[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 4024 Reported in Senate (RS)]

                                                       Calendar No. 528
116th CONGRESS
  2d Session
                                S. 4024

                          [Report No. 116-265]

To establish in the Cybersecurity and Infrastructure Security Agency of 
the Department of Homeland Security a Cybersecurity Advisory Committee.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 22, 2020

Mr. Perdue (for himself and Ms. Sinema) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

                           September 9, 2020

               Reported by Mr. Johnson, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
To establish in the Cybersecurity and Infrastructure Security Agency of 
the Department of Homeland Security a Cybersecurity Advisory Committee.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Cybersecurity Advisory 
Committee Authorization Act of 2020''.</DELETED>

<DELETED>SEC. 2. CYBERSECURITY ADVISORY COMMITTEE.</DELETED>

<DELETED>    (a) In General.--Subtitle A of title XXII of the Homeland 
Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the 
end the following:</DELETED>

<DELETED>``SEC. 2215. CYBERSECURITY ADVISORY COMMITTEE.</DELETED>

<DELETED>    ``(a) Establishment.--The Secretary shall establish within 
the Agency a Cybersecurity Advisory Committee (referred to in this 
section as the `Advisory Committee').</DELETED>
<DELETED>    ``(b) Duties.--</DELETED>
        <DELETED>    ``(1) In general.--The Advisory Committee may 
        advise, consult with, report to, and make recommendations to 
        the Director, as appropriate, on the development, refinement, 
        and implementation of policies, programs, planning, and 
        training pertaining to the cybersecurity mission of the 
        Agency.</DELETED>
        <DELETED>    ``(2) Recommendations.--</DELETED>
                <DELETED>    ``(A) In general.--The Advisory Committee 
                shall develop, at the request of the Director, 
                recommendations for improvements to advance the 
                cybersecurity mission of the Agency and strengthen the 
                cybersecurity of the United States.</DELETED>
                <DELETED>    ``(B) Recommendations of subcommittees.--
                Recommendations agreed upon by subcommittees 
                established under subsection (d) for any year shall be 
                approved by the Advisory Committee before the Advisory 
                Committee submits to the Director the annual report 
                under paragraph (4) for that year.</DELETED>
        <DELETED>    ``(3) Periodic reports.--The Advisory Committee 
        shall periodically submit to the Director--</DELETED>
                <DELETED>    ``(A) reports on matters identified by the 
                Director; and</DELETED>
                <DELETED>    ``(B) reports on other matters identified 
                by a majority of the members of the Advisory 
                Committee.</DELETED>
        <DELETED>    ``(4) Annual report.--</DELETED>
                <DELETED>    ``(A) In general.--The Advisory Committee 
                shall submit to the Director an annual report providing 
                information on the activities, findings, and 
                recommendations of the Advisory Committee, including 
                its subcommittees, for the preceding year.</DELETED>
                <DELETED>    ``(B) Publication.--Not later than 180 
                days after the date on which the Director receives an 
                annual report for a year under subparagraph (A), the 
                Director shall publish a public version of the report 
                describing the activities of the Advisory Committee and 
                such related matters as would be informative to the 
                public during that year, consistent with section 552(b) 
                of title 5, United States Code.</DELETED>
        <DELETED>    ``(5) Feedback.--Not later than 90 days after 
        receiving any recommendation submitted by the Advisory 
        Committee under paragraph (2), (3), or (4), the Director shall 
        respond in writing to the Advisory Committee with feedback on 
        the recommendation. Such a response shall include--</DELETED>
                <DELETED>    ``(A) with respect to any recommendation 
                with which the Director concurs, an action plan to 
                implement the recommendation; and</DELETED>
                <DELETED>    ``(B) with respect to any recommendation 
                with which the Director does not concur, a 
                justification for why the Director does not plan to 
                implement the recommendation.</DELETED>
        <DELETED>    ``(6) Congressional notification.--Not less 
        frequently than once per year after the date of enactment of 
        this section, the Director shall provide to the Committee on 
        Homeland Security and Governmental Affairs and the Committee on 
        Appropriations of the Senate and the Committee on Homeland 
        Security and the Committee on Appropriations of the House of 
        Representatives a briefing on feedback from the Advisory 
        Committee.</DELETED>
<DELETED>    ``(c) Membership.--</DELETED>
        <DELETED>    ``(1) Appointment.--</DELETED>
                <DELETED>    ``(A) In general.--Not later than 180 days 
                after the date of enactment of the Cybersecurity 
                Advisory Committee Authorization Act of 2020, the 
                Director shall appoint the members of the Advisory 
                Committee.</DELETED>
                <DELETED>    ``(B) Composition.--The membership of the 
                Advisory Committee shall consist of not more than 35 
                individuals.</DELETED>
                <DELETED>    ``(C) Representation.--</DELETED>
                        <DELETED>    ``(i) In general.--The membership 
                        of the Advisory Committee shall be 
                        geographically balanced and shall include 
                        representatives of State and local governments 
                        and of a broad range of industries, which may 
                        include the following:</DELETED>
                                <DELETED>    ``(I) Defense.</DELETED>
                                <DELETED>    ``(II) 
