[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 885 Reported in Senate (RS)]
<DOC>
Calendar No. 204
118th CONGRESS
1st Session
S. 885
[Report No. 118-96]
To establish a Civilian Cybersecurity Reserve in the Department of
Homeland Security as a pilot project to address the cybersecurity needs
of the United States with respect to national security, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
March 21, 2023
Ms. Rosen (for herself and Mrs. Blackburn) introduced the following
bill; which was read twice and referred to the Committee on Homeland
Security and Governmental Affairs
September 11, 2023
Reported by Mr. Peters, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To establish a Civilian Cybersecurity Reserve in the Department of
Homeland Security as a pilot project to address the cybersecurity needs
of the United States with respect to national security, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Department of Homeland
Security Civilian Cybersecurity Reserve Act''.</DELETED>
<DELETED>SEC. 2. CIVILIAN CYBERSECURITY RESERVE PILOT
PROJECT.</DELETED>
<DELETED> (a) Definitions.--In this section:</DELETED>
<DELETED> (1) Agency.--The term ``Agency'' means the
Cybersecurity and Infrastructure Security Agency.</DELETED>
<DELETED> (2) Appropriate congressional committees.--The
term ``appropriate congressional committees'' means--</DELETED>
<DELETED> (A) the Committee on Homeland Security and
Governmental Affairs of the Senate;</DELETED>
<DELETED> (B) the Committee on Appropriations of the
Senate;</DELETED>
<DELETED> (C) the Committee on Homeland Security of
the House of Representatives;</DELETED>
<DELETED> (D) the Committee on Oversight and
Accountability of the House of Representatives;
and</DELETED>
<DELETED> (E) the Committee on Appropriations of the
House of Representatives.</DELETED>
<DELETED> (3) Competitive service.--The term ``competitive
service'' has the meaning given the term in section 2102 of
title 5, United States Code.</DELETED>
<DELETED> (4) Director.--The term ``Director'' means the
Director of the Agency.</DELETED>
<DELETED> (5) Excepted service.--The term ``excepted
service'' has the meaning given the term in section 2103 of
title 5, United States Code.</DELETED>
<DELETED> (6) Significant incident.--The term ``significant
incident''--</DELETED>
<DELETED> (A) means an incident or a group of
related incidents that results, or is likely to result,
in demonstrable harm to--</DELETED>
<DELETED> (i) the national security
interests, foreign relations, or economy of the
United States; or</DELETED>
<DELETED> (ii) the public confidence, civil
liberties, or public health and safety of the
people of the United States; and</DELETED>
<DELETED> (B) does not include an incident or a
portion of a group of related incidents that occurs
on--</DELETED>
<DELETED> (i) a national security system, as
defined in section 3552 of title 44, United
States Code; or</DELETED>
<DELETED> (ii) an information system
described in paragraph (2) or (3) of section
3553(e) of title 44, United States
Code.</DELETED>
<DELETED> (7) Temporary position.--The term ``temporary
position'' means a position in the competitive or excepted
service for a period of 6 months or less.</DELETED>
<DELETED> (8) Uniformed services.--The term ``uniformed
services'' has the meaning given the term in section 2101 of
title 5, United States Code.</DELETED>
<DELETED> (b) Pilot Project.--</DELETED>
<DELETED> (1) In general.--The Director may carry out a
pilot project to establish a Civilian Cybersecurity Reserve at
the Agency.</DELETED>
<DELETED> (2) Purpose.--The purpose of a Civilian
Cybersecurity Reserve is to enable the Agency to effectively
respond to significant incidents.</DELETED>
<DELETED> (3) Alternative methods.--Consistent with section
4703 of title 5, United States Code, in carrying out a pilot
project authorized under paragraph (1), the Director may,
without further authorization from the Office of Personnel
Management, provide for alternative methods of--</DELETED>
<DELETED> (A) establishing qualifications
requirements for, recruitment of, and appointment to
positions; and</DELETED>
<DELETED> (B) classifying positions.</DELETED>
<DELETED> (4) Appointments.--Under the pilot project
authorized under paragraph (1), upon occurrence of a
significant incident, the Director--</DELETED>
