[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2491 Reported in Senate (RS)]

<DOC>

                                                       Calendar No. 670
117th CONGRESS
  2d Session
                                S. 2491

                          [Report No. 117-271]

 To amend the Homeland Security Act of 2002 to establish the National 
Cyber Resilience Assistance Fund, to improve the ability of the Federal 
    Government to assist in enhancing critical infrastructure cyber 
  resilience, to improve security in the national cyber ecosystem, to 
 address Systemically Important Critical Infrastructure, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 27, 2021

 Mr. King (for himself, Mr. Rounds, Mr. Sasse, Ms. Rosen, Ms. Hassan, 
and Mr. Ossoff) introduced the following bill; which was read twice and 
referred to the Committee on Homeland Security and Governmental Affairs

                           December 19, 2022

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL

 To amend the Homeland Security Act of 2002 to establish the National 
Cyber Resilience Assistance Fund, to improve the ability of the Federal 
    Government to assist in enhancing critical infrastructure cyber 
  resilience, to improve security in the national cyber ecosystem, to 
 address Systemically Important Critical Infrastructure, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE; TABLE OF CONTENTS.</DELETED>

<DELETED>    (a) Short Title.--This Act may be cited as the ``Defense 
of United States Infrastructure Act of 2021''.</DELETED>
<DELETED>    (b) Table of Contents.--The table of contents for this Act 
is as follows:</DELETED>

<DELETED>Sec. 1. Short title; table of contents.
      <DELETED>TITLE I--INVESTING IN CYBER RESILIENCY IN CRITICAL 
                             INFRASTRUCTURE

<DELETED>Sec. 101. Establishment of the National Cyber Resilience 
                            Assistance Fund.
 <DELETED>TITLE II--IMPROVING THE ABILITY OF THE FEDERAL GOVERNMENT TO 
      ASSIST IN ENHANCING CRITICAL INFRASTRUCTURE CYBER RESILIENCE

<DELETED>Sec. 201. Institute a 5-year term for the cybersecurity and 
                            infrastructure security director.
<DELETED>Sec. 202. Create a joint collaborative environment.
<DELETED>Sec. 203. Designate three critical technology security 
                            centers.
 <DELETED>TITLE III--IMPROVING SECURITY IN THE NATIONAL CYBER ECOSYSTEM

<DELETED>Sec. 301. Establish a National Cybersecurity Certification and 
                            Labeling Authority.
<DELETED>Sec. 302. Establish the Bureau of Cybersecurity Statistics.
<DELETED>Sec. 303. Secure foundational internet protocols.
   <DELETED>TITLE IV--SYSTEMICALLY IMPORTANT CRITICAL INFRASTRUCTURE

<DELETED>Sec. 401. Definitions.
<DELETED>Sec. 402. Systemically Important Critical Infrastructure.
<DELETED>Sec. 403. Plan for enhancement of Systemically Important 
                            Critical Infrastructure methodology and 
                            capability.
         <DELETED>TITLE V--ENABLING THE NATIONAL CYBER DIRECTOR

<DELETED>Sec. 501. Establishment of hiring authorities for the Office 
                            of the National Cyber Director.

      <DELETED>TITLE I--INVESTING IN CYBER RESILIENCY IN CRITICAL 
                        INFRASTRUCTURE</DELETED>

<DELETED>SEC. 101. ESTABLISHMENT OF THE NATIONAL CYBER RESILIENCE 
              ASSISTANCE FUND.</DELETED>

<DELETED>    (a) Sense of Congress.--It is the sense of Congress that--
</DELETED>
        <DELETED>    (1) the United States now operates in a cyber 
        landscape that requires a level of data security, resilience, 
        and trustworthiness that neither the United States Government 
        nor the private sector alone is currently equipped to 
        provide;</DELETED>
        <DELETED>    (2) the United States must deny benefits to 
        adversaries who have long exploited cyberspace to their 
        advantage, to the disadvantage of the United States, and at 
        little cost to themselves;</DELETED>
        <DELETED>    (3) this new approach requires securing critical 
        networks in collaboration with the private sector to promote 
        national resilience and increase the security of the cyber 
        ecosystem;</DELETED>
        <DELETED>    (4) reducing the vulnerabilities adversaries can 
        target denies them opportunities to attack the interests of the 
        United States through cyberspace;</DELETED>
        <DELETED>    (5) the public and private sectors struggle to 
        coordinate cyber defenses, leaving gaps that decrease national 
        resilience and create systemic risk;</DELETED>
        <DELETED>    (6) new technology continues to emerge that 
        further compounds these challenges;</DELETED>
        <DELETED>    (7) while the Homeland Security Grant Program and 
        resourcing for national preparedness under the Federal 
        Emergency Management Agency are well-established, the United 
        States Government has no equivalent for cybersecurity 
        preparation or prevention;</DELETED>
        <DELETED>    (8) the lack of a consistent, resourced fund for 
        investing in resilience in key areas inhibits the United States 
        Government from conveying its understanding of risk into 
        strategy, planning, and action in furtherance of core 
        objectives for the security and resilience of critical 
        infrastructure;</DELETED>
        <DELETED>    (9) Congress has worked diligently to establish 
        the Cybersecurity and Infrastructure Security Agency, creating 
        a new agency that can leverage broad authorities to receive and 
        share information, provide technical assistance to operators, 
        and partner with stakeholders across the executive branch, 
        State and local communities, and the private sector;</DELETED>
        <DELETED>    (10) the Cybersecurity and Infrastructure Security 
        Agency requires strengthening in its mission to ensure the 
        national resilience of critical infrastructure, promote a more 
        secure cyber ecosystem, and serve as the central coordinating 
        element to support and integrate Federal, State, local, and 
        private-sector cybersecurity efforts; and</DELETED>
        <DELETED>    (11) the Cybersecurity and Infrastructure Security 
        Agency requires further resource investment and clear 
        authorities to realize its full potential.</DELETED>
<DELETED>    (b) Amendments.--Subtitle A of title XXII of the Homeland 
Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--</DELETED>
        <DELETED>    (1) in section 2202(c) (6 U.S.C. 652(c))--
        </DELETED>
                <DELETED>    (A) in paragraph (11), by striking ``and'' 
                at the end;</DELETED>
                <DELETED>    (B) in the first paragraph designated as 
                paragraph (12), relating to the Cybersecurity State 
                Coordinator--</DELETED>
                        <DELETED>    (i) by striking ``section 2215'' 
                        and inserting ``section 2217''; and</DELETED>
                        <DELETED>    (ii) by striking ``and'' at the 
                        end; and</DELETED>
                <DELETED>    (C) by redesignating the second and third 
                paragraphs designated as paragraph (12) as paragraphs 
                (13) and (14), respectively;</DELETED>
        <DELETED>    (2) by redesignating section 2217 (6 U.S.C. 665f) 
        as section 2220;</DELETED>
        <DELETED>    (3) by redesignating section 2216 (6 U.S.C. 665e) 
        as section 2219;</DELETED>
        <DELETED>    (4) by redesignating the fourth section 2215 
        (relating to Sector Risk Management Agencies) (6 U.S.C. 665d) 
        as section 2218;</DELETED>
        <DELETED>    (5) by redesignating the third section 2215 
        (relating to the Cybersecurity State Coordinator) (6 U.S.C. 
        665c) as section 2217;</DELETED>
        <DELETED>    (6) by redesignating the second section 2215 
        (relating to the Joint Cyber Planning Office) (6 U.S.C. 665b) 
        as section 2216; and</DELETED>
        <DELETED>    (7) by adding at the end the following:</DELETED>

