<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Introduced-in-Senate" dms-id="A1" public-private="public" slc-id="S1-HEN21A13-K2P-4F-DRV">
<metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>117 S2491 IS: Defense of United States Infrastructure Act of 2021</dc:title>
<dc:publisher>U.S. Senate</dc:publisher>
<dc:date>2021-07-27</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
<distribution-code display="yes">II</distribution-code>
<congress>117th CONGRESS</congress><session>1st Session</session>
<legis-num>S. 2491</legis-num>
<current-chamber>IN THE SENATE OF THE UNITED STATES</current-chamber>
<action>
<action-date date="20210727">July 27, 2021</action-date>
<action-desc><sponsor name-id="S363">Mr. King</sponsor> (for himself, <cosponsor name-id="S381">Mr. Rounds</cosponsor>, and <cosponsor name-id="S382">Mr. Sasse</cosponsor>) introduced the following bill; which was read twice and referred to the <committee-name committee-id="SSGA00">Committee on Homeland Security and Governmental Affairs</committee-name></action-desc>
</action>
<legis-type>A BILL</legis-type>
<official-title>To amend the Homeland Security Act of 2002 to establish the National Cyber Resilience Assistance Fund, to improve the ability of the Federal Government to assist in enhancing critical infrastructure cyber resilience, to improve security in the national cyber ecosystem, to address Systemically Important Critical Infrastructure, and for other purposes.</official-title>
</form>
<legis-body id="H8433300D650841B6A87BA4106A917E92">
<section id="idFFB6BFD261784E96946CD20990862951" section-type="section-one"><enum>1.</enum><header>Short title; table of contents</header>
<subsection id="id1267817BD28248E793B65417A83D7EA7"><enum>(a)</enum><header>Short title</header><text>This Act may be cited as the <quote><short-title>Defense of United States Infrastructure Act of 2021</short-title></quote>.</text></subsection> <subsection id="idA6603446821847D28DBEB06DFAEF7C57"><enum>(b)</enum><header>Table of contents</header><text>The table of contents for this Act is as follows:</text>
<toc>
<toc-entry level="section" idref="idFFB6BFD261784E96946CD20990862951">Sec. 1. Short title; table of contents.</toc-entry>
<toc-entry level="title" idref="id91FFBB0D3BE945D8A34D0505B565B776">TITLE I—Investing in cyber resiliency in critical infrastructure</toc-entry>
<toc-entry level="section" idref="id686eb3b073524de18931108c3b1e8799">Sec. 101. Establishment of the National Cyber Resilience Assistance Fund.</toc-entry>
<toc-entry level="title" idref="id5BF71C72039845C5AB5919918227AD3B">TITLE II—Improving the ability of the Federal Government to assist in enhancing critical infrastructure cyber resilience</toc-entry>
<toc-entry level="section" idref="id6c6c9a3d6f7a4b74bb92bd61d960a69a">Sec. 201. Institute a 5-year term for the cybersecurity and infrastructure security director.</toc-entry>
<toc-entry level="section" idref="idaccd1a08eca04f30b35c5013fd45408d">Sec. 202. Create a joint collaborative environment.</toc-entry>
<toc-entry level="section" idref="id686e0be07b494f309d48f96c504deb46">Sec. 203. Designate three critical technology security centers.</toc-entry>
<toc-entry level="title" idref="id3E0FA56CF1E3464BAE0879ED1E991D8A">TITLE III—Improving security in the national cyber ecosystem</toc-entry>
<toc-entry level="section" idref="id5f463744bba846fdb783b59333bad1f9">Sec. 301. Establish a National Cybersecurity Certification and Labeling Authority.</toc-entry>
<toc-entry level="section" idref="idffc22de5733247ddadd9827b51fa9851">Sec. 302. Establish the Bureau of Cybersecurity Statistics.</toc-entry>
<toc-entry level="section" idref="ide3e16cd9e8ad424ba0ffaf19e4a36bae">Sec. 303. Secure foundational internet protocols.</toc-entry>
<toc-entry level="title" idref="id7e454bad1a3d4d559ad263edf2082866">TITLE IV—Systemically Important Critical Infrastructure</toc-entry>
<toc-entry level="section" idref="ide5d639ea7ad44d2bb43a575928d7e46f">Sec. 401. Definitions.</toc-entry>
<toc-entry level="section" idref="id47df0d2488b3482c8e7585661450e6a4">Sec. 402. Systemically Important Critical Infrastructure.</toc-entry>
<toc-entry level="section" idref="id3596ff7be72d42f1bd8d250570a13053">Sec. 403. Plan for enhancement of Systemically Important Critical Infrastructure methodology and capability.</toc-entry>
<toc-entry level="title" idref="id68a42560ea0f4af49018ca2d0ed18273">TITLE V—Enabling the National Cyber Director</toc-entry>
<toc-entry level="section" idref="id426a93a51d9c463bacfba6bdc165e3f9">Sec. 501. Establishment of hiring authorities for the Office of the National Cyber Director.</toc-entry></toc></subsection></section>
<title id="id91FFBB0D3BE945D8A34D0505B565B776" style="OLC"><enum>I</enum><header>Investing in cyber resiliency in critical infrastructure</header>
<section id="id686eb3b073524de18931108c3b1e8799"><enum>101.</enum><header>Establishment of the National Cyber Resilience Assistance Fund</header>
<subsection id="idcf349af6153f4d449f994622834639e5"><enum>(a)</enum><header>Sense of congress</header><text>It is the sense of Congress that—</text> <paragraph id="id17a38043c16e4049a32da7c9961d9da2"><enum>(1)</enum><text>the United States now operates in a cyber landscape that requires a level of data security, resilience, and trustworthiness that neither the United States Government nor the private sector alone is currently equipped to provide;</text></paragraph>
<paragraph id="idc33f0e767e0c49299e3fba829fa0b2b3"><enum>(2)</enum><text>the United States must deny benefits to adversaries who have long exploited cyberspace to their advantage, to the disadvantage of the United States, and at little cost to themselves;</text></paragraph> <paragraph id="id5d91244c27f14a05826bb83c71f24199"><enum>(3)</enum><text>this new approach requires securing critical networks in collaboration with the private sector to promote national resilience and increase the security of the cyber ecosystem;</text></paragraph>
<paragraph id="id815ffe31063049bab9c02c6d6e5bef17"><enum>(4)</enum><text>reducing the vulnerabilities adversaries can target denies them opportunities to attack the interests of the United States through cyberspace;</text></paragraph> <paragraph id="idb5e7874f526c48fd9ceb15b678b01005"><enum>(5)</enum><text>the public and private sectors struggle to coordinate cyber defenses, leaving gaps that decrease national resilience and create systemic risk;</text></paragraph>
<paragraph id="idd6b04c6eef914e65919d72f3947e973c"><enum>(6)</enum><text>new technology continues to emerge that further compounds these challenges;</text></paragraph> <paragraph id="id9cea12919e904abc8fc0950a37f44c44"><enum>(7)</enum><text>while the Homeland Security Grant Program and resourcing for national preparedness under the Federal Emergency Management Agency are well-established, the United States Government has no equivalent for cybersecurity preparation or prevention;</text></paragraph>
<paragraph id="ida0be5b95c813474d8b693174fa87ad94"><enum>(8)</enum><text>the lack of a consistent, resourced fund for investing in resilience in key areas inhibits the United States Government from conveying its understanding of risk into strategy, planning, and action in furtherance of core objectives for the security and resilience of critical infrastructure;</text></paragraph> <paragraph id="idce55fee844104ca3b564ec920756446e"><enum>(9)</enum><text>Congress has worked diligently to establish the Cybersecurity and Infrastructure Security Agency, creating a new agency that can leverage broad authorities to receive and share information, provide technical assistance to operators, and partner with stakeholders across the executive branch, State and local communities, and the private sector;</text></paragraph>
<paragraph id="id8ade8b5895f144a0a128b7852d33dc63"><enum>(10)</enum><text>the Cybersecurity and Infrastructure Security Agency requires strengthening in its mission to ensure the national resilience of critical infrastructure, promote a more secure cyber ecosystem, and serve as the central coordinating element to support and integrate Federal, State, local, and private-sector cybersecurity efforts; and</text></paragraph> <paragraph id="id16835d31f1c44588ba14bbbd27a2f4f1"><enum>(11)</enum><text>the Cybersecurity and Infrastructure Security Agency requires further resource investment and clear authorities to realize its full potential.</text></paragraph></subsection>
<subsection id="id6aeb5fa6c51d4660bca6e459d9bd61a6"><enum>(b)</enum><header>Amendments</header><text>Subtitle A of title XXII of the Homeland Security Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/6/651">6 U.S.C. 651 et seq.</external-xref>) is amended—</text> <paragraph id="idbf770d089d6e4e7281cae7dc14c4519d"><enum>(1)</enum><text>in section 2202(c) (<external-xref legal-doc="usc" parsable-cite="usc/6/652">6 U.S.C. 652(c)</external-xref>)—</text>
<subparagraph id="id60a4117eea5c4ed39ca18360faa2fa76"><enum>(A)</enum><text>in paragraph (11), by striking <quote>and</quote> at the end;</text></subparagraph> <subparagraph id="id743eca54925d46f1a365f7fd10223274"><enum>(B)</enum><text>in the first paragraph designated as paragraph (12), relating to the Cybersecurity State Coordinator—</text>
<clause id="idfb5f1b3b08704177b72c06cf5100fd66"><enum>(i)</enum><text>by striking <quote>section 2215</quote> and inserting <quote>section 2217</quote>; and</text></clause> <clause id="id477980abaae74597bab225a11397eb52"><enum>(ii)</enum><text>by striking <quote>and</quote> at the end; and</text></clause></subparagraph>
<subparagraph id="idfe9fcbfe3ff74b7bbddb77942382d7c2"><enum>(C)</enum><text>by redesignating the second and third paragraphs designated as paragraph (12) as paragraphs (13) and (14), respectively;</text></subparagraph></paragraph> <paragraph id="id4f36734e4a324be89c89b9dd49483713"><enum>(2)</enum><text>by redesignating section 2217 (<external-xref legal-doc="usc" parsable-cite="usc/6/665f">6 U.S.C. 665f</external-xref>) as section 2220;</text></paragraph>
<paragraph id="id43733f54d33c42cc9de9315fba50e62e"><enum>(3)</enum><text>by redesignating section 2216 (<external-xref legal-doc="usc" parsable-cite="usc/6/665e">6 U.S.C. 665e</external-xref>) as section 2219;</text></paragraph> <paragraph id="idf98c83f1cd1e494d843e0e0b46dca0af"><enum>(4)</enum><text>by redesignating the fourth section 2215 (relating to Sector Risk Management Agencies) (<external-xref legal-doc="usc" parsable-cite="usc/6/665d">6 U.S.C. 665d</external-xref>) as section 2218;</text></paragraph>
<paragraph id="id318e171c796445a8a17d3db79164cecd"><enum>(5)</enum><text>by redesignating the third section 2215 (relating to the Cybersecurity State Coordinator) (<external-xref legal-doc="usc" parsable-cite="usc/6/665c">6 U.S.C. 665c</external-xref>) as section 2217;</text></paragraph> <paragraph id="idda9e7fff3cb84edda379108671f5769c"><enum>(6)</enum><text>by redesignating the second section 2215 (relating to the Joint Cyber Planning Office) (<external-xref legal-doc="usc" parsable-cite="usc/6/665b">6 U.S.C. 665b</external-xref>) as section 2216; and</text></paragraph>
<paragraph id="idf39b541eeb3d4f7baa0d0e43b7eef5df"><enum>(7)</enum><text>by adding at the end the following:</text> <quoted-block style="OLC" display-inline="no-display-inline" id="idb144ea6e18dc42278fc47656beba9d0e"> <section id="ide04c91fb76094f4ea11d9cbd3525fec9"><enum>2220A.</enum><header>National Cyber Resilience Assistance Fund</header> <subsection id="id59fc3732adff4dee98a5677ad4bd6bdc"><enum>(a)</enum><header>Definitions</header><text>In this section:</text>
<paragraph id="id9c6a8ab047ea4047a17413162c44b8fa"><enum>(1)</enum><header>Cybersecurity risk</header><text>The term <term>cybersecurity risk</term> has the meaning given that term in section 2209.</text></paragraph> <paragraph id="id7e6543459e2446218f811c4801708b47"><enum>(2)</enum><header>Eligible entity</header><text>The term <term>eligible entity</term> means an entity that meets the guidelines and requirements for eligible entities established by the Secretary under subsection (d)(4).</text></paragraph>
<paragraph id="idcab678645ee6443fbcc9f48ba49a3ecc"><enum>(3)</enum><header>Fund</header><text>The term <term>Fund</term> means the National Cyber Resilience Assistance Fund established under subsection (c).</text></paragraph> <paragraph id="id1bf13270115b4d1b909d464d90502cdb"><enum>(4)</enum><header>National critical functions</header><text>The term <term>national critical functions</term> means the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.</text></paragraph></subsection>
<subsection id="idf8f44a12dba44d6db58ca052908c059b"><enum>(b)</enum><header>Creation of a critical infrastructure resilience strategy and a national risk management cycle</header>
<paragraph id="id0119e3eb79ab4076a55385269bf358f3"><enum>(1)</enum><header>Initial risk identification and assessment</header>
<subparagraph id="iddaec278a6b874dfa87d3bea63b5d7b04"><enum>(A)</enum><header>In general</header><text>The Secretary, acting through the Director, shall establish a process by which to identify, assess, and prioritize risks to critical infrastructure, considering both cyber and physical threats, vulnerabilities, and consequences.</text></subparagraph> <subparagraph id="id5e1b6f81869848668baf9fa2533841ad"><enum>(B)</enum><header>Consultation</header><text>In establishing the process required under subparagraph (A), the Secretary shall consult with Sector Risk Management Agencies, critical infrastructure owners and operators, and the National Cyber Director.</text></subparagraph>
<subparagraph id="id5ab7adf249334baf9b029dc7a8d7ff81"><enum>(C)</enum><header>Publication</header><text>Not later than 180 days after the date of enactment of this section, the Secretary shall publish in the Federal Register procedures for the process established under subparagraph (A).</text></subparagraph> <subparagraph id="id045c385931134253afcb1101418ee00e"><enum>(D)</enum><header>Report</header><text>Not later than 1 year after the date of enactment of this section, the Secretary shall submit to the President, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a report on the risks identified by the process established under subparagraph (A).</text></subparagraph></paragraph>
<paragraph id="id4be3686ed4c0492ab64e5f6df004eab7"><enum>(2)</enum><header>Initial national critical infrastructure resilience strategy</header>
<subparagraph id="ida177ff97cd444326acbbe8fe11cf4a50"><enum>(A)</enum><header>In general</header><text>Not later than 1 year after the date on which the Secretary delivers the report required under paragraph (1)(D), the President shall deliver to majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a national critical infrastructure resilience strategy designed to address the risks identified by the Secretary.</text></subparagraph> <subparagraph id="id14059e31962049019b4e955db8de30dc"><enum>(B)</enum><header>Elements</header><text>In the strategy delivered under subparagraph (A), the President shall—</text>
<clause id="idf4689339a82149e88a34b211693d009b"><enum>(i)</enum><text>identify, assess, and prioritize areas of risk to critical infrastructure that would compromise, disrupt, or impede the ability of the critical infrastructure to support the national critical functions of national security, economic security, or public health and safety;</text></clause> <clause id="id9f90cd4f97824ab98c46a81cd46d4c10"><enum>(ii)</enum><text>identify and outline current and proposed national-level actions, programs, and efforts to be taken to address the risks identified;</text></clause>
