[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 1324 Reported in Senate (RS)]

                                                       Calendar No. 348
117th CONGRESS
  2d Session
                                S. 1324

                          [Report No. 117-97]

 To establish a Civilian Cyber Security Reserve as a pilot project to 
 address the cyber security needs of the United States with respect to 
               national security, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 22, 2021

  Ms. Rosen (for herself and Mrs. Blackburn) introduced the following 
 bill; which was read twice and referred to the Committee on Homeland 
                   Security and Governmental Affairs

                             April 27, 2022

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
 To establish a Civilian Cyber Security Reserve as a pilot project to 
 address the cyber security needs of the United States with respect to 
               national security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Civilian Cyber Security 
Reserve Act''.</DELETED>

<DELETED>SEC. 2. CIVILIAN CYBER SECURITY RESERVE PILOT 
              PROJECT.</DELETED>

<DELETED>    (a) Definitions.--In this section:</DELETED>
        <DELETED>    (1) Appropriate agency head.--The term 
        ``appropriate agency head'' means--</DELETED>
                <DELETED>    (A) in the case of the Department of 
                Homeland Security, the Secretary of Homeland Security; 
                and</DELETED>
                <DELETED>    (B) in the case of the Department of 
                Defense, the Secretary of Defense.</DELETED>
        <DELETED>    (2) Competitive service.--The term ``competitive 
        service'' has the meaning given the term in section 2102 of 
        title 5, United States Code.</DELETED>
        <DELETED>    (3) Covered agency.--The term ``covered agency'' 
        means the Department of Homeland Security or the Department of 
        Defense.</DELETED>
        <DELETED>    (4) Excepted service.--The term ``excepted 
        service'' has the meaning given the term in section 2103 of 
        title 5, United States Code.</DELETED>
        <DELETED>    (5) Temporary.--The term ``temporary'' means a 
        period of not more than 6 months.</DELETED>
        <DELETED>    (6) Uniformed services.--The term ``uniformed 
        services'' has the meaning given the term in section 2101 of 
        title 5, United States Code.</DELETED>
<DELETED>    (b) Pilot Project.--</DELETED>
        <DELETED>    (1) In general.--Each appropriate agency head may 
        carry out a pilot project to establish a Civilian Cyber 
        Security Reserve at the covered agency to address the cyber 
        security needs of the United States with respect to national 
        security.</DELETED>
        <DELETED>    (2) Appointments.--Under a pilot project 
        authorized under paragraph (1), the appropriate agency head may 
        noncompetitively appoint members of the Civilian Cyber Security 
        Reserve to temporary positions in the competitive or excepted 
        service.</DELETED>
        <DELETED>    (3) Status as employees.--An individual appointed 
        under paragraph (2) shall be considered a Federal civil service 
        employee under section 2105 of title 5, United States 
        Code.</DELETED>
        <DELETED>    (4) Additional employees.--Individuals appointed 
        under paragraph (2) shall be in addition to any employees of 
        the covered agency who provide cyber security 
        services.</DELETED>
        <DELETED>    (5) Employment protections.--The Secretary of 
        Labor shall prescribe such regulations as necessary to ensure 
        the reemployment, continuation of benefits, and non-
        discrimination in reemployment of individuals appointed under 
        paragraph (2), provided that such regulations shall include, at 
        a minimum, those rights and obligations set forth under chapter 
        43 of title 38, United States Code.</DELETED>
<DELETED>    (c) Eligibility; Application and Selection.--</DELETED>
        <DELETED>    (1) In general.--Under a pilot project authorized 
        under subsection (b), the appropriate agency head shall 
        establish criteria for--</DELETED>
                <DELETED>    (A) individuals to be eligible for the 
                Civilian Cyber Security Reserve in the covered agency; 
                and</DELETED>
                <DELETED>    (B) the application and selection 
                processes for the Reserve.</DELETED>
        <DELETED>    (2) Requirements for individuals.--The criteria 
        established under paragraph (1)(A) with respect to an 
        individual shall include--</DELETED>
                <DELETED>    (A) previous employment by the Federal 
                Government or within the uniformed services; 
                and</DELETED>
                <DELETED>    (B) cyber security expertise.</DELETED>
        <DELETED>    (3) Agreement required.--An individual may become 
        a member of the Civilian Cyber Security Reserve only if the 
        individual enters into an agreement with the appropriate agency 
