[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2491 Introduced in Senate (IS)]
117th CONGRESS
1st Session
S. 2491
To amend the Homeland Security Act of 2002 to establish the National
Cyber Resilience Assistance Fund, to improve the ability of the Federal
Government to assist in enhancing critical infrastructure cyber
resilience, to improve security in the national cyber ecosystem, to
address Systemically Important Critical Infrastructure, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 27, 2021
Mr. King (for himself, Mr. Rounds, and Mr. Sasse) introduced the
following bill; which was read twice and referred to the Committee on
Homeland Security and Governmental Affairs
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to establish the National
Cyber Resilience Assistance Fund, to improve the ability of the Federal
Government to assist in enhancing critical infrastructure cyber
resilience, to improve security in the national cyber ecosystem, to
address Systemically Important Critical Infrastructure, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Defense of United
States Infrastructure Act of 2021''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
TITLE I--INVESTING IN CYBER RESILIENCY IN CRITICAL INFRASTRUCTURE
Sec. 101. Establishment of the National Cyber Resilience Assistance
Fund.
TITLE II--IMPROVING THE ABILITY OF THE FEDERAL GOVERNMENT TO ASSIST IN
ENHANCING CRITICAL INFRASTRUCTURE CYBER RESILIENCE
Sec. 201. Institute a 5-year term for the cybersecurity and
infrastructure security director.
Sec. 202. Create a joint collaborative environment.
Sec. 203. Designate three critical technology security centers.
TITLE III--IMPROVING SECURITY IN THE NATIONAL CYBER ECOSYSTEM
Sec. 301. Establish a National Cybersecurity Certification and Labeling
Authority.
Sec. 302. Establish the Bureau of Cybersecurity Statistics.
Sec. 303. Secure foundational internet protocols.
TITLE IV--SYSTEMICALLY IMPORTANT CRITICAL INFRASTRUCTURE
Sec. 401. Definitions.
Sec. 402. Systemically Important Critical Infrastructure.
Sec. 403. Plan for enhancement of Systemically Important Critical
Infrastructure methodology and capability.
TITLE V--ENABLING THE NATIONAL CYBER DIRECTOR
Sec. 501. Establishment of hiring authorities for the Office of the
National Cyber Director.
TITLE I--INVESTING IN CYBER RESILIENCY IN CRITICAL INFRASTRUCTURE
SEC. 101. ESTABLISHMENT OF THE NATIONAL CYBER RESILIENCE ASSISTANCE
FUND.
(a) Sense of Congress.--It is the sense of Congress that--
(1) the United States now operates in a cyber landscape
that requires a level of data security, resilience, and
trustworthiness that neither the United States Government nor
the private sector alone is currently equipped to provide;
(2) the United States must deny benefits to adversaries who
have long exploited cyberspace to their advantage, to the
disadvantage of the United States, and at little cost to
themselves;
(3) this new approach requires securing critical networks
in collaboration with the private sector to promote national
resilience and increase the security of the cyber ecosystem;
(4) reducing the vulnerabilities adversaries can target
denies them opportunities to attack the interests of the United
States through cyberspace;
(5) the public and private sectors struggle to coordinate
cyber defenses, leaving gaps that decrease national resilience
and create systemic risk;
(6) new technology continues to emerge that further
compounds these challenges;
(7) while the Homeland Security Grant Program and
resourcing for national preparedness under the Federal
Emergency Management Agency are well-established, the United
States Government has no equivalent for cybersecurity
preparation or prevention;
(8) the lack of a consistent, resourced fund for investing
in resilience in key areas inhibits the United States
Government from conveying its understanding of risk into
strategy, planning, and action in furtherance of core
objectives for the security and resilience of critical
infrastructure;
(9) Congress has worked diligently to establish the
Cybersecurity and Infrastructure Security Agency, creating a
new agency that can leverage broad authorities to receive and
share information, provide technical assistance to operators,
and partner with stakeholders across the executive branch,
State and local communities, and the private sector;
(10) the Cybersecurity and Infrastructure Security Agency
requires strengthening in its mission to ensure the national
resilience of critical infrastructure, promote a more secure
cyber ecosystem, and serve as the central coordinating element
to support and integrate Federal, State, local, and private-
sector cybersecurity efforts; and
(11) the Cybersecurity and Infrastructure Security Agency
requires further resource investment and clear authorities to
realize its full potential.
(b) Amendments.--Subtitle A of title XXII of the Homeland Security
Act of 2002 (6 U.S.C. 651 et seq.) is amended--
(1) in section 2202(c) (6 U.S.C. 652(c))--
(A) in paragraph (11), by striking ``and'' at the
end;
(B) in the first paragraph designated as paragraph
(12), relating to the Cybersecurity State Coordinator--
(i) by striking ``section 2215'' and
inserting ``section 2217''; and
(ii) by striking ``and'' at the end; and
(C) by redesignating the second and third
paragraphs designated as paragraph (12) as paragraphs
(13) and (14), respectively;
(2) by redesignating section 2217 (6 U.S.C. 665f) as
section 2220;
(3) by redesignating section 2216 (6 U.S.C. 665e) as
section 2219;
(4) by redesignating the fourth section 2215 (relating to
Sector Risk Management Agencies) (6 U.S.C. 665d) as section
2218;
(5) by redesignating the third section 2215 (relating to
the Cybersecurity State Coordinator) (6 U.S.C. 665c) as section
2217;
(6) by redesignating the second section 2215 (relating to
the Joint Cyber Planning Office) (6 U.S.C. 665b) as section
2216; and
(7) by adding at the end the following:
``SEC. 2220A. NATIONAL CYBER RESILIENCE ASSISTANCE FUND.
``(a) Definitions.--In this section:
``(1) Cybersecurity risk.--The term `cybersecurity risk'
has the meaning given that term in section 2209.
``(2) Eligible entity.--The term `eligible entity' means an
entity that meets the guidelines and requirements for eligible
entities established by the Secretary under subsection (d)(4).
``(3) Fund.--The term `Fund' means the National Cyber
Resilience Assistance Fund established under subsection (c).
``(4) National critical functions.--The term `national
critical functions' means the functions of government and the
private sector so vital to the United States that their
disruption, corruption, or dysfunction would have a
debilitating effect on security, national economic security,
national public health or safety, or any combination thereof.
``(b) Creation of a Critical Infrastructure Resilience Strategy and
a National Risk Management Cycle.--
``(1) Initial risk identification and assessment.--
``(A) In general.--The Secretary, acting through
the Director, shall establish a process by which to
identify, assess, and prioritize risks to critical
infrastructure, considering both cyber and physical
threats, vulnerabilities, and consequences.
``(B) Consultation.--In establishing the process
required under subparagraph (A), the Secretary shall
consult with Sector Risk Management Agencies, critical
infrastructure owners and operators, and the National
Cyber Director.
``(C) Publication.--Not later than 180 days after
the date of enactment of this section, the Secretary
shall publish in the Federal Register procedures for
the process established under subparagraph (A).
``(D) Report.--Not later than 1 year after the date
of enactment of this section, the Secretary shall
submit to the President, the Committee on Homeland
Security and Governmental Affairs of the Senate, and
the Committee on Homeland Security of the House of
Representatives a report on the risks identified by the
process established under subparagraph (A).
``(2) Initial national critical infrastructure resilience
strategy.--
``(A) In general.--Not later than 1 year after the
date on which the Secretary delivers the report
required under paragraph (1)(D), the President shall
deliver to majority and minority leaders of the Senate,
the Speaker and minority leader of the House of
Representatives, the Committee on Homeland Security and
Governmental Affairs of the Senate, and the Committee
on Homeland Security of the House of Representatives a
national critical infrastructure resilience strategy
designed to address the risks identified by the
Secretary.
``(B) Elements.--In the strategy delivered under
subparagraph (A), the President shall--
``(i) identify, assess, and prioritize
areas of risk to critical infrastructure that
would compromise, disrupt, or impede the
ability of the critical infrastructure to
support the national critical functions of
national security, economic security, or public
health and safety;
``(ii) identify and outline current and
proposed national-level actions, programs, and
efforts to be taken to address the risks
identified;
``(iii) identify the Federal departments or
agencies responsible for leading each national-
level action, program, or effort and the
relevant critical infrastructure sectors for
each;
``(iv) outline the budget plan required to
provide sufficient resources to successfully
execute the full range of activities proposed
or described by the strategy; and
``(v) request any additional authorities or
resources necessary to successfully execute the
strategy.
