[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 8403 Introduced in House (IH)]

117th CONGRESS
  2d Session
                                H. R. 8403

 To encourage and improve Federal proactive cybersecurity initiatives, 
                        and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 15, 2022

 Mr. Swalwell introduced the following bill; which was referred to the 
Committee on Oversight and Reform, and in addition to the Committee on 
   Armed Services, for a period to be subsequently determined by the 
  Speaker, in each case for consideration of such provisions as fall 
           within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
 To encourage and improve Federal proactive cybersecurity initiatives, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Proactive Cyber 
Initiatives Act of 2022''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Increasing proactive cybersecurity initiatives.
Sec. 4. Strengthening Office of National Cyber Director.
Sec. 5. Penetration testing reports.
Sec. 6. Report on active defense techniques.
Sec. 7. Study on innovative uses of proactive cybersecurity 
                            initiatives.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Active defense technique.--The term ``active defense 
        technique'' means an action taken on an information system of 
        an agency to increase the security of such system against an 
        attacker, including--
                    (A) the use of a deception technology or other 
                purposeful feeding of false or misleading information 
                to an attacker accessing such system; and
                    (B) proportional action taken in response to an 
                unlawful breach.
            (2) Agency.--The term ``agency'' means any Government 
        corporation, Government-controlled corporation, or other 
        establishment of the executive branch of the Government 
        (including the Executive Office of the President), or any 
        independent regulatory agency, but does not include the 
        following:
                    (A) The Government Accountability Office.
                    (B) The Federal Election Commission.
                    (C) The governments of the District of Columbia and 
                of the territories and possessions of the United 
                States, and their various subdivisions.
                    (D) Government-owned contractor-operated 
                facilities, including laboratories engaged in national 
                defense research and production activities.
            (3) Continuous monitoring.--The term ``continuous 
        monitoring'' means continuous experimentation conducted by an 
        agency on an information system of such agency to evaluate the 
        resilience of such system against a malicious attack or 
        condition that could compromise such system for the purpose of 
        improving design, resilience, or incident response with respect 
        to such system.
            (4) Deception technology.--The term ``deception 
        technology'' means an isolated digital environment, system, or 
        platform containing a replication of an active information 
        system with realistic data flows used to attract, mislead, or 
        observe an attacker.
            (5) Department.--The term ``department'' means the 
        following:
                    (A) The Department of State.
                    (B) The Department of the Treasury.
                    (C) The Department of Defense.
                    (D) The Department of Justice.
                    (E) The Department of the Interior.
                    (F) The Department of Agriculture.
                    (G) The Department of Commerce.
                    (H) The Department of Labor.
                    (I) The Department of Health and Human Services.
                    (J) The Department of Housing and Urban 
                Development.
                    (K) The Department of Transportation.
                    (L) The Department of Energy.
                    (M) The Department of Education.
                    (N) The Department of Veterans Affairs.
                    (O) The Department of Homeland Security.
            (6) Director.--The term ``Director'' means the Director of 
        the Cybersecurity and Infrastructure Security Agency of the 
        Department of Homeland Security.
            (7) Information system.--The term ``information system'' 
        has the meaning given the term in section 3502 of title 44, 
        United States Code.
            (8) National laboratory.--The term ``national laboratory'' 
        has the meaning given the term in section 2 of the Energy 
        Policy Act of 2005 (42 U.S.C. 15801).
            (9) Penetration test; penetration testing.--The terms 
        ``penetration test'' and ``penetration testing'' mean an 
        assessment conducted on an information system of an agency that 
        emulates an attack or other exploitation capability to identify 
        and test vulnerabilities that could be exploited.
            (10) Rules of engagement.--The term ``rules of engagement'' 
        means a set of rules established by an agency for use during 
        penetration testing.

SEC. 3. INCREASING PROACTIVE CYBERSECURITY INITIATIVES.

