[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2540 Introduced in Senate (IS)]

<DOC>






117th CONGRESS
  1st Session
                                S. 2540

 To make technical corrections to title XXII of the Homeland Security 
                  Act of 2002, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 29, 2021

Mr. Portman (for himself and Mr. Peters) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
 To make technical corrections to title XXII of the Homeland Security 
                  Act of 2002, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``CISA Technical Corrections and 
Improvements Act of 2021''.

SEC. 2. REDESIGNATIONS.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended--
            (1) by striking section 2201 (6 U.S.C. 651);
            (2) by redesignating sections 2202 through 2214 as sections 
        2201 through 2213, respectively;
            (3) by redesignating section 2217 (6 U.S.C. 665f) as 
        section 2219;
            (4) by redesignating section 2216 (6 U.S.C. 665e) as 
        section 2218;
            (5) by redesignating the fourth section 2215 (relating to 
        Sector Risk Management Agencies) (6 U.S.C. 665d) as section 
        2217;
            (6) by redesignating the third section 2215 (relating to 
        the Cybersecurity State Coordinator) (6 U.S.C. 665c) as section 
        2216; and
            (7) by redesignating the first section 2215 (relating to 
        Duties and Authorities Relating to .GOV Internet Domain) (6 
        U.S.C. 665) as section 2214.
    (b) Technical and Conforming Amendments.--The Homeland Security Act 
of 2002 (6 U.S.C. 101 et seq.) is amended--
            (1) in section 320(d)(3)(C) (6 U.S.C. 195f(d)(3)(C)) by 
        striking ``section 2201'' and inserting ``section 2200'';
            (2) in section 846(1) (6 U.S.C. 417(1)), by striking 
        ``section 2209'' and inserting ``section 2208'';
            (3) in section 1801(c)(16) (6 U.S.C. 571(c)(16)) by 
        striking ``section 2202(c)(7)'' and inserting ``section 
        2201(c)(7)'';
            (4) in section 2001(4)(A)(iii)(II) (6 U.S.C. 
        601(4)(A)(iii)(II)), by striking ``section 2214(a)(2)'' and 
        inserting ``section 2213(a)(2)'';
            (5) in section 2008(a)(3) (6 U.S.C. 609(a)(3)), by striking 
        ``section 2214(a)(2)'' and inserting ``section 2213(a)(2);''
            (6) in section 2201, as so redesignated--
                    (A) in subsection (c)--
                            (i) in the first paragraph (12), by 
                        striking ``section 2215'' and inserting 
                        ``section 2216'';
                            (ii) by redesignating the second and third 
                        paragraphs (12) as paragraphs (13) and (14), 
                        respectively; and
                            (iii) in paragraph (13), as so 
                        redesignated, by striking ``section 2215'' and 
                        inserting ``section 2214''; and
                    (B) in subsection (e)(2), by striking ``sections 
                2203(b) and 2204(b)'' and inserting ``sections 2202(b) 
                and 2203(b)'';
            (7) in section 2202(b)(3), as so redesignated, by striking 
        ``section 2202(c)(7)'' and inserting ``section 2201(c)(7)'';
            (8) in section 2203(b)(3), as so redesignated, by striking 
        ``section 2202(c)(7)'' and inserting ``section 2201(c)(7)'';
            (9) in section 2204, as so redesignated, in the matter 
        preceding paragraph (1), by striking ``section 2202'' and 
        inserting ``section 2201'';
            (10) in section 2210(b)(2)(A), as so redesignated, by 
        striking ``section 2209'' and inserting ``section 2208''; and
            (11) in section 2217(c)(4)(A), by striking ``section 2209'' 
        and inserting ``section 2208''.
    (c) Table of Contents.--The table of contents in section 1(b) of 
the Homeland Security Act of 2002 (Public Law 107-296; 116 Stat. 2135) 
is amended--
            (1) by striking inserting before the item relating to 
        subtitle A of title XXII the following:

``Sec. 2200. Definitions.'';
        and
            (2) by striking the items relating to sections 2201 through 
        2217 and inserting the following:

