[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5491 Introduced in House (IH)]

117th CONGRESS
  1st Session
                                H. R. 5491

   To authorize the Director of the Cybersecurity and Infrastructure 
       Security Agency to designate certain elements of critical 
   infrastructure as systemically important, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 5, 2021

 Mr. Katko (for himself, Ms. Spanberger, and Mr. Garbarino) introduced 
  the following bill; which was referred to the Committee on Homeland 
                                Security

_______________________________________________________________________

                                 A BILL


 
   To authorize the Director of the Cybersecurity and Infrastructure 
       Security Agency to designate certain elements of critical 
   infrastructure as systemically important, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Securing Systemically Important 
Critical Infrastructure Act''.

SEC. 2. DESIGNATION OF SYSTEMICALLY IMPORTANT CRITICAL INFRASTRUCTURE.

    (a) Title XXII Technical and Clerical Amendments.--
            (1) Technical amendments.--
                    (A) Homeland security act of 2002.--Subtitle A of 
                title XXII of the Homeland Security Act of 2002 (6 
                U.S.C. 651 et seq.) is amended--
                            (i) in section 2202 (6 U.S.C. 652)--
                                    (I) in paragraph (11), by striking 
                                ``and'' after the semicolon;
                                    (II) in the first paragraph (12) 
                                (relating to appointment of a 
                                Cybersecurity State Coordinator) by 
                                striking ``as described in section 
                                2215; and'' and inserting ``as 
                                described in section 2217;'';
                                    (III) by redesignating the second 
                                paragraph (12) (relating to the .gov 
                                internet domain) as paragraph (13); and
                                    (IV) by redesignating the third 
                                paragraph (12) (relating to carrying 
                                out such other duties and 
                                responsibilities) as paragraph (14);
                            (ii) in the first section 2215 (6 U.S.C. 
                        665; relating to the duties and authorities 
                        relating to .gov internet domain), by amending 
                        the section enumerator and heading to read as 
                        follows:

``SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV INTERNET 
              DOMAIN.'';

                            (iii) in the second section 2215 (6 U.S.C. 
                        665b; relating to the joint cyber planning 
                        office), by amending the section enumerator and 
                        heading to read as follows:

``SEC. 2216. JOINT CYBER PLANNING OFFICE.'';

                            (iv) in the third section 2215 (6 U.S.C. 
                        665c; relating to the Cybersecurity State 
                        Coordinator), by amending the section 
                        enumerator and heading to read as follows:

``SEC. 2217. CYBERSECURITY STATE COORDINATOR.'';

                            (v) in the fourth section 2215 (6 U.S.C. 
                        665d; relating to Sector Risk Management 
                        Agencies), by amending the section enumerator 
                        and heading to read as follows:

``SEC. 2218. SECTOR RISK MANAGEMENT AGENCIES.'';

                            (vi) in section 2216 (6 U.S.C. 665e; 
                        relating to the Cybersecurity Advisory 
                        Committee), by amending the section enumerator 
                        and heading to read as follows:

``SEC. 2219. CYBERSECURITY ADVISORY COMMITTEE.'';

                         and
                            (vii) in section 2217 (6 U.S.C. 665f; 
                        relating to Cybersecurity Education and 
                        Training Programs), by amending the section 
                        enumerator and heading to read as follows:

``SEC. 2220. CYBERSECURITY EDUCATION AND TRAINING PROGRAMS.''.

                    (B) Consolidated appropriations act, 2021.--
                Paragraph (1) of section 904(b) of division U of the 
                Consolidated Appropriations Act, 2021 (Public Law 116-
                260) is amended, in the matter preceding subparagraph 
                (A), by inserting ``of 2002'' after ``Homeland Security 
                Act''.
            (2) Clerical amendment.--The table of contents in section 
        1(b) of the Homeland Security Act of 2002 is amended by 
        striking the items relating to sections 2214 through 2217 and 
        inserting the following new items:

``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint cyber planning office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity Education and Training Programs.
``Sec. 2220A. Designation of systemically important critical 
                            infrastructure.''.
    (b) Designation of Systemically Important Critical 
Infrastructure.--Subtitle A of title XXII of the Homeland Security Act 
of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following new section:

``SEC. 2220A. DESIGNATION OF SYSTEMICALLY IMPORTANT CRITICAL 
              INFRASTRUCTURE.

