[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5440 Introduced in House (IH)]

<DOC>






117th CONGRESS
  1st Session
                                H. R. 5440

   To amend the Homeland Security Act of 2002 to establish the Cyber 
Incident Review Office in the Cybersecurity and Infrastructure Security 
 Agency of the Department of Homeland Security, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 30, 2021

    Ms. Clarke of New York (for herself, Mr. Katko, Mr. Thompson of 
 Mississippi, and Mr. Garbarino) introduced the following bill; which 
           was referred to the Committee on Homeland Security

_______________________________________________________________________

                                 A BILL


 
   To amend the Homeland Security Act of 2002 to establish the Cyber 
Incident Review Office in the Cybersecurity and Infrastructure Security 
 Agency of the Department of Homeland Security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cyber Incident Reporting for 
Critical Infrastructure Act of 2021''.

SEC. 2. CYBER INCIDENT REVIEW OFFICE.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following new section:

``SEC. 2220A. CYBER INCIDENT REVIEW OFFICE.

    ``(a) Definitions.--In this section:
            ``(1) Cloud service provider.--The term `cloud service 
        provider' means an entity offering products or services related 
        to cloud computing, as defined by the National Institute of 
        Standards and Technology in NIST Special Publication 800-145 
        and any amendatory or superseding document relating thereto.
            ``(2) Covered entity.--The term `covered entity' means an 
        entity that owns or operates critical infrastructure that 
        satisfies the definition established by the Director in the 
        reporting requirements and procedures issued pursuant to 
        subsection (d).
            ``(3) Covered cybersecurity incident.--The term `covered 
        cybersecurity incident' means a cybersecurity incident 
        experienced by a covered entity that satisfies the definition 
        and criteria established by the Director in the reporting 
        requirements and procedures issued pursuant to subsection (d).
            ``(4) Cyber threat indicator.--The term `cyber threat 
        indicator' has the meaning given such term in section 102 of 
        the Cybersecurity Act of 2015 (enacted as division N of the 
        Consolidated Appropriations Act, 2016 (Public Law 114-113; 6 
        U.S.C. 1501)).
            ``(5) Cybersecurity purpose.--The term `cybersecurity 
        purpose' has the meaning given such term in section 102 of the 
        Cybersecurity Act of 2015 (enacted as division N of the 
        Consolidated Appropriations Act, 2016 (Public Law 114-113; 6 
        U.S.C. 1501)).
            ``(6) Cybersecurity threat.--The term `cybersecurity 
        threat' has the meaning given such term in section 102 of the 
        Cybersecurity Act of 2015 (enacted as division N of the 
        Consolidated Appropriations Act, 2016 (Public Law 114-113; 6 
        U.S.C. 1501)).
            ``(7) Defensive measure.--The term `defensive measure' has 
        the meaning given such term in section 102 of the Cybersecurity 
        Act of 2015 (enacted as division N of the Consolidated 
        Appropriations Act, 2016 (Public Law 114-113; 6 U.S.C. 1501)).
            ``(8) Information sharing and analysis organization.--The 
        term `Information Sharing and Analysis Organization' has the 
        meaning given such term in section 2222(5).
            ``(9) Information system.--The term `information system' 
        has the meaning given such term in section 102 of the 
        Cybersecurity Act of 2015 (enacted as division N of the 
        Consolidated Appropriations Act, 2016 (Public Law 114-113; 6 
        U.S.C. 1501(9)).
            ``(10) Intelligence community.--The term `intelligence 
        community' has the meaning given the term in section 3(4) of 
        the National Security Act of 1947 (50 U.S.C. 3003(4)).
            ``(11) Managed service provider.--The term `managed service 
        provider' means an entity that delivers services, such as 
        network, application, infrastructure, or security services, via 
        ongoing and regular support and active administration on 
        customers' premises, in the managed service provider's data 
        center (such as hosting), or in a third-party data center.
            ``(12) Security control.--The term `security control' has 
        the meaning given such term in section 102 of the Cybersecurity 
        Act of 2015 (enacted as division N of the Consolidated 
        Appropriations Act, 2016 (Public Law 114-113; 6 U.S.C. 1501)).
            ``(13) Security vulnerability.--The term `security 
        vulnerability' has the meaning given such term in section 102 
        of the Cybersecurity Act of 2015 (enacted as division N of the 
        Consolidated Appropriations Act, 2016 (Public Law 114-113; 6 
        U.S.C. 1501)).
            ``(14) Significant cyber incident.--The term `significant 
        cyber incident' means a cyber incident, or a group of related 
        cyber incidents, that the Director determines is likely to 
        result in demonstrable harm to the national security interests, 
        foreign relations, or economy of the United States or to the 
        public confidence, civil liberties, or public health and safety 
        of the American people.
            ``(15) Supply chain attack.--The term `supply chain attack' 
        means an attack that allows an adversary to utilize implants or 
        other vulnerabilities inserted into information technology 
        hardware, software, operating systems, peripherals (such as 
        information technology products), or services at any point 
        during the life cycle in order to infiltrate the networks of 
        third parties where such products, services, or technologies 
        are deployed.
    ``(b) Cyber Incident Review Office.--There is established in the 
Agency a Cyber Incident Review Office (in this section referred to as 
the `Office') to receive, aggregate, and analyze reports related to 
