[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5439 Introduced in House (IH)]
118th CONGRESS
1st Session
H. R. 5439
To amend the Homeland Security Act of 2002 to require the Secretary of
Homeland Security to establish a national risk management process, and
for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
September 13, 2023
Mr. Gallagher (for himself and Ms. Spanberger) introduced the following
bill; which was referred to the Committee on Homeland Security
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to require the Secretary of
Homeland Security to establish a national risk management process, and
for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``National Risk Management Act of
2023''.
SEC. 2. NATIONAL RISK MANAGEMENT PROCESS.
(a) In General.--Subtitle A of title XXII of the Homeland Security
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the
following new section:
``SEC. 2220F. NATIONAL RISK MANAGEMENT PROCESS.
``(a) National Critical Functions Defined.--In this section, the
term `national critical functions' means the functions of government
and the private sector so vital to the United States that their
disruption, corruption, or dysfunction would have a debilitating effect
on security, national economic security, national public health or
safety, or any combination thereof.
``(b) National Risk Management Process.--
``(1) Risk identification and assessment.--
``(A) In general.--The Secretary, acting through
the Director, shall establish a recurring process to
identify and assess risks to critical infrastructure,
considering both cybersecurity threats and physical
threats, the associated likelihoods of such threats,
vulnerabilities within systems rendering such systems
susceptible to such threats, and consequences of such
threats to critical functions.
``(B) Consultation.--In establishing the process
required under subparagraph (A), the Secretary shall
consult the following:
``(i) Sector Risk Management Agencies.
``(ii) Critical infrastructure owners and
operators.
``(iii) The Assistant to the President for
National Security Affairs.
``(iv) The Assistant to the President for
Homeland Security.
``(v) The National Cyber Director.
``(C) Process elements.--The process established
under subparagraph (A) shall include elements to--
``(i) collect relevant information,
collected pursuant to section 2218, from Sector
Risk Management Agencies relating to the
threats, vulnerabilities, and consequences
related to the particular sectors of those
Sector Risk Management Agencies;
``(ii) allow critical infrastructure owners
and operators to submit relevant information to
the Secretary for consideration; and
``(iii) outline how the Secretary will
solicit input from other Federal departments
and agencies.
``(D) Publication.--Not later than 180 days after
the date of the enactment of this section, the
Secretary shall publish in the Federal Register
procedures for the process established under
subparagraph (A).
``(E) Reports.--The Secretary shall submit to the
President, the Committee on Homeland Security and
Governmental Affairs of the Senate, and the Committee
on Homeland Security of the House of Representatives a
report on the risks from cybersecurity threats and
physical threats identified by the process established
under subparagraph (A)--
``(i) not later than one year after the
date of the enactment of this section; and
``(ii) not later than one year after the
date on which the Secretary submits a periodic
evaluation described in section 9002(b)(2) of
title XC of division H of the William M. (Mac)
Thornberry National Defense Authorization Act
for Fiscal Year 2021 (6 U.S.C. 652a(b)(2)).
``(2) National critical infrastructure resilience
strategy.--
``(A) In general.--Not later than one year after
the date on which the Secretary submits each report
required under paragraph (1), the President shall
transmit to the majority and minority leaders of the
Senate, the Speaker and minority leader of the House of
Representatives, the Committee on Homeland Security and
Governmental Affairs of the Senate, and the Committee
on Homeland Security of the House of Representatives a
national critical infrastructure resilience strategy to
address the risks identified by the Secretary.
``(B) Elements.--Each strategy under subparagraph
(A) shall--
``(i) prioritize areas of risk to critical
infrastructure that would compromise or disrupt
national critical functions impacting national
security, economic security, or public health
and safety;
``(ii) assess the implementation of the
previous national critical infrastructure
resilience strategy, as applicable;
``(iii) identify and outline current and
proposed national-level actions, programs, and
efforts, including resource requirements, to be
taken to address the risks identified;
``(iv) identify the Federal departments or
agencies responsible for leading each
national-level action, program, or effort, and
the relevant critical infrastructure sectors
for each; and
``(v) request any additional authorities
necessary to successfully execute the strategy.
``(C) Form.--Each strategy under subparagraph (A)
shall be unclassified but may contain a classified
annex.
``(3) Congressional briefing.--Not later than one year
after the date on which the President transmits the first
strategy required under paragraph (2)(A) and each year
thereafter, the Secretary, in coordination with Sector Risk
Management Agencies, shall brief the Committee on Homeland
Security and Governmental Affairs of the Senate and the
Committee on Homeland Security of the House of Representatives
on--
``(A) the national risk management process
activities undertaken pursuant to the strategy
transmitted in accordance with paragraph (2)(A); and
``(B) the amounts and timeline for funding that the
Secretary has determined would be necessary to address
risks of cybersecurity threats and physical threats and
successfully execute the full range of activities
proposed by such strategy.''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
the Homeland Security Act of 2002 is amended by inserting after the
item relating to section 2220E the following new item:
``Sec. 2220F. National risk management process.''.