                                Education.</DELETED>
                                <DELETED>    ``(III) Financial services 
                                and insurance.</DELETED>
                                <DELETED>    ``(IV) 
                                Healthcare.</DELETED>
                                <DELETED>    ``(V) 
                                Manufacturing.</DELETED>
                                <DELETED>    ``(VI) Media and 
                                entertainment.</DELETED>
                                <DELETED>    ``(VII) 
                                Chemicals.</DELETED>
                                <DELETED>    ``(VIII) Retail.</DELETED>
                                <DELETED>    ``(IX) 
                                Transportation.</DELETED>
                                <DELETED>    ``(X) Energy.</DELETED>
                                <DELETED>    ``(XI) Information 
                                Technology.</DELETED>
                                <DELETED>    ``(XII) 
                                Communications.</DELETED>
                                <DELETED>    ``(XIII) Other relevant 
                                fields identified by the 
                                Director.</DELETED>
                        <DELETED>    ``(ii) Prohibition.--Not more than 
                        3 members may represent any 1 category under 
                        clause (i).</DELETED>
        <DELETED>    ``(2) Term of office.--</DELETED>
                <DELETED>    ``(A) Terms.--The term of each member of 
                the Advisory Committee shall be 2 years, except that a 
                member may continue to serve until a successor is 
                appointed.</DELETED>
                <DELETED>    ``(B) Removal.--The Director may review 
                the participation of a member of the Advisory Committee 
                and remove such member any time at the discretion of 
                the Director.</DELETED>
                <DELETED>    ``(C) Reappointment.--A member of the 
                Advisory Committee may be reappointed for an unlimited 
                number of terms.</DELETED>
        <DELETED>    ``(3) Prohibition on compensation.--The members of 
        the Advisory Committee may not receive pay or benefits from the 
        United States Government by reason of their service on the 
        Advisory Committee.</DELETED>
        <DELETED>    ``(4) Meetings.--</DELETED>
                <DELETED>    ``(A) In general.--The Director shall 
                require the Advisory Committee to meet not less 
                frequently than semiannually, and may convene 
                additional meetings as necessary.</DELETED>
                <DELETED>    ``(B) Public meetings.--At least one of 
                the meetings referred to in subparagraph (A) shall be 
                open to the public.</DELETED>
                <DELETED>    ``(C) Attendance.--The Advisory Committee 
                shall maintain a record of the persons present at each 
                meeting.</DELETED>
        <DELETED>    ``(5) Member access to classified information.--
        </DELETED>
                <DELETED>    ``(A) In general.--Not later than 60 days 
                after the date on which a member is first appointed to 
                the Advisory Committee and before the member is granted 
                access to any classified information, the Director 
                shall determine if the member should be restricted from 
                reviewing, discussing, or possessing classified 
                information.</DELETED>
                <DELETED>    ``(B) Access.--Access to classified 
                materials shall be managed in accordance with Executive 
                Order No. 13526 of December 29, 2009 (75 Fed. Reg 707), 
                or any subsequent corresponding Executive 
                Order.</DELETED>
                <DELETED>    ``(C) Protections.--A member of the 
                Advisory Committee shall protect all classified 
                information in accordance with the applicable 
                requirements for the particular level of classification 
                of such information.</DELETED>
        <DELETED>    ``(6) Chairperson.--The Advisory Committee shall 
        select, from among the members of the Advisory Committee--
        </DELETED>
                <DELETED>    ``(A) a member to serve as chairperson of 
                the Advisory Committee; and</DELETED>
                <DELETED>    ``(B) a member to serve as chairperson of 
                each subcommittee of the Advisory Committee established 
                under subsection (d).</DELETED>
<DELETED>    ``(d) Subcommittees.--</DELETED>
        <DELETED>    ``(1) In general.--The Director shall establish 
        subcommittees within the Advisory Committee to address 
        cybersecurity issues, which may include the 
        following:</DELETED>
                <DELETED>    ``(A) Information exchange.</DELETED>
                <DELETED>    ``(B) Critical infrastructure.</DELETED>
                <DELETED>    ``(C) Risk management.</DELETED>
                <DELETED>    ``(D) Public and private 
                partnerships.</DELETED>
        <DELETED>    ``(2) Meetings and reporting.--Each subcommittee 
        shall meet not less frequently than semiannually, and submit to 
        the Advisory Committee for inclusion in the annual report 
        required under subsection (b)(4) information, including 
        activities, findings, and recommendations, regarding subject 
        matter considered by the subcommittee.</DELETED>
        <DELETED>    ``(3) Subject matter experts.--The chair of the 
        Advisory Committee shall appoint members to subcommittees and 
        shall ensure that each member appointed to a subcommittee has 
        subject matter expertise relevant to the subject matter of the 
        subcommittee.</DELETED>
<DELETED>    ``(e) Nonapplicability of FACA.--The Federal Advisory 
Committee Act (5 U.S.C. App.) shall not apply to the Advisory Committee 
and its subcommittees.''.</DELETED>
<DELETED>    (b) Clerical Amendment.--The table of contents in section 
1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 116 
Stat. 2135) is amended by inserting after the item relating to section 
2214 the following:</DELETED>