    ``(a) In General.--The Director of the Cybersecurity and 
Infrastructure Security Agency shall designate an element of critical 
infrastructure as systemically important critical infrastructure if--
            ``(1) the Director makes a preliminary determination 
        pursuant to subsection (d)(1), using the methodology 
        established pursuant to subsection (b), that such element 
        satisfies the criteria established pursuant to subsection (c); 
        and
            ``(2) such preliminary determination becomes a final 
        determination pursuant to subsection (d)(2).
    ``(b) Methodology.--The Director, in consultation with the heads of 
Sector Risk Management Agencies and covered stakeholders, shall--
            ``(1) establish a methodology for determining whether an 
        element of critical infrastructure satisfies the criteria 
        established for systemically important critical infrastructure 
        pursuant to subsection (c); and
            ``(2) update such methodology, as necessary.
    ``(c) Criteria.--
            ``(1) In general.--The Director, in consultation with the 
        heads of Sector Risk Management Agencies and covered 
        stakeholders, shall develop objective criteria to determine 
        whether an element of critical infrastructure should be 
        designated as systemically important.
            ``(2) Considerations.--In developing the criteria required 
        under paragraph (1), the Director shall consider the following:
                    ``(A) The likelihood that a disruption to, or 
                compromise of, such element of critical infrastructure 
                would result in a debilitating effect on national 
                security, economic security, public health or safety, 
                or any combination thereof.
                    ``(B) The extent to which damage, disruption, or 
                unauthorized access to such element or collectively to 
                the category of critical infrastructure to which such 
                element belongs--
                            ``(i) would disrupt the reliable operation 
                        of a category of critical infrastructure; and
                            ``(ii) would impede provisioning of a 
                        national critical function.
                    ``(C) The extent to which increasing the risk 
                management coordination between the Federal Government 
                and the owner or operator of the element would enhance 
                the cybersecurity resilience of the United States.
            ``(3) Updates.--The Director, in consultation with the 
        heads of Sector Risk Management Agencies and covered 
        stakeholders, shall update the criteria established pursuant to 
        paragraph (1), as necessary.
    ``(d) Determinations.--
            ``(1) Preliminary determination.--In the case of an element 
        of critical infrastructure that the Director determines 
        satisfies the criteria established under subsection (c), the 
        Director shall--
                    ``(A) use the methodology under subsection (b) to 
                make a preliminary determination with respect to 
                whether such element is systemically important;
                    ``(B) notify the owner or operator of the element 
                of such determination; and
                    ``(C) provide such owner or operator with an 
                opportunity to provide additional information for 
                consideration in the final determination under 
                paragraph (2).
            ``(2) Final determination.--On the date that is 30 days 
        after the date on which the Director provides notice under 
        paragraph (1)(B) with respect to a preliminary determination, 
        such preliminary determination shall become final unless the 
        Director determines, on the basis of additional information, 
        that the element subject to the preliminary determination does 
        not satisfy the criteria under subsection (c).
            ``(3) Periodic review.--Periodically, the Director shall 
        review a final designation made pursuant to paragraph (2) with 
        respect to an element using the same procedures outlined under 
        such paragraph.
            ``(4) Protection of information.--Information obtained by 
        the Director pursuant to paragraph (1)(C) shall be protected 
        under section 2224 or classified, as determined appropriate by 
        the Director.
    ``(e) List of Systemically Important Critical Infrastructure.--
            ``(1) In general.--Not later than 1 year after the date of 
        the enactment of this section, the Director, in coordination 
        with the heads of Sector Risk Management Agencies, shall 
        develop a comprehensive list that includes any element of 
        critical infrastructure designated as systemically important 
        under this section.
            ``(2) Update of list and notification to owners and 
        operators.--Not later than 7 days after the date on which the 
        Director makes a final determination pursuant to paragraph (2) 
        or (3) of subsection (d), the Director shall--
                    ``(A) update the list required under paragraph (1); 
                and
                    ``(B) notify the appropriate owner or operator of 