``Sec. 2201. Cybersecurity and Infrastructure Security Agency.
``Sec. 2202. Cybersecurity Division.
``Sec. 2203. Infrastructure Security Division.
``Sec. 2204. Enhancement of Federal and non-Federal cybersecurity.
``Sec. 2205. Net guard.
``Sec. 2206. Cyber Security Enhancement Act of 2002.
``Sec. 2207. Cybersecurity recruitment and retention.
``Sec. 2208. National cybersecurity and communications integration 
                            center.
``Sec. 2209. Cybersecurity plans.
``Sec. 2210. Cybersecurity strategy.
``Sec. 2211. Clearances.
``Sec. 2212. Federal intrusion detection and prevention system.
``Sec. 2213. National Asset Database.
``Sec. 2214. Duties and authorities relating to .gov internet domain.
``Sec. 2215. Joint Cyber Planning Office.
``Sec. 2216. Cybersecurity State Coordinator.
``Sec. 2217. Sector Risk Management Agencies.
``Sec. 2218. Cybersecurity Advisory Committee.
``Sec. 2219. Cybersecurity education and training programs.''.
    (d) Additional Technical Amendment.--
            (1) Amendment.--Section 904(b)(1) of the DOTGOV Act of 2020 
        (title IX of division U of Public Law 116-260) is amended, in 
        the matter preceding subparagraph (A), by striking ``Homeland 
        Security Act'' and inserting ``Homeland Security Act of 2002''.
            (2) Effective date.--The amendment made by paragraph (1) 
        shall take effect as if enacted as part of the DOTGOV Act of 
        2020 (title IX of division U of Public Law 116-260).

SEC. 3. CONSOLIDATION OF DEFINITIONS.

    (a) In General.--Title XXII of the Homeland Security Act of 2002 (6 
U.S.C. 651) is amended--
            (1) by striking section 2201; and
            (2) by inserting before the subtitle A heading the 
        following:

``SEC. 2200. DEFINITIONS.

