[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2993 Reported in Senate (RS)]
<DOC>
Calendar No. 674
117th CONGRESS
2d Session
S. 2993
[Report No. 117-275]
To amend the Homeland Security Act of 2002 to establish in the
Cybersecurity and Infrastructure Security Agency the National Cyber
Exercise Program, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
October 19, 2021
Ms. Rosen (for herself, Mr. Sasse, and Mr. King) introduced the
following bill; which was read twice and referred to the Committee on
Homeland Security and Governmental Affairs
December 19, 2022
Reported by Mr. Peters, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to establish in the
Cybersecurity and Infrastructure Security Agency the National Cyber
Exercise Program, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``CISA Cyber Exercise
Act''.</DELETED>
<DELETED>SEC. 2. NATIONAL CYBER EXERCISE PROGRAM.</DELETED>
<DELETED> (a) In General.--Subtitle A of title XXII of the Homeland
Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the
end the following new section:</DELETED>
<DELETED>``SEC. 2220A. NATIONAL CYBER EXERCISE PROGRAM.</DELETED>
<DELETED> ``(a) Establishment of Program.--</DELETED>
<DELETED> ``(1) In general.--There is established in the
Agency the National Cyber Exercise Program (referred to in this
section as the `Exercise Program') to evaluate the National
Cyber Incident Response Plan, and other related plans and
strategies.</DELETED>
<DELETED> ``(2) Requirements.--</DELETED>
<DELETED> ``(A) In general.--The Exercise Program
shall be--</DELETED>
<DELETED> ``(i) based on current risk
assessments, including credible threats,
vulnerabilities, and consequences;</DELETED>
<DELETED> ``(ii) designed, to the extent
practicable, to simulate the partial or
complete incapacitation of a government or
critical infrastructure network resulting from
a cyber incident;</DELETED>
<DELETED> ``(iii) designed to provide for
the systematic evaluation of cyber readiness
and enhance operational understanding of the
cyber incident response system and relevant
information sharing agreements; and</DELETED>
<DELETED> ``(iv) designed to promptly
develop after-action reports and plans that can
quickly incorporate lessons learned into future
operations.</DELETED>
<DELETED> ``(B) Model exercise selection.--The
Exercise Program shall--</DELETED>
<DELETED> ``(i) include a selection of model
exercises that government and private entities
can readily adapt for use; and</DELETED>
<DELETED> ``(ii) aid such governments and
private entities with the design,
implementation, and evaluation of exercises
that--</DELETED>
<DELETED> ``(I) conform to the
requirements described in subparagraph
(A);</DELETED>
<DELETED> ``(II) are consistent with
any applicable national, State, local,
or Tribal strategy or plan;
and</DELETED>
<DELETED> ``(III) provide for
systematic evaluation of
readiness.</DELETED>
<DELETED> ``(3) Consultation.--In carrying out the Exercise
Program, the Director may consult with appropriate
representatives from Sector Risk Management Agencies, the
Office of the National Cyber Director, cybersecurity research
stakeholders, and Sector Coordinating Councils.</DELETED>
<DELETED> ``(b) Definitions.--In this section:</DELETED>
<DELETED> ``(1) State.--The term `State' means any State of
the United States, the District of Columbia, the Commonwealth
of Puerto Rico, the Northern Mariana Islands, the United States
Virgin Islands, Guam, American Samoa, and any other territory
or possession of the United States.</DELETED>
<DELETED> ``(2) Private entity.--The term `private entity'
has the meaning given such term in section 102 of the
Cybersecurity Information Sharing Act of 2015 (6 U.S.C.
1501).''.</DELETED>
<DELETED> (b) Technical Amendments.--</DELETED>
<DELETED> (1) Homeland security act of 2002.--Subtitle A of
title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651
et seq.) is amended--</DELETED>
<DELETED> (A) in the first section 2215 (6 U.S.C.
665; relating to the duties and authorities relating to
.gov internet domain), by amending the section
enumerator and heading to read as follows:</DELETED>
<DELETED>``SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV INTERNET
DOMAIN.'';</DELETED>
<DELETED> (B) in the second section 2215 (6 U.S.C.
665b; relating to the joint cyber planning office), by
amending the section enumerator and heading to read as
follows:</DELETED>
<DELETED>``SEC. 2216. JOINT CYBER PLANNING OFFICE.'';</DELETED>
<DELETED> (C) in the third section 2215 (6 U.S.C.
665c; relating to the Cybersecurity State Coordinator),
by amending the section enumerator and heading to read
as follows:</DELETED>
<DELETED>``SEC. 2217. CYBERSECURITY STATE COORDINATOR.'';</DELETED>
<DELETED> (D) in the fourth section 2215 (6 U.S.C.
