[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 3511 Reported in Senate (RS)]
<DOC>
Calendar No. 428
117th CONGRESS
2d Session
S. 3511
[Report No. 117-122]
To require a report on Federal support to the cybersecurity of
commercial satellite systems, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
January 13 (legislative day, January 10), 2022
Mr. Peters (for himself and Mr. Cornyn) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
June 21, 2022
Reported by Mr. Peters, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To require a report on Federal support to the cybersecurity of
commercial satellite systems, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Satellite Cybersecurity
Act''.</DELETED>
<DELETED>SEC. 2. DEFINITIONS.</DELETED>
<DELETED> In this Act:</DELETED>
<DELETED> (1) Commercial satellite system.--The term
``commercial satellite system'' means an earth satellite owned
and operated by a non-Federal entity.</DELETED>
<DELETED> (2) Critical infrastructure.--The term ``critical
infrastructure'' has the meaning given the term in subsection
(e) of the Critical Infrastructure Protection Act of 2001 (42
U.S.C. 5195c(e)).</DELETED>
<DELETED> (3) Cybersecurity risk.--The term ``cybersecurity
risk'' has the meaning given the term in section 2209 of the
Homeland Security Act of 2002 (6 U.S.C. 659).</DELETED>
<DELETED> (4) Cybersecurity threat.--The term
``cybersecurity threat'' has the meaning given the term in
section 102 of the Cybersecurity Information Sharing Act of
2015 (6 U.S.C. 1501).</DELETED>
<DELETED>SEC. 3. REPORT ON COMMERCIAL SATELLITE
CYBERSECURITY.</DELETED>
<DELETED> (a) Study.--The Comptroller General of the United States
shall conduct a study on the actions the Federal Government has taken
to support the cybersecurity of commercial satellite systems, including
as part of any action to address the cybersecurity of critical
infrastructure sectors.</DELETED>
<DELETED> (b) Report.--Not later than 1 year after the date of
enactment of this Act, the Comptroller General of the United States
shall report to Congress on the study conducted under subsection (a),
which shall include information on--</DELETED>
<DELETED> (1) the effectiveness of efforts of the Federal
Government in improving the cybersecurity of commercial
satellite systems;</DELETED>
<DELETED> (2) the resources made available to the public by
Federal agencies to address cybersecurity threats to commercial
satellite systems;</DELETED>
<DELETED> (3) the extent to which commercial satellite
systems are reliant on or are relied on by critical
infrastructure and an analysis of how commercial satellite
systems, and the threats to such systems, are integrated into
Federal and non-Federal critical infrastructure risk analyses
and protection plans;</DELETED>
<DELETED> (4) the extent to which Federal agencies are
reliant on commercial satellite systems and how Federal
agencies mitigate cybersecurity risks associated with those
systems; and</DELETED>
<DELETED> (5) the extent to which Federal agencies
coordinate or duplicate authorities and take other actions
focused on the cybersecurity of commercial satellite
systems.</DELETED>
<DELETED> (c) Consultation.--In carrying out subsections (a) and
(b), the Comptroller General of the United States shall coordinate
with--</DELETED>
<DELETED> (1) the Secretary of Homeland Security;</DELETED>
<DELETED> (2) the Director of the National Institute of
Standards and Technology;</DELETED>
<DELETED> (3) the Secretary of Defense;</DELETED>
<DELETED> (4) the Federal Communications
Commission;</DELETED>
<DELETED> (5) the National Oceanic and Atmospheric
Administration;</DELETED>
<DELETED> (6) the National Aeronautics and Space
Administration;</DELETED>
<DELETED> (7) the Federal Aviation Administration;
and</DELETED>
<DELETED> (8) the head of any other Federal agency
determined appropriate by the Comptroller General of the United
States.</DELETED>
<DELETED>SEC. 4. RESPONSIBILITIES OF THE CYBERSECURITY AND
INFRASTRUCTURE SECURITY AGENCY.</DELETED>
<DELETED> (a) Definitions.--In this section:</DELETED>
<DELETED> (1) Clearinghouse.--The term ``clearinghouse''
means the commercial satellite system cybersecurity
clearinghouse required to be developed and maintained under
subsection (b)(1).</DELETED>
<DELETED> (2) Director.--The term ``Director'' means the
Director of the Cybersecurity and Infrastructure Security
Agency.</DELETED>
<DELETED> (3) Small business concern.--The term ``small
business concern'' has the meaning given the term in section 3
of the Small Business Act (15 U.S.C. 632).</DELETED>
<DELETED> (b) Establishment of Commercial Satellite System
Cybersecurity Clearinghouse.--</DELETED>
<DELETED> (1) In general.--Not later than 180 days after the
date of enactment of this Act, the Director shall develop and
maintain a commercial satellite system cybersecurity
clearinghouse.</DELETED>
<DELETED> (2) Requirements.--The clearinghouse shall--
</DELETED>
<DELETED> (A) be publicly available
online;</DELETED>
<DELETED> (B) contain publicly available commercial
satellite system cybersecurity resources, including the
recommendations developed under subsection (c), and any
other materials developed by entities in the Federal
Government, for reference by entities that develop
commercial satellite systems; and</DELETED>
<DELETED> (C) include materials specifically aimed