    ``Except as otherwise specifically provided, in this title:
            ``(1) Agency.--The term `Agency' means the Cybersecurity 
        and Infrastructure Security Agency.
            ``(2) Agency information.--The term `agency information' 
        means information collected or maintained by or on behalf of an 
        agency.
            ``(3) Agency information system.--The term `agency 
        information system' means an information system used or 
        operated by an agency or by another entity on behalf of an 
        agency.
            ``(4) Appropriate congressional committees.--The term 
        `appropriate congressional committees' means--
                    ``(A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate; and
                    ``(B) the Committee on Homeland Security of the 
                House of Representatives.
            ``(5) Critical infrastructure information.--The term 
        `critical infrastructure information' means information not 
        customarily in the public domain and related to the security of 
        critical infrastructure or protected systems--
                    ``(A) actual, potential, or threatened interference 
                with, attack on, compromise of, or incapacitation of 
                critical infrastructure or protected systems by either 
                physical or computer-based attack or other similar 
                conduct (including the misuse of or unauthorized access 
                to all types of communications and data transmission 
                systems) that violates Federal, State, or local law, 
                harms interstate commerce of the United States, or 
                threatens public health or safety;
                    ``(B) the ability of any critical infrastructure or 
                protected system to resist such interference, 
                compromise, or incapacitation, including any planned or 
                past assessment, projection, or estimate of the 
                vulnerability of critical infrastructure or a protected 
                system, including security testing, risk evaluation 
                thereto, risk management planning, or risk audit; or
                    ``(C) any planned or past operational problem or 
                solution regarding critical infrastructure or protected 
                systems, including repair, recovery, reconstruction, 
                insurance, or continuity, to the extent it is related 
                to such interference, compromise, or incapacitation.
            ``(6) Cyber threat indicator.--The term `cyber threat 
        indicator' means information that is necessary to describe or 
        identify--
                    ``(A) malicious reconnaissance, including anomalous 
                patterns of communications that appear to be 
                transmitted for the purpose of gathering technical 
                information related to a cybersecurity threat or 
                security vulnerability;
                    ``(B) a method of defeating a security control or 
                exploitation of a security vulnerability;
                    ``(C) a security vulnerability, including anomalous 
                activity that appears to indicate the existence of a 
                security vulnerability;
                    ``(D) a method of causing a user with legitimate 
                access to an information system or information that is 
                stored on, processed by, or transiting an information 
                system to unwittingly enable the defeat of a security 
                control or exploitation of a security vulnerability;
                    ``(E) malicious cyber command and control;
                    ``(F) the actual or potential harm caused by an 
                incident, including a description of the information 
                exfiltrated as a result of a particular cybersecurity 
                threat;
                    ``(G) any other attribute of a cybersecurity 
                threat, if disclosure of such attribute is not 
                otherwise prohibited by law; or
                    ``(H) any combination thereof.
            ``(7) Cybersecurity purpose.--The term `cybersecurity 
        purpose' means the purpose of protecting an information system 
        or information that is stored on, processed by, or transiting 
        an information system from a cybersecurity threat or security 
        vulnerability.
            ``(8) Cybersecurity risk.--The term `cybersecurity risk'--
                    ``(A) means threats to and vulnerabilities of 
                information or information systems and any related 
                consequences caused by or resulting from unauthorized 
                access, use, disclosure, degradation, disruption, 
                modification, or destruction of such information or 
                information systems, including such related 
                consequences caused by an act of terrorism; and
                    ``(B) does not include any action that solely 
                involves a violation of a consumer term of service or a 
                consumer licensing agreement.
            ``(9) Cybersecurity threat.--
                    ``(A) In general.--Except as provided in 
                subparagraph (B), the term `cybersecurity threat' means 
                an action, not protected by the First Amendment to the 
                Constitution of the United States, on or through an 
                information system that may result in an unauthorized 
                effort to adversely impact the security, availability, 
                confidentiality, or integrity of an information system 
                or information that is stored on, processed by, or 
                transiting an information system.
                    ``(B) Exclusion.--The term `cybersecurity threat' 
                does not include any action that solely involves a 
                violation of a consumer term of service or a consumer 
                licensing agreement.
            ``(10) Defensive measure.--
                    ``(A) In general.--Except as provided in 
                subparagraph (B), the term `defensive measure' means an 
                action, device, procedure, signature, technique, or 
                other measure applied to an information system or 
                information that is stored on, processed by, or 
                transiting an information system that detects, 
                prevents, or mitigates a known or suspected 
                cybersecurity threat or security vulnerability.
                    ``(B) Exclusion.--The term `defensive measure' does 
                not include a measure that destroys, renders unusable, 
                provides unauthorized access to, or substantially harms 
                an information system or information stored on, 
                processed by, or transiting such information system not 
                owned by--
                            ``(i) the entity operating the measure; or