<DELETED> (A) may activate members of the Civilian
Cybersecurity Reserve by--</DELETED>
<DELETED> (i) noncompetitively appointing
members of the Civilian Cybersecurity Reserve
to temporary positions in the competitive
service; or</DELETED>
<DELETED> (ii) appointing members of the
Civilian Cybersecurity Reserve to temporary
positions in the excepted service;</DELETED>
<DELETED> (B) shall notify Congress whenever a
member is activated under subparagraph (A);
and</DELETED>
<DELETED> (C) may appoint not more than 30 members
to the Civilian Cybersecurity Reserve under
subparagraph (A) at any time.</DELETED>
<DELETED> (5) Status as employees.--An individual appointed
under subsection (b)(4) shall be considered a Federal civil
service employee under section 2105 of title 5, United States
Code.</DELETED>
<DELETED> (6) Additional employees.--Individuals appointed
under subsection (b)(4) shall be in addition to any employees
of the Agency who provide cybersecurity services.</DELETED>
<DELETED> (7) Employment protections.--The Secretary of
Labor shall prescribe such regulations as necessary to ensure
the reemployment, continuation of benefits, and non-
discrimination in reemployment of individuals appointed under
subsection (b)(4), provided that such regulations shall
include, at a minimum, those rights and obligations set forth
under chapter 43 of title 38, United States Code.</DELETED>
<DELETED> (8) Status in reserve.--During the period
beginning on the date on which an individual is recruited by
the Agency to serve in the Civilian Cybersecurity Reserve and
ending on the date on which the individual is appointed under
subsection (b)(4), and during any period in between any such
appointments, the individual shall not be considered a Federal
employee.</DELETED>
<DELETED> (c) Eligibility; Application and Selection.--</DELETED>
<DELETED> (1) In general.--Under the pilot project
authorized under subsection (b), the Director shall establish
criteria for--</DELETED>
<DELETED> (A) individuals to be eligible for the
Civilian Cybersecurity Reserve; and</DELETED>
<DELETED> (B) the application and selection
processes for the Civilian Cybersecurity
Reserve.</DELETED>
<DELETED> (2) Requirements for individuals.--The criteria
established under paragraph (1)(A) with respect to an
individual shall include--</DELETED>
<DELETED> (A) previous employment--</DELETED>
<DELETED> (i) by the executive
branch;</DELETED>
<DELETED> (ii) within the uniformed
services;</DELETED>
<DELETED> (iii) as a Federal contractor
within the executive branch; or</DELETED>
<DELETED> (iv) by a State, local, Tribal, or
territorial government;</DELETED>
<DELETED> (B) if the individual has previously
served as a member of the Civilian Cybersecurity
Reserve of the Agency, that the previous appointment
ended not less than 60 days before the individual may
be appointed for a subsequent temporary position in the
Civilian Cybersecurity Reserve of the Agency;
and</DELETED>
<DELETED> (C) cybersecurity expertise.</DELETED>
<DELETED> (3) Prescreening.--The Agency shall--</DELETED>
<DELETED> (A) conduct a prescreening of each
individual prior to appointment under subsection (b)(4)
for any topic or product that would create a conflict
of interest; and</DELETED>
<DELETED> (B) require each individual appointed
under subsection (b)(4) to notify the Agency if a
potential conflict of interest arises during the
appointment.</DELETED>
<DELETED> (4) Agreement required.--An individual may become
a member of the Civilian Cybersecurity Reserve only if the
individual enters into an agreement with the Director to become
such a member, which shall set forth the rights and obligations
of the individual and the Agency.</DELETED>
<DELETED> (5) Exception for continuing military service
commitments.--A member of the Selected Reserve under section
10143 of title 10, United States Code, may not be a member of
the Civilian Cybersecurity Reserve.</DELETED>
<DELETED> (6) Priority.--In appointing individuals to the
Civilian Cybersecurity Reserve, the Agency shall prioritize the
appointment of individuals described in clause (i) or (ii) of
paragraph (2)(A) before considering individuals described in
clause (iii) or (iv) of paragraph (2)(A).</DELETED>
<DELETED> (7) Prohibition.--Any individual who is an
employee of the executive branch may not be recruited or
appointed to serve in the Civilian Cybersecurity
