and defensive measures through or with the Information
Sharing Environment and in a manner that is consistent with all
requirements under section 1752 of the William M. (Mac) Thornberry
National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C.
1500), the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501
et seq.), and any applicable guidelines promulgated under subsection
(f), such activities shall be considered to be authorized by and in
accordance with section 1752 of the William M. (Mac) Thornberry
National Defense Authorization Act for Fiscal Year 2021 and the
Cybersecurity Information Sharing Act of 2015.</DELETED>
<DELETED> (f) Privacy and Civil Liberties.--</DELETED>
<DELETED> (1) Guidelines of attorney general.--Not later
than 60 days after the date of enactment of this Act, the
Secretary of Homeland Security (acting through the Director of
the Cybersecurity and Infrastructure Security Agency) and the
Attorney General, shall jointly, and in coordination with heads
of the appropriate Federal entities and in consultation with
officers designated under section 1062 of the National Security
Intelligence Reform Act of 2004 (42 U.S.C. 2000ee-1), develop,
submit to Congress, and make available to the public interim
guidelines relating to privacy and civil liberties which shall
govern the receipt, retention, use, and dissemination of cyber
threat indicators by a Federal entity obtained in connection
with activities authorized in this section.</DELETED>
<DELETED> (2) Final guidelines.--</DELETED>
<DELETED> (A) In general.--Not later than 180 days
after the date of enactment of this Act, the Secretary
of Homeland Security (acting through the Director of
the Cybersecurity and Infrastructure Security Agency)
and the Attorney General, shall jointly, in
coordination with heads of the appropriate Federal
entities and in consultation with officers designated
under section 1062 of the National Security
Intelligence Reform Act of 2004 (42 U.S.C. 2000ee-1)
and such private entities with industry expertise as
the Secretary and the Attorney General consider
relevant, promulgate final guidelines relating to
privacy and civil liberties which shall govern the
receipt, retention, use, and dissemination of cyber
threat indicators by a Federal entity obtained in
connection with activities authorized in this
section.</DELETED>
<DELETED> (B) Periodic review.--The Secretary of
Homeland Security (acting through the Director of the
Cybersecurity and Infrastructure Security Agency) and
the Attorney General, shall jointly, in coordination
with heads of the appropriate Federal entities and in
consultation with officers and private entities
described in subparagraph (A), periodically, but not
less frequently than once every 2 years, review the
guidelines promulgated under subparagraph
(A).</DELETED>
<DELETED> (3) Content.--The guidelines required by
paragraphs (1) and (2) shall, consistent with the need to
bolster the resilience of information systems and mitigate
cybersecurity threats--</DELETED>
<DELETED> (A) limit the effect on privacy and civil
liberties of activities by the Federal Government under
this section;</DELETED>
<DELETED> (B) limit the receipt, retention, use, and
dissemination of cyber threat indicators containing
personal information or information that identifies
specific persons, including by establishing--</DELETED>
<DELETED> (i) a process for the timely
destruction of such information that is known
not to be directly related to uses authorized
under this section; and</DELETED>
<DELETED> (ii) specific limitations on the
length of any period in which a cyber threat
indicator may be retained;</DELETED>
<DELETED> (C) include requirements to safeguard
cyber threat indicators containing personal information
or information that identifies specific persons from
unauthorized access or acquisition, including
appropriate sanctions for activities by officers,
employees, or agents of the Federal Government in
contravention of such guidelines;</DELETED>
<DELETED> (D) include procedures for notifying
entities and Federal entities if information received
pursuant to this subsection is known or determined by a
Federal entity receiving such information not to
constitute a cyber threat indicator;</DELETED>
<DELETED> (E) protect the confidentiality of cyber
threat indicators containing personal information or
information that identifies specific persons to the
greatest extent practicable and require recipients to
be informed that such indicators may only be used for
purposes authorized under this section; and</DELETED>
<DELETED> (F) include steps that may be needed so
that dissemination of cyber threat indicators is
consistent with the protection of classified and other
sensitive national security information.</DELETED>
<DELETED> (g) Oversight of Government Activities.--</DELETED>
<DELETED> (1) Biennial report on privacy and civil
liberties.--Not later than 2 years after the date of enactment
of this Act, and not less frequently than once every year
thereafter, the Privacy and Civil Liberties Oversight Board
shall submit to Congress and the President a report providing--</DELETED>
<DELETED> (A) an assessment of the effect on privacy
and civil liberties by the type of activities carried
out under this section; and</DELETED>
<DELETED> (B) an assessment of the sufficiency of
the guidelines established pursuant to subsection (f)
in addressing concerns relating to privacy and civil
liberties.</DELETED>
<DELETED> (2) Biennial report by inspectors general.--</DELETED>
<DELETED> (A) In general.--Not later than 2 years
after the date of enactment of this Act, and not less
frequently than once every 2 years thereafter, the
Inspector General of the Department of Homeland
Security, the Inspector General of the Intelligence
Community, the Inspector General of the Department of
Justice, the Inspector General of the Department of
Defense, and the Inspector General of the Department of
Energy shall, in consultation with the Council of
Inspectors General on Integrity and Efficiency, jointly
submit to Congress a report on the receipt, use, and
dissemination of cyber threat indicators and defensive
measures that have been shared with Federal entities
under this section.</DELETED>
<DELETED> (B) Contents.--Each report submitted under
subparagraph (A) shall include the following:</DELETED>
<DELETED> (i) A review of the types of cyber
threat indicators shared with Federal
entities.</DELETED>
<DELETED> (ii) A review of the actions taken
by Federal entities as a result of the receipt
of such cyber threat indicators.</DELETED>
<DELETED> (iii) A list of Federal entities
receiving such cyber threat
indicators.</DELETED>
<DELETED> (iv) A review of the sharing of
such cyber threat indicators among Federal
entities to identify inappropriate barriers to
sharing information.</DELETED>
<DELETED> (3) Recommendations.--Each report submitted under
this subsection may include such recommendations as the Privacy
and Civil Liberties Oversight Board, with respect to a report
submitted under paragraph (1), or the Inspectors General
referred to in paragraph (2)(A), with respect to a report
submitted under paragraph (2), may have for improvements or
modifications to the authorities under this section.</DELETED>
<DELETED> (4) Form.--Each report required under this
subsection shall be submitted in unclassified form, but may
include a classified annex.</DELETED>
<DELETED> (h) Authorization of Appropriations.--There are authorized
to be appropriated to carry out this section $100,000,000 for each of
fiscal years 2022 through 2026.</DELETED>
<DELETED> (i) Definitions.--In this section:</DELETED>
<DELETED> (1) Critical infrastructure.--The term ``critical
infrastructure'' has the meaning given that term in section
1016(e) of the Critical Infrastructure Protection Act of 2001
(42 U.S.C. 5195c(e)).</DELETED>
<DELETED> (2) Director.--The term ``Director'' means the
National Cyber Director.</DELETED>
<DELETED> (3) Information sharing environment.--The term
``Information Sharing Environment'' means the information
sharing environment established under subsection (a).</DELETED>
<DELETED>SEC. 203. DESIGNATE THREE CRITICAL TECHNOLOGY SECURITY
CENTERS.</DELETED>
<DELETED> (a) In General.--Section 307(b)(3) of the Homeland
Security Act of 2002 (6 U.S.C. 187(b)(3)), is amended--</DELETED>
<DELETED> (1) in the matter preceding subparagraph (A), by
inserting ``national laboratories,'' before ``and
universities'';</DELETED>
<DELETED> (2) in subparagraph (C), by striking ``and'' at
the end;</DELETED>
<DELETED> (3) in subparagraph (D), by striking the period at
the end and inserting ``; and''; and</DELETED>
<DELETED> (4) by adding at the end the following:</DELETED>
<DELETED> ``(E) establish not less than 1, and not
more than 3, cybersecurity-focused critical technology
security centers, in order to bolster the overall
resilience of the networks and critical infrastructure
of the United States, to perform--</DELETED>
<DELETED> ``(i) network technology security
testing, to test the security of cyber-related
hardware and software;</DELETED>
<DELETED> ``(ii) connected industrial
control system security testing, to test the
security of connected programmable data logic
controllers, supervisory control and data
acquisition servers, and other cyber connected
industrial equipment; and</DELETED>
<DELETED> ``(iii) open source software