                            ``(ii) another entity or Federal entity 
                        that is authorized to provide consent and has 
                        provided consent to that private entity for 
                        operation of such measure.
            ``(11) Homeland security enterprise.--The term `Homeland 
        Security Enterprise' means relevant governmental and 
        nongovernmental entities involved in homeland security, 
        including Federal, State, local, and tribal government 
        officials, private sector representatives, academics, and other 
        policy experts.
            ``(12) Incident.--The term `incident' means an occurrence 
        that actually or imminently jeopardizes, without lawful 
        authority, the integrity, confidentiality, or availability of 
        information on an information system, or actually or imminently 
        jeopardizes, without lawful authority, an information system.
            ``(13) Information sharing and analysis organization.--The 
        term `Information Sharing and Analysis Organization' means any 
        formal or informal entity or collaboration created or employed 
        by public or private sector organizations, for purposes of--
                    ``(A) gathering and analyzing critical 
                infrastructure information, including information 
                related to cybersecurity risks and incidents, in order 
                to better understand security problems and 
                interdependencies related to critical infrastructure, 
                including cybersecurity risks and incidents, and 
                protected systems, so as to ensure the availability, 
                integrity, and reliability thereof;
                    ``(B) communicating or disclosing critical 
                infrastructure information, including cybersecurity 
                risks and incidents, to help prevent, detect, mitigate, 
                or recover from the effects of a interference, 
                compromise, or a incapacitation problem related to 
                critical infrastructure, including cybersecurity risks 
                and incidents, or protected systems; and
                    ``(C) voluntarily disseminating critical 
                infrastructure information, including cybersecurity 
                risks and incidents, to its members, State, local, and 
                Federal Governments, or any other entities that may be 
                of assistance in carrying out the purposes specified in 
                subparagraphs (A) and (B).
            ``(14) Information system.--The term `information system' 
        has the meaning given the term in section 3502 of title 44, 
        United States Code.
            ``(15) Intelligence community.--The term `intelligence 
        community' has the meaning given the term in section 3(4) of 
        the National Security Act of 1947 (50 U.S.C. 3003(4)).
            ``(16) Monitor.--The term `monitor' means to acquire, 
        identify, or scan, or to possess, information that is stored 
        on, processed by, or transiting an information system.
            ``(17) National cybersecurity asset response activities.--
        The term `national cybersecurity asset response activities' 
        means--
                    ``(A) furnishing cybersecurity technical assistance 
                to entities affected by cybersecurity risks to protect 
                assets, mitigate vulnerabilities, and reduce impacts of 
                cyber incidents;
                    ``(B) identifying other entities that may be at 
                risk of an incident and assessing risk to the same or 
                similar vulnerabilities;
                    ``(C) assessing potential cybersecurity risks to a 
                sector or region, including potential cascading 
                effects, and developing courses of action to mitigate 
                such risks;
                    ``(D) facilitating information sharing and 
                operational coordination with threat response; and
                    ``(E) providing guidance on how best to utilize 
                Federal resources and capabilities in a timely, 
                effective manner to speed recovery from cybersecurity 
                risks.
            ``(18) National security system.--The term `national 
        security system' has the meaning given the term in section 
        11103 of title 40, United States Code.
            ``(19) Sector risk management agency.--The term `Sector 
        Risk Management Agency' means a Federal department or agency, 
        designated by law or Presidential directive, with 
        responsibility for providing institutional knowledge and 
        specialized expertise of a sector, as well as leading, 
        facilitating, or supporting programs and associated activities 
        of its designated critical infrastructure sector in the all 
        hazards environment in coordination with the Department.
            ``(20) Security vulnerability.--The term `security 
        vulnerability' means any attribute of hardware, software, 
        process, or procedure that could enable or facilitate the 
        defeat of a security control.
            ``(21) Sharing.--The term `sharing' (including all 
        conjugations thereof) means providing, recieving, and 
        disseminating (including all conjugations of each such 
        terms).''.
    (b) Technical and Conforming Amendments.--The Homeland Security Act 
of 2002 (6 U.S.C. 101 et seq.) is amended--
            (1) in section 2201, as so redesignated--
                    (A) in subsection (a)(1), by striking ``(in this 
                subtitle referred to as the Agency)'';
                    (B) in subsection (f)--
                            (i) in paragraph (1), by inserting 
                        ``Executive'' before ``Assistant Director''; 
                        and
                            (ii) in paragraph (2), by inserting 
                        ``Executive'' before ``Assistant Director'';
            (2) in section 2202(a)(2), as so redesignated, by striking 
        ``as the `Assistant Director''' and inserting ``as the 
        `Executive Assistant Director''';
            (3) in section 2203(a)(2), as so redesignated, by striking 
        ``as the `Assistant Director''' and inserting ``as the 
        `Executive Assistant Director''';
            (4) in section 2208, as so redesignated--
                    (A) by striking subsection (a);
                    (B) by redesignating subsections (b) through 
                subsection (o) as subsections (a) through (n), 
                respectively;
                    (C) in subsection (c)(1)(A)(iii), as so 
                redesignated, by striking ``, as that term is defined 
                under section 3(4) of the National Security Act of 1947 
                (50 U.S.C. 3003(4))'';
                    (D) in subsection (d), as so redesignated, in the 
                matter preceding paragraph (1), by striking 