Reserve.</DELETED>
<DELETED> (d) Security Clearances.--</DELETED>
<DELETED> (1) In general.--The Director shall ensure that
all members of the Civilian Cybersecurity Reserve undergo the
appropriate personnel vetting and adjudication commensurate
with the duties of the position, including a determination of
eligibility for access to classified information where a
security clearance is necessary, according to applicable policy
and authorities.</DELETED>
<DELETED> (2) Cost of sponsoring clearances.--If a member of
the Civilian Cybersecurity Reserve requires a security
clearance in order to carry out their duties, the Agency shall
be responsible for the cost of sponsoring the security
clearance of a member of the Civilian Cybersecurity
Reserve.</DELETED>
<DELETED> (e) Study and Implementation Plan.--</DELETED>
<DELETED> (1) Study.--Not later than 60 days after the date
of enactment of this Act, the Agency shall begin a study on the
design and implementation of the pilot project authorized under
subsection (b)(1) at the Agency, including--</DELETED>
<DELETED> (A) compensation and benefits for members
of the Civilian Cybersecurity Reserve;</DELETED>
<DELETED> (B) activities that members may undertake
as part of their duties;</DELETED>
<DELETED> (C) methods for identifying and recruiting
members, including alternatives to traditional
qualifications requirements;</DELETED>
<DELETED> (D) methods for preventing conflicts of
interest or other ethical concerns as a result of
participation in the pilot project and details of
mitigation efforts to address any conflict of interest
concerns;</DELETED>
<DELETED> (E) resources, including additional
funding, needed to carry out the pilot
project;</DELETED>
<DELETED> (F) possible penalties for individuals who
do not respond to activation when called, in accordance
with the rights and procedures set forth under title 5,
Code of Federal Regulations; and</DELETED>
<DELETED> (G) processes and requirements for
training and onboarding members.</DELETED>
<DELETED> (2) Implementation plan.--Not later than 1 year
after beginning the study required under paragraph (1), the
Agency shall--</DELETED>
<DELETED> (A) submit to the appropriate
congressional committees an implementation plan for the
pilot project authorized under subsection (b)(1);
and</DELETED>
<DELETED> (B) provide to the appropriate
congressional committees a briefing on the
implementation plan.</DELETED>
<DELETED> (3) Prohibition.--The Agency may not take any
action to begin implementation of the pilot project authorized
under subsection (b)(1) until the Agency fulfills the
requirements under paragraph (2).</DELETED>
<DELETED> (f) Project Guidance.--Not later than 2 years after the
date of enactment of this Act, the Director shall, in consultation with
the Office of Personnel Management and the Office of Government Ethics,
issue guidance establishing and implementing the pilot project
authorized under subsection (b)(1) at the Agency.</DELETED>
<DELETED> (g) Briefings and Report.--</DELETED>
<DELETED> (1) Briefings.--Not later than 1 year after the
date on which the Director issues the guidance required under
subsection (f), and every year thereafter, the Agency shall
provide to the appropriate congressional committees a briefing
on activities carried out under the pilot project of the
Agency, including--</DELETED>
<DELETED> (A) participation in the Civilian
Cybersecurity Reserve, including the number of
participants, the diversity of participants, and any
barriers to recruitment or retention of
members;</DELETED>
<DELETED> (B) an evaluation of the ethical
requirements of the pilot project;</DELETED>
<DELETED> (C) whether the Civilian Cybersecurity
Reserve has been effective in providing additional
capacity to the Agency during significant incidents;
and</DELETED>
<DELETED> (D) an evaluation of the eligibility
requirements for the pilot project.</DELETED>
<DELETED> (2) Report.--Not earlier than 6 months and not
later than 3 months before the date on which the pilot project
of the Agency terminates under subsection (i), the Agency shall
submit to the appropriate congressional committees a report and
provide a briefing on recommendations relating to the pilot
project, including recommendations for--</DELETED>
<DELETED> (A) whether the pilot project should be
modified, extended in duration, or established as a
