[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1975 Introduced in House (IH)]

116th CONGRESS
  1st Session
                                H. R. 1975

To establish in the Cybersecurity and Infrastructure Security Agency of 
   the Department of Homeland Security a Chief Information Security 
                      Officer Advisory Committee.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             March 28, 2019

    Mr. Katko (for himself, Mr. Newhouse, Mr. Fitzpatrick, and Mr. 
  Lipinski) introduced the following bill; which was referred to the 
 Committee on Homeland Security, and in addition to the Committees on 
   Energy and Commerce, and Oversight and Reform, for a period to be 
subsequently determined by the Speaker, in each case for consideration 
  of such provisions as fall within the jurisdiction of the committee 
                               concerned

_______________________________________________________________________

                                 A BILL


 
To establish in the Cybersecurity and Infrastructure Security Agency of 
   the Department of Homeland Security a Chief Information Security 
                      Officer Advisory Committee.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cybersecurity Advisory Committee 
Authorization Act of 2019''.

SEC. 2. CYBERSECURITY ADVISORY COMMITTEE.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 is amended by adding at the end the following new section:

``SEC. 2215. CYBERSECURITY ADVISORY COMMITTEE.

    ``(a) Establishment.--The Secretary shall establish within the 
Cybersecurity and Infrastructure Security Agency a Cybersecurity 
Advisory Committee.
    ``(b) Duties.--
            ``(1) In general.--The Advisory Committee may advise, 
        consult with, report to, and make recommendations to the 
        Director of Cybersecurity and Infrastructure Security on the 
        development, refinement, and implementation of policies, 
        programs, rulemakings, planning, training, and security 
        directives pertaining to the mission of the Cybersecurity and 
        Infrastructure Security Agency.
            ``(2) Recommendations.--
                    ``(A) In general.--The Advisory Committee shall 
                develop, at the request of the Director, 
                recommendations for improvements to the cybersecurity 
                mission of the Cybersecurity and Infrastructure 
                Security Agency.
                    ``(B) Recommendations of subcommittees.--
                Recommendations agreed upon by the subcommittees 
                established under subsection (d) for any year shall be 
                approved by the Advisory Committee before the Advisory 
                Committee submits to the Director the annual report 
                under paragraph (4) for that year.
            ``(3) Periodic reports.--The Advisory Committee shall 
        periodically submit to the Director--
                    ``(A) reports on matters identified by the 
                Director; and
                    ``(B) reports on other matters identified by a 
                majority of the members of the Advisory Committee.
            ``(4) Annual report.--The Advisory Committee shall submit 
        to the Director an annual report providing information on the 
        activities, findings, and recommendations of the Advisory 
        Committee, including its subcommittees, for the preceding year. 
        Not later than six months after the date that the Director 
        receives an annual report for a year, the Director shall 
        publish a public version of the report describing the 
        activities of the Advisory Committee and such related matters 
        as would be informative to the public during that year, 
        consistent with section 552(b) of title 5, United States Code.
            ``(5) Feedback.--Not later than 90 days after receiving any 
        recommendation submitted by the Advisory Committee under 
        paragraph (2), (3), or (4), the Director shall respond in 
        writing to the Advisory Committee with feedback on the 
        recommendation. Such a response shall include--
                    ``(A) with respect to any recommendation with which 
                the Director concurs, an action plan to implement the 
                recommendation; and
                    ``(B) with respect to any recommendation with which 
                the Director does not concur, a justification for why 
                the Director does not plan to implement the 
                recommendation.
            ``(6) Congressional notification.--For each fiscal quarter 
        beginning after the date of the enactment of this section, the 
        Director shall provide to the Committee on Homeland Security 
        and Governmental Affairs and the Committee on Appropriations of 
        the Senate and the Committee on Homeland Security and the 
        Committee on Appropriations of the House of Representatives a 
        briefing on feedback from the Advisory Committee.
    ``(c) Membership.--
            ``(1) Appointment.--
                    ``(A) In general.--Not later than 180 days after 
                the date of the enactment of this Act, the Director 
                shall appoint the members of the Advisory Committee.
                    ``(B) Composition.--The membership of the Advisory 
                Committee shall consist of not more than 35 
                individuals, each of whom represent a category referred 
                to in subparagraph (C)(i).
                    ``(C) Representation.--
                            ``(i) In general.--The membership of the 
                        Advisory Committee shall include 
                        representatives of State and local governments 
                        and of a broad range of industries, including 
                        the following:
                                    ``(I) Defense.
                                    ``(II) Education.
                                    ``(III) Financial services.
                                    ``(IV) Healthcare.
                                    ``(V) Manufacturing.
                                    ``(VI) Media and entertainment.
                                    ``(VII) Chemicals.
                                    ``(VIII) Retail.
                                    ``(IX) Transportation.
                                    ``(X) Energy.
                                    ``(XI) Information Technology.
                                    ``(XII) Communications.
                                    ``(XIII) Other relevant fields 
                                identified by the Director.
                            ``(ii) Prohibition.--Not more than three 
                        members may represent any one category under 
                        clause (i).