                ``subsection (c)'' and inserting ``subsection (b)'';
                    (E) in subsection (j), as so redesignated, by 
                striking ``subsection (c)(8)'' and inserting 
                ``subsection (b)(8)''; and
                    (F) in subsection (n), as so redesignated--
                            (i) in paragraph (2)(A), by striking 
                        ``subsection (c)(12)'' and inserting 
                        ``subsection (b)(12)''; and
                            (ii) in paragraph (3)(B)(i), by striking 
                        ``subsection (c)(12)'' and inserting 
                        ``subsection (b)(12)'';
            (5) in section 2209, as so redesignated--
                    (A) by striking subsection (a);
                    (B) by redesignating subsections (b) through (d) as 
                subsections (a) through (c), respectively;
                    (C) in subsection (b), as so redesignated--
                            (i) by striking ``information sharing and 
                        analysis organizations (as defined in section 
                        2222(5))'' and inserting ``Information Sharing 
                        and Analysis Organizations''; and
                            (ii) by striking ``(as defined in section 
                        2209)''; and
                    (D) in subsection (c), as so redesignated, by 
                striking ``subsection (c)'' and inserting ``subsection 
                (b)'';
            (6) in section 2210, as so redesignated, by striking 
        subsection (h);
            (7) in section 2211, as so redesignated, by striking 
        ``information sharing and analysis organizations (as defined in 
        section 2222(5))'' and inserting ``Information Sharing and 
        Analysis Organizations'';
            (8) in section 2212, as so redesignated--
                    (A) by striking subsection (a);
                    (B) by redesignating subsections (b) through (f) as 
                subsections (a) through (e); respectively;
                    (C) in subsection (b), as so redesignated, by 
                striking ``subsection (b)'' each place it appears and 
                inserting ``subsection (a)'';
                    (D) in subsection (c), as so redesignated, in the 
                matter preceding paragraph (1), by striking 
                ``subsection (b)'' and inserting ``subsection (a)''; 
                and
                    (E) in subsection (d), as so redesignated--
                            (i) in paragraph (1)--
                                    (I) in the matter preceding 
                                subparagraph (A), by striking 
                                ``subsection (c)(2)'' and inserting 
                                ``subsection (b)(2)'';
                                    (II) in subparagraph (A), by 
                                striking ``subsection (c)(1)'' and 
                                inserting ``subsection (b)(1)''; and
                                    (III) in subparagraph (B), by 
                                striking ``subsection (c)(2)'' and 
                                inserting ``subsection (b)(2)''; and
                            (ii) in paragraph (2), by striking 
                        ``subsection (c)(2)'' and inserting 
                        ``subsection (b)(2)'';
            (9) in section 2215 (6 U.S.C. 665b)--
                    (A) by striking subsection (a);
                    (B) by redesignating subsections (b) through (h) as 
                subsections (a) through (g), respectively;
                    (C) in subsection (a), as so redesignated--
                            (i) in the matter preceding paragraph (1), 
                        by striking ``subsection (e)'' and inserting 
                        ``subsection (d)'';
                            (ii) in paragraph (1), by striking 
                        ``subsection (c)'' and inserting ``subsection 
                        (b)''; and
                            (iii) in paragraph (2), by striking 
                        ``subsection (c)'' and inserting ``subsection 
                        (b)'';
                    (D) in subsection (b)(4), as so redesignated--
                            (i) by striking ``subsection (e)'' and 
                        inserting ``subsection (d)''; and
                            (ii) by striking ``subsection (h)'' and 
                        inserting ``subsection (g)'';
                    (E) in subsection (d), as so redesignated, by 
                striking ``subsection (b)(1)'' each place it appears 
                and inserting ``subsection (a)(1)'';
                    (F) in subsection (e), as so redesignated--
                            (i) by striking ``subsection (b)'' and 
                        inserting ``subsection (a)'';
                            (ii) by striking ``subsection (e)'' and 
                        inserting ``subsection (d)''; and
                            (iii) by striking ``subsection (b)(1)'' and 
                        inserting ``subsection (a)(1)''; and
                    (G) in subsection (f), as so redesignated, by 
                striking ``subsection (c)'' and inserting ``subsection 
                (b)'';
            (10) in section 2216, as so redesignated, by striking 
        subsection (f) and inserting the following:
    ``(f) Cyber Defense Operation Defined.--In this section, the term 
`cyber defense operation' means the use of a defensive measure.''; and
            (11) in section 2222--
                    (A) by striking paragraphs (3), (5), and (8);
                    (B) by redesignating paragraph (4) as paragraph 
                (3); and
                    (C) by redesignating paragraphs (6) and (7) as 
                paragraphs (4) and (5), respectively.
    (c) Cybersecurity Act of 2015 Definitions.--Section 102 of the 
Cybersecurity Act of 2015 (6 U.S.C. 1501) is amended--
            (1) by striking paragraphs (4) through (7) and inserting 
        the following:
            ``(4) Cybersecurity purpose.--The term `cybersecurity 
        purpose' has the meaning given the term in section 2200 of the 
        Homeland Security Act of 2002.
            ``(5) Cybersecurity threat.--The term `cybersecurity 
        threat' has the meaning given the term in section 2200 of the 
        Homeland Security Act of 2002.
            ``(6) Cyber theat indicator.--The term `cyber threat 
        indicator' has the meaning given the term in section 2200 of 
        the Homeland Security Act of 2002.
            ``(7) Defensive measure.--The term `defensive measure' has 
        the meaning given the term in section 2200 of the Homeland 
        Security Act of 2002.'';
            (2) by striking paragraph (13) and inserting the following:
            ``(13) Monitor.-- The term `monitor' has the meaning given 
        the term in section 2200 of the Homeland Security Act of 
        2002.''; and
            (3) by striking paragraph (17) and inserting the following:
            ``(17) