[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2540 Reported in Senate (RS)]
<DOC>
Calendar No. 632
117th CONGRESS
2d Session
S. 2540
[Report No. 117-248]
To make technical corrections to title XXII of the Homeland Security
Act of 2002, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 29, 2021
Mr. Portman (for himself, Mr. Peters, and Ms. Hassan) introduced the
following bill; which was read twice and referred to the Committee on
Homeland Security and Governmental Affairs
December 13, 2022
Reported by Mr. Peters, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To make technical corrections to title XXII of the Homeland Security
Act of 2002, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``CISA Technical Corrections
and Improvements Act of 2021''.</DELETED>
<DELETED>SEC. 2. REDESIGNATIONS.</DELETED>
<DELETED> (a) In General.--Subtitle A of title XXII of the Homeland
Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--</DELETED>
<DELETED> (1) by striking section 2201 (6 U.S.C.
651);</DELETED>
<DELETED> (2) by redesignating sections 2202 through 2214 as
sections 2201 through 2213, respectively;</DELETED>
<DELETED> (3) by redesignating section 2217 (6 U.S.C. 665f)
as section 2219;</DELETED>
<DELETED> (4) by redesignating section 2216 (6 U.S.C. 665e)
as section 2218;</DELETED>
<DELETED> (5) by redesignating the fourth section 2215
(relating to Sector Risk Management Agencies) (6 U.S.C. 665d)
as section 2217;</DELETED>
<DELETED> (6) by redesignating the third section 2215
(relating to the Cybersecurity State Coordinator) (6 U.S.C.
665c) as section 2216; and</DELETED>
<DELETED> (7) by redesignating the first section 2215
(relating to Duties and Authorities Relating to .GOV Internet
Domain) (6 U.S.C. 665) as section 2214.</DELETED>
<DELETED> (b) Technical and Conforming Amendments.--The Homeland
Security Act of 2002 (6 U.S.C. 101 et seq.) is amended--</DELETED>
<DELETED> (1) in section 320(d)(3)(C) (6 U.S.C.
195f(d)(3)(C)) by striking ``section 2201'' and inserting
``section 2200'';</DELETED>
<DELETED> (2) in section 846(1) (6 U.S.C. 417(1)), by
striking ``section 2209'' and inserting ``section
2208'';</DELETED>
<DELETED> (3) in section 1801(c)(16) (6 U.S.C. 571(c)(16))
by striking ``section 2202(c)(7)'' and inserting ``section
2201(c)(7)'';</DELETED>
<DELETED> (4) in section 2001(4)(A)(iii)(II) (6 U.S.C.
601(4)(A)(iii)(II)), by striking ``section 2214(a)(2)'' and
inserting ``section 2213(a)(2)'';</DELETED>
<DELETED> (5) in section 2008(a)(3) (6 U.S.C. 609(a)(3)), by
striking ``section 2214(a)(2)'' and inserting ``section
2213(a)(2);''</DELETED>
<DELETED> (6) in section 2201, as so redesignated--
</DELETED>
<DELETED> (A) in subsection (c)--</DELETED>
<DELETED> (i) in the first paragraph (12),
by striking ``section 2215'' and inserting
``section 2216'';</DELETED>
<DELETED> (ii) by redesignating the second
and third paragraphs (12) as paragraphs (13)
and (14), respectively; and</DELETED>
<DELETED> (iii) in paragraph (13), as so
redesignated, by striking ``section 2215'' and
inserting ``section 2214''; and</DELETED>
<DELETED> (B) in subsection (e)(2), by striking
``sections 2203(b) and 2204(b)'' and inserting
``sections 2202(b) and 2203(b)'';</DELETED>
<DELETED> (7) in section 2202(b)(3), as so redesignated, by
striking ``section 2202(c)(7)'' and inserting ``section
2201(c)(7)'';</DELETED>
<DELETED> (8) in section 2203(b)(3), as so redesignated, by
striking ``section 2202(c)(7)'' and inserting ``section
2201(c)(7)'';</DELETED>
<DELETED> (9) in section 2204, as so redesignated, in the
matter preceding paragraph (1), by striking ``section 2202''
and inserting ``section 2201'';</DELETED>
<DELETED> (10) in section 2210(b)(2)(A), as so redesignated,
by striking ``section 2209'' and inserting ``section 2208'';
and</DELETED>
<DELETED> (11) in section 2217(c)(4)(A), by striking
``section 2209'' and inserting ``section 2208''.</DELETED>
<DELETED> (c) Table of Contents.--The table of contents in section
1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 116
Stat. 2135) is amended--</DELETED>
<DELETED> (1) by striking inserting before the item relating
to subtitle A of title XXII the following:</DELETED>
<DELETED>``Sec. 2200. Definitions.'';
<DELETED>and</DELETED>
<DELETED> (2) by striking the items relating to sections
2201 through 2217 and inserting the following:</DELETED>
<DELETED>``Sec. 2201. Cybersecurity and Infrastructure Security Agency.
<DELETED>``Sec. 2202. Cybersecurity Division.
<DELETED>``Sec. 2203. Infrastructure Security Division.
<DELETED>``Sec. 2204. Enhancement of Federal and non-Federal
cybersecurity.
<DELETED>``Sec. 2205. Net guard.
<DELETED>``Sec. 2206. Cyber Security Enhancement Act of 2002.
<DELETED>``Sec. 2207. Cybersecurity recruitment and retention.
<DELETED>``Sec. 2208. National cybersecurity and communications
integration center.
<DELETED>``Sec. 2209. Cybersecurity plans.
<DELETED>``Sec. 2210. Cybersecurity strategy.
<DELETED>``Sec. 2211. Clearances.
<DELETED>``Sec. 2212. Federal intrusion detection and prevention
system.
<DELETED>``Sec. 2213. National Asset Database.
<DELETED>``Sec. 2214. Duties and authorities relating to .gov internet
domain.
<DELETED>``Sec. 2215. Joint Cyber Planning Office.
<DELETED>``Sec. 2216. Cybersecurity State Coordinator.
<DELETED>``Sec. 2217. Sector Risk Management Agencies.
<DELETED>``Sec. 2218. Cybersecurity Advisory Committee.
<DELETED>``Sec. 2219. Cybersecurity education and training programs.''.