``(C) Form.--The strategy delivered under
subparagraph (A) shall be unclassified, but may contain
a classified annex.
``(3) Congressional briefing.--Not later than 1 year after
the date on which the President delivers the strategy under
subparagraph (A), and every year thereafter, the Secretary, in
coordination with Sector Risk Management Agencies, shall brief
the appropriate congressional committees on the national risk
management cycle activities undertaken pursuant to the
strategy.
``(4) Five year risk management cycle.--
``(A) Risk identification and assessment.--Under
procedures established by the Secretary, the Secretary
shall repeat the conducting and reporting of the risk
identification and assessment required under paragraph
(1), in accordance with the requirements in paragraph
(1), every 5 years.
``(B) Strategy.--Under procedures established by
the President, the President shall repeat the
preparation and delivery of the critical infrastructure
resilience strategy required under paragraph (2), in
accordance with the requirements in paragraph (2),
every 5 years, which shall also include assessing the
implementation of the previous national critical
infrastructure resilience strategy.
``(c) Establishment of the National Cyber Resilience Assistance
Fund.--There is established in the Treasury of the United States a
fund, to be known as the `National Cyber Resilience Assistance Fund',
which shall be available for the cost of risk-based grant programs
focused on systematically increasing the resilience of public and
private critical infrastructure against cybersecurity risk, thereby
increasing the overall resilience of the United States.
``(d) Administration of Grants From the National Cyber Resilience
Assistance Fund.--
``(1) In general.--In accordance with this section, the
Secretary, acting through the Administrator of the Federal
Emergency Management Agency and the Director, shall develop and
administer processes to--
``(A) establish focused grant programs to address
identified areas of cybersecurity risk to, and bolster
the resilience of, critical infrastructure;
``(B) accept and evaluate applications for each
such grant program;
``(C) award grants under each such grant program;
and
``(D) disburse amounts from the Fund.
``(2) Establishment of risk-focused grant programs.--
``(A) Establishment.--
``(i) In general.--The Secretary, acting
through the Director and the Administrator of
the Federal Emergency Management Agency, may
establish not less than 1 grant program focused
on mitigating an identified category of
cybersecurity risk identified under the
national risk management cycle and critical
infrastructure resilience strategy under
subsection (b) in order to bolster the
resilience of critical infrastructure within
the United States.
``(ii) Selection of focus area.--Before
selecting a focus area for a grant program
pursuant to this subparagraph, the Director
shall ensure--
``(I) there is a clearly defined
cybersecurity risk identified through
the national risk management cycle and
critical infrastructure resilience
strategy under subsection (b) to be
mitigated;
``(II) market forces do not provide
sufficient private-sector incentives to
mitigate the risk without Government
investment; and
``(III) there is clear Federal
need, role, and responsibility to
mitigate the risk in order to bolster
the resilience of critical
infrastructure.
``(B) Funding.--
``(i) Recommendation.--Beginning in the
first fiscal year following the establishment
of the Fund and each fiscal year thereafter,
the Director shall--
``(I) assess the funds available in
the Fund for the fiscal year; and
``(II) recommend to the Secretary
the total amount to be made available
from the Fund under each grant program
established under this subsection.
``(ii) Allocation.--After considering the
recommendations made by the Director under
clause (i) for a fiscal year, the Director
shall allocate amounts from the Fund to each
active grant program established under this
subsection for the fiscal year.
``(3) Use of funds.--Amounts in the Fund shall be used to
mitigate risks identified through the national risk management
cycle and critical infrastructure resilience strategy under
subsection (b).
``(4) Eligible entities.--
``(A) Guidelines and requirements.--
``(i) In general.--In accordance with
clause (ii), the Secretary shall submit to the
Committee on Homeland Security and Governmental
Affairs and the Committee on Appropriations of
the Senate and the Committee on Homeland
Security and the Committee on Appropriations of
the House of Representatives a set of
guidelines and requirements for determining the
entities that are eligible entities.
``(ii) Deadlines.--The Secretary shall
submit the guidelines and requirements under
clause (i)--
``(I) not later than 180 days after
the date of enactment of this section,
and every 2 years thereafter; and
``(II) not later than 30 days
before the date on which the Secretary
implements the guidelines and
requirements.
``(B) Considerations.--In developing guidelines and
requirements for eligible entities under subparagraph
(A), the Secretary shall consider--
``(i) number of employees;
``(ii) annual revenue;
``(iii) existing entity cybersecurity
spending;
``(iv) current cyber risk assessments,
including credible threats, vulnerabilities,
and consequences; and
``(v) entity capacity to invest in
mitigating cybersecurity risk absent assistance
from the Federal Government.
``(5) Limitation.--For any fiscal year, an eligible entity
may not receive more than 1 grant from each grant program
established under this subsection.
``(6) Grant processes.--The Secretary, acting through the
Administrator of the Federal Emergency Management Agency, shall
require the submission of such information as the Secretary
determines is necessary to--
``(A) evaluate a grant application against the
criteria established under this section;
``(B) disburse grant funds;
``(C) provide oversight of disbursed grant funds;
and
``(D) evaluate the effectiveness of the funded
project in increasing the overall resilience of the
United States with respect to cybersecurity risks.
``(7) Grant criteria.--For each grant program established
under this subsection, the Director, in coordination with the
Administrator of the Federal Emergency Management Agency, shall
develop and publish criteria for evaluating applications for
funding, which shall include--
``(A) whether the application identifies a clearly
defined cybersecurity risk;
``(B) whether the cybersecurity risk identified in
the grant application poses a substantial threat to
critical infrastructure;
``(C) whether the application identifies a program
or project clearly designed to mitigate a cybersecurity
risk;
``(D) the potential consequences of leaving the
identified cybersecurity risk unmitigated, including
the potential impact to the critical functions and
overall resilience of the nation; and
``(E) other appropriate factors identified by the
Director.
``(8) Evaluation of grants applications.--
``(A) In general.--Utilizing the criteria
established under paragraph (7), the Director, in
coordination with the Administrator of the Federal
Emergency Management Agency, shall evaluate grant
applications made under each grant program established
under this subsection.
``(B) Recommendation.--Following the evaluations
required under subparagraph (A), the Director shall
recommend to the Secretary applications for approval,
including the amount of funding recommended for each
such approval.
``(9) Award of grant funding.--The Secretary shall--
``(A) review the recommendations of the Director
prepared pursuant to paragraph (8); and
``(B) provide a final determination of grant awards
to the Administrator of the Federal Emergency
Management Agency to be disbursed and administered
under the process established under paragraph (6).
``(e) Evaluation of Grant Programs Utilizing the National Cyber
Resilience Assistance Fund.--
``(1) Evaluation.--The Secretary shall establish a process
to evaluate the effectiveness and efficiency of grants
distributed under this section and develop appropriate updates,
as needed, to the grant programs.
``(2) Annual report.--Not later than 180 days after the
conclusion of the first fiscal year in which grants are awarded
under this section, and every fiscal year thereafter, the
Secretary shall submit to the Committee on Homeland Security
and Governmental Affairs and the Committee on Appropriations of
the Senate and the Committee on Homeland Security and the
Committee on Appropriations of the House of Representatives a
report detailing the grants awarded from the Fund, the status
of projects undertaken with the grant funds, any planned
changes to the disbursement methodology of the Fund,
measurements of success, and total outlays from the Fund.
``(3) Grant program review.--
``(A) Annual assessment.--Before the start of the
second fiscal year in which grants are awarded under
this section, and every fiscal year thereafter, the
Director shall assess the grant programs established
under this section and determine--
``(i) for the coming fiscal year--
``(I) whether new grant programs
with additional focus areas should be
created;
``(II) whether any existing grant
program should be discontinued; and
``(III) whether the scope of any
existing grant program should be
modified; and
``(ii) the success of the grant programs in
the prior fiscal year.