security testing, to test and coordinate
efforts to fix vulnerabilities in open-source
software.''.</DELETED>
<DELETED> (b) Authorization of Appropriations.--There are authorized
to be appropriated to carry out the amendments made by this section
$15,000,000 for each of fiscal years 2022 through 2026.</DELETED>
<DELETED>TITLE III--IMPROVING SECURITY IN THE NATIONAL CYBER
ECOSYSTEM</DELETED>
<DELETED>SEC. 301. ESTABLISH A NATIONAL CYBERSECURITY CERTIFICATION AND
LABELING AUTHORITY.</DELETED>
<DELETED> (a) Definitions.--In this section:</DELETED>
<DELETED> (1) Accredited certifying agent.--The term
``accredited certifying agent'' means any person who is
accredited by the Authority as a certifying agent for the
purposes of certifying a specific class of critical information
and communications technology.</DELETED>
<DELETED> (2) Authority.--The term ``Authority'' means the
National Cybersecurity Certification and Labeling Authority
established under subsection (b)(1).</DELETED>
<DELETED> (3) Certification.--The term ``certification''
means a seal or symbol provided by the Authority or an
accredited certifying agent, that results from passage of a
comprehensive evaluation of an information and communications
technology that establishes the extent to which a particular
design and implementation meets a set of specified security
standards.</DELETED>
<DELETED> (4) Critical information and communications
technology.--The term ``critical information and communications
technology'' means information and communications technology
that is in use in critical infrastructure sectors and that
underpins the resilience of national critical functions, as
determined by the Secretary.</DELETED>
<DELETED> (5) Critical infrastructure.--The term ``critical
infrastructure'' has the meaning given that term in section
1016(e) of the Critical Infrastructure Protection Act of 2001
(42 U.S.C. 5195c(e)).</DELETED>
<DELETED> (6) Label.--The term ``label'' means a clear,
visual, and easy to understand symbol or list that conveys
specific information about a product's security attributes,
characteristics, functionality, components, or other
features.</DELETED>
<DELETED> (7) Program.--The term ``Program'' means the
program administered under subsection (b)(1).</DELETED>
<DELETED> (8) Secretary.--The term ``Secretary'' means the
Secretary of Homeland Security.</DELETED>
<DELETED> (b) National Cybersecurity Certification and Labeling
Authority.--</DELETED>
<DELETED> (1) Establishment.--There is established a
National Cybersecurity Certification and Labeling Authority for
the purpose of establishing and administering a voluntary
national cybersecurity certification and labeling program for
critical information and communications technology in order to
bolster the resilience of the networks and critical
infrastructure of the United States.</DELETED>
<DELETED> (2) Programs.--</DELETED>
<DELETED> (A) Accreditation of certifying agents.--
As part of the Program, the Authority shall define and
publish a process whereby governmental and
nongovernmental entities may apply to become accredited
certifying agents for the certification of specific
critical information and communications technology,
including--</DELETED>
<DELETED> (i) smartphones;</DELETED>
<DELETED> (ii) tablets;</DELETED>
<DELETED> (iii) laptop computers;</DELETED>
<DELETED> (iv) operating systems;</DELETED>
<DELETED> (v) routers;</DELETED>
<DELETED> (vi) software-as-a-service;</DELETED>
<DELETED> (vii) infrastructure-as-a-service;</DELETED>
<DELETED> (viii) platform-as-a-service;</DELETED>
<DELETED> (ix) programmable logic
controllers;</DELETED>
<DELETED> (x) intelligent electronic
devices; and</DELETED>
<DELETED> (xi) programmable automation
controllers.</DELETED>
<DELETED> (B) Identification of standards,
frameworks, and benchmarks.--As part of the Program,
the Authority shall work in coordination with
accredited certifying agents, the Secretary, and
subject matter experts from the Federal Government,
academia, nongovernmental organizations, and the
private sector to identify and harmonize common
security standards, frameworks, and benchmarks against
which the security of critical information and
communications technologies may be measured.</DELETED>
<DELETED> (C) Product certification.--As part of the
Program, the Authority, in consultation with the
Secretary and other experts from the Federal
Government, academia, nongovernmental organizations,
and the private sector, shall--</DELETED>
<DELETED> (i) develop, and disseminate to
accredited certifying agents, guidelines to
standardize the presentation of certifications
to communicate the level of security for
critical information and communications
technologies;</DELETED>
<DELETED> (ii) develop, or permit accredited
certifying agents to develop, certification
criteria for critical information and
communications technologies based on identified
security standards, frameworks, and benchmarks,
through the work conducted under subparagraph
(B);</DELETED>
<DELETED> (iii) issue, or permit accredited
certifying agents to issue, certifications for
critical information and communications
technology that meet and comply with security
standards, frameworks, and benchmarks
identified through the work conducted under
subparagraph (B);</DELETED>
<DELETED> (iv) permit a manufacturer or
distributor of critical information and
communications technology to display a
certificate reflecting the extent to which the
critical information and communications
technology meets security standards,
frameworks, and benchmarks identified through
the work conducted under subparagraph
(B);</DELETED>
<DELETED> (v) remove the certification of a
critical information and communications
technology as a critical information and
communications technology certified under the
Program if the manufacturer of the certified
critical information and communications
technology falls out of conformity with the
security standards, frameworks, or
benchmarks identified through the work
conducted under subparagraph (B) for the
critical information and communications
technology;</DELETED>
<DELETED> (vi) work to enhance public
awareness of the certification and labeling
efforts of the Authority and accredited
certifying agents, including through public
outreach, education, research and development,
and other means; and</DELETED>
<DELETED> (vii) publicly display a list of
labels and certified critical information and
communications technology, along with their
respective certification information.</DELETED>
<DELETED> (D) Certifications.--</DELETED>
<DELETED> (i) In general.--A certification
shall remain valid for 1 year from the date of
issuance.</DELETED>
<DELETED> (ii) Classes of certification.--In
developing the guidelines and criteria required
under subparagraph (C)(i), the Authority shall
designate at least 3 classes of certifications,
including the following:</DELETED>
<DELETED> (I) For critical
information and communications
technology which the product
manufacturer or service provider
attests meets the criteria for a
certification, attestation-based
certification.</DELETED>
<DELETED> (II) For critical
information and communications
technology products and services that
have undergone third-party
accreditation of criteria for
certification, accreditation-based
certification.</DELETED>
<DELETED> (III) For critical
information and communications
technology that has undergone a
security evaluation and testing process
by a qualifying third party, as
determined by the Authority, test-based
certification.</DELETED>
<DELETED> (E) Product labeling.--The Authority, in
consultation with the Secretary and other experts from
the Federal Government, academia, nongovernmental
organizations, and the private sector, shall--</DELETED>
<DELETED> (i) collaborate with the private
sector to standardize language and define a
labeling schema to provide transparent
information on the security characteristics and
constituent components of a software or
hardware product; and</DELETED>
<DELETED> (ii) establish a mechanism by
which product developers can provide this
information for both product labeling and
public posting.</DELETED>
<DELETED> (3) Enforcement.--</DELETED>
<DELETED> (A) In general.--It shall be unlawful for
a product manufacturer, distributor, or seller to--</DELETED>
<DELETED> (i) falsely attest to, or falsify
an audit or test for, a security standard,
framework, or benchmark for
certification;</DELETED>
<DELETED> (ii) intentionally mislabel a
product; or</DELETED>
<DELETED> (iii) fail to maintain the
security standard, framework, or benchmark to
which the manufacturer, distributor, or seller
attested.</DELETED>
<DELETED> (B) Enforcement by federal trade
commission.--</DELETED>
<DELETED> (i) Unfair or deceptive acts or
practices.--A violation of subparagraph (A)
shall be treated as an unfair and deceptive act
or practice in violation of a regulation under
section 18(a)(1)(B) of the Federal Trade
Commission Act (15 U.S.C. 57a(a)(1)(B))
regarding unfair or deceptive acts or
practices.</DELETED>
<DELETED> (ii) Powers of commission.--</DELETED>
<DELETED> (I) In general.--The
Federal Trade Commission shall enforce
this paragraph in the same manner, by
the same means, and with the same
jurisdiction, powers, and duties as
though all applicable terms and
provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.)