<clause id="idbed9734128564824bef15dd41204b209"><enum>(iii)</enum><text>identify the Federal departments or agencies responsible for leading each national-level action, program, or effort and the relevant critical infrastructure sectors for each;</text></clause> <clause id="id4085d76fc9144496ae03984a218498a8"><enum>(iv)</enum><text>outline the budget plan required to provide sufficient resources to successfully execute the full range of activities proposed or described by the strategy; and</text></clause>
<clause id="id1dbeac0f2ca04179965648bf349a92c3"><enum>(v)</enum><text>request any additional authorities or resources necessary to successfully execute the strategy.</text></clause></subparagraph> <subparagraph id="id98d37cc9b3464350b88b5bb11ed08eb3"><enum>(C)</enum><header>Form</header><text>The strategy delivered under subparagraph (A) shall be unclassified, but may contain a classified annex.</text></subparagraph></paragraph>
<paragraph id="id314fc6cb65b6422ea314027c9f1dc4d1"><enum>(3)</enum><header>Congressional briefing</header><text>Not later than 1 year after the date on which the President delivers the strategy under subparagraph (A), and every year thereafter, the Secretary, in coordination with Sector Risk Management Agencies, shall brief the appropriate congressional committees on the national risk management cycle activities undertaken pursuant to the strategy.</text></paragraph> <paragraph id="idcfa518d7ed5243de9cc93fa257a1d5e9"><enum>(4)</enum><header>Five year risk management cycle</header> <subparagraph id="idA185A838E6DB4731954ACEEC4A93506C"><enum>(A)</enum><header>Risk identification and assessment</header><text>Under procedures established by the Secretary, the Secretary shall repeat the conducting and reporting of the risk identification and assessment required under paragraph (1), in accordance with the requirements in paragraph (1), every 5 years.</text></subparagraph>
<subparagraph id="id11AC5D3CA1404289A81B8D73106783CF"><enum>(B)</enum><header>Strategy</header><text>Under procedures established by the President, the President shall repeat the preparation and delivery of the critical infrastructure resilience strategy required under paragraph (2), in accordance with the requirements in paragraph (2), every 5 years, which shall also include assessing the implementation of the previous national critical infrastructure resilience strategy.</text></subparagraph></paragraph></subsection> <subsection id="id420c2bb34e7448a98801bf438628a2cc"><enum>(c)</enum><header>Establishment of the National Cyber Resilience Assistance Fund</header><text>There is established in the Treasury of the United States a fund, to be known as the <quote>National Cyber Resilience Assistance Fund</quote>, which shall be available for the cost of risk-based grant programs focused on systematically increasing the resilience of public and private critical infrastructure against cybersecurity risk, thereby increasing the overall resilience of the United States.</text></subsection>
<subsection id="id0b65f9dd34474e2189caa613362ed87f"><enum>(d)</enum><header>Administration of grants from the National Cyber Resilience Assistance Fund</header>
<paragraph id="id9afe2ece6b8948a1a65a8d15e6ff2940"><enum>(1)</enum><header>In general</header><text>In accordance with this section, the Secretary, acting through the Administrator of the Federal Emergency Management Agency and the Director, shall develop and administer processes to—</text> <subparagraph id="id5ea3124d54ce4ea599a52057ffebfc5c"><enum>(A)</enum><text>establish focused grant programs to address identified areas of cybersecurity risk to, and bolster the resilience of, critical infrastructure;</text></subparagraph>
<subparagraph id="id45c423bc60e74ff5b6ba0388cd023197"><enum>(B)</enum><text>accept and evaluate applications for each such grant program;</text></subparagraph> <subparagraph id="idb81e308fe5244dddb187ce27dbe25028"><enum>(C)</enum><text>award grants under each such grant program; and</text></subparagraph>
<subparagraph id="id2d013c9766374c74b069d2a10be79b42"><enum>(D)</enum><text>disburse amounts from the Fund.</text></subparagraph></paragraph> <paragraph id="id4652ca16c2b2499c96dcfdc329f8abb4"><enum>(2)</enum><header>Establishment of risk-focused grant programs</header> <subparagraph id="id1776c8f0efe64a178dcaffb648782d76"><enum>(A)</enum><header>Establishment</header> <clause id="ida79737db44d44830ba9a88b7c90e82de"><enum>(i)</enum><header>In general</header><text>The Secretary, acting through the Director and the Administrator of the Federal Emergency Management Agency, may establish not less than 1 grant program focused on mitigating an identified category of cybersecurity risk identified under the national risk management cycle and critical infrastructure resilience strategy under subsection (b) in order to bolster the resilience of critical infrastructure within the United States.</text></clause>
<clause id="id527364853ae14b9398a67af73134c5d3"><enum>(ii)</enum><header>Selection of focus area</header><text>Before selecting a focus area for a grant program pursuant to this subparagraph, the Director shall ensure—</text> <subclause id="id3be5ccd5fda7453589cec4dacdd5f9c3"><enum>(I)</enum><text>there is a clearly defined cybersecurity risk identified through the national risk management cycle and critical infrastructure resilience strategy under subsection (b) to be mitigated;</text></subclause>
<subclause id="id248679c993344c6da3b34e7d685b3fe0"><enum>(II)</enum><text>market forces do not provide sufficient private-sector incentives to mitigate the risk without Government investment; and</text></subclause> <subclause id="idec164d5a71c54cef85a0703b145874ee"><enum>(III)</enum><text>there is clear Federal need, role, and responsibility to mitigate the risk in order to bolster the resilience of critical infrastructure.</text></subclause></clause></subparagraph>
<subparagraph id="idff683b184c224b85be68ae874b734e42"><enum>(B)</enum><header>Funding</header>
<clause id="id1fa159ef8cb34649b6f4bed4330ef32f"><enum>(i)</enum><header>Recommendation</header><text>Beginning in the first fiscal year following the establishment of the Fund and each fiscal year thereafter, the Director shall—</text> <subclause id="id924885335a3d4de391606d38c342010f"><enum>(I)</enum><text>assess the funds available in the Fund for the fiscal year; and</text></subclause>
<subclause id="idc7622127231d48f29f68f44eaf0db78e"><enum>(II)</enum><text>recommend to the Secretary the total amount to be made available from the Fund under each grant program established under this subsection.</text></subclause></clause> <clause id="idf373aa6b58034cb6951fe7df229e2f2c"><enum>(ii)</enum><header>Allocation</header><text>After considering the recommendations made by the Director under clause (i) for a fiscal year, the Director shall allocate amounts from the Fund to each active grant program established under this subsection for the fiscal year.</text></clause></subparagraph></paragraph>
<paragraph id="ide87e8ae83dfd47108b2b7433b7383d35"><enum>(3)</enum><header>Use of funds</header><text>Amounts in the Fund shall be used to mitigate risks identified through the national risk management cycle and critical infrastructure resilience strategy under subsection (b).</text></paragraph> <paragraph id="ide0fcceb80a354437ae494cd3f54cec16"><enum>(4)</enum><header>Eligible entities</header> <subparagraph id="id07b85bd8fa6541349ff43bd5fa802185"><enum>(A)</enum><header>Guidelines and requirements</header> <clause id="id7DEC6D2AE7CD4AACBA2458B394627946"><enum>(i)</enum><header>In general</header><text>In accordance with clause (ii), the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate and the Committee on Homeland Security and the Committee on Appropriations of the House of Representatives a set of guidelines and requirements for determining the entities that are eligible entities.</text></clause>
<clause id="idEB812469F38D4755AAEE46DEB82ADCC4"><enum>(ii)</enum><header>Deadlines</header><text>The Secretary shall submit the guidelines and requirements under clause (i)—</text> <subclause id="id50811302D9E2426DA86D052520259077"><enum>(I)</enum><text>not later than 180 days after the date of enactment of this section, and every 2 years thereafter; and</text></subclause>
<subclause id="id491D6356AE7E4BF39B0A84DBB07D01FE"><enum>(II)</enum><text>not later than 30 days before the date on which the Secretary implements the guidelines and requirements.</text></subclause></clause></subparagraph> <subparagraph id="idcb4f885ccf974d64a65271c8256ae614"><enum>(B)</enum><header>Considerations</header><text>In developing guidelines and requirements for eligible entities under subparagraph (A), the Secretary shall consider—</text>
<clause id="id09b49268eecb47c684939527c1a70d97"><enum>(i)</enum><text>number of employees;</text></clause> <clause id="id1ed60bee98c940bea20254aa5e7dd72b"><enum>(ii)</enum><text>annual revenue;</text></clause>
<clause id="idb050a91e00a44672a64a7e8ecfb5c336"><enum>(iii)</enum><text>existing entity cybersecurity spending;</text></clause> <clause id="id41fac3d1180f4b38b3e3ab4ebc0c6d62"><enum>(iv)</enum><text>current cyber risk assessments, including credible threats, vulnerabilities, and consequences; and</text></clause>
<clause id="id9e387a63a539438c831810384e8e0a60"><enum>(v)</enum><text>entity capacity to invest in mitigating cybersecurity risk absent assistance from the Federal Government.</text></clause></subparagraph></paragraph> <paragraph id="id68f1bb8d54eb46968ea2778214b0f746"><enum>(5)</enum><header>Limitation</header><text>For any fiscal year, an eligible entity may not receive more than 1 grant from each grant program established under this subsection.</text></paragraph>
<paragraph id="id54745c19f7694fd6a68662381b7dbb95"><enum>(6)</enum><header>Grant processes</header><text>The Secretary, acting through the Administrator of the Federal Emergency Management Agency, shall require the submission of such information as the Secretary determines is necessary to—</text> <subparagraph id="idf773f4ad33f44452a58a7c3ac31f9a17"><enum>(A)</enum><text>evaluate a grant application against the criteria established under this section;</text></subparagraph>
<subparagraph id="id05b7a5f0b0e04a2a81e4c42f74c13813"><enum>(B)</enum><text>disburse grant funds;</text></subparagraph> <subparagraph id="id658857bd0fd54d02a0721bee1c4c4891"><enum>(C)</enum><text>provide oversight of disbursed grant funds; and</text></subparagraph>
<subparagraph id="id13d3c7f1806949a48ea733af790ac22c"><enum>(D)</enum><text>evaluate the effectiveness of the funded project in increasing the overall resilience of the United States with respect to cybersecurity risks.</text></subparagraph></paragraph> <paragraph id="idc934f951dae04a6daceb38c26716357e"><enum>(7)</enum><header>Grant criteria</header><text>For each grant program established under this subsection, the Director, in coordination with the Administrator of the Federal Emergency Management Agency, shall develop and publish criteria for evaluating applications for funding, which shall include—</text>
<subparagraph id="id6a57af831d6e4a77923a50a1d8b4243d"><enum>(A)</enum><text>whether the application identifies a clearly defined cybersecurity risk;</text></subparagraph> <subparagraph id="id48faf6e7a71846fd93750967200a3fd9"><enum>(B)</enum><text>whether the cybersecurity risk identified in the grant application poses a substantial threat to critical infrastructure;</text></subparagraph>
<subparagraph id="id2cda908e599c424687ee2b087b59e172"><enum>(C)</enum><text>whether the application identifies a program or project clearly designed to mitigate a cybersecurity risk;</text></subparagraph> <subparagraph id="id5bcc9d48dce24ea28149d02ddee75658"><enum>(D)</enum><text>the potential consequences of leaving the identified cybersecurity risk unmitigated, including the potential impact to the critical functions and overall resilience of the nation; and</text></subparagraph>
<subparagraph id="ide1e6a9329ec346099b67afd1acf10ef0"><enum>(E)</enum><text>other appropriate factors identified by the Director.</text></subparagraph></paragraph> <paragraph id="ideba90b84a2fe4dc7a9b03cb6f714e734"><enum>(8)</enum><header>Evaluation of grants applications</header> <subparagraph id="ideab8bffeca77438e88b37b42a0593775"><enum>(A)</enum><header>In general</header><text>Utilizing the criteria established under paragraph (7), the Director, in coordination with the Administrator of the Federal Emergency Management Agency, shall evaluate grant applications made under each grant program established under this subsection.</text></subparagraph>
<subparagraph id="id09ff23b20bbc4e9b8e1e709e46119708"><enum>(B)</enum><header>Recommendation</header><text>Following the evaluations required under subparagraph (A), the Director shall recommend to the Secretary applications for approval, including the amount of funding recommended for each such approval.</text></subparagraph></paragraph> <paragraph id="id085869ae187d41088d2a1f47ee4ead78"><enum>(9)</enum><header>Award of grant funding</header><text>The Secretary shall—</text>
<subparagraph id="idc966fcfef5ed4cb98392b9b380229b2f"><enum>(A)</enum><text>review the recommendations of the Director prepared pursuant to paragraph (8); and</text></subparagraph> <subparagraph id="id1d7d586555634730b62b5f9a27918c41"><enum>(B)</enum><text>provide a final determination of grant awards to the Administrator of the Federal Emergency Management Agency to be disbursed and administered under the process established under paragraph (6).</text></subparagraph></paragraph></subsection>
<subsection id="idf1cc7676a23d4e6fb300f5455142f4cd"><enum>(e)</enum><header>Evaluation of grant programs utilizing the National Cyber Resilience Assistance Fund</header>
<paragraph id="id9c20e214d0d540e185b4edfe2fe96081"><enum>(1)</enum><header>Evaluation</header><text>The Secretary shall establish a process to evaluate the effectiveness and efficiency of grants distributed under this section and develop appropriate updates, as needed, to the grant programs.</text></paragraph> <paragraph id="id9e95e1d204c24a8f82779348c365bd88"><enum>(2)</enum><header>Annual report</header><text>Not later than 180 days after the conclusion of the first fiscal year in which grants are awarded under this section, and every fiscal year thereafter, the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate and the Committee on Homeland Security and the Committee on Appropriations of the House of Representatives a report detailing the grants awarded from the Fund, the status of projects undertaken with the grant funds, any planned changes to the disbursement methodology of the Fund, measurements of success, and total outlays from the Fund.</text></paragraph>
<paragraph id="id6e11318b7f6d471e93688fd72a9b1117"><enum>(3)</enum><header>Grant program review</header>
<subparagraph id="id46785ffd4cd9404da0a2725c66b46b1d"><enum>(A)</enum><header>Annual assessment</header><text>Before the start of the second fiscal year in which grants are awarded under this section, and every fiscal year thereafter, the Director shall assess the grant programs established under this section and determine—</text> <clause id="id450F3336561F4DFEA556604197C7CFD3"><enum>(i)</enum><text>for the coming fiscal year—</text>
<subclause id="id9cf139b7441546d68a0bb92979df3e84"><enum>(I)</enum><text>whether new grant programs with additional focus areas should be created;</text></subclause> <subclause id="idb29771612a2f451e962ca20500538c22"><enum>(II)</enum><text>whether any existing grant program should be discontinued; and</text></subclause>