``(B) Submission to congress.--Not later than 90
days before the start of the second fiscal year in
which grants are awarded under this section, and every
fiscal year thereafter, the Secretary shall submit to
the Committee on Homeland Security and Governmental
Affairs and the Committee on Appropriations of the
Senate and the Committee on Homeland Security and the
Committee on Appropriations of the House of
Representatives the assessment conducted pursuant to
subparagraph (A) and any planned alterations to the
grant program for the coming fiscal year.
``(f) Limitation on Use of Grant Funds.--Funds awarded pursuant to
this section--
``(1) shall supplement and not supplant State or local
funds or, as applicable, funds supplied by the Bureau of Indian
Affairs; and
``(2) may not be used--
``(A) to provide any Federal cost-sharing
contribution on behalf of a State or local government;
``(B) to pay a ransom;
``(C) by or for a non-United States entity; or
``(D) for any recreational or social purpose.
``(g) Authorization of Appropriations.--There are authorized to be
appropriated to carry out this section $75,000,000 for each of fiscal
years 2022 through 2026.
``(h) Transfers Authorized.--During a fiscal year, the Secretary or
the head of any component of the Department that administers the State
and Local Cybersecurity Grant Program may transfer not more than 5
percent of the amounts appropriated pursuant to subsection (g) or other
amounts appropriated to carry out the National Cyber Resilience
Assistance Fund for that fiscal year to an account of the Department
for salaries, expenses, and other administrative costs incurred for the
management, administration, or evaluation of this section.''.
(c) Technical and Conforming Amendments.--
(1) Table of contents.--The table of contents in section
1(b) of the Homeland Security Act of 2002 (Public Law 107-296;
116 Stat. 2135) is amended by striking the item relating to
section 2214 and all that follows through the item relating to
section 2217 and inserting the following:
``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint Cyber Planning Office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity education and training programs.
``Sec. 2220A. National Cyber Resilience Assistance Fund.''.
(2) Additional technical amendment.--
(A) Amendment.--Section 904(b)(1) of the DOTGOV Act
of 2020 (title IX of division U of Public Law 116-260)
is amended, in the matter preceding subparagraph (A),
by striking ``Homeland Security Act'' and inserting
``Homeland Security Act of 2002''.
(B) Effective date.--The amendment made by
subparagraph (A) shall take effect as if enacted as
part of the DOTGOV Act of 2020 (title IX of division U
of Public Law 116-260).
TITLE II--IMPROVING THE ABILITY OF THE FEDERAL GOVERNMENT TO ASSIST IN
ENHANCING CRITICAL INFRASTRUCTURE CYBER RESILIENCE
SEC. 201. INSTITUTE A 5-YEAR TERM FOR THE CYBERSECURITY AND
INFRASTRUCTURE SECURITY DIRECTOR.
(a) In General.--Subsection (b)(1) of section 2202 of the Homeland
Security Act of 2002 (6 U.S.C. 652) is amended by inserting ``The
Director shall be appointed for a term of 5 years.'' after ``who shall
report to the Secretary.''.
(b) Transition Rules.--The amendment made by subsection (a) shall
take effect on the earlier of--
(1) the first appointment of an individual to the position
of Director of the Cybersecurity and Infrastructure Protection
Agency of the Department of Homeland Security, by and with the
advice and consent of the Senate, that is made on or after the
date of enactment of this Act; or
(2) January 1, 2022.
SEC. 202. CREATE A JOINT COLLABORATIVE ENVIRONMENT.
(a) In General.--The Director of the Cybersecurity and
Infrastructure Security Agency shall establish a joint, cloud-based,
information sharing environment to--
(1) integrate the Federal Government's unclassified and
classified cyber threat information, malware forensics, and
data related to cybersecurity risks (as defined in section 2209
of the Homeland Security Act of 2002 (6 U.S.C. 659)) that is
derived from network sensor programs;
(2) enable cross-correlation of threat data at the speed
and scale necessary for rapid detection and identification;
(3) enable query and analysis by appropriate operators
across the Federal Government;
(4) facilitate a whole-of-Government, comprehensive
understanding of the cyber threats to the resilience of the
Federal Government and national critical infrastructure
networks;
(5) enable and support the private-public cybersecurity
collaboration efforts of the Federal Government, whose
successes will be directly dependent on the accuracy,
comprehensiveness, and timeliness of threat information
collected and held by the Federal Government; and
(6) enable data curation for artificial intelligence models
and provide an environment to enable the Federal Government to
curate data and build applications.
(b) Development.--
(1) Initial evaluation.--Not later than 180 days after the
date of enactment of this Act, the Director of the
Cybersecurity and Infrastructure Security Agency, in
coordination with the Director shall--
(A) identify all Federal sources of classified and
unclassified cyber threat information;
(B) evaluate all programs, applications, or
platforms of the Federal Government that are intended
to detect, identify, analyze, or monitor cyber threats
against the resiliency of the Federal Government or
critical infrastructure; and
(C) submit a recommendation to the President
identifying Federal programs to be designated and
required to participate in the Information Sharing
Environment, including--
(i) Government network-monitoring and
intrusion detection programs;
(ii) cyber threat indicator-sharing
programs and Government-sponsored network
sensors or network-monitoring programs for the
private sector or for State, local, tribal, and
territorial governments;
(iii) incident response and cybersecurity
technical assistance programs; and
(iv) malware forensics and reverse-
engineering programs.
(2) Designation of participating programs.--Not later than
60 days after completion of the evaluation required under
paragraph (1), the President shall issue a determination
designating the departments, agencies, Federal programs, and
corresponding systems and assets that are required to be a part
of the Information Sharing Environment.
(3) Design.--Not later than 1 year after completion of the
evaluation required under paragraph (1), the Director of the
Cybersecurity and Infrastructure Security Agency, in
consultation with the Director, shall design the structure of a
common platform for sharing and fusing existing Government
information, insights, and data related to cyber threats and
threat actors, which, at a minimum, shall--
(A) account for appropriate data standards and
interoperability requirements;
(B) enable integration of existing applications,
platforms, data, and information, to include classified
information;
(C) ensure access by such Federal departments and
agencies as the Director of the Cybersecurity and
Infrastructure Security Agency determines necessary;
(D) account for potential private sector
participation and partnerships;
(E) enable unclassified data to be integrated with
classified data;
(F) anticipate the deployment of analytic tools
across classification levels to leverage all relevant
data sets, as appropriate;
(G) identify tools and analytical software that can
be applied and shared to manipulate, transform, and
display data and other identified needs;
(H) anticipate the integration of new technologies
and data streams, including data related to
cybersecurity risks derived from Government-sponsored
voluntary network sensors or network-monitoring
programs for the private sector or for State, local,
Tribal, and territorial governments; and
(I) appropriately account for departments,
agencies, programs, and systems and assets determined
to be required to participate by the President under
paragraph (2) in the Information Sharing Environment.
(c) Operation.--The Information Sharing Environment shall be
managed by the Director of the Cybersecurity and Infrastructure
Security Agency.
(d) Post-Deployment Assessment.--Not later than 1 year after the
date on which the Information Sharing Environment is established, the
Director of the Cybersecurity and Infrastructure Security Agency and
the Director shall assess the means by which the Information Sharing
Environment may be expanded to include the private sector and critical
infrastructure information sharing organizations and, to the maximum
extent practicable, begin the process of such expansion.
(e) Private Sector Sharing Information Sharing Protections.--To the
extent any private entity shares cyber threat indicators and defensive
measures through or with the Information Sharing Environment and in a
manner that is consistent with all requirements under section 1752 of
the William M. (Mac) Thornberry National Defense Authorization Act for
Fiscal Year 2021 (6 U.S.C. 1500), the Cybersecurity Information Sharing
Act of 2015 (6 U.S.C. 1501 et seq.), and any applicable guidelines
promulgated under subsection (f), such activities shall be considered
to be authorized by and in accordance with section 1752 of the William
M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year
2021 and the Cybersecurity Information Sharing Act of 2015.