were incorporated into and made a part
of this paragraph.</DELETED>
<DELETED> (II) Privileges and
immunities.--Any person who violates
this paragraph shall be subject to the
penalties and entitled to the
privileges and immunities provided in
the Federal Trade Commission Act (15
U.S.C. 41 et seq.).</DELETED>
<DELETED> (c) Selection of the Authority.--</DELETED>
<DELETED> (1) Selection.--The Secretary shall issue a notice
of funding opportunity and select, on a competitive basis, a
nonprofit, nongovernmental organization to serve as the
Authority for a period of 5 years.</DELETED>
<DELETED> (2) Eligibility for selection.--The Secretary may
only select an organization to serve as the Authority if such
organization--</DELETED>
<DELETED> (A) is a nongovernmental, nonprofit
organization that is--</DELETED>
<DELETED> (i) exempt from taxation under
section 501(a) of the Internal Revenue Code of
1986; and</DELETED>
<DELETED> (ii) described in sections
501(c)(3) and 170(b)(1)(A)(vi) of that
Code;</DELETED>
<DELETED> (B) has a demonstrable track record of
work on cybersecurity and information security
standards, frameworks, and benchmarks; and</DELETED>
<DELETED> (C) possesses requisite staffing and
expertise, with demonstrable prior experience in
technology security or safety standards, frameworks,
and benchmarks, as well as certification.</DELETED>
<DELETED> (3) Application.--The Secretary shall establish a
process by which a nonprofit, nongovernmental organization that
seeks to be selected as the Authority may apply for
consideration.</DELETED>
<DELETED> (4) Program evaluation.--Not later than the date
that is 4 years after the initial selection pursuant to paragraph
(1), and every 4 years thereafter, the Secretary shall--</DELETED>
<DELETED> (A) assess the effectiveness of the labels
and certificates produced by the Authority, including--</DELETED>
<DELETED> (i) assessing the costs to
businesses that manufacture critical
information and communications technology
participating in the Program;</DELETED>
<DELETED> (ii) evaluating the level of
participation in the Program by businesses that
manufacture critical information and
communications technology; and</DELETED>
<DELETED> (iii) assessing the level of
public awareness and consumer awareness of the
label;</DELETED>
<DELETED> (B) audit the impartiality and fairness of
the Authority's activities conducted under this
section;</DELETED>
<DELETED> (C) issue a public report on the
assessment most recently carried out under subparagraph
(A) and the audit most recently carried out under
subparagraph (B); and</DELETED>
<DELETED> (D) brief Congress on the findings of the
Secretary with respect to the most recent assessment
under subparagraph (A) and the most recent audit under
subparagraph (B).</DELETED>
<DELETED> (5) Renewal.--After the initial selection pursuant
to paragraph (1), the Secretary shall, every 5 years--</DELETED>
<DELETED> (A) accept applications from nonprofit,
nongovernmental organizations seeking selection as the
Authority; and</DELETED>
<DELETED> (B) following competitive consideration of
all applications--</DELETED>
<DELETED> (i) renew the selection of the
organization serving as the Authority;
or</DELETED>
<DELETED> (ii) select another applicant
organization to serve as the
Authority.</DELETED>
<DELETED> (d) Authorization of Appropriations.--There are authorized
to be appropriated to carry out this section $25,000,000 for each of
fiscal years 2022 through 2026.</DELETED>
<DELETED>SEC. 302. ESTABLISH THE BUREAU OF CYBERSECURITY
STATISTICS.</DELETED>
<DELETED> (a) Definitions.--In this section:</DELETED>
<DELETED> (1) Bureau.--The term ``Bureau'' means the Bureau
of Cybersecurity Statistics established under subsection
(b).</DELETED>
<DELETED> (2) Covered entity.--The term ``covered entity''
means any nongovernmental organization, corporation, trust,
partnership, sole proprietorship, unincorporated association,
or venture (without regard to whether it is established for
profit) that is engaged in or affecting interstate commerce and
that provides cybersecurity incident response services or
cybersecurity insurance products.</DELETED>
<DELETED> (3) Cyber incident.--The term ``cyber incident''
includes each of the following:</DELETED>
<DELETED> (A) Unauthorized access to an information
system or network that leads to loss of
confidentiality, integrity, or availability of that
information system or network.</DELETED>
<DELETED> (B) Disruption of business operations due
to a distributed denial of service attack against an
information system or network.</DELETED>
<DELETED> (C) Unauthorized access or disruption of
business operations due to loss of service facilitated
through, or caused by a cloud service provider, managed
service provider, or other data hosting
provider.</DELETED>
<DELETED> (D) Fraudulent or malicious use of a cloud
service account, data hosting account, internet service
account, or any other digital service.</DELETED>
<DELETED> (4) Director.--The term ``Director'' means the
Director of the Bureau.</DELETED>
<DELETED> (5) Statistical purpose.--The term ``statistical
purpose''--</DELETED>
<DELETED> (A) means the description, estimation, or
analysis of the characteristics of groups, without
identifying the individuals or organizations that
comprise such groups; and</DELETED>
<DELETED> (B) includes the development,
implementation, or maintenance of methods, technical or
administrative procedures, or information resources
that support the purposes described in subsection
(e).</DELETED>
<DELETED> (b) Establishment.--There is established within the
Department of Homeland Security a Bureau of Cybersecurity
Statistics.</DELETED>
<DELETED> (c) Director.--</DELETED>
<DELETED> (1) In general.--The Bureau shall be headed by a
Director, who shall--</DELETED>
<DELETED> (A) report to the Secretary of Homeland
Security; and</DELETED>
<DELETED> (B) be appointed by the
President.</DELETED>
<DELETED> (2) Authority.--The Director shall--</DELETED>
<DELETED> (A) have final authority for all
cooperative agreements and contracts awarded by the
Bureau;</DELETED>
<DELETED> (B) be responsible for the integrity of
data and statistics collected or issued by the Bureau;
and</DELETED>
<DELETED> (C) protect against improper or illegal
use or disclosure of information furnished for
exclusively statistical purposes under this section,
consistent with the requirements of subsection
(f).</DELETED>
<DELETED> (3) Qualifications.--The Director--</DELETED>
<DELETED> (A) shall have experience in statistical
programs; and</DELETED>
<DELETED> (B) shall not--</DELETED>
<DELETED> (i) engage in any other
employment; or</DELETED>
<DELETED> (ii) hold any office in, or act in
any capacity for, any organization, agency, or
institution with which the Bureau makes any
contract or other arrangement under this
section.</DELETED>
<DELETED> (4) Duties and functions.--The Director shall--</DELETED>
<DELETED> (A) collect and analyze information
concerning cybersecurity, including data related to
cyber incidents, cyber crime, and any other area the
Director determines appropriate;</DELETED>
<DELETED> (B) collect and analyze data that will
serve as a continuous and comparable national
indication of the prevalence, incidents, rates, extent,
distribution, and attributes of all relevant cyber
incidents, as determined by the Director, in support of
national policy and decision making;</DELETED>
<DELETED> (C) compile, collate, analyze, publish,
and disseminate uniform national cyber statistics
concerning any area that the Director determines
appropriate;</DELETED>
<DELETED> (D) in coordination with the National
Institute of Standards and Technology, recommend
national standards, metrics, and measurement criteria
for cyber statistics and for ensuring the reliability
and validity of statistics collected pursuant to this
subsection;</DELETED>
<DELETED> (E) conduct or support research relating
to methods of gathering or analyzing cyber
statistics;</DELETED>
<DELETED> (F) enter into cooperative agreements or
contracts with public agencies, institutions of higher
education, or private organizations for purposes
related to this subsection;</DELETED>
<DELETED> (G) provide appropriate information to the
President, the Congress, Federal agencies, the private
sector, and the general public on cyber
statistics;</DELETED>
<DELETED> (H) maintain liaison with State and local
governments concerning cyber statistics;</DELETED>
<DELETED> (I) confer and cooperate with Federal
statistical agencies as needed to carry out the
purposes of this section, including by entering into
cooperative data sharing agreements in conformity with
all laws and regulations applicable to the disclosure
and use of data; and</DELETED>
<DELETED> (J) request from any person or entity
information, data, and reports as may be required to
carry out the purposes of this subsection.</DELETED>
<DELETED> (d) Furnishment of Information, Data, or Reports by
Federal Departments and Agencies.--Federal departments and agencies
requested by the Director to furnish information, data, or reports
pursuant to subsection (c)(4)(J) shall provide to the Bureau such
information as the Director determines necessary to carry out the
purposes of this section.</DELETED>
<DELETED> (e) Furnishment of Cyber Incident Information, Data, or
Reports to the Bureau by the Private Sector.--</DELETED>
<DELETED> (1) In general.--Not later than 180 days after the
date of enactment of this Act, and every 180 days thereafter,
each covered entity shall submit to the Bureau a report
containing such data and information as the Director determines
necessary to carry out the purposes of this section.</DELETED>
<DELETED> (2) Determination of data and information
