[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 7629 Introduced in House (IH)]

117th CONGRESS
  2d Session
                                H. R. 7629

    To require a report on Federal support to the cybersecurity of 
 commercial satellite systems, establish a commercial satellite system 
  cybersecurity clearinghouse in the Cybersecurity and Infrastructure 
                Security Agency, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 28, 2022

Mr. Malinowski (for himself and Mr. Garbarino) introduced the following 
bill; which was referred to the Committee on Homeland Security, and in 
  addition to the Committee on Science, Space, and Technology, for a 
 period to be subsequently determined by the Speaker, in each case for 
consideration of such provisions as fall within the jurisdiction of the 
                          committee concerned

_______________________________________________________________________

                                 A BILL


 
    To require a report on Federal support to the cybersecurity of 
 commercial satellite systems, establish a commercial satellite system 
  cybersecurity clearinghouse in the Cybersecurity and Infrastructure 
                Security Agency, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Satellite Cybersecurity Act''.

SEC. 2. REPORT ON COMMERCIAL SATELLITE CYBERSECURITY; CISA COMMERCIAL 
              SATELLITE SYSTEM CYBERSECURITY CLEARINGHOUSE.

    (a) Study.--
            (1) In general.--The Comptroller General of the United 
        States shall conduct a study on the actions the Federal 
        Government has taken to support the cybersecurity of commercial 
        satellite systems, including as part of any action to address 
        the cybersecurity of critical infrastructure sectors.
            (2) Report.--Not later than two years after the date of the 
        enactment of this Act, the Comptroller General of the United 
        States shall report to Congress on the study conducted under 
        paragraph (1), which shall include information on--
                    (A) the effectiveness of efforts of the Federal 
                Government in improving the cybersecurity of commercial 
                satellite systems;
                    (B) the resources made available to the public, as 
                of the date of the enactment of this Act, by Federal 
                agencies to address cybersecurity risks and 
                cybersecurity threats to commercial satellite systems;
                    (C) the extent to which commercial satellite 
                systems are reliant on or are relied on by critical 
                infrastructure and an analysis of how commercial 
                satellite systems, and the cybersecurity threats to 
                such systems, are integrated into Federal and non-
                Federal critical infrastructure risk analyses and 
                protection plans;
                    (D) the extent to which Federal agencies are 
                reliant on commercial satellite systems and how Federal 
                agencies mitigate cybersecurity risks associated with 
                those systems; and
                    (E) the extent to which Federal agencies coordinate 
                or duplicate authorities and take other actions focused 
                on the cybersecurity of commercial satellite systems.
            (3) Consultation.--In carrying out paragraphs (1) and (2), 
        the Comptroller General of the United States shall coordinate 
        with appropriate Federal agencies, including--
                    (A) the Department of Homeland Security;
                    (B) the Department of Commerce;
                    (C) the Department of Defense;
                    (D) the Department of Transportation;
                    (E) the Federal Communications Commission;
                    (F) the National Aeronautics and Space 
                Administration; and
                    (G) the National Executive Committee for Space-
                Based Positioning, Navigation, and Timing.
            (4) Briefing.--Not later than one year after the date of 
        the enactment of this Act, the Comptroller General of the 
        United States shall provide a briefing to Congress relating to 
        carrying out paragraphs (1) and (2).
            (5) Classification.--The report under paragraph (2) shall 
        be unclassified but may include a classified annex.
    (b) CISA Commercial Satellite System Cybersecurity Clearinghouse.--
            (1) Establishment.--
                    (A) In general.--Not later than 180 days after the 
                date of the enactment of this Act, the Director shall 
                establish a commercial satellite system cybersecurity 
                clearinghouse.
                    (B) Requirements.--The clearinghouse shall--
                            (i) be publicly available online;
                            (ii) contain current, relevant, and 
                        publicly available commercial satellite system 
                        cybersecurity resources, including the 
                        recommendations consolidated under paragraph 
                        (2), and any other appropriate materials for 
                        reference by entities that develop commercial 
                        satellite systems; and
                            (iii) include materials specifically aimed 
                        at assisting small business concerns with the 
                        secure development, operation, and maintenance 
                        of commercial satellite systems.
                    (C) Existing platform or website.--The Director may 
                establish the clearinghouse on an online platform or a 
                website that is in existence as of the date of the 
                enactment of this Act.
            (2) Consolidation of commercial satellite system 
        cybersecurity recommendations.--
                    (A) In general.--The Director shall consolidate 
                voluntary cybersecurity recommendations designed to 
                assist in the development, maintenance, and operation 
                of commercial satellite systems.
                    (B) Requirements.--The recommendations consolidated 
                under subparagraph (A) shall include, to the greatest 
                extent practicable, materials addressing the following:
                            (i) Risk-based, cybersecurity-informed 
                        engineering, including continuous monitoring 
                        and resiliency.
                            (ii) Planning for retention or recovery of 
                        positive control of commercial satellite 
                        systems in the event of a cybersecurity 
                        incident.
                            (iii) Protection against unauthorized 
                        access to vital commercial satellite system 
                        functions.
                            (iv) Physical protection measures designed 
                        to reduce the vulnerabilities of a commercial 
                        satellite system's command, control, or 
                        telemetry receiver systems.
                            (v) Protection against jamming or spoofing.
                            (vi) Security against threats throughout a 
                        commercial satellite system's mission lifetime.
                            (vii) Management of supply chain risks that 
                        affect the cybersecurity of commercial 
                        satellite systems.
                            (viii) As appropriate, and as applicable 
                        pursuant to the requirement under paragraph 
                        (1)(b)(ii) (relating to the clearinghouse 
                        containing current, relevant, and publicly 
                        available commercial satellite system 
                        cybersecurity resources), the findings and 
                        recommendations from the study conducted by the 
                        Comptroller General of the United States under 
                        subsection (a)(1).
                            (ix) Any other recommendations to ensure 
                        the confidentiality, availability, and 
                        integrity of data residing on or in transit 
                        through commercial satellite systems.
            (3) Implementation.--In implementing this subsection, the 
        Director shall--
                    (A) to the extent practicable, carry out such 
                implementation as a public-private partnership;
                    (B) coordinate with the heads of appropriate 
                Federal agencies with expertise and experience in 
                satellite operations, including the entities described 
                in subsection (a)(3); and
                    (C) consult with non-Federal entities developing 
                commercial satellite systems or otherwise supporting 
                the cybersecurity of commercial satellite systems, 
                including private, consensus organizations that develop 
                relevant standards.
    (c) Definitions.--In this section:
            (1) Clearinghouse.--The term ``clearinghouse'' means the 
        commercial satellite system cybersecurity clearinghouse 
        required to be developed and maintained under subsection 
        (b)(1).
            (2) Commercial satellite system.--The term ``commercial 
        satellite system'' means an earth satellite owned and operated 
        by a non-Federal entity.
            (3) Critical infrastructure.--The term ``critical 
        infrastructure'' has the meaning given such term in section 
        1016(e) of Public Law 107-56 (42 U.S.C. 5195c(e)).
            (4) Cybersecurity risk.--The term ``cybersecurity risk'' 
        has the meaning given such term in section 2209 of the Homeland 
        Security Act of 2002 (6 U.S.C. 659).
            (5) Cybersecurity threat.--The term ``cybersecurity 
        threat'' has the meaning given such term in section 102 of the 
        Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
            (6) Director.--The term ``Director'' means the Director of 
        the Cybersecurity and Infrastructure Security Agency.
            (7) Small business concern.--The term ``small business 
        concern'' has the meaning given the term in section 3 of the 
        Small Business Act (15 U.S.C. 632).