[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3166 Introduced in House (IH)]
<DOC>
118th CONGRESS
1st Session
H. R. 3166
To require the Cybersecurity and Infrastructure Security Agency of the
Department of Homeland Security to submit a report on the impact of the
SolarWinds cyber incident on information systems owned and operated by
Federal departments and agencies and other critical infrastructure, and
for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
May 9, 2023
Mr. Torres of New York introduced the following bill; which was
referred to the Committee on Homeland Security, and in addition to the
Committee on Oversight and Accountability, for a period to be
subsequently determined by the Speaker, in each case for consideration
of such provisions as fall within the jurisdiction of the committee
concerned
_______________________________________________________________________
A BILL
To require the Cybersecurity and Infrastructure Security Agency of the
Department of Homeland Security to submit a report on the impact of the
SolarWinds cyber incident on information systems owned and operated by
Federal departments and agencies and other critical infrastructure, and
for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Building Cyber Resilience After
SolarWinds Act of 2023''.
SEC. 2. BUILDING CYBER RESILIENCE AFTER SOLARWINDS.
(a) Definitions.--In this section:
(1) Critical infrastructure.--The term ``critical
infrastructure'' has the meaning given such term in section
1016(e) of Public Law 107-56 (42 U.S.C. 5195c(e)).
(2) Director.--The term ``Director'' means the Director of
the Cybersecurity and Infrastructure Security Agency.
(3) Information system.--The term ``information system''
has the meaning given such term in section 2200 of the Homeland
Security Act of 2002 (6 U.S.C. 650).
(4) Significant cyber incident.--The term ``significant
cyber incident'' has the meaning given such term in section
2240 of the Homeland Security Act of 2002 (6 U.S.C. 681).
(5) Solarwinds incident.--The term ``SolarWinds incident''
refers to the significant cyber incident that prompted the
establishment of a Unified Cyber Coordination Group, as
provided by section V(B)(2) of Presidential Policy Directive
41, in December 2020.
(b) SolarWinds Investigation and Report.--
(1) Investigation.--The Director, in consultation with the
National Cyber Director and the heads of other relevant Federal
departments and agencies, shall carry out an investigation to
evaluate the impact of the SolarWinds incident on information
systems owned and operated by Federal departments and agencies,
and, to the extent practicable, other critical infrastructure.
(2) Elements.--In carrying out subsection (b), the Director
shall review the following:
(A) The extent to which Federal information systems
were accessed, compromised, or otherwise impacted by
the SolarWinds incident, and any potential ongoing
security concerns or consequences arising from such
incident.
(B) The extent to which information systems that
support other critical infrastructure were accessed,
compromised, or otherwise impacted by the SolarWinds
incident, where such information is available to the
Director.
(C) Any ongoing security concerns or consequences
arising from the SolarWinds incident, including any
sensitive information that may have been accessed or
exploited in a manner that poses a threat to national
security.
(D) Implementation of Executive Order 14028
(Improving the Nation's Cybersecurity (May 12, 2021)).
(E) Efforts taken by the Director, the heads of
Federal departments and agencies, and critical
infrastructure owners and operators to address
cybersecurity vulnerabilities and mitigate risks
associated with the SolarWinds incident.
(c) Report.--Not later than 120 days after the date of the
enactment of this Act, the Director shall submit to the Committee on
Homeland Security of the House of Representatives and Committee on
Homeland Security and Governmental Affairs of the Senate a report that
includes the following:
(1) Findings for each of the elements specified in
subsection (b).
(2) Recommendations to address security gaps, improve
incident response efforts, and prevent similar cyber incidents.
(3) Any areas with respect to which the Director lacked the
information necessary to fully review and assessment such
elements, the reason the information necessary was unavailable,
and recommendations to close such informational gaps.
(d) GAO Report on Cyber Safety Review Board.--Not later than one
year after the date of the enactment of this Act, the Comptroller
General of the United States shall evaluate the activities of the Cyber
Safety Review Board established pursuant to Executive Order 14028
(Improving the Nation's Cybersecurity (May 12, 2021)), with a focus on
the Board's inaugural review announced in February 2022, and assess
whether the Board has the authorities, resources, and expertise
necessary to carry out its mission of reviewing and assessing
significant cyber incidents.
<all>