<DELETED> (d) Additional Technical Amendment.--</DELETED>
<DELETED> (1) Amendment.--Section 904(b)(1) of the DOTGOV
Act of 2020 (title IX of division U of Public Law 116-260) is
amended, in the matter preceding subparagraph (A), by striking
``Homeland Security Act'' and inserting ``Homeland Security Act
of 2002''.</DELETED>
<DELETED> (2) Effective date.--The amendment made by
paragraph (1) shall take effect as if enacted as part of the
DOTGOV Act of 2020 (title IX of division U of Public Law 116-
260).</DELETED>
<DELETED>SEC. 3. CONSOLIDATION OF DEFINITIONS.</DELETED>
<DELETED> (a) In General.--Title XXII of the Homeland Security Act
of 2002 (6 U.S.C. 651) is amended--</DELETED>
<DELETED> (1) by striking section 2201; and</DELETED>
<DELETED> (2) by inserting before the subtitle A heading the
following:</DELETED>
<DELETED>``SEC. 2200. DEFINITIONS.</DELETED>
<DELETED> ``Except as otherwise specifically provided, in this
title:</DELETED>
<DELETED> ``(1) Agency.--The term `Agency' means the
Cybersecurity and Infrastructure Security Agency.</DELETED>
<DELETED> ``(2) Agency information.--The term `agency
information' means information collected or maintained by or on
behalf of an agency.</DELETED>
<DELETED> ``(3) Agency information system.--The term `agency
information system' means an information system used or
operated by an agency or by another entity on behalf of an
agency.</DELETED>
<DELETED> ``(4) Appropriate congressional committees.--The
term `appropriate congressional committees' means--</DELETED>
<DELETED> ``(A) the Committee on Homeland Security
and Governmental Affairs of the Senate; and</DELETED>
<DELETED> ``(B) the Committee on Homeland Security
of the House of Representatives.</DELETED>
<DELETED> ``(5) Critical infrastructure information.--The
term `critical infrastructure information' means information
not customarily in the public domain and related to the
security of critical infrastructure or protected systems--
</DELETED>
<DELETED> ``(A) actual, potential, or threatened
interference with, attack on, compromise of, or
incapacitation of critical infrastructure or protected
systems by either physical or computer-based attack or
other similar conduct (including the misuse of or
unauthorized access to all types of communications and
data transmission systems) that violates Federal,
State, or local law, harms interstate commerce of the
United States, or threatens public health or
safety;</DELETED>
<DELETED> ``(B) the ability of any critical
infrastructure or protected system to resist such
interference, compromise, or incapacitation, including
any planned or past assessment, projection, or estimate
of the vulnerability of critical infrastructure or a
protected system, including security testing, risk
evaluation thereto, risk management planning, or risk
audit; or</DELETED>
<DELETED> ``(C) any planned or past operational
problem or solution regarding critical infrastructure
or protected systems, including repair, recovery,
reconstruction, insurance, or continuity, to the extent
it is related to such interference, compromise, or
incapacitation.</DELETED>
<DELETED> ``(6) Cyber threat indicator.--The term `cyber
threat indicator' means information that is necessary to
describe or identify--</DELETED>
<DELETED> ``(A) malicious reconnaissance, including
anomalous patterns of communications that appear to be
transmitted for the purpose of gathering technical
information related to a cybersecurity threat or
security vulnerability;</DELETED>
<DELETED> ``(B) a method of defeating a security
control or exploitation of a security
vulnerability;</DELETED>
<DELETED> ``(C) a security vulnerability, including
anomalous activity that appears to indicate the
existence of a security vulnerability;</DELETED>
<DELETED> ``(D) a method of causing a user with
legitimate access to an information system or
information that is stored on, processed by, or
transiting an information system to unwittingly enable
the defeat of a security control or exploitation of a
security vulnerability;</DELETED>
<DELETED> ``(E) malicious cyber command and
control;</DELETED>
<DELETED> ``(F) the actual or potential harm caused
by an incident, including a description of the
information exfiltrated as a result of a particular
cybersecurity threat;</DELETED>
<DELETED> ``(G) any other attribute of a
cybersecurity threat, if disclosure of such attribute
is not otherwise prohibited by law; or</DELETED>
<DELETED> ``(H) any combination thereof.</DELETED>
<DELETED> ``(7) Cybersecurity purpose.--The term
`cybersecurity purpose' means the purpose of protecting an
information system or information that is stored on, processed
by, or transiting an information system from a cybersecurity
threat or security vulnerability.</DELETED>
<DELETED> ``(8) Cybersecurity risk.--The term `cybersecurity
risk'--</DELETED>
<DELETED> ``(A) means threats to and vulnerabilities
of information or information systems and any related
consequences caused by or resulting from unauthorized
access, use, disclosure, degradation, disruption,
modification, or destruction of such information or
information systems, including such related
consequences caused by an act of terrorism;
and</DELETED>
<DELETED> ``(B) does not include any action that
solely involves a violation of a consumer term of
service or a consumer licensing agreement.</DELETED>
<DELETED> ``(9) Cybersecurity threat.--</DELETED>
<DELETED> ``(A) In general.--Except as provided in
subparagraph (B), the term `cybersecurity threat' means
an action, not protected by the First Amendment to the
Constitution of the United States, on or through an
information system that may result in an unauthorized
effort to adversely impact the security, availability,
confidentiality, or integrity of an information system
or information that is stored on, processed by, or
transiting an information system.</DELETED>
<DELETED> ``(B) Exclusion.--The term `cybersecurity
threat' does not include any action that solely
involves a violation of a consumer term of service or a
consumer licensing agreement.</DELETED>
<DELETED> ``(10) Defensive measure.--</DELETED>
<DELETED> ``(A) In general.--Except as provided in
subparagraph (B), the term `defensive measure' means an
action, device, procedure, signature, technique, or
other measure applied to an information system or
information that is stored on, processed by, or
transiting an information system that detects,
prevents, or mitigates a known or suspected