(f) Privacy and Civil Liberties.--
(1) Guidelines of attorney general.--Not later than 60 days
after the date of enactment of this Act, the Secretary of
Homeland Security (acting through the Director of the
Cybersecurity and Infrastructure Security Agency) and the
Attorney General, shall jointly, and in coordination with heads
of the appropriate Federal entities and in consultation with
officers designated under section 1062 of the National Security
Intelligence Reform Act of 2004 (42 U.S.C. 2000ee-1), develop,
submit to Congress, and make available to the public interim
guidelines relating to privacy and civil liberties which shall
govern the receipt, retention, use, and dissemination of cyber
threat indicators by a Federal entity obtained in connection
with activities authorized in this section.
(2) Final guidelines.--
(A) In general.--Not later than 180 days after the
date of enactment of this Act, the Secretary of
Homeland Security (acting through the Director of the
Cybersecurity and Infrastructure Security Agency) and
the Attorney General, shall jointly, in coordination
with heads of the appropriate Federal entities and in
consultation with officers designated under section
1062 of the National Security Intelligence Reform Act
of 2004 (42 U.S.C. 2000ee-1) and such private entities
with industry expertise as the Secretary and the
Attorney General consider relevant, promulgate final
guidelines relating to privacy and civil liberties
which shall govern the receipt, retention, use, and
dissemination of cyber threat indicators by a Federal
entity obtained in connection with activities
authorized in this section.
(B) Periodic review.--The Secretary of Homeland
Security (acting through the Director of the
Cybersecurity and Infrastructure Security Agency) and
the Attorney General, shall jointly, in coordination
with heads of the appropriate Federal entities and in
consultation with officers and private entities
described in subparagraph (A), periodically, but not
less frequently than once every 2 years, review the
guidelines promulgated under subparagraph (A).
(3) Content.--The guidelines required by paragraphs (1) and
(2) shall, consistent with the need to bolster the resilience
of information systems and mitigate cybersecurity threats--
(A) limit the effect on privacy and civil liberties
of activities by the Federal Government under this
section;
(B) limit the receipt, retention, use, and
dissemination of cyber threat indicators containing
personal information or information that identifies
specific persons, including by establishing--
(i) a process for the timely destruction of
such information that is known not to be
directly related to uses authorized under this
section; and
(ii) specific limitations on the length of
any period in which a cyber threat indicator
may be retained;
(C) include requirements to safeguard cyber threat
indicators containing personal information or
information that identifies specific persons from
unauthorized access or acquisition, including
appropriate sanctions for activities by officers,
employees, or agents of the Federal Government in
contravention of such guidelines;
(D) include procedures for notifying entities and
Federal entities if information received pursuant to
this subsection is known or determined by a Federal
entity receiving such information not to constitute a
cyber threat indicator;
(E) protect the confidentiality of cyber threat
indicators containing personal information or
information that identifies specific persons to the
greatest extent practicable and require recipients to
be informed that such indicators may only be used for
purposes authorized under this section; and
(F) include steps that may be needed so that
dissemination of cyber threat indicators is consistent
with the protection of classified and other sensitive
national security information.
(g) Oversight of Government Activities.--
(1) Biennial report on privacy and civil liberties.--Not
later than 2 years after the date of enactment of this Act, and
not less frequently than once every year thereafter, the
Privacy and Civil Liberties Oversight Board shall submit to
Congress and the President a report providing--
(A) an assessment of the effect on privacy and
civil liberties by the type of activities carried out
under this section; and
(B) an assessment of the sufficiency of the
guidelines established pursuant to subsection (f) in
addressing concerns relating to privacy and civil
liberties.
(2) Biennial report by inspectors general.--
(A) In general.--Not later than 2 years after the
date of enactment of this Act, and not less frequently
than once every 2 years thereafter, the Inspector
General of the Department of Homeland Security, the
Inspector General of the Intelligence Community, the
Inspector General of the Department of Justice, the
Inspector General of the Department of Defense, and the
Inspector General of the Department of Energy shall, in
consultation with the Council of Inspectors General on
Integrity and Efficiency, jointly submit to Congress a
report on the receipt, use, and dissemination of cyber
threat indicators and defensive measures that have been
shared with Federal entities under this section.
(B) Contents.--Each report submitted under
subparagraph (A) shall include the following:
(i) A review of the types of cyber threat
indicators shared with Federal entities.
(ii) A review of the actions taken by
Federal entities as a result of the receipt of
such cyber threat indicators.
(iii) A list of Federal entities receiving
such cyber threat indicators.
(iv) A review of the sharing of such cyber
threat indicators among Federal entities to
identify inappropriate barriers to sharing
information.
(3) Recommendations.--Each report submitted under this
subsection may include such recommendations as the Privacy and
Civil Liberties Oversight Board, with respect to a report
submitted under paragraph (1), or the Inspectors General
referred to in paragraph (2)(A), with respect to a report
submitted under paragraph (2), may have for improvements or
modifications to the authorities under this section.
(4) Form.--Each report required under this subsection shall
be submitted in unclassified form, but may include a classified
annex.
(h) Authorization of Appropriations.--There are authorized to be
appropriated to carry out this section $100,000,000 for each of fiscal
years 2022 through 2026.
(i) Definitions.--In this section:
(1) Critical infrastructure.--The term ``critical
infrastructure'' has the meaning given that term in section
1016(e) of the Critical Infrastructure Protection Act of 2001
(42 U.S.C. 5195c(e)).
(2) Director.--The term ``Director'' means the National
Cyber Director.
(3) Information sharing environment.--The term
``Information Sharing Environment'' means the information
sharing environment established under subsection (a).
SEC. 203. DESIGNATE THREE CRITICAL TECHNOLOGY SECURITY CENTERS.
(a) In General.--Section 307(b)(3) of the Homeland Security Act of
2002 (6 U.S.C. 187(b)(3)) is amended--
(1) in the matter preceding subparagraph (A), by inserting
``national laboratories,'' before ``and universities'';
(2) in subparagraph (C), by striking ``and'' at the end;
(3) in subparagraph (D), by striking the period at the end
and inserting ``; and''; and
(4) by adding at the end the following:
``(E) establish not less than 1, and not more than
3, cybersecurity-focused critical technology security
centers, in order to bolster the overall resilience of
the networks and critical infrastructure of the United
States, to perform--
``(i) network technology security testing,
to test the security of cyber-related hardware
and software;
``(ii) connected industrial control system
security testing, to test the security of
connected programmable data logic controllers,
supervisory control and data acquisition
servers, and other cyber connected industrial
equipment; and
``(iii) open source software security
testing, to test and coordinate efforts to fix
vulnerabilities in open-source software.''.
(b) Authorization of Appropriations.--There are authorized to be
appropriated to carry out the amendments made by this section
$15,000,000 for each of fiscal years 2022 through 2026.
TITLE III--IMPROVING SECURITY IN THE NATIONAL CYBER ECOSYSTEM
SEC. 301. ESTABLISH A NATIONAL CYBERSECURITY CERTIFICATION AND LABELING
AUTHORITY.
(a) Definitions.--In this section:
(1) Accredited certifying agent.--The term ``accredited
certifying agent'' means any person who is accredited by the
Authority as a certifying agent for the purposes of certifying
a specific class of critical information and communications
technology.
(2) Authority.--The term ``Authority'' means the National
Cybersecurity Certification and Labeling Authority established
under subsection (b)(1).
(3) Certification.--The term ``certification'' means a seal
or symbol provided by the Authority or an accredited certifying
agent, that results from passage of a comprehensive evaluation
of an information and communications technology that
establishes the extent to which a particular design and
implementation meets a set of specified security standards.
(4) Critical information and communications technology.--
The term ``critical information and communications technology''
means information and communications technology that is in use
in critical infrastructure sectors and that underpins the
resilience of national critical functions, as determined by the
Secretary.
(5) Critical infrastructure.--The term ``critical
infrastructure'' has the meaning given that term in section
1016(e) of the Critical Infrastructure Protection Act of 2001
(42 U.S.C. 5195c(e)).
(6) Label.--The term ``label'' means a clear, visual, and
easy to understand symbol or list that conveys specific
information about a product's security attributes,
characteristics, functionality, components, or other features.