        head to become such a member, which shall set forth the rights 
        and obligations of the individual and the covered 
        agency.</DELETED>
        <DELETED>    (4) Exception for continuing military service 
        commitments.--A member of the Selected Reserve under section 
        10143 of title 10, United States Code, may not be a member of 
        the Civilian Cyber Security Reserve.</DELETED>
<DELETED>    (d) Components of the Civilian Cyber Security Reserve.--
The appropriate agency head may consider, in carrying out a pilot 
project authorized under subsection (b), developing different 
components of the Civilian Cyber Security Reserve in the covered 
agency, one with an obligation to respond when called into activation 
at the direction of the appropriate agency head and one that is not 
compelled to so respond, with appropriate corresponding differing 
benefits for each such component.</DELETED>
<DELETED>    (e) Security Clearances.--</DELETED>
        <DELETED>    (1) In general.--The appropriate agency head shall 
        ensure that all members of the Civilian Cyber Security Reserve 
        in the covered agency undergo the appropriate personnel vetting 
        and adjudication commensurate with the duties of the position, 
        including a determination of eligibility for access to 
        classified information where a security clearance is necessary, 
        in accordance with Executive Order 12968 (50 U.S.C. 3161 note; 
        relating to access to classified information) and Executive 
        Order 13467 (50 U.S.C. 3161 note; relating to reforming 
        processes related to suitability for Government employment, 
        fitness for contractor employees, and eligibility for access to 
        classified national security information).</DELETED>
        <DELETED>    (2) Cost of maintaining clearances.--The original 
        sponsor of a security clearance of a member of a Civilian Cyber 
        Security Reserve at a covered agency shall be responsible for 
        the cost of maintaining that security clearance.</DELETED>
<DELETED>    (f) Project Guidance.--</DELETED>
        <DELETED>    (1) In general.--Not later than 180 days after the 
        date of enactment of this Act, each appropriate agency head may 
        issue guidance establishing and implementing a pilot project 
        authorized under subsection (b) at the covered 
        agency.</DELETED>
        <DELETED>    (2) Penalties.--</DELETED>
                <DELETED>    (A) In general.--In developing guidance 
                under paragraph (1), an appropriate agency head may 
                provide for penalties for individuals who do not 
                respond to activation when called, such as recoupment 
                of pay or benefits earned as a member of the Civilian 
                Cyber Security Reserve or recoupment of civilian 
                service creditable under section 8411 of title 5, 
                United States Code.</DELETED>
                <DELETED>    (B) Procedures.--In the case of a proposed 
                penalty or action under this paragraph, the individual 
                shall be entitled to the applicable procedures set 
                forth in title 5, Code of Federal Regulations, or as 
                otherwise specified in applicable guidance.</DELETED>
<DELETED>    (g) Evaluation.--Not later than 5 years after the pilot 
project authorized under subsection (b) is established in each covered 
agency, the Comptroller General of the United States shall--</DELETED>
        <DELETED>    (1) conduct a study evaluating the pilot project 
        at the covered agency; and</DELETED>
        <DELETED>    (2) submit to Congress--</DELETED>
                <DELETED>    (A) a report on the results of the study; 
                and</DELETED>
                <DELETED>    (B) a recommendation with respect to 
                whether the pilot project should be modified, extended 
                in duration, or established as a permanent 
                program.</DELETED>
<DELETED>    (h) Report.--Not later than 5 years after the pilot 
project authorized under subsection (b) is established in a covered 
agency, the appropriate agency head shall submit to the Committee on 
Homeland Security and Governmental Affairs and the Committee on Armed 
Services of the Senate and the Committee on Homeland Security and the 
Committee on Armed Services of the House of Representatives a report--
</DELETED>
        <DELETED>    (1) on the activities carried out under the pilot 
        project; and</DELETED>
        <DELETED>    (2) that includes a recommendation with respect to 
        whether the pilot project should be modified, extended in 
        duration, or established as a permanent program.</DELETED>
<DELETED>    (i) Sunset.--A pilot project authorized under this section 
shall terminate on the date that is 6 years after the date on which the 
pilot project is established.</DELETED>
<DELETED>    (j) Authorization of Appropriations.--There are authorized 
to be appropriated to each appropriate agency head such sums as may be 
necessary to carry out this section.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Civilian Cybersecurity Reserve 
Act''.