necessary to carry out the purposes of this section.--Not later
than 90 days after the date of enactment of this Act, and
annually thereafter, the Director shall publish a list of data
and information determined necessary to carry out the purposes
of this section, including individual descriptions of cyber
incidents, which shall include--</DELETED>
<DELETED> (A) identification of the affected
databases, information systems, or devices that were,
or are reasonably believed to have been accessed by an
unauthorized person;</DELETED>
<DELETED> (B) where applicable, a description of the
vulnerabilities, tactics, techniques, and procedures
used;</DELETED>
<DELETED> (C) where applicable, any identifying
information related to the malicious actors who
perpetrated the incident;</DELETED>
<DELETED> (D) where applicable, any cybersecurity
controls implemented by the victim organization;
and</DELETED>
<DELETED> (E) the industrial sectors, regions, and
size of affected entities (as determined by number of
employees) without providing any information that can
reasonably be expected to identify such
entities.</DELETED>
<DELETED> (3) Standards for submission of information and
data.--Not later than 180 days after the date of enactment of
this Act, the Director shall, in consultation with covered
entities, develop standardized procedures for the submission of
data and information the Director determines necessary to carry
out the purposes of this section.</DELETED>
<DELETED> (4) Private sector reporting.--Not later than 90
days after the date on which the Director develops the
standards required under paragraph (3), the Director shall--</DELETED>
<DELETED> (A) publish the processes for submission
of information, data, and reports by covered entities;
and</DELETED>
<DELETED> (B) begin accepting reporting required
under paragraph (1).</DELETED>
<DELETED> (5) Regulatory use.--Information disclosed to the
Bureau under this section that is not otherwise available,
shall not be used by the Federal Government or any State,
local, tribal, or territorial government to sanction or
otherwise punish the entity disclosing the information, or the
entity in which the cyber incident initially
occurred.</DELETED>
<DELETED> (6) Preservation of privilege.--Disclosure of
information pursuant to this section or by a covered entity to
the Bureau shall not waive any otherwise applicable privilege,
immunity, or protection provided by law.</DELETED>
<DELETED> (7) Preservation of existing obligations.--Nothing
in this section shall modify, prevent, or abrogate any notice
or notification obligations under Federal contracts,
enforceable agreements with the government, or other Federal
law.</DELETED>
<DELETED> (8) Enforcement.--</DELETED>
<DELETED> (A) Unfair or deceptive acts or
practices.--Compliance with the requirements imposed
under this subsection by covered entities shall be
enforced by the Federal Trade Commission under the
Federal Trade Commission Act (15 U.S.C. 41 et seq.).
For the purpose of the exercise by the Federal Trade
Commission of its functions and powers under the
Federal Trade Commission Act, a violation of any
requirement or prohibition imposed under this
subsection shall be treated as an unfair and deceptive
act or practice in violation of a regulation under
section 18(a)(1)(B) of the Federal Trade Commission Act
(15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive
acts or practices.</DELETED>
<DELETED> (B) Powers of commission.--Subject to
subparagraph (C), the Federal Trade Commission shall
enforce this subsection in the same manner, by the same
means, and with the same jurisdiction, powers, and
duties as though all applicable terms and provisions of
the Federal Trade Commission Act (15 U.S.C. 41 et seq.)
were incorporated into and made a part of this
subsection.</DELETED>
<DELETED> (C) Additional entities.--</DELETED>
<DELETED> (i) In general.--Notwithstanding
sections 4, 5(a)(2), or 6 of the Federal Trade
Commission Act (15 U.S.C. 44, 45(a)(2), 46) or
any jurisdictional limitation of the Federal
Trade Commission, the Federal Trade Commission
shall also enforce this subsection, in the same
manner provided in subparagraph (A) of this
paragraph, with respect to--</DELETED>
<DELETED> (I) organizations not
organized to carry on business for
their own profit or that of their
members; and</DELETED>
<DELETED> (II) common carriers
subject to the Communications Act of
1934 (47 U.S.C. 151 et seq.).</DELETED>
<DELETED> (ii) Coordination and notice.--The
Federal Trade Commission shall--</DELETED>
<DELETED> (I) coordinate with the
Federal Communications Commission
regarding enforcement of this
subsection with respect to common
carriers subject to the Communications
Act of 1934 (47 U.S.C. 151 et
seq.);</DELETED>
<DELETED> (II) notify the Bureau of
Consumer Financial Protection regarding
enforcement of this subsection with
respect to information associated with
the provision of financial products or
services by an entity that provides a
consumer financial product or service
(as defined in section 1002 of the
Consumer Financial Protection Act of
2010 (12 U.S.C. 5481)); and</DELETED>
<DELETED> (III) for enforcement of
this subsection with respect to matters
implicating the jurisdiction or
authorities of another Federal agency,
notify that agency as
appropriate.</DELETED>
<DELETED> (D) Privileges and immunities.--Any
covered entity that violates the requirements imposed
under this subsection shall be subject to the penalties
and entitled to the privileges and immunities provided
in the Federal Trade Commission Act (15 U.S.C. 41 et
seq.).</DELETED>
<DELETED> (E) Construction.--Nothing in this
paragraph shall be construed to limit the authority of
the Federal Trade Commission under any other provision
of law.</DELETED>
<DELETED> (f) Protection of Information.--</DELETED>
<DELETED> (1) In general.--No officer or employee of the
Federal Government or agent of the Federal Government may,
without the consent of the individual, entity, agency, or other
person who is the subject of the submission or provides the
submission--</DELETED>
<DELETED> (A) use any submission that is furnished
for exclusively statistical purposes under this section
for any purpose other than the statistical purposes for
which the submission is furnished;</DELETED>
<DELETED> (B) make any publication or media
transmittal of the data contained in a submission
described in subparagraph (A) that permits information
concerning individual entities or individual incidents
to be reasonably inferred by either direct or indirect
means; or</DELETED>
<DELETED> (C) permit anyone other than a sworn
officer, employee, agent, or contractor of the Bureau
to examine an individual submission described in
subsection (e).</DELETED>
<DELETED> (2) Immunity from legal process.--Any submission
(including any data derived from the submission) that is
collected and retained by the Bureau, or an officer, employee,
agent, or contractor of the Bureau, for exclusively statistical
purposes under this section shall be immune from the legal
process and shall not, without the consent of the individual,
entity, agency, or other person who is the subject of the
submission or provides the submission, be admitted as evidence
or used for any purpose in any action, suit, or other judicial
or administrative proceeding.</DELETED>
<DELETED> (3) Rule of construction.--Nothing in this
subsection shall be construed to provide immunity from the
legal process for a submission (including any data derived from
the submission) if the submission is in the possession of any
person, agency, or entity other than the Bureau or an officer,
employee, agent, or contractor of the Bureau, or if the
submission is independently collected, retained, or produced
for purposes other than the purposes of this section.</DELETED>
<DELETED> (g) Authorization of Appropriation.--There are authorized
to be appropriated such sums as may be necessary to carry out this
section. Such funds shall remain available until expended.</DELETED>
<DELETED>SEC. 303. SECURE FOUNDATIONAL INTERNET PROTOCOLS.</DELETED>
<DELETED> (a) Definitions.--In this section:</DELETED>
<DELETED> (1) Border gateway protocol.--The term ``border
gateway protocol'' means a protocol designed to optimize
routing of information exchanged through the
internet.</DELETED>
<DELETED> (2) Domain name system.--The term ``domain name
system'' means a system that stores information associated with
domain names in a distributed database on networks.</DELETED>
<DELETED> (3) Information and communications technology
infrastructure providers.--The term ``information and
communications technology infrastructure providers'' means all
systems that enable connectivity and operability of internet
service, backbone, cloud, web hosting, content delivery, domain
name system, and software-defined networks and other systems
and services.</DELETED>
<DELETED> (b) Creation of a Strategy To Secure Foundational Internet
Protocols.--</DELETED>
<DELETED> (1) Protocol security strategy.--In order to
secure foundational internet protocols, not later than December
31, 2021, the National Telecommunications and Information
Administration and the Department of Homeland Security shall
submit to Congress a strategy to secure the border gateway
protocol and the domain name system.</DELETED>
<DELETED> (2) Strategy requirements.--The strategy required
under paragraph (1) shall--</DELETED>
<DELETED> (A) articulate the security and privacy
benefits of implementing security for the border
gateway protocol and the domain name system and the
burdens of implementation and the entities on whom
those burdens will most likely fall;</DELETED>
<DELETED> (B) identify key United States and