<DELETED>``SEC. 2220A. NATIONAL CYBER RESILIENCE ASSISTANCE 
              FUND.</DELETED>

<DELETED>    ``(a) Definitions.--In this section:</DELETED>
        <DELETED>    ``(1) Cybersecurity risk.--The term `cybersecurity 
        risk' has the meaning given that term in section 
        2209.</DELETED>
        <DELETED>    ``(2) Eligible entity.--The term `eligible entity' 
        means an entity that meets the guidelines and requirements for 
        eligible entities established by the Secretary under subsection 
        (d)(4).</DELETED>
        <DELETED>    ``(3) Fund.--The term `Fund' means the National 
        Cyber Resilience Assistance Fund established under subsection 
        (c).</DELETED>
        <DELETED>    ``(4) National critical functions.--The term 
        `national critical functions' means the functions of government 
        and the private sector so vital to the United States that their 
        disruption, corruption, or dysfunction would have a 
        debilitating effect on security, national economic security, 
        national public health or safety, or any combination 
        thereof.</DELETED>
<DELETED>    ``(b) Creation of a Critical Infrastructure Resilience 
Strategy and a National Risk Management Cycle.--</DELETED>
        <DELETED>    ``(1) Initial risk identification and 
        assessment.--</DELETED>
                <DELETED>    ``(A) In general.--The Secretary, acting 
                through the Director, shall establish a process by 
                which to identify, assess, and prioritize risks to 
                critical infrastructure, considering both cyber and 
                physical threats, vulnerabilities, and 
                consequences.</DELETED>
                <DELETED>    ``(B) Consultation.--In establishing the 
                process required under subparagraph (A), the Secretary 
                shall consult with Sector Risk Management Agencies, 
                critical infrastructure owners and operators, and the 
                National Cyber Director.</DELETED>
                <DELETED>    ``(C) Publication.--Not later than 180 
                days after the date of enactment of this section, the 
                Secretary shall publish in the Federal Register 
                procedures for the process established under 
                subparagraph (A).</DELETED>
                <DELETED>    ``(D) Report.--Not later than 1 year after 
                the date of enactment of this section, the Secretary 
                shall submit to the President, the Committee on 
                Homeland Security and Governmental Affairs of the 
                Senate, and the Committee on Homeland Security of the 
                House of Representatives a report on the risks 
                identified by the process established under 
                subparagraph (A).</DELETED>
        <DELETED>    ``(2) Initial national critical infrastructure 
        resilience strategy.--</DELETED>
                <DELETED>    ``(A) In general.--Not later than 1 year 
                after the date on which the Secretary delivers the 
                report required under paragraph (1)(D), the President 
                shall deliver to majority and minority leaders of the 
                Senate, the Speaker and minority leader of the House of 
                Representatives, the Committee on Homeland Security and 
                Governmental Affairs of the Senate, and the Committee 
                on Homeland Security of the House of Representatives a 
                national critical infrastructure resilience strategy 
                designed to address the risks identified by the 
                Secretary.</DELETED>
                <DELETED>    ``(B) Elements.--In the strategy delivered 
                under subparagraph (A), the President shall--</DELETED>
                        <DELETED>    ``(i) identify, assess, and 
                        prioritize areas of risk to critical 
                        infrastructure that would compromise, disrupt, 
                        or impede the ability of the critical 
                        infrastructure to support the national critical 
                        functions of national security, economic 
                        security, or public health and 
                        safety;</DELETED>
                        <DELETED>    ``(ii) identify and outline 
                        current and proposed national-level actions, 
                        programs, and efforts to be taken to address 
                        the risks identified;</DELETED>
                        <DELETED>    ``(iii) identify the Federal 
                        departments or agencies responsible for leading 
                        each national-level action, program, or effort 
                        and the relevant critical infrastructure 
                        sectors for each;</DELETED>
                        <DELETED>    ``(iv) outline the budget plan 
                        required to provide sufficient resources to 
                        successfully execute the full range of 
                        activities proposed or described by the 
                        strategy; and</DELETED>
                        <DELETED>    ``(v) request any additional 
                        authorities or resources necessary to 
                        successfully execute the strategy.</DELETED>
                <DELETED>    ``(C) Form.--The strategy delivered under 
                subparagraph (A) shall be unclassified, but may contain 
                a classified annex.</DELETED>
        <DELETED>    ``(3) Congressional briefing.--Not later than 1 
        year after the date on which the President delivers the 
        strategy under subparagraph (A), and every year thereafter, the 
        Secretary, in coordination with Sector Risk Management 
        Agencies, shall brief the appropriate congressional committees 
        on the national risk management cycle activities undertaken 
        pursuant to the strategy.</DELETED>
        <DELETED>    ``(4) Five year risk management cycle.--</DELETED>
                <DELETED>    ``(A) Risk identification and 
                assessment.--Under procedures established by the 
                Secretary, the Secretary shall repeat the conducting 
                and reporting of the risk identification and assessment 
                required under paragraph (1), in accordance with the 
                requirements in paragraph (1), every 5 years.</DELETED>
                <DELETED>    ``(B) Strategy.--Under procedures 
                established by the President, the President shall 
                repeat the preparation and delivery of the critical 
                infrastructure resilience strategy required under 
                paragraph (2), in accordance with the requirements in 
                paragraph (2), every 5 years, which shall also include 
                assessing the implementation of the previous national 
                critical infrastructure resilience strategy.</DELETED>
<DELETED>    ``(c) Establishment of the National Cyber Resilience 
Assistance Fund.--There is established in the Treasury of the United 
States a fund, to be known as the `National Cyber Resilience Assistance 
Fund', which shall be available for the cost of risk-based grant 
programs focused on systematically increasing the resilience of public 
and private critical infrastructure against cybersecurity risk, thereby 
increasing the overall resilience of the United States.</DELETED>
<DELETED>    ``(d) Administration of Grants From the National Cyber 
Resilience Assistance Fund.--</DELETED>
        <DELETED>    ``(1) In general.--In accordance with this 
        section, the Secretary, acting through the Administrator of the 
        Federal Emergency Management Agency and the Director, shall 
        develop and administer processes to--</DELETED>
                <DELETED>    ``(A) establish focused grant programs to 
                address identified areas of cybersecurity risk to, and 
                bolster the resilience of, critical 
                infrastructure;</DELETED>
                <DELETED>    ``(B) accept and evaluate applications for 
                each such grant program;</DELETED>
                <DELETED>    ``(C) award grants under each such grant 
                program; and</DELETED>
                <DELETED>    ``(D) disburse amounts from the 
                Fund.</DELETED>
        <DELETED>    ``(2) Establishment of risk-focused grant 
        programs.--</DELETED>
                <DELETED>    ``(A) Establishment.--</DELETED>
                        <DELETED>    ``(i) In general.--The Secretary, 
                        acting through the Director and the 
                        Administrator of the Federal Emergency 
                        Management Agency, may establish not less than 
                        1 grant program focused on mitigating an 
                        identified category of cybersecurity risk 
                        identified under the national risk management 
                        cycle and critical infrastructure resilience 
                        strategy under subsection (b) in order to 
                        bolster the resilience of critical 
                        infrastructure within the United 
                        States.</DELETED>
                        <DELETED>    ``(ii) Selection of focus area.--
                        Before selecting a focus area for a grant 
                        program pursuant to this subparagraph, the 
                        Director shall ensure--</DELETED>
                                <DELETED>    ``(I) there is a clearly 
                                defined cybersecurity risk identified 
                                through the national risk management 
                                cycle and critical infrastructure 
                                resilience strategy under subsection 
                                (b) to be mitigated;</DELETED>
                                <DELETED>    ``(II) market forces do 
                                not provide sufficient private-sector 
                                incentives to mitigate the risk without 
                                Government investment; and</DELETED>
                                <DELETED>    ``(III) there is clear 
                                Federal need, role, and responsibility 
                                to mitigate the risk in order to 
                                bolster the resilience of critical 
                                infrastructure.</DELETED>
                <DELETED>    ``(B) Funding.--</DELETED>
                        <DELETED>    ``(i) Recommendation.--Beginning 
                        in the first fiscal year following the 
                        establishment of the Fund and each fiscal year 
                        thereafter, the Director shall--</DELETED>
                                <DELETED>    ``(I) assess the funds 
                                available in the Fund for the fiscal 
                                year; and</DELETED>
                                <DELETED>    ``(II) recommend to the 
                                Secretary the total amount to be made 
                                available from the Fund under each 
                                grant program established under this 
                                subsection.</DELETED>
                        <DELETED>    ``(ii) Allocation.--After 
                        considering the recommendations made by the 
                        Director under clause (i) for a fiscal year, 
                        the Director shall allocate amounts from the 
                        Fund to each active grant program established 
                        under this subsection for the fiscal 
                        year.</DELETED>
        <DELETED>    ``(3) Use of funds.--Amounts in the Fund shall be 
        used to mitigate risks identified through the national risk 
        management cycle and critical infrastructure resilience 
        strategy under subsection (b).</DELETED>
        <DELETED>    ``(4) Eligible entities.--</DELETED>
                <DELETED>    ``(A) Guidelines and requirements.--
                </DELETED>
                        <DELETED>    ``(i) In general.--In accordance 
                        with clause (ii), the Secretary shall submit to 
                        the Committee on Homeland Security and 
                        Governmental Affairs and the Committee on 
                        Appropriations of the Senate and the Committee 
                        on Homeland Security and the Committee on 
                        Appropriations of the House of Representatives 
                        a set of guidelines and requirements for 
                        determining the entities that are eligible 
                        entities.</DELETED>
                        <DELETED>    ``(ii) Deadlines.--The Secretary 
                        shall submit the guidelines and requirements 
                        under clause (i)--</DELETED>
                                <DELETED>    ``(I) not later than 180 
                                days after the date of enactment of 
                                this section, and every 2 years 
                                thereafter; and</DELETED>
                                <DELETED>    ``(II) not later than 30 
                                days before the date on which the 
                                Secretary implements the guidelines and 
                                requirements.</DELETED>
                <DELETED>    ``(B) Considerations.--In developing 
                guidelines and requirements for eligible entities under 
                subparagraph (A), the Secretary shall consider--
                </DELETED>
                        <DELETED>    ``(i) number of 
                        employees;</DELETED>
                        <DELETED>    ``(ii) annual revenue;</DELETED>
                        <DELETED>    ``(iii) existing entity 
                        cybersecurity spending;</DELETED>
                        <DELETED>    ``(iv) current cyber risk 
                        assessments, including credible threats, 
                        vulnerabilities, and consequences; 
                        and</DELETED>
                        <DELETED>    ``(v) entity capacity to invest in 
                        mitigating cybersecurity risk absent assistance 
                        from the Federal Government.</DELETED>
        <DELETED>    ``(5) Limitation.--For any fiscal year, an 
        eligible entity may not receive more than 1 grant from each 
        grant program established under this subsection.</DELETED>
        <DELETED>    ``(6) Grant processes.--The Secretary, acting 
        through the Administrator of the Federal Emergency Management 
        Agency, shall require the submission of such information as the 
        Secretary determines is necessary to--</DELETED>
                <DELETED>    ``(A) evaluate a grant application against 
                the criteria established under this section;</DELETED>
                <DELETED>    ``(B) disburse grant funds;</DELETED>
                <DELETED>    ``(C) provide oversight of disbursed grant 
                funds; and</DELETED>
                <DELETED>    ``(D) evaluate the effectiveness of the 
                funded project in increasing the overall resilience of 
                the United States with respect to cybersecurity 
                risks.</DELETED>
        <DELETED>    ``(7) Grant criteria.--For each grant program 
        established under this subsection, the Director, in 
        coordination with the Administrator of the Federal Emergency 
        Management Agency, shall develop and publish criteria for 
        evaluating applications for funding, which shall include--
        </DELETED>
                <DELETED>    ``(A) whether the application identifies a 
                clearly defined cybersecurity risk;</DELETED>
                <DELETED>    ``(B) whether the cybersecurity risk 
                identified in the grant application poses a substantial 
                threat to critical infrastructure;</DELETED>
                <DELETED>    ``(C) whether the application identifies a 
                program or project clearly designed to mitigate a 
                cybersecurity risk;</DELETED>
                <DELETED>    ``(D) the potential consequences of 
                leaving the identified cybersecurity risk unmitigated, 
                including the potential impact to the critical 
                functions and overall resilience of the nation; 
                and</DELETED>
                <DELETED>    ``(E) other appropriate factors identified 
                by the Director.</DELETED>
        <DELETED>    ``(8) Evaluation of grants applications.--
        </DELETED>
                <DELETED>    ``(A) In general.--Utilizing the criteria 
                established under paragraph (7), the Director, in 
                coordination with the Administrator of the Federal 
                Emergency Management Agency, shall evaluate grant 
                applications made under each grant program established 
                under this subsection.</DELETED>
                <DELETED>    ``(B) Recommendation.--Following the 
                evaluations required under subparagraph (A), the 
                Director shall recommend to the Secretary applications 
                for approval, including the amount of funding 
                recommended for each such approval.</DELETED>
        <DELETED>    ``(9) Award of grant funding.--The Secretary 
        shall--</DELETED>
                <DELETED>    ``(A) review the recommendations of the 
                Director prepared pursuant to paragraph (8); 
                and</DELETED>
                <DELETED>    ``(B) provide a final determination of 
                grant awards to the Administrator of the Federal 
                Emergency Management Agency to be disbursed and 
                administered under the process established under 
                paragraph (6).</DELETED>
<DELETED>    ``(e) Evaluation of Grant Programs Utilizing the National 
Cyber Resilience Assistance Fund.--</DELETED>
        <DELETED>    ``(1) Evaluation.--The Secretary shall establish a 
        process to evaluate the effectiveness and efficiency of grants 
        distributed under this section and develop appropriate updates, 
        as needed, to the grant programs.</DELETED>
        <DELETED>    ``(2) Annual report.--Not later than 180 days 
        after the conclusion of the first fiscal year in which grants 
        are awarded under this section, and every fiscal year 
        thereafter, the Secretary shall submit to the Committee on 
        Homeland Security and Governmental Affairs and the Committee on 
        Appropriations of the Senate and the Committee on Homeland 
        Security and the Committee on Appropriations of the House of 
        Representatives a report detailing the grants awarded from the 
        Fund, the status of projects undertaken with the grant funds, 
        any planned changes to the disbursement methodology of the 
        Fund, measurements of success, and total outlays from the 
        Fund.</DELETED>
        <DELETED>    ``(3) Grant program review.--</DELETED>
                <DELETED>    ``(A) Annual assessment.--Before the start 
                of the second fiscal year in which grants are awarded 
                under this section, and every fiscal year thereafter, 
                the Director shall assess the grant programs 
                established under this section and determine--
                </DELETED>
                        <DELETED>    ``(i) for the coming fiscal year--
                        </DELETED>
                                <DELETED>    ``(I) whether new grant 
                                programs with additional focus areas 
                                should be created;</DELETED>
                                <DELETED>    ``(II) whether any 
                                existing grant program should be 
                                discontinued; and</DELETED>
                                <DELETED>    ``(III) whether the scope 
                                of any existing grant program should be 
                                modified; and</DELETED>
                        <DELETED>    ``(ii) the success of the grant 
                        programs in the prior fiscal year.</DELETED>
                <DELETED>    ``(B) Submission to congress.--Not later 
                than 90 days before the start of the second fiscal year 
                in which grants are awarded under this section, and 
                every fiscal year thereafter, the Secretary shall 
                submit to the Committee on Homeland Security and 
                Governmental Affairs and the Committee on 
                Appropriations of the Senate and the Committee on 
                Homeland Security and the Committee on Appropriations 
                of the House of Representatives the assessment 
                conducted pursuant to subparagraph (A) and any planned 
                alterations to the grant program for the coming fiscal 
                year.</DELETED>
<DELETED>    ``(f) Limitation on Use of Grant Funds.--Funds awarded 
pursuant to this section--</DELETED>
        <DELETED>    ``(1) shall supplement and not supplant State or 
        local funds or, as applicable, funds supplied by the Bureau of 
        Indian Affairs; and</DELETED>
        <DELETED>    ``(2) may not be used--</DELETED>
                <DELETED>    ``(A) to provide any Federal cost-sharing 
                contribution on behalf of a State or local 
                government;</DELETED>
                <DELETED>    ``(B) to pay a ransom;</DELETED>
                <DELETED>    ``(C) by or for a non-United States 
                entity; or</DELETED>
                <DELETED>    ``(D) for any recreational or social 
                purpose.</DELETED>
<DELETED>    ``(g) Authorization of Appropriations.--There are 
authorized to be appropriated to carry out this section $75,000,000 for 
each of fiscal years 2022 through 2026.</DELETED>
<DELETED>    ``(h) Transfers Authorized.--During a fiscal year, the 
Secretary or the head of any component of the Department that 
administers the State and Local Cybersecurity Grant Program may 
transfer not more than 5 percent of the amounts appropriated pursuant 
to subsection (g) or other amounts appropriated to carry out the 
National Cyber Resilience Assistance Fund for that fiscal year to an 
account of the Department for salaries, expenses, and other 
administrative costs incurred for the management, administration, or 
evaluation of this section.''.</DELETED>
<DELETED>    (c) Technical and Conforming Amendments.--</DELETED>
        <DELETED>    (1) Table of contents.--The table of contents in 
        section 1(b) of the Homeland Security Act of 2002 (Public Law 
        107-296; 116 Stat. 2135) is amended by striking the item 
        relating to section 2214 and all that follows through the item 
        relating to section 2217 and inserting the following:</DELETED>

<DELETED>``Sec. 2214. National Asset Database.
<DELETED>``Sec. 2215. Duties and authorities relating to .gov internet 
                            domain.
<DELETED>``Sec. 2216. Joint Cyber Planning Office.
<DELETED>``Sec. 2217. Cybersecurity State Coordinator.
<DELETED>``Sec. 2218. Sector Risk Management Agencies.
<DELETED>``Sec. 2219. Cybersecurity Advisory Committee.
<DELETED>``Sec. 2220. Cybersecurity education and training programs.
<DELETED>``Sec. 2220A. National Cyber Resilience Assistance Fund.''.
        <DELETED>    (2) Additional technical amendment.--</DELETED>
                <DELETED>    (A) Amendment.--Section 904(b)(1) of the 
                DOTGOV Act of 2020 (title IX of division U of Public 
                Law 116-260) is amended, in the matter preceding 
                subparagraph (A), by striking ``Homeland Security Act'' 
                and inserting ``Homeland Security Act of 
                2002''.</DELETED>
                <DELETED>    (B) Effective date.--The amendment made by 
                subparagraph (A) shall take effect as if enacted as 
                part of the DOTGOV Act of 2020 (title IX of division U 
                of Public Law 116-260).</DELETED>

