[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 1350 Reported in Senate (RS)]

                                                       Calendar No. 652
117th CONGRESS
  2d Session
                                S. 1350

                          [Report No. 117-261]

 To require the Secretary of Homeland Security to establish a national 
             risk management cycle, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 22, 2021

 Ms. Hassan (for herself and Mr. Sasse) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

                           December 15, 2022

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
 To require the Secretary of Homeland Security to establish a national 
             risk management cycle, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``National Risk Management 
Act of 2021''.</DELETED>

<DELETED>SEC. 2. NATIONAL RISK MANAGEMENT CYCLE.</DELETED>

<DELETED>    (a) In General.--Subtitle A of title XXII of the Homeland 
Security Act of 2002 (6 U.S.C. 651 et seq.), is amended by adding at 
the end the following:</DELETED>

<DELETED>``SEC. 2218. NATIONAL RISK MANAGEMENT CYCLE.</DELETED>

<DELETED>    ``(a) Definitions.--In this section:</DELETED>
        <DELETED>    ``(1) Critical infrastructure.--The term `critical 
        infrastructure' has the meaning given the term in section 
        1016(e) of the Critical Infrastructures Protection Act of 2001 
        (42 U.S.C. 5195c(e)).</DELETED>
        <DELETED>    ``(2) National critical functions.--The term 
        `national critical functions' means the functions of government 
        and the private sector so vital to the United States that their 
        disruption, corruption, or dysfunction would have a 
        debilitating effect on security, national economic security, 
        national public health or safety, or any combination 
        thereof.</DELETED>
<DELETED>    ``(b) National Risk Management Cycle.--</DELETED>
        <DELETED>    ``(1) Risk identification and assessment.--
        </DELETED>
                <DELETED>    ``(A) In general.--The Secretary, acting 
                through the Director, shall establish a process by 
                which to identify, assess, and prioritize risks to 
                critical infrastructure, considering both cyber and 
                physical threats, vulnerabilities, and 
                consequences.</DELETED>
                <DELETED>    ``(B) Consultation.--In establishing the 
                process required under subparagraph (A), the Secretary 
                shall consult with Sector Risk Management Agencies, 
                critical infrastructure owners and operators, and the 
                National Cyber Director.</DELETED>
                <DELETED>    ``(C) Publication.--Not later than 180 
                days after the date of enactment of this section, the 
                Secretary shall publish in the Federal Register 
                procedures for the process established under 
                subparagraph (A).</DELETED>
                <DELETED>    ``(D) Report.--The Secretary shall submit 
                to the President, the Committee on Homeland Security 
                and Governmental Affairs of the Senate, and the 
                Committee on Homeland Security of the House of 
                Representatives a report on the risks identified by the 
                process established under subparagraph (A)--</DELETED>
                        <DELETED>    ``(i) not later than 1 year after 
                        the date of enactment of this section; 
                        and</DELETED>
                        <DELETED>    ``(ii) not later than 1 year after 
                        the date on which the Secretary submits a 
                        periodic evaluation described in section 
                        9002(b)(2) of title XC of division H of the 
                        William M. (Mac) Thornberry National Defense 
                        Authorization Act for Fiscal Year 2021 (Public 
                        Law 116-283).</DELETED>
        <DELETED>    ``(2) National critical infrastructure resilience 
        strategy.--</DELETED>
                <DELETED>    ``(A) In general.--Not later than 1 year 
                after the date on which the Secretary delivers each 
                report required under paragraph (1), the President 
                shall deliver to majority and minority leaders of the 
                Senate, the Speaker and minority leader of the House of 
                Representatives, the Committee on Homeland Security and 
                Governmental Affairs of the Senate, and the Committee 
                on Homeland Security of the House of Representatives a 
                national critical infrastructure resilience strategy 
                designed to address the risks identified by the 
                Secretary.</DELETED>
                <DELETED>    ``(B) Elements.--In each strategy 
                delivered under subparagraph (A), the President shall--
                </DELETED>
                        <DELETED>    ``(i) identify, assess, and 
                        prioritize areas of risk to critical 
                        infrastructure that would compromise, disrupt, 
                        or impede their ability to support the national 
                        critical functions of national security, 
                        economic security, or public health and 
                        safety;</DELETED>
                        <DELETED>    ``(ii) assess the implementation 
                        of the previous national critical 
                        infrastructure resilience strategy, as 
                        applicable;</DELETED>
                        <DELETED>    ``(iii) identify and outline 
                        current and proposed national-level actions, 
                        programs, and efforts to be taken to address 
                        the risks identified;</DELETED>
                        <DELETED>    ``(iv) identify the Federal 
                        departments or agencies responsible for leading 
                        each national-level action, program, or effort 
                        and the relevant critical infrastructure 
                        sectors for each;</DELETED>
                        <DELETED>    ``(v) outline the budget plan 
                        required to provide sufficient resources to 
                        successfully execute the full range of 
                        activities proposed or described by the 
                        strategy; and</DELETED>
                        <DELETED>    ``(vi) request any additional 
                        authorities or resources necessary to 
                        successfully execute the strategy.</DELETED>
                <DELETED>    ``(C) Form.--Each strategy delivered under 
                subparagraph (A) shall be unclassified, but may contain 
                a classified annex.</DELETED>
        <DELETED>    ``(3) Congressional briefing.--Not later than 1 
        year after the date on which the President delivers a strategy 
        under this section, and every year thereafter, the Secretary, 
        in coordination with Sector Risk Management Agencies, shall 
        brief the appropriate committees of Congress on the national 
        risk management cycle activities undertaken pursuant to the 
        strategy.''.</DELETED>
<DELETED>    (b) Technical and Conforming Amendment.--The table of 
contents in section 1(b) of the Homeland Security Act of 2002 (Public 
Law 107-296; 116 Stat. 2135) is amended by inserting after the item 
relating to section 2217 the following:</DELETED>