cybersecurity threat or security
vulnerability.</DELETED>
<DELETED> ``(B) Exclusion.--The term `defensive
measure' does not include a measure that destroys,
renders unusable, provides unauthorized access to, or
substantially harms an information system or
information stored on, processed by, or transiting such
information system not owned by--</DELETED>
<DELETED> ``(i) the entity operating the
measure; or</DELETED>
<DELETED> ``(ii) another entity or Federal
entity that is authorized to provide consent
and has provided consent to that private entity
for operation of such measure.</DELETED>
<DELETED> ``(11) Homeland security enterprise.--The term
`Homeland Security Enterprise' means relevant governmental and
nongovernmental entities involved in homeland security,
including Federal, State, local, and tribal government
officials, private sector representatives, academics, and other
policy experts.</DELETED>
<DELETED> ``(12) Incident.--The term `incident' means an
occurrence that actually or imminently jeopardizes, without
lawful authority, the integrity, confidentiality, or
availability of information on an information system, or
actually or imminently jeopardizes, without lawful authority,
an information system.</DELETED>
<DELETED> ``(13) Information sharing and analysis
organization.--The term `Information Sharing and Analysis
Organization' means any formal or informal entity or
collaboration created or employed by public or private sector
organizations, for purposes of--</DELETED>
<DELETED> ``(A) gathering and analyzing critical
infrastructure information, including information
related to cybersecurity risks and incidents, in order
to better understand security problems and
interdependencies related to critical infrastructure,
including cybersecurity risks and incidents, and
protected systems, so as to ensure the availability,
integrity, and reliability thereof;</DELETED>
<DELETED> ``(B) communicating or disclosing critical
infrastructure information, including cybersecurity
risks and incidents, to help prevent, detect, mitigate,
or recover from the effects of a interference,
compromise, or a incapacitation problem related to
critical infrastructure, including cybersecurity risks
and incidents, or protected systems; and</DELETED>
<DELETED> ``(C) voluntarily disseminating critical
infrastructure information, including cybersecurity
risks and incidents, to its members, State, local, and
Federal Governments, or any other entities that may be
of assistance in carrying out the purposes specified in
subparagraphs (A) and (B).</DELETED>
<DELETED> ``(14) Information system.--The term `information
system' has the meaning given the term in section 3502 of title
44, United States Code.</DELETED>
<DELETED> ``(15) Intelligence community.--The term
`intelligence community' has the meaning given the term in
section 3(4) of the National Security Act of 1947 (50 U.S.C.
3003(4)).</DELETED>
<DELETED> ``(16) Monitor.--The term `monitor' means to
acquire, identify, or scan, or to possess, information that is
stored on, processed by, or transiting an information
system.</DELETED>
<DELETED> ``(17) National cybersecurity asset response
activities.--The term `national cybersecurity asset response
activities' means--</DELETED>
<DELETED> ``(A) furnishing cybersecurity technical
assistance to entities affected by cybersecurity risks
to protect assets, mitigate vulnerabilities, and reduce
impacts of cyber incidents;</DELETED>
<DELETED> ``(B) identifying other entities that may
be at risk of an incident and assessing risk to the
same or similar vulnerabilities;</DELETED>
<DELETED> ``(C) assessing potential cybersecurity
risks to a sector or region, including potential
cascading effects, and developing courses of action to
mitigate such risks;</DELETED>
<DELETED> ``(D) facilitating information sharing and
operational coordination with threat response;
and</DELETED>
<DELETED> ``(E) providing guidance on how best to
utilize Federal resources and capabilities in a timely,
effective manner to speed recovery from cybersecurity
risks.</DELETED>
<DELETED> ``(18) National security system.--The term
`national security system' has the meaning given the term in
section 11103 of title 40, United States Code.</DELETED>
<DELETED> ``(19) Sector risk management agency.--The term
`Sector Risk Management Agency' means a Federal department or
agency, designated by law or Presidential directive, with
responsibility for providing institutional knowledge and
specialized expertise of a sector, as well as leading,
facilitating, or supporting programs and associated activities
of its designated critical infrastructure sector in the all
hazards environment in coordination with the
Department.</DELETED>
<DELETED> ``(20) Security vulnerability.--The term `security
vulnerability' means any attribute of hardware, software,
process, or procedure that could enable or facilitate the
defeat of a security control.</DELETED>
<DELETED> ``(21) Sharing.--The term `sharing' (including all
conjugations thereof) means providing, recieving, and
disseminating (including all conjugations of each such
terms).''.</DELETED>
<DELETED> (b) Technical and Conforming Amendments.--The Homeland
Security Act of 2002 (6 U.S.C. 101 et seq.) is amended--</DELETED>
<DELETED> (1) in section 2201, as so redesignated--
</DELETED>
<DELETED> (A) in subsection (a)(1), by striking
``(in this subtitle referred to as the
Agency)'';</DELETED>
<DELETED> (B) in subsection (f)--</DELETED>
<DELETED> (i) in paragraph (1), by inserting
``Executive'' before ``Assistant Director'';
and</DELETED>
<DELETED> (ii) in paragraph (2), by
inserting ``Executive'' before ``Assistant
Director'';</DELETED>
<DELETED> (2) in section 2202(a)(2), as so redesignated, by
striking ``as the `Assistant Director''' and inserting ``as the
`Executive Assistant Director''';</DELETED>
<DELETED> (3) in section 2203(a)(2), as so redesignated, by
striking ``as the `Assistant Director''' and inserting ``as the
`Executive Assistant Director''';</DELETED>
<DELETED> (4) in section 2208, as so redesignated--
</DELETED>
<DELETED> (A) by striking subsection (a);</DELETED>
<DELETED> (B) by redesignating subsections (b)
through subsection (o) as subsections (a) through (n),
respectively;</DELETED>
<DELETED> (C) in subsection (c)(1)(A)(iii), as so
redesignated, by striking ``, as that term is defined
under section 3(4) of the National Security Act of 1947