<subclause id="ide62454cfae124a348640b60088ac912d"><enum>(III)</enum><text>whether the scope of any existing grant program should be modified; and</text></subclause></clause> <clause id="id0872af99f78e4df39003b6e104b5289a"><enum>(ii)</enum><text>the success of the grant programs in the prior fiscal year.</text></clause></subparagraph>
<subparagraph id="id25f9047f04b34eec90a528047f194309"><enum>(B)</enum><header>Submission to Congress</header><text>Not later than 90 days before the start of the second fiscal year in which grants are awarded under this section, and every fiscal year thereafter, the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate and the Committee on Homeland Security and the Committee on Appropriations of the House of Representatives the assessment conducted pursuant to subparagraph (A) and any planned alterations to the grant program for the coming fiscal year.</text></subparagraph></paragraph></subsection> <subsection id="id10dc499764664056bdd91b8ba8d60551"><enum>(f)</enum><header>Limitation on use of grant funds</header><text>Funds awarded pursuant to this section—</text>
<paragraph id="idde858eebe8d94768a4bb43a9651457d5"><enum>(1)</enum><text>shall supplement and not supplant State or local funds or, as applicable, funds supplied by the Bureau of Indian Affairs; and</text></paragraph> <paragraph id="idb1c4ec925a8242b5ad93ba529afac1b3"><enum>(2)</enum><text>may not be used—</text>
<subparagraph id="idba3cd6d90fb349c8903464f3fb774705"><enum>(A)</enum><text>to provide any Federal cost-sharing contribution on behalf of a State or local government;</text></subparagraph> <subparagraph id="id46aa00f18d894ef69c85cf14ef241510"><enum>(B)</enum><text>to pay a ransom;</text></subparagraph>
<subparagraph id="id143bceee1ae04225b801c6839ab1a49f"><enum>(C)</enum><text>by or for a non-United States entity; or</text></subparagraph> <subparagraph id="id2bc76ccd5d92485d8a1064a0fb394d28"><enum>(D)</enum><text>for any recreational or social purpose.</text></subparagraph></paragraph></subsection>
<subsection id="id80d7c31a1402432e9702b233e650ccf2"><enum>(g)</enum><header>Authorization of appropriations</header><text>There are authorized to be appropriated to carry out this section $75,000,000 for each of fiscal years 2022 through 2026.</text></subsection> <subsection id="id556843cafa374da7af625f6b8cf19956"><enum>(h)</enum><header>Transfers authorized</header><text>During a fiscal year, the Secretary or the head of any component of the Department that administers the State and Local Cybersecurity Grant Program may transfer not more than 5 percent of the amounts appropriated pursuant to subsection (g) or other amounts appropriated to carry out the National Cyber Resilience Assistance Fund for that fiscal year to an account of the Department for salaries, expenses, and other administrative costs incurred for the management, administration, or evaluation of this section.</text></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection>
<subsection id="id454f9e1e30524b7785d8a150f64c5e00"><enum>(c)</enum><header>Technical and conforming amendments</header>
<paragraph id="idFD8965782D194857984440BEA3F678D7"><enum>(1)</enum><header>Table of contents</header><text>The table of contents in section 1(b) of the Homeland Security Act of 2002 (<external-xref legal-doc="public-law" parsable-cite="pl/107/296">Public Law 107–296</external-xref>; 116 Stat. 2135) is amended by striking the item relating to section 2214 and all that follows through the item relating to section 2217 and inserting the following:</text> <quoted-block style="OLC" display-inline="no-display-inline" id="id5958869A33154365ADF93450865450B5"> <toc> <toc-entry level="section" bold="off">Sec. 2214. National Asset Database.</toc-entry> <toc-entry level="section" bold="off">Sec. 2215. Duties and authorities relating to .gov internet domain.</toc-entry> <toc-entry level="section" bold="off">Sec. 2216. Joint Cyber Planning Office. </toc-entry> <toc-entry level="section" bold="off">Sec. 2217. Cybersecurity State Coordinator.</toc-entry> <toc-entry level="section" bold="off">Sec. 2218. Sector Risk Management Agencies. </toc-entry> <toc-entry level="section" bold="off">Sec. 2219. Cybersecurity Advisory Committee.</toc-entry> <toc-entry level="section" bold="off">Sec. 2220. Cybersecurity education and training programs.</toc-entry> <toc-entry level="section" bold="off">Sec. 2220A. National Cyber Resilience Assistance Fund.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></paragraph> <paragraph id="idF38425473D924696A23F5A4A8C8BD5C3"><enum>(2)</enum><header>Additional technical amendment</header> <subparagraph id="idb9b94a41d83a478fa9824335a2cf637c"><enum>(A)</enum><header>Amendment</header><text>Section 904(b)(1) of the DOTGOV Act of 2020 (title IX of division U of <external-xref legal-doc="public-law" parsable-cite="pl/116/260">Public Law 116–260</external-xref>) is amended, in the matter preceding subparagraph (A), by striking <quote>Homeland Security Act</quote> and inserting <quote>Homeland Security Act of 2002</quote>.</text></subparagraph>
<subparagraph id="id86b7f2fddcdb483aa63cc3686956951b"><enum>(B)</enum><header>Effective date</header><text>The amendment made by subparagraph (A) shall take effect as if enacted as part of the DOTGOV Act of 2020 (title IX of division U of <external-xref legal-doc="public-law" parsable-cite="pl/116/260">Public Law 116–260</external-xref>).</text></subparagraph></paragraph></subsection></section></title> <title id="id5BF71C72039845C5AB5919918227AD3B" style="OLC"><enum>II</enum><header>Improving the ability of the Federal Government to assist in enhancing critical infrastructure cyber resilience</header> <section id="id6c6c9a3d6f7a4b74bb92bd61d960a69a"><enum>201.</enum><header>Institute a 5-year term for the cybersecurity and infrastructure security director</header> <subsection id="idb7277e6ee6ec4aaa9b7178ab344e397b"><enum>(a)</enum><header>In general</header><text>Subsection (b)(1) of section 2202 of the Homeland Security Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/6/652">6 U.S.C. 652</external-xref>), is amended by inserting <quote>The Director shall be appointed for a term of 5 years.</quote> after <quote>who shall report to the Secretary.</quote>.</text></subsection>
<subsection id="id6e50228860444ab5a5042fce8fcbe696"><enum>(b)</enum><header>Transition rules</header><text>The amendment made by subsection (a) shall take effect on the earlier of—</text> <paragraph id="idee293a427d5b4e088af3e50c8c2f54d7"><enum>(1)</enum><text>the first appointment of an individual to the position of Director of the Cybersecurity and Infrastructure Protection Agency of the Department of Homeland Security, by and with the advice and consent of the Senate, that is made on or after the date of enactment of this Act; or</text></paragraph>
<paragraph id="id60a8b0bc000e4fe29e139f6679b163a1"><enum>(2)</enum><text>January 1, 2022.</text></paragraph></subsection></section> <section id="idaccd1a08eca04f30b35c5013fd45408d"><enum>202.</enum><header>Create a joint collaborative environment</header> <subsection id="id9f93df1cac7c4b06811c183a2d6ad0a8"><enum>(a)</enum><header>In general</header><text>The Director of the Cybersecurity and Infrastructure Security Agency shall establish a joint, cloud-based, information sharing environment to—</text>
<paragraph id="id744ff94c583142a59aadf54591578e35"><enum>(1)</enum><text>integrate the Federal Government’s unclassified and classified cyber threat information, malware forensics, and data related to cybersecurity risks (as defined in section 2209 of the Homeland Security Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/6/659">6 U.S.C. 659</external-xref>)) that is derived from network sensor programs;</text></paragraph> <paragraph id="id3e82fbe69e3f4c76ae470c28137e00ff"><enum>(2)</enum><text>enable cross-correlation of threat data at the speed and scale necessary for rapid detection and identification;</text></paragraph>
<paragraph id="id2f3fed8b61f04d6f94e47c3b9a8f74a9"><enum>(3)</enum><text>enable query and analysis by appropriate operators across the Federal Government;</text></paragraph> <paragraph id="id4685ac26d3ab400c8b5e4c9edaaeff12"><enum>(4)</enum><text>facilitate a whole-of-Government, comprehensive understanding of the cyber threats to the resilience of the Federal Government and national critical infrastructure networks;</text></paragraph>
<paragraph id="idf55b6971df36466d9df449e5d6532fb6"><enum>(5)</enum><text>enable and support the private-public cybersecurity collaboration efforts of the Federal Government, whose successes will be directly dependent on the accuracy, comprehensiveness, and timeliness of threat information collected and held by the Federal Government; and</text></paragraph> <paragraph id="idde5589e5b7fd4c16be64b44bcee99af6"><enum>(6)</enum><text>enable data curation for artificial intelligence models and provide an environment to enable the Federal Government to curate data and build applications.</text></paragraph></subsection>
<subsection id="ida1b078b2a92641e2afcd8e4252b09c66"><enum>(b)</enum><header>Development</header>
<paragraph id="id8bfb253f5dde4e50a09b9455e50f7b0e"><enum>(1)</enum><header>Initial evaluation</header><text>Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director shall—</text> <subparagraph id="id71afa2b05d8643d2b3b138d99741de5a"><enum>(A)</enum><text>identify all Federal sources of classified and unclassified cyber threat information;</text></subparagraph>
<subparagraph id="idb4f632c09340403f9ab26dce337e45a6"><enum>(B)</enum><text>evaluate all programs, applications, or platforms of the Federal Government that are intended to detect, identify, analyze, or monitor cyber threats against the resiliency of the Federal Government or critical infrastructure; and</text></subparagraph> <subparagraph id="iddd0085a1b2664675909224b0860964c0"><enum>(C)</enum><text>submit a recommendation to the President identifying Federal programs to be designated and required to participate in the Information Sharing Environment, including—</text>
<clause id="id320396149e7e417886b74d7d5efdd052"><enum>(i)</enum><text>Government network-monitoring and intrusion detection programs;</text></clause> <clause id="id4b244a5e976541cd861ca74930a30005"><enum>(ii)</enum><text>cyber threat indicator-sharing programs and Government-sponsored network sensors or network-monitoring programs for the private sector or for State, local, tribal, and territorial governments;</text></clause>
<clause id="id9c946af495e546fca53fe535f3bd6d3b"><enum>(iii)</enum><text>incident response and cybersecurity technical assistance programs; and</text></clause> <clause id="idcd285a53d8714f34b57af93e72070e73"><enum>(iv)</enum><text>malware forensics and reverse-engineering programs.</text></clause></subparagraph></paragraph>
<paragraph id="idcc21d2a2556c414099e17ad02bdbd18f"><enum>(2)</enum><header>Designation of participating programs</header><text>Not later than 60 days after completion of the evaluation required under paragraph (1), the President shall issue a determination designating the departments, agencies, Federal programs, and corresponding systems and assets that are required to be a part of the Information Sharing Environment.</text></paragraph> <paragraph id="idd6da79e91e93447e9acdc1d98b75f93d"><enum>(3)</enum><header>Design</header><text>Not later than 1 year after completion of the evaluation required under paragraph (1), the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, shall design the structure of a common platform for sharing and fusing existing Government information, insights, and data related to cyber threats and threat actors, which, at a minimum, shall—</text>
<subparagraph id="id94cacfbf18654b4088c8cb67fc75598e"><enum>(A)</enum><text>account for appropriate data standards and interoperability requirements;</text></subparagraph> <subparagraph id="id3b563163b3e04428b61d8dbc531e80aa"><enum>(B)</enum><text>enable integration of existing applications, platforms, data, and information, to include classified information;</text></subparagraph>
<subparagraph id="id5589fe93cbfb495b94acbde21e43288f"><enum>(C)</enum><text>ensure access by such Federal departments and agencies as the Director of the Cybersecurity and Infrastructure Security Agency determines necessary;</text></subparagraph> <subparagraph id="idef6be55dc2e742a1bb7f8c227386d3d2"><enum>(D)</enum><text>account for potential private sector participation and partnerships;</text></subparagraph>
<subparagraph id="idf94b897f40984aca8ad27154efadbd6e"><enum>(E)</enum><text>enable unclassified data to be integrated with classified data;</text></subparagraph> <subparagraph id="id7949f25d2ebb40e89af602575d17ddda"><enum>(F)</enum><text>anticipate the deployment of analytic tools across classification levels to leverage all relevant data sets, as appropriate;</text></subparagraph>
<subparagraph id="ida2324d6ec2734f84814102a74e23a483"><enum>(G)</enum><text>identify tools and analytical software that can be applied and shared to manipulate, transform, and display data and other identified needs;</text></subparagraph> <subparagraph id="id2a43b5d6e418496eb40a27f829b1c0c1"><enum>(H)</enum><text>anticipate the integration of new technologies and data streams, including data related to cybersecurity risks derived from Government-sponsored voluntary network sensors or network-monitoring programs for the private sector or for State, local, Tribal, and territorial governments; and</text></subparagraph>
<subparagraph id="id4d6a8fbe8144400098f2f4cea4402a80"><enum>(I)</enum><text>appropriately account for departments, agencies, programs, and systems and assets determined to be required to participate by the President under paragraph (2) in the Information Sharing Environment.</text></subparagraph></paragraph></subsection> <subsection id="id507b29c8704b4ead868058c3b1b31b1d"><enum>(c)</enum><header>Operation</header><text>The Information Sharing Environment shall be managed by the Director of the Cybersecurity and Infrastructure Security Agency.</text></subsection>
<subsection id="idfbc2d2ca901143df9773def99754e314"><enum>(d)</enum><header>Post-Deployment assessment</header><text>Not later than 1 year after the date on which the Information Sharing Environment is established, the Director of the Cybersecurity and Infrastructure Security Agency and the Director shall assess the means by which the Information Sharing Environment may be expanded to include the private sector and critical infrastructure information sharing organizations and, to the maximum extent practicable, begin the process of such expansion.</text></subsection> <subsection id="id6a8d49ffc5c74c3ea1958daae9f25c7a"><enum>(e)</enum><header>Private sector sharing information sharing protections</header><text>To the extent any private entity shares cyber threat indicators and defensive measures through or with the Information Sharing Environment and in a manner that is consistent with all requirements under section 1752 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (<external-xref legal-doc="usc" parsable-cite="usc/6/1500">6 U.S.C. 1500</external-xref>), the Cybersecurity Information Sharing Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1501">6 U.S.C. 1501 et seq.</external-xref>), and any applicable guidelines promulgated under subsection (f), such activities shall be considered to be authorized by and in accordance with section 1752 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 and the Cybersecurity Information Sharing Act of 2015. </text></subsection>