covered cybersecurity incidents submitted by covered entities in 
furtherance of the activities specified in subsection (c) of this 
section and sections 2202(e), 2209(c), and 2203 to enhance the 
situational awareness of cybersecurity threats across critical 
infrastructure sectors.
    ``(c) Activities.--The Office shall, in furtherance of the 
activities specified in sections 2202(e), 2209(c), and 2203--
            ``(1) receive, aggregate, analyze, and secure reports from 
        covered entities related to a covered cybersecurity incident to 
        assess the effectiveness of security controls and identify 
        tactics, techniques, and procedures adversaries use to overcome 
        such controls;
            ``(2) facilitate the timely sharing between relevant 
        critical infrastructure owners and operators and, as 
        appropriate, the intelligence community of information relating 
        to covered cybersecurity incidents, particularly with respect 
        to an ongoing cybersecurity threat or security vulnerability;
            ``(3) for a covered cybersecurity incident that also 
        satisfies the definition of a significant cyber incident, or 
        is part of a group of related cyber incidents that together 
        satisfy such definition, conduct a review of the details 
        surrounding such covered cybersecurity incident or group of 
        such incidents and identify ways to prevent or mitigate similar 
        incidents in the future;
            ``(4) with respect to covered cybersecurity incident 
        reports under subsection (d) involving an ongoing cybersecurity 
        threat or security vulnerability, immediately review such 
        reports for cyber threat indicators that can be anonymized and 
        disseminated, with defensive measures, to appropriate 
        stakeholders, in coordination with other Divisions within the 
        Agency, as appropriate;
            ``(5) publish quarterly unclassified, public reports that 
        describe aggregated, anonymized observations, findings, and 
        recommendations based on covered cybersecurity incident reports 
        under subsection (d);
            ``(6) leverage information gathered regarding cybersecurity 
        incidents to enhance the quality and effectiveness of bi-
        directional information sharing and coordination efforts with 
        appropriate stakeholders, including sector coordinating 
        councils, information sharing and analysis organizations, 
        technology providers, cybersecurity and incident response 
        firms, and security researchers, including by establishing 
        mechanisms to receive feedback from such stakeholders regarding 
        how the Agency can most effectively support private sector 
        cybersecurity; and
            ``(7) proactively identify opportunities, in accordance 
        with the protections specified in subsections (e) and (f), to 
        leverage and utilize data on cybersecurity incidents in a 
        manner that enables and strengthens cybersecurity research 
        carried out by academic institutions and other private sector 
        organizations, to the greatest extent practicable.
    ``(d) Covered Cybersecurity Incident Reporting Requirements and 
Procedures.--
            ``(1) In general.--Not later than 270 days after the date 
        of the enactment of this section, the Director, in consultation 
        with Sector Risk Management Agencies and the heads of other 
        Federal departments and agencies, as appropriate, shall, after 
        a 60 day consultative period, followed by a 90 day comment 
        period with appropriate stakeholders, including sector 
        coordinating councils, publish in the Federal Register an 
        interim final rule implementing this section. Notwithstanding 
        section 553 of title 5, United States Code, such rule shall be 
        effective, on an interim basis, immediately upon publication, 
        but may be subject to change and revision after public notice 
        and opportunity for comment. The Director shall issue a final 
        rule not later than one year after publication of such interim 
        final rule. Such interim final rule shall--
                    ``(A) require covered entities to submit to the 
                Office reports containing information relating to 
                covered cybersecurity incidents; and
                    ``(B) establish procedures that clearly describe--
                            ``(i) the types of critical infrastructure 
                        entities determined to be covered entities;
                            ``(ii) the types of cybersecurity incidents 
                        determined to be covered cybersecurity 
                        incidents;
                            ``(iii) the mechanisms by which covered 
                        cybersecurity incident reports under 
                        subparagraph (A) are to be submitted, 
                        including--
                                    ``(I) the contents, described in 
                                paragraph (4), to be included in each 
                                such report, including any supplemental 
                                reporting requirements;
                                    ``(II) the timing relating to when 
                                each such report should be submitted; 
                                and
                                    ``(III) the format of each such 
                                report;
                            ``(iv) describe the manner in which the 
                        Office will carry out enforcement actions under 
                        subsection (g), including with respect to the 
                        issuance of subpoenas, conducting examinations, 
                        and other aspects relating to noncompliance; 
                        and
                            ``(v) any other responsibilities to be 
                        carried out by covered entities, or other 
                        procedures necessary to implement this section.
            ``(2) Covered entities.--In determining which types of 