<DELETED>``2215. Cybersecurity Advisory Committee.''.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cybersecurity Advisory Committee 
Authorization Act of 2020''.

SEC. 2. CYBERSECURITY ADVISORY COMMITTEE.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following:

``SEC. 2215. CYBERSECURITY ADVISORY COMMITTEE.

    ``(a) Establishment.--The Secretary shall establish within the 
Agency a Cybersecurity Advisory Committee (referred to in this section 
as the `Advisory Committee').
    ``(b) Duties.--
            ``(1) In general.--The Advisory Committee shall advise, 
        consult with, report to, and make recommendations to the 
        Director, as appropriate, on the development, refinement, and 
        implementation of policies, programs, planning, and training 
        pertaining to the cybersecurity mission of the Agency.
            ``(2) Recommendations.--
                    ``(A) In general.--The Advisory Committee shall 
                develop, at the request of the Director, 
                recommendations for improvements to advance the 
                cybersecurity mission of the Agency and strengthen the 
                cybersecurity of the United States.
                    ``(B) Recommendations of subcommittees.--
                Recommendations agreed upon by subcommittees 
                established under subsection (d) for any year shall be 
                approved by the Advisory Committee before the Advisory 
                Committee submits to the Director the annual report 
                under paragraph (4) for that year.
            ``(3) Periodic reports.--The Advisory Committee shall 
        periodically submit to the Director--
                    ``(A) reports on matters identified by the 
                Director; and
                    ``(B) reports on other matters identified by a 
                majority of the members of the Advisory Committee.
            ``(4) Annual report.--
                    ``(A) In general.--The Advisory Committee shall 
                submit to the Director an annual report providing 
                information on the activities, findings, and 
                recommendations of the Advisory Committee, including 
                its subcommittees, for the preceding year.
                    ``(B) Publication.--Not later than 180 days after 
                the date on which the Director receives an annual 
                report for a year under subparagraph (A), the Director 
                shall publish a public version of the report describing 
                the activities of the Advisory Committee and such 
                related matters as would be informative to the public 
                during that year, consistent with section 552(b) of 
                title 5, United States Code.
            ``(5) Feedback.--Not later than 90 days after receiving any 
        recommendation submitted by the Advisory Committee under 
        paragraph (2), (3), or (4), the Director shall respond in 
        writing to the Advisory Committee with feedback on the 
        recommendation. Such a response shall include--
                    ``(A) with respect to any recommendation with which 
                the Director concurs, an action plan to implement the 
                recommendation; and
                    ``(B) with respect to any recommendation with which 
                the Director does not concur, a justification for why 
                the Director does not plan to implement the 
                recommendation.
            ``(6) Congressional notification.--Not less frequently than 
        once per year after the date of enactment of this section, the 
        Director shall provide to the Committee on Homeland Security 
        and Governmental Affairs and the Committee on Appropriations of 
        the Senate and the Committee on Homeland Security and the 
        Committee on Appropriations of the House of Representatives a 
        briefing on feedback from the Advisory Committee.
            ``(7) Governance rules.--The Director shall establish rules 
        for the structure and governance of the Advisory Committee and 
        all subcommittees established under subsection (d).
    ``(c) Membership.--
            ``(1) Appointment.--
                    ``(A) In general.--Not later than 180 days after 
                the date of enactment of the Cybersecurity Advisory 
                Committee Authorization Act of 2020, the Director shall 
                appoint the members of the Advisory Committee.
                    ``(B) Composition.--The membership of the Advisory 
                Committee shall consist of not more than 35 
                individuals.
                    ``(C) Representation.--
                            ``(i) In general.--The membership of the 
                        Advisory Committee shall--
                                    ``(I) consist of subject matter 
                                experts;
                                    ``(II) be geographically balanced; 
                                and
                                    ``(III) include representatives of 
                                State, local, and Tribal governments 
                                and of a broad range of industries, 
                                which may include the following:
                                            ``(aa) Defense.
                                            ``(bb) Education.
                                            ``(cc) Financial services 
                                        and insurance.
                                            ``(dd) Healthcare.
                                            ``(ee) Manufacturing.
                                            ``(ff) Media and 
                                        entertainment.