 <DELETED>TITLE II--IMPROVING THE ABILITY OF THE FEDERAL GOVERNMENT TO 
 ASSIST IN ENHANCING CRITICAL INFRASTRUCTURE CYBER RESILIENCE</DELETED>

<DELETED>SEC. 201. INSTITUTE A 5-YEAR TERM FOR THE CYBERSECURITY AND 
              INFRASTRUCTURE SECURITY DIRECTOR.</DELETED>

<DELETED>    (a) In General.--Subsection (b)(1) of section 2202 of the 
Homeland Security Act of 2002 (6 U.S.C. 652), is amended by inserting 
``The Director shall be appointed for a term of 5 years.'' after ``who 
shall report to the Secretary.''.</DELETED>
<DELETED>    (b) Transition Rules.--The amendment made by subsection 
(a) shall take effect on the earlier of--</DELETED>
        <DELETED>    (1) the first appointment of an individual to the 
        position of Director of the Cybersecurity and Infrastructure 
        Protection Agency of the Department of Homeland Security, by 
        and with the advice and consent of the Senate, that is made on 
        or after the date of enactment of this Act; or</DELETED>
        <DELETED>    (2) January 1, 2022.</DELETED>

<DELETED>SEC. 202. CREATE A JOINT COLLABORATIVE ENVIRONMENT.</DELETED>

<DELETED>    (a) In General.--The Director of the Cybersecurity and 
Infrastructure Security Agency shall establish a joint, cloud-based, 
information sharing environment to--</DELETED>
        <DELETED>    (1) integrate the Federal Government's 
        unclassified and classified cyber threat information, malware 
        forensics, and data related to cybersecurity risks (as defined 
        in section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 
        659)) that is derived from network sensor programs;</DELETED>
        <DELETED>    (2) enable cross-correlation of threat data at the 
        speed and scale necessary for rapid detection and 
        identification;</DELETED>
        <DELETED>    (3) enable query and analysis by appropriate 
        operators across the Federal Government;</DELETED>
        <DELETED>    (4) facilitate a whole-of-Government, 
        comprehensive understanding of the cyber threats to the 
        resilience of the Federal Government and national critical 
        infrastructure networks;</DELETED>
        <DELETED>    (5) enable and support the private-public 
        cybersecurity collaboration efforts of the Federal Government, 
        whose successes will be directly dependent on the accuracy, 
        comprehensiveness, and timeliness of threat information 
        collected and held by the Federal Government; and</DELETED>
        <DELETED>    (6) enable data curation for artificial 
        intelligence models and provide an environment to enable the 
        Federal Government to curate data and build 
        applications.</DELETED>
<DELETED>    (b) Development.--</DELETED>
        <DELETED>    (1) Initial evaluation.--Not later than 180 days 
        after the date of enactment of this Act, the Director of the 
        Cybersecurity and Infrastructure Security Agency, in 
        coordination with the Director, shall--</DELETED>
                <DELETED>    (A) identify all Federal sources of 
                classified and unclassified cyber threat 
                information;</DELETED>
                <DELETED>    (B) evaluate all programs, applications, 
                or platforms of the Federal Government that are 
                intended to detect, identify, analyze, or monitor cyber 
                threats against the resiliency of the Federal 
                Government or critical infrastructure; and</DELETED>
                <DELETED>    (C) submit a recommendation to the 
                President identifying Federal programs to be designated 
                and required to participate in the Information Sharing 
                Environment, including--</DELETED>
                        <DELETED>    (i) Government network-monitoring 
                        and intrusion detection programs;</DELETED>
                        <DELETED>    (ii) cyber threat indicator-
                        sharing programs and Government-sponsored 
                        network sensors or network-monitoring programs 
                        for the private sector or for State, local, 
                        tribal, and territorial governments;</DELETED>
                        <DELETED>    (iii) incident response and 
                        cybersecurity technical assistance programs; 
                        and</DELETED>
                        <DELETED>    (iv) malware forensics and 
                        reverse-engineering programs.</DELETED>
        <DELETED>    (2) Designation of participating programs.--Not 
        later than 60 days after completion of the evaluation required 
        under paragraph (1), the President shall issue a determination 
        designating the departments, agencies, Federal programs, and 
        corresponding systems and assets that are required to be a part 
        of the Information Sharing Environment.</DELETED>
        <DELETED>    (3) Design.--Not later than 1 year after 
        completion of the evaluation required under paragraph (1), the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, in consultation with the Director, shall design the 
        structure of a common platform for sharing and fusing existing 
        Government information, insights, and data related to cyber 
        threats and threat actors, which, at a minimum, shall--
        </DELETED>
                <DELETED>    (A) account for appropriate data standards 
                and interoperability requirements;</DELETED>
                <DELETED>    (B) enable integration of existing 
                applications, platforms, data, and information, to 
                include classified information;</DELETED>
                <DELETED>    (C) ensure access by such Federal 
                departments and agencies as the Director of the 
                Cybersecurity and Infrastructure Security Agency 
                determines necessary;</DELETED>
                <DELETED>    (D) account for potential private sector 
                participation and partnerships;</DELETED>
                <DELETED>    (E) enable unclassified data to be 
                integrated with classified data;</DELETED>
                <DELETED>    (F) anticipate the deployment of analytic 
                tools across classification levels to leverage all 
                relevant data sets, as appropriate;</DELETED>
                <DELETED>    (G) identify tools and analytical software 
                that can be applied and shared to manipulate, 
                transform, and display data and other identified 
                needs;</DELETED>
                <DELETED>    (H) anticipate the integration of new 
                technologies and data streams, including data related 
                to cybersecurity risks derived from Government-
                sponsored voluntary network sensors or network-
                monitoring programs for the private sector or for 
                State, local, Tribal, and territorial governments; 
                and</DELETED>
                <DELETED>    (I) appropriately account for departments, 
                agencies, programs, and systems and assets determined 
                to be required to participate by the President under 
                paragraph (2) in the Information Sharing 
                Environment.</DELETED>
<DELETED>    (c) Operation.--The Information Sharing Environment shall 
be managed by the Director of the Cybersecurity and Infrastructure 
Security Agency.</DELETED>
<DELETED>    (d) Post-Deployment Assessment.--Not later than 1 year 
after the date on which the Information Sharing Environment is 
established, the Director of the Cybersecurity and Infrastructure 
Security Agency and the Director shall assess the means by which the 
Information Sharing Environment may be expanded to include the private 
sector and critical infrastructure information sharing organizations 
and, to the maximum extent practicable, begin the process of such 
expansion.</DELETED>
<DELETED>    (e) Private Sector Information Sharing 
Protections.--To the extent any private entity shares cyber threat 
indicators and defensive measures through or with the Information 
Sharing Environment and in a manner that is consistent with all 
requirements under section 1752 of the William M. (Mac) Thornberry 
National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 
1500), the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501 
et seq.), and any applicable guidelines promulgated under subsection 
(f), such activities shall be considered to be authorized by and in 
accordance with section 1752 of the William M. (Mac) Thornberry 
National Defense Authorization Act for Fiscal Year 2021 and the 
Cybersecurity Information Sharing Act of 2015.</DELETED>
<DELETED>    (f) Privacy and Civil Liberties.--</DELETED>
        <DELETED>    (1) Guidelines of attorney general.--Not later 
        than 60 days after the date of enactment of this Act, the 
        Secretary of Homeland Security (acting through the Director of 
        the Cybersecurity and Infrastructure Security Agency) and the 
        Attorney General, shall jointly, and in coordination with heads 
        of the appropriate Federal entities and in consultation with 
        officers designated under section 1062 of the National Security 
        Intelligence Reform Act of 2004 (42 U.S.C. 2000ee-1), develop, 
        submit to Congress, and make available to the public interim 
        guidelines relating to privacy and civil liberties which shall 
        govern the receipt, retention, use, and dissemination of cyber 
        threat indicators by a Federal entity obtained in connection 
        with activities authorized in this section.</DELETED>
        <DELETED>    (2) Final guidelines.--</DELETED>
                <DELETED>    (A) In general.--Not later than 180 days 
                after the date of enactment of this Act, the Secretary 
                of Homeland Security (acting through the Director of 
                the Cybersecurity and Infrastructure Security Agency) 
                and the Attorney General, shall jointly, in 
                coordination with heads of the appropriate Federal 
                entities and in consultation with officers designated 
                under section 1062 of the National Security 
                Intelligence Reform Act of 2004 (42 U.S.C. 2000ee-1) 
                and such private entities with industry expertise as 
                the Secretary and the Attorney General consider 
                relevant, promulgate final guidelines relating to 
                privacy and civil liberties which shall govern the 
                receipt, retention, use, and dissemination of cyber 
                threat indicators by a Federal entity obtained in 
                connection with activities authorized in this 
                section.</DELETED>
                <DELETED>    (B) Periodic review.--The Secretary of 
                Homeland Security (acting through the Director of the 
                Cybersecurity and Infrastructure Security Agency) and 
                the Attorney General, shall jointly, in coordination 
                with heads of the appropriate Federal entities and in 
                consultation with officers and private entities 
                described in subparagraph (A), periodically, but not 
                less frequently than once every 2 years, review the 
                guidelines promulgated under subparagraph 
                (A).</DELETED>
        <DELETED>    (3) Content.--The guidelines required by 
        paragraphs (1) and (2) shall, consistent with the need to 
        bolster the resilience of information systems and mitigate 
        cybersecurity threats--</DELETED>
                <DELETED>    (A) limit the effect on privacy and civil 
                liberties of activities by the Federal Government under 
                this section;</DELETED>
                <DELETED>    (B) limit the receipt, retention, use, and 
                dissemination of cyber threat indicators containing 
                personal information or information that identifies 
                specific persons, including by establishing--</DELETED>
                        <DELETED>    (i) a process for the timely 
                        destruction of such information that is known 
                        not to be directly related to uses authorized 
                        under this section; and</DELETED>
                        <DELETED>    (ii) specific limitations on the 
                        length of any period in which a cyber threat 
                        indicator may be retained;</DELETED>
                <DELETED>    (C) include requirements to safeguard 
                cyber threat indicators containing personal information 
                or information that identifies specific persons from 
                unauthorized access or acquisition, including 
                appropriate sanctions for activities by officers, 
                employees, or agents of the Federal Government in 
                contravention of such guidelines;</DELETED>
                <DELETED>    (D) include procedures for notifying 
                entities and Federal entities if information received 
                pursuant to this subsection is known or determined by a 
                Federal entity receiving such information not to 
                constitute a cyber threat indicator;</DELETED>
                <DELETED>    (E) protect the confidentiality of cyber 
                threat indicators containing personal information or 
                information that identifies specific persons to the 
                greatest extent practicable and require recipients to 
                be informed that such indicators may only be used for 
                purposes authorized under this section; and</DELETED>
                <DELETED>    (F) include steps that may be needed so 
                that dissemination of cyber threat indicators is 
                consistent with the protection of classified and other 
                sensitive national security information.</DELETED>
<DELETED>    (g) Oversight of Government Activities.--</DELETED>
        <DELETED>    (1) Biennial report on privacy and civil 
        liberties.--Not later than 2 years after the date of enactment 
        of this Act, and not less frequently than once every year 
        thereafter, the Privacy and Civil Liberties Oversight Board 
        shall submit to Congress and the President a report providing--
        </DELETED>
                <DELETED>    (A) an assessment of the effect on privacy 
                and civil liberties by the type of activities carried 
                out under this section; and</DELETED>
                <DELETED>    (B) an assessment of the sufficiency of 
                the guidelines established pursuant to subsection (f) 
                in addressing concerns relating to privacy and civil 
                liberties.</DELETED>
        <DELETED>    (2) Biennial report by inspectors general.--
        </DELETED>
                <DELETED>    (A) In general.--Not later than 2 years 
                after the date of enactment of this Act, and not less 
                frequently than once every 2 years thereafter, the 
                Inspector General of the Department of Homeland 
                Security, the Inspector General of the Intelligence 
                Community, the Inspector General of the Department of 
                Justice, the Inspector General of the Department of 
                Defense, and the Inspector General of the Department of 
                Energy shall, in consultation with the Council of 
                Inspectors General on Integrity and Efficiency, jointly 
                submit to Congress a report on the receipt, use, and 
                dissemination of cyber threat indicators and defensive 
                measures that have been shared with Federal entities 
                under this section.</DELETED>
                <DELETED>    (B) Contents.--Each report submitted under 
                subparagraph (A) shall include the following:</DELETED>
                        <DELETED>    (i) A review of the types of cyber 
                        threat indicators shared with Federal 
                        entities.</DELETED>
                        <DELETED>    (ii) A review of the actions taken 
                        by Federal entities as a result of the receipt 
                        of such cyber threat indicators.</DELETED>
                        <DELETED>    (iii) A list of Federal entities 
                        receiving such cyber threat 
                        indicators.</DELETED>
                        <DELETED>    (iv) A review of the sharing of 
                        such cyber threat indicators among Federal 
                        entities to identify inappropriate barriers to 
                        sharing information.</DELETED>
        <DELETED>    (3) Recommendations.--Each report submitted under 
        this subsection may include such recommendations as the Privacy 
        and Civil Liberties Oversight Board, with respect to a report 
        submitted under paragraph (1), or the Inspectors General 
        referred to in paragraph (2)(A), with respect to a report 
        submitted under paragraph (2), may have for improvements or 
        modifications to the authorities under this section.</DELETED>
        <DELETED>    (4) Form.--Each report required under this 
        subsection shall be submitted in unclassified form, but may 
        include a classified annex.</DELETED>
<DELETED>    (h) Authorization of Appropriations.--There are authorized 
to be appropriated to carry out this section $100,000,000 for each of 
fiscal years 2022 through 2026.</DELETED>
<DELETED>    (i) Definitions.--In this section:</DELETED>
        <DELETED>    (1) Critical infrastructure.--The term ``critical 
        infrastructure'' has the meaning given that term in section 
        1016(e) of the Critical Infrastructure Protection Act of 2001 
        (42 U.S.C. 5195c(e)).</DELETED>
        <DELETED>    (2) Director.--The term ``Director'' means the 
        National Cyber Director.</DELETED>
        <DELETED>    (3) Information sharing environment.--The term 
        ``Information Sharing Environment'' means the information 
        sharing environment established under subsection (a).</DELETED>