international stakeholders;</DELETED>
<DELETED> (C) outline identified security measures
that could be used to secure or provide authentication
for the border gateway protocol and the domain name
system;</DELETED>
<DELETED> (D) identify any barriers to implementing
security for the border gateway protocol and the domain
name system at scale;</DELETED>
<DELETED> (E) propose a strategy to implement
identified security measures at scale, accounting for
barriers to implementation and balancing benefits and
burdens, where feasible; and</DELETED>
<DELETED> (F) provide an initial estimate of the
total cost to the Government and implementing entities
in the private sector of implementing security for the
border gateway protocol and the domain name system and
propose recommendations for defraying these costs, if
applicable.</DELETED>
<DELETED> (3) Consultation.--In developing the strategy
required under paragraph (1), the National Telecommunications
and Information Administration and the Department of Homeland
Security shall consult with information and communications
technology infrastructure providers, civil society
organizations, relevant nonprofit organizations, and academic
experts.</DELETED>
<DELETED>TITLE IV--SYSTEMICALLY IMPORTANT CRITICAL
INFRASTRUCTURE</DELETED>
<DELETED>SEC. 401. DEFINITIONS.</DELETED>
<DELETED> In this title:</DELETED>
<DELETED> (1) Appropriate congressional committees.--The
term ``appropriate congressional committees'' means the
Committee on Homeland Security and Governmental Affairs of the
Senate and the Committee on Homeland Security of the House of
Representatives.</DELETED>
<DELETED> (2) Critical infrastructure.--The term ``critical
infrastructure'' has the meaning given that term in section
1016(e) of the Critical Infrastructure Protection Act of 2001
(42 U.S.C. 5195c(e)).</DELETED>
<DELETED> (3) Department.--The term ``Department'' means the
Department of Homeland Security.</DELETED>
<DELETED> (4) Entity.--The term ``entity'' means a non-
Federal entity and a private entity, as such terms are defined
under section 102 of the Cybersecurity Information Sharing Act
of 2015 (6 U.S.C. 1501).</DELETED>
<DELETED> (5) National critical functions.--The term
``national critical functions'' means functions of government
and the private sector so vital to the United States that their
disruption, corruption, or dysfunction would have a
debilitating effect on security, national economic security,
national public health or safety, or any combination
thereof.</DELETED>
<DELETED> (6) Secretary.--The term ``Secretary'' means the
Secretary of Homeland Security.</DELETED>
<DELETED> (7) Stakeholders.--The term ``stakeholders'' means
persons or groups whose consultation may aid the Secretary in
exercising the authority of the Secretary under this title,
including--</DELETED>
<DELETED> (A) Sector Coordinating Councils within
the Critical Infrastructure Partnership Advisory
Council, established under section 871 of the Homeland
Security Act of 2002 (6 U.S.C. 451);</DELETED>
<DELETED> (B) the State, Local, Tribal and
Territorial Government Coordinating Council, within the
Critical Infrastructure Partnership Advisory Council,
established under section 871 of the Homeland Security
Act of 2002 (6 U.S.C. 451);</DELETED>
<DELETED> (C) the Cybersecurity Advisory Committee
established under section 2219 of the Homeland Security
Act of 2002 (6 U.S.C. 665e), as so redesignated by
section 101 of this Act;</DELETED>
<DELETED> (D) the National Security
Telecommunications Advisory Committee established
pursuant to Executive Order 12382 (47 Fed. Reg. 40531);
and</DELETED>
<DELETED> (E) the National Infrastructure Advisory
Council, established pursuant to Executive Order 13231
(66 Fed. Reg. 53063).</DELETED>
<DELETED> (8) Systemically important critical
infrastructure.--The term ``Systemically Important Critical
Infrastructure'' means an entity that has been designated as
such by the Secretary through the process and procedures
established under section 402.</DELETED>
<DELETED>SEC. 402. SYSTEMICALLY IMPORTANT CRITICAL
INFRASTRUCTURE.</DELETED>
<DELETED> (a) In General.--The Secretary may designate entities as
Systemically Important Critical Infrastructure.</DELETED>
<DELETED> (b) Establishment of Methodology and Criteria.--Prior to
designating any entities as Systemically Important Critical
Infrastructure, the Secretary, in consultation with the National Cyber
Director, Sector Risk Management Agencies, and appropriate stakeholders,
shall develop--</DELETED>
<DELETED> (1) a methodology for identifying Systemically
Important Critical Infrastructure; and</DELETED>
<DELETED> (2) criteria for determining whether an entity
qualifies as Systemically Important Critical
Infrastructure.</DELETED>
<DELETED> (c) Considerations.--In establishing criteria for
determining whether an entity qualifies as Systemically Important
Critical Infrastructure, the Secretary shall consider--</DELETED>
<DELETED> (1) the likelihood that disruption to or
compromise of such an entity could cause a debilitating effect
on national security, economic security, public health or
safety, or any combination thereof;</DELETED>
<DELETED> (2) the extent to which damage, disruption, or
unauthorized access to such an entity, either separately or
collectively, will disrupt the reliable operation of other
critical infrastructure assets, or impede provisioning of one
or more national critical functions;</DELETED>
<DELETED> (3) the extent to which national cybersecurity
resilience would be enhanced by deeper risk management
integration between Systemically Important Critical
Infrastructure entities and the Federal Government;
and</DELETED>
<DELETED> (4) the extent to which compromise or unauthorized
access of such an entity could separately or collectively
create widespread compromise of the cyber ecosystem,
significant portions of critical infrastructure, or multiple
critical infrastructure sectors.</DELETED>
<DELETED> (d) List.--</DELETED>
<DELETED> (1) In general.--Not later than 1 year after the
date of enactment of this Act, the Secretary shall complete an
initial list of entities designated as Systemically Important
Critical Infrastructure.</DELETED>
<DELETED> (2) Maintenance of list.--The Secretary shall
maintain a comprehensive list of entities designated as
Systemically Important Critical Infrastructure, which shall be
updated within 7 days of a change in whether an entity
qualifies as Systemically Important Critical
Infrastructure.</DELETED>
<DELETED> (e) Entity Notifications.--Not later than 90 days after
designating an entity as Systemically Important Critical Infrastructure
or removing the designation of an entity as Systemically Important
Critical Infrastructure, the Secretary shall notify the
entity.</DELETED>
<DELETED> (f) Congressional Notifications.--The Secretary shall--
</DELETED>
<DELETED> (1) not later than 30 days after the date of any
addition, modification, or removal of an entity from the list
of Systemically Important Critical Infrastructure maintained
under subsection (d), notify the appropriate Congressional
committees; and</DELETED>
<DELETED> (2) at least every 2 years, submit to the
appropriate Congressional committees an updated comprehensive
list of entities designated as Systemically Important Critical
Infrastructure, in conjunction with each plan required pursuant
to section 403.</DELETED>
<DELETED>SEC. 403. PLAN FOR ENHANCEMENT OF SYSTEMICALLY IMPORTANT
CRITICAL INFRASTRUCTURE METHODOLOGY AND
CAPABILITY.</DELETED>
<DELETED> (a) In General.--Not later than 180 days after the date of
enactment of this Act, and every 2 years thereafter for 10 years, the
Secretary, in consultation with Sector Risk Management Agencies and
appropriate stakeholders, shall develop and submit to the appropriate
congressional committees a plan for enhancing the methodology of the
Department for identifying Systemically Important Critical
Infrastructure, including a discussion of the progress of the
Department as of the date of submission of the plan in implementing the
plan.</DELETED>
<DELETED> (b) Contents of Plan.--</DELETED>
<DELETED> (1) In general.--The plan required under
subsection (a) shall include--</DELETED>
<DELETED> (A) the methodology and criteria used for
identifying and determining entities that qualify as
Systemically Important Critical Infrastructure as
described in section 402(b) and the analysis used to
establish such methodology and criteria;</DELETED>
<DELETED> (B) a proposed timeline for enhancing the
capabilities of the Department to expand the list
beyond the designated entities to also include
facilities, systems, assets, or other relevant units of
critical infrastructure that may further enhance the
ability to manage risk of Systemically Important
Critical Infrastructure;</DELETED>
<DELETED> (C) information regarding the outreach by
the Department to stakeholders and other Sector Risk
Management Agencies on such efforts, including
mechanisms for incorporation of industry
feedback;</DELETED>
<DELETED> (D) information regarding the efforts of
the Department, and the associated challenges with such
efforts, to access information from stakeholders and
other Sector Risk Management Agencies to identify
Systemically Important Critical
Infrastructure;</DELETED>
<DELETED> (E) information regarding other critical
infrastructure entity identification programs within
the Department and how they are being incorporated into
the overarching process to identify Systemically
Important Critical Infrastructure, which shall include
the efforts of the Department under section 9 of
Executive Order 13636 (78 Fed. Reg. 11739), the
National Infrastructure Prioritization Program, and
section 4 of Executive Order 14028 (86 Fed. Reg.