at assisting small business concerns with the secure
development, operation, and maintenance of commercial
satellite systems.</DELETED>
<DELETED> (3) Content maintenance.--The Director shall
maintain current and relevant cybersecurity information on the
clearinghouse.</DELETED>
<DELETED> (4) Existing platform or website.--The Director
may establish and maintain the clearinghouse on an online
platform or a website that is in existence as of the date of
enactment of this Act.</DELETED>
<DELETED> (c) Development of Commercial Satellite System
Cybersecurity Recommendations.--</DELETED>
<DELETED> (1) In general.--The Director shall develop
voluntary cybersecurity recommendations designed to assist in
the development, maintenance, and operation of commercial
satellite systems.</DELETED>
<DELETED> (2) Requirements.--The recommendations required
under paragraph (1) shall include materials addressing the
following:</DELETED>
<DELETED> (A) Risk-based, cybersecurity-informed
engineering, including continuous monitoring and
resiliency.</DELETED>
<DELETED> (B) Planning for retention or recovery of
positive control of commercial satellite systems in the
event of a cybersecurity incident.</DELETED>
<DELETED> (C) Protection against unauthorized access
to vital commercial satellite system
functions.</DELETED>
<DELETED> (D) Physical protection measures designed
to reduce the vulnerabilities of a commercial satellite
system's command, control, and telemetry receiver
systems.</DELETED>
<DELETED> (E) Protection against communications
jamming and spoofing.</DELETED>
<DELETED> (F) Security against threats throughout a
commercial satellite system's mission
lifetime.</DELETED>
<DELETED> (G) Management of supply chain risks that
affect cybersecurity of commercial satellite
systems.</DELETED>
<DELETED> (H) As appropriate, the findings and
recommendations from the study conducted by the
Comptroller General of the United States under section
3(a).</DELETED>
<DELETED> (I) Any other recommendations to ensure
the confidentiality, availability, and integrity of
data residing on or in transit through commercial
satellite systems.</DELETED>
<DELETED> (d) Consultation.--With respect to the collation and
development of clearinghouse content under subsection (b)(2) and the
recommendations developed pursuant to subsection (c), the Director
shall consult with--</DELETED>
<DELETED> (1) the heads of appropriate Federal agencies with
expertise and experience in satellite operations; and</DELETED>
<DELETED> (2) non-Federal entities developing commercial
satellite systems or otherwise supporting the cybersecurity of
commercial satellite systems.</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Satellite Cybersecurity Act''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Commercial satellite system.--The term ``commercial
satellite system'' means an earth satellite owned and operated
by a non-Federal entity.
(2) Critical infrastructure.--The term ``critical
infrastructure'' has the meaning given the term in subsection
(e) of the Critical Infrastructure Protection Act of 2001 (42
U.S.C. 5195c(e)).
(3) Cybersecurity risk.--The term ``cybersecurity risk''
has the meaning given the term in section 2209 of the Homeland
Security Act of 2002 (6 U.S.C. 659).
(4) Cybersecurity threat.--The term ``cybersecurity
threat'' has the meaning given the term in section 102 of the
Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
SEC. 3. REPORT ON COMMERCIAL SATELLITE CYBERSECURITY.
(a) Study.--The Comptroller General of the United States shall
conduct a study on the actions the Federal Government has taken to
support the cybersecurity of commercial satellite systems, including as
part of any action to address the cybersecurity of critical
infrastructure sectors.
(b) Report.--Not later than 2 years after the date of enactment of
this Act, the Comptroller General of the United States shall report to
Congress on the study conducted under subsection (a), which shall
include information on--
(1) the effectiveness of efforts of the Federal Government
in improving the cybersecurity of commercial satellite systems;
(2) the resources made available to the public, as of the
date of enactment of this Act, by Federal agencies to address
cybersecurity risks and threats to commercial satellite
systems;
(3) the extent to which commercial satellite systems are
reliant on or are relied on by critical infrastructure and an
analysis of how commercial satellite systems, and the threats
to such systems, are integrated into Federal and non-Federal
critical infrastructure risk analyses and protection plans;
(4) the extent to which Federal agencies are reliant on
commercial satellite systems and how Federal agencies mitigate
cybersecurity risks associated with those systems;
(5) the extent to which Federal agencies are reliant on
commercial satellite systems owned wholly or in part or
controlled by foreign entities, and how Federal agencies
mitigate associated cybersecurity risks;
(6) the extent to which Federal agencies are reliant on
commercial satellite systems with physical structures, such as
satellite ground control systems, in foreign countries, and how
Federal agencies mitigate associated cybersecurity risks; and
(7) the extent to which Federal agencies coordinate or
duplicate authorities and take other actions focused on the
cybersecurity of commercial satellite systems.