<DELETED>SEC. 203. DESIGNATE THREE CRITICAL TECHNOLOGY SECURITY 
              CENTERS.</DELETED>

<DELETED>    (a) In General.--Section 307(b)(3) of the Homeland 
Security Act of 2002 (6 U.S.C. 187(b)(3)), is amended--</DELETED>
        <DELETED>    (1) in the matter preceding subparagraph (A), by 
        inserting ``national laboratories,'' before ``and 
        universities'';</DELETED>
        <DELETED>    (2) in subparagraph (C), by striking ``and'' at 
        the end;</DELETED>
        <DELETED>    (3) in subparagraph (D), by striking the period at 
        the end and inserting ``; and''; and</DELETED>
        <DELETED>    (4) by adding at the end the following:</DELETED>
                <DELETED>    ``(E) establish not less than 1, and not 
                more than 3, cybersecurity-focused critical technology 
                security centers, in order to bolster the overall 
                resilience of the networks and critical infrastructure 
                of the United States, to perform--</DELETED>
                        <DELETED>    ``(i) network technology security 
                        testing, to test the security of cyber-related 
                        hardware and software;</DELETED>
                        <DELETED>    ``(ii) connected industrial 
                        control system security testing, to test the 
                        security of connected programmable data logic 
                        controllers, supervisory control and data 
                        acquisition servers, and other cyber connected 
                        industrial equipment; and</DELETED>
                        <DELETED>    ``(iii) open source software 
                        security testing, to test and coordinate 
                        efforts to fix vulnerabilities in open-source 
                        software.''.</DELETED>
<DELETED>    (b) Authorization of Appropriations.--There are authorized 
to be appropriated to carry out the amendments made by this section 
$15,000,000 for each of fiscal years 2022 through 2026.</DELETED>

     <DELETED>TITLE III--IMPROVING SECURITY IN THE NATIONAL CYBER 
                          ECOSYSTEM</DELETED>

<DELETED>SEC. 301. ESTABLISH A NATIONAL CYBERSECURITY CERTIFICATION AND 
              LABELING AUTHORITY.</DELETED>

<DELETED>    (a) Definitions.--In this section:</DELETED>
        <DELETED>    (1) Accredited certifying agent.--The term 
        ``accredited certifying agent'' means any person who is 
        accredited by the Authority as a certifying agent for the 
        purposes of certifying a specific class of critical information 
        and communications technology.</DELETED>
        <DELETED>    (2) Authority.--The term ``Authority'' means the 
        National Cybersecurity Certification and Labeling Authority 
        established under subsection (b)(1).</DELETED>
        <DELETED>    (3) Certification.--The term ``certification'' 
        means a seal or symbol provided by the Authority or an 
        accredited certifying agent, that results from passage of a 
        comprehensive evaluation of an information and communications 
        technology that establishes the extent to which a particular 
        design and implementation meets a set of specified security 
        standards.</DELETED>
        <DELETED>    (4) Critical information and communications 
        technology.--The term ``critical information and communications 
        technology'' means information and communications technology 
        that is in use in critical infrastructure sectors and that 
        underpins the resilience of national critical functions, as 
        determined by the Secretary.</DELETED>
        <DELETED>    (5) Critical infrastructure.--The term ``critical 
        infrastructure'' has the meaning given that term in section 
        1016(e) of the Critical Infrastructure Protection Act of 2001 
        (42 U.S.C. 5195c(e)).</DELETED>
        <DELETED>    (6) Label.--The term ``label'' means a clear, 
        visual, and easy to understand symbol or list that conveys 
        specific information about a product's security attributes, 
        characteristics, functionality, components, or other 
        features.</DELETED>
        <DELETED>    (7) Program.--The term ``Program'' means the 
        program administered under subsection (b)(1).</DELETED>
        <DELETED>    (8) Secretary.--The term ``Secretary'' means the 
        Secretary of Homeland Security.</DELETED>
<DELETED>    (b) National Cybersecurity Certification and Labeling 
Authority.--</DELETED>
        <DELETED>    (1) Establishment.--There is established a 
        National Cybersecurity Certification and Labeling Authority for 
        the purpose of establishing and administering a voluntary 
        national cybersecurity certification and labeling program for 
        critical information and communications technology in order to 
        bolster the resilience of the networks and critical 
        infrastructure of the United States.</DELETED>
        <DELETED>    (2) Programs.--</DELETED>
                <DELETED>    (A) Accreditation of certifying agents.--
                As part of the Program, the Authority shall define and 
                publish a process whereby governmental and 
                nongovernmental entities may apply to become accredited 
                certifying agents for the certification of specific 
                critical information and communications technology, 
                including--</DELETED>
                        <DELETED>    (i) smartphones;</DELETED>
                        <DELETED>    (ii) tablets;</DELETED>
                        <DELETED>    (iii) laptop computers;</DELETED>
                        <DELETED>    (iv) operating systems;</DELETED>
                        <DELETED>    (v) routers;</DELETED>
                        <DELETED>    (vi) software-as-a-
                        service;</DELETED>
                        <DELETED>    (vii) infrastructure-as-a-
                        service;</DELETED>
                        <DELETED>    (viii) platform-as-a-
                        service;</DELETED>
                        <DELETED>    (ix) programmable logic 
                        controllers;</DELETED>
                        <DELETED>    (x) intelligent electronic 
                        devices; and</DELETED>
                        <DELETED>    (xi) programmable automation 
                        controllers.</DELETED>
                <DELETED>    (B) Identification of standards, 
                frameworks, and benchmarks.--As part of the Program, 
                the Authority shall work in coordination with 
                accredited certifying agents, the Secretary, and 
                subject matter experts from the Federal Government, 
                academia, nongovernmental organizations, and the 
                private sector to identify and harmonize common 
                security standards, frameworks, and benchmarks against 
                which the security of critical information and 
                communications technologies may be measured.</DELETED>
                <DELETED>    (C) Product certification.--As part of the 
                Program, the Authority, in consultation with the 
                Secretary and other experts from the Federal 
                Government, academia, nongovernmental organizations, 
                and the private sector, shall--</DELETED>
                        <DELETED>    (i) develop, and disseminate to 
                        accredited certifying agents, guidelines to 
                        standardize the presentation of certifications 
                        to communicate the level of security for 
                        critical information and communications 
                        technologies;</DELETED>
                        <DELETED>    (ii) develop, or permit accredited 
                        certifying agents to develop, certification 
                        criteria for critical information and 
                        communications technologies based on identified 
                        security standards, frameworks, and benchmarks, 
                        through the work conducted under subparagraph 
                        (B);</DELETED>
                        <DELETED>    (iii) issue, or permit accredited 
                        certifying agents to issue, certifications for 
                        critical information and communications 
                        technology that meet and comply with security 
                        standards, frameworks, and benchmarks 
                        identified through the work conducted under 
                        subparagraph (B);</DELETED>
                        <DELETED>    (iv) permit a manufacturer or 
                        distributor of critical information and 
                        communications technology to display a 
                        certificate reflecting the extent to which the 
                        critical information and communications 
                        technology meets security standards, 
                        frameworks, and benchmarks identified through 
                        the work conducted under subparagraph 
                        (B);</DELETED>
                        <DELETED>    (v) remove the certification of a 
                        critical information and communications 
                        technology as a critical information and 
                        communications technology certified under the 
                        Program if the manufacturer of the certified 
                        critical information and communications 
                        technology falls out of conformity with the 
                        security standards, frameworks, or 
                        benchmarks identified through the work 
                        conducted under subparagraph (B) for the 
                        critical information and communications 
                        technology;</DELETED>
                        <DELETED>    (vi) work to enhance public 
                        awareness of the certification and labeling 
                        efforts of the Authority and accredited 
                        certifying agents, including through public 
                        outreach, education, research and development, 
                        and other means; and</DELETED>
                        <DELETED>    (vii) publicly display a list of 
                        labels and certified critical information and 
                        communications technology, along with their 
                        respective certification information.</DELETED>
                <DELETED>    (D) Certifications.--</DELETED>
                        <DELETED>    (i) In general.--A certification 
                        shall remain valid for 1 year from the date of 
                        issuance.</DELETED>
                        <DELETED>    (ii) Classes of certification.--In 
                        developing the guidelines and criteria required 
                        under subparagraph (C)(i), the Authority shall 
                        designate at least 3 classes of certifications, 
                        including the following:</DELETED>
                                <DELETED>    (I) For critical 
                                information and communications 
                                technology which the product 
                                manufacturer or service provider 
                                attests meets the criteria for a 
                                certification, attestation-based 
                                certification.</DELETED>
                                <DELETED>    (II) For critical 
                                information and communications 
                                technology products and services that 
                                have undergone third-party 
                                accreditation of criteria for 
                                certification, accreditation-based 
                                certification.</DELETED>
                                <DELETED>    (III) For critical 
                                information and communications 
                                technology that has undergone a 
                                security evaluation and testing process 
                                by a qualifying third party, as 
                                determined by the Authority, test-based 
                                certification.</DELETED>
                <DELETED>    (E) Product labeling.--The Authority, in 
                consultation with the Secretary and other experts from 
                the Federal Government, academia, nongovernmental 
                organizations, and the private sector, shall--
                </DELETED>
                        <DELETED>    (i) collaborate with the private 
                        sector to standardize language and define a 
                        labeling schema to provide transparent 
                        information on the security characteristics and 
                        constituent components of a software or 
                        hardware product; and</DELETED>
                        <DELETED>    (ii) establish a mechanism by 
                        which product developers can provide this 
                        information for both product labeling and 
                        public posting.</DELETED>
        <DELETED>    (3) Enforcement.--</DELETED>
                <DELETED>    (A) In general.--It shall be unlawful for 
                a product manufacturer, distributor, or seller to--
                </DELETED>
                        <DELETED>    (i) falsely attest to, or falsify 
                        an audit or test for, a security standard, 
                        framework, or benchmark for 
                        certification;</DELETED>
                        <DELETED>    (ii) intentionally mislabel a 
                        product; or</DELETED>
                        <DELETED>    (iii) fail to maintain the 
                        security standard, framework, or benchmark to 
                        which the manufacturer, distributor, or seller 
                        attested.</DELETED>
                <DELETED>    (B) Enforcement by federal trade 
                commission.--</DELETED>
                        <DELETED>    (i) Unfair or deceptive acts or 
                        practices.--A violation of subparagraph (A) 
                        shall be treated as an unfair and deceptive act 
                        or practice in violation of a regulation under 
                        section 18(a)(1)(B) of the Federal Trade 
                        Commission Act (15 U.S.C. 57a(a)(1)(B)) 
                        regarding unfair or deceptive acts or 
                        practices.</DELETED>
                        <DELETED>    (ii) Powers of commission.--
                        </DELETED>
                                <DELETED>    (I) In general.--The 
                                Federal Trade Commission shall enforce 
                                this paragraph in the same manner, by 
                                the same means, and with the same 
                                jurisdiction, powers, and duties as 
                                though all applicable terms and 
                                provisions of the Federal Trade 
                                Commission Act (15 U.S.C. 41 et seq.) 
                                were incorporated into and made a part 
                                of this paragraph.</DELETED>
                                <DELETED>    (II) Privileges and 
                                immunities.--Any person who violates 
                                this paragraph shall be subject to the 
                                penalties and entitled to the 
                                privileges and immunities provided in 
                                the Federal Trade Commission Act (15 
                                U.S.C. 41 et seq.).</DELETED>
<DELETED>    (c) Selection of the Authority.--</DELETED>
        <DELETED>    (1) Selection.--The Secretary shall issue a notice 
        of funding opportunity and select, on a competitive basis, a 
        nonprofit, nongovernmental organization to serve as the 
        Authority for a period of 5 years.</DELETED>
        <DELETED>    (2) Eligibility for selection.--The Secretary may 
        only select an organization to serve as the Authority if such 
        organization--</DELETED>
                <DELETED>    (A) is a nongovernmental, nonprofit 
                organization that is--</DELETED>
                        <DELETED>    (i) exempt from taxation under 
                        section 501(a) of the Internal Revenue Code of 
                        1986; and</DELETED>
                        <DELETED>    (ii) described in sections 
                        501(c)(3) and 170(b)(1)(A)(vi) of that 
                        Code;</DELETED>
                <DELETED>    (B) has a demonstrable track record of 
                work on cybersecurity and information security 
                standards, frameworks, and benchmarks; and</DELETED>
                <DELETED>    (C) possesses requisite staffing and 
                expertise, with demonstrable prior experience in 
                technology security or safety standards, frameworks, 
                and benchmarks, as well as certification.</DELETED>
        <DELETED>    (3) Application.--The Secretary shall establish a 
        process by which a nonprofit, nongovernmental organization that 
        seeks to be selected as the Authority may apply for 
        consideration.</DELETED>
        <DELETED>    (4) Program evaluation.--Not later than the date 
        that is 4 years after the initial selection pursuant to paragraph 
        (1), and every 4 years thereafter, the Secretary shall--
        </DELETED>
                <DELETED>    (A) assess the effectiveness of the labels 
                and certificates produced by the Authority, including--
                </DELETED>
                        <DELETED>    (i) assessing the costs to 
                        businesses that manufacture critical 
                        information and communications technology 
                        participating in the Program;</DELETED>
                        <DELETED>    (ii) evaluating the level of 
                        participation in the Program by businesses that 
                        manufacture critical information and 
                        communications technology; and</DELETED>
                        <DELETED>    (iii) assessing the level of 
                        public awareness and consumer awareness of the 
                        label;</DELETED>
                <DELETED>    (B) audit the impartiality and fairness of 
                the Authority's activities conducted under this 
                section;</DELETED>
                <DELETED>    (C) issue a public report on the 
                assessment most recently carried out under subparagraph 
                (A) and the audit most recently carried out under 
                subparagraph (B); and</DELETED>
                <DELETED>    (D) brief Congress on the findings of the 
                Secretary with respect to the most recent assessment 
                under subparagraph (A) and the most recent audit under 
                subparagraph (B).</DELETED>
        <DELETED>    (5) Renewal.--After the initial selection pursuant 
        to paragraph (1), the Secretary shall, every 5 years--
        </DELETED>
                <DELETED>    (A) accept applications from nonprofit, 
                nongovernmental organizations seeking selection as the 
                Authority; and</DELETED>
                <DELETED>    (B) following competitive consideration of 
                all applications--</DELETED>
                        <DELETED>    (i) renew the selection of the 
                        organization serving as the Authority; 
                        or</DELETED>
                        <DELETED>    (ii) select another applicant 
                        organization to serve as the 
                        Authority.</DELETED>
<DELETED>    (d) Authorization of Appropriations.--There are authorized 
to be appropriated to carry out this section $25,000,000 for each of 
fiscal years 2022 through 2026.</DELETED>