26633);</DELETED>
<DELETED> (F) any identified gaps in authorities or
resources required to successfully carry out the
process of identifying Systemically Important Critical
Infrastructure, including facilities, systems, assets,
or other relevant units of critical infrastructure, as
well as legislative proposals to address such
gaps;</DELETED>
<DELETED> (G) an assessment of potential benefits
for entities designated as Systemically Important
Critical Infrastructure, which shall include an
assessment of--</DELETED>
<DELETED> (i) enhanced intelligence support
and information sharing;</DELETED>
<DELETED> (ii) prioritized Federal technical
assistance;</DELETED>
<DELETED> (iii) liability protection for
entities designated as Systemically Important
Critical Infrastructure that conform to
identified security standards for damages or
harm directly or indirectly caused by a cyber
incident;</DELETED>
<DELETED> (iv) prioritized emergency
planning;</DELETED>
<DELETED> (v) benefits described in the
final report of the U.S. Cyberspace Solarium
Commission, dated March 2020; and</DELETED>
<DELETED> (vi) additional authorizations or
resources necessary to implement the benefits
assessed under this subparagraph; and</DELETED>
<DELETED> (H) an assessment of potential mechanisms
to improve the security of entities designated as
Systemically Important Critical Infrastructure, which
shall include an assessment of--</DELETED>
<DELETED> (i) risk-based cybersecurity
performance standards for all Systemically
Important Critical Infrastructure entities,
incorporating, to the greatest extent possible,
existing industry best practices, standards,
and guidelines;</DELETED>
<DELETED> (ii) sector-specific performance
standards;</DELETED>
<DELETED> (iii) additional regulations to
enhance the security of Systemically Important
Critical Infrastructure against cyber risks,
including how to prevent duplicative
requirements for already regulated
sectors;</DELETED>
<DELETED> (iv) cyber incident reporting
requirements for entities designated as
Systemically Important Critical Infrastructure;
and</DELETED>
<DELETED> (v) additional authorizations or
resources necessary to implement the mechanisms
to improve the security of Systemically
Important Critical Infrastructure assessed
under this subparagraph.</DELETED>
<DELETED> (2) Initial plan.--The initial plan submitted
under this section shall include a detailed description of the
capabilities of the Department with respect to identifying
Systemically Important Critical Infrastructure as they were on
the date of enactment of this Act.</DELETED>
<DELETED> (c) Classified Annex.--The plan shall be in unclassified
form, but may include a classified annex, as the Secretary determines
necessary.</DELETED>
<DELETED> (d) Publication.--Not later than 30 days after the date on
which the Secretary submits a plan to Congress, the Secretary shall
make the plan available to relevant stakeholders.</DELETED>
<DELETED> (e) Restriction.--Subchapter I of chapter 35 of title 44,
United States Code, shall not apply to any action to implement this
section or to any exercise of the authority of the Secretary pursuant
to this section.</DELETED>
<DELETED>TITLE V--ENABLING THE NATIONAL CYBER DIRECTOR</DELETED>
<DELETED>SEC. 501. ESTABLISHMENT OF HIRING AUTHORITIES FOR THE OFFICE
OF THE NATIONAL CYBER DIRECTOR.</DELETED>
<DELETED> Section 1752 of the William M. (Mac) Thornberry National
Defense Authorization Act for Fiscal Year 2021 (Public Law 116-283) is
amended--</DELETED>
<DELETED> (1) in subsection (e)--</DELETED>
<DELETED> (A) in paragraph (1), by inserting ``and
in accordance with paragraphs (3) through (7) of this
subsection,'' after ``and classification
laws,'';</DELETED>
<DELETED> (B) in paragraph (2), by inserting
``notwithstanding paragraphs (3) through (7) of this
subsection,'' before ``employ experts'';</DELETED>
<DELETED> (C) by redesignating paragraphs (3)
through (8) as paragraphs (8) through (13),
respectively; and</DELETED>
<DELETED> (D) by inserting after paragraph (2) the
following:</DELETED>
<DELETED> ``(3) establish, as positions in the excepted
service, such qualified positions in the Office as the Director
determines necessary to carry out the responsibilities of the
Office, appoint an individual to a qualified position (after
taking into consideration the availability of preference
eligibles for appointment to the position), and, subject to the
requirements of paragraphs (4) and (5), fix the compensation of
an individual for service in a qualified position;</DELETED>
<DELETED> ``(4) fix the rates of basic pay for any qualified
position established under paragraph (3) in relation to the
rates of pay provided for employees in comparable positions in
the Office, in which the employee occupying the comparable
position performs, manages, or supervises functions that
execute the mission of the Office, and, subject to the same
limitations on maximum rates of pay and consistent with section
5341 of title 5, United States Code, adopt such provisions of
that title to provide for prevailing rate systems of basic pay
and apply those provisions to qualified positions for employees
in or under which the Office may employ individuals described
by section 5342(a)(2)(A) of such title;</DELETED>
<DELETED> ``(5) employ an officer or employee of the United
States or member of the Armed Forces detailed to the staff of
the Office on a non-reimbursable basis--</DELETED>
<DELETED> ``(A) as jointly agreed to by the heads of
the receiving and detailing elements, for a period not
to exceed 3 years;</DELETED>
<DELETED> ``(B) which shall not be construed to
limit any other source of authority for reimbursable or
non-reimbursable details; and</DELETED>
<DELETED> ``(C) which shall not be considered an
augmentation of the appropriations of the receiving
element of the Office;</DELETED>
<DELETED> ``(6) provide--</DELETED>
<DELETED> ``(A) employees in qualified positions
compensation (in addition to basic pay), including
benefits, incentives, and allowances, consistent with,
and not in excess of the level authorized for,
comparable positions authorized by title 5, United
States Code; and</DELETED>
<DELETED> ``(B) employees in a qualified position
whose rate of basic pay is fixed under paragraph (4) an
allowance under section 5941 of title 5, United States
Code, on the same basis and to the same extent as if
the employee was an employee covered by such section,
including eligibility conditions, allowance rates, and
all other terms and conditions in law or
regulation;</DELETED>
<DELETED> ``(7) establish a fellowship program to facilitate
a talent exchange program between the private sector and the
Office to arrange, with the agreement of a private sector
organization and the consent of the employee, for the temporary
assignment of an employee to the private sector organization,
or from the private sector organization to the Office;'';
and</DELETED>
<DELETED> (2) in subsection (g)--</DELETED>
<DELETED> (A) by redesignating paragraphs (3)
through (6) as paragraphs (4) through (7),
respectively;</DELETED>
<DELETED> (B) by inserting after paragraph (2) the
following:</DELETED>
<DELETED> ``(3) The term `excepted service' has the meaning
given that term in section 2103 of title 5, United States
Code.''; and</DELETED>
<DELETED> (3) by adding at the end the following:</DELETED>
<DELETED> ``(8) The term `preference eligible' has the
meaning given that term in section 2108(3) of title 5, United
States Code.</DELETED>
<DELETED> ``(9) The term `qualified position' means a
position, designated by the Director for the purpose of this
section, in which the individual occupying such position
performs, manages, or supervises functions that execute the
responsibilities of the Office.''.</DELETED>
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Defense of United
States Infrastructure Act of 2021''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
TITLE I--IMPROVING THE ABILITY OF THE FEDERAL GOVERNMENT TO ASSIST IN
ENHANCING CRITICAL INFRASTRUCTURE CYBER RESILIENCE
Sec. 101. Institute a 5-year term for the Director of the Cybersecurity
and Infrastructure Security Agency.
Sec. 102. Pilot program on cyber threat information collaboration
environment.
TITLE II--IMPROVING SECURITY IN THE NATIONAL CYBER ECOSYSTEM
Sec. 201. Report on cybersecurity certifications and labeling.
Sec. 202. Secure foundational internet protocols.
TITLE III--ENABLING THE NATIONAL CYBER DIRECTOR
Sec. 301. Establishment of hiring authorities for the Office of the
National Cyber Director.
SEC. 2. DEFINITIONS.
In this Act:
(1) Critical infrastructure.--The term ``critical
infrastructure'' has the meaning given such term in section
1016(e) of the Critical Infrastructure Protection Act of 2001
(42 U.S.C. 5195c(e)).
(2) Cybersecurity risk.--The term ``cybersecurity risk''
has the meaning given such term in section 2209 of the Homeland
Security Act of 2002 (6 U.S.C. 659).
(3) Department.--The term ``Department'' means the
Department of Homeland Security.
(4) Secretary.--The term ``Secretary'' means the Secretary
of Homeland Security.
TITLE I--IMPROVING THE ABILITY OF THE FEDERAL GOVERNMENT TO ASSIST IN
ENHANCING CRITICAL INFRASTRUCTURE CYBER RESILIENCE
SEC. 101. INSTITUTE A 5-YEAR TERM FOR THE DIRECTOR OF THE CYBERSECURITY
AND INFRASTRUCTURE SECURITY AGENCY.
(a) In General.--Subsection (b)(1) of section 2202 of the Homeland
Security Act of 2002 (6 U.S.C. 652), is amended by inserting ``The term
of office of an individual serving as Director shall be 5 years.''
after ``who shall report to the Secretary.''.
(b) Transition Rules.--The amendment made by subsection (a) shall
take effect on the first appointment of an individual to the position
of Director of the Cybersecurity and Infrastructure Security Agency, by
and with the advice and consent of the Senate, that is made on or after
the date of enactment of this Act.
SEC. 102. PILOT PROGRAM ON CYBER THREAT INFORMATION COLLABORATION
ENVIRONMENT.
(a) Definitions.--In this section:
(1) Critical infrastructure information.--The term
``critical infrastructure information'' has the meaning given
such term in section 2222 of the Homeland Security Act of 2002
(6 U.S.C. 671).
(2) Cyber threat indicator.--The term ``cyber threat
indicator'' has the meaning given such term in section 102 of
the Cybersecurity Act of 2015 (6 U.S.C. 1501).
(3) Cybersecurity threat.--The term ``cybersecurity
threat'' has the meaning given such term in section 102 of the
Cybersecurity Act of 2015 (6 U.S.C. 1501).
(4) Environment.--The term ``environment'' means the
information collaboration environment established under
subsection (b).
(5) Information sharing and analysis organization.--The
term ``information sharing and analysis organization'' has the
meaning given such term in section 2222 of the Homeland
Security Act of 2002 (6 U.S.C. 671).
(6) Non-federal entity.--The term ``non-Federal entity''
has the meaning given such term in section 102 of the
Cybersecurity Act of 2015 (6 U.S.C. 1501).
(b) Pilot Program.--The Secretary, in consultation with the
Secretary of Defense, the Director of National Intelligence, the
Director of the National Security Agency, and the Attorney General
shall carry out a pilot program under which the Secretary shall develop
an information collaboration environment and associated analytic tools
that enable Federal and non-Federal entities to identify, mitigate, and
prevent malicious cyber activity to--
(1) provide limited access to appropriate and operationally
relevant data from unclassified and classified intelligence
about cybersecurity risks and cybersecurity threats, as well as
malware forensics and data from network sensor programs, on a
platform that enables query and analysis;
(2) enable cross-correlation of data on cybersecurity risks
and cybersecurity threats at the speed and scale necessary for
rapid detection and identification;
(3) facilitate a comprehensive understanding of
cybersecurity risks and cybersecurity threats; and
(4) facilitate collaborative analysis between the Federal
Government and public and private sector critical
infrastructure entities and information and analysis
organizations.
(c) Implementation of Information Collaboration Environment.--
(1) Evaluation.--Not later than 180 days after the date of
enactment of this Act, the Secretary, acting through the
Director of the Cybersecurity and Infrastructure Security
Agency, and in coordination with the Secretary of Defense, the
Director of National Intelligence, the Director of the National
Security Agency, and the Attorney General, shall--
(A) identify, inventory, and evaluate existing
Federal sources of classified and unclassified
information on cybersecurity threats;
(B) evaluate current programs, applications, or
platforms intended to detect, identify, analyze, and
monitor cybersecurity risks and cybersecurity threats;
(C) consult with public and private sector critical
infrastructure entities to identify public and private
critical infrastructure cyber threat capabilities,
needs, and gaps; and
(D) identify existing tools, capabilities, and
systems that may be adapted to achieve the purposes of
the environment in order to maximize return on
investment and minimize cost.
(2) Implementation.--
(A) In general.--Not later than 1 year after
completing the evaluation required under paragraph
(1)(B), the Secretary, acting through the Director of
the Cybersecurity and Infrastructure Security Agency,
and in consultation with the Secretary of Defense, the
Director of National Intelligence, the Director of the
National Security Agency, and the Attorney General,
shall begin implementation of the environment to enable
participants in the environment to develop and run
analytic tools referred to in subsection (b) on
specified data sets for the purpose of identifying,
mitigating, and preventing malicious cyber activity
that is a threat to public and private critical
infrastructure.
(B) Requirements.--The environment and the use of
analytic tools referred to in subsection (b) shall--
(i) operate in a manner consistent with
relevant privacy, civil rights, and civil
liberties policies and protections, including
such policies and protections established
pursuant to section 1016 of the Intelligence
Reform and Terrorism Prevention Act of 2004 (6
U.S.C. 485);
(ii) account for appropriate data standards
and interoperability requirements, consistent
with the standards set forth in subsection (d);
(iii) enable integration of current
applications, platforms, data, and information,
including classified information, in a manner
that supports integration of unclassified and
classified information on cybersecurity risks
and cybersecurity threats;
(iv) incorporate tools to manage access to
classified and unclassified data, as
appropriate;
(v) ensure accessibility by entities the
Secretary, in consultation with the Secretary
of Defense, the Director of National
Intelligence, the Director of the National
Security Agency, and the Attorney General,
determines appropriate;
(vi) allow for access by critical
infrastructure stakeholders and other private
sector partners, at the discretion of the
Secretary, in consultation with the Secretary
of Defense;
(vii) deploy analytic tools across
classification levels to leverage all relevant
data sets, as appropriate;
(viii) identify tools and analytical
software that can be applied and shared to
manipulate, transform, and display data and
other identified needs; and
(ix) anticipate the integration of new
technologies and data streams, including data
from government-sponsored network sensors or
network-monitoring programs deployed in support
of non-Federal entities.