SEC. 2. CIVILIAN CYBERSECURITY RESERVE PILOT PROJECT.

    (a) Definitions.--In this section:
            (1) Agency.--The term ``Agency'' means the Cybersecurity 
        and Infrastructure Security Agency.
            (2) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    (B) the Committee on Appropriations of the Senate;
                    (C) the Committee on Homeland Security of the House 
                of Representatives;
                    (D) the Committee on Oversight and Reform of the 
                House of Representatives; and
                    (E) the Committee on Appropriations of the House of 
                Representatives.
            (3) Competitive service.--The term ``competitive service'' 
        has the meaning given the term in section 2102 of title 5, 
        United States Code.
            (4) Director.--The term ``Director'' means the Director of 
        the Agency.
            (5) Excepted service.--The term ``excepted service'' has 
        the meaning given the term in section 2103 of title 5, United 
        States Code.
            (6) Significant incident.--The term ``significant 
        incident''--
                    (A) means an incident or a group of related 
                incidents that results, or is likely to result, in 
                demonstrable harm to--
                            (i) the national security interests, 
                        foreign relations, or economy of the United 
                        States; or
                            (ii) the public confidence, civil 
                        liberties, or public health and safety of the 
                        people of the United States; and
                    (B) does not include an incident or a portion of a 
                group of related incidents that occurs on--
                            (i) a national security system, as defined 
                        in section 3552 of title 44, United States 
                        Code; or
                            (ii) an information system described in 
                        paragraph (2) or (3) of section 3553(e) of 
                        title 44, United States Code.
            (7) Temporary position.--The term ``temporary position'' 
        means a position in the competitive or excepted service for a 
        period of 6 months or less.
            (8) Uniformed services.--The term ``uniformed services'' 
        has the meaning given the term in section 2101 of title 5, 
        United States Code.
    (b) Pilot Project.--
            (1) In general.--The Director may carry out a pilot project 
        to establish a Civilian Cybersecurity Reserve at the Agency.
            (2) Purpose.--The purpose of a Civilian Cybersecurity 
        Reserve is to enable the Agency to effectively respond to 
        significant incidents.
            (3) Alternative methods.--Consistent with section 4703 of 
        title 5, United States Code, in carrying out a pilot project 
        authorized under paragraph (1), the Director may, without 
        further authorization from the Office of Personnel Management, 
        provide for alternative methods of--
                    (A) establishing qualifications requirements for, 
                recruitment of, and appointment to positions; and
                    (B) classifying positions.
            (4) Appointments.--Under the pilot project authorized under 
        paragraph (1), upon occurrence of a significant incident, the 
        Director--
                    (A) may activate members of the Civilian 
                Cybersecurity Reserve by--
                            (i) noncompetitively appointing members of 
                        the Civilian Cybersecurity Reserve to temporary 
                        positions in the competitive service; or
                            (ii) appointing members of the Civilian 
                        Cybersecurity Reserve to temporary positions in 
                        the excepted service;
                    (B) shall notify Congress whenever a member is 
                activated under subparagraph (A); and
                    (C) may appoint not more than 30 members to the 
                Civilian Cybersecurity Reserve under subparagraph (A) 
                at any time.
            (5) Status as employees.--An individual appointed under 
        subsection (b)(4) shall be considered a Federal civil service 
        employee under section 2105 of title 5, United States Code.
            (6) Additional employees.--Individuals appointed under 
        subsection (b)(4) shall be in addition to any employees of the 
        Agency who provide cybersecurity services.
            (7) Employment protections.--The Secretary of Labor shall 
        prescribe such regulations as necessary to ensure the 
        reemployment, continuation of benefits, and non-discrimination 
        in reemployment of individuals appointed under subsection 
        (b)(4), provided that such regulations shall include, at a 