                the element of critical infrastructure of the addition, 
                modification, or removal of such element from such 
                list.
            ``(3) Congressional notification.--Not later than 30 days 
        after the list is updated pursuant to paragraph (2), the 
        Director shall submit to the appropriate congressional 
        committees such updated list.
            ``(4) Limitation on dissemination of list.--The Director 
        shall limit the dissemination of the list required under 
        paragraph (1) to individuals who need access to such list to 
        carry out official duties or responsibilities.
    ``(f) Prioritization of Agency Resources.--
            ``(1) In general.--The Director shall--
                    ``(A) seek to enter into enhanced risk management 
                coordination with the owners and operators of elements 
                of critical infrastructure designated as systemically 
                important under this section; and
                    ``(B) in allocating Agency resources to such owners 
                and operators, prioritize owners and operators who 
                coordinate with the Director pursuant to subparagraph 
                (A).
            ``(2) Prioritized representation in the office for joint 
        cyber planning.--The head of the office for joint cyber 
        planning established pursuant to section 2216, in carrying out 
        the responsibilities of such office with respect to relevant 
        cyber defense planning, joint cyber operations, cybersecurity 
        exercises, and information-sharing practices, shall, to the 
        extent practicable, prioritize the involvement of owners and 
        operators of elements of critical infrastructure designated as 
        systemically important under this section.
            ``(3) Continuous monitoring services.--The Director shall, 
        to the extent practicable, encourage the participation of the 
        owners and operators of elements of critical infrastructure 
        designated as systemically important pursuant to this section 
        in voluntary programs to provide technical assistance in the 
        form of continuous monitoring and detection of cybersecurity 
        risks.
    ``(g) Reports.--
            ``(1) Initial report.--Not later than 180 days after the 
        date of the enactment of this section, the Director, in 
        consultation with the heads of Sector Risk Management Agencies 
        and covered stakeholders, shall submit to the appropriate 
        congressional committees a report that includes the following:
                    ``(A) A description of the capabilities of the 
                Agency that exist immediately before the date of the 
                enactment of this section with respect to identifying 
                critical infrastructure.
                    ``(B) Information relating to the criteria and 
                methodology established pursuant to subsections (b) and 
                (c) to identify an element of critical infrastructure 
                as systemically important pursuant to this section.
                    ``(C) Information relating to--
                            ``(i) the capabilities of the Agency to 
                        identify systems, assets, and facilities as 
                        systemically important pursuant to this 
                        section; and
                            ``(ii) any updates relating to the 
                        capabilities referred to in clause (i).
                    ``(D) Information relating to--
                            ``(i) the interactions between the Agency, 
                        the heads of Sector Risk Management Agencies, 
                        and covered stakeholders with respect to 
                        carrying out this section, including processes 
                        used for incorporation of industry feedback and 
                        any associated challenges;
                            ``(ii) critical infrastructure 
                        identification programs within the Department 
                        and how such programs are being incorporated 
                        into the process to identify such 
                        infrastructure, including--
                                    ``(I) section 9 of Executive Order 
                                13636;
                                    ``(II) the National Asset Database 
                                established under section 2214; and
                                    ``(III) section 4 of Executive 
                                Order 14028;
                            ``(iii) any identified gaps in authorities 
                        or any additional resources required to carry 
                        out this section, including necessary 
                        legislation;
                            ``(iv) any resources the Agency is 
                        authorized to provide to the owners and 
                        operators of an element of critical 
                        infrastructure designated as systemically 
                        important pursuant to this section; and
                            ``(v) opportunities for enhanced risk 
                        management coordination between the Federal 