        critical infrastructure entities are covered entities for 
        purposes of this section, the Secretary, acting through the 
        Director, in consultation with Sector Risk Management Agencies 
        and the heads of other Federal departments and agencies, as 
        appropriate, shall consider--
                    ``(A) the consequences that disruption to or 
                compromise of such an entity could cause to national 
                security, economic security, or public health and 
                safety;
                    ``(B) the likelihood that such an entity may be 
                targeted by a malicious cyber actor, including a 
                foreign country;
                    ``(C) the extent to which damage, disruption, or 
                unauthorized access to such an entity will disrupt the 
                reliable operation of other critical infrastructure 
                assets; and
                    ``(D) the extent to which an entity or sector is 
                subject to existing regulatory requirements to report 
                cybersecurity incidents, and the possibility of 
                coordination and sharing of reports between the Office 
                and the regulatory authority to which such entity 
                submits such other reports.
            ``(3) Outreach to covered entities.--
                    ``(A) In general.--The Director shall conduct an 
                outreach and education campaign to inform covered 
                entities of the requirements of this section.
                    ``(B) Elements.--The outreach and education 
                campaign under subparagraph (A) shall include the 
                following:
                            ``(i) Overview of the interim final rule 
                        and final rule issued pursuant to this section.
                            ``(ii) Overview of reporting requirements 
                        and procedures issued pursuant to paragraph 
                        (1).
                            ``(iii) Overview of mechanisms to submit to 
                        the Office covered cybersecurity incident 
                        reports and information relating to the 
                        disclosure, retention, and use of incident 
                        reports under this section.
                            ``(iv) Overview of the protections afforded 
                        to covered entities for complying with 
                        requirements under subsection (f).
                            ``(v) Overview of the steps taken under 
                        subsection (g) when a covered entity is not in 
                        compliance with the reporting requirements 
                        under paragraph (1).
                    ``(C) Coordination.--The Director may conduct the 
                outreach and education campaign under subparagraph (A) 
                through coordination with the following:
                            ``(i) The Critical Infrastructure 
                        Partnership Advisory Council established 
                        pursuant to section 871.
                            ``(ii) Information Sharing and Analysis 
                        Organizations.
                            ``(iii) Any other means the Director 
                        determines to be effective to conduct such 
                        campaign.
            ``(4) Covered cybersecurity incidents.--
                    ``(A) Considerations.--In accordance with 
                subparagraph (B), in determining which types of 
                incidents are covered cybersecurity incidents for 
                purposes of this section, the Director shall consider--
                            ``(i) the sophistication or novelty of the 
                        tactics used to perpetrate such an incident, as 
                        well as the type, volume, and sensitivity of 
                        the data at issue;
                            ``(ii) the number of individuals directly 
                        or indirectly affected or potentially affected 
                        by such an incident; and
                            ``(iii) potential impacts on industrial 
                        control systems, such as supervisory control 
                        and data acquisition systems, distributed 
                        control systems, and programmable logic 
                        controllers.
                    ``(B) Minimum thresholds.--For a cybersecurity 
                incident to be considered a covered cybersecurity 
                incident, a cybersecurity incident shall, at a minimum, 
                include at least one of the following:
                            ``(i) Unauthorized access to an information 
                        system or network that leads to loss of 
                        confidentiality, integrity, or availability of 
                        such information system or network, or has a 
                        serious impact on the safety and resiliency of 
                        operational systems and processes.
                            ``(ii) Disruption of business or industrial 
                        operations due to a denial of service attack, a 
                        ransomware attack, or exploitation of a zero-
                        day vulnerability, against--
                                    ``(I) an information system or 
                                network; or
                                    ``(II) an operational technology 
                                system or process.
                            ``(iii) Unauthorized access or disruption 
                        of business or industrial operations due to 
                        loss of service facilitated through, or caused 
                        by a compromise of, a cloud service provider, 
                        managed service provider, other third-party 
                        data hosting provider, or supply chain attack.
            ``(5) Reports.--
                    ``(A) Timing.--
                            ``(i) In general.--The Director, in 