permanent program, and if so, an appropriate scope for
the program;</DELETED>
<DELETED> (B) how to attract participants, ensure a
diversity of participants, and address any barriers to
recruitment or retention of members of the Civilian
Cybersecurity Reserve;</DELETED>
<DELETED> (C) the ethical requirements of the pilot
project and the effectiveness of mitigation efforts to
address any conflict of interest concerns;
and</DELETED>
<DELETED> (D) an evaluation of the eligibility
requirements for the pilot project.</DELETED>
<DELETED> (h) Evaluation.--Not later than 3 years after the pilot
project authorized under subsection (b) is established in the Agency,
the Comptroller General of the United States shall--</DELETED>
<DELETED> (1) conduct a study evaluating the pilot project
at the Agency; and</DELETED>
<DELETED> (2) submit to Congress--</DELETED>
<DELETED> (A) a report on the results of the study;
and</DELETED>
<DELETED> (B) a recommendation with respect to
whether the pilot project should be modified, extended
in duration, or established as a permanent
program.</DELETED>
<DELETED> (i) Sunset.--The pilot project authorized under this
section shall terminate on the date that is 4 years after the date on
which the pilot project is established.</DELETED>
<DELETED> (j) No Additional Funds.--</DELETED>
<DELETED> (1) In general.--No additional funds are
authorized to be appropriated for the purpose of carrying out
this Act.</DELETED>
<DELETED> (2) Existing authorized amounts.--Funds to carry
out this Act may, as provided in advance in appropriations
Acts, only come from amounts authorized to be appropriated to
the Agency.</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Department of Homeland Security
Civilian Cybersecurity Reserve Act''.
SEC. 2. CIVILIAN CYBERSECURITY RESERVE PILOT PROJECT.
(a) Definitions.--In this section:
(1) Agency.--The term ``Agency'' means the Cybersecurity
and Infrastructure Security Agency.
(2) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Homeland Security and
Governmental Affairs of the Senate;
(B) the Committee on Appropriations of the Senate;
(C) the Committee on Homeland Security of the House
of Representatives;
(D) the Committee on Oversight and Accountability
of the House of Representatives; and
(E) the Committee on Appropriations of the House of
Representatives.
(3) Competitive service.--The term ``competitive service''
has the meaning given the term in section 2102 of title 5,
United States Code.
(4) Director.--The term ``Director'' means the Director of
the Agency.
(5) Excepted service.--The term ``excepted service'' has
the meaning given the term in section 2103 of title 5, United
States Code.
(6) Significant incident.--The term ``significant
incident''--
(A) means an incident or a group of related
incidents that results, or is likely to result, in
demonstrable harm to--
(i) the national security interests,
foreign relations, or economy of the United
States; or
(ii) the public confidence, civil
liberties, or public health and safety of the
people of the United States; and
(B) does not include an incident or a portion of a
group of related incidents that occurs on--
(i) a national security system, as defined
in section 3552 of title 44, United States
Code; or
(ii) an information system described in
paragraph (2) or (3) of section 3553(e) of
title 44, United States Code.
(7) Temporary position.--The term ``temporary position''
means a position in the competitive or excepted service for a
period of 6 months or less.
(8) Uniformed services.--The term ``uniformed services''
has the meaning given the term in section 2101 of title 5,
United States Code.
(b) Pilot Project.--
(1) In general.--The Director may carry out a pilot project
to establish a Civilian Cybersecurity Reserve at the Agency.
(2) Purpose.--The purpose of a Civilian Cybersecurity
Reserve is to enable the Agency to effectively respond to
significant incidents.
(3) Alternative methods.--Consistent with section 4703 of
title 5, United States Code, in carrying out a pilot project
authorized under paragraph (1), the Director may, without
further authorization from the Office of Personnel Management,
provide for alternative methods of--
(A) establishing qualifications requirements for,
recruitment of, and appointment to positions; and
(B) classifying positions.