                        Government and the owners and operators of an 
                        element of critical infrastructure designated 
                        as systemically important pursuant to this 
                        section.
            ``(2) Subsequent reports.--Not later than 2 years after the 
        date on which the initial report is submitted pursuant to 
        paragraph (1), and once every 2 years thereafter for 10 years, 
        the Director, in consultation with the heads of Sector Risk 
        Management Agencies and covered stakeholders, shall submit to 
        the appropriate congressional committees a report that includes 
        the updated information required under subparagraphs (B) 
        through (D) of paragraph (1).
            ``(3) Form.--Each of the reports required under paragraphs 
        (1) and (2) shall be submitted in unclassified form, but may 
        contain a classified annex.
    ``(h) Restriction.--Subchapter I of chapter 35 of title 44, United 
States Code, shall not apply to any action by the Director to implement 
this section.
    ``(i) Covered Stakeholders Described.--In this section, the term 
`covered stakeholders' means individuals identified by the Director. 
Such individuals shall include--
            ``(1) representatives from the Critical Infrastructure 
        Partnership Advisory Council, established pursuant to section 
        871;
            ``(2) representatives from the Cybersecurity Advisory 
        Committee established under section 2219;
            ``(3) individuals representing critical infrastructure 
        industries, the elements of which are subject to, or likely to 
        be subject to, a preliminary determination under subsection 
        (d)(1);
            ``(4) representatives from trade organizations whose 
        memberships include a concentration of owners and operators of 
        critical infrastructure industries, the elements of which are 
        subject to, or likely to be subject to, a preliminary 
        determination under subsection (d)(1); and
            ``(5) any other individual determined appropriate by the 
        Director.
    ``(j) Definitions.--In this section:
            ``(1) Appropriate congressional committees.--The term 
        `appropriate congressional committees' means--
                    ``(A) the Committee on Homeland Security of the 
                House of Representatives; and
                    ``(B) the Committee on Homeland Security and 
                Governmental Affairs of the Senate.
            ``(2) National critical function.--The term `national 
        critical function' means a function of the Federal Government 
        or a United States private sector entity, as determined by the 
        Director, that the disruption, corruption, or dysfunction of 
        such function would have a debilitating effect on security, 
        national economic security, national public health or safety, 
        or any combination thereof.''.
    (c) Assessment of Risk Management Coordination.--
            (1) In general.--Not later than 120 days after the date of 
        the enactment of this Act, the Director, in consultation with 
        the heads of Sector Risk Management Agencies and covered 
        stakeholders, shall conduct an assessment of potential 
        processes for, and benefits of, enhanced risk management 
        coordination between the Federal Government and the owners and 
        operators of elements of critical infrastructure designated as 
        systemically important pursuant to section 2220A of the 
        Homeland Security Act of 2002, as added by subsection (b) of 
        this Act.
            (2) Consideration.--The assessment required under paragraph 
        (1) shall include a consideration of--
                    (A) opportunities for enhanced intelligence support 
                and information-sharing;
                    (B) prioritized Federal technical assistance;
                    (C) any other process for, or benefit of, enhanced 
                risk management coordination determined appropriate by 
                the Director; and
                    (D) any additional resources or authorization 
                required to conduct enhanced risk management 
                coordination between the Federal Government and owners 
                and operators of elements of critical infrastructure 
                designated as systemically important pursuant to 
                section 2220A of the Homeland Security Act of 2002, as 
                added by subsection (b) of this Act, including the 
                prevention of duplicative requirements for regulated 
                sectors and entities.
            (3) Covered stakeholders described.--The term ``covered 
        stakeholders'' has the meaning given such term in section 
        2220A(i) of the Homeland Security Act of 2002, as added by 
        subsection (b) of this Act.

SEC. 3. PRIORITIZATION OF CLEARANCES FOR SYSTEMICALLY IMPORTANT 
              CRITICAL INFRASTRUCTURE.

    Section 2212 of the Homeland Security Act of 2002 (6 U.S.C. 662) is 
amended by adding at the end the following new sentence: ``In carrying 
out this section, the Secretary shall prioritize the applications of 
owners and operators of elements of critical infrastructure designated 
as systemically important pursuant to section 2220A.''.