

116 HR 5491 IH: Securing Systemically Important Critical Infrastructure Act
U.S. House of Representatives
2021-10-05
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



117th CONGRESS
1st Session
H. R. 5491

IN THE HOUSE OF REPRESENTATIVES
October 5, 2021
Mr. Katko (for himself, Ms. Spanberger, and Mr. Garbarino) introduced the following bill; which was referred to the Committee on Homeland Security

A BILL
To authorize the Director of the Cybersecurity and Infrastructure Security Agency to designate certain elements of critical infrastructure as systemically important, and for other purposes.

1. Short title
This Act may be cited as the "Securing Systemically Important Critical Infrastructure Act".

2. Designation of systemically important critical infrastructure

(a) Title XXII technical and clerical amendments
(1) Technical amendments
(A) Homeland Security Act of 2002. Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended—
(i) in section 2202 (6 U.S.C. 652)—
(I) in paragraph (11), by striking "and" after the semicolon;
(II) in the first paragraph (12) (relating to appointment of a Cybersecurity State Coordinator) by striking "as described in section 2215; and" and inserting "as described in section 2217;";
(III) by redesignating the second paragraph (12) (relating to the .gov internet domain) as paragraph (13); and
(IV) by redesignating the third paragraph (12) (relating to carrying out such other duties and responsibilities) as paragraph (14);
(ii) in the first section 2215 (6 U.S.C. 665; relating to the duties and authorities relating to .gov internet domain), by amending the section enumerator and heading to read as follows:
"2215. Duties and authorities relating to .gov internet domain";
(iii) in the second section 2215 (6 U.S.C. 665b; relating to the joint cyber planning office), by amending the section enumerator and heading to read as follows:
"2216. Joint cyber planning office";
(iv) in the third section 2215 (6 U.S.C. 665c; relating to the Cybersecurity State Coordinator), by amending the section enumerator and heading to read as follows:
"2217. Cybersecurity State Coordinator";
(v) in the fourth section 2215 (6 U.S.C. 665d; relating to Sector Risk Management Agencies), by amending the section enumerator and heading to read as follows:
"2218. Sector Risk Management Agencies";
(vi) in section 2216 (6 U.S.C. 665e; relating to the Cybersecurity Advisory Committee), by amending the section enumerator and heading to read as follows:
"2219. Cybersecurity Advisory Committee"; and
(vii) in section 2217 (6 U.S.C. 665f; relating to Cybersecurity Education and Training Programs), by amending the section enumerator and heading to read as follows:
"2220. Cybersecurity Education and Training Programs".
(B) Consolidated Appropriations Act, 2021. Paragraph (1) of section 904(b) of division U of the Consolidated Appropriations Act, 2021 (Public Law 116–260) is amended, in the matter preceding subparagraph (A), by inserting "of 2002" after "Homeland Security Act".
(2) Clerical amendment. The table of contents in section 1(b) of the Homeland Security Act of 2002 is amended by striking the items relating to sections 2214 through 2217 and inserting the following new items:
"Sec. 2214. National Asset Database.
Sec. 2215. Duties and authorities relating to .gov internet domain.
Sec. 2216. Joint cyber planning office.
Sec. 2217. Cybersecurity State Coordinator.
Sec. 2218. Sector Risk Management Agencies.
Sec. 2219. Cybersecurity Advisory Committee.
Sec. 2220. Cybersecurity Education and Training Programs.
Sec. 2220A. Designation of systemically important critical infrastructure.".

(b) Designation of systemically important critical infrastructure. Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the following new section:

"2220A. Designation of systemically important critical infrastructure

(a) In general. The Director of the Cybersecurity and Infrastructure Security Agency shall designate an element of critical infrastructure as systemically important critical infrastructure if—
(1) the Director makes a preliminary determination pursuant to subsection (d)(1), using the methodology established pursuant to subsection (b), that such element satisfies the criteria established pursuant to subsection (c); and
(2) such preliminary determination becomes a final determination pursuant to subsection (d)(2).

(b) Methodology. The Director, in consultation with the heads of Sector Risk Management Agencies and covered stakeholders, shall—
(1) establish a methodology for determining whether an element of critical infrastructure satisfies the criteria established for systemically important critical infrastructure pursuant to subsection (c); and
(2) update such methodology, as necessary.