(50 U.S.C. 3003(4))'';</DELETED>
<DELETED> (D) in subsection (d), as so redesignated,
in the matter preceding paragraph (1), by striking
``subsection (c)'' and inserting ``subsection
(b)'';</DELETED>
<DELETED> (E) in subsection (j), as so redesignated,
by striking ``subsection (c)(8)'' and inserting
``subsection (b)(8)''; and</DELETED>
<DELETED> (F) in subsection (n), as so
redesignated--</DELETED>
<DELETED> (i) in paragraph (2)(A), by
striking ``subsection (c)(12)'' and inserting
``subsection (b)(12)''; and</DELETED>
<DELETED> (ii) in paragraph (3)(B)(i), by
striking ``subsection (c)(12)'' and inserting
``subsection (b)(12)'';</DELETED>
<DELETED> (5) in section 2209, as so redesignated--
</DELETED>
<DELETED> (A) by striking subsection (a);</DELETED>
<DELETED> (B) by redesignating subsections (b)
through (d) as subsections (a) through (c),
respectively;</DELETED>
<DELETED> (C) in subsection (b), as so
redesignated--</DELETED>
<DELETED> (i) by striking ``information
sharing and analysis organizations (as defined
in section 2222(5))'' and inserting
``Information Sharing and Analysis
Organizations''; and</DELETED>
<DELETED> (ii) by striking ``(as defined in
section 2209)''; and</DELETED>
<DELETED> (D) in subsection (c), as so redesignated,
by striking ``subsection (c)'' and inserting
``subsection (b)'';</DELETED>
<DELETED> (6) in section 2210, as so redesignated, by
striking subsection (h);</DELETED>
<DELETED> (7) in section 2211, as so redesignated, by
striking ``information sharing and analysis organizations (as
defined in section 2222(5))'' and inserting ``Information
Sharing and Analysis Organizations'';</DELETED>
<DELETED> (8) in section 2212, as so redesignated--
</DELETED>
<DELETED> (A) by striking subsection (a);</DELETED>
<DELETED> (B) by redesignating subsections (b)
through (f) as subsections (a) through (e);
respectively;</DELETED>
<DELETED> (C) in subsection (b), as so redesignated,
by striking ``subsection (b)'' each place it appears
and inserting ``subsection (a)'';</DELETED>
<DELETED> (D) in subsection (c), as so redesignated,
in the matter preceding paragraph (1), by striking
``subsection (b)'' and inserting ``subsection (a)'';
and</DELETED>
<DELETED> (E) in subsection (d), as so
redesignated--</DELETED>
<DELETED> (i) in paragraph (1)--</DELETED>
<DELETED> (I) in the matter
preceding subparagraph (A), by striking
``subsection (c)(2)'' and inserting
``subsection (b)(2)'';</DELETED>
<DELETED> (II) in subparagraph (A),
by striking ``subsection (c)(1)'' and
inserting ``subsection (b)(1)'';
and</DELETED>
<DELETED> (III) in subparagraph (B),
by striking ``subsection (c)(2)'' and
inserting ``subsection (b)(2)'';
and</DELETED>
<DELETED> (ii) in paragraph (2), by striking
``subsection (c)(2)'' and inserting
``subsection (b)(2)'';</DELETED>
<DELETED> (9) in section 2215 (6 U.S.C. 665b)--</DELETED>
<DELETED> (A) by striking subsection (a);</DELETED>
<DELETED> (B) by redesignating subsections (b)
through (h) as subsections (a) through (g),
respectively;</DELETED>
<DELETED> (C) in subsection (a), as so
redesignated--</DELETED>
<DELETED> (i) in the matter preceding
paragraph (1), by striking ``subsection (e)''
and inserting ``subsection (d)'';</DELETED>
<DELETED> (ii) in paragraph (1), by striking
``subsection (c)'' and inserting ``subsection
(b)''; and</DELETED>
<DELETED> (iii) in paragraph (2), by
striking ``subsection (c)'' and inserting
``subsection (b)'';</DELETED>
<DELETED> (D) in subsection (b)(4), as so
redesignated--</DELETED>
<DELETED> (i) by striking ``subsection (e)''
and inserting ``subsection (d)''; and</DELETED>
<DELETED> (ii) by striking ``subsection
(h)'' and inserting ``subsection
(g)'';</DELETED>
<DELETED> (E) in subsection (d), as so redesignated,
by striking ``subsection (b)(1)'' each place it appears
and inserting ``subsection (a)(1)'';</DELETED>
<DELETED> (F) in subsection (e), as so
redesignated--</DELETED>
<DELETED> (i) by striking ``subsection (b)''
and inserting ``subsection (a)'';</DELETED>
<DELETED> (ii) by striking ``subsection
(e)'' and inserting ``subsection (d)'';
and</DELETED>
<DELETED> (iii) by striking ``subsection
(b)(1)'' and inserting ``subsection (a)(1)'';
and</DELETED>
<DELETED> (G) in subsection (f), as so redesignated,
by striking ``subsection (c)'' and inserting
``subsection (b)'';</DELETED>
<DELETED> (10) in section 2216, as so redesignated, by
striking subsection (f) and inserting the following:</DELETED>
<DELETED> ``(f) Cyber Defense Operation Defined.--In this section,
the term `cyber defense operation' means the use of a defensive
measure.''; and</DELETED>
<DELETED> (11) in section 2222--</DELETED>
<DELETED> (A) by striking paragraphs (3), (5), and
(8);</DELETED>
<DELETED> (B) by redesignating paragraph (4) as
paragraph (3); and</DELETED>
<DELETED> (C) by redesignating paragraphs (6) and
(7) as paragraphs (4) and (5), respectively.</DELETED>
<DELETED> (c) Cybersecurity Act of 2015 Definitions.--Section 102 of
the Cybersecurity Act of 2015 (6 U.S.C. 1501) is amended--</DELETED>
<DELETED> (1) by striking paragraphs (4) through (7) and
inserting the following:</DELETED>
<DELETED> ``(4) Cybersecurity purpose.--The term
`cybersecurity purpose' has the meaning given the term in
section 2200 of the Homeland Security Act of 2002.</DELETED>
<DELETED> ``(5) Cybersecurity threat.--The term
`cybersecurity threat' has the meaning given the term in
section 2200 of the Homeland Security Act of 2002.</DELETED>
<DELETED> ``(6) Cyber theat indicator.--The term `cyber
threat indicator' has the meaning given the term in section
2200 of the Homeland Security Act of 2002.</DELETED>
<DELETED> ``(7) Defensive measure.--The term `defensive
measure' has the meaning given the term in section 2200 of the
Homeland Security Act of 2002.'';</DELETED>
<DELETED> (2) by striking paragraph (13) and inserting the
following:</DELETED>
<DELETED> ``(13) Monitor.-- The term `monitor' has the
meaning given the term in section 2200 of the Homeland Security
Act of 2002.''; and</DELETED>
<DELETED> (3) by striking paragraph (17) and inserting the
following:</DELETED>
<DELETED> ``(17) Security vulnerability.--The term `security
vulnerability' has the meaning given the term in section 2200
of the Homeland Security Act of 2002.''.</DELETED>
<DELETED>SEC. 4. ADDITIONAL TECHNICAL AND CONFORMING
AMENDMENTS.</DELETED>
<DELETED> (a) Federal Cybersecurity Enhancement Act of 2015.--The
Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1521 et seq.)