<DELETED>SEC. 302. ESTABLISH THE BUREAU OF CYBERSECURITY 
              STATISTICS.</DELETED>

<DELETED>    (a) Definitions.--In this section:</DELETED>
        <DELETED>    (1) Bureau.--The term ``Bureau'' means the Bureau 
        of Cybersecurity Statistics established under subsection 
        (b).</DELETED>
        <DELETED>    (2) Covered entity.--The term ``covered entity'' 
        means any nongovernmental organization, corporation, trust, 
        partnership, sole proprietorship, unincorporated association, 
        or venture (without regard to whether it is established for 
        profit) that is engaged in or affecting interstate commerce and 
        that provides cybersecurity incident response services or 
        cybersecurity insurance products.</DELETED>
        <DELETED>    (3) Cyber incident.--The term ``cyber incident'' 
        includes each of the following:</DELETED>
                <DELETED>    (A) Unauthorized access to an information 
                system or network that leads to loss of 
                confidentiality, integrity, or availability of that 
                information system or network.</DELETED>
                <DELETED>    (B) Disruption of business operations due 
                to a distributed denial of service attack against an 
                information system or network.</DELETED>
                <DELETED>    (C) Unauthorized access or disruption of 
                business operations due to loss of service facilitated 
                through, or caused by a cloud service provider, managed 
                service provider, or other data hosting 
                provider.</DELETED>
                <DELETED>    (D) Fraudulent or malicious use of a cloud 
                service account, data hosting account, internet service 
                account, or any other digital service.</DELETED>
        <DELETED>    (4) Director.--The term ``Director'' means the 
        Director of the Bureau.</DELETED>
        <DELETED>    (5) Statistical purpose.--The term ``statistical 
        purpose''--</DELETED>
                <DELETED>    (A) means the description, estimation, or 
                analysis of the characteristics of groups, without 
                identifying the individuals or organizations that 
                comprise such groups; and</DELETED>
                <DELETED>    (B) includes the development, 
                implementation, or maintenance of methods, technical or 
                administrative procedures, or information resources 
                that support the purposes described in subsection 
                (e).</DELETED>
<DELETED>    (b) Establishment.--There is established within the 
Department of Homeland Security a Bureau of Cybersecurity 
Statistics.</DELETED>
<DELETED>    (c) Director.--</DELETED>
        <DELETED>    (1) In general.--The Bureau shall be headed by a 
        Director, who shall--</DELETED>
                <DELETED>    (A) report to the Secretary of Homeland 
                Security; and</DELETED>
                <DELETED>    (B) be appointed by the 
                President.</DELETED>
        <DELETED>    (2) Authority.--The Director shall--</DELETED>
                <DELETED>    (A) have final authority for all 
                cooperative agreements and contracts awarded by the 
                Bureau;</DELETED>
                <DELETED>    (B) be responsible for the integrity of 
                data and statistics collected or issued by the Bureau; 
                and</DELETED>
                <DELETED>    (C) protect against improper or illegal 
                use or disclosure of information furnished for 
                exclusively statistical purposes under this section, 
                consistent with the requirements of subsection 
                (f).</DELETED>
        <DELETED>    (3) Qualifications.--The Director--</DELETED>
                <DELETED>    (A) shall have experience in statistical 
                programs; and</DELETED>
                <DELETED>    (B) shall not--</DELETED>
                        <DELETED>    (i) engage in any other 
                        employment; or</DELETED>
                        <DELETED>    (ii) hold any office in, or act in 
                        any capacity for, any organization, agency, or 
                        institution with which the Bureau makes any 
                        contract or other arrangement under this 
                        section.</DELETED>
        <DELETED>    (4) Duties and functions.--The Director shall--
        </DELETED>
                <DELETED>    (A) collect and analyze information 
                concerning cybersecurity, including data related to 
                cyber incidents, cyber crime, and any other area the 
                Director determines appropriate;</DELETED>
                <DELETED>    (B) collect and analyze data that will 
                serve as a continuous and comparable national 
                indication of the prevalence, incidents, rates, extent, 
                distribution, and attributes of all relevant cyber 
                incidents, as determined by the Director, in support of 
                national policy and decision making;</DELETED>
                <DELETED>    (C) compile, collate, analyze, publish, 
                and disseminate uniform national cyber statistics 
                concerning any area that the Director determines 
                appropriate;</DELETED>
                <DELETED>    (D) in coordination with the National 
                Institute of Standards and Technology, recommend 
                national standards, metrics, and measurement criteria 
                for cyber statistics and for ensuring the reliability 
                and validity of statistics collected pursuant to this 
                subsection;</DELETED>
                <DELETED>    (E) conduct or support research relating 
                to methods of gathering or analyzing cyber 
                statistics;</DELETED>
                <DELETED>    (F) enter into cooperative agreements or 
                contracts with public agencies, institutions of higher 
                education, or private organizations for purposes 
                related to this subsection;</DELETED>
                <DELETED>    (G) provide appropriate information to the 
                President, the Congress, Federal agencies, the private 
                sector, and the general public on cyber 
                statistics;</DELETED>
                <DELETED>    (H) maintain liaison with State and local 
                governments concerning cyber statistics;</DELETED>
                <DELETED>    (I) confer and cooperate with Federal 
                statistical agencies as needed to carry out the 
                purposes of this section, including by entering into 
                cooperative data sharing agreements in conformity with 
                all laws and regulations applicable to the disclosure 
                and use of data; and</DELETED>
                <DELETED>    (J) request from any person or entity 
                information, data, and reports as may be required to 
                carry out the purposes of this subsection.</DELETED>
<DELETED>    (d) Furnishment of Information, Data, or Reports by 
Federal Departments and Agencies.--Federal departments and agencies 
requested by the Director to furnish information, data, or reports 
pursuant to subsection (c)(4)(J) shall provide to the Bureau such 
information as the Director determines necessary to carry out the 
purposes of this section.</DELETED>
<DELETED>    (e) Furnishment of Cyber Incident Information, Data, or 
Reports to the Bureau by the Private Sector.--</DELETED>
        <DELETED>    (1) In general.--Not later than 180 days after the 
        date of enactment of this Act, and every 180 days thereafter, 
        each covered entity shall submit to the Bureau a report 
        containing such data and information as the Director determines 
        necessary to carry out the purposes of this section.</DELETED>
        <DELETED>    (2) Determination of data and information 
        necessary to carry out the purposes of this section.--Not later 
        than 90 days after the date of enactment of this Act, and 
        annually thereafter, the Director shall publish a list of data 
        and information determined necessary to carry out the purposes 
        of this section, including individual descriptions of cyber 
        incidents, which shall include--</DELETED>
                <DELETED>    (A) identification of the affected 
                databases, information systems, or devices that were, 
                or are reasonably believed to have been accessed by an 
                unauthorized person;</DELETED>
                <DELETED>    (B) where applicable, a description of the 
                vulnerabilities, tactics, techniques, and procedures 
                used;</DELETED>
                <DELETED>    (C) where applicable, any identifying 
                information related to the malicious actors who 
                perpetrated the incident;</DELETED>
                <DELETED>    (D) where applicable, any cybersecurity 
                controls implemented by the victim organization; 
                and</DELETED>
                <DELETED>    (E) the industrial sectors, regions, and 
                size of affected entities (as determined by number of 
                employees) without providing any information that can 
                reasonably be expected to identify such 
                entities.</DELETED>
        <DELETED>    (3) Standards for submission of information and 
        data.--Not later than 180 days after the date of enactment of 
        this Act, the Director shall, in consultation with covered 
        entities, develop standardized procedures for the submission of 
        data and information the Director determines necessary to carry 
        out the purposes of this section.</DELETED>
        <DELETED>    (4) Private sector reporting.--Not later than 90 
        days after the date on which the Director develops the 
        standards required under paragraph (3), the Director shall--
        </DELETED>
                <DELETED>    (A) publish the processes for submission 
                of information, data, and reports by covered entities; 
                and</DELETED>
                <DELETED>    (B) begin accepting reporting required 
                under paragraph (1).</DELETED>
        <DELETED>    (5) Regulatory use.--Information disclosed to the 
        Bureau under this section that is not otherwise available, 
        shall not be used by the Federal Government or any State, 
        local, tribal, or territorial government to sanction or 
        otherwise punish the entity disclosing the information, or the 
        entity in which the cyber incident initially 
        occurred.</DELETED>
        <DELETED>    (6) Preservation of privilege.--Disclosure of 
        information pursuant to this section or by a covered entity to 
        the Bureau shall not waive any otherwise applicable privilege, 
        immunity, or protection provided by law.</DELETED>
        <DELETED>    (7) Preservation of existing obligations.--Nothing 
        in this section shall modify, prevent, or abrogate any notice 
        or notification obligations under Federal contracts, 
        enforceable agreements with the government, or other Federal 
        law.</DELETED>
        <DELETED>    (8) Enforcement.--</DELETED>
                <DELETED>    (A) Unfair or deceptive acts or 
                practices.--Compliance with the requirements imposed 
                under this subsection by covered entities shall be 
                enforced by the Federal Trade Commission under the 
                Federal Trade Commission Act (15 U.S.C. 41 et seq.). 
                For the purpose of the exercise by the Federal Trade 
                Commission of its functions and powers under the 
                Federal Trade Commission Act, a violation of any 
                requirement or prohibition imposed under this 
                subsection shall be treated as an unfair and deceptive 
                act or practice in violation of a regulation under 
                section 18(a)(1)(B) of the Federal Trade Commission Act 
                (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive 
                acts or practices.</DELETED>
                <DELETED>    (B) Powers of commission.--Subject to 
                subparagraph (C), the Federal Trade Commission shall 
                enforce this subsection in the same manner, by the same 
                means, and with the same jurisdiction, powers, and 
                duties as though all applicable terms and provisions of 
                the Federal Trade Commission Act (15 U.S.C. 41 et seq.) 
                were incorporated into and made a part of this 
                subsection.</DELETED>
                <DELETED>    (C) Additional entities.--</DELETED>
                        <DELETED>    (i) In general.--Notwithstanding 
                        sections 4, 5(a)(2), or 6 of the Federal Trade 
                        Commission Act (15 U.S.C. 44, 45(a)(2), 46) or 
                        any jurisdictional limitation of the Federal 
                        Trade Commission, the Federal Trade Commission 
                        shall also enforce this subsection, in the same 
                        manner provided in subparagraph (A) of this 
                        paragraph, with respect to--</DELETED>
                                <DELETED>    (I) organizations not 
                                organized to carry on business for 
                                their own profit or that of their 
                                members; and</DELETED>
                                <DELETED>    (II) common carriers 
                                subject to the Communications Act of 
                                1934 (47 U.S.C. 151 et seq.).</DELETED>
                        <DELETED>    (ii) Coordination and notice.--The 
                        Federal Trade Commission shall--</DELETED>
                                <DELETED>    (I) coordinate with the 
                                Federal Communications Commission 
                                regarding enforcement of this 
                                subsection with respect to common 
                                carriers subject to the Communications 
                                Act of 1934 (47 U.S.C. 151 et 
                                seq.);</DELETED>
                                <DELETED>    (II) notify the Bureau of 
                                Consumer Financial Protection regarding 
                                enforcement of this subsection with 
                                respect to information associated with 
                                the provision of financial products or 
                                services by an entity that provides a 
                                consumer financial product or service 
                                (as defined in section 1002 of the 
                                Consumer Financial Protection Act of 
                                2010 (12 U.S.C. 5481)); and</DELETED>
                                <DELETED>    (III) for enforcement of 
                                this subsection with respect to matters 
                                implicating the jurisdiction or 
                                authorities of another Federal agency, 
                                notify that agency as 
                                appropriate.</DELETED>
                <DELETED>    (D) Privileges and immunities.--Any 
                covered entity that violates the requirements imposed 
                under this subsection shall be subject to the penalties 
                and entitled to the privileges and immunities provided 
                in the Federal Trade Commission Act (15 U.S.C. 41 et 
                seq.).</DELETED>
                <DELETED>    (E) Construction.--Nothing in this 
                paragraph shall be construed to limit the authority of 
                the Federal Trade Commission under any other provision 
                of law.</DELETED>
<DELETED>    (f) Protection of Information.--</DELETED>
        <DELETED>    (1) In general.--No officer or employee of the 
        Federal Government or agent of the Federal Government may, 
        without the consent of the individual, entity, agency, or other 
        person who is the subject of the submission or provides the 
        submission--</DELETED>
                <DELETED>    (A) use any submission that is furnished 
                for exclusively statistical purposes under this section 
                for any purpose other than the statistical purposes for 
                which the submission is furnished;</DELETED>
                <DELETED>    (B) make any publication or media 
                transmittal of the data contained in a submission 
                described in subparagraph (A) that permits information 
                concerning individual entities or individual incidents 
                to be reasonably inferred by either direct or indirect 
                means; or</DELETED>
                <DELETED>    (C) permit anyone other than a sworn 
                officer, employee, agent, or contractor of the Bureau 
                to examine an individual submission described in 
                subsection (e).</DELETED>
        <DELETED>    (2) Immunity from legal process.--Any submission 
        (including any data derived from the submission) that is 
        collected and retained by the Bureau, or an officer, employee, 
        agent, or contractor of the Bureau, for exclusively statistical 
        purposes under this section shall be immune from the legal 
        process and shall not, without the consent of the individual, 
        entity, agency, or other person who is the subject of the 
        submission or provides the submission, be admitted as evidence 
        or used for any purpose in any action, suit, or other judicial 
        or administrative proceeding.</DELETED>
        <DELETED>    (3) Rule of construction.--Nothing in this 
        subsection shall be construed to provide immunity from the 
        legal process for a submission (including any data derived from 
        the submission) if the submission is in the possession of any 
        person, agency, or entity other than the Bureau or an officer, 
        employee, agent, or contractor of the Bureau, or if the 
        submission is independently collected, retained, or produced 
        for purposes other than the purposes of this section.</DELETED>
<DELETED>    (g) Authorization of Appropriation.--There are authorized 
to be appropriated such sums as may be necessary to carry out this 
section. Such funds shall remain available until expended.</DELETED>