<DELETED>``Sec. 2218. National risk management cycle.''.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``National Risk Management Act of 
2021''.

SEC. 2. NATIONAL RISK MANAGEMENT CYCLE.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following:

``SEC. 2218. NATIONAL RISK MANAGEMENT CYCLE.

    ``(a) National Critical Functions Defined.--In this section, the 
term `national critical functions' means the functions of government 
and the private sector so vital to the United States that their 
disruption, corruption, or dysfunction would have a debilitating effect 
on security, national economic security, national public health or 
safety, or any combination thereof.
    ``(b) National Risk Management Cycle.--
            ``(1) Risk identification and assessment.--
                    ``(A) In general.--The Secretary, acting through 
                the Director, shall establish a recurring process by 
                which to identify, assess, and prioritize risks to 
                critical infrastructure, considering both cyber and 
                physical threats, the associated likelihoods, 
                vulnerabilities, and consequences, and the resources 
                necessary to address them.
                    ``(B) Consultation.--In establishing the process 
                required under subparagraph (A), the Secretary shall 
                consult with, and request and collect information to 
                support analysis from, Sector Risk Management Agencies, 
                critical infrastructure owners and operators, the 
                Assistant to the President for National Security 
                Affairs, the Assistant to the President for Homeland 
                Security, and the National Cyber Director.
                    ``(C) Publication.--Not later than 180 days after 
                the date of enactment of this section, the Secretary 
                shall publish in the Federal Register procedures for 
                the process established under subparagraph (A), subject 
                to any redactions the Secretary determines are 
                necessary to protect classified or other sensitive 
                information.
                    ``(D) Report.--The Secretary shall submit to the 
                President, the Committee on Homeland Security and 
                Governmental Affairs of the Senate, and the Committee 
                on Homeland Security of the House of Representatives a 
                report on the risks identified by the process 
                established under subparagraph (A)--
                            ``(i) not later than 1 year after the date 
                        of enactment of this section; and
                            ``(ii) not later than 1 year after the date 
                        on which the Secretary submits a periodic 
                        evaluation described in section 9002(b)(2) of 
                        title XC of division H of the William M. (Mac) 
                        Thornberry National Defense Authorization Act 
                        for Fiscal Year 2021 (Public Law 116-283).
            ``(2) National critical infrastructure resilience 
        strategy.--
                    ``(A) In general.--Not later than 1 year after the 
                date on which the Secretary delivers each report 
                required under paragraph (1), the President shall 
                deliver to majority and minority leaders of the Senate, 
                the Speaker and minority leader of the House of 
                Representatives, the Committee on Homeland Security and 
                Governmental Affairs of the Senate, and the Committee 
                on Homeland Security of the House of Representatives a 
                national critical infrastructure resilience strategy 
                designed to address the risks identified by the 
                Secretary.
                    ``(B) Elements.--Each strategy delivered under 
                subparagraph (A) shall--
                            ``(i) identify, assess, and prioritize 
                        areas of risk to critical infrastructure that 
                        would compromise or disrupt national critical 
                        functions impacting national security, economic 
                        security, or public health and safety;
                            ``(ii) assess the implementation of the 
                        previous national critical infrastructure 
                        resilience strategy, as applicable;
                            ``(iii) identify and outline current and 
                        proposed national-level actions, programs, and 
                        efforts to be taken to address the risks 
                        identified;
                            ``(iv) identify the Federal departments or 
                        agencies responsible for leading each national-
                        level action, program, or effort and the 
                        relevant critical infrastructure sectors for 
                        each; and
                            ``(v) request any additional authorities 
                        necessary to successfully execute the strategy.
                    ``(C) Form.--Each strategy delivered under 
                subparagraph (A) shall be unclassified, but may contain 
                a classified annex.
            ``(3) Congressional briefing.--Not later than 1 year after 
        the date on which the President delivers the first strategy 
        required under paragraph (2)(A), and every year thereafter, the 
        Secretary, in coordination with Sector Risk Management 
        Agencies, shall brief the appropriate congressional committees 
        on--
                    ``(A) the national risk management cycle activities 
                undertaken pursuant to the strategy; and
                    ``(B) the amounts and timeline for funding that the 
                Secretary has determined would be necessary to address 
                risks and successfully execute the full range of 
                activities proposed by the strategy.''.
    (b) Technical and Conforming Amendment.--The table of contents in 
section 1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 
116 Stat. 2135) is amended by inserting after the item relating to 
section 2217 the following:

``Sec. 2218. National risk management cycle.''.