<subsection id="id813acd1e2c4949f4b82ef503a413ef51"><enum>(f)</enum><header>Privacy and civil liberties</header>
<paragraph id="ide939f602cc004646868f809ab607ab41"><enum>(1)</enum><header>Guidelines of attorney general</header><text>Not later than 60 days after the date of enactment of this Act, the Secretary of Homeland Security (acting through the Director of the Cybersecurity and Infrastructure Security Agency) and the Attorney General, shall jointly, and in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 1062 of the National Security Intelligence Reform Act of 2004 (<external-xref legal-doc="usc" parsable-cite="usc/42/2000ee-1">42 U.S.C. 2000ee–1</external-xref>), develop, submit to Congress, and make available to the public interim guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this section.</text></paragraph> <paragraph id="idab79d9dcb91b40e5b8ddfecbeec429cb"><enum>(2)</enum><header>Final guidelines</header> <subparagraph id="idb00bbf063b8542fa84bb778762284197"><enum>(A)</enum><header>In general</header><text>Not later than 180 days after the date of enactment of this Act, the Secretary of Homeland Security (acting through the Director of the Cybersecurity and Infrastructure Security Agency) and the Attorney General, shall jointly, in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 1062 of the National Security Intelligence Reform Act of 2004 (<external-xref legal-doc="usc" parsable-cite="usc/42/2000ee-1">42 U.S.C. 2000ee–1</external-xref>) and such private entities with industry expertise as the Secretary and the Attorney General consider relevant, promulgate final guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this section.</text></subparagraph>
<subparagraph id="ida5103b359d074acaa7635ded3c7771c2"><enum>(B)</enum><header>Periodic review</header><text>The Secretary of Homeland Security (acting through the Director of the Cybersecurity and Infrastructure Security Agency) and the Attorney General, shall jointly, in coordination with heads of the appropriate Federal entities and in consultation with officers and private entities described in subparagraph (A), periodically, but not less frequently than once every 2 years, review the guidelines promulgated under subparagraph (A).</text></subparagraph></paragraph> <paragraph id="id87d722b3750b489a8414288070681b0b"><enum>(3)</enum><header>Content</header><text>The guidelines required by paragraphs (1) and (2) shall, consistent with the need to bolster the resilience of information systems and mitigate cybersecurity threats—</text>
<subparagraph id="ide6f94b7ee7a44c27a9b454d76acf36ae"><enum>(A)</enum><text>limit the effect on privacy and civil liberties of activities by the Federal Government under this section;</text></subparagraph> <subparagraph id="id574aa945897f4192a2c5be9643be057a"><enum>(B)</enum><text>limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal information or information that identifies specific persons, including by establishing—</text>
<clause id="idd0cf7b6d61284e97a8d6df2a71f02770"><enum>(i)</enum><text>a process for the timely destruction of such information that is known not to be directly related to uses authorized under this section; and</text></clause> <clause id="id3d1e158e0cca4072ab0907f859c24522"><enum>(ii)</enum><text>specific limitations on the length of any period in which a cyber threat indicator may be retained;</text></clause></subparagraph>
<subparagraph id="id463b1e09b31c4828913eb655c9df91dd"><enum>(C)</enum><text>include requirements to safeguard cyber threat indicators containing personal information or information that identifies specific persons from unauthorized access or acquisition, including appropriate sanctions for activities by officers, employees, or agents of the Federal Government in contravention of such guidelines;</text></subparagraph> <subparagraph id="idcb5310d57b544f3cbe4df40ffe667fef"><enum>(D)</enum><text>include procedures for notifying entities and Federal entities if information received pursuant to this subsection is known or determined by a Federal entity receiving such information not to constitute a cyber threat indicator;</text></subparagraph>
<subparagraph id="idc3bd759c5c3c49e19dc9be974066ed11"><enum>(E)</enum><text>protect the confidentiality of cyber threat indicators containing personal information or information that identifies specific persons to the greatest extent practicable and require recipients to be informed that such indicators may only be used for purposes authorized under this section; and</text></subparagraph> <subparagraph id="id1cd10d2fa96648c09a292ce0594bede2"><enum>(F)</enum><text>include steps that may be needed so that dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information.</text></subparagraph></paragraph></subsection>
<subsection id="id976b2234ddf64ceaad422b04403f93ac"><enum>(g)</enum><header>Oversight of government activities</header>
<paragraph id="id62cc62f066434beabd214b113799a7b5"><enum>(1)</enum><header>Biennial report on privacy and civil liberties</header><text>Not later than 2 years after the date of enactment of this Act, and not less frequently than once every year thereafter, the Privacy and Civil Liberties Oversight Board shall submit to Congress and the President a report providing—</text> <subparagraph id="id0f5826d318404667bfbceb0d471db742"><enum>(A)</enum><text>an assessment of the effect on privacy and civil liberties by the type of activities carried out under this section; and</text></subparagraph>
<subparagraph id="id1f4835adada84517b5666e794f2d4d31"><enum>(B)</enum><text>an assessment of the sufficiency of the guidelines established pursuant to subsection (f) in addressing concerns relating to privacy and civil liberties.</text></subparagraph></paragraph> <paragraph id="id43947a619a4548848e9b97443ff7086d"><enum>(2)</enum><header>Biennial report by inspectors general</header> <subparagraph id="id4af2b4d5031042ceaed6c70046217e27"><enum>(A)</enum><header>In general</header><text>Not later than 2 years after the date of enactment of this Act, and not less frequently than once every 2 years thereafter, the Inspector General of the Department of Homeland Security, the Inspector General of the Intelligence Community, the Inspector General of the Department of Justice, the Inspector General of the Department of Defense, and the Inspector General of the Department of Energy shall, in consultation with the Council of Inspectors General on Integrity and Efficiency, jointly submit to Congress a report on the receipt, use, and dissemination of cyber threat indicators and defensive measures that have been shared with Federal entities under this section.</text></subparagraph>
<subparagraph id="ided26777c53174a4a8bb63043dc48e4f3"><enum>(B)</enum><header>Contents</header><text>Each report submitted under subparagraph (A) shall include the following:</text> <clause id="idf81484a862d541199ba6d50d374f5df3"><enum>(i)</enum><text>A review of the types of cyber threat indicators shared with Federal entities.</text></clause>
<clause id="id3e85785222ea44ff8a3cad028e47477c"><enum>(ii)</enum><text>A review of the actions taken by Federal entities as a result of the receipt of such cyber threat indicators.</text></clause> <clause id="id30aa041b1fc244eea7299c1b2f688b3d"><enum>(iii)</enum><text>A list of Federal entities receiving such cyber threat indicators.</text></clause>
<clause id="id938c5d3b249a4cc1aa0db8cdb8f524fc"><enum>(iv)</enum><text>A review of the sharing of such cyber threat indicators among Federal entities to identify inappropriate barriers to sharing information.</text></clause></subparagraph></paragraph> <paragraph id="id0b2361731546424e82b751d43cea9841"><enum>(3)</enum><header>Recommendations</header><text>Each report submitted under this subsection may include such recommendations as the Privacy and Civil Liberties Oversight Board, with respect to a report submitted under paragraph (1), or the Inspectors General referred to in paragraph (2)(A), with respect to a report submitted under paragraph (2), may have for improvements or modifications to the authorities under this section.</text></paragraph>
<paragraph id="id2b4e6c9b27bc42f795a549c15bee1ed5"><enum>(4)</enum><header>Form</header><text>Each report required under this subsection shall be submitted in unclassified form, but may include a classified annex.</text></paragraph></subsection> <subsection id="id93107872e38546eab42a65705cf03f94"><enum>(h)</enum><header>Authorization of appropriations</header><text>There are authorized to be appropriated to carry out this section $100,000,000 for each of fiscal years 2022 through 2026.</text></subsection>
<subsection id="id5ce6730bd66b4b98bc79e5e1d76ef955"><enum>(i)</enum><header>Definitions</header><text>In this section:</text> <paragraph id="id9602c02fe156435c83acb9aa400bc398"><enum>(1)</enum><header>Critical infrastructure</header><text>The term <term>critical infrastructure</term> has the meaning given that term in section 1016(e) of the Critical Infrastructure Protection Act of 2001 (<external-xref legal-doc="usc" parsable-cite="usc/42/5195c">42 U.S.C. 5195c(e)</external-xref>).</text></paragraph>
<paragraph id="idbfdc8de80a204a97b102dd1d6b9e1b35"><enum>(2)</enum><header>Director</header><text>The term <term>Director</term> means the National Cyber Director. </text></paragraph> <paragraph id="id0a5f907402b24d05a156c153fa91981c"><enum>(3)</enum><header>Information sharing environment</header><text>The term <term>Information Sharing Environment</term> means the information sharing environment established under subsection (a).</text></paragraph></subsection></section>
<section id="id686e0be07b494f309d48f96c504deb46"><enum>203.</enum><header>Designate three critical technology security centers</header>
<subsection id="idccc38479c25f45728246a60b0656d36d"><enum>(a)</enum><header>In general</header><text>Section 307(b)(3) of the Homeland Security Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/6/187">6 U.S.C. 187(b)(3)</external-xref>), is amended—</text> <paragraph id="idf132305522134ebfa3a8f11c47fa08f4"><enum>(1)</enum><text>in the matter preceding subparagraph (A), by inserting <quote>national laboratories,</quote> before <quote>and universities</quote>; </text></paragraph>
<paragraph id="id888D6EB5C6E240569F63300428B25D75"><enum>(2)</enum><text>in subparagraph (C), by striking <quote>and</quote> at the end; </text></paragraph> <paragraph id="id29A3234516A14B8BBDC9B497542F4BE2"><enum>(3)</enum><text>in subparagraph (D), by striking the period at the end and inserting <quote>; and</quote>; and</text></paragraph>
<paragraph id="iddf2c0bba82f8422e916140147c764480"><enum>(4)</enum><text>by adding at the end the following:</text> <quoted-block style="OLC" display-inline="no-display-inline" id="iddb71eb22cc9945dd9e588aef52e17ceb"> <subparagraph id="id397ea2f91ec94fbaaac4c165528e5128"><enum>(E)</enum><text>establish not less than 1, and not more than 3, cybersecurity-focused critical technology security centers, in order to bolster the overall resilience of the networks and critical infrastructure of the United States, to perform—</text>
<clause id="idfd77efa5845b4594afd13a9616fe0f73"><enum>(i)</enum><text>network technology security testing, to test the security of cyber-related hardware and software;</text></clause> <clause id="id89e0fa1a38b345ef85bda829b0a2f43e"><enum>(ii)</enum><text>connected industrial control system security testing, to test the security of connected programmable data logic controllers, supervisory control and data acquisition servers, and other cyber connected industrial equipment; and</text></clause>
<clause id="ide1fcea8fe0cf40e69663d06341bf5819"><enum>(iii)</enum><text>open source software security testing, to test and coordinate efforts to fix vulnerabilities in open-source software.</text></clause></subparagraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection> <subsection id="idb641e8289bd44823b141928dab24a2c1"><enum>(b)</enum><header>Authorization of appropriations</header><text>There are authorized to be appropriated to carry out the amendments made by this section $15,000,000 for each of fiscal years 2022 through 2026.</text></subsection></section></title>
<title id="id3E0FA56CF1E3464BAE0879ED1E991D8A" style="OLC"><enum>III</enum><header>Improving security in the national cyber ecosystem</header>
<section id="id5f463744bba846fdb783b59333bad1f9"><enum>301.</enum><header>Establish a National Cybersecurity Certification and Labeling Authority</header>
<subsection id="id4b271f206027441d8ab7357f79026433"><enum>(a)</enum><header>Definitions</header><text>In this section:</text> <paragraph id="id955fdf88fbe54dcabcae52dfc5dffe8b"><enum>(1)</enum><header>Accredited certifying agent</header><text>The term <term>accredited certifying agent</term> means any person who is accredited by the Authority as a certifying agent for the purposes of certifying a specific class of critical information and communications technology.</text></paragraph>
<paragraph id="idE01E92C0D25C4E3892CF9B753C1D8F51"><enum>(2)</enum><header>Authority</header><text>The term <term>Authority</term> means the National Cybersecurity Certification and Labeling Authority established under subsection (b)(1). </text></paragraph> <paragraph id="ideb3366864bed4e20a52374993c40417b"><enum>(3)</enum><header>Certification</header><text>The term <term>certification</term> means a seal or symbol provided by the Authority or an accredited certifying agent, that results from passage of a comprehensive evaluation of an information and communications technology that establishes the extent to which a particular design and implementation meets a set of specified security standards.</text></paragraph>
<paragraph id="idede7fc24da1a4b20bd7cf7babf5c012a"><enum>(4)</enum><header>Critical information and communications technology</header><text>The term <term>critical information and communications technology</term> means information and communications technology that is in use in critical infrastructure sectors and that underpins the resilience of national critical functions, as determined by the Secretary.</text></paragraph> <paragraph id="id7264a054d8f04a409b88ed03244fde2e"><enum>(5)</enum><header>Critical infrastructure</header><text>The term <term>critical infrastructure</term> has the meaning given that term in section 1016(e) of the Critical Infrastructure Protection Act of 2001 (<external-xref legal-doc="usc" parsable-cite="usc/42/5195c">42 U.S.C. 5195c(e)</external-xref>). </text></paragraph>
<paragraph id="id975C776A01C341CB9270B13E4593C540"><enum>(6)</enum><header>Label</header><text>The term <term>label</term> means a clear, visual, and easy to understand symbol or list that conveys specific information about a product’s security attributes, characteristics, functionality, components, or other features.</text></paragraph> <paragraph id="idC56C1F5E54BF43FC85AD0390D40E91BC"><enum>(7)</enum><header>Program</header><text>The term <term>Program</term> means the program administered under subsection (b)(1).</text></paragraph>
<paragraph id="idD73926CEF6C941998C32294E370A5D6B"><enum>(8)</enum><header>Secretary</header><text>The term <term>Secretary</term> means the Secretary of Homeland Security.</text></paragraph></subsection> <subsection id="id68fdacc4e83e458887bec05e766789eb"><enum>(b)</enum><header>National cybersecurity certification and labeling authority</header> <paragraph id="idd04474643d564ecf99a44f0e50bc3c85"><enum>(1)</enum><header>Establishment</header><text>There is established a National Cybersecurity Certification and Labeling Authority for the purpose of establishing and administering a voluntary national cybersecurity certification and labeling program for critical information and communications technology in order to bolster the resilience of the networks and critical infrastructure of the United States.</text></paragraph>