<DELETED>SEC. 303. SECURE FOUNDATIONAL INTERNET PROTOCOLS.</DELETED>

<DELETED>    (a) Definitions.--In this section:</DELETED>
        <DELETED>    (1) Border gateway protocol.--The term ``border 
        gateway protocol'' means a protocol designed to optimize 
        routing of information exchanged through the 
        internet.</DELETED>
        <DELETED>    (2) Domain name system.--The term ``domain name 
        system'' means a system that stores information associated with 
        domain names in a distributed database on networks.</DELETED>
        <DELETED>    (3) Information and communications technology 
        infrastructure providers.--The term ``information and 
        communications technology infrastructure providers'' means all 
        systems that enable connectivity and operability of internet 
        service, backbone, cloud, web hosting, content delivery, domain 
        name system, and software-defined networks and other systems 
        and services.</DELETED>
<DELETED>    (b) Creation of a Strategy To Secure Foundational Internet 
Protocols.--</DELETED>
        <DELETED>    (1) Protocol security strategy.--In order to 
        secure foundational internet protocols, not later than December 
        31, 2021, the National Telecommunications and Information 
        Administration and the Department of Homeland Security shall 
        submit to Congress a strategy to secure the border gateway 
        protocol and the domain name system.</DELETED>
        <DELETED>    (2) Strategy requirements.--The strategy required 
        under paragraph (1) shall--</DELETED>
                <DELETED>    (A) articulate the security and privacy 
                benefits of implementing security for the border 
                gateway protocol and the domain name system and the 
                burdens of implementation and the entities on whom 
                those burdens will most likely fall;</DELETED>
                <DELETED>    (B) identify key United States and 
                international stakeholders;</DELETED>
                <DELETED>    (C) outline identified security measures 
                that could be used to secure or provide authentication 
                for the border gateway protocol and the domain name 
                system;</DELETED>
                <DELETED>    (D) identify any barriers to implementing 
                security for the border gateway protocol and the domain 
                name system at scale;</DELETED>
                <DELETED>    (E) propose a strategy to implement 
                identified security measures at scale, accounting for 
                barriers to implementation and balancing benefits and 
                burdens, where feasible; and</DELETED>
                <DELETED>    (F) provide an initial estimate of the 
                total cost to the Government and implementing entities 
                in the private sector of implementing security for the 
                border gateway protocol and the domain name system and 
                propose recommendations for defraying these costs, if 
                applicable.</DELETED>
        <DELETED>    (3) Consultation.--In developing the strategy 
        required under paragraph (1), the National Telecommunications 
        and Information Administration and the Department of Homeland 
        Security shall consult with information and communications 
        technology infrastructure providers, civil society 
        organizations, relevant nonprofit organizations, and academic 
        experts.</DELETED>

          <DELETED>TITLE IV--SYSTEMICALLY IMPORTANT CRITICAL 
                        INFRASTRUCTURE</DELETED>

<DELETED>SEC. 401. DEFINITIONS.</DELETED>

<DELETED>    In this title:</DELETED>
        <DELETED>    (1) Appropriate congressional committees.--The 
        term ``appropriate congressional committees'' means the 
        Committee on Homeland Security and Governmental Affairs of the 
        Senate and the Committee on Homeland Security of the House of 
        Representatives.</DELETED>
        <DELETED>    (2) Critical infrastructure.--The term ``critical 
        infrastructure'' has the meaning given that term in section 
        1016(e) of the Critical Infrastructure Protection Act of 2001 
        (42 U.S.C. 5195c(e)).</DELETED>
        <DELETED>    (3) Department.--The term ``Department'' means the 
        Department of Homeland Security.</DELETED>
        <DELETED>    (4) Entity.--The term ``entity'' means a non-
        Federal entity and a private entity, as such terms are defined 
        under section 102 of the Cybersecurity Information Sharing Act 
        of 2015 (6 U.S.C. 1501).</DELETED>
        <DELETED>    (5) National critical functions.--The term 
        ``national critical functions'' means functions of government 
        and the private sector so vital to the United States that their 
        disruption, corruption, or dysfunction would have a 
        debilitating effect on security, national economic security, 
        national public health or safety, or any combination 
        thereof.</DELETED>
        <DELETED>    (6) Secretary.--The term ``Secretary'' means the 
        Secretary of Homeland Security.</DELETED>
        <DELETED>    (7) Stakeholders.--The term ``stakeholders'' means 
        persons or groups whose consultation may aid the Secretary in 
        exercising the authority of the Secretary under this title, 
        including--</DELETED>
                <DELETED>    (A) Sector Coordinating Councils within 
                the Critical Infrastructure Partnership Advisory 
                Council, established under section 871 of the Homeland 
                Security Act of 2002 (6 U.S.C. 451);</DELETED>
                <DELETED>    (B) the State, Local, Tribal and 
                Territorial Government Coordinating Council, within the 
                Critical Infrastructure Partnership Advisory Council, 
                established under section 871 of the Homeland Security 
                Act of 2002 (6 U.S.C. 451);</DELETED>
                <DELETED>    (C) the Cybersecurity Advisory Committee 
                established under section 2219 of the Homeland Security 
                Act of 2002 (6 U.S.C. 665e), as so redesignated by 
                section 101 of this Act;</DELETED>
                <DELETED>    (D) the National Security 
                Telecommunications Advisory Committee established 
                pursuant to Executive Order 12382 (47 Fed. Reg. 40531); 
                and</DELETED>
                <DELETED>    (E) the National Infrastructure Advisory 
                Council, established pursuant to Executive Order 13231 
                (66 Fed. Reg. 53063).</DELETED>
        <DELETED>    (8) Systemically important critical 
        infrastructure.--The term ``Systemically Important Critical 
        Infrastructure'' means an entity that has been designated as 
        such by the Secretary through the process and procedures 
        established under section 402.</DELETED>

<DELETED>SEC. 402. SYSTEMICALLY IMPORTANT CRITICAL 
              INFRASTRUCTURE.</DELETED>

<DELETED>    (a) In General.--The Secretary may designate entities as 
Systemically Important Critical Infrastructure.</DELETED>
<DELETED>    (b) Establishment of Methodology and Criteria.--Prior to 
designating any entities as Systemically Important Critical 
Infrastructure, the Secretary, in consultation with the National Cyber 
Director, Sector Risk Management Agencies, and appropriate stakeholders, 
shall develop--</DELETED>
        <DELETED>    (1) a methodology for identifying Systemically 
        Important Critical Infrastructure; and</DELETED>
        <DELETED>    (2) criteria for determining whether an entity 
        qualifies as Systemically Important Critical 
        Infrastructure.</DELETED>
<DELETED>    (c) Considerations.--In establishing criteria for 
determining whether an entity qualifies as Systemically Important 
Critical Infrastructure, the Secretary shall consider--</DELETED>
        <DELETED>    (1) the likelihood that disruption to or 
        compromise of such an entity could cause a debilitating effect 
        on national security, economic security, public health or 
        safety, or any combination thereof;</DELETED>
        <DELETED>    (2) the extent to which damage, disruption, or 
        unauthorized access to such an entity, either separately or 
        collectively, will disrupt the reliable operation of other 
        critical infrastructure assets, or impede provisioning of one 
        or more national critical functions;</DELETED>
        <DELETED>    (3) the extent to which national cybersecurity 
        resilience would be enhanced by deeper risk management 
        integration between Systemically Important Critical 
        Infrastructure entities and the Federal Government; 
        and</DELETED>
        <DELETED>    (4) the extent to which compromise or unauthorized 
        access of such an entity could separately or collectively 
        create widespread compromise of the cyber ecosystem, 
        significant portions of critical infrastructure, or multiple 
        critical infrastructure sectors.</DELETED>
<DELETED>    (d) List.--</DELETED>
        <DELETED>    (1) In general.--Not later than 1 year after the 
        date of enactment of this Act, the Secretary shall complete an 
        initial list of entities designated as Systemically Important 
        Critical Infrastructure.</DELETED>
        <DELETED>    (2) Maintenance of list.--The Secretary shall 
        maintain a comprehensive list of entities designated as 
        Systemically Important Critical Infrastructure, which shall be 
        updated within 7 days of a change in whether an entity 
        qualifies as Systemically Important Critical 
        Infrastructure.</DELETED>
<DELETED>    (e) Entity Notifications.--Not later than 90 days after 
designating an entity as Systemically Important Critical Infrastructure 
or removing the designation of an entity as Systemically Important 
Critical Infrastructure, the Secretary shall notify the 
entity.</DELETED>
<DELETED>    (f) Congressional Notifications.--The Secretary shall--</DELETED>
        <DELETED>    (1) not later than 30 days after the date of any 
        addition, modification, or removal of an entity from the list 
        of Systemically Important Critical Infrastructure maintained 
        under subsection (d), notify the appropriate Congressional 
        committees; and</DELETED>
        <DELETED>    (2) at least every 2 years, submit to the 
        appropriate Congressional committees an updated comprehensive 
        list of entities designated as Systemically Important Critical 
        Infrastructure, in conjunction with each plan required pursuant 
        to section 403.</DELETED>

<DELETED>SEC. 403. PLAN FOR ENHANCEMENT OF SYSTEMICALLY IMPORTANT 
              CRITICAL INFRASTRUCTURE METHODOLOGY AND 
              CAPABILITY.</DELETED>