            ``(2) Term of office.--
                    ``(A) Terms.--The term of each member of the 
                Advisory Committee shall be two years, but a member may 
                continue to serve until a successor is appointed.
                    ``(B) Removal.--The Director may review the 
                participation of a member of the Advisory Committee and 
                remove such member for cause at any time.
                    ``(C) Reappointment.--A member of the Advisory 
                Committee may be reappointed for an unlimited number of 
                terms.
            ``(3) Delegation of responsibilities.--A member of the 
        Advisory Committee may delegate that member's responsibilities 
        under this section to another individual, with the exception of 
        access to protected information and classified information 
        under paragraph (6).
            ``(4) Prohibition on compensation.--The members of the 
        Advisory Committee may not receive pay or benefits from the 
        United States Government by reason of their service on the 
        Advisory Committee.
            ``(5) Meetings.--
                    ``(A) In general.--The Director shall require the 
                Advisory Committee to meet at least quarterly, and may 
                convene additional meetings as necessary.
                    ``(B) Public meetings.--At least one of the 
                meetings referred to in subparagraph (A) shall be open 
                to the public.
                    ``(C) Attendance.--The Advisory Committee shall 
                maintain a record of the persons present at each 
                meeting.
            ``(6) Member access to classified and protected 
        information.--
                    ``(A) In general.--Not later than 60 days after the 
                date on which a member is first appointed to the 
                Advisory Committee and before the member is granted 
                access to any classified information or protected 
                information, the Director shall determine if there is 
                cause for such member to be restricted from reviewing, 
                discussing, or possessing such information.
                    ``(B) Access.--
                            ``(i) Protected information.--If the 
                        Director does not restrict a member from 
                        reviewing, discussing, or possessing sensitive 
                        information under subparagraph (A) and the 
                        member voluntarily signs a nondisclosure 
                        agreement with respect to protected 
                        information, the member may be granted access 
                        to protected information that the Director 
                        determines is relevant to such member's service 
                        on the Advisory Committee.
                            ``(ii) Classified information.--Access to 
                        classified materials shall be managed in 
                        accordance with Executive Order No. 13526 of 
                        December 29, 2009 (75 Fed. Reg 707), or any 
                        subsequent corresponding Executive Order.
                    ``(C) Protections.--A member of the Advisory 
                Committee shall agree, as a condition of such 
                membership, to protect all classified information in 
                accordance with the applicable requirements for the 
                particular level of classification of such information 
                and to protect all protected information appropriately.
                    ``(D) Protected information defined.--In this 
                section, the term `protected information' means--
                            ``(i) information specifically exempted 
                        from disclosure by statute or regulation;
                            ``(ii) trade secrets and commercial or 
                        financial information obtained from a person 
                        and privileged or confidential;
                            ``(iii) deliberative process privileged 
                        information;
                            ``(iv) personally identifiable information, 
                        the disclosure of which would constitute an 
                        invasion of personal privacy;
                            ``(v) records containing law enforcement 
                        sensitive information; and
                            ``(vi) other categories of information, as 
                        determined by the Director.
            ``(7) Chairperson.--The Advisory Committee shall select, 
        from among the members of the Advisory Committee--
                    ``(A) a member to serve as chairperson of the 
                Advisory Committee; and
                    ``(B) a member to serve as chairperson of each 
                subcommittee of the Advisory Committee established 
                under subsection (d).
    ``(d) Subcommittees.--
            ``(1) In general.--The Director and the Advisory Committee 
        shall establish subcommittees within the Advisory Committee to 
        address cybersecurity issues, including relating to the 
        following:
                    ``(A) Information exchange.
                    ``(B) Critical infrastructure.
                    ``(C) Risk management.
                    ``(D) Public and private partnerships.
            ``(2) Additional subcommittees.--In addition to the 
        subcommittees established pursuant to paragraph (1), the 
        Advisory Committee chairperson, in coordination with the 
        Director, may establish within the Advisory Committee 
        additional subcommittees that the Director and Advisory 
        Committee determine to be necessary.
            ``(3) Meetings and reporting.--Each subcommittee shall meet 
        at least bimonthly, and submit to the Advisory Committee for 
        inclusion in the annual report required under subsection (b)(4) 
        information, including activities, findings, and 
        recommendations, regarding subject matter considered by the 
        subcommittee.
            ``(4) Subject matter experts.--The chair of the Advisory 
        Committee shall appoint members to subcommittees and shall 
        ensure that each member appointed to a subcommittee has subject 
        matter expertise relevant to the subject matter of the 
        subcommittee.
    ``(e) Nonapplicability of FACA.--The Federal Advisory Committee Act 
(5 U.S.C. App.) shall not apply to the Advisory Committee and its 
subcommittees.''.
    (b) Clerical Amendment.--The table of contents in section 1(b) of 
such Act is amended by inserting after the item relating to section 
2214 the following new item:

``2215. Cybersecurity Advisory Committee.''.