<paragraph id="id4bf1add4c73646fa874fc7530f429302"><enum>(2)</enum><header>Programs</header>
<subparagraph id="id1a6a9b2b53f041599b333be9ea6e342c"><enum>(A)</enum><header>Accreditation of certifying agents</header><text>As part of the Program, the Authority shall define and publish a process whereby governmental and nongovernmental entities may apply to become accredited certifying agents for the certification of specific critical information and communications technology, including—</text> <clause id="id685ea5f18436488b82e1a77caf4247d9"><enum>(i)</enum><text>smartphones;</text></clause>
<clause id="idf54cc981919641ee82940d4e47021ddf"><enum>(ii)</enum><text>tablets;</text></clause> <clause id="idc9cf06c4caaf4801b4cd181df0bb8be4"><enum>(iii)</enum><text>laptop computers;</text></clause>
<clause id="id25a738aea2214b69bc5c46b8415dfab6"><enum>(iv)</enum><text>operating systems;</text></clause> <clause id="id1310199c878b424f881a57d53ed02418"><enum>(v)</enum><text>routers;</text></clause>
<clause id="id61423be6a9de4d4587ed1b8a47e10c34"><enum>(vi)</enum><text>software-as-a-service;</text></clause> <clause id="id350999daac00432da8fa649c69922d56"><enum>(vii)</enum><text>infrastructure-as-a-service;</text></clause>
<clause id="iddff36ae92bf74922a6bfff72227b1865"><enum>(viii)</enum><text>platform-as-a-service;</text></clause> <clause id="id285c3192bbb644d592df2532e60a5136"><enum>(ix)</enum><text>programmable logic controllers;</text></clause>
<clause id="id7cd27390e33743dba04873ef4ada3f17"><enum>(x)</enum><text>intelligent electronic devices; and</text></clause> <clause id="id70a7a5d57e1e44b19c3d35827807c477"><enum>(xi)</enum><text>programmable automation controllers.</text></clause></subparagraph>
<subparagraph id="iddb46738439f844fe9e2a666a0ab7c48b"><enum>(B)</enum><header>Identification of standards, frameworks, and benchmarks</header><text>As part of the Program, the Authority shall work in coordination with accredited certifying agents, the Secretary, and subject matter experts from the Federal Government, academia, nongovernmental organizations, and the private sector to identify and harmonize common security standards, frameworks, and benchmarks against which the security of critical information and communications technologies may be measured.</text></subparagraph> <subparagraph id="id22524431dcd843baaa06ddaaad497934"><enum>(C)</enum><header>Product certification</header><text>As part of the Program, the Authority, in consultation with the Secretary and other experts from the Federal Government, academia, nongovernmental organizations, and the private sector, shall—</text>
<clause id="id218861ff203d4eb99a8a71fb0874154d"><enum>(i)</enum><text>develop, and disseminate to accredited certifying agents, guidelines to standardize the presentation of certifications to communicate the level of security for critical information and communications technologies;</text></clause> <clause id="id28ef9e90a2844fae9f3e421cd6f43181"><enum>(ii)</enum><text>develop, or permit accredited certifying agents to develop, certification criteria for critical information and communications technologies based on identified security standards, frameworks, and benchmarks, through the work conducted under subparagraph (B);</text></clause>
<clause id="idbcc02a983916456d82e92244810ae625"><enum>(iii)</enum><text>issue, or permit accredited certifying agents to issue, certifications for critical information and communications technology that meet and comply with security standards, frameworks, and benchmarks identified through the work conducted under subparagraph (B);</text></clause> <clause id="id05aa89ac551540399c18ac4df50902f3"><enum>(iv)</enum><text>permit a manufacturer or distributor of critical information and communications technology to display a certificate reflecting the extent to which the critical information and communications technology meets security standards, frameworks, and benchmarks identified through the work conducted under subparagraph (B);</text></clause>
<clause id="iddc5ed1940f9d4bb084202a326a73574f"><enum>(v)</enum><text>remove the certification of a critical information and communications technology as a critical information and communications technology certified under the Program if the manufacturer of the certified critical information and communications technology falls out of conformity with the security standards, frameworks, or benchmarks identified through the work conducted under subparagraph (B) for the critical information and communications technology; </text></clause> <clause id="id91dba2925f974c4aa68c5714429fa710"><enum>(vi)</enum><text>work to enhance public awareness of the certification and labeling efforts of the Authority and accredited certifying agents, including through public outreach, education, research and development, and other means; and</text></clause>
<clause id="id44f455a3818c455ea133b9e52096b4bf"><enum>(vii)</enum><text>publicly display a list of labels and certified critical information and communications technology, along with their respective certification information.</text></clause></subparagraph> <subparagraph id="id488f273529594af59a9b4d296f814fc7"><enum>(D)</enum><header>Certifications</header> <clause id="id59f77d60d0db42179d0b3d60cff0e78d"><enum>(i)</enum><header>In general</header><text>A certification shall remain valid for 1 year from the date of issuance.</text></clause>
<clause id="id12345d8c3e274e19add9230efd738fc8"><enum>(ii)</enum><header>Classes of certification</header><text>In developing the guidelines and criteria required under subparagraph (C)(i), the Authority shall designate at least 3 classes of certifications, including the following:</text> <subclause id="id075ad0ea7ce645a0a83355877cb8a8f2"><enum>(I)</enum><text>For critical information and communications technology which the product manufacturer or service provider attests meets the criteria for a certification, attestation-based certification.</text></subclause>
<subclause id="id6b1ea398f4bb4b64bf25c92763a5961a"><enum>(II)</enum><text>For critical information and communications technology products and services that have undergone third-party accreditation of criteria for certification, accreditation-based certification.</text></subclause> <subclause id="id2ea399bf47874683af4e487c630daaa5"><enum>(III)</enum><text>For critical information and communications technology that has undergone a security evaluation and testing process by a qualifying third party, as determined by the Authority, test-based certification.</text></subclause></clause></subparagraph>
<subparagraph id="id7b1d97ab1b1e40658556f87e6e17b5ec"><enum>(E)</enum><header>Product labeling</header><text>The Authority, in consultation with the Secretary and other experts from the Federal Government, academia, nongovernmental organizations, and the private sector, shall—</text> <clause id="id946dcb329201409d80246c9f0586c389"><enum>(i)</enum><text>collaborate with the private sector to standardize language and define a labeling schema to provide transparent information on the security characteristics and constituent components of a software or hardware product; and</text></clause>
<clause id="idcbc752aac39b458e8db910756b2ad663"><enum>(ii)</enum><text>establish a mechanism by which product developers can provide this information for both product labeling and public posting.</text></clause></subparagraph></paragraph> <paragraph id="id7E78620288F6440D9BF075C74E6E4AA3" commented="no"><enum>(3)</enum><header>Enforcement</header> <subparagraph commented="no" id="id95229EBF9F424D84B48745E4EFDCA5C2"><enum>(A)</enum><header>In general</header><text>It shall be unlawful for a product manufacturer, distributor, or seller to—</text>
<clause id="idDD55597E49474025A755EF62E2084336" commented="no"><enum>(i)</enum><text>falsely attest to, or falsify an audit or test for, a security standard, framework, or benchmark for certification;</text></clause> <clause id="id739A85B5166F484AADC4854815188A1D" commented="no"><enum>(ii)</enum><text>intentionally mislabel a product; or</text></clause>
<clause id="idB38C900A16FD488687C785AFD8A1E97F" commented="no"><enum>(iii)</enum><text>fail to maintain the security standard, framework, or benchmark to which the manufacturer, distributor, or seller attested. </text></clause></subparagraph> <subparagraph id="id4CEF759EB7824082A510E8160236590D" commented="no"><enum>(B)</enum><header>Enforcement by Federal Trade Commission</header> <clause id="idF5CCE3E0362C4BC18F50836A7C03BFC0" commented="no"><enum>(i)</enum><header>Unfair or deceptive acts or practices</header><text>A violation of subparagraph (A) shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 57a(a)(1)(B)</external-xref>) regarding unfair or deceptive acts or practices.</text></clause>
<clause id="id1EDF806D9B08474693E10D7BC74B3B30" commented="no"><enum>(ii)</enum><header>Powers of Commission</header>
<subclause id="id7AAB61279418434591F51FE00E5DB745" commented="no"><enum>(I)</enum><header>In general</header><text>The Federal Trade Commission shall enforce this paragraph in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>) were incorporated into and made a part of this paragraph.</text></subclause> <subclause id="id22A746F97C78497FA3E2653CB518BCD9" commented="no" display-inline="no-display-inline"><enum>(II)</enum><header>Privileges and immunities</header><text>Any person who violates this paragraph shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>). </text></subclause></clause></subparagraph></paragraph></subsection>
<subsection id="idb180843950d445a097d63baeafebd808"><enum>(c)</enum><header>Selection of the authority</header>
<paragraph id="id22d5bd79ffaa4e52a0fd43bba86d5f37"><enum>(1)</enum><header>Selection</header><text>The Secretary shall issue a notice of funding opportunity and select, on a competitive basis, a nonprofit, nongovernmental organization to serve as the Authority for a period of 5 years.</text></paragraph> <paragraph id="id5c7d1a0a5f9440bbab90b1141e7bc37f"><enum>(2)</enum><header>Eligibility for selection</header><text>The Secretary may only select an organization to serve as the Authority if such organization—</text>
<subparagraph id="idee9bd027f54a4759956d79b61f458c56"><enum>(A)</enum><text>is a nongovernmental, nonprofit organization that is—</text> <clause id="id979c9a0931914da5bc60c77f335fd158"><enum>(i)</enum><text>exempt from taxation under <external-xref legal-doc="usc" parsable-cite="usc/26/501">section 501(a)</external-xref> of the Internal Revenue Code of 1986; and</text></clause>
<clause id="idd09972e1e5754f85a66cd012064976f8"><enum>(ii)</enum><text>described in sections 501(c)(3) and 170(b)(1)(A)(vi) of that Code; </text></clause></subparagraph> <subparagraph id="id84e5acc73fcb490cbeb0672d66d0bfef"><enum>(B)</enum><text>has a demonstrable track record of work on cybersecurity and information security standards, frameworks, and benchmarks; and</text></subparagraph>
<subparagraph id="id93f9137934b94c8983c5391e186d02b2"><enum>(C)</enum><text>possesses requisite staffing and expertise, with demonstrable prior experience in technology security or safety standards, frameworks, and benchmarks, as well as certification.</text></subparagraph></paragraph> <paragraph id="id16496ddc149b435380c2c9f4dd9134db"><enum>(3)</enum><header>Application</header><text>The Secretary shall establish a process by which a nonprofit, nongovernmental organization that seeks to be selected as the Authority may apply for consideration.</text></paragraph>
<paragraph id="idf2255b34b3ce4741846752210f2f33de"><enum>(4)</enum><header>Program evaluation</header><text>Not later than the date that is 4 years after the initial selection pursuant to paragraph (1), and every 4 years thereafter, the Secretary shall—</text> <subparagraph id="ide85e1350574e4f5b955333db60675eb2"><enum>(A)</enum><text>assess the effectiveness of the labels and certificates produced by the Authority, including—</text>
<clause id="id65e2e60377b749638a8d61366a9d7bb5"><enum>(i)</enum><text>assessing the costs to businesses that manufacture critical information and communications technology participating in the Program;</text></clause> <clause id="id450dafb043bd4d02b914ea9de2f11cb7"><enum>(ii)</enum><text>evaluating the level of participation in the Program by businesses that manufacture critical information and communications technology; and</text></clause>
<clause id="id52325b72bfa943cc97c81f2463d262a1"><enum>(iii)</enum><text>assessing the level of public awareness and consumer awareness of the label;</text></clause></subparagraph> <subparagraph id="id47c578952c124750b03105143b116813"><enum>(B)</enum><text>audit the impartiality and fairness of the Authority’s activities conducted under this section;</text></subparagraph>
<subparagraph id="id285b1e8a071d4638a9093631fa018ec0"><enum>(C)</enum><text>issue a public report on the assessment most recently carried out under subparagraph (A) and the audit most recently carried out under subparagraph (B); and</text></subparagraph> <subparagraph id="ide70c9f97d7ff4353837b6b90822feaab"><enum>(D)</enum><text>brief Congress on the findings of the Secretary with respect to the most recent assessment under subparagraph (A) and the most recent audit under subparagraph (B).</text></subparagraph></paragraph>
<paragraph id="id81eee4400e3e44449893ec715f95f0a3"><enum>(5)</enum><header>Renewal</header><text>After the initial selection pursuant to paragraph (1), the Secretary shall, every 5 years—</text> <subparagraph id="id425893b25a12421bbe92a47c703a56bd"><enum>(A)</enum><text>accept applications from nonprofit, nongovernmental organizations seeking selection as the Authority; and</text></subparagraph>
<subparagraph id="id7e3cdd84b4e04e5f89c21d0906cfb112"><enum>(B)</enum><text>following competitive consideration of all applications—</text> <clause id="idcbf6ae7d50af4399a5f61864ad204ed9"><enum>(i)</enum><text>renew the selection of the organization serving as the Authority; or</text></clause>
<clause id="id94f7607493d0400cb59664eb1062834a"><enum>(ii)</enum><text>select another applicant organization to serve as the Authority.</text></clause></subparagraph></paragraph></subsection> <subsection id="id24e83d111b6042d0ae87a5389ccc0ab8"><enum>(d)</enum><header>Authorization of appropriations</header><text>There are authorized to be appropriated to carry out this section $25,000,000 for each of fiscal years 2022 through 2026.</text></subsection></section>
<section id="idffc22de5733247ddadd9827b51fa9851"><enum>302.</enum><header>Establish the Bureau of Cybersecurity Statistics</header>
<subsection id="id81397b035f0442c1a4b0ac1b08d2984e"><enum>(a)</enum><header>Definitions</header><text>In this section:</text> <paragraph id="idB9D3B72F7F9C4176AD9CF241091B5259"><enum>(1)</enum><header>Bureau</header><text>The term <term>Bureau</term> means the Bureau of Cybersecurity Statistics established under subsection (b).</text></paragraph>