(c) Consultation.--In carrying out subsections (a) and (b), the
Comptroller General of the United States shall coordinate with
appropriate Federal agencies, including--
(1) the Department of Homeland Security;
(2) the Department of Commerce;
(3) the Department of Defense;
(4) the Department of Transportation;
(5) the Federal Communications Commission;
(6) the National Aeronautics and Space Administration; and
(7) the National Executive Committee for Space-Based
Positioning, Navigation, and Timing.
(d) Briefing.--Not later than 1 year after the date of enactment of
this Act, the Comptroller General of the United States shall provide a
briefing to the appropriate congressional committees.
(e) Classification.--The report made under subsection (b) shall be
unclassified but may include a classified annex.
SEC. 4. RESPONSIBILITIES OF THE CYBERSECURITY AND INFRASTRUCTURE
SECURITY AGENCY.
(a) Definitions.--In this section:
(1) Clearinghouse.--The term ``clearinghouse'' means the
commercial satellite system cybersecurity clearinghouse
required to be developed and maintained under subsection
(b)(1).
(2) Director.--The term ``Director'' means the Director of
the Cybersecurity and Infrastructure Security Agency.
(3) Small business concern.--The term ``small business
concern'' has the meaning given the term in section 3 of the
Small Business Act (15 U.S.C. 632).
(b) Establishment of Commercial Satellite System Cybersecurity
Clearinghouse.--
(1) In general.--Not later than 180 days after the date of
enactment of this Act, the Director shall develop and maintain
a commercial satellite system cybersecurity clearinghouse.
(2) Requirements.--The clearinghouse shall--
(A) be publicly available online;
(B) contain publicly available commercial satellite
system cybersecurity resources, including the
recommendations consolidated under subsection (c)(1),
and any other appropriate materials for reference by
entities that develop commercial satellite systems; and
(C) include materials specifically aimed at
assisting small business concerns with the secure
development, operation, and maintenance of commercial
satellite systems.
(3) Content maintenance.--The Director shall maintain
current and relevant cybersecurity information on the
clearinghouse.
(4) Existing platform or website.--The Director may
establish and maintain the clearinghouse on an online platform
or a website that is in existence as of the date of enactment
of this Act.
(c) Consolidation of Commercial Satellite System Cybersecurity
Recommendations.--
(1) In general.--The Director shall consolidate voluntary
cybersecurity recommendations designed to assist in the
development, maintenance, and operation of commercial satellite
systems.
(2) Requirements.--The recommendations consolidated under
paragraph (1) shall include, to the greatest extent
practicable, materials addressing the following:
(A) Risk-based, cybersecurity-informed engineering,
including continuous monitoring and resiliency.
(B) Planning for retention or recovery of positive
control of commercial satellite systems in the event of
a cybersecurity incident.
(C) Protection against unauthorized access to vital
commercial satellite system functions.
(D) Physical protection measures designed to reduce
the vulnerabilities of a commercial satellite system's
command, control, and telemetry receiver systems.
(E) Protection against jamming and spoofing.
(F) Security against threats throughout a
commercial satellite system's mission lifetime.
(G) Management of supply chain risks that affect
the cybersecurity of commercial satellite systems.
(H) Protection against vulnerabilities posed by
ownership of commercial satellite systems or commercial
satellite system companies by foreign entities.
(I) Protection against vulnerabilities posed by
locating physical infrastructure, such as satellite
ground control systems, in foreign countries.
(J) As appropriate, and as applicable pursuant to
the maintenance requirement under subsection (b)(3),
the findings and recommendations from the study
conducted by the Comptroller General of the United
States under section 3(a).
(K) Any other recommendations to ensure the
confidentiality, availability, and integrity of data
residing on or in transit through commercial satellite
systems.
(d) Implementation.--In implementing this Act, the Director shall--
(1) to the extent practicable, carry out the implementation
as a public-private partnership;
(2) coordinate with the heads of appropriate Federal
agencies with expertise and experience in satellite operations,
including the entities described in section 3(c); and
(3) consult with non-Federal entities developing commercial
satellite systems or otherwise supporting the cybersecurity of
commercial satellite systems, including private, consensus
organizations that develop relevant standards.