(7) Program.--The term ``Program'' means the program
administered under subsection (b)(1).
(8) Secretary.--The term ``Secretary'' means the Secretary
of Homeland Security.
(b) National Cybersecurity Certification and Labeling Authority.--
(1) Establishment.--There is established a National
Cybersecurity Certification and Labeling Authority for the
purpose of establishing and administering a voluntary national
cybersecurity certification and labeling program for critical
information and communications technology in order to bolster
the resilience of the networks and critical infrastructure of
the United States.
(2) Programs.--
(A) Accreditation of certifying agents.--As part of
the Program, the Authority shall define and publish a
process whereby governmental and nongovernmental
entities may apply to become accredited certifying
agents for the certification of specific critical
information and communications technology, including--
(i) smartphones;
(ii) tablets;
(iii) laptop computers;
(iv) operating systems;
(v) routers;
(vi) software-as-a-service;
(vii) infrastructure-as-a-service;
(viii) platform-as-a-service;
(ix) programmable logic controllers;
(x) intelligent electronic devices; and
(xi) programmable automation controllers.
(B) Identification of standards, frameworks, and
benchmarks.--As part of the Program, the Authority
shall work in coordination with accredited certifying
agents, the Secretary, and subject matter experts from
the Federal Government, academia, nongovernmental
organizations, and the private sector to identify and
harmonize common security standards, frameworks, and
benchmarks against which the security of critical
information and communications technologies may be
measured.
(C) Product certification.--As part of the Program,
the Authority, in consultation with the Secretary and
other experts from the Federal Government, academia,
nongovernmental organizations, and the private sector,
shall--
(i) develop, and disseminate to accredited
certifying agents, guidelines to standardize
the presentation of certifications to
communicate the level of security for critical
information and communications technologies;
(ii) develop, or permit accredited
certifying agents to develop, certification
criteria for critical information and
communications technologies based on identified
security standards, frameworks, and benchmarks,
through the work conducted under subparagraph
(B);
(iii) issue, or permit accredited
certifying agents to issue, certifications for
critical information and communications
technology that meet and comply with security
standards, frameworks, and benchmarks
identified through the work conducted under
subparagraph (B);
(iv) permit a manufacturer or distributor
of critical information and communications
technology to display a certificate reflecting
the extent to which the critical information
and communications technology meets security
standards, frameworks, and benchmarks
identified through the work conducted under
subparagraph (B);
(v) remove the certification of a critical
information and communications technology as a
critical information and communications
technology certified under the Program if the
manufacturer of the certified critical
information and communications technology falls
out of conformity with the security standards,
frameworks, or benchmarks identified through the
work conducted under subparagraph (B) for the
critical information and communications
technology;
(vi) work to enhance public awareness of
the certification and labeling efforts of the
Authority and accredited certifying agents,
including through public outreach, education,
research and development, and other means; and
(vii) publicly display a list of labels and
certified critical information and
communications technology, along with their
respective certification information.
(D) Certifications.--
(i) In general.--A certification shall
remain valid for 1 year from the date of
issuance.
(ii) Classes of certification.--In
developing the guidelines and criteria required
under subparagraph (C)(i), the Authority shall
designate at least 3 classes of certifications,
including the following:
(I) For critical information and
communications technology which the
product manufacturer or service
provider attests meets the criteria for
a certification, attestation-based
certification.
(II) For critical information and
communications technology products and
services that have undergone third-
party accreditation of criteria for
certification, accreditation-based
certification.
(III) For critical information and
communications technology that has
undergone a security evaluation and
testing process by a qualifying third
party, as determined by the Authority,
test-based certification.
(E) Product labeling.--The Authority, in
consultation with the Secretary and other experts from
the Federal Government, academia, nongovernmental
organizations, and the private sector, shall--
(i) collaborate with the private sector to
standardize language and define a labeling
schema to provide transparent information on
the security characteristics and constituent
components of a software or hardware product;
and
(ii) establish a mechanism by which product
developers can provide this information for
both product labeling and public posting.
(3) Enforcement.--
(A) In general.--It shall be unlawful for a product
manufacturer, distributor, or seller to--
(i) falsely attest to, or falsify an audit
or test for, a security standard, framework, or
benchmark for certification;
(ii) intentionally mislabel a product; or
(iii) fail to maintain the security
standard, framework, or benchmark to which the
manufacturer, distributor, or seller attested.
(B) Enforcement by federal trade commission.--
(i) Unfair or deceptive acts or
practices.--A violation of subparagraph (A)
shall be treated as an unfair and deceptive act
or practice in violation of a regulation under
section 18(a)(1)(B) of the Federal Trade
Commission Act (15 U.S.C. 57a(a)(1)(B))
regarding unfair or deceptive acts or
practices.
(ii) Powers of commission.--
(I) In general.--The Federal Trade
Commission shall enforce this paragraph
in the same manner, by the same means,
and with the same jurisdiction, powers,
and duties as though all applicable
terms and provisions of the Federal
Trade Commission Act (15 U.S.C. 41 et
seq.) were incorporated into and made a
part of this paragraph.
(II) Privileges and immunities.--
Any person who violates this paragraph
shall be subject to the penalties and
entitled to the privileges and
immunities provided in the Federal
Trade Commission Act (15 U.S.C. 41 et
seq.).
(c) Selection of the Authority.--
(1) Selection.--The Secretary shall issue a notice of
funding opportunity and select, on a competitive basis, a
nonprofit, nongovernmental organization to serve as the
Authority for a period of 5 years.
(2) Eligibility for selection.--The Secretary may only
select an organization to serve as the Authority if such
organization--
(A) is a nongovernmental, nonprofit organization
that is--
(i) exempt from taxation under section
501(a) of the Internal Revenue Code of 1986;
and
(ii) described in sections 501(c)(3) and
170(b)(1)(A)(vi) of that Code;
(B) has a demonstrable track record of work on
cybersecurity and information security standards,
frameworks, and benchmarks; and
(C) possesses requisite staffing and expertise,
with demonstrable prior experience in technology
security or safety standards, frameworks, and
benchmarks, as well as certification.
(3) Application.--The Secretary shall establish a process
by which a nonprofit, nongovernmental organization that seeks
to be selected as the Authority may apply for consideration.
(4) Program evaluation.--Not later than the date that is 4
years after the initial selection pursuant to paragraph (1), and
every 4 years thereafter, the Secretary shall--
(A) assess the effectiveness of the labels and
certificates produced by the Authority, including--
(i) assessing the costs to businesses that
manufacture critical information and
communications technology participating in the
Program;
(ii) evaluating the level of participation
in the Program by businesses that manufacture
critical information and communications
technology; and
(iii) assessing the level of public
awareness and consumer awareness of the label;
(B) audit the impartiality and fairness of the
Authority's activities conducted under this section;
(C) issue a public report on the assessment most
recently carried out under subparagraph (A) and the
audit most recently carried out under subparagraph (B);
and
(D) brief Congress on the findings of the Secretary
with respect to the most recent assessment under
subparagraph (A) and the most recent audit under
subparagraph (B).
(5) Renewal.--After the initial selection pursuant to
paragraph (1), the Secretary shall, every 5 years--
(A) accept applications from nonprofit,
nongovernmental organizations seeking selection as the
Authority; and
(B) following competitive consideration of all
applications--
(i) renew the selection of the organization
serving as the Authority; or
(ii) select another applicant organization
to serve as the Authority.
(d) Authorization of Appropriations.--There are authorized to be
appropriated to carry out this section $25,000,000 for each of fiscal
years 2022 through 2026.
SEC. 302. ESTABLISH THE BUREAU OF CYBERSECURITY STATISTICS.
(a) Definitions.--In this section:
(1) Bureau.--The term ``Bureau'' means the Bureau of
Cybersecurity Statistics established under subsection (b).
(2) Covered entity.--The term ``covered entity'' means any
nongovernmental organization, corporation, trust, partnership,
sole proprietorship, unincorporated association, or venture
(without regard to whether it is established for profit) that
is engaged in or affecting interstate commerce and that
provides cybersecurity incident response services or
cybersecurity insurance products.