<paragraph id="id6caeda2457fd4695ac22c7d114a1112a" commented="no" display-inline="no-display-inline"><enum>(2)</enum><header>Covered entity</header><text>The term <term>covered entity</term> means any nongovernmental organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or venture (without regard to whether it is established for profit) that is engaged in or affecting interstate commerce and that provides cybersecurity incident response services or cybersecurity insurance products.</text></paragraph> <paragraph id="id3fd515ce95ef432dbb0eca64f032e0a3"><enum>(3)</enum><header>Cyber incident</header><text>The term <term>cyber incident</term> includes each of the following:</text>
<subparagraph id="idaec1bf5f0a2f41198b85c8969f38ff02"><enum>(A)</enum><text>Unauthorized access to an information system or network that leads to loss of confidentiality, integrity, or availability of that information system or network.</text></subparagraph> <subparagraph id="id8b8b019ca2224f64838264a3b11da5e0"><enum>(B)</enum><text>Disruption of business operations due to a distributed denial of service attack against an information system or network.</text></subparagraph>
<subparagraph id="id342a25ba0115407e89800eeb84b037ef"><enum>(C)</enum><text>Unauthorized access or disruption of business operations due to loss of service facilitated through, or caused by, a cloud service provider, managed service provider, or other data hosting provider.</text></subparagraph> <subparagraph id="id7c7207ad464a4fa5a64d1c5af46510a2" commented="no" display-inline="no-display-inline"><enum>(D)</enum><text>Fraudulent or malicious use of a cloud service account, data hosting account, internet service account, or any other digital service.</text></subparagraph></paragraph>
<paragraph commented="no" display-inline="no-display-inline" id="id407757B4D5704C5A8D44DAB64CD1CB7F"><enum>(4)</enum><header>Director</header><text>The term <term>Director</term> means the Director of the Bureau.</text></paragraph> <paragraph id="id93863c9199d34932a7b45bd76edb5917"><enum>(5)</enum><header>Statistical purpose</header><text>The term <term>statistical purpose</term>— </text>
<subparagraph id="id0CDE43E9F519494B9B4E0817D1DA8E8C"><enum>(A)</enum><text>means the description, estimation, or analysis of the characteristics of groups, without identifying the individuals or organizations that comprise such groups; and </text></subparagraph> <subparagraph id="id5B19D020EB8C425789834CE914C01EFE"><enum>(B)</enum><text>includes the development, implementation, or maintenance of methods, technical or administrative procedures, or information resources that support the purposes described in subsection (e).</text></subparagraph></paragraph></subsection>
<subsection id="id70225e8269984c18baa81ad4d0a78f64"><enum>(b)</enum><header>Establishment</header><text>There is established within the Department of Homeland Security a Bureau of Cybersecurity Statistics. </text></subsection> <subsection id="id069c36f9c87c47d3a6db1dda0cf2beb7"><enum>(c)</enum><header>Director</header> <paragraph id="id4c39c10aca3e4a44b0ed87f3e253351e"><enum>(1)</enum><header>In general</header><text>The Bureau shall be headed by a Director, who shall—</text>
<subparagraph id="id182c9507a9144157a2ba859b9f2f696a"><enum>(A)</enum><text>report to the Secretary of Homeland Security; and</text></subparagraph> <subparagraph id="id3b6b875a460b43ff96b479e560b9b365"><enum>(B)</enum><text>be appointed by the President.</text></subparagraph></paragraph>
<paragraph id="iddb2fae78d26c46408d22258063e15456"><enum>(2)</enum><header>Authority</header><text>The Director shall—</text> <subparagraph id="id30e530e5e3344015857bcdd523a07559"><enum>(A)</enum><text>have final authority for all cooperative agreements and contracts awarded by the Bureau;</text></subparagraph>
<subparagraph id="id864ba4328dce4ff4a74c9caa05b57c52"><enum>(B)</enum><text>be responsible for the integrity of data and statistics collected or issued by the Bureau; and</text></subparagraph> <subparagraph id="idfa093dc219cc491698327a526a5db34c"><enum>(C)</enum><text>protect against improper or illegal use or disclosure of information furnished for exclusively statistical purposes under this section, consistent with the requirements of subsection (f).</text></subparagraph></paragraph>
<paragraph id="idc67b03af839d4b5f9bdd5a6c0081285e"><enum>(3)</enum><header>Qualifications</header><text>The Director—</text> <subparagraph id="ida7e599e781994734b1ff3eb07ccae9db"><enum>(A)</enum><text>shall have experience in statistical programs; and</text></subparagraph>
<subparagraph id="idd5ad40e2564546b4bbfca7fff83d0ca9"><enum>(B)</enum><text>shall not—</text> <clause id="id6a55d8b878f644de9406bfd565a35e91"><enum>(i)</enum><text>engage in any other employment; or</text></clause>
<clause id="id31663ee9f6d94dd69777aa534b9a419a"><enum>(ii)</enum><text>hold any office in, or act in any capacity for, any organization, agency, or institution with which the Bureau makes any contract or other arrangement under this section.</text></clause></subparagraph></paragraph> <paragraph id="idb7bfe35d5c16414fb914119fb124f28d"><enum>(4)</enum><header>Duties and functions</header><text>The Director shall—</text>
<subparagraph id="idcb2c4ad799624d178685d428335bdd17"><enum>(A)</enum><text>collect and analyze information concerning cybersecurity, including data related to cyber incidents, cyber crime, and any other area the Director determines appropriate;</text></subparagraph> <subparagraph id="id019f7ec082ba4adcaf19d4cd4e9e75e4"><enum>(B)</enum><text>collect and analyze data that will serve as a continuous and comparable national indication of the prevalence, incidents, rates, extent, distribution, and attributes of all relevant cyber incidents, as determined by the Director, in support of national policy and decision making;</text></subparagraph>
<subparagraph id="id71eaf1354152434f8ed2b9461a7d51be"><enum>(C)</enum><text>compile, collate, analyze, publish, and disseminate uniform national cyber statistics concerning any area that the Director determines appropriate;</text></subparagraph> <subparagraph id="ida09d065ef96047148c1c6c426a67473f"><enum>(D)</enum><text>in coordination with the National Institute of Standards and Technology, recommend national standards, metrics, and measurement criteria for cyber statistics and for ensuring the reliability and validity of statistics collected pursuant to this subsection;</text></subparagraph>
<subparagraph id="idbc9f5c05e6e84cffb37837409894fb9f"><enum>(E)</enum><text>conduct or support research relating to methods of gathering or analyzing cyber statistics;</text></subparagraph> <subparagraph id="idd397e3e350514dc48b167725fea22637"><enum>(F)</enum><text>enter into cooperative agreements or contracts with public agencies, institutions of higher education, or private organizations for purposes related to this subsection;</text></subparagraph>
<subparagraph id="id23a81fe39d3c424a855fa0380ec6203d"><enum>(G)</enum><text>provide appropriate information to the President, the Congress, Federal agencies, the private sector, and the general public on cyber statistics;</text></subparagraph> <subparagraph id="ida2933360813349a1ac8ceb06737662f5"><enum>(H)</enum><text>maintain liaison with State and local governments concerning cyber statistics;</text></subparagraph>
<subparagraph id="idb1264dc4f1d3479c8931458f0389dea9"><enum>(I)</enum><text>confer and cooperate with Federal statistical agencies as needed to carry out the purposes of this section, including by entering into cooperative data sharing agreements in conformity with all laws and regulations applicable to the disclosure and use of data; and</text></subparagraph> <subparagraph id="id134c432db35e4e88ad3162d9003be878"><enum>(J)</enum><text>request from any person or entity information, data, and reports as may be required to carry out the purposes of this subsection.</text></subparagraph></paragraph></subsection>
<subsection id="id14dd5df1d15846ada7f2f00071ca51d5"><enum>(d)</enum><header>Furnishment of information, data, or reports by Federal departments and agencies</header><text>Federal departments and agencies requested by the Director to furnish information, data, or reports pursuant to subsection (c)(4)(J) shall provide to the Bureau such information as the Director determines necessary to carry out the purposes of this section.</text></subsection> <subsection id="id83beaedd4d5d4850895af44dd82935e2"><enum>(e)</enum><header>Furnishment of cyber incident information, data, or reports to the bureau by the private sector</header> <paragraph id="id72978C0D561642DAA3BD3881B2C7A26C"><enum>(1)</enum><header>In general</header><text>Not later than 180 days after the date of enactment of this Act, and every 180 days thereafter, each covered entity shall submit to the Bureau a report containing such data and information as the Director determines necessary to carry out the purposes of this section.</text></paragraph>
<paragraph id="id3e5e8deb58304974b876fb277c331d44"><enum>(2)</enum><header>Determination of data and information necessary to carry out the purposes of this section</header><text>Not later than 90 days after the date of enactment of this Act, and annually thereafter, the Director shall publish a list of data and information determined necessary to carry out the purposes of this section, including individual descriptions of cyber incidents, which shall include—</text> <subparagraph id="ida19335e0740a407caa4e03032a595b08"><enum>(A)</enum><text>identification of the affected databases, information systems, or devices that were, or are reasonably believed to have been accessed by an unauthorized person;</text></subparagraph>
<subparagraph id="idefde52515f1c444e8709959ab41cb28e"><enum>(B)</enum><text>where applicable, a description of the vulnerabilities, tactics, techniques, and procedures used;</text></subparagraph> <subparagraph id="id59a370427847425ab2d77c83baccfbe1"><enum>(C)</enum><text>where applicable, any identifying information related to the malicious actors who perpetrated the incident;</text></subparagraph>
<subparagraph id="id5702016b142b45a9864c4332fb0fcd59"><enum>(D)</enum><text>where applicable, any cybersecurity controls implemented by the victim organization; and</text></subparagraph> <subparagraph id="idd50f2ddc28354e21b54fe956e7cd6ca6"><enum>(E)</enum><text>the industrial sectors, regions, and size of affected entities (as determined by number of employees) without providing any information that can reasonably be expected to identify such entities.</text></subparagraph></paragraph>
<paragraph id="id751ce2a8082245b0bbb86e221ceba64a"><enum>(3)</enum><header>Standards for submission of information and data</header><text>Not later than 180 days after the date of enactment of this Act, the Director shall, in consultation with covered entities, develop standardized procedures for the submission of data and information the Director determines necessary to carry out the purposes of this section.</text></paragraph> <paragraph id="id0ae9cb347ff04ed6934e81b1fc2a7b30"><enum>(4)</enum><header>Private sector reporting</header><text>Not later than 90 days after the date on which the Director develops the standards required under paragraph (3), the Director shall— </text>
<subparagraph id="idDA8006C25E034A57A7B3A9896D094E96"><enum>(A)</enum><text>publish the processes for submission of information, data, and reports by covered entities; and </text></subparagraph> <subparagraph id="idE10FD1FCF0274218BE123B6532870408"><enum>(B)</enum><text>begin accepting reporting required under paragraph (1).</text></subparagraph></paragraph>
<paragraph id="idf2714c04fc4e439791745d0bdfba2c54"><enum>(5)</enum><header>Regulatory use</header><text>Information disclosed to the Bureau under this section that is not otherwise available, shall not be used by the Federal Government or any State, local, tribal, or territorial government to sanction or otherwise punish the entity disclosing the information, or the entity in which the cyber incident initially occurred.</text></paragraph> <paragraph id="id50d81b152d724b8999598e7134c2bef1"><enum>(6)</enum><header>Preservation of privilege</header><text>Disclosure of information pursuant to this section or by a covered entity to the Bureau shall not waive any otherwise applicable privilege, immunity, or protection provided by law.</text></paragraph>
<paragraph id="id0cdd5773299a4858ac7941dc762ae2b8"><enum>(7)</enum><header>Preservation of existing obligations</header><text>Nothing in this section shall modify, prevent, or abrogate any notice or notification obligations under Federal contracts, enforceable agreements with the government, or other Federal law.</text></paragraph> <paragraph id="id871599ad5c094b53bc4e44238a610718" commented="no"><enum>(8)</enum><header>Enforcement</header> <subparagraph id="id78C6744D78B644D6993DA1B966AFCA94" commented="no"><enum>(A)</enum><header>Unfair or deceptive acts or practices</header><text>Compliance with the requirements imposed under this subsection by covered entities shall be enforced by the Federal Trade Commission under the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>). For the purpose of the exercise by the Federal Trade Commission of its functions and powers under the Federal Trade Commission Act, a violation of any requirement or prohibition imposed under this subsection shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/57a">15 U.S.C. 57a(a)(1)(B)</external-xref>) regarding unfair or deceptive acts or practices.</text></subparagraph>
<subparagraph id="id8C79B0B3BFEC48699A25DEC65DA21A02" commented="no"><enum>(B)</enum><header>Powers of Commission</header><text>Subject to subparagraph (C), the Federal Trade Commission shall enforce this subsection in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>) were incorporated into and made a part of this subsection.</text></subparagraph> <subparagraph commented="no" id="id62AC3E4CAD0944CF82F75B9A4DFBBA0F"><enum>(C)</enum><header>Additional entities</header> <clause commented="no" id="idB90FACA86A684DF5ADC90485761EC577"><enum>(i)</enum><header>In general</header><text>Notwithstanding sections 4, 5(a)(2), or 6 of the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/44">15 U.S.C. 44</external-xref>, 45(a)(2), 46) or any jurisdictional limitation of the Federal Trade Commission, the Federal Trade Commission shall also enforce this subsection, in the same manner provided in subparagraph (A) of this paragraph, with respect to—</text>
<subclause id="idDD4439C17BC14D719AF743A352D1AC59" commented="no"><enum>(I)</enum><text>organizations not organized to carry on business for their own profit or that of their members; and</text></subclause> <subclause id="id237112AEE3F44A91888A4918CE400EEB" commented="no"><enum>(II)</enum><text>common carriers subject to the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/151">47 U.S.C. 151 et seq.</external-xref>).</text></subclause></clause>
<clause commented="no" id="id48BDA54E21294232BD88F399AA7553EB"><enum>(ii)</enum><header>Coordination and notice</header><text>The Federal Trade Commission shall—</text> <subclause id="id6831b89ae4de45298fbcdc0f6ed698ac" commented="no"><enum>(I)</enum><text>coordinate with the Federal Communications Commission regarding enforcement of this subsection with respect to common carriers subject to the Communications Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/47/151">47 U.S.C. 151 et seq.</external-xref>); </text></subclause>