                        consultation with Sector Risk Management 
                        Agencies and the heads of other Federal 
                        departments and agencies, as appropriate, shall 
                        establish reporting timelines for covered 
                        entities to submit promptly to the Office 
                        covered cybersecurity incident reports, as the 
                        Director determines reasonable and appropriate 
                        based on relevant factors, such as the nature, 
                        severity, and complexity of the covered 
                        cybersecurity incident at issue and the time 
                        required for investigation, but in no case may 
                        the Director require reporting by a covered 
                        entity earlier than 72 hours after confirmation 
                        that a covered cybersecurity incident has 
                        occurred.
                            ``(ii) Considerations.--In determining 
                        reporting timelines under clause (i), the 
                        Director shall--
                                    ``(I) consider any existing 
                                regulatory reporting requirements, 
                                similar in scope, purpose, and timing to 
                                the reporting requirements under this 
                                section, to which a covered entity may 
                                also be subject, and make efforts to 
                                harmonize the timing and contents of 
                                any such reports to the maximum extent 
                                practicable; and
                                    ``(II) balance the Agency's need 
                                for situational awareness with a 
                                covered entity's ability to conduct 
                                incident response and investigations.
                    ``(B) Third-party reporting.--
                            ``(i) In general.--A covered entity may 
                        submit a covered cybersecurity incident report 
                        through a third-party entity or Information 
                        Sharing and Analysis Organization.
                            ``(ii) Duty to ensure compliance.--Third-
                        party reporting under this subparagraph does 
                        not relieve a covered entity of the duty to 
                        ensure compliance with the requirements of this 
                        paragraph.
                    ``(C) Supplemental reporting.--A covered entity 
                shall submit promptly to the Office, until such date 
                that such covered entity notifies the Office that the 
                cybersecurity incident investigation at issue has 
                concluded and the associated covered cybersecurity 
                incident has been fully mitigated and resolved, 
                periodic updates or supplements to a previously 
                submitted covered cybersecurity incident report if new 
                or different information becomes available that would 
                otherwise have been required to have been included in 
                such previously submitted report. In determining 
                reporting timelines, the Director may choose to 
                establish a flexible, phased reporting timeline for 
                covered entities to report information in a manner that 
                aligns with investigative timelines and allows covered 
                entities to prioritize incident response efforts over 
                compliance.
                    ``(D) Contents.--Covered cybersecurity incident 
                reports submitted pursuant to this section shall 
                contain such information as the Director prescribes, 
                including the following information, to the extent 
                applicable and available, with respect to a covered 
                cybersecurity incident:
                            ``(i) A description of the covered 
                        cybersecurity incident, including 
                        identification of the affected information 
                        systems, networks, or devices that were, or are 
                        reasonably believed to have been, affected by 
                        such incident, and the estimated date range of 
                        such incident.
                            ``(ii) Where applicable, a description of 
                        the vulnerabilities exploited and the security 
                        defenses that were in place, as well as the 
                        tactics, techniques, and procedures relevant to 
                        such incident.
                            ``(iii) Where applicable, any identifying 
                        information related to the actor reasonably 
                        believed to be responsible for such incident.
                            ``(iv) Where applicable, identification of 
                        the category or categories of information that 
                        was, or is reasonably believed to have been, 
                        accessed or acquired by an unauthorized person.
                            ``(v) Contact information, such as 
                        telephone number or electronic mail address, 
                        that the Office may use to contact the covered 
                        entity or, where applicable, an authorized 
                        agent of such covered entity, or, where 
                        applicable, the service provider, acting with 
                        the express permission, and at the direction, 
                        of such covered entity, to assist with 
                        compliance with the requirements of this 
                        section.
            ``(6) Responsibilities of covered entities.--Covered 
        entities that experience a covered cybersecurity incident shall 