(c) Criteria
(1) In general. The Director, in consultation with the heads of Sector Risk Management Agencies and covered stakeholders, shall develop objective criteria to determine whether an element of critical infrastructure should be designated as systemically important.
(2) Considerations. In developing the criteria required under paragraph (1), the Director shall consider the following:
(A) The likelihood that a disruption to, or compromise of, such element of critical infrastructure would result in a debilitating effect on national security, economic security, public health or safety, or any combination thereof.
(B) The extent to which damage, disruption, or unauthorized access to such element or collectively to the category of critical infrastructure to which such element belongs—
(i) would disrupt the reliable operation of a category of critical infrastructure; and
(ii) would impede provisioning of a national critical function.
(C) The extent to which increasing the risk management coordination between the Federal Government and the owner or operator of the element would enhance the cybersecurity resilience of the United States.
(3) Updates. The Director, in consultation with the heads of Sector Risk Management Agencies and covered stakeholders, shall update the criteria established pursuant to paragraph (1), as necessary.

(d) Determinations
(1) Preliminary determination. In the case of an element of critical infrastructure that the Director determines satisfies the criteria established under subsection (c), the Director shall—
(A) use the methodology under subsection (b) to make a preliminary determination with respect to whether such element is systemically important;
(B) notify the owner or operator of the element of such determination; and
(C) provide such owner or operator with an opportunity to provide additional information for consideration in the final determination under paragraph (2).
(2) Final determination. On the date that is 30 days after the date on which the Director provides notice under paragraph (1)(B) with respect to a preliminary determination, such preliminary determination shall become final unless the Director determines, on the basis of additional information, that the element subject to the preliminary determination does not satisfy the criteria under subsection (c).
(3) Periodic review. Periodically, the Director shall review a final designation made pursuant to paragraph (2) with respect to an element using the same procedures outlined under such paragraph.
(4) Protection of information. Information obtained by the Director pursuant to paragraph (1)(C) shall be protected under section 2224 or classified, as determined appropriate by the Director.

(e) List of systemically important critical infrastructure
(1) In general. Not later than 1 year after the date of the enactment of this section, the Director, in coordination with the heads of Sector Risk Management Agencies, shall develop a comprehensive list that includes any element of critical infrastructure designated as systemically important under this section.
(2) Update of list and notification to owners and operators. Not later than 7 days after the date on which the Director makes a final determination pursuant to paragraph (2) or (3) of subsection (d), the Director shall—
(A) update the list required under paragraph (1); and
(B) notify the appropriate owner or operator of the element of critical infrastructure of the addition, modification, or removal of such element from such list.
(3) Congressional notification. Not later than 30 days after the list is updated pursuant to paragraph (2), the Director shall submit to the appropriate congressional committees such updated list.
(4) Limitation on dissemination of list. The Director shall limit the dissemination of the list required under paragraph (1) to individuals who need access to such list to carry out official duties or responsibilities.

(f) Prioritization of Agency resources
(1) In general. The Director shall—
(A) seek to enter into enhanced risk management coordination with the owners and operators of elements of critical infrastructure designated as systemically important under this section; and
(B) in allocating Agency resources to such owners and operators, prioritize owners and operators who coordinate with the Director pursuant to subparagraph (A).
(2) Prioritized representation in the office for joint cyber planning. The head of the office for joint cyber planning established pursuant to section 2216, in carrying out the responsibilities of such office with respect to relevant cyber defense planning, joint cyber operations, cybersecurity exercises, and information-sharing practices, shall, to the extent practicable, prioritize the involvement of owners and operators of elements of critical infrastructure designated as systemically important under this section.
(3) Continuous monitoring services. The Director shall, to the extent practicable, encourage the participation of the owners and operators of elements of critical infrastructure designated as systemically important pursuant to this section in voluntary programs to provide technical assistance in the form of continuous monitoring and detection of cybersecurity risks.

