[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 3758 Introduced in Senate (IS)]
118th CONGRESS
2d Session
S. 3758
To address security vulnerabilities with respect to unmanned aircraft
systems used by civilian Federal agencies, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
February 7, 2024
Mr. Warner (for himself and Mr. Thune) introduced the following bill;
which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To address security vulnerabilities with respect to unmanned aircraft
systems used by civilian Federal agencies, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Drone Evaluation To Eliminate Cyber
Threats Act'' or the ``DETECT Act''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Critical component.--The term ``critical component''
includes a flight controller, a radio, a data transmission
device, a camera, a gimbal, a ground control system, operating
software, network connectivity, and data storage.
(3) Director.--The term ``Director'' means the Director of
the Office of Management and Budget.
(4) Information system.--The term ``information system''
has the meaning given the term in section 3502 of title 44,
United States Code.
(5) National security system.--The term ``national security
system'' has the meaning given the term in section 3552(b) of
title 44, United States Code.
(6) Secretary.--The term ``Secretary'' means the Secretary
of Homeland Security.
(7) Security vulnerability.--The term ``security
vulnerability'' has the meaning given the term in section 2200
of the Homeland Security Act of 2002 (6 U.S.C. 650).
(8) Under secretary.--The term ``Under Secretary'' means
the Under Secretary of Commerce for Standards and Technology.
(9) Unmanned aircraft system.--The term ``unmanned aircraft
system'' has the meaning given the term in section 331 of the
FAA Modernization and Reform Act of 2012 (49 U.S.C. 44802
note).
SEC. 3. SECURITY GUIDELINES FOR FEDERAL AGENCIES ON USE AND MANAGEMENT
OF UNMANNED AIRCRAFT SYSTEMS.
(a) National Institute of Standards and Technology Development of
Standards and Guidelines for Federal Use of Unmanned Aircraft Systems
by Agencies.--
(1) In general.--Not later than 90 days after the date of
the enactment of this Act, the Under Secretary shall commence
the development of guidelines for the Federal Government on the
appropriate use and management by agencies of unmanned aircraft
systems owned or controlled by an agency and regularly
connected to or exchanging data with information systems owned
or controlled by an agency, including minimum information
security requirements for managing cybersecurity risks
associated with such devices.
(2) Publication.--Not later than 1 year after the date of
the enactment of this Act, the Under Secretary shall publish
the guidelines developed pursuant to paragraph (1) in a manner
that is consistent with section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3).
(3) Consistency with ongoing efforts.--The Under Secretary
shall ensure that the standards and guidelines developed under
paragraph (1) are consistent with the efforts of the National
Institute of Standards and Technology in effect on the date of
the enactment of this Act--
(A) regarding--
(i) examples of possible security
vulnerabilities of unmanned aircraft systems;
and
(ii) considerations for managing the
security vulnerabilities of unmanned aircraft
systems; and
(B) with respect to the following considerations
for unmanned aircraft systems:
(i) Secure Development.
(ii) Identity management.
(iii) Patch management.
(iv) Configuration management.
(v) Supply chain security.
(vi) Corporate cyber hygiene.
(vii) Software and hardware transparency.
(4) Considering relevant guidelines.--In developing the
guidelines under paragraph (1), the Under Secretary shall
consider relevant standards, guidelines, and best practices
developed by the private sector, agencies, and public-private
partnerships, including the following:
(A) National Institute of Standards and Technology
Special Publication 800-213 (relating to IoT device
cybersecurity guidance for the Federal Government).
(B) National Institute of Standards and Technology
Special Publication 800-37 (relating to risk management
framework for information systems and organizations).
(C) The Green UAS Frameworks of the Association for
Uncrewed Vehicle Systems International (AUVSI), as
amended and extended.
(D) The Cross-Sector Cybersecurity Performance
Goals of The Cybersecurity and Infrastructure Security
Agency.
(5) Consultation.--In developing the guidelines required by
paragraph (1), the Under Secretary shall consult with the
Administrator of the Federal Aviation Administration, the
Attorney General, and the heads of such other departments and
agencies of the Federal Government as the Under Secretary
considers appropriate.
(b) Review of Federal Agency Information Security Policies and
Principles.--
(1) Requirement.--
(A) In general.--Not later than 1 year after the
date on which the Under Secretary completes the
development of the guidelines required under subsection
(a), the Director shall require not less than 1 agency,
on a pilot basis, to implement policies and principles
based on the guidelines with respect to unmanned
aircraft systems owned or controlled by the agency.