        coordinate with the Office to the extent necessary to comply 
        with this section, and, to the extent practicable, cooperate 
        with the Office in a manner that supports enhancing the 
        Agency's situational awareness of cybersecurity threats across 
        critical infrastructure sectors.
            ``(7) Harmonizing reporting requirements.--In establishing 
        the reporting requirements and procedures under paragraph (1), 
        the Director shall, to the maximum extent practicable--
                    ``(A) review existing regulatory requirements, 
                including the information required in such reports, to 
                report cybersecurity incidents that may apply to 
                covered entities, and ensure that any such reporting 
                requirements and procedures avoid conflicting, 
                duplicative, or burdensome requirements; and
                    ``(B) coordinate with other regulatory authorities 
                that receive reports relating to cybersecurity 
                incidents to identify opportunities to streamline 
                reporting processes, and where feasible, enter into 
                agreements with such authorities to permit the sharing 
                of such reports with the Office, consistent with 
                applicable law and policy, without impacting the 
                Office's ability to gain timely situational awareness 
                of a covered cybersecurity incident or significant 
                cyber incident.
    ``(e) Disclosure, Retention, and Use of Incident Reports.--
            ``(1) Authorized activities.--No information provided to 
        the Office in accordance with subsections (d) or (h) may be 
        disclosed to, retained by, or used by any Federal department or 
        agency, or any component, officer, employee, or agent of the 
        Federal Government, except if the Director determines such 
        disclosure, retention, or use is necessary for--
                    ``(A) a cybersecurity purpose;
                    ``(B) the purpose of identifying--
                            ``(i) a cybersecurity threat, including the 
                        source of such threat; or
                            ``(ii) a security vulnerability;
                    ``(C) the purpose of responding to, or otherwise 
                preventing, or mitigating a specific threat of--
                            ``(i) death;
                            ``(ii) serious bodily harm; or
                            ``(iii) serious economic harm, including a 
                        terrorist act or a use of a weapon of mass 
                        destruction;
                    ``(D) the purpose of responding to, investigating, 
                prosecuting, or otherwise preventing or mitigating a 
                serious threat to a minor, including sexual 
                exploitation or threats to physical safety; or
                    ``(E) the purpose of preventing, investigating, 
                disrupting, or prosecuting an offense related to a 
                threat--
                            ``(i) described in subparagraphs (B) 
                        through (D); or
                            ``(ii) specified in section 105(d)(5)(A)(v) 
                        of the Cybersecurity Act of 2015 (enacted as 
                        division N of the Consolidated Appropriations 
                        Act, 2016 (Public Law 114-113; 6 U.S.C. 
                        1504(d)(5)(A)(v))).
            ``(2) Exceptions.--
                    ``(A) Rapid, confidential, bi-directional sharing 
                of cyber threat indicators.--Upon receiving a covered 
                cybersecurity incident report submitted pursuant to 
                this section, the Office shall immediately review such 
                report to determine whether the incident that is the 
                subject of such report is connected to an ongoing 
                cybersecurity threat or security vulnerability and 
                where applicable, use such report to identify, develop, 
                and rapidly disseminate to appropriate stakeholders 
                actionable, anonymized cyber threat indicators and 
                defensive measures.
                    ``(B) Principles for sharing security 
                vulnerabilities.--With respect to information in a 
                covered cybersecurity incident report regarding a 
                security vulnerability referred to in paragraph 
                (1)(B)(ii), the Director shall develop principles that 
                govern the timing and manner in which information 
                relating to security vulnerabilities may be shared, 
                consistent with common industry best practices and 
                United States and international standards.
            ``(3) Privacy and civil liberties.--Information contained 
        in reports submitted to the Office pursuant to subsections (d) 
        and (h) shall be retained, used, and disseminated, where 
        permissible and appropriate, by the Federal Government in a 
        manner consistent with processes for the protection of personal 
        information adopted pursuant to section 105 of the 
        Cybersecurity Act of 2015 (enacted as division N of the 
        Consolidated Appropriations Act, 2016 (Public Law 114-113; 6 
        U.S.C. 1504)).
            ``(4) Prohibition on use of information in regulatory 
        actions.--
                    ``(A) In general.--Information contained in reports 
                submitted to the Office pursuant to subsections (d) and 
                (h) may not be used by any Federal, State, Tribal, or 
                local government to regulate, including through an 
                enforcement action, the lawful activities of any non-
                Federal entity.
                    ``(B) Exception.--A report submitted to the Agency 
                pursuant to subsection (d) or (h) may, consistent with 
                Federal or State regulatory authority specifically 
                relating to the prevention and mitigation of 