(4) Appointments.--Under the pilot project authorized under
paragraph (1), upon occurrence of a significant incident, the
Director--
(A) may activate members of the Civilian
Cybersecurity Reserve by--
(i) noncompetitively appointing members of
the Civilian Cybersecurity Reserve to temporary
positions in the competitive service; or
(ii) appointing members of the Civilian
Cybersecurity Reserve to temporary positions in
the excepted service;
(B) shall notify Congress whenever a member is
activated under subparagraph (A); and
(C) may appoint not more than 30 members to
temporary positions.
(5) Status as employees.--An individual appointed under
paragraph (4) shall be considered a Federal civil service
employee under section 2105 of title 5, United States Code.
(6) Additional employees.--Individuals appointed under
paragraph (4) shall be in addition to any employees of the
Agency who provide cybersecurity services.
(7) Employment protections.--The Secretary of Labor shall
prescribe such regulations as necessary to ensure the
reemployment, continuation of benefits, and non-discrimination
in reemployment of individuals appointed under paragraph (4),
provided that such regulations shall include, at a minimum,
those rights and obligations set forth under chapter 43 of
title 38, United States Code.
(8) Status in reserve.--During the period beginning on the
date on which an individual is recruited by the Agency to serve
in the Civilian Cybersecurity Reserve and ending on the date on
which the individual is appointed under paragraph (4), and
during any period in between any such appointments, the
individual shall not be considered a Federal employee.
(c) Eligibility; Application and Selection.--
(1) In general.--Under the pilot project authorized under
subsection (b)(1), the Director shall establish criteria for--
(A) individuals to be eligible for the Civilian
Cybersecurity Reserve; and
(B) the application and selection processes for the
Civilian Cybersecurity Reserve.
(2) Requirements for individuals.--The criteria established
under paragraph (1)(A) with respect to an individual shall
include--
(A) previous employment--
(i) by the executive branch;
(ii) within the uniformed services;
(iii) as a Federal contractor within the
executive branch; or
(iv) by a State, local, Tribal, or
territorial government;
(B) if the individual has previously served as a
member of the Civilian Cybersecurity Reserve of the
Agency, that the previous appointment ended not less
than 60 days before the individual may be appointed for
a subsequent temporary position in the Civilian
Cybersecurity Reserve of the Agency; and
(C) cybersecurity expertise.
(3) Prescreening.--The Agency shall--
(A) conduct a prescreening of each individual prior
to appointment under subsection (b)(4) for any topic or
product that would create a conflict of interest; and
(B) require each individual appointed under
subsection (b)(4) to notify the Agency if a potential
conflict of interest arises during the appointment.
(4) Agreement required.--An individual may become a member
of the Civilian Cybersecurity Reserve only if the individual
enters into an agreement with the Director to become such a
member, which shall set forth the rights and obligations of the
individual and the Agency.
(5) Exception for continuing military service
commitments.--A member of the Selected Reserve under section
10143 of title 10, United States Code, may not be a member of
the Civilian Cybersecurity Reserve.
(6) Priority.--In appointing individuals to the Civilian
Cybersecurity Reserve, the Agency shall prioritize the
appointment of individuals described in clause (i) or (ii) of
paragraph (2)(A) before considering individuals described in
clause (iii) or (iv) of paragraph (2)(A).
(7) Prohibition.--Any individual who is an employee (as
defined in section 2105 of title 5, United States Code) of the
executive branch may not be recruited or appointed to serve in
the Civilian Cybersecurity Reserve.
(d) Security Clearances.--
(1) In general.--The Director shall ensure that all members
of the Civilian Cybersecurity Reserve undergo the appropriate
personnel vetting and adjudication commensurate with the duties
of the position, including a determination of eligibility for
access to classified information where a security clearance is
necessary, according to applicable policy and authorities.
(2) Cost of sponsoring clearances.--If a member of the
Civilian Cybersecurity Reserve requires a security clearance in
order to carry out their duties, the Agency shall be
responsible for the cost of sponsoring the security clearance
of that member.