(B) Exception.--A pilot implementation under
subparagraph (A) shall not apply to any unmanned
aircraft system comprised of any national security
system.
(2) Policies and principles.--Not later than 1 year after
the conclusion of the pilot implementation under paragraph
(1)(A), the Director shall issue policies and principles
necessary to ensure that the policies and principles of each
agency relating to the cybersecurity of unmanned aircraft
systems are consistent with the guidelines developed under
subsection (a).
(3) National security systems.--Any policy or principle
issued by the Director under paragraph (2) shall not apply to
national security systems.
(c) Quinquennial Review and Revision.--
(1) Review and revision of nist guidelines.--Not later than
5 years after the date on which the Under Secretary publishes
the guidelines under subsection (a), and not less frequently
than once every 5 years thereafter, the Under Secretary
shall--
(A) review such guidelines; and
(B) revise such guidelines as the Under Secretary
considers appropriate.
(2) Updated omb policies and principles for federal
agencies.--Not later than 180 days after the Under Secretary
makes a revision pursuant to paragraph (1), the Director, in
consultation with the Director of the Cybersecurity and
Infrastructure Security Agency of the Department of Homeland
Security, shall update any policy or principle issued under
subsection (b)(1) as necessary to ensure those policies and
principles are consistent with the review and any revision
under paragraph (1) under this subsection and paragraphs (2)
and (3) of subsection (b).
(d) Revision of Federal Acquisition Regulation.--The Federal
Acquisition Regulation shall be revised as necessary to implement any
standards and guidelines promulgated in this section.
SEC. 4. GUIDELINES ON THE DISCLOSURE PROCESS FOR SECURITY
VULNERABILITIES RELATING TO UNMANNED AIRCRAFT SYSTEMS.
(a) In General.--
(1) Guidance.--The Director shall issue guidance to
agencies that includes--
(A) requirements for the reporting, coordinating,
and receiving of information about--
(i) a security vulnerability relating to an
unmanned aircraft system owned or controlled by
an agency; and
(ii) the resolution of a security
vulnerability described in clause (i); and
(B) requirements relating to the scope of
vulnerabilities required to be reported under
subparagraph (A), such as the minimum severity of a
vulnerability required to be reported or whether
vulnerabilities that are publicly disclosed are
required to be reported.
(2) Contractor compliance with coordinated disclosure of
security vulnerabilities relating to agency unmanned aircraft
systems.--Subject to the guidance issued under paragraph (1), a
contractor or awardee of an agency shall report to the agency
and the Director of the Cybersecurity and Infrastructure
Security Agency if--
(A) a critical component of any unmanned aircraft
system operated, managed, or maintained by the
contractor or awardee contains a security
vulnerability, including a supply chain compromise or
an identified software or hardware vulnerability, for
which there is reliable evidence of attempted or
successful exploitation by an actor without the
authorization of the owner of the unmanned aircraft
system; or
(B) the contractor or awardee has a reasonable
basis to suspect or conclude that a critical component
of any unmanned aircraft system operated, managed, or
maintained on behalf of an agency by the contractor or
awardee contains a security vulnerability, including a
supply chain compromise or an identified software or
hardware vulnerability, that has been reported to the
contractor or awardee by a third party, including
through a vulnerability disclosure program.
(b) Regulations; Modifications.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act--
(A) the Federal Acquisition Regulatory Council
shall promulgate regulations, as appropriate, relating
to the responsibilities of contractors and recipients
of other transaction agreements and cooperative
agreements to comply with subsection (a)(2); and
(B) the Office of Federal Financial Management
shall promulgate regulations under title 2, Code of
Federal Regulations, as appropriate, relating to the
responsibilities of grantees to comply with subsection
(a)(2).
(2) Implementation.--Not later than 1 year after the date
on which the Federal Acquisition Regulatory Council and the
Office of Federal Financial Management promulgate regulations
under paragraph (1), the head of each agency shall implement
policies and procedures, as appropriate, necessary to implement
those regulations.
(c) Responsibilities of CISA.--The Director of the Cybersecurity
and Infrastructure Security Agency shall--
(1) provide support to agencies with respect to the
implementation of the requirements of this section;
(2) develop tools, processes, and other mechanisms
determined appropriate to offer agencies capabilities to
implement the requirements of this section; and
(3) upon request by an agency, assist the agency in the
disclosure to vendors of newly identified security
vulnerabilities in vendor products and services.