<DELETED>    (a) In General.--Not later than 180 days after the date of 
enactment of this Act, and every 2 years thereafter for 10 years, the 
Secretary, in consultation with Sector Risk Management Agencies and 
appropriate stakeholders, shall develop and submit to the appropriate 
congressional committees a plan for enhancing the methodology of the 
Department for identifying Systemically Important Critical 
Infrastructure, including a discussion of the progress of the 
Department as of the date of submission of the plan in implementing the 
plan.</DELETED>
<DELETED>    (b) Contents of Plan.--</DELETED>
        <DELETED>    (1) In general.--The plan required under 
        subsection (a) shall include--</DELETED>
                <DELETED>    (A) the methodology and criteria used for 
                identifying and determining entities that qualify as 
                Systemically Important Critical Infrastructure as 
                described in section 402(b) and the analysis used to 
                establish such methodology and criteria;</DELETED>
                <DELETED>    (B) a proposed timeline for enhancing the 
                capabilities of the Department to expand the list 
                beyond the designated entities to also include 
                facilities, systems, assets, or other relevant units of 
                critical infrastructure that may further enhance the 
                ability to manage risk of Systemically Important 
                Critical Infrastructure;</DELETED>
                <DELETED>    (C) information regarding the outreach by 
                the Department to stakeholders and other Sector Risk 
                Management Agencies on such efforts, including 
                mechanisms for incorporation of industry 
                feedback;</DELETED>
                <DELETED>    (D) information regarding the efforts of 
                the Department, and the associated challenges with such 
                efforts, to access information from stakeholders and 
                other Sector Risk Management Agencies to identify 
                Systemically Important Critical 
                Infrastructure;</DELETED>
                <DELETED>    (E) information regarding other critical 
                infrastructure entity identification programs within 
                the Department and how they are being incorporated into 
                the overarching process to identify Systemically 
                Important Critical Infrastructure, which shall include 
                the efforts of the Department under section 9 of 
                Executive Order 13636 (78 Fed. Reg. 11739), the 
                National Infrastructure Prioritization Program, and 
                section 4 of Executive Order 14028 (86 Fed. Reg. 
                26633);</DELETED>
                <DELETED>    (F) any identified gaps in authorities or 
                resources required to successfully carry out the 
                process of identifying Systemically Important Critical 
                Infrastructure, including facilities, systems, assets, 
                or other relevant units of critical infrastructure, as 
                well as legislative proposals to address such 
                gaps;</DELETED>
                <DELETED>    (G) an assessment of potential benefits 
                for entities designated as Systemically Important 
                Critical Infrastructure, which shall include an 
                assessment of--</DELETED>
                        <DELETED>    (i) enhanced intelligence support 
                        and information sharing;</DELETED>
                        <DELETED>    (ii) prioritized Federal technical 
                        assistance;</DELETED>
                        <DELETED>    (iii) liability protection for 
                        entities designated as Systemically Important 
                        Critical Infrastructure that conform to 
                        identified security standards for damages or 
                        harm directly or indirectly caused by a cyber 
                        incident;</DELETED>
                        <DELETED>    (iv) prioritized emergency 
                        planning;</DELETED>
                        <DELETED>    (v) benefits described in the 
                        final report of the U.S. Cyberspace Solarium 
                        Commission, dated March 2020; and</DELETED>
                        <DELETED>    (vi) additional authorizations or 
                        resources necessary to implement the benefits 
                        assessed under this subparagraph; and</DELETED>
                <DELETED>    (H) an assessment of potential mechanisms 
                to improve the security of entities designated as 
                Systemically Important Critical Infrastructure, which 
                shall include an assessment of--</DELETED>
                        <DELETED>    (i) risk-based cybersecurity 
                        performance standards for all Systemically 
                        Important Critical Infrastructure entities, 
                        incorporating, to the greatest extent possible, 
                        existing industry best practices, standards, 
                        and guidelines;</DELETED>
                        <DELETED>    (ii) sector-specific performance 
                        standards;</DELETED>
                        <DELETED>    (iii) additional regulations to 
                        enhance the security of Systemically Important 
                        Critical Infrastructure against cyber risks, 
                        including how to prevent duplicative 
                        requirements for already regulated 
                        sectors;</DELETED>
                        <DELETED>    (iv) cyber incident reporting 
                        requirements for entities designated as 
                        Systemically Important Critical Infrastructure; 
                        and</DELETED>
                        <DELETED>    (v) additional authorizations or 
                        resources necessary to implement the mechanisms 
                        to improve the security of Systemically 
                        Important Critical Infrastructure assessed 
                        under this subparagraph.</DELETED>
        <DELETED>    (2) Initial plan.--The initial plan submitted 
        under this section shall include a detailed description of the 
        capabilities of the Department with respect to identifying 
        Systemically Important Critical Infrastructure as they were on 
        the date of enactment of this Act.</DELETED>
<DELETED>    (c) Classified Annex.--The plan shall be in unclassified 
form, but may include a classified annex, as the Secretary determines 
necessary.</DELETED>
<DELETED>    (d) Publication.--Not later than 30 days after the date on 
which the Secretary submits a plan to Congress, the Secretary shall 
make the plan available to relevant stakeholders.</DELETED>
<DELETED>    (e) Restriction.--Subchapter I of chapter 35 of title 44, 
United States Code, shall not apply to any action to implement this 
section or to any exercise of the authority of the Secretary pursuant 
to this section.</DELETED>

    <DELETED>TITLE V--ENABLING THE NATIONAL CYBER DIRECTOR</DELETED>

<DELETED>SEC. 501. ESTABLISHMENT OF HIRING AUTHORITIES FOR THE OFFICE 
              OF THE NATIONAL CYBER DIRECTOR.</DELETED>

<DELETED>    Section 1752 of the William M. (Mac) Thornberry National 
Defense Authorization Act for Fiscal Year 2021 (Public Law 116-283) is 
amended--</DELETED>
        <DELETED>    (1) in subsection (e)--</DELETED>
                <DELETED>    (A) in paragraph (1), by inserting ``and 
                in accordance with paragraphs (3) through (7) of this 
                subsection,'' after ``and classification 
                laws,'';</DELETED>
                <DELETED>    (B) in paragraph (2), by inserting 
                ``notwithstanding paragraphs (3) through (7) of this 
                subsection,'' before ``employ experts'';</DELETED>
                <DELETED>    (C) by redesignating paragraphs (3) 
                through (8) as paragraphs (8) through (13), 
                respectively; and</DELETED>
                <DELETED>    (D) by inserting after paragraph (2) the 
                following:</DELETED>
        <DELETED>    ``(3) establish, as positions in the excepted 
        service, such qualified positions in the Office as the Director 
        determines necessary to carry out the responsibilities of the 
        Office, appoint an individual to a qualified position (after 
        taking into consideration the availability of preference 
        eligibles for appointment to the position), and, subject to the 
        requirements of paragraphs (4) and (5), fix the compensation of 
        an individual for service in a qualified position;</DELETED>
        <DELETED>    ``(4) fix the rates of basic pay for any qualified 
        position established under paragraph (3) in relation to the 
        rates of pay provided for employees in comparable positions in 
        the Office, in which the employee occupying the comparable 
        position performs, manages, or supervises functions that 
        execute the mission of the Office, and, subject to the same 
        limitations on maximum rates of pay and consistent with section 
        5341 of title 5, United States Code, adopt such provisions of 
        that title to provide for prevailing rate systems of basic pay 
        and apply those provisions to qualified positions for employees 
        in or under which the Office may employ individuals described 
        by section 5342(a)(2)(A) of such title;</DELETED>
        <DELETED>    ``(5) employ an officer or employee of the United 
        States or member of the Armed Forces detailed to the staff of 
        the Office on a non-reimbursable basis--</DELETED>
                <DELETED>    ``(A) as jointly agreed to by the heads of 
                the receiving and detailing elements, for a period not 
                to exceed 3 years;</DELETED>
                <DELETED>    ``(B) which shall not be construed to 
                limit any other source of authority for reimbursable or 
                non-reimbursable details; and</DELETED>
                <DELETED>    ``(C) which shall not be considered an 
                augmentation of the appropriations of the receiving 
                element of the Office;</DELETED>
        <DELETED>    ``(6) provide--</DELETED>
                <DELETED>    ``(A) employees in qualified positions 
                compensation (in addition to basic pay), including 
                benefits, incentives, and allowances, consistent with, 
                and not in excess of the level authorized for, 
                comparable positions authorized by title 5, United 
                States Code; and</DELETED>
                <DELETED>    ``(B) employees in a qualified position 
                whose rate of basic pay is fixed under paragraph (4) an 
                allowance under section 5941 of title 5, United States 
                Code, on the same basis and to the same extent as if 
                the employee was an employee covered by such section, 
                including eligibility conditions, allowance rates, and 
                all other terms and conditions in law or 
                regulation;</DELETED>
        <DELETED>    ``(7) establish a fellowship program to facilitate 
        a talent exchange program between the private sector and the 
        Office to arrange, with the agreement of a private sector 
        organization and the consent of the employee, for the temporary 
        assignment of an employee to the private sector organization, 
        or from the private sector organization to the Office;''; 
        and</DELETED>
        <DELETED>    (2) in subsection (g)--</DELETED>
                <DELETED>    (A) by redesignating paragraphs (3) 
                through (6) as paragraphs (4) through (7), 
                respectively;</DELETED>
                <DELETED>    (B) by inserting after paragraph (2) the 
                following:</DELETED>
        <DELETED>    ``(3) The term `excepted service' has the meaning 
        given that term in section 2103 of title 5, United States 
        Code.''; and</DELETED>
        <DELETED>    (3) by adding at the end the following:</DELETED>
        <DELETED>    ``(8) The term `preference eligible' has the 
        meaning given that term in section 2108(3) of title 5, United 
        States Code.</DELETED>
        <DELETED>    ``(9) The term `qualified position' means a 
        position, designated by the Director for the purpose of this 
        section, in which the individual occupying such position 
        performs, manages, or supervises functions that execute the 
        responsibilities of the Office.''.</DELETED>

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Defense of United 
States Infrastructure Act of 2021''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.

 TITLE I--IMPROVING THE ABILITY OF THE FEDERAL GOVERNMENT TO ASSIST IN 
           ENHANCING CRITICAL INFRASTRUCTURE CYBER RESILIENCE

Sec. 101. Institute a 5-year term for the Director of the Cybersecurity 
                            and Infrastructure Security Agency.
Sec. 102. Pilot program on cyber threat information collaboration 
                            environment.

      TITLE II--IMPROVING SECURITY IN THE NATIONAL CYBER ECOSYSTEM

Sec. 201. Report on cybersecurity certifications and labeling.
Sec. 202. Secure foundational internet protocols.

            TITLE III--ENABLING THE NATIONAL CYBER DIRECTOR

Sec. 301. Establishment of hiring authorities for the Office of the 
                            National Cyber Director.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Critical infrastructure.--The term ``critical 
        infrastructure'' has the meaning given such term in section 
        1016(e) of the Critical Infrastructure Protection Act of 2001 
        (42 U.S.C. 5195c(e)).
            (2) Cybersecurity risk.--The term ``cybersecurity risk'' 
        has the meaning given such term in section 2209 of the Homeland 
        Security Act of 2002 (6 U.S.C. 659).
            (3) Department.--The term ``Department'' means the 
        Department of Homeland Security.
            (4) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security.

 TITLE I--IMPROVING THE ABILITY OF THE FEDERAL GOVERNMENT TO ASSIST IN 
           ENHANCING CRITICAL INFRASTRUCTURE CYBER RESILIENCE

SEC. 101. INSTITUTE A 5-YEAR TERM FOR THE DIRECTOR OF THE CYBERSECURITY 
              AND INFRASTRUCTURE SECURITY AGENCY.

    (a) In General.--Subsection (b)(1) of section 2202 of the Homeland 
Security Act of 2002 (6 U.S.C. 652), is amended by inserting ``The term 
of office of an individual serving as Director shall be 5 years.'' 
after ``who shall report to the Secretary.''.
    (b) Transition Rules.--The amendment made by subsection (a) shall 
take effect on the first appointment of an individual to the position 
of Director of the Cybersecurity and Infrastructure Security Agency, by 
and with the advice and consent of the Senate, that is made on or after 
the date of enactment of this Act.

SEC. 102. PILOT PROGRAM ON CYBER THREAT INFORMATION COLLABORATION 
              ENVIRONMENT.