                cybersecurity threats to information systems, inform 
                the development or implementation of regulations 
                relating to such systems.
    ``(f) Protections for Reporting Entities and Information.--Reports 
describing covered cybersecurity incidents submitted to the Office by 
covered entities in accordance with subsection (d), as well as 
voluntarily-submitted cybersecurity incident reports submitted to the 
Office pursuant to subsection (h), shall be--
            ``(1) entitled to the protections against liability 
        described in section 106 of the Cybersecurity Act of 2015 
        (enacted as division N of the Consolidated Appropriations Act, 
        2016 (Public Law 114-113; 6 U.S.C. 1505));
            ``(2) exempt from disclosure under section 552 of title 5, 
        United States Code, as well as any provision of State, Tribal, 
        or local freedom of information law, open government law, open 
        meetings law, open records law, sunshine law, or similar law 
        requiring disclosure of information or records; and
            ``(3) considered the commercial, financial, and proprietary 
        information of the covered entity when so designated by the 
        covered entity.
    ``(g) Noncompliance With Required Reporting.--
            ``(1) Purpose.--In the event a covered entity experiences a 
        cybersecurity incident but does not comply with the reporting 
        requirements under this section, the Director may obtain 
        information about such incident by engaging directly such 
        covered entity in accordance with paragraph (2) to request 
        information about such incident, or, if the Director is unable 
        to obtain such information through such engagement, by issuing 
        a subpoena to such covered entity, subject to paragraph (3), to 
        gather information sufficient to determine whether such 
        incident is a covered cybersecurity incident, and if so, 
        whether additional action is warranted pursuant to paragraph 
        (4).
            ``(2) Initial request for information.--
                    ``(A) In general.--If the Director has reason to 
                believe, whether through public reporting, intelligence 
                gathering, or other information in the Federal 
                Government's possession, that a covered entity has 
                experienced a cybersecurity incident that may be a 
                covered cybersecurity incident but did not submit 
                pursuant to subsection (d) to the Office a covered 
                cybersecurity incident report relating thereto, the 
                Director may request information from such covered 
                entity to confirm whether the cybersecurity incident at 
                issue is a covered cybersecurity incident, and 
                determine whether further examination into the details 
                surrounding such incident is warranted pursuant to 
                paragraph (4).
                    ``(B) Treatment.--Information provided to the 
                Office in response to a request under subparagraph (A) 
                shall be treated as if such information was submitted 
                pursuant to the reporting procedures established in 
                accordance with subsection (d).
            ``(3) Authority to issue subpoenas.--
                    ``(A) In general.--If, after the date that is seven 
                days from the date on which the Director made a request 
                for information in paragraph (2), the Director has 
                received no response from the entity from which such 
                information was requested, or received an inadequate 
                response, the Director may issue to such entity a 
                subpoena to compel disclosure of information the 
                Director considers necessary to determine whether a 
                covered cybersecurity incident has occurred and assess 
                potential impacts to national security, economic 
                security, or public health and safety, determine 
                whether further examination into the details 
                surrounding such incident is warranted pursuant to 
                paragraph (4), and if so, compel disclosure of such 
                information as is necessary to carry out activities 
                described in subsection (c).
                    ``(B) Civil action.--If a covered entity does not 
                comply with a subpoena, the Director may bring a civil 
                action in a district court of the United States to 
                enforce such subpoena. An action under this paragraph 
                may be brought in the judicial district in which the 
                entity against which the action is brought resides, is 
                found, or does business. The court may punish a failure 
                to obey an order of the court to comply with the 
                subpoena as a contempt of court.
                    ``(C) Non-applicability of protections.--The 
                protections described in subsection (f) do not apply to 
                a covered entity that is the recipient of a subpoena 
                under this paragraph (3).
            ``(4) Additional actions.--
                    ``(A) Examination.--If, based on the information 
                provided in response to a subpoena issued pursuant to 
                paragraph (3), the Director determines that the 
                cybersecurity incident at issue is a significant cyber 
                incident, or is part of a group of related 
                cybersecurity incidents that together satisfy the 
                definition of a significant cyber incident, and a more 
                thorough examination of the details surrounding such 
                incident is warranted in order to carry out activities 
                described in subsection (c), the Director may direct 
                the Office to conduct an examination of such incident 
                in order to enhance the Agency's situational awareness 
                of cybersecurity threats across critical infrastructure 
