[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 824 Reported in Senate (RS)]
Calendar No. 59
118th CONGRESS
1st Session
S. 824
[Report No. 118-20]
To require the Secretary of Homeland Security to establish a national
risk management cycle, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
March 15, 2023
Ms. Hassan (for herself and Mr. Romney) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
May 9, 2023
Reported by Mr. Peters, with amendments
[Omit the part struck through and insert the part printed in italic]
_______________________________________________________________________
A BILL
To require the Secretary of Homeland Security to establish a national
risk management cycle, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``National Risk Management Act of
2023''.
SEC. 2. NATIONAL RISK MANAGEMENT CYCLE.
(a) In General.--Subtitle A of title XXII of the Homeland Security
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the
following:
``SEC. 2220F. NATIONAL RISK MANAGEMENT CYCLE.
``(a) National Critical Functions Defined.--In this section, the
term `national critical functions' means the functions of government
and the private sector so vital to the United States that their
disruption, corruption, or dysfunction would have a debilitating effect
on security, national economic security, national public health or
safety, or any combination thereof.
``(b) National Risk Management Cycle.--
``(1) Risk identification and assessment.--
``(A) In general.--The Secretary, acting through
the Director, shall establish a recurring process by
which to identify and assess risks to critical
infrastructure, considering both cyber and physical
threats and the associated likelihoods,
vulnerabilities, and consequences.
``(B) Consultation.--In establishing the process
required under subparagraph (A), the Secretary shall
consult--
``(i) Sector Risk Management Agencies;
``(ii) critical infrastructure owners and
operators;
``(iii) the Assistant to the President for
National Security Affairs;
``(iv) the Assistant to the President for
Homeland Security; and
``(v) the National Cyber Director.
``(C) Process elements.--The process established
under subparagraph (A) shall include elements to--
``(i) collect relevant information,
collected pursuant to section 2218, from Sector
Risk Management Agencies relating to the
threats, vulnerabilities, and consequences
related to the particular sectors of those
Sector Risk Management Agencies;
``(ii) allow critical infrastructure owners
and operators to submit relevant information to
the Secretary for consideration; and
``(iii) outline how the Secretary will
solicit input from other Federal departments
and agencies.
``(D) Publication.--Not later than 180 days after
the date of enactment of this section, the Secretary
shall publish in the Federal Register procedures for
the process established under subparagraph (A), subject
to any redactions the Secretary determines are
necessary to protect classified or other sensitive
information.
``(E) Report.--The Secretary shall submit to the
President, the Committee on Homeland Security and
Governmental Affairs of the Senate, and the Committee
on Homeland Security of the House of Representatives a
report on the risks identified by the process
established under subparagraph (A)--
``(i) not later than 1 year after the date
of enactment of this section; and
``(ii) not later than 1 year after the date
on which the Secretary submits a periodic
evaluation described in section 9002(b)(2) of
title XC of division H of the William M. (Mac)
Thornberry National Defense Authorization Act
for Fiscal Year 2021 (6 U.S.C. 652a(b)(2)).
``(2) National critical infrastructure resilience
strategy.--
``(A) In general.--Not later than 1 year after the
date on which the Secretary delivers each report
required under paragraph (1), the President shall
deliver to majority and minority leaders of the Senate,
the Speaker and minority leader of the House of
Representatives, the Committee on Homeland Security and
Governmental Affairs of the Senate, and the Committee
on Homeland Security of the House of Representatives a
national critical infrastructure resilience strategy
designed to address the risks identified by the
Secretary.
``(B) Elements.--Each strategy delivered under
subparagraph (A) shall--
``(i) prioritize areas of risk to critical
infrastructure that would compromise or disrupt
national critical functions impacting national
security, economic security, or public health
and safety;
``(ii) assess the implementation of the
previous national critical infrastructure
resilience strategy, as applicable;
``(iii) identify and outline current and
proposed national-level actions, programs, and
efforts, including resource requirements, to be
taken to address the risks identified;
``(iv) identify the Federal departments or
agencies responsible for leading each national-
level action, program, or effort and the
relevant critical infrastructure sectors for
each; and
``(v) request any additional authorities
necessary to successfully execute the strategy.
``(C) Form.--Each strategy delivered under
subparagraph (A) shall be unclassified, but may contain
a classified annex.
``(3) Congressional briefing.--Not later than 1 year after
the date on which the President delivers the first strategy
required under paragraph (2)(A), and each year thereafter, the
Secretary, in coordination with Sector Risk Management
Agencies, shall brief the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on
Homeland Security of the House of Representatives on--
``(A) the national risk management cycle activities
undertaken pursuant to the strategy delivered under
[struck through: subparagraph (A)] [italic: paragraph (2)(A)]; and
``(B) the amounts and timeline for funding that the
Secretary has determined would be necessary to address
risks and successfully execute the full range of
activities proposed by the strategy delivered
[struck through: subparagraph (A)] [italic: under paragraph (2)(A)].''.
(b) Technical and Conforming Amendment.--The table of contents in
section 1(b) of the Homeland Security Act of 2002 (Public Law 107-296;
116 Stat. 2135) is amended by inserting after the item relating to
section 2220E the following:
``Sec. 2220F. National risk management cycle.''.