    (a) Definitions.--In this section:
            (1) Critical infrastructure information.--The term 
        ``critical infrastructure information'' has the meaning given 
        such term in section 2222 of the Homeland Security Act of 2002 
        (6 U.S.C. 671).
            (2) Cyber threat indicator.--The term ``cyber threat 
        indicator'' has the meaning given such term in section 102 of 
        the Cybersecurity Act of 2015 (6 U.S.C. 1501).
            (3) Cybersecurity threat.--The term ``cybersecurity 
        threat'' has the meaning given such term in section 102 of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1501).
            (4) Environment.--The term ``environment'' means the 
        information collaboration environment established under 
        subsection (b).
            (5) Information sharing and analysis organization.--The 
        term ``information sharing and analysis organization'' has the 
        meaning given such term in section 2222 of the Homeland 
        Security Act of 2002 (6 U.S.C. 671).
            (6) Non-federal entity.--The term ``non-Federal entity'' 
        has the meaning given such term in section 102 of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1501).
    (b) Pilot Program.--The Secretary, in consultation with the 
Secretary of Defense, the Director of National Intelligence, the 
Director of the National Security Agency, and the Attorney General, 
shall carry out a pilot program under which the Secretary shall develop 
an information collaboration environment and associated analytic tools 
that enable Federal and non-Federal entities to identify, mitigate, and 
prevent malicious cyber activity to--
            (1) provide limited access to appropriate and operationally 
        relevant data from unclassified and classified intelligence 
        about cybersecurity risks and cybersecurity threats, as well as 
        malware forensics and data from network sensor programs, on a 
        platform that enables query and analysis;
            (2) enable cross-correlation of data on cybersecurity risks 
        and cybersecurity threats at the speed and scale necessary for 
        rapid detection and identification;
            (3) facilitate a comprehensive understanding of 
        cybersecurity risks and cybersecurity threats; and
            (4) facilitate collaborative analysis between the Federal 
        Government and public and private sector critical 
        infrastructure entities and information and analysis 
        organizations.
    (c) Implementation of Information Collaboration Environment.--
            (1) Evaluation.--Not later than 180 days after the date of 
        enactment of this Act, the Secretary, acting through the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, and in coordination with the Secretary of Defense, the 
        Director of National Intelligence, the Director of the National 
        Security Agency, and the Attorney General, shall--
                    (A) identify, inventory, and evaluate existing 
                Federal sources of classified and unclassified 
                information on cybersecurity threats;
                    (B) evaluate current programs, applications, or 
                platforms intended to detect, identify, analyze, and 
                monitor cybersecurity risks and cybersecurity threats;
                    (C) consult with public and private sector critical 
                infrastructure entities to identify public and private 
                critical infrastructure cyber threat capabilities, 
                needs, and gaps; and
                    (D) identify existing tools, capabilities, and 
                systems that may be adapted to achieve the purposes of 
                the environment in order to maximize return on 
                investment and minimize cost.
            (2) Implementation.--
                    (A) In general.--Not later than 1 year after 
                completing the evaluation required under paragraph 
                (1)(B), the Secretary, acting through the Director of 
                the Cybersecurity and Infrastructure Security Agency, 
                and in consultation with the Secretary of Defense, the 
                Director of National Intelligence, the Director of the 
                National Security Agency, and the Attorney General, 
                shall begin implementation of the environment to enable 
                participants in the environment to develop and run 
                analytic tools referred to in subsection (b) on 
                specified data sets for the purpose of identifying, 
                mitigating, and preventing malicious cyber activity 
                that is a threat to public and private critical 
                infrastructure.
                    (B) Requirements.--The environment and the use of 
                analytic tools referred to in subsection (b) shall--
                            (i) operate in a manner consistent with 
                        relevant privacy, civil rights, and civil 
                        liberties policies and protections, including 
                        such policies and protections established 
                        pursuant to section 1016 of the Intelligence 
                        Reform and Terrorism Prevention Act of 2004 (6 
                        U.S.C. 485);
                            (ii) account for appropriate data standards 
                        and interoperability requirements, consistent 
                        with the standards set forth in subsection (d);
                            (iii) enable integration of current 
                        applications, platforms, data, and information, 
                        including classified information, in a manner 
                        that supports integration of unclassified and 
                        classified information on cybersecurity risks 
                        and cybersecurity threats;
                            (iv) incorporate tools to manage access to 
                        classified and unclassified data, as 
                        appropriate;
                            (v) ensure accessibility by entities the 
                        Secretary, in consultation with the Secretary 
                        of Defense, the Director of National 
                        Intelligence, the Director of the National 
                        Security Agency, and the Attorney General, 
                        determines appropriate;
                            (vi) allow for access by critical 
                        infrastructure stakeholders and other private 
                        sector partners, at the discretion of the 
                        Secretary, in consultation with the Secretary 
                        of Defense;
                            (vii) deploy analytic tools across 
                        classification levels to leverage all relevant 
                        data sets, as appropriate;
                            (viii) identify tools and analytical 
                        software that can be applied and shared to 
                        manipulate, transform, and display data and 
                        other identified needs; and
                            (ix) anticipate the integration of new 
                        technologies and data streams, including data 
                        from government-sponsored network sensors or 
                        network-monitoring programs deployed in support 
                        of non-Federal entities.
            (3) Annual report requirement on the implementation, 
        execution, and effectiveness of the pilot program.--Not later 
        than 1 year after the date of enactment of this Act, and every 
        year thereafter until the date that is 1 year after the pilot 
        program under this section terminates under subsection (e), the 
        Secretary shall submit to the Committee on Homeland Security 
        and Governmental Affairs, the Committee on the Judiciary, and 
        the Select Committee on Intelligence of the Senate and the 
        Committee on Homeland Security, the Committee on the Judiciary, 
        and the Permanent Select Committee on Intelligence of the House 
        of Representatives a report that details--
                    (A) Federal Government participation in the 
                environment, including the Federal entities 
                participating in the environment and the volume of 
                information shared by Federal entities into the 
                environment;
                    (B) non-Federal entities' participation in the 
                environment, including the non-Federal entities 
                participating in the environment and the volume of 
                information shared by non-Federal entities into the 
                environment;
                    (C) the impact of the environment on positive 
                security outcomes in the Federal Government and non-
                Federal entities;
                    (D) barriers identified to fully realizing the 
                benefit of the environment both for the Federal 
                Government and non-Federal entities; and
                    (E) additional authorities or resources necessary 
                to successfully execute the environment.
    (d) Cyber Threat Data Standards and Interoperability.--
            (1) Establishment.--The Secretary, in coordination with the 
        Secretary of Defense, the Director of National Intelligence, 
        the Director of the National Security Agency, and the Attorney 
        General, shall establish data standards and requirements for 
        non-Federal entities to participate in the environment.
            (2) Data streams.--The Secretary shall identify, designate, 
        and periodically update programs that shall participate in or 
        be interoperable with the environment, which may include--
                    (A) network-monitoring and intrusion detection 
                programs;
                    (B) cyber threat indicator sharing programs;
                    (C) certain government-sponsored network sensors or 
                network-monitoring programs;
                    (D) incident response and cybersecurity technical 
                assistance programs; or
                    (E) malware forensics and reverse-engineering 
                programs.
            (3) Data governance.--The Secretary, in consultation with 
        the Secretary of Defense, the Director of National 
        Intelligence, the Director of the National Security Agency, and 
        the Attorney General shall establish procedures and data 
        governance structures, as necessary, to protect sensitive data, 
        comply with Federal regulations and statutes, and respect 
        existing consent agreements with public and private sector 
        critical infrastructure entities that apply to critical 
        infrastructure information.
            (4) Rule of construction.--Nothing in this subsection shall 
        change existing ownership or protection of, or policies and 
        processes for access to, agency data.
    (e) Duration.--The pilot program under this section shall terminate 
on the date that is 5 years after the date of enactment of this Act.

      TITLE II--IMPROVING SECURITY IN THE NATIONAL CYBER ECOSYSTEM

SEC. 201. REPORT ON CYBERSECURITY CERTIFICATIONS AND LABELING.

    Not later than October 1, 2022, the National Cyber Director, in 
consultation with the Director of the National Institute of Standards 
and Technology and the Director of the Cybersecurity and Infrastructure 
Security Agency, shall submit to the Committee on Homeland Security and 
Governmental Affairs of the Senate and the Committee on Homeland 
Security of the House of Representatives a report that--
            (1) identifies and assesses existing efforts by the Federal 
        Government to create, administer, or otherwise support the use 
        of certifications or labels to communicate the security or 
        security characteristics of information technology or 
        operational technology products and services; and
            (2) assesses the viability of and need for a new program at 
        the Department to harmonize information technology and 
        operational technology product and service security 
        certification and labeling efforts across the Federal 
        Government and between the Federal Government and the private 
        sector.

SEC. 202. SECURE FOUNDATIONAL INTERNET PROTOCOLS.

    (a) Definitions.--In this section:
            (1) Border gateway protocol.--The term ``border gateway 
        protocol'' means a protocol designed to optimize routing of 
        information exchanged through the internet.
            (2) Domain name system.--The term ``domain name system'' 
        means a system that stores information associated with domain 
        names in a distributed database on networks.
            (3) Information and communications technology 
        infrastructure providers.--The term ``information and 
        communications technology infrastructure providers'' means all 
        systems that enable connectivity and operability of internet 
        service, backbone, cloud, web hosting, content delivery, domain 
        name system, and software-defined networks and other systems 
        and services.
    (b) Creation of a Strategy to Encourage Implementation of Measures 
to Secure Foundational Internet Protocols.--
            (1) Protocol security strategy.--In order to encourage 
        implementation of measures to secure foundational internet 
        protocols by information and communications technology 
        infrastructure providers, not later than 180 days after the 
        date of enactment of this Act, the Assistant Secretary for 
        Communications and Information of the Department of Commerce, 
        in coordination with the Director of the National Institute of 
        Standards and Technology and the Director of the Cybersecurity 
        and Infrastructure Security Agency, shall establish a working 
        group composed of appropriate stakeholders, including 
        representatives of the Internet Engineering Task Force and 
        information and communications technology infrastructure 
        providers, to prepare and submit to Congress a strategy to 
        encourage implementation of measures to secure the border 
        gateway protocol and the domain name system.
            (2) Strategy requirements.--The strategy required under 
        paragraph (1) shall--
                    (A) articulate the motivation and goal of the 
                strategy to reduce incidents of border gateway protocol 
                hijacking and domain name system hijacking;
                    (B) articulate the security and privacy benefits of 
                implementing the most up-to-date and secure instances 
                of the border gateway protocol and the domain name 
                system and the burdens of implementation and the 
                entities on whom those burdens will most likely fall;
                    (C) identify key United States and international 
                stakeholders;
                    (D) outline varying measures that could be used to 
                implement security or provide authentication for the 
                border gateway protocol and the domain name system;
                    (E) identify any barriers to implementing security 
                for the border gateway protocol and the domain name 
                system at scale;
                    (F) propose a strategy to implement identified 
                security measures at scale, accounting for barriers to 
                implementation and balancing benefits and burdens, 
                where feasible; and
                    (G) provide an initial estimate of the total cost 
                to the Government and implementing entities in the 
                private sector of implementing security for the border 
                gateway protocol and the domain name system and propose 
                recommendations for defraying these costs, if 
                applicable.

            TITLE III--ENABLING THE NATIONAL CYBER DIRECTOR

SEC. 301. ESTABLISHMENT OF HIRING AUTHORITIES FOR THE OFFICE OF THE 
              NATIONAL CYBER DIRECTOR.

    (a) Definitions.--In this section:
            (1) Director.--The term ``Director'' means the National 
        Cyber Director.
            (2) Excepted service.--The term ``excepted service'' has 
        the meaning given such term in section 2103 of title 5, United 
        States Code.
            (3) Office.--The term ``Office'' means the Office of the 
        National Cyber Director.
            (4) Qualified position.--The term ``qualified position'' 
        means a position identified by the Director under subsection 
        (b)(1)(A), in which the individual occupying such position 
        performs, manages, or supervises functions that execute the 
        responsibilities of the Office.
    (b) Hiring Plan.--The Director shall, for purposes of carrying out 
the functions of the Office--
            (1) craft an implementation plan for positions in the 
        excepted service in the Office, which shall propose--
                    (A) qualified positions in the Office, as the 
                Director determines necessary to carry out the 
                responsibilities of the Office; and
                    (B) subject to the requirements of paragraph (2), 
                rates of compensation for an individual serving in a 
                qualified position;
            (2) propose rates of basic pay for qualified positions, 
        which shall--
                    (A) be determined in relation to the rates of pay 
                provided for employees in comparable positions in the 
                Office, in which the employee occupying the comparable 
                position performs, manages, or supervises functions 
                that execute the mission of the Office; and
                    (B) subject to the same limitations on maximum 
                rates of pay and consistent with section 5341 of title 
                5, United States Code, adopt such provisions of that 
                title to provide for prevailing rate systems of basic 
                pay and apply those provisions to qualified positions 
                for employees in or under which the Office may employ 
                individuals described by section 5342(a)(2)(A) of such 
                title; and
            (3) craft proposals to provide--
                    (A) employees in qualified positions compensation 
                (in addition to basic pay), including benefits, 
                incentives, and allowances, consistent with, and not in 
                excess of the level authorized for, comparable 
                positions authorized by title 5, United States Code; 
                and
                    (B) employees in a qualified position for which the 
                Director proposes a rate of basic pay under paragraph 
                (2) an allowance under section 5941 of title 5, United 
                States Code, on the same basis and to the same extent 
                as if the employee was an employee covered by such 
                section, including eligibility conditions, allowance 
                rates, and all other terms and conditions in law or 
                regulation.