        minimum, those rights and obligations set forth under chapter 
        43 of title 38, United States Code.
            (8) Status in reserve.--During the period beginning on the 
        date on which an individual is recruited by the Agency to serve 
        in the Civilian Cybersecurity Reserve and ending on the date on 
        which the individual is appointed under subsection (b)(4), and 
        during any period in between any such appointments, the 
        individual shall not be considered a Federal employee.
    (c) Eligibility; Application and Selection.--
            (1) In general.--Under the pilot project authorized under 
        subsection (b), the Director shall establish criteria for--
                    (A) individuals to be eligible for the Civilian 
                Cybersecurity Reserve; and
                    (B) the application and selection processes for the 
                Civilian Cybersecurity Reserve.
            (2) Requirements for individuals.--The criteria established 
        under paragraph (1)(A) with respect to an individual shall 
        include--
                    (A) previous employment--
                            (i) by the executive branch;
                            (ii) within the uniformed services;
                            (iii) as a Federal contractor within the 
                        executive branch; or
                            (iv) by a State, local, Tribal, or 
                        territorial government;
                    (B) if the individual has previously served as a 
                member of the Civilian Cybersecurity Reserve of the 
                Agency, that the previous appointment ended not less 
                than 60 days before the individual may be appointed for 
                a subsequent temporary position in the Civilian 
                Cybersecurity Reserve of the Agency; and
                    (C) cybersecurity expertise.
            (3) Prescreening.--The Agency shall--
                    (A) conduct a prescreening of each individual prior 
                to appointment under subsection (b)(4) for any topic or 
                product that would create a conflict of interest; and
                    (B) require each individual appointed under 
                subsection (b)(4) to notify the Agency if a potential 
                conflict of interest arises during the appointment.
            (4) Agreement required.--An individual may become a member 
        of the Civilian Cybersecurity Reserve only if the individual 
        enters into an agreement with the Director to become such a 
        member, which shall set forth the rights and obligations of the 
        individual and the Agency.
            (5) Exception for continuing military service 
        commitments.--A member of the Selected Reserve under section 
        10143 of title 10, United States Code, may not be a member of 
        the Civilian Cybersecurity Reserve.
            (6) Priority.--In appointing individuals to the Civilian 
        Cybersecurity Reserve, the Agency shall prioritize the 
        appointment of individuals described in clause (i) or (ii) of 
        paragraph (2)(A) before considering individuals described in 
        clause (iii) or (iv) of paragraph (2)(A).
            (7) Prohibition.--Any individual who is an employee of the 
        executive branch may not be recruited or appointed to serve in 
        the Civilian Cybersecurity Reserve.
    (d) Security Clearances.--
            (1) In general.--The Director shall ensure that all members 
        of the Civilian Cybersecurity Reserve undergo the appropriate 
        personnel vetting and adjudication commensurate with the duties 
        of the position, including a determination of eligibility for 
        access to classified information where a security clearance is 
        necessary, according to applicable policy and authorities.
            (2) Cost of sponsoring clearances.--If a member of the 
        Civilian Cybersecurity Reserve requires a security clearance in 
        order to carry out their duties, the Agency shall be 
        responsible for the cost of sponsoring the security clearance 
        of a member of the Civilian Cybersecurity Reserve.
    (e) Study and Implementation Plan.--
            (1) Study.--Not later than 60 days after the date of 
        enactment of this Act, the Agency shall begin a study on the 
        design and implementation of the pilot project authorized under 
        subsection (b)(1) at the Agency, including--
                    (A) compensation and benefits for members of the 
                Civilian Cybersecurity Reserve;
                    (B) activities that members may undertake as part 
                of their duties;
                    (C) methods for identifying and recruiting members, 
                including alternatives to traditional qualifications 
                requirements;
                    (D) methods for preventing conflicts of interest or 