is amended--</DELETED>
<DELETED> (1) in section 222 (6 U.S.C. 1521)--</DELETED>
<DELETED> (A) in paragraph (2), by striking
``section 2210'' and inserting ``section 2200'';
and</DELETED>
<DELETED> (B) in paragraph (4), by striking
``section 2209'' and inserting ``section
2200'';</DELETED>
<DELETED> (2) in section 223 (6 U.S.C. 151 note) is amended
by striking ``section 2213(b)(1)'' each place it appears and
inserting ``section 2212(a)(1)''; and</DELETED>
<DELETED> (3) in section 226--</DELETED>
<DELETED> (A) in subsection (a)--</DELETED>
<DELETED> (i) in paragraph (1), by striking
``section 2213'' and inserting ``section
2200'';</DELETED>
<DELETED> (ii) in paragraph (4), by striking
``section 2210(b)(1)'' and inserting ``section
2209(a)(1)''; and</DELETED>
<DELETED> (iii) in paragraph (5), by
striking ``section 2213(b)'' and inserting
``section 2212(a)''; and</DELETED>
<DELETED> (B) in subsection (c)(1)(A)(vi), by
striking ``section 2213(c)(5)'' and inserting ``section
2212(b)(5)''; and</DELETED>
<DELETED> (4) in section 227 (6 U.S.C. 1525)--</DELETED>
<DELETED> (A) in subsection (a), by striking
``section 2213'' and inserting ``section 2212'';
and</DELETED>
<DELETED> (B) in subsection (b), by striking
``section 2213(d)(2)'' and inserting ``section
2212(c)(2)''.</DELETED>
<DELETED> (b) Public Health Service Act.--Section 2811(b)(4)(D) of
the Public Health Service Act (42 U.S.C. 300hh-10(b)(4)(D)) is amended
by striking ``section 228(c) of the Homeland Security Act of 2002 (6
U.S.C. 149(c))'' and inserting ``section 2209(c) of the Homeland
Security Act of 2002''.</DELETED>
<DELETED> (c) William M. (Mac) Thornberry National Defense
Authorization Act of Fiscal Year 2021.--Section 9002 of the William M.
(Mac) Thornberry National Defense Authorization Act for Fiscal Year
2021 (6 U.S.C. 652a) is amended--</DELETED>
<DELETED> (1) in subsection (a)--</DELETED>
<DELETED> (A) in paragraph (5), by striking
``section 2222(5) of the Homeland Security Act of 2002
(6 U.S.C. 671(5))'' and inserting ``section 2200 of the
Homeland Security Act of 2002''; and</DELETED>
<DELETED> (B) in paragraph (7), by striking ``given
the term'' and all that follows and inserting ``given
the term in section 2200 of the Homeland Security Act
of 2002'';</DELETED>
<DELETED> (2) in subsection (b)(1)(A), by striking ``section
2202(c)(4) of the Homeland Security Act (6 U.S.C. 652(c)(4))''
and inserting ``section 2201(c)(4)'';</DELETED>
<DELETED> (3) in subsection (c)(3)(B), by striking ``section
2201(5) of the Homeland Security Act of 2002 (6 U.S.C.
651(5))'' and inserting ``section 2200 of the Homeland Security
Act of 2002''; and</DELETED>
<DELETED> (4) in subsection (d)--</DELETED>
<DELETED> (A) by striking ``section 2215'' and
inserting ``2217''; and</DELETED>
<DELETED> (B) by striking ``, as added by this
section''.</DELETED>
<DELETED> (d) National Security Act of 1947.--Section 113B of the
National Security Act of 1947 (50 U.S.C. 3049a(b)(4)) is amended by
striking section ``226 of the Homeland Security Act of 2002 (6 U.S.C.
147)'' and inserting ``section 2207 of the Homeland Security Act of
2002''.</DELETED>
<DELETED> (e) Cybersecurity Act of 2015.--Section 404(a) of the
Cybersecurity Act of 2015 (6 U.S.C. 1532(a)) is amended by striking
``section 2209'' and inserting ``section 2208''.</DELETED>
<DELETED> (f) IoT Cybersecurity Improvement Act of 2020.--Section
5(b)(3) of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C.
278g-3c) is amended by striking ``section 2209(m)'' and inserting
``section 2208(l)''.</DELETED>
<DELETED> (g) Small Business Act.--Section 21(a)(8)(B) of the Small
Business Act (15 U.S.C. 648(a)(8)(B)) is amended by striking ``section
2209(a)'' and inserting ``section 2200''.</DELETED>
<DELETED> (h) Title 46.--Section 70101(2) of title 46, United States
Code, is amended by striking ``section 227 of the Homeland Security Act
of 2002 (6 U.S.C. 148)'' and inserting ``section 2200 of the Homeland
Security Act of 2002''.</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``CISA Technical Corrections and
Improvements Act of 2021''.
SEC. 2. REDESIGNATIONS.
(a) In General.--Subtitle A of title XXII of the Homeland Security
Act of 2002 (6 U.S.C. 651 et seq.) is amended--
(1) by redesignating section 2217 (6 U.S.C. 665f) as
section 2220;
(2) by redesignating section 2216 (6 U.S.C. 665e) as
section 2219;
(3) by redesignating the fourth section 2215 (relating to
Sector Risk Management Agencies) (6 U.S.C. 665d) as section
2218;
(4) by redesignating the third section 2215 (relating to
the Cybersecurity State Coordinator) (6 U.S.C. 665c) as section
2217; and
(5) by redesignating the second section 2215 (relating to
the Joint Cyber Planning Office) (6 U.S.C. 665b) as section
2216.
(b) Technical and Conforming Amendments.--Section 2202(c) of the
Homeland Security Act of 2002 (6 U.S.C. 652(c)) is amended--
(1) in paragraph (11), by striking ``and'' at the end;
(2) in the first paragraph (12)--
(A) by striking ``section 2215'' and inserting
``section 2217''; and
(B) by striking ``and'' at the end; and
(3) by redesignating the second and third paragraphs (12)
as paragraphs (13) and (14), respectively.
(c) Additional Technical Amendment.--
(1) Amendment.--Section 904(b)(1) of the DOTGOV Act of 2020
(title IX of division U of Public Law 116-260) is amended, in
the matter preceding subparagraph (A), by striking ``Homeland
Security Act'' and inserting ``Homeland Security Act of 2002''.