                                            ``(gg) Chemicals.
                                            ``(hh) Retail.
                                            ``(ii) Transportation.
                                            ``(jj) Energy.
                                            ``(kk) Information 
                                        Technology.
                                            ``(ll) Communications.
                                            ``(mm) Other relevant 
                                        fields identified by the 
                                        Director.
                            ``(ii) Prohibition.--Not less than 1 member 
                        nor more than 3 members may represent any 1 
                        category under clause (i)(III).
                            ``(iii) Publication of membership list.--
                        The Advisory Committee shall publish its 
                        membership list on a publicly available website 
                        not less than once per fiscal year and shall 
                        update the membership list as changes occur.
            ``(2) Term of office.--
                    ``(A) Terms.--The term of each member of the 
                Advisory Committee shall be 2 years, except that a 
                member may continue to serve until a successor is 
                appointed.
                    ``(B) Removal.--The Director may review the 
                participation of a member of the Advisory Committee and 
                remove such member any time at the discretion of the 
                Director.
                    ``(C) Reappointment.--A member of the Advisory 
                Committee may be reappointed for an unlimited number of 
                terms.
            ``(3) Prohibition on compensation.--The members of the 
        Advisory Committee may not receive pay or benefits from the 
        United States Government by reason of their service on the 
        Advisory Committee.
            ``(4) Meetings.--
                    ``(A) In general.--The Director shall require the 
                Advisory Committee to meet not less frequently than 
                semiannually, and may convene additional meetings as 
                necessary.
                    ``(B) Public meetings.--At least one of the 
                meetings referred to in subparagraph (A) shall be open 
                to the public.
                    ``(C) Attendance.--The Advisory Committee shall 
                maintain a record of the persons present at each 
                meeting.
            ``(5) Member access to classified information.--
                    ``(A) In general.--Not later than 60 days after the 
                date on which a member is first appointed to the 
                Advisory Committee and before the member is granted 
                access to any classified information, the Director 
                shall determine, for the purposes of the Advisory 
                Committee, if the member should be restricted from 
                reviewing, discussing, or possessing classified 
                information.
                    ``(B) Access.--Access to classified materials shall 
                be managed in accordance with Executive Order No. 13526 
                of December 29, 2009 (75 Fed. Reg. 707), or any 
                subsequent corresponding Executive Order.
                    ``(C) Protections.--A member of the Advisory 
                Committee shall protect all classified information in 
                accordance with the applicable requirements for the 
                particular level of classification of such information.
                    ``(D) Rule of construction.--Nothing in this 
                paragraph shall be construed to affect the security 
                clearance of a member of the Advisory Committee or the 
                authority of a Federal agency to provide a member of 
                the Advisory Committee access to classified 
                information.
            ``(6) Chairperson.--The Advisory Committee shall select, 
        from among the members of the Advisory Committee--
                    ``(A) a member to serve as chairperson of the 
                Advisory Committee; and
                    ``(B) a member to serve as chairperson of each 
                subcommittee of the Advisory Committee established 
                under subsection (d).
    ``(d) Subcommittees.--
            ``(1) In general.--The Director shall establish 
        subcommittees within the Advisory Committee to address 
        cybersecurity issues, which may include the following:
                    ``(A) Information exchange.
                    ``(B) Critical infrastructure.
                    ``(C) Risk management.
                    ``(D) Public and private partnerships.
            ``(2) Meetings and reporting.--Each subcommittee shall meet 
        not less frequently than semiannually, and submit to the 
        Advisory Committee for inclusion in the annual report required 
        under subsection (b)(4) information, including activities, 
        findings, and recommendations, regarding subject matter 
        considered by the subcommittee.
            ``(3) Subject matter experts.--The chairperson of the 
        Advisory Committee shall appoint members to subcommittees and 
        shall ensure that each member appointed to a subcommittee has 
        subject matter expertise relevant to the subject matter of the 
        subcommittee.''.
    (b) Clerical Amendment.--The table of contents in section 1(b) of 
the Homeland Security Act of 2002 (Public Law 107-296; 116 Stat. 2135) 
is amended by inserting after the item relating to section 2214 the 
following:

``Sec. 2215. Cybersecurity Advisory Committee.''.