(g) Reports
(1) Initial report. Not later than 180 days after the date of the enactment of this section, the Director, in consultation with the heads of Sector Risk Management Agencies and covered stakeholders, shall submit to the appropriate congressional committees a report that includes the following:
(A) A description of the capabilities of the Agency that exist immediately before the date of the enactment of this section with respect to identifying critical infrastructure.
(B) Information relating to the criteria and methodology established pursuant to subsections (b) and (c) to identify an element of critical infrastructure as systemically important pursuant to this section.
(C) Information relating to—
(i) the capabilities of the Agency to identify systems, assets, and facilities as systemically important pursuant to this section; and
(ii) any updates relating to the capabilities referred to in clause (i).
(D) Information relating to—
(i) the interactions between the Agency, the heads of Sector Risk Management Agencies, and covered stakeholders with respect to carrying out this section, including processes used for incorporation of industry feedback and any associated challenges;
(ii) critical infrastructure identification programs within the Department and how such programs are being incorporated into the process to identify such infrastructure, including—
(I) section 9 of Executive Order 13636;
(II) the National Asset Database established under section 2214; and
(III) section 4 of Executive Order 14028;
(iii) any identified gaps in authorities or any additional resources required to carry out this section, including necessary legislation;
(iv) any resources the Agency is authorized to provide to the owners and operators of an element of critical infrastructure designated as systemically important pursuant to this section; and
(v) opportunities for enhanced risk management coordination between the Federal Government and the owners and operators of an element of critical infrastructure designated as systemically important pursuant to this section.
(2) Subsequent reports. Not later than 2 years after the date on which the initial report is submitted pursuant to paragraph (1), and once every 2 years thereafter for 10 years, the Director, in consultation with the heads of Sector Risk Management Agencies and covered stakeholders, shall submit to the appropriate congressional committees a report that includes the updated information required under subparagraphs (B) through (D) of paragraph (1).
(3) Form. Each of the reports required under paragraphs (1) and (2) shall be submitted in unclassified form, but may contain a classified annex.

(h) Restriction. Subchapter I of chapter 35 of title 44, United States Code, shall not apply to any action by the Director to implement this section.

(i) Covered stakeholders described. In this section, the term 'covered stakeholders' means individuals identified by the Director. Such individuals shall include—
(1) representatives from the Critical Infrastructure Partnership Advisory Council, established pursuant to section 871;
(2) representatives from the Cybersecurity Advisory Committee established under section 2219;
(3) individuals representing critical infrastructure industries, the elements of which are subject to, or likely to be subject to, a preliminary determination under subsection (d)(1);
(4) representatives from trade organizations whose memberships include a concentration of owners and operators of critical infrastructure industries, the elements of which are subject to, or likely to be subject to, a preliminary determination under subsection (d)(1); and
(5) any other individual determined appropriate by the Director.

(j) Definitions. In this section:
(1) Appropriate congressional committees. The term 'appropriate congressional committees' means—
(A) the Committee on Homeland Security of the House of Representatives; and
(B) the Committee on Homeland Security and Governmental Affairs of the Senate.
(2) National critical function. The term 'national critical function' means a function of the Federal Government or a United States private sector entity, as determined by the Director, that the disruption, corruption, or dysfunction of such function would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.".

(c) Assessment of risk management coordination
(1) In general. Not later than 120 days after the date of the enactment of this Act, the Director, in consultation with the heads of Sector Risk Management Agencies and covered stakeholders, shall conduct an assessment of potential processes for, and benefits of, enhanced risk management coordination between the Federal Government and the owners and operators of elements of critical infrastructure designated as systemically important pursuant to section 2220A of the Homeland Security Act of 2002, as added by subsection (b) of this Act.
(2) Consideration. The assessment required under paragraph (1) shall include a consideration of—
(A) opportunities for enhanced intelligence support and information-sharing;
(B) prioritized Federal technical assistance;
(C) any other process for, or benefit of, enhanced risk management coordination determined appropriate by the Director; and
(D) any additional resources or authorization required to conduct enhanced risk management coordination between the Federal Government and owners and operators of elements of critical infrastructure designated as systemically important pursuant to section 2220A of the Homeland Security Act of 2002, as added by subsection (b) of this Act, including the prevention of duplicative requirements for regulated sectors and entities.
(3) Covered stakeholders described. The term "covered stakeholders" has the meaning given such term in section 2220A(i) of the Homeland Security Act of 2002, as added by subsection (b) of this Act.

3. Prioritization of clearances for systemically important critical infrastructure
Section 2212 of the Homeland Security Act of 2002 (6 U.S.C. 662) is amended by adding at the end the following new sentence: "In carrying out this section, the Secretary shall prioritize the applications of owners and operators of elements of critical infrastructure designated as systemically important pursuant to section 2220A.".