    (a) Penetration Testing.--
            (1) In general.--The head of each department or agency 
        shall carry out the following:
                    (A) Conduct regular penetration testing on the 
                information systems (as described in paragraph (2)) of 
                such department or agency.
                    (B) Provide to the Director, the National Cyber 
                Director, and the Director of the Office of Management 
                and Budget a report on the results of such testing, 
                including--
                            (i) an identification of any risks 
                        discovered; and
                            (ii) a description of how cybersecurity at 
                        such department or agency may be improved.
            (2) Information systems described.--For purposes of 
        paragraph (1)(A), an information system of an agency to be 
        tested is one described as moderate- or high-impact in the 
        document titled ``Risk Management Framework for Information 
        Systems and Organizations: A System Life Cycle Approach for 
        Security and Privacy'' (National Institute of Standards and 
        Technology Special Publication 800-37, Revision 2; December 
        2018) or in a successor document.
    (b) Guidance.--Not later than one year after the date of the 
enactment of this Act, the Director, in consultation with the Secretary 
of Defense, the National Cyber Director, the Director of National 
Intelligence, the Secretary of Homeland Security, and the head of any 
other department or agency the Director determines appropriate, shall 
issue guidance to facilitate the implementation of subsection (a), 
which shall include the following:
            (1) Information regarding how departments and agencies are 
        to utilize independent penetration testing carried out by 
        another department or agency, a national laboratory, or a 
        private entity.
            (2) Recommendations regarding how best to utilize, within 
        the budget of an agency, penetration testing, including 
        independent penetration testing.
            (3) Recommendations for minimum rules of engagement.
    (c) Report.--
            (1) In general.--Not later than one year after the date of 
        the enactment of this Act, the Director shall submit to the 
        appropriate congressional committees a report that includes the 
        following:
                    (A) An analysis of whether increased engagement is 
                needed from national laboratories and the private 
                sector to assist with the protection of the information 
                systems of agencies through the use of the following:
                            (i) Active defense techniques.
                            (ii) Deception technologies.
                            (iii) Penetration testing.
                    (B) An analysis of the feasibility and benefits of 
                consolidating within the Cybersecurity and 
                Infrastructure Security Agency of the Department of 
                Homeland Security proactive cybersecurity initiatives.
                    (C) An analysis of whether the Director requires 
                additional authorities or resources to carry out 
                proactive cybersecurity initiatives for agencies.
            (2) Appropriate congressional committees defined.--In this 
        subsection, the term ``appropriate congressional committees'' 
        means--
                    (A) with respect to the House of Representatives--
                            (i) the Committee on Appropriations;
                            (ii) the Committee on Armed Services;
                            (iii) the Committee on Homeland Security;
                            (iv) the Committee on the Judiciary;
                            (v) the Committee on Oversight and Reform; 
                        and
                            (vi) the Permanent Select Committee on 
                        Intelligence; and
                    (B) with respect to the Senate--
                            (i) the Committee on Appropriations;
                            (ii) the Committee on Armed Services;
                            (iii) the Committee on Homeland Security 
                        and Governmental Affairs;
                            (iv) the Committee on the Judiciary; and
                            (v) the Select Committee on Intelligence.

SEC. 4. STRENGTHENING THE OFFICE OF THE NATIONAL CYBER DIRECTOR.

    (a) Deconfliction.--Section 1752(c)(1)(D) of the William M. (Mac) 
Thornberry National Defense Authorization Act for Fiscal Year 2021 (6 
U.S.C. 1500(c)(1)(D)) is amended--
            (1) in clause (iii), by striking ``and'' at the end;
            (2) in clause (iv), by inserting ``and'' at the end; and
            (3) by adding at the end the following:
                            ``(v) deconflicting overlapping 
                        jurisdiction between agencies regarding 
                        cybersecurity activities and authority to 
                        mitigate risks;''.
    (b) Information Sharing.--Section 1752(c)(1) of the William M. 
(Mac) Thornberry National Defense Authorization Act for Fiscal Year 
2021 (6 U.S.C. 1500(c)(1)) is amended--
            (1) in subparagraph (C)(vi), by inserting ``the Secretary 
        of Homeland Security, the Director of the Office of Management 
        and Budget,'' after ``the Assistant to the President for 
        National Security Affairs,''; and
            (2) in subparagraph (G), by inserting ``the Secretary of 
        Homeland Security, the Director of the Office of Management and 
        Budget, and'' after ``annually report to''.

SEC. 5. PENETRATION TESTING REPORTS.

    (a) Cybersecurity and Infrastructure Security Agency.--
            (1) Aggregation of penetration testing results.--Not later 
        than one year after the date of the enactment of this Act and 
        annually thereafter, the Director shall aggregate and review 
        the results of the penetration testing provided to the Director 
        under section 3(a)(1)(B).
            (2) Interagency reports.--Not later than 180 days after 
        each review under paragraph (1), the Director, based on such 
        review, shall provide to each agency a report containing the 
        following:
                    (A) A summary of the results of such review, 
                including an identification of risks and other results 
                common across agencies.
                    (B) An assessment, based on the document entitled 
                ``Risk Management Framework for Information Systems and 
                Organizations: A System Life Cycle Approach for 
                Security and Privacy'' (National Institute of Standards 
                and Technology Special Publication 800-37, Revision 2; 
                December 2018) or a successor document, of the severity 
                of risks identified under subparagraph (A).
                    (C) An analysis of the duration of time that such 
                risks have existed.
                    (D) Recommendations for mitigating such risks, 
                which prioritize risks assessed as the highest severity 
                pursuant to subparagraph (B).
            (3) Congressional report.--Not later than 180 days after 
        each report provided under paragraph (2), the Director shall 
        submit to Congress a report that contains--
                    (A) a summary of the report provided under such 
                paragraph; and
                    (B) recommendations for legislative action relating 
                to the matters referred to in such paragraph.
    (b) Government Accountability Office.--Not later than 180 days 
after the date of the enactment of this Act, the Comptroller General of 
the United States shall submit to Congress a report on penetration 
testing, which shall include the following:
            (1) An identification of which departments or agencies are 
        obligating and expending funds on penetration testing and how 
        such funds are being used, including whether such funds are 
        being used on independent penetration testing.
            (2) Recommendations for legislative action regarding 
        additional authority or resources needed by departments or 
        agencies to conduct penetration testing more effectively, 
        including with respect to independent penetration testing.