<subclause id="id617127cf07d74afda0e284242ae21ecc" commented="no"><enum>(II)</enum><text>notify the Bureau of Consumer Financial Protection regarding enforcement of this subsection with respect to information associated with the provision of financial products or services by an entity that provides a consumer financial product or service (as defined in section 1002 of the Consumer Financial Protection Act of 2010 (<external-xref legal-doc="usc" parsable-cite="usc/12/5481">12 U.S.C. 5481</external-xref>)); and</text></subclause> <subclause id="id30e8d021cbe246eeba91dda808c3e3a4" commented="no" display-inline="no-display-inline"><enum>(III)</enum><text>for enforcement of this subsection with respect to matters implicating the jurisdiction or authorities of another Federal agency, notify that agency as appropriate. </text></subclause></clause></subparagraph>
<subparagraph id="id8B83AFD0757449D19D4BF32D1DBFD203" commented="no" display-inline="no-display-inline"><enum>(D)</enum><header>Privileges and immunities</header><text>Any covered entity that violates the requirements imposed under this subsection shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (<external-xref legal-doc="usc" parsable-cite="usc/15/41">15 U.S.C. 41 et seq.</external-xref>). </text></subparagraph> <subparagraph id="ida474f392633f47b294a30774e4d5ea8d" commented="no"><enum>(E)</enum><header>Construction</header><text>Nothing in this paragraph shall be construed to limit the authority of the Federal Trade Commission under any other provision of law.</text></subparagraph></paragraph></subsection>
<subsection id="id604a0c943a654d5598e789f52d013847"><enum>(f)</enum><header>Protection of information</header>
<paragraph id="id42038c6b7dc34d5c839a603c4686ab0b"><enum>(1)</enum><header>In general</header><text>No officer or employee of the Federal Government or agent of the Federal Government may, without the consent of the individual, entity, agency, or other person who is the subject of the submission or provides the submission—</text> <subparagraph id="id02754faf97a042cdaf710760e78f5a49"><enum>(A)</enum><text>use any submission that is furnished for exclusively statistical purposes under this section for any purpose other than the statistical purposes for which the submission is furnished;</text></subparagraph>
<subparagraph id="id2fa4405d6f5043d3ae0e70cfd1c149c6"><enum>(B)</enum><text>make any publication or media transmittal of the data contained in a submission described in subparagraph (A) that permits information concerning individual entities or individual incidents to be reasonably inferred by either direct or indirect means; or</text></subparagraph> <subparagraph id="idbb690d5bc1634bf9985a3f08a88affd2"><enum>(C)</enum><text>permit anyone other than a sworn officer, employee, agent, or contractor of the Bureau to examine an individual submission described in subsection (e).</text></subparagraph></paragraph>
<paragraph id="id0b3992a1e02c49acb91e853416801b92"><enum>(2)</enum><header>Immunity from legal process</header><text>Any submission (including any data derived from the submission) that is collected and retained by the Bureau, or an officer, employee, agent, or contractor of the Bureau, for exclusively statistical purposes under this section shall be immune from the legal process and shall not, without the consent of the individual, entity, agency, or other person who is the subject of the submission or provides the submission, be admitted as evidence or used for any purpose in any action, suit, or other judicial or administrative proceeding.</text></paragraph> <paragraph id="id0242d5358390400d9d88e4219072dcfb"><enum>(3)</enum><header>Rule of construction</header><text>Nothing in this subsection shall be construed to provide immunity from the legal process for a submission (including any data derived from the submission) if the submission is in the possession of any person, agency, or entity other than the Bureau or an officer, employee, agent, or contractor of the Bureau, or if the submission is independently collected, retained, or produced for purposes other than the purposes of this section.</text></paragraph></subsection>
<subsection id="idd5e63ee08fb24aab97d882a88426df1d"><enum>(g)</enum><header>Authorization of appropriation</header><text>There are authorized to be appropriated such sums as may be necessary to carry out this section. Such funds shall remain available until expended.</text></subsection></section> <section id="ide3e16cd9e8ad424ba0ffaf19e4a36bae"><enum>303.</enum><header>Secure foundational internet protocols</header> <subsection id="ide7c81152a3a34c858009748ace49c106"><enum>(a)</enum><header>Definitions</header><text>In this section:</text>
<paragraph id="idd4d9a670ab4449b888bf4f11f4f5cb26"><enum>(1)</enum><header>Border gateway protocol</header><text>The term <term>border gateway protocol</term> means a protocol designed to optimize routing of information exchanged through the internet.</text></paragraph> <paragraph id="idf586c933b1864494bb39e4f6b9c91640"><enum>(2)</enum><header>Domain name system</header><text>The term <term>domain name system</term> means a system that stores information associated with domain names in a distributed database on networks.</text></paragraph>
<paragraph id="id54109fd7e3fe4fa5bf2cb2aced857448" commented="no" display-inline="no-display-inline"><enum>(3)</enum><header>Information and communications technology infrastructure providers</header><text>The term <term>information and communications technology infrastructure providers</term> means all systems that enable connectivity and operability of internet service, backbone, cloud, web hosting, content delivery, domain name system, and software-defined networks and other systems and services.</text></paragraph></subsection> <subsection id="id9f0f1fe2d3c84f3f9cb08d38bde75fce"><enum>(b)</enum><header>Creation of a strategy to secure foundational internet protocols</header> <paragraph id="id2172e2eff6c24caa8c552cec050d4a76"><enum>(1)</enum><header>Protocol security strategy</header><text>In order to secure foundational internet protocols, not later than December 31, 2021, the National Telecommunications and Information Administration and the Department of Homeland Security shall submit to Congress a strategy to secure the border gateway protocol and the domain name system.</text></paragraph>
<paragraph id="id9c5db866eded4a03b92214d5adff88a9"><enum>(2)</enum><header>Strategy requirements</header><text>The strategy required under paragraph (1) shall—</text> <subparagraph id="idf1a670f6c2884df589ed32101ec3c9cc"><enum>(A)</enum><text>articulate the security and privacy benefits of implementing security for the border gateway protocol and the domain name system and the burdens of implementation and the entities on whom those burdens will most likely fall;</text></subparagraph>
<subparagraph id="idb67c7f243703412cb5a5be98564a6f4c"><enum>(B)</enum><text>identify key United States and international stakeholders;</text></subparagraph> <subparagraph id="id156d24513c104f0c8b5d304cf4a4a4cf"><enum>(C)</enum><text>outline identified security measures that could be used to secure or provide authentication for the border gateway protocol and the domain name system;</text></subparagraph>
<subparagraph id="id583a243248d74ef281c8f6586252d457"><enum>(D)</enum><text>identify any barriers to implementing security for the border gateway protocol and the domain name system at scale;</text></subparagraph> <subparagraph id="ide09ea279a91e45ea9390505a0052e2a0"><enum>(E)</enum><text>propose a strategy to implement identified security measures at scale, accounting for barriers to implementation and balancing benefits and burdens, where feasible; and</text></subparagraph>
<subparagraph id="id7f3217121f2f437cb61416fa498a6087"><enum>(F)</enum><text>provide an initial estimate of the total cost to the Government and implementing entities in the private sector of implementing security for the border gateway protocol and the domain name system and propose recommendations for defraying these costs, if applicable.</text></subparagraph></paragraph> <paragraph id="id75d2d9a6e1a04a7ba87a69ae40531d75"><enum>(3)</enum><header>Consultation</header><text>In developing the strategy required under paragraph (1) the National Telecommunications and Information Administration and the Department of Homeland Security shall consult with information and communications technology infrastructure providers, civil society organizations, relevant nonprofit organizations, and academic experts.</text></paragraph></subsection></section></title>
<title id="id7e454bad1a3d4d559ad263edf2082866"><enum>IV</enum><header>Systemically Important Critical Infrastructure</header>
<section id="ide5d639ea7ad44d2bb43a575928d7e46f"><enum>401.</enum><header>Definitions</header><text display-inline="no-display-inline">In this title:</text> <paragraph id="id3e973dd5560944718b2cb52fcc29c0cb"><enum>(1)</enum><header>Appropriate congressional committees</header><text>The term <term>appropriate congressional committees</term> means the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives.</text></paragraph>
<paragraph id="idE0C2295C2B134871A0243C815A3D5829"><enum>(2)</enum><header>Critical infrastructure</header><text>The term <term>critical infrastructure</term> has the meaning given that term in section 1016(e) of the Critical Infrastructure Protection Act of 2001 (<external-xref legal-doc="usc" parsable-cite="usc/42/5195c">42 U.S.C. 5195c(e)</external-xref>). </text></paragraph> <paragraph id="idADA747A1805C43499C5C214B958DFA8D"><enum>(3)</enum><header>Department</header><text>The term <term>Department</term> means the Department of Homeland Security.</text></paragraph>
<paragraph id="id6d815983fdaf49919520ac3bb92fe834"><enum>(4)</enum><header>Entity</header><text>The term <term>entity</term> means a non-Federal entity and a private entity, as such terms are defined under section 102 of the Cybersecurity Information Sharing Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1501">6 U.S.C. 1501</external-xref>). </text></paragraph> <paragraph id="id70a2d26d4a5c4ad186ba79782a9d5304"><enum>(5)</enum><header>National critical functions</header><text>The term <term>national critical functions</term> means functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.</text></paragraph>
<paragraph id="idb5dea245e86a48b39be07b3bd2ad9c24"><enum>(6)</enum><header>Secretary</header><text>The term <term>Secretary</term> means the Secretary of Homeland Security.</text></paragraph> <paragraph id="id3d0a261626cd49a59558f495ac0e6657"><enum>(7)</enum><header>Stakeholders</header><text>The term <term>stakeholders</term> means persons or groups whose consultation may aid the Secretary in exercising the authority of the Secretary under this title, including—</text>
<subparagraph id="id3ca096c890ed4146a9cac6fa9c71fc5e"><enum>(A)</enum><text>Sector Coordinating Councils within the Critical Infrastructure Partnership Advisory Council, established under section 871 of the Homeland Security Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/6/451">6 U.S.C. 451</external-xref>);</text></subparagraph> <subparagraph id="id6d2ce9b51cad411098fef40f940a6a04"><enum>(B)</enum><text>the State, Local, Tribal and Territorial Government Coordinating Council, within the Critical Infrastructure Partnership Advisory Council, established under section 871 of the Homeland Security Act of 2002 (6 U.S.C. 451);</text></subparagraph>
<subparagraph id="idfa39af9375d14594ac1c9590d1dc81e3"><enum>(C)</enum><text>the Cybersecurity Advisory Committee established under section 2219 of the Homeland Security Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/6/665e">6 U.S.C. 665e</external-xref>), as so redesignated by section 101 of this Act;</text></subparagraph> <subparagraph id="id826947fc6d514283a03da387b7dac7ba"><enum>(D)</enum><text>the National Security Telecommunications Advisory Committee established pursuant to Executive Order 12382 (47 Fed. Reg. 40531); and</text></subparagraph>
<subparagraph id="id24d144417700401cba87873be4ef057b" commented="no" display-inline="no-display-inline"><enum>(E)</enum><text>the National Infrastructure Advisory Council, established pursuant to Executive Order 13231 (66 Fed. Reg. 53063).</text></subparagraph></paragraph> <paragraph id="iddf55d514ec7d41768a4d21fbbf68895b"><enum>(8)</enum><header>Systemically important critical infrastructure</header><text>The term <term>Systemically Important Critical Infrastructure</term> means an entity that has been designated as such by the Secretary through the process and procedures established under section 402. </text></paragraph></section>
<section id="id47df0d2488b3482c8e7585661450e6a4"><enum>402.</enum><header>Systemically Important Critical Infrastructure</header>
<subsection id="id4AEEFA27892D464DBB21CE7F19852666"><enum>(a)</enum><header>In general</header><text>The Secretary may designate entities as Systemically Important Critical Infrastructure. </text></subsection> <subsection id="idfccb31e3363442fa95bca6a71cff0739"><enum>(b)</enum><header>Establishment of methodology and criteria</header><text>Prior to designating any entities as Systemically Important Critical Infrastructure, the Secretary, in consultation with the National Cyber Director, Sector Risk Management Agencies, and appropriate stakeholders shall develop—</text>
<paragraph id="id5e31abeeb1934dd6a2a833e3d4992636"><enum>(1)</enum><text>a methodology for identifying Systemically Important Critical Infrastructure; and</text></paragraph> <paragraph id="id2f532721052a4f3196de6f648f61c223"><enum>(2)</enum><text>criteria for determining whether an entity qualifies as Systemically Important Critical Infrastructure.</text></paragraph></subsection>
<subsection id="idf03af167fa344ab2a952f96228fc6e16"><enum>(c)</enum><header>Considerations</header><text>In establishing criteria for determining whether an entity qualifies as Systemically Important Critical Infrastructure, the Secretary shall consider—</text> <paragraph id="id893972ab4b594b399f061cd894169596"><enum>(1)</enum><text>the likelihood that disruption to or compromise of such an entity could cause a debilitating effect on national security, economic security, public health or safety, or any combination thereof;</text></paragraph>
<paragraph id="id3a9a9728a87d4d5b9a023e4c925ea326"><enum>(2)</enum><text>the extent to which damage, disruption, or unauthorized access to such an entity either separately or collectively, will disrupt the reliable operation of other critical infrastructure assets, or impede provisioning of one or more national critical functions;</text></paragraph> <paragraph id="idbdd6e6baa4b94313bce3446514939816"><enum>(3)</enum><text>the extent to which national cybersecurity resilience would be enhanced by deeper risk management integration between Systemically Important Critical Infrastructure entities and the Federal Government; and</text></paragraph>
<paragraph id="id6df561b5524a45f2987d5339ca6999b2"><enum>(4)</enum><text>the extent to which compromise or unauthorized access of such an entity could separately or collectively create widespread compromise of the cyber ecosystem, significant portions of critical infrastructure, or multiple critical infrastructure sectors.</text></paragraph></subsection> <subsection id="id85994ee68e3e4df3999f71af0c9fb444"><enum>(d)</enum><header>List</header> <paragraph id="id75b8d4f2f24d49729dfb788dfa3c5693"><enum>(1)</enum><header>In general</header><text>Not later than 1 year after the date of enactment of this Act, the Secretary shall complete an initial list of entities designated as Systemically Important Critical Infrastructure.</text></paragraph>