(3) Cyber incident.--The term ``cyber incident'' includes
each of the following:
(A) Unauthorized access to an information system or
network that leads to loss of confidentiality,
integrity, or availability of that information system
or network.
(B) Disruption of business operations due to a
distributed denial of service attack against an
information system or network.
(C) Unauthorized access or disruption of business
operations due to loss of service facilitated through,
or caused by a cloud service provider, managed service
provider, or other data hosting provider.
(D) Fraudulent or malicious use of a cloud service
account, data hosting account, internet service
account, or any other digital service.
(4) Director.--The term ``Director'' means the Director of
the Bureau.
(5) Statistical purpose.--The term ``statistical
purpose''--
(A) means the description, estimation, or analysis
of the characteristics of groups, without identifying
the individuals or organizations that comprise such
groups; and
(B) includes the development, implementation, or
maintenance of methods, technical or administrative
procedures, or information resources that support the
purposes described in subsection (e).
(b) Establishment.--There is established within the Department of
Homeland Security a Bureau of Cybersecurity Statistics.
(c) Director.--
(1) In general.--The Bureau shall be headed by a Director,
who shall--
(A) report to the Secretary of Homeland Security;
and
(B) be appointed by the President.
(2) Authority.--The Director shall--
(A) have final authority for all cooperative
agreements and contracts awarded by the Bureau;
(B) be responsible for the integrity of data and
statistics collected or issued by the Bureau; and
(C) protect against improper or illegal use or
disclosure of information furnished for exclusively
statistical purposes under this section, consistent
with the requirements of subsection (f).
(3) Qualifications.--The Director--
(A) shall have experience in statistical programs;
and
(B) shall not--
(i) engage in any other employment; or
(ii) hold any office in, or act in any
capacity for, any organization, agency, or
institution with which the Bureau makes any
contract or other arrangement under this
section.
(4) Duties and functions.--The Director shall--
(A) collect and analyze information concerning
cybersecurity, including data related to cyber
incidents, cyber crime, and any other area the Director
determines appropriate;
(B) collect and analyze data that will serve as a
continuous and comparable national indication of the
prevalence, incidents, rates, extent, distribution, and
attributes of all relevant cyber incidents, as
determined by the Director, in support of national
policy and decision making;
(C) compile, collate, analyze, publish, and
disseminate uniform national cyber statistics
concerning any area that the Director determines
appropriate;
(D) in coordination with the National Institute of
Standards and Technology, recommend national standards,
metrics, and measurement criteria for cyber statistics
and for ensuring the reliability and validity of
statistics collected pursuant to this subsection;
(E) conduct or support research relating to methods
of gathering or analyzing cyber statistics;
(F) enter into cooperative agreements or contracts
with public agencies, institutions of higher education,
or private organizations for purposes related to this
subsection;
(G) provide appropriate information to the
President, the Congress, Federal agencies, the private
sector, and the general public on cyber statistics;
(H) maintain liaison with State and local
governments concerning cyber statistics;
(I) confer and cooperate with Federal statistical
agencies as needed to carry out the purposes of this
section, including by entering into cooperative data
sharing agreements in conformity with all laws and
regulations applicable to the disclosure and use of
data; and
(J) request from any person or entity information,
data, and reports as may be required to carry out the
purposes of this subsection.
(d) Furnishment of Information, Data, or Reports by Federal
Departments and Agencies.--Federal departments and agencies requested
by the Director to furnish information, data, or reports pursuant to
subsection (c)(4)(J) shall provide to the Bureau such information as
the Director determines necessary to carry out the purposes of this
section.
(e) Furnishment of Cyber Incident Information, Data, or Reports to
the Bureau by the Private Sector.--
(1) In general.--Not later than 180 days after the date of
enactment of this Act, and every 180 days thereafter, each
covered entity shall submit to the Bureau a report containing
such data and information as the Director determines necessary
to carry out the purposes of this section.
(2) Determination of data and information necessary to
carry out the purposes of this section.--Not later than 90 days
after the date of enactment of this Act, and annually
thereafter, the Director shall publish a list of data and
information determined necessary to carry out the purposes of
this section, including individual descriptions of cyber
incidents, which shall include--
(A) identification of the affected databases,
information systems, or devices that were, or are
reasonably believed to have been accessed by an
unauthorized person;
(B) where applicable, a description of the
vulnerabilities, tactics, techniques, and procedures
used;
(C) where applicable, any identifying information
related to the malicious actors who perpetrated the
incident;
(D) where applicable, any cybersecurity controls
implemented by the victim organization; and
(E) the industrial sectors, regions, and size of
affected entities (as determined by number of
employees) without providing any information that can
reasonably be expected to identify such entities.
(3) Standards for submission of information and data.--Not
later than 180 days after the date of enactment of this Act,
the Director shall, in consultation with covered entities,
develop standardized procedures for the submission of data and
information the Director determines necessary to carry out the
purposes of this section.
(4) Private sector reporting.--Not later than 90 days after
the date on which the Director develops the standards required
under paragraph (3), the Director shall--
(A) publish the processes for submission of
information, data, and reports by covered entities; and
(B) begin accepting reporting required under
paragraph (1).
(5) Regulatory use.--Information disclosed to the Bureau
under this section that is not otherwise available shall not
be used by the Federal Government or any State, local, tribal,
or territorial government to sanction or otherwise punish the
entity disclosing the information, or the entity in which the
cyber incident initially occurred.
(6) Preservation of privilege.--Disclosure of information
pursuant to this section or by a covered entity to the Bureau
shall not waive any otherwise applicable privilege, immunity,
or protection provided by law.
(7) Preservation of existing obligations.--Nothing in this
section shall modify, prevent, or abrogate any notice or
notification obligations under Federal contracts, enforceable
agreements with the government, or other Federal law.
(8) Enforcement.--
(A) Unfair or deceptive acts or practices.--
Compliance with the requirements imposed under this
subsection by covered entities shall be enforced by the
Federal Trade Commission under the Federal Trade
Commission Act (15 U.S.C. 41 et seq.). For the purpose
of the exercise by the Federal Trade Commission of its
functions and powers under the Federal Trade Commission
Act, a violation of any requirement or prohibition
imposed under this subsection shall be treated as an
unfair and deceptive act or practice in violation of a
regulation under section 18(a)(1)(B) of the Federal
Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding
unfair or deceptive acts or practices.
(B) Powers of commission.--Subject to subparagraph
(C), the Federal Trade Commission shall enforce this
subsection in the same manner, by the same means, and
with the same jurisdiction, powers, and duties as
though all applicable terms and provisions of the
Federal Trade Commission Act (15 U.S.C. 41 et seq.)
were incorporated into and made a part of this
subsection.
(C) Additional entities.--
(i) In general.--Notwithstanding sections
4, 5(a)(2), or 6 of the Federal Trade
Commission Act (15 U.S.C. 44, 45(a)(2), 46) or
any jurisdictional limitation of the Federal
Trade Commission, the Federal Trade Commission
shall also enforce this subsection, in the same
manner provided in subparagraph (A) of this
paragraph, with respect to--
(I) organizations not organized to
carry on business for their own profit
or that of their members; and
(II) common carriers subject to the
Communications Act of 1934 (47 U.S.C.
151 et seq.).
(ii) Coordination and notice.--The Federal
Trade Commission shall--
(I) coordinate with the Federal
Communications Commission regarding
enforcement of this subsection with
respect to common carriers subject to
the Communications Act of 1934 (47
U.S.C. 151 et seq.);
(II) notify the Bureau of Consumer
Financial Protection regarding
enforcement of this subsection with
respect to information associated with
the provision of financial products or
services by an entity that provides a
consumer financial product or service
(as defined in section 1002 of the
Consumer Financial Protection Act of
2010 (12 U.S.C. 5481)); and
(III) for enforcement of this
subsection with respect to matters
implicating the jurisdiction or
authorities of another Federal agency,
notify that agency as appropriate.
(D) Privileges and immunities.--Any covered entity
that violates the requirements imposed under this
subsection shall be subject to the penalties and
entitled to the privileges and immunities provided in
the Federal Trade Commission Act (15 U.S.C. 41 et
seq.).