                other ethical concerns as a result of participation in 
                the pilot project and details of mitigation efforts to 
                address any conflict of interest concerns;
                    (E) resources, including additional funding, needed 
                to carry out the pilot project;
                    (F) possible penalties for individuals who do not 
                respond to activation when called, in accordance with 
                the rights and procedures set forth under title 5, Code 
                of Federal Regulations; and
                    (G) processes and requirements for training and 
                onboarding members.
            (2) Implementation plan.--Not later than 1 year after 
        beginning the study required under paragraph (1), the Agency 
        shall--
                    (A) submit to the appropriate congressional 
                committees an implementation plan for the pilot project 
                authorized under subsection (b)(1); and
                    (B) provide to the appropriate congressional 
                committees a briefing on the implementation plan.
            (3) Prohibition.--The Agency may not take any action to 
        begin implementation of the pilot project authorized under 
        subsection (b)(1) until the Agency fulfills the requirements 
        under paragraph (2).
    (f) Project Guidance.--Not later than 2 years after the date of 
enactment of this Act, the Director shall, in consultation with the 
Office of Personnel Management and the Office of Government Ethics, 
issue guidance establishing and implementing the pilot project 
authorized under subsection (b)(1) at the Agency.
    (g) Briefings and Report.--
            (1) Briefings.--Not later than 1 year after the date of 
        enactment of this Act, and every year thereafter, the Agency 
        shall provide to the appropriate congressional committees a 
        briefing on activities carried out under the pilot project of 
        the Agency, including--
                    (A) participation in the Civilian Cybersecurity 
                Reserve, including the number of participants, the 
                diversity of participants, and any barriers to 
                recruitment or retention of members;
                    (B) an evaluation of the ethical requirements of 
                the pilot project;
                    (C) whether the Civilian Cybersecurity Reserve has 
                been effective in providing additional capacity to the 
                Agency during significant incidents; and
                    (D) an evaluation of the eligibility requirements 
                for the pilot project.
            (2) Report.--Not earlier than 6 months and not later than 3 
        months before the date on which the pilot project of the Agency 
        terminates under subsection (i), the Agency shall submit to the 
        appropriate congressional committees a report and provide a 
        briefing on recommendations relating to the pilot project, 
        including recommendations for--
                    (A) whether the pilot project should be modified, 
                extended in duration, or established as a permanent 
                program, and if so, an appropriate scope for the 
                program;
                    (B) how to attract participants, ensure a diversity 
                of participants, and address any barriers to 
                recruitment or retention of members of the Civilian 
                Cybersecurity Reserve;
                    (C) the ethical requirements of the pilot project 
                and the effectiveness of mitigation efforts to address 
                any conflict of interest concerns; and
                    (D) an evaluation of the eligibility requirements 
                for the pilot project.
    (h) Evaluation.--Not later than 3 years after the pilot project 
authorized under subsection (b) is established in the Agency, the 
Comptroller General of the United States shall--
            (1) conduct a study evaluating the pilot project at the 
        Agency; and
            (2) submit to Congress--
                    (A) a report on the results of the study; and
                    (B) a recommendation with respect to whether the 
                pilot project should be modified, extended in duration, 
                or established as a permanent program.
    (i) Sunset.--The pilot project authorized under this section shall 
terminate on the date that is 4 years after the date on which the pilot 
project is established.
    (j) No Additional Funds.--
            (1) In general.--No additional funds are authorized to be 
        appropriated for the purpose of carrying out this Act.
            (2) Existing authorized amounts.--Funds to carry out this 
        Act may, as provided in advance in appropriations Acts, only 
        come from amounts authorized to be appropriated to the Agency.