
	
		I
		112th CONGRESS
		2d Session
		H. R. 6221
		IN THE HOUSE OF REPRESENTATIVES
		
			July 26, 2012
			Ms. Clarke of New
			 York (for herself and Mr. Daniel E.
			 Lungren of California) introduced the following bill; which was
			 referred to the Committee on Homeland
			 Security
		
		A BILL
		To amend the Homeland Security Act of 2002 to require the
		  Secretary of Homeland Security to research, identify, and evaluate
		  cybersecurity risks to critical infrastructure, and for other
		  purposes.
	
	
		1.Short titleThis Act may be cited as the
			 Identifying Cybersecurity Risks to
			 Critical Infrastructure Act of 2012.
		2.Identification of
			 sector-specific cybersecurity risks
			(a)In
			 generalSubtitle C of title
			 II of the Homeland Security Act of 2002 (6 U.S.C. 141 et seq.) is amended by
			 adding at the end the following new section:
				
					226.Identification
				of sector-specific cybersecurity risks
						(a)In
				generalThe Secretary shall, on a continuous and sector-by-sector
				basis, research, identify, and evaluate cybersecurity risks to critical
				infrastructure. In carrying out this subsection, the Secretary shall
				coordinate, as appropriate, with the following:
							(1)The heads of sector specific
				agencies.
							(2)The owners and
				operators of critical infrastructure.
							(3)Any private sector entity engaged in
				ensuring the security or resilience of critical infrastructure, as determined
				appropriate by the Secretary.
							(b)Evaluation of
				risksThe Secretary, in coordination with the individuals and
				entities referred to in subsection (a), shall evaluate the cybersecurity risks
				researched and identified under such subsection by taking into account each of
				the following:
							(1)The actual or
				assessed threat, including a consideration of adversary capabilities and
				intent, preparedness, target attractiveness, and deterrence
				capabilities.
							(2)The extent and
				likelihood of death, injury, or serious adverse effects to human health and
				safety caused by a disruption, destruction, or unauthorized use of critical
				infrastructure.
							(3)The threat to
				national security caused by the disruption, destruction, or unauthorized use of
				critical infrastructure.
							(4)The harm to the
				economy that would result from the disruption, destruction, or unauthorized use
				of critical infrastructure.
							(5)Other risk-based
				security factors that the Secretary determines appropriate to protect public
				health and safety, critical infrastructure, or national and economic security,
				in consultation with the following:
								(A)The heads of
				sector specific agencies.
								(B)Any private sector
				entity determined appropriate by the Secretary.
								(c)Availability of
				identified risksThe
				Secretary shall ensure that information relating to the risks researched,
				identified, and evaluated under this section for each sector described in
				subsection (a) is disseminated, to the maximum extent possible, in an
				unclassified version, to owners and operators of critical infrastructure within
				each such sector. If the Secretary determines that such information, in whole
				or in part should be classified, the Secretary shall share such information, as
				the Secretary determines appropriate, with such owners and operators if such
				owners and operators possess the appropriate security clearances.
						(d)Periodic reports
				to CongressThe Secretary
				shall periodically, but not less often than semiannually, report to the
				appropriate congressional committees on the cybersecurity risks to critical
				infrastructure researched, identified, and evaluated pursuant to subsection
				(a).
						(e)Critical
				infrastructure definedIn
				this section, the term critical infrastructure has the meaning
				given such term under section 1016(e) of the Uniting and Strengthening America
				by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
				(USA PATRIOT ACT) Act of 2001 (42 U.S.C. 5195c(e); Public Law
				107–56).
						.
			(b)Clerical
			 amendmentSubsection (b) of section 1 of the Homeland Security
			 Act of 2002 (6 U.S.C. 101) is amended by adding after the item relating to
			 section 225 the following new item:
				
					
						Sec. 226. Identification of
				sector-specific cybersecurity
				risks.
					
					.
			