(E) Construction.--Nothing in this paragraph shall
be construed to limit the authority of the Federal
Trade Commission under any other provision of law.
(f) Protection of Information.--
(1) In general.--No officer or employee of the Federal
Government or agent of the Federal Government may, without the
consent of the individual, entity, agency, or other person who
is the subject of the submission or provides the submission--
(A) use any submission that is furnished for
exclusively statistical purposes under this section for
any purpose other than the statistical purposes for
which the submission is furnished;
(B) make any publication or media transmittal of
the data contained in a submission described in
subparagraph (A) that permits information concerning
individual entities or individual incidents to be
reasonably inferred by either direct or indirect means;
or
(C) permit anyone other than a sworn officer,
employee, agent, or contractor of the Bureau to examine
an individual submission described in subsection (e).
(2) Immunity from legal process.--Any submission (including
any data derived from the submission) that is collected and
retained by the Bureau, or an officer, employee, agent, or
contractor of the Bureau, for exclusively statistical purposes
under this section shall be immune from the legal process and
shall not, without the consent of the individual, entity,
agency, or other person who is the subject of the submission or
provides the submission, be admitted as evidence or used for
any purpose in any action, suit, or other judicial or
administrative proceeding.
(3) Rule of construction.--Nothing in this subsection shall
be construed to provide immunity from the legal process for a
submission (including any data derived from the submission) if
the submission is in the possession of any person, agency, or
entity other than the Bureau or an officer, employee, agent,
or contractor of the Bureau, or if the submission is
independently collected, retained, or produced for purposes
other than the purposes of this section.
(g) Authorization of Appropriation.--There are authorized to be
appropriated such sums as may be necessary to carry out this section.
Such funds shall remain available until expended.
SEC. 303. SECURE FOUNDATIONAL INTERNET PROTOCOLS.
(a) Definitions.--In this section:
(1) Border gateway protocol.--The term ``border gateway
protocol'' means a protocol designed to optimize routing of
information exchanged through the internet.
(2) Domain name system.--The term ``domain name system''
means a system that stores information associated with domain
names in a distributed database on networks.
(3) Information and communications technology
infrastructure providers.--The term ``information and
communications technology infrastructure providers'' means all
systems that enable connectivity and operability of internet
service, backbone, cloud, web hosting, content delivery, domain
name system, and software-defined networks and other systems
and services.
(b) Creation of a Strategy To Secure Foundational Internet
Protocols.--
(1) Protocol security strategy.--In order to secure
foundational internet protocols, not later than December 31,
2021, the National Telecommunications and Information
Administration and the Department of Homeland Security shall
submit to Congress a strategy to secure the border gateway
protocol and the domain name system.
(2) Strategy requirements.--The strategy required under
paragraph (1) shall--
(A) articulate the security and privacy benefits of
implementing security for the border gateway protocol
and the domain name system and the burdens of
implementation and the entities on whom those burdens
will most likely fall;
(B) identify key United States and international
stakeholders;
(C) outline identified security measures that could
be used to secure or provide authentication for the
border gateway protocol and the domain name system;
(D) identify any barriers to implementing security
for the border gateway protocol and the domain name
system at scale;
(E) propose a strategy to implement identified
security measures at scale, accounting for barriers to
implementation and balancing benefits and burdens,
where feasible; and
(F) provide an initial estimate of the total cost
to the Government and implementing entities in the
private sector of implementing security for the border
gateway protocol and the domain name system and propose
recommendations for defraying these costs, if
applicable.
(3) Consultation.--In developing the strategy required
under paragraph (1), the National Telecommunications and
Information Administration and the Department of Homeland
Security shall consult with information and communications
technology infrastructure providers, civil society
organizations, relevant nonprofit organizations, and academic
experts.
TITLE IV--SYSTEMICALLY IMPORTANT CRITICAL INFRASTRUCTURE
SEC. 401. DEFINITIONS.
In this title:
(1) Appropriate congressional committees.--The term
``appropriate congressional committees'' means the Committee on
Homeland Security and Governmental Affairs of the Senate and
the Committee on Homeland Security of the House of
Representatives.
(2) Critical infrastructure.--The term ``critical
infrastructure'' has the meaning given that term in section
1016(e) of the Critical Infrastructure Protection Act of 2001
(42 U.S.C. 5195c(e)).
(3) Department.--The term ``Department'' means the
Department of Homeland Security.
(4) Entity.--The term ``entity'' means a non-Federal entity
and a private entity, as such terms are defined under section
102 of the Cybersecurity Information Sharing Act of 2015 (6
U.S.C. 1501).
(5) National critical functions.--The term ``national
critical functions'' means functions of government and the
private sector so vital to the United States that their
disruption, corruption, or dysfunction would have a
debilitating effect on security, national economic security,
national public health or safety, or any combination thereof.
(6) Secretary.--The term ``Secretary'' means the Secretary
of Homeland Security.
(7) Stakeholders.--The term ``stakeholders'' means persons
or groups whose consultation may aid the Secretary in
exercising the authority of the Secretary under this title,
including--
(A) Sector Coordinating Councils within the
Critical Infrastructure Partnership Advisory Council,
established under section 871 of the Homeland Security
Act of 2002 (6 U.S.C. 451);
(B) the State, Local, Tribal and Territorial
Government Coordinating Council, within the Critical
Infrastructure Partnership Advisory Council,
established under section 871 of the Homeland Security
Act of 2002 (6 U.S.C. 451);
(C) the Cybersecurity Advisory Committee
established under section 2219 of the Homeland Security
Act of 2002 (6 U.S.C. 665e), as so redesignated by
section 101 of this Act;
(D) the National Security Telecommunications
Advisory Committee established pursuant to Executive
Order 12382 (47 Fed. Reg. 40531); and
(E) the National Infrastructure Advisory Council,
established pursuant to Executive Order 13231 (66 Fed.
Reg. 53063).
(8) Systemically important critical infrastructure.--The
term ``Systemically Important Critical Infrastructure'' means
an entity that has been designated as such by the Secretary
through the process and procedures established under section
402.
SEC. 402. SYSTEMICALLY IMPORTANT CRITICAL INFRASTRUCTURE.
(a) In General.--The Secretary may designate entities as
Systemically Important Critical Infrastructure.
(b) Establishment of Methodology and Criteria.--Prior to
designating any entities as Systemically Important Critical
Infrastructure, the Secretary, in consultation with the National Cyber
Director, Sector Risk Management Agencies, and appropriate stakeholders,
shall develop--
(1) a methodology for identifying Systemically Important
Critical Infrastructure; and
(2) criteria for determining whether an entity qualifies as
Systemically Important Critical Infrastructure.
(c) Considerations.--In establishing criteria for determining
whether an entity qualifies as Systemically Important Critical
Infrastructure, the Secretary shall consider--
(1) the likelihood that disruption to or compromise of such
an entity could cause a debilitating effect on national
security, economic security, public health or safety, or any
combination thereof;
(2) the extent to which damage, disruption, or unauthorized
access to such an entity, either separately or collectively,
will disrupt the reliable operation of other critical
infrastructure assets, or impede provisioning of one or more
national critical functions;
(3) the extent to which national cybersecurity resilience
would be enhanced by deeper risk management integration between
Systemically Important Critical Infrastructure entities and the
Federal Government; and
(4) the extent to which compromise or unauthorized access
of such an entity could separately or collectively create
widespread compromise of the cyber ecosystem, significant
portions of critical infrastructure, or multiple critical
infrastructure sectors.
(d) List.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the Secretary shall complete an initial
list of entities designated as Systemically Important Critical
Infrastructure.
(2) Maintenance of list.--The Secretary shall maintain a
comprehensive list of entities designated as Systemically
Important Critical Infrastructure, which shall be updated
within 7 days of a change in whether an entity qualifies as
Systemically Important Critical Infrastructure.
(e) Entity Notifications.--Not later than 90 days after designating
an entity as Systemically Important Critical Infrastructure or removing
the designation of an entity as Systemically Important Critical
Infrastructure, the Secretary shall notify the entity.