(e) Study and Implementation Plan.--
(1) Study.--Not later than 60 days after the date of
enactment of this Act, the Agency shall begin a study on the
design and implementation of the pilot project authorized under
subsection (b)(1) at the Agency, including--
(A) compensation and benefits for members of the
Civilian Cybersecurity Reserve;
(B) activities that members may undertake as part
of their duties;
(C) methods for identifying and recruiting members,
including alternatives to traditional qualifications
requirements;
(D) methods for preventing conflicts of interest or
other ethical concerns as a result of participation in
the pilot project and details of mitigation efforts to
address any conflict of interest concerns;
(E) resources, including additional funding, needed
to carry out the pilot project;
(F) possible penalties for individuals who do not
respond to activation when called, in accordance with
the rights and procedures set forth under title 5, Code
of Federal Regulations; and
(G) processes and requirements for training and
onboarding members.
(2) Implementation plan.--Not later than 1 year after
beginning the study required under paragraph (1), the Agency
shall--
(A) submit to the appropriate congressional
committees an implementation plan for the pilot project
authorized under subsection (b)(1); and
(B) provide to the appropriate congressional
committees a briefing on the implementation plan.
(3) Prohibition.--The Agency may not take any action to
begin implementation of the pilot project authorized under
subsection (b)(1) until the Agency fulfills the requirements
under paragraph (2).
(f) Project Guidance.--Not later than 2 years after the date of
enactment of this Act, the Director shall, in consultation with the
Office of Government Ethics, issue guidance establishing and
implementing the pilot project authorized under subsection (b)(1) at
the Agency.
(g) Briefings and Report.--
(1) Briefings.--Not later than 1 year after the date on
which the Director issues the guidance required under
subsection (f), and every year thereafter, the Agency shall
provide to the appropriate congressional committees a briefing
on activities carried out under the pilot project authorized
under subsection (b)(1), including--
(A) participation in the Civilian Cybersecurity
Reserve, including the number of participants, the
diversity of participants, and any barriers to
recruitment or retention of members;
(B) an evaluation of the ethical requirements of
the pilot project;
(C) whether the Civilian Cybersecurity Reserve has
been effective in providing additional capacity to the
Agency during significant incidents; and
(D) an evaluation of the eligibility requirements
for the pilot project.
(2) Report.--Not earlier than 6 months and not later than 3
months before the date on which the pilot project of the Agency
terminates under subsection (i), the Agency shall submit to the
appropriate congressional committees a report on, and provide a
briefing on recommendations relating to, the pilot project,
including recommendations for--
(A) whether the pilot project should be modified,
extended in duration, or established as a permanent
program, and if so, an appropriate scope for the
program;
(B) how to attract participants, ensure a diversity
of participants, and address any barriers to
recruitment or retention of members of the Civilian
Cybersecurity Reserve;
(C) the ethical requirements of the pilot project
and the effectiveness of mitigation efforts to address
any conflict of interest concerns; and
(D) an evaluation of the eligibility requirements
for the pilot project.
(h) Evaluation.--Not later than 3 years after the pilot project
authorized under subsection (b)(1) is established in the Agency, the
Comptroller General of the United States shall--
(1) conduct a study evaluating the pilot project at the
Agency; and
(2) submit to Congress--
(A) a report on the results of the study; and
(B) a recommendation with respect to whether the
pilot project should be modified, extended in duration,
or established as a permanent program.
(i) Sunset.--The pilot project authorized under subsection (b)(1)
shall terminate on the date that is 4 years after the date on which the
pilot project is established, except that an activated member of the
Civilian Cybersecurity Reserve who was appointed to and is serving in a
temporary position under this section as of the day before that
termination date may continue to serve until the end of the
appointment.
(j) No Additional Funds.--No additional funds are authorized to be
appropriated for the purpose of carrying out this Act.
Calendar No. 204
118th CONGRESS
1st Session
S. 885
[Report No. 118-96]
_______________________________________________________________________
A BILL
To establish a Civilian Cybersecurity Reserve in the Department of
Homeland Security as a pilot project to address the cybersecurity needs
of the United States with respect to national security, and for other
purposes.
_______________________________________________________________________
September 11, 2023
Reported with an amendment