(3) Annual report requirement on the implementation,
execution, and effectiveness of the pilot program.--Not later
than 1 year after the date of enactment of this Act, and every
year thereafter until the date that is 1 year after the pilot
program under this section terminates under subsection (e), the
Secretary shall submit to the Committee on Homeland Security
and Governmental Affairs, the Committee on the Judiciary, and
the Select Committee on Intelligence of the Senate and the
Committee on Homeland Security, the Committee on the Judiciary,
and the Permanent Select Committee on Intelligence of the House
of Representatives a report that details--
(A) Federal Government participation in the
environment, including the Federal entities
participating in the environment and the volume of
information shared by Federal entities into the
environment;
(B) non-Federal entities' participation in the
environment, including the non-Federal entities
participating in the environment and the volume of
information shared by non-Federal entities into the
environment;
(C) the impact of the environment on positive
security outcomes in the Federal Government and
non-Federal entities;
(D) barriers identified to fully realizing the
benefit of the environment both for the Federal
Government and non-Federal entities; and
(E) additional authorities or resources necessary
to successfully execute the environment.
(d) Cyber Threat Data Standards and Interoperability.--
(1) Establishment.--The Secretary, in coordination with the
Secretary of Defense, the Director of National Intelligence,
the Director of the National Security Agency, and the Attorney
General, shall establish data standards and requirements for
non-Federal entities to participate in the environment.
(2) Data streams.--The Secretary shall identify, designate,
and periodically update programs that shall participate in or
be interoperable with the environment, which may include--
(A) network-monitoring and intrusion detection
programs;
(B) cyber threat indicator sharing programs;
(C) certain government-sponsored network sensors or
network-monitoring programs;
(D) incident response and cybersecurity technical
assistance programs; or
(E) malware forensics and reverse-engineering
programs.
(3) Data governance.--The Secretary, in consultation with
the Secretary of Defense, the Director of National
Intelligence, the Director of the National Security Agency, and
the Attorney General, shall establish procedures and data
governance structures, as necessary, to protect sensitive data,
comply with Federal regulations and statutes, and respect
existing consent agreements with public and private sector
critical infrastructure entities that apply to critical
infrastructure information.
(4) Rule of construction.--Nothing in this subsection shall
change existing ownership or protection of, or policies and
processes for access to, agency data.
(e) Duration.--The pilot program under this section shall terminate
on the date that is 5 years after the date of enactment of this Act.
TITLE II--IMPROVING SECURITY IN THE NATIONAL CYBER ECOSYSTEM
SEC. 201. REPORT ON CYBERSECURITY CERTIFICATIONS AND LABELING.
Not later than October 1, 2022, the National Cyber Director, in
consultation with the Director of the National Institute of Standards
and Technology and the Director of the Cybersecurity and Infrastructure
Security Agency, shall submit to the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on Homeland
Security of the House of Representatives a report that--
(1) identifies and assesses existing efforts by the Federal
Government to create, administer, or otherwise support the use
of certifications or labels to communicate the security or
security characteristics of information technology or
operational technology products and services; and
(2) assesses the viability of and need for a new program at
the Department to harmonize information technology and
operational technology product and service security
certification and labeling efforts across the Federal
Government and between the Federal Government and the private
sector.
SEC. 202. SECURE FOUNDATIONAL INTERNET PROTOCOLS.
(a) Definitions.--In this section:
(1) Border gateway protocol.--The term ``border gateway
protocol'' means a protocol designed to optimize routing of
information exchanged through the internet.
(2) Domain name system.--The term ``domain name system''
means a system that stores information associated with domain
names in a distributed database on networks.
(3) Information and communications technology
infrastructure providers.--The term ``information and
communications technology infrastructure providers'' means all
systems that enable connectivity and operability of internet
service, backbone, cloud, web hosting, content delivery, domain
name system, and software-defined networks and other systems
and services.
(b) Creation of a Strategy to Encourage Implementation of Measures
to Secure Foundational Internet Protocols.--
(1) Protocol security strategy.--In order to encourage
implementation of measures to secure foundational internet
protocols by information and communications technology
infrastructure providers, not later than 180 days after the
date of enactment of this Act, the Assistant Secretary for
Communications and Information of the Department of Commerce,
in coordination with the Director of the National Institute of
Standards and Technology and the Director of the Cybersecurity
and Infrastructure Security Agency, shall establish a working
group composed of appropriate stakeholders, including
representatives of the Internet Engineering Task Force and
information and communications technology infrastructure
providers, to prepare and submit to Congress a strategy to
encourage implementation of measures to secure the border
gateway protocol and the domain name system.
(2) Strategy requirements.--The strategy required under
paragraph (1) shall--
(A) articulate the motivation and goal of the
strategy to reduce incidents of border gateway protocol
hijacking and domain name system hijacking;
(B) articulate the security and privacy benefits of
implementing the most up-to-date and secure instances
of the border gateway protocol and the domain name
system and the burdens of implementation and the
entities on whom those burdens will most likely fall;
(C) identify key United States and international
stakeholders;
(D) outline varying measures that could be used to
implement security or provide authentication for the
border gateway protocol and the domain name system;
(E) identify any barriers to implementing security
for the border gateway protocol and the domain name
system at scale;
(F) propose a strategy to implement identified
security measures at scale, accounting for barriers to
implementation and balancing benefits and burdens,
where feasible; and
(G) provide an initial estimate of the total cost
to the Government and implementing entities in the
private sector of implementing security for the border
gateway protocol and the domain name system and propose
recommendations for defraying these costs, if
applicable.
TITLE III--ENABLING THE NATIONAL CYBER DIRECTOR
SEC. 301. ESTABLISHMENT OF HIRING AUTHORITIES FOR THE OFFICE OF THE
NATIONAL CYBER DIRECTOR.
(a) Definitions.--In this section:
(1) Director.--The term ``Director'' means the National
Cyber Director.
(2) Excepted service.--The term ``excepted service'' has
the meaning given such term in section 2103 of title 5, United
States Code.
(3) Office.--The term ``Office'' means the Office of the
National Cyber Director.
(4) Qualified position.--The term ``qualified position''
means a position identified by the Director under subsection
(b)(1)(A), in which the individual occupying such position
performs, manages, or supervises functions that execute the
responsibilities of the Office.
(b) Hiring Plan.--The Director shall, for purposes of carrying out
the functions of the Office--
(1) craft an implementation plan for positions in the
excepted service in the Office, which shall propose--
(A) qualified positions in the Office, as the
Director determines necessary to carry out the
responsibilities of the Office; and
(B) subject to the requirements of paragraph (2),
rates of compensation for an individual serving in a
qualified position;
(2) propose rates of basic pay for qualified positions,
which shall--
(A) be determined in relation to the rates of pay
provided for employees in comparable positions in the
Office, in which the employee occupying the comparable
position performs, manages, or supervises functions
that execute the mission of the Office; and
(B) subject to the same limitations on maximum
rates of pay and consistent with section 5341 of title
5, United States Code, adopt such provisions of that
title to provide for prevailing rate systems of basic
pay and apply those provisions to qualified positions
for employees in or under which the Office may employ
individuals described by section 5342(a)(2)(A) of such
title; and
(3) craft proposals to provide--
(A) employees in qualified positions compensation
(in addition to basic pay), including benefits,
incentives, and allowances, consistent with, and not in
excess of the level authorized for, comparable
positions authorized by title 5, United States Code;
and
(B) employees in a qualified position for which the
Director proposes a rate of basic pay under paragraph
(2) an allowance under section 5941 of title 5, United
States Code, on the same basis and to the same extent
as if the employee was an employee covered by such
section, including eligibility conditions, allowance
rates, and all other terms and conditions in law or
regulation.