SEC. 5. CONTRACTOR COMPLIANCE WITH COORDINATED DISCLOSURE OF SECURITY
VULNERABILITIES RELATING TO AGENCY UNMANNED AIRCRAFT
SYSTEMS.
(a) Prohibition on Procurement and Use.--
(1) In general.--Subject to paragraph (2), the head of an
agency may not procure or obtain, renew a contract to procure
or obtain, or use an unmanned aircraft system if the Chief
Information Officer of the agency determines, in conducting the
review required under section 11319(b)(1)(C) of title 40,
United States Code, of the contract for the unmanned aircraft
system, that the use of the unmanned aircraft system prevents
compliance with the standards and guidelines developed under
section 3(a)(1) of this Act or the guidelines issued under
section 4(a)(1) of this Act with respect to the unmanned
aircraft system.
(2) Exemption for commercial data buys.--Paragraph (1)
shall not apply when the head of an agency acquires data--
(A) solely from a commercial or nonprofit entity,
the contract or agreement for which does not specify
the type of unmanned aircraft system or the
specifications for the unmanned aircraft system;
(B) that will never connect to any network of the
Federal Government; and
(C) over which the head of the agency will not have
operational direction or control.
(3) Simplified acquisition threshold.--Notwithstanding
section 1905 of title 41, United States Code, the requirements
under paragraph (1) shall apply to a contract or subcontract in
amounts not greater than the simplified acquisition threshold.
(b) Waiver.--
(1) Authority.--The head of an agency may waive the
prohibition under subsection (a)(1) with respect to an unmanned
aircraft system if the Chief Information Officer of that agency
determines that--
(A) the waiver is necessary in the interest of
national security;
(B) procuring, obtaining, or using the unmanned
aircraft system is necessary for research, testing,
evaluation, or training purposes; or
(C) the unmanned aircraft system is used--
(i) in a manner that does not implicate
agency operational or cybersecurity concerns;
or
(ii) in other circumstances in which the
head of the agency determines the risks are
minimal or acceptable.
(2) Agency process.--The Director shall establish a
standardized process for the Chief Information Officer of each
agency to follow in determining whether the waiver under
paragraph (1) may be granted.
(c) Reports to Congress.--
(1) Report.--Not later than 2 years after the date of
enactment of this Act, and every 2 years thereafter until the
date that is 6 years after the date of enactment of this Act,
the Comptroller General of the United States, in consultation
with the heads of other Federal agencies as appropriate, shall
submit to the Committee on Homeland Security and Governmental
Affairs of the Senate, the Committee on Oversight and
Accountability of the House of Representatives, and the
Committee on Homeland Security of the House of Representatives
a report--
(A) on the effectiveness of the process established
under subsection (b)(2);
(B) that contains recommended best practices for
the procurement of unmanned aircraft systems; and
(C) that lists--
(i) the number and type of each unmanned
aircraft system for which a waiver under
subsection (b)(1) was granted during the 2-year
period prior to the submission of the report;
and
(ii) the legal authority under which each
such waiver was granted, such as whether the
waiver was granted pursuant to subparagraph
(A), (B), or (C) of subsection (b).
(2) Classification of report.--Each report submitted under
this subsection shall be submitted in unclassified form, but
may include--
(A) a classified annex that contains the
information described in paragraph (1)(C); and
(B) a committee-use only annex that contains
information described in paragraph (1)(C) that is law
enforcement sensitive.
(d) Effective Date.--The prohibition under subsection (a)(1) shall
take effect on the date that is 2 years after the date of enactment of
this Act.
SEC. 6. GOVERNMENT ACCOUNTABILITY OFFICE REPORT ON CYBERSECURITY
CONSIDERATIONS OF UNMANNED AIRCRAFT SYSTEMS.
(a) Briefing.--Not later than 1 year after the date of enactment of
this Act, the Comptroller General of the United States shall provide a
briefing to the Committee on Homeland Security and Governmental Affairs
of the Senate, the Committee on Oversight and Accountability of the
House of Representatives, and the Committee on Homeland Security of the
House of Representatives on broader unmanned aircraft system
cybersecurity efforts.
(b) Report.--Not later than 2 years after the date of enactment of
this Act, the Comptroller General of the United States shall submit to
the Committee on Homeland Security and Governmental Affairs of the
Senate, the Committee on Oversight and Accountability of the House of
Representatives, and the Committee on Homeland Security of the House of
Representatives a report on broader unmanned aircraft system
cybersecurity efforts addressed in the briefing required under
subsection (a).