(f) Congressional Notifications.--The Secretary shall--
(1) not later than 30 days after the date of any addition,
modification, or removal of an entity from the list of
Systemically Important Critical Infrastructure maintained
under subsection (d), notify the appropriate congressional
committees; and
(2) at least every 2 years, submit to the appropriate
congressional committees an updated comprehensive list of
entities designated as Systemically Important Critical
Infrastructure, in conjunction with each plan required pursuant
to section 403.
SEC. 403. PLAN FOR ENHANCEMENT OF SYSTEMICALLY IMPORTANT CRITICAL
INFRASTRUCTURE METHODOLOGY AND CAPABILITY.
(a) In General.--Not later than 180 days after the date of
enactment of this Act, and every 2 years thereafter for 10 years, the
Secretary, in consultation with Sector Risk Management Agencies and
appropriate stakeholders, shall develop and submit to the appropriate
congressional committees a plan for enhancing the methodology of the
Department for identifying Systemically Important Critical
Infrastructure, including a discussion of the progress of the
Department as of the date of submission of the plan in implementing the
plan.
(b) Contents of Plan.--
(1) In general.--The plan required under subsection (a)
shall include--
(A) the methodology and criteria used for
identifying and determining entities that qualify as
Systemically Important Critical Infrastructure as
described in section 402(b) and the analysis used to
establish such methodology and criteria;
(B) a proposed timeline for enhancing the
capabilities of the Department to expand the list
beyond the designated entities to also include
facilities, systems, assets, or other relevant units of
critical infrastructure that may further enhance the
ability to manage risk of Systemically Important
Critical Infrastructure;
(C) information regarding the outreach by the
Department to stakeholders and other Sector Risk
Management Agencies on such efforts, including
mechanisms for incorporation of industry feedback;
(D) information regarding the efforts of the
Department, and the associated challenges with such
efforts, to access information from stakeholders and
other Sector Risk Management Agencies to identify
Systemically Important Critical Infrastructure;
(E) information regarding other critical
infrastructure entity identification programs within
the Department and how they are being incorporated into
the overarching process to identify Systemically
Important Critical Infrastructure, which shall include
the efforts of the Department under section 9 of
Executive Order 13636 (78 Fed. Reg. 11739), the
National Infrastructure Prioritization Program, and
section 4 of Executive Order 14028 (86 Fed. Reg.
26633);
(F) any identified gaps in authorities or resources
required to successfully carry out the process of
identifying Systemically Important Critical
Infrastructure, including facilities, systems, assets,
or other relevant units of critical infrastructure, as
well as legislative proposals to address such gaps;
(G) an assessment of potential benefits for
entities designated as Systemically Important Critical
Infrastructure, which shall include an assessment of--
(i) enhanced intelligence support and
information sharing;
(ii) prioritized Federal technical
assistance;
(iii) liability protection for entities
designated as Systemically Important Critical
Infrastructure that conform to identified
security standards for damages or harm directly
or indirectly caused by a cyber incident;
(iv) prioritized emergency planning;
(v) benefits described in the final report
of the U.S. Cyberspace Solarium Commission,
dated March 2020; and
(vi) additional authorizations or resources
necessary to implement the benefits assessed
under this subparagraph; and
(H) an assessment of potential mechanisms to
improve the security of entities designated as
Systemically Important Critical Infrastructure, which
shall include an assessment of--
(i) risk-based cybersecurity performance
standards for all Systemically Important
Critical Infrastructure entities,
incorporating, to the greatest extent possible,
existing industry best practices, standards,
and guidelines;
(ii) sector-specific performance standards;
(iii) additional regulations to enhance the
security of Systemically Important Critical
Infrastructure against cyber risks, including
how to prevent duplicative requirements for
already regulated sectors;
(iv) cyber incident reporting requirements
for entities designated as Systemically
Important Critical Infrastructure; and
(v) additional authorizations or resources
necessary to implement the mechanisms to
improve the security of Systemically Important
Critical Infrastructure assessed under this
subparagraph.
(2) Initial plan.--The initial plan submitted under this
section shall include a detailed description of the
capabilities of the Department with respect to identifying
Systemically Important Critical Infrastructure as they were on
the date of enactment of this Act.
(c) Classified Annex.--The plan shall be in unclassified form, but
may include a classified annex, as the Secretary determines necessary.
(d) Publication.--Not later than 30 days after the date on which
the Secretary submits a plan to Congress, the Secretary shall make the
plan available to relevant stakeholders.
(e) Restriction.--Subchapter I of chapter 35 of title 44, United
States Code, shall not apply to any action to implement this section or
to any exercise of the authority of the Secretary pursuant to this
section.
TITLE V--ENABLING THE NATIONAL CYBER DIRECTOR
SEC. 501. ESTABLISHMENT OF HIRING AUTHORITIES FOR THE OFFICE OF THE
NATIONAL CYBER DIRECTOR.
Section 1752 of the William M. (Mac) Thornberry National Defense
Authorization Act for Fiscal Year 2021 (Public Law 116-283) is
amended--
(1) in subsection (e)--
(A) in paragraph (1), by inserting ``and in
accordance with paragraphs (3) through (7) of this
subsection,'' after ``and classification laws,'';
(B) in paragraph (2), by inserting
``notwithstanding paragraphs (3) through (7) of this
subsection,'' before ``employ experts'';
(C) by redesignating paragraphs (3) through (8) as
paragraphs (8) through (13), respectively; and
(D) by inserting after paragraph (2) the following:
``(3) establish, as positions in the excepted service, such
qualified positions in the Office as the Director determines
necessary to carry out the responsibilities of the Office,
appoint an individual to a qualified position (after taking
into consideration the availability of preference eligibles for
appointment to the position), and, subject to the requirements
of paragraphs (4) and (5), fix the compensation of an
individual for service in a qualified position;
``(4) fix the rates of basic pay for any qualified position
established under paragraph (3) in relation to the rates of pay
provided for employees in comparable positions in the Office,
in which the employee occupying the comparable position
performs, manages, or supervises functions that execute the
mission of the Office, and, subject to the same limitations on
maximum rates of pay and consistent with section 5341 of title
5, United States Code, adopt such provisions of that title to
provide for prevailing rate systems of basic pay and apply
those provisions to qualified positions for employees in or
under which the Office may employ individuals described by
section 5342(a)(2)(A) of such title;
``(5) employ an officer or employee of the United States or
member of the Armed Forces detailed to the staff of the Office
on a non-reimbursable basis--
``(A) as jointly agreed to by the heads of the
receiving and detailing elements, for a period not to
exceed 3 years;
``(B) which shall not be construed to limit any
other source of authority for reimbursable or non-
reimbursable details; and
``(C) which shall not be considered an augmentation
of the appropriations of the receiving element of the
Office;
``(6) provide--
``(A) employees in qualified positions compensation
(in addition to basic pay), including benefits,
incentives, and allowances, consistent with, and not in
excess of the level authorized for, comparable
positions authorized by title 5, United States Code;
and
``(B) employees in a qualified position whose rate
of basic pay is fixed under paragraph (4) an allowance
under section 5941 of title 5, United States Code, on
the same basis and to the same extent as if the
employee was an employee covered by such section,
including eligibility conditions, allowance rates, and
all other terms and conditions in law or regulation;
``(7) establish a fellowship program to facilitate a talent
exchange program between the private sector and the Office to
arrange, with the agreement of a private sector organization
and the consent of the employee, for the temporary assignment
of an employee to the private sector organization, or from the
private sector organization to the Office;''; and
(2) in subsection (g)--
(A) by redesignating paragraphs (3) through (6) as
paragraphs (4) through (7), respectively;
(B) by inserting after paragraph (2) the following:
``(3) The term `excepted service' has the meaning given
that term in section 2103 of title 5, United States Code.'';
and
(3) by adding at the end the following:
``(8) The term `preference eligible' has the meaning given
that term in section 2108(3) of title 5, United States Code.
``(9) The term `qualified position' means a position,
designated by the Director for the purpose of this section, in
which the individual occupying such position performs, manages,
or supervises functions that execute the responsibilities of
the Office.''.