665d; relating to Sector Risk Management Agencies), by
amending the section enumerator and heading to read as
follows:</DELETED>
<DELETED>``SEC. 2218. SECTOR RISK MANAGEMENT AGENCIES.'';</DELETED>
<DELETED> (E) in section 2216 (6 U.S.C. 665e;
relating to the Cybersecurity Advisory Committee), by
amending the section enumerator and heading to read as
follows:</DELETED>
<DELETED>``SEC. 2219. CYBERSECURITY ADVISORY COMMITTEE.'';</DELETED>
<DELETED>and</DELETED>
<DELETED> (F) in section 2217 (6 U.S.C. 665f;
relating to Cybersecurity Education and Training
Programs), by amending the section enumerator and
heading to read as follows:</DELETED>
<DELETED>``SEC. 2220. CYBERSECURITY EDUCATION AND TRAINING
PROGRAMS.''.</DELETED>
<DELETED> (2) Consolidated appropriations act, 2021.--
Paragraph (1) of section 904(b) of division U of the
Consolidated Appropriations Act, 2021 (Public Law 116-260) is
amended, in the matter preceding subparagraph (A), by inserting
``of 2002'' after ``Homeland Security Act''.</DELETED>
<DELETED> (c) Clerical Amendment.--The table of contents in section
1(b) of the Homeland Security Act of 2002 is amended by striking the
items relating to sections 2214 through 2217 and inserting the
following new items:</DELETED>
<DELETED>``Sec. 2214. National Asset Database.
<DELETED>``Sec. 2215. Duties and authorities relating to .gov internet
domain.
<DELETED>``Sec. 2216. Joint cyber planning office.
<DELETED>``Sec. 2217. Cybersecurity State Coordinator.
<DELETED>``Sec. 2218. Sector Risk Management Agencies.
<DELETED>``Sec. 2219. Cybersecurity Advisory Committee.
<DELETED>``Sec. 2220. Cybersecurity Education and Training Programs.
<DELETED>``Sec. 2220A. National Cyber Exercise Program.''.
SECTION 1. SHORT TITLE.
This Act may be cited as the ``CISA Cyber Exercise Act''.
SEC. 2. NATIONAL CYBER EXERCISE PROGRAM.
(a) In General.--Subtitle A of title XXII of the Homeland Security
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the
following new section:
``SEC. 2220A. NATIONAL CYBER EXERCISE PROGRAM.
``(a) Establishment of Program.--
``(1) In general.--There is established in the Agency the
National Cyber Exercise Program (referred to in this section as
the `Exercise Program') to evaluate the National Cyber Incident
Response Plan, and other related plans and strategies.
``(2) Requirements.--
``(A) In general.--The Exercise Program shall be--
``(i) based on current risk assessments,
including credible threats, vulnerabilities,
and consequences;
``(ii) designed, to the extent practicable,
to simulate the partial or complete
incapacitation of a government or critical
infrastructure network resulting from a cyber
incident;
``(iii) designed to provide for the
systematic evaluation of cyber readiness and
enhance operational understanding of the cyber
incident response system and relevant
information sharing agreements; and
``(iv) designed to promptly develop
after-action reports and plans that can quickly
incorporate lessons learned into future
operations.
``(B) Model exercise selection.--The Exercise
Program shall--
``(i) include a selection of model
exercises that government and private entities
can readily adapt for use; and
``(ii) aid such governments and private
entities with the design, implementation, and
evaluation of exercises that--
``(I) conform to the requirements
described in subparagraph (A);
``(II) are consistent with any
applicable national, State, local, or
Tribal strategy or plan; and
``(III) provide for systematic
evaluation of readiness.
``(3) Consultation.--In carrying out the Exercise Program,
the Director may consult with appropriate representatives from
Sector Risk Management Agencies, the Office of the National
Cyber Director, cybersecurity research stakeholders, and Sector
Coordinating Councils.
``(b) Definitions.--In this section:
``(1) State.--The term `State' means any State of the
United States, the District of Columbia, the Commonwealth of
Puerto Rico, the Northern Mariana Islands, the United States
Virgin Islands, Guam, American Samoa, and any other territory
or possession of the United States.
``(2) Private entity.--The term `private entity' has the
meaning given such term in section 102 of the Cybersecurity
Information Sharing Act of 2015 (6 U.S.C. 1501).
``(c) Rule of Construction.--Nothing in this section shall be
construed to affect the authority or responsibilities of the
Administrator of the Federal Emergency Management Agency pursuant to
section 648 of the Post-Katrina Emergency Management Reform Act of 2006
(6 U.S.C. 748).''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
the Homeland Security Act of 2002 is amended by inserting after the
item relating to section 2217 the following:
``Sec. 2220A. National Cyber Exercise Program.''.