107 S1350 IS: National Risk Management Act of 2021 U.S. Senate 2021-04-22 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

II117th CONGRESS1st SessionS. 1350IN THE SENATE OF THE UNITED STATESApril 22, 2021Ms. Hassan (for herself and Mr. Sasse) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental AffairsA BILLTo require the Secretary of Homeland Security to establish a national risk management cycle, and for other purposes.

1.

Short title

This Act may be cited as the National Risk Management Act of 2021.

2.

National risk management cycle

(a)

In general

Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.), is amended by adding at the end the following:

2218.

National risk management cycle

(a)

Definitions

In this section:(1)

Critical infrastructure

The term critical infrastructure has the meaning given the term in section 1016(e) of the Critical Infrastructures Protection Act of 2001 (42 U.S.C. 5195c(e)).(2)

National critical functions

The term national critical functions means the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.(b)

National risk management cycle

(1)

Risk identification and assessment

(A)

In general

The Secretary, acting through the Director, shall establish a process by which to identify, assess, and prioritize risks to critical infrastructure, considering both cyber and physical threats, vulnerabilities, and consequences.(B)

Consultation

In establishing the process required under subparagraph (A), the Secretary shall consult with Sector Risk Management Agencies, critical infrastructure owners and operators, and the National Cyber Director.(C)

Publication

Not later than 180 days after the date of enactment of this section, the Secretary shall publish in the Federal Register procedures for the process established under subparagraph (A).(D)

Report

The Secretary shall submit to the President, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a report on the risks identified by the process established under subparagraph (A)— (i)not later than 1 year after the date of enactment of this section; and(ii)not later than 1 year after the date on which the Secretary submits a periodic evaluation described in section 9002(b)(2) of title XC of division H of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (Public Law 116–283).(2)

National critical infrastructure resilience strategy

(A)

In general

Not later than 1 year after the date on which the Secretary delivers each report required under paragraph (1), the President shall deliver to majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a national critical infrastructure resilience strategy designed to address the risks identified by the Secretary.(B)

Elements

In each strategy delivered under subparagraph (A), the President shall—(i)identify, assess, and prioritize areas of risk to critical infrastructure that would compromise, disrupt, or impede their ability to support the national critical functions of national security, economic security, or public health and safety;(ii)assess the implementation of the previous national critical infrastructure resilience strategy, as applicable;(iii)identify and outline current and proposed national-level actions, programs, and efforts to be taken to address the risks identified;(iv)identify the Federal departments or agencies responsible for leading each national-level action, program, or effort and the relevant critical infrastructure sectors for each;(v)outline the budget plan required to provide sufficient resources to successfully execute the full range of activities proposed or described by the strategy; and(vi)request any additional authorities or resources necessary to successfully execute the strategy.(C)

Form

Each strategy delivered under subparagraph (A) shall be unclassified, but may contain a classified annex.(3)

Congressional briefing

Not later than 1 year after the date on which the President delivers a strategy under this section, and every year thereafter, the Secretary, in coordination with Sector Risk Management Agencies, shall brief the appropriate committees of Congress on the national risk management cycle activities undertaken pursuant to the strategy.

.(b)

Technical and conforming amendment

The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended by inserting after the item relating to section 2217 the following:Sec. 2218. National risk management cycle..