(2) Effective date.--The amendment made by paragraph (1)
shall take effect as if enacted as part of the DOTGOV Act of
2020 (title IX of division U of Public Law 116-260).
SEC. 3. CONSOLIDATION OF DEFINITIONS.
(a) In General.--Title XXII of the Homeland Security Act of 2002 (6
U.S.C. 651) is amended by inserting before the subtitle A heading the
following:
``SEC. 2200. DEFINITIONS.
``Except as otherwise specifically provided, in this title:
``(1) Agency.--The term `Agency' means the Cybersecurity
and Infrastructure Security Agency.
``(2) Agency information.--The term `agency information'
means information collected or maintained by or on behalf of an
agency.
``(3) Agency information system.--The term `agency
information system' means an information system used or
operated by an agency or by another entity on behalf of an
agency.
``(4) Appropriate congressional committees.--The term
`appropriate congressional committees' means--
``(A) the Committee on Homeland Security and
Governmental Affairs of the Senate; and
``(B) the Committee on Homeland Security of the
House of Representatives.
``(5) Critical infrastructure information.--The term
`critical infrastructure information' means information not
customarily in the public domain and related to the security of
critical infrastructure or protected systems--
``(A) actual, potential, or threatened interference
with, attack on, compromise of, or incapacitation of
critical infrastructure or protected systems by either
physical or computer-based attack or other similar
conduct (including the misuse of or unauthorized access
to all types of communications and data transmission
systems) that violates Federal, State, or local law,
harms interstate commerce of the United States, or
threatens public health or safety;
``(B) the ability of any critical infrastructure or
protected system to resist such interference,
compromise, or incapacitation, including any planned or
past assessment, projection, or estimate of the
vulnerability of critical infrastructure or a protected
system, including security testing, risk evaluation
thereto, risk management planning, or risk audit; or
``(C) any planned or past operational problem or
solution regarding critical infrastructure or protected
systems, including repair, recovery, reconstruction,
insurance, or continuity, to the extent it is related
to such interference, compromise, or incapacitation.
``(6) Cyber threat indicator.--The term `cyber threat
indicator' means information that is necessary to describe or
identify--
``(A) malicious reconnaissance, including anomalous
patterns of communications that appear to be
transmitted for the purpose of gathering technical
information related to a cybersecurity threat or
security vulnerability;
``(B) a method of defeating a security control or
exploitation of a security vulnerability;
``(C) a security vulnerability, including anomalous
activity that appears to indicate the existence of a
security vulnerability;
``(D) a method of causing a user with legitimate
access to an information system or information that is
stored on, processed by, or transiting an information
system to unwittingly enable the defeat of a security
control or exploitation of a security vulnerability;
``(E) malicious cyber command and control;
``(F) the actual or potential harm caused by an
incident, including a description of the information
exfiltrated as a result of a particular cybersecurity
threat;
``(G) any other attribute of a cybersecurity
threat, if disclosure of such attribute is not
otherwise prohibited by law; or
``(H) any combination thereof.
``(7) Cybersecurity purpose.--The term `cybersecurity
purpose' means the purpose of protecting an information system
or information that is stored on, processed by, or transiting
an information system from a cybersecurity threat or security
vulnerability.
``(8) Cybersecurity risk.--The term `cybersecurity risk'--
``(A) means threats to and vulnerabilities of
information or information systems and any related
consequences caused by or resulting from unauthorized
access, use, disclosure, degradation, disruption,
modification, or destruction of such information or
information systems, including such related
consequences caused by an act of terrorism; and
``(B) does not include any action that solely
involves a violation of a consumer term of service or a
consumer licensing agreement.
``(9) Cybersecurity threat.--
``(A) In general.--Except as provided in
subparagraph (B), the term `cybersecurity threat' means
an action, not protected by the First Amendment to the
Constitution of the United States, on or through an
information system that may result in an unauthorized
effort to adversely impact the security, availability,
confidentiality, or integrity of an information system
or information that is stored on, processed by, or
transiting an information system.
``(B) Exclusion.--The term `cybersecurity threat'
does not include any action that solely involves a
violation of a consumer term of service or a consumer
licensing agreement.
``(10) Defensive measure.--
``(A) In general.--Except as provided in
subparagraph (B), the term `defensive measure' means an
action, device, procedure, signature, technique, or
other measure applied to an information system or
information that is stored on, processed by, or
transiting an information system that detects,
prevents, or mitigates a known or suspected
cybersecurity threat or security vulnerability.
``(B) Exclusion.--The term `defensive measure' does
not include a measure that destroys, renders unusable,
provides unauthorized access to, or substantially harms
an information system or information stored on,
processed by, or transiting such information system not
owned by--
``(i) the entity operating the measure; or
``(ii) another entity or Federal entity
that is authorized to provide consent and has
provided consent to that private entity for
operation of such measure.
``(11) Homeland security enterprise.--The term `Homeland
Security Enterprise' means relevant governmental and
nongovernmental entities involved in homeland security,
including Federal, State, local, and tribal government
officials, private sector representatives, academics, and other
policy experts.
``(12) Incident.--The term `incident' means an occurrence
that actually or imminently jeopardizes, without lawful
authority, the integrity, confidentiality, or availability of
information on an information system, or actually or imminently
jeopardizes, without lawful authority, an information system.
``(13) Information sharing and analysis organization.--The
term `Information Sharing and Analysis Organization' means any
formal or informal entity or collaboration created or employed
by public or private sector organizations, for purposes of--
``(A) gathering and analyzing critical
infrastructure information, including information
related to cybersecurity risks and incidents, in order
to better understand security problems and
interdependencies related to critical infrastructure,
including cybersecurity risks and incidents, and
protected systems, so as to ensure the availability,
integrity, and reliability thereof;
``(B) communicating or disclosing critical
infrastructure information, including cybersecurity
risks and incidents, to help prevent, detect, mitigate,
or recover from the effects of a interference,
compromise, or a incapacitation problem related to
critical infrastructure, including cybersecurity risks
and incidents, or protected systems; and
``(C) voluntarily disseminating critical
infrastructure information, including cybersecurity
risks and incidents, to its members, State, local, and
Federal Governments, or any other entities that may be
of assistance in carrying out the purposes specified in
subparagraphs (A) and (B).