                sectors, in a manner consistent with privacy and civil 
                liberties protections under applicable law.
                    ``(B) Provision of certain information to attorney 
                general.--Notwithstanding subsection (e)(4) and 
                paragraph (2)(B), if the Director determines, based on 
                the information provided in response to a subpoena 
                issued pursuant to paragraph (3) or identified in the 
                course of an examination under subparagraph (A), that 
                the facts relating to the cybersecurity incident at 
                issue may constitute grounds for a regulatory 
                enforcement action or criminal prosecution, the 
                Director may provide such information to the Attorney 
                General or the appropriate regulator, who may use such 
                information for a regulatory enforcement action or 
                criminal prosecution.
    ``(h) Voluntary Reporting of Cyber Incidents.--The Agency shall 
receive cybersecurity incident reports submitted voluntarily by 
entities that are not covered entities, or concerning cybersecurity 
incidents that do not satisfy the definition of covered cybersecurity 
incidents but may nevertheless enhance the Agency's situational 
awareness of cybersecurity threats across critical infrastructure 
sectors. The protections under this section applicable to covered 
cybersecurity incident reports shall apply in the same manner and to 
the same extent to voluntarily-submitted cybersecurity incident reports 
under this subsection.
    ``(i) Notification to Impacted Covered Entities.--If the Director 
receives information regarding a cybersecurity incident impacting a 
Federal agency relating to unauthorized access to data provided to such 
Federal agency by a covered entity, and with respect to which such 
incident is likely to undermine the security of such covered entity or 
cause operational or reputational damage to such covered entity, the 
Director shall, to the extent practicable, notify such covered entity 
and provide to such covered entity such information regarding such 
incident as is necessary to enable such covered entity to address any 
such security risk or operational or reputational damage arising from 
such incident.
    ``(j) Exemption.--Subchapter I of chapter 35 of title 44, United 
States Code, does not apply to any action to carry out this section.
    ``(k) Saving Provision.--Nothing in this section may be construed 
as modifying, superseding, or otherwise affecting in any manner any 
regulatory authority held by a Federal department or agency, including 
Sector Risk Management Agencies, existing on the day before the date of 
the enactment of this section, or any existing regulatory requirements 
or obligations that apply to covered entities.''.
    (b) Reports.--
            (1) On stakeholder engagement.--Not later than 30 days 
        before the date on which the Director of the Cybersecurity 
        and Infrastructure Security Agency of the Department of 
        Homeland Security intends to issue an interim final rule under 
        subsection (d)(1) of section 2220A of the Homeland Security Act 
        of 2002 (as added by subsection (a)), the Director shall submit 
        to the Committee on Homeland Security of the House of 
        Representatives and the Committee on Homeland Security and 
        Governmental Affairs of the Senate a report that describes how 
        the Director engaged stakeholders in the development of such 
        interim final rules.
            (2) On opportunities to strengthen cybersecurity 
        research.--Not later than one year after the date of the 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency of the Department of Homeland 
        Security shall submit to the Committee on Homeland Security of 
        the House of Representatives and the Committee on Homeland 
        Security and Governmental Affairs of the Senate a report 
        describing how the Cyber Incident Review Office of the 
        Department of Homeland Security (established pursuant to 
        section 2220A of the Homeland Security Act of 2002, as added by 
        subsection (a)) has carried out activities under subsection 
        (c)(6) of such section 2220A by proactively identifying 
        opportunities to use cybersecurity incident data to inform and 
        enable cybersecurity research carried out by academic 
        institutions and other private sector organizations.
    (c) Title XXII Technical and Clerical Amendments.--
            (1) Technical amendments.--
                    (A) Homeland security act of 2002.--Subtitle A of 
                title XXII of the Homeland Security Act of 2002 (6 
                U.S.C. 651 et seq.) is amended--
                            (i) in section 2202 (6 U.S.C. 652)--
                                    (I) in paragraph (11), by striking 
                                ``and'' after the semicolon;
                                    (II) in the first paragraph (12) 
                                (relating to appointment of a 
                                Cybersecurity State Coordinator) by 
                                striking ``as described in section 
                                2215; and'' and inserting ``as 
                                described in section 2217;'';
                                    (III) by redesignating the second 
                                paragraph (12) (relating to the .gov 
                                internet domain) as paragraph (13); and
                                    (IV) by redesignating the third 
                                paragraph (12) (relating to carrying 
                                out such other duties and 
                                responsibilities) as paragraph (14);
                            (ii) in the first section 2215 (6 U.S.C. 
                        665; relating to the duties and authorities 
                        relating to .gov internet domain), by amending 
                        the section enumerator and heading to read as 
                        follows:

``SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV INTERNET 
              DOMAIN.'';

                            (iii) in the second section 2215 (6 U.S.C. 
                        665b; relating to the joint cyber planning 
                        office), by amending the section enumerator and 
                        heading to read as follows:

``SEC. 2216. JOINT CYBER PLANNING OFFICE.'';

                            (iv) in the third section 2215 (6 U.S.C. 
                        665c; relating to the Cybersecurity State 
                        Coordinator), by amending the section 
                        enumerator and heading to read as follows:

``SEC. 2217. CYBERSECURITY STATE COORDINATOR.'';

                            (v) in the fourth section 2215 (6 U.S.C. 
                        665d; relating to Sector Risk Management 
                        Agencies), by amending the section enumerator 
                        and heading to read as follows:

``SEC. 2218. SECTOR RISK MANAGEMENT AGENCIES.'';

                            (vi) in section 2216 (6 U.S.C. 665e; 
                        relating to the Cybersecurity Advisory 
                        Committee), by amending the section enumerator 
                        and heading to read as follows:

``SEC. 2219. CYBERSECURITY ADVISORY COMMITTEE.'';

                        and
                            (vii) in section 2217 (6 U.S.C. 665f; 
                        relating to Cybersecurity Education and 
                        Training Programs), by amending the section 
                        enumerator and heading to read as follows:

``SEC. 2220. CYBERSECURITY EDUCATION AND TRAINING PROGRAMS.''.

                    (B) Consolidated appropriations act, 2021.--
                Paragraph (1) of section 904(b) of division U of the 
                Consolidated Appropriations Act, 2021 (Public Law 116-
                260) is amended, in the matter preceding subparagraph 
                (A), by inserting ``of 2002'' after ``Homeland Security 
                Act''.
            (2) Clerical amendment.--The table of contents in section 
        1(b) of the Homeland Security Act of 2002 is amended by 
        striking the items relating to sections 2214 through 2217 and 
        inserting the following new items:

``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint cyber planning office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity Education and Training Programs.
``Sec. 2220A. Cyber Incident Review Office.''.