SEC. 6. REPORT ON ACTIVE DEFENSE TECHNIQUES.

    (a) Report.--Not later than 18 months after the date of the 
enactment of this Act, the Director, in consultation with the National 
Cyber Director and representatives of appropriate private sector 
entities, shall submit to the appropriate congressional committees a 
report regarding active defense techniques.
    (b) Contents.--The report described in subsection (a) shall include 
the following:
            (1) An assessment of the effectiveness of active defense 
        techniques to protect the information systems of departments or 
        agencies.
            (2) Recommendations regarding how such techniques can be 
        better utilized to protect such systems, including best 
        practices with respect to such techniques.
            (3) An analysis of whether there are legislative, 
        regulatory, or resource burdens that prevent such techniques 
        from being effectively utilized, including the resources 
        necessary to implement such techniques.
            (4) An identification of resources necessary to carry out 
        the recommendations under paragraph (2).
            (5) An identification of other techniques that should be 
        evaluated to protect such systems.
    (c) Appropriate Congressional Committees Defined.--In this 
subsection, the term ``appropriate congressional committees'' means--
            (1) with respect to the House of Representatives--
                    (A) the Committee on Appropriations;
                    (B) the Committee on Armed Services;
                    (C) the Committee on Homeland Security;
                    (D) the Committee on the Judiciary;
                    (E) the Committee on Oversight and Reform; and
                    (F) the Permanent Select Committee on Intelligence; 
                and
            (2) with respect to the Senate--
                    (A) the Committee on Appropriations;
                    (B) the Committee on Armed Services;
                    (C) the Committee on Homeland Security and 
                Governmental Affairs;
                    (D) the Committee on the Judiciary; and
                    (E) the Select Committee on Intelligence.

SEC. 7. STUDY ON INNOVATIVE USES OF PROACTIVE CYBERSECURITY 
              INITIATIVES.

    (a) Study.--The Secretary of Defense, in consultation with the 
Director of National Intelligence, the Secretary of Homeland Security, 
the Attorney General, and the head of any other department or agency 
the Director determines appropriate, shall conduct a study on 
innovative uses of proactive cybersecurity initiatives, including the 
following:
            (1) The use of deception technologies.
            (2) The use of continuous monitoring to generate evidence 
        regarding how an information system--
                    (A) operates under normal or intended use; and
                    (B) behaves under a variety of adverse conditions 
                or scenarios.
            (3) The feasibility of department or agency adoption of a 
        set of continuous monitoring procedures.
    (b) Reports.--
            (1) Classified report.--Not later than two years after the 
        date of the enactment of this Act, the Secretary of Defense 
        shall submit to the Permanent Select Committee on Intelligence 
        of the House of Representatives and the Select Committee on 
        Intelligence of the Senate a classified report describing the 
        results of the study required under subsection (a), including 
        examples of any successes against attackers who unlawfully 
        breached an information system of a department or agency.
            (2) Unclassified report.--Not later than two years after 
        the date of the enactment of this Act, the Secretary shall 
        submit to the appropriate congressional committees an 
        unclassified report describing the results of the study 
        required under subsection (a), including legislative 
        recommendations relating thereto.
    (c) Appropriate Congressional Committees Defined.--In this section, 
the term ``appropriate congressional committees'' means--
            (1) with respect to the House of Representatives--
                    (A) the Committee on Armed Services;
                    (B) the Committee on Homeland Security;
                    (C) the Committee on the Judiciary;
                    (D) the Committee on Oversight and Reform; and
                    (E) the Permanent Select Committee on Intelligence; 
                and
            (2) with respect to the Senate--
                    (A) the Committee on Armed Services;
                    (B) the Committee on Homeland Security and 
                Governmental Affairs;
                    (C) the Committee on the Judiciary; and
                    (D) the Select Committee on Intelligence.