``(14) Information system.--The term `information system'
has the meaning given the term in section 3502 of title 44,
United States Code.
``(15) Intelligence community.--The term `intelligence
community' has the meaning given the term in section 3(4) of
the National Security Act of 1947 (50 U.S.C. 3003(4)).
``(16) Monitor.--The term `monitor' means to acquire,
identify, or scan, or to possess, information that is stored
on, processed by, or transiting an information system.
``(17) National cybersecurity asset response activities.--
The term `national cybersecurity asset response activities'
means--
``(A) furnishing cybersecurity technical assistance
to entities affected by cybersecurity risks to protect
assets, mitigate vulnerabilities, and reduce impacts of
cyber incidents;
``(B) identifying other entities that may be at
risk of an incident and assessing risk to the same or
similar vulnerabilities;
``(C) assessing potential cybersecurity risks to a
sector or region, including potential cascading
effects, and developing courses of action to mitigate
such risks;
``(D) facilitating information sharing and
operational coordination with threat response; and
``(E) providing guidance on how best to utilize
Federal resources and capabilities in a timely,
effective manner to speed recovery from cybersecurity
risks.
``(18) National security system.--The term `national
security system' has the meaning given the term in section
11103 of title 40, United States Code.
``(19) Sector risk management agency.--The term `Sector
Risk Management Agency' means a Federal department or agency,
designated by law or Presidential directive, with
responsibility for providing institutional knowledge and
specialized expertise of a sector, as well as leading,
facilitating, or supporting programs and associated activities
of its designated critical infrastructure sector in the all
hazards environment in coordination with the Department.
``(20) Security control.--The term `security control' means
the management, operational, and technical controls used to
protect against an unauthorized effort to adversely affect the
confidentiality, integrity, and availability of an information
system or its information.
``(21) Security vulnerability.--The term `security
vulnerability' means any attribute of hardware, software,
process, or procedure that could enable or facilitate the
defeat of a security control.
``(22) Sharing.--The term `sharing' (including all
conjugations thereof) means providing, receiving, and
disseminating (including all conjugations of each such
terms).''.
(b) Technical and Conforming Amendments.--The Homeland Security Act
of 2002 (6 U.S.C. 101 et seq.) is amended--
(1) by amending section 2201 to read as follows:
``SEC. 2201. DEFINITION.
``In this subtitle, the term `Cybersecurity Advisory Committee'
means the advisory committee established under section 2219(a).'';
(2) in section 2202--
(A) in subsection (a)(1), by striking ``(in this
subtitle referred to as the Agency)'';
(B) in subsection (f)--
(i) in paragraph (1), by inserting
``Executive'' before ``Assistant Director'';
and
(ii) in paragraph (2), by inserting
``Executive'' before ``Assistant Director'';
(3) in section 2203(a)(2), by striking ``as the `Assistant
Director''' and inserting ``as the `Executive Assistant
Director''';
(4) in section 2204(a)(2), by striking ``as the `Assistant
Director''' and inserting ``as the `Executive Assistant
Director''';
(5) in section 2209--
(A) by striking subsection (a);
(B) by redesignating subsections (b) through
subsection (o) as subsections (a) through (n),
respectively;
(C) in subsection (c)(1)--
(i) in subparagraph (A)(iii), as so
redesignated, by striking ``, as that term is
defined under section 3(4) of the National
Security Act of 1947 (50 U.S.C. 3003(4))''; and
(ii) in subparagraph (B)(ii), by striking
``information sharing and analysis
organizations'' and inserting ``Information
Sharing and Analysis Organizations'';
(D) in subsection (d), as so redesignated--
(i) in the matter preceding paragraph (1),
by striking ``subsection (c)'' and inserting
``subsection (b)''; and
(ii) in paragraph (1)(E)(ii)(II), by
striking ``information sharing and analysis
organizations'' and inserting ``Information
Sharing and Analysis Organizations'';
(E) in subsection (j), as so redesignated, by
striking ``subsection (c)(8)'' and inserting
``subsection (b)(8)''; and
(F) in subsection (n), as so redesignated--
(i) in paragraph (2)(A), by striking
``subsection (c)(12)'' and inserting
``subsection (b)(12)''; and
(ii) in paragraph (3)(B)(i), by striking
``subsection (c)(12)'' and inserting
``subsection (b)(12)'';
(6) in section 2210--
(A) by striking subsection (a);
(B) by redesignating subsections (b) through (d) as
subsections (a) through (c), respectively;
(C) in subsection (b), as so redesignated--
(i) by striking ``information sharing and
analysis organizations (as defined in section
2222(5))'' and inserting ``Information Sharing
and Analysis Organizations''; and
(ii) by striking ``(as defined in section
2209)''; and
(D) in subsection (c), as so redesignated, by
striking ``subsection (c)'' and inserting ``subsection
(b)'';
(7) in section 2211, by striking subsection (h);
(8) in section 2212, by striking ``information sharing and
analysis organizations (as defined in section 2222(5))'' and
inserting ``Information Sharing and Analysis Organizations'';
(9) in section 2213--
(A) by striking subsection (a);
(B) by redesignating subsections (b) through (f) as
subsections (a) through (e); respectively;
(C) in subsection (b), as so redesignated, by
striking ``subsection (b)'' each place it appears and
inserting ``subsection (a)'';
(D) in subsection (c), as so redesignated, in the
matter preceding paragraph (1), by striking
``subsection (b)'' and inserting ``subsection (a)'';
and
(E) in subsection (d), as so redesignated--
(i) in paragraph (1)--
(I) in the matter preceding
subparagraph (A), by striking
``subsection (c)(2)'' and inserting
``subsection (b)(2)'';
(II) in subparagraph (A), by
striking ``subsection (c)(1)'' and
inserting ``subsection (b)(1)''; and
(III) in subparagraph (B), by
striking ``subsection (c)(2)'' and
inserting ``subsection (b)(2)''; and
(ii) in paragraph (2), by striking
``subsection (c)(2)'' and inserting
``subsection (b)(2)'';
(10) in section 2216, as so redesignated--
(A) in subsection (d)(2), by striking ``information
sharing and analysis organizations'' and inserting
``Information Sharing and Analysis Organizations''; and
(B) by striking subsection (f) and inserting the
following:
``(f) Cyber Defense Operation Defined.--In this section, the term
`cyber defense operation' means the use of a defensive measure.'';
(11) in section 2218(c)(4)(A), as so redesignated, by
striking ``information sharing and analysis organizations'' and
inserting ``Information Sharing and Analysis Organizations'';
and
(12) in section 2222--
(A) by striking paragraphs (3), (5), and (8);
(B) by redesignating paragraph (4) as paragraph
(3); and
(C) by redesignating paragraphs (6) and (7) as
paragraphs (4) and (5), respectively.