<paragraph id="id42B1B64196C149FE872F3F103B9CD2B5"><enum>(2)</enum><header>Maintenance of list</header><text>The Secretary shall maintain a comprehensive list of entities designated as Systemically Important Critical Infrastructure, which shall be updated within 7 days of a change in whether an entity qualifies as Systemically Important Critical Infrastructure.</text></paragraph></subsection> <subsection id="id89c9e806764e465d8cc0392b23872fd8"><enum>(e)</enum><header>Entity notifications</header><text>Not later than 90 days after designating an entity as Systemically Important Critical Infrastructure or removing the designation of an entity as Systemically Important Critical Infrastructure, the Secretary shall notify the entity.</text></subsection>
<subsection id="idc167a9d6a5bc4fe3be23fb2821e45674"><enum>(f)</enum><header>Congressional notifications</header><text>The Secretary shall—</text> <paragraph id="id2e62526997b340da8c6faa1c444c95d7"><enum>(1)</enum><text>not later than 30 days after the date of any addition, modification, or removal of an entity from the list of Systemically Important Critical Infrastructure maintained under subsection (d), notify the appropriate Congressional committees; and</text></paragraph>
<paragraph id="id3b34802c7fd243a4aba0537dcef1850c"><enum>(2)</enum><text>at least every 2 years, submit to the appropriate Congressional committees an updated comprehensive list of entities designated as Systemically Important Critical Infrastructure, in conjunction with each plan required pursuant to section 403.</text></paragraph></subsection></section> <section id="id3596ff7be72d42f1bd8d250570a13053"><enum>403.</enum><header>Plan for enhancement of Systemically Important Critical Infrastructure methodology and capability</header> <subsection id="id1b7f4271f371485dba096b8930864093"><enum>(a)</enum><header>In general</header><text>Not later than 180 days after the date of enactment of this Act, and every 2 years thereafter for 10 years, the Secretary, in consultation with Sector Risk Management Agencies and appropriate stakeholders, shall develop and submit to the appropriate congressional committees a plan for enhancing the methodology of the Department for identifying Systemically Important Critical Infrastructure, including a discussion of the progress of the Department as of the date of submission of the plan in implementing the plan.</text></subsection>
<subsection id="id259ace36b8844d79a90dfc3bdde703dc"><enum>(b)</enum><header>Contents of plan</header>
<paragraph id="idD648D5DDF0964CC0B0A30A04520297BE"><enum>(1)</enum><header>In general</header><text>The plan required under subsection (a) shall include—</text> <subparagraph id="idf637793a8a28485c9754fd0283688c48"><enum>(A)</enum><text>the methodology and criteria used for identifying and determining entities that qualify as Systemically Important Critical Infrastructure as described in section 402(b) and the analysis used to establish such methodology and criteria;</text></subparagraph>
<subparagraph id="id560cb05a7c2c4753b7cd41d2527b9adf"><enum>(B)</enum><text>a proposed timeline for enhancing the capabilities of the Department to expand the list beyond the designated entities to also include facilities, systems, assets, or other relevant units of critical infrastructure that may further enhance the ability to manage risk of Systemically Important Critical Infrastructure;</text></subparagraph> <subparagraph id="idf665f178077d4a8c850ee4db42ec199a"><enum>(C)</enum><text>information regarding the outreach by the Department to stakeholders and other Sector Risk Management Agencies on such efforts, including mechanisms for incorporation of industry feedback;</text></subparagraph>
<subparagraph id="id53c127492b964b44a1130a9675b9f775"><enum>(D)</enum><text>information regarding the efforts of the Department, and the associated challenges with such efforts, to access information from stakeholders and other Sector Risk Management Agencies to identify Systemically Important Critical Infrastructure;</text></subparagraph> <subparagraph id="id0b37edfc31f7472e82a78446bcbd2c65"><enum>(E)</enum><text>information regarding other critical infrastructure entity identification programs within the Department and how they are being incorporated into the overarching process to identify Systemically Important Critical Infrastructure, which shall include the efforts of the Department under section 9 of Executive Order 13636 (78 Fed. Reg. 11739), the National Infrastructure Prioritization Program, and section 4 of Executive Order 14028 (86 Fed. Reg. 26633);</text></subparagraph>
<subparagraph id="idde4e4fc73d5c484ea66474aebeda304c"><enum>(F)</enum><text>any identified gaps in authorities or resources required to successfully carry out the process of identifying Systemically Important Critical Infrastructure, including facilities, systems, assets, or other relevant units of critical infrastructure, as well as legislative proposals to address such gaps;</text></subparagraph> <subparagraph id="idf3d236da3f574494a285e5e958c85714"><enum>(G)</enum><text>an assessment of potential benefits for entities designated as Systemically Important Critical Infrastructure, which shall include an assessment of—</text>
<clause id="id827bf2d7cafa4283a8acf8484b519e8a"><enum>(i)</enum><text>enhanced intelligence support and information sharing;</text></clause> <clause id="idda681606fe7b4716bfb7d56fd49e2432"><enum>(ii)</enum><text>prioritized Federal technical assistance;</text></clause>
<clause id="iddae87e6f4b264aaaa76f4997be601641"><enum>(iii)</enum><text>liability protection for entities designated as Systemically Important Critical Infrastructure that conform to identified security standards for damages or harm directly or indirectly caused by a cyber incident;</text></clause> <clause id="id8b2746f943fd49ec98eae24243956bd4"><enum>(iv)</enum><text>prioritized emergency planning;</text></clause>
<clause id="idce821fc59df04885b3f28f94588a5545"><enum>(v)</enum><text>benefits described in the final report of the U.S. Cyberspace Solarium Commission, dated March 2020; and</text></clause> <clause id="id386a2fe29e52440f9f29fa6dbe00da5f"><enum>(vi)</enum><text>additional authorizations or resources necessary to implement the benefits assessed under this subparagraph; and</text></clause></subparagraph>
<subparagraph id="id2ffaa667aaf94734bba1f0f6e77b5227"><enum>(H)</enum><text>an assessment of potential mechanisms to improve the security of entities designated as Systemically Important Critical Infrastructure, which shall include an assessment of—</text> <clause id="id8e8c34246544415087e25ec20f21f46d"><enum>(i)</enum><text>risk-based cybersecurity performance standards for all Systemically Important Critical Infrastructure entities, incorporating, to the greatest extent possible, existing industry best practices, standards, and guidelines;</text></clause>
<clause id="idc758df9790054c5db1123d7a2a0465c8"><enum>(ii)</enum><text>sector-specific performance standards;</text></clause> <clause id="id6d37702deed349789f478a3d050ea1a2"><enum>(iii)</enum><text>additional regulations to enhance the security of Systemically Important Critical Infrastructure against cyber risks, including how to prevent duplicative requirements for already regulated sectors;</text></clause>
<clause id="id483948a2c59d4a11a2ec317d6d0124d2"><enum>(iv)</enum><text>cyber incident reporting requirements for entities designated as Systemically Important Critical Infrastructure; and</text></clause> <clause id="id157bb81eba664b5eb7956936ba761d80"><enum>(v)</enum><text>additional authorizations or resources necessary to implement the mechanisms to improve the security of Systemically Important Critical Infrastructure assessed under this subparagraph.</text></clause></subparagraph></paragraph>
<paragraph id="id458f3719edec44a484cc4de53818cae4"><enum>(2)</enum><header>Initial plan</header><text>The initial plan submitted under this section shall include a detailed description of the capabilities of the Department with respect to identifying Systemically Important Critical Infrastructure as they were on the date of enactment of this Act. </text></paragraph></subsection> <subsection id="id43e7c14f97b147b0a2647ce086e2b2b9"><enum>(c)</enum><header>Classified annex</header><text>The plan shall be in unclassified form, but may include a classified annex, as the Secretary determines necessary.</text></subsection>
<subsection id="id9c3f1269ec71461480ee2311e10f1f50"><enum>(d)</enum><header>Publication</header><text>Not later than 30 days after the date on which the Secretary submits a plan to Congress, the Secretary shall make the plan available to relevant stakeholders.</text></subsection> <subsection id="id687902c601bd4398931e49aea94c8645"><enum>(e)</enum><header>Restriction</header><text>Subchapter I of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, shall not apply to any action to implement this section or to any exercise of the authority of the Secretary pursuant to this section.</text></subsection></section></title>
<title id="id68a42560ea0f4af49018ca2d0ed18273"><enum>V</enum><header>Enabling the National Cyber Director</header>
<section id="id426a93a51d9c463bacfba6bdc165e3f9"><enum>501.</enum><header>Establishment of hiring authorities for the Office of the National Cyber Director</header><text display-inline="no-display-inline">Section 1752 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (<external-xref legal-doc="public-law" parsable-cite="pl/116/283">Public Law 116–283</external-xref>) is amended—</text> <paragraph id="id21BA935B35744FD0AA04089E057C2D23"><enum>(1)</enum><text>in subsection (e)—</text>
<subparagraph id="id84b8bc194e7e4e5d9375747be308fc46"><enum>(A)</enum><text>in paragraph (1), by inserting <quote>and in accordance with paragraphs (3) through (7) of this subsection,</quote> after <quote>and classification laws,</quote>;</text></subparagraph> <subparagraph id="id423835bcfd8a45eabd94e16b4afcce79"><enum>(B)</enum><text>in paragraph (2), by inserting <quote>notwithstanding paragraphs (3) through (7) of this subsection,</quote> before <quote>employ experts</quote>;</text></subparagraph>
<subparagraph id="id8e57be8731264c8da0ca465044f9d3fe"><enum>(C)</enum><text>by redesignating paragraphs (3) through (8) as paragraphs (8) through (13), respectively; and</text></subparagraph> <subparagraph id="idb48d105bb8774c7aa8170967e3bbb339"><enum>(D)</enum><text>by inserting after paragraph (2) the following:</text>
<quoted-block style="OLC" display-inline="no-display-inline" id="idad686eaf5c104d339e233593ef903c8a">
<paragraph id="id90dc8cdad82049daa549a83df3768cd7"><enum>(3)</enum><text>establish, as positions in the excepted service, such qualified positions in the Office as the Director determines necessary to carry out the responsibilities of the Office, appoint an individual to a qualified position (after taking into consideration the availability of preference eligibles for appointment to the position), and, subject to the requirements of paragraphs (4) and (5), fix the compensation of an individual for service in a qualified position;</text></paragraph> <paragraph id="ide0318d250c034d668ea31f630b1664f6"><enum>(4)</enum><text>fix the rates of basic pay for any qualified position established under paragraph (3) in relation to the rates of pay provided for employees in comparable positions in the Office, in which the employee occupying the comparable position performs, manages, or supervises functions that execute the mission of the Office, and, subject to the same limitations on maximum rates of pay and consistent with section 5341 of title 5, United States Code, adopt such provisions of that title to provide for prevailing rate systems of basic pay and apply those provisions to qualified positions for employees in or under which the Office may employ individuals described by section 5342(a)(2)(A) of such title;</text></paragraph>
<paragraph id="id5274671cbc674cbcadada5d80c7fb5d6"><enum>(5)</enum><text>employ an officer or employee of the United States or member of the Armed Forces detailed to the staff of the Office on a non-reimbursable basis— </text> <subparagraph id="idEA5DCA16E34F4164A27EDDFF87A96529"><enum>(A)</enum><text>as jointly agreed to by the heads of the receiving and detailing elements, for a period not to exceed 3 years; </text></subparagraph>
<subparagraph id="id64E4FE8AC0FB4FB3B25EB1557EA716CE"><enum>(B)</enum><text>which shall not be construed to limit any other source of authority for reimbursable or non-reimbursable details; and</text></subparagraph> <subparagraph id="id9C46FF11464C47B49BAE362FA05015B0"><enum>(C)</enum><text>which shall not be considered an augmentation of the appropriations of the receiving element of the Office;</text></subparagraph></paragraph>
<paragraph id="idf505eb0e2ed64543bb1b8b1a2a3add98"><enum>(6)</enum><text>provide— </text> <subparagraph id="id5D893BEFBD334E1D89436DCED7A871D0"><enum>(A)</enum><text>employees in qualified positions compensation (in addition to basic pay), including benefits, incentives, and allowances, consistent with, and not in excess of the level authorized for, comparable positions authorized by title 5, United States Code; and </text></subparagraph>
<subparagraph id="id7959016D07FA4D6DAD08161DC81F083F"><enum>(B)</enum><text>employees in a qualified position whose rate of basic pay is fixed under paragraph (4) an allowance under section 5941 of title 5, United States Code, on the same basis and to the same extent as if the employee was an employee covered by such section, including eligibility conditions, allowance rates, and all other terms and conditions in law or regulation;</text></subparagraph></paragraph> <paragraph id="id612f1a56653d4d888989a76e069a8147"><enum>(7)</enum><text>establish a fellowship program to facilitate a talent exchange program between the private sector and the Office to arrange, with the agreement of a private sector organization and the consent of the employee, for the temporary assignment of an employee to the private sector organization, or from the private sector organization to the Office;</text></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></subparagraph></paragraph>
<paragraph id="id9e33363c3a2f4a2d86c9695f4e1cfe2e"><enum>(2)</enum><text>in subsection (g)— </text> <subparagraph id="id848924C1BCA841E8A4C6DF37CE0DC1DB"><enum>(A)</enum><text>by redesignating paragraphs (3) through (6) as paragraphs (4) through (7), respectively;</text></subparagraph>
<subparagraph id="idF1A71C6B41D0405E97A60D5CB262FBFE"><enum>(B)</enum><text>by inserting after paragraph (2) the following:</text> <quoted-block style="OLC" display-inline="no-display-inline" id="id44B2334A3A614558A4BBBF0A14463688"> <paragraph id="id4d2b1cf68fba44678e254ce3cdf980a2"><enum>(3)</enum><text>The term <term>excepted service</term> has the meaning given that term in section 2103 of title 5, United States Code.</text></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></subparagraph></paragraph>
<paragraph id="id15584CD08EDE4FEB8B6473AADF136ACF"><enum>(3)</enum><text>by adding at the end the following:</text> <quoted-block style="OLC" display-inline="no-display-inline" id="idb522bd9ec5dd448daf68061fb13705f0"> <paragraph id="idd42e2f5f07ab4ed29a282be51fb9adc9"><enum>(8)</enum><text>The term <term>preference eligible</term> has the meaning given that term in section 2108(3) of title 5, United States Code.</text></paragraph>
<paragraph id="id1195e3af347748cebcfb286d5f4adcf8"><enum>(9)</enum><text>The term <term>qualified position</term> means a position, designated by the Director for the purpose of this section, in which the individual occupying such position performs, manages, or supervises functions that execute the responsibilities of the Office.</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></section></title> </legis-body> </bill> 