(c) Table of Contents Amendments.--The table of contents in section
1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 116
Stat. 2135) is amended--
(1) by inserting before the item relating to subtitle A of
title XXII the following:
``Sec. 2200. Definitions.'';
(2) by striking the item relating to section 2201 and
insert the following:
``Sec. 2201. Definition.''; and
(3) by striking the item relating to section 2214 and all
that follows through the item relating to section 2217 and
inserting the following:
``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint Cyber Planning Office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity Education and Training Programs.''.
(d) Cybersecurity Act of 2015 Definitions.--Section 102 of the
Cybersecurity Act of 2015 (6 U.S.C. 1501) is amended--
(1) by striking paragraphs (4) through (7) and inserting
the following:
``(4) Cybersecurity purpose.--The term `cybersecurity
purpose' has the meaning given the term in section 2200 of the
Homeland Security Act of 2002.
``(5) Cybersecurity threat.--The term `cybersecurity
threat' has the meaning given the term in section 2200 of the
Homeland Security Act of 2002.
``(6) Cyber threat indicator.--The term `cyber threat
indicator' has the meaning given the term in section 2200 of
the Homeland Security Act of 2002.
``(7) Defensive measure.--The term `defensive measure' has
the meaning given the term in section 2200 of the Homeland
Security Act of 2002.'';
(2) by striking paragraph (13) and inserting the following:
``(13) Monitor.-- The term `monitor' has the meaning given
the term in section 2200 of the Homeland Security Act of
2002.''; and
(3) by striking paragraphs (16) and (17) and inserting the
following:
``(16) Security control.--The term `security control' has
the meaning given the term in section 2200 of the Homeland
Security Act of 2002.
``(17) Security vulnerability.--The term `security
vulnerability' has the meaning given the term in section 2200
of the Homeland Security Act of 2002.''.
SEC. 4. ADDITIONAL TECHNICAL AND CONFORMING AMENDMENTS.
(a) Federal Cybersecurity Enhancement Act of 2015.--The Federal
Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1521 et seq.) is
amended--
(1) in section 222 (6 U.S.C. 1521)--
(A) in paragraph (2), by striking ``section 2210''
and inserting ``section 2200''; and
(B) in paragraph (4), by striking ``section 2209''
and inserting ``section 2200'';
(2) in section 223(b) (6 U.S.C. 151 note), by striking
``section 2213(b)(1)'' each place it appears and inserting
``section 2213(a)(1)'';
(3) in section 226 (6 U.S.C. 1524)--
(A) in subsection (a)--
(i) in paragraph (1), by striking ``section
2213'' and inserting ``section 2200'';
(ii) in paragraph (2), by striking
``section 102'' and inserting ``section 2200 of
the Homeland Security Act of 2002'';
(iii) in paragraph (4), by striking
``section 2210(b)(1)'' and inserting ``section
2210(a)(1)''; and
(iv) in paragraph (5), by striking
``section 2213(b)'' and inserting ``section
2213(a)''; and
(B) in subsection (c)(1)(A)(vi), by striking
``section 2213(c)(5)'' and inserting ``section
2213(b)(5)''; and
(4) in section 227(b) (6 U.S.C. 1525(b)), by striking
``section 2213(d)(2)'' and inserting ``section 2213(c)(2)''.
(b) Public Health Service Act.--Section 2811(b)(4)(D) of the Public
Health Service Act (42 U.S.C. 300hh-10(b)(4)(D)) is amended by striking
``section 228(c) of the Homeland Security Act of 2002 (6 U.S.C.
149(c))'' and inserting ``section 2210(b) of the Homeland Security Act
of 2002 (6 U.S.C. 660(b))''.
(c) William M. (Mac) Thornberry National Defense Authorization Act
of Fiscal Year 2021.--Section 9002 of the William M. (Mac) Thornberry
National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 652a)
is amended--
(1) in subsection (a)--
(A) in paragraph (5), by striking ``section 2222(5)
of the Homeland Security Act of 2002 (6 U.S.C.
671(5))'' and inserting ``section 2200 of the Homeland
Security Act of 2002''; and
(B) by amending paragraph (7) to read as follows:
``(7) Sector risk management agency.--The term `Sector Risk
Management Agency' has the meaning given the term in section
2200 of the Homeland Security Act of 2002.'';
(2) in subsection (c)(3)(B), by striking ``section
2201(5)'' and inserting ``section 2200''; and
(3) in subsection (d)--
(A) by striking ``section 2215'' and inserting
``2218''; and
(B) by striking ``, as added by this section''.
(d) National Security Act of 1947.--Section 113B of the National
Security Act of 1947 (50 U.S.C. 3049a(b)(4)) is amended by striking
section ``226 of the Homeland Security Act of 2002 (6 U.S.C. 147)'' and
inserting ``section 2208 of the Homeland Security Act of 2002 (6 U.S.C.
658)''.
(e) IoT Cybersecurity Improvement Act of 2020.--Section 5(b)(3) of
the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3c) is
amended by striking ``section 2209(m) of the Homeland Security Act of
2002 (6 U.S.C. 659(m))'' and inserting ``section 2209(l) of the
Homeland Security Act of 2002 (6 U.S.C. 659(l))''.
(f) Small Business Act.--Section 21(a)(8)(B) of the Small Business
Act (15 U.S.C. 648(a)(8)(B)) is amended by striking ``section 2209(a)''
and inserting ``section 2200''.
(g) Title 46.--Section 70101(2) of title 46, United States Code, is
amended by striking ``section 227 of the Homeland Security Act of 2002
(6 U.S.C. 148)'' and inserting ``section 2200 of the Homeland Security
Act of 2002''.
Calendar No. 632
117th CONGRESS
2d Session
S. 2540
[Report No. 117-248]
_______________________________________________________________________
A BILL
To make technical corrections to title XXII of the Homeland Security
Act of 2002, and for other purposes.
_______________________________________________________________________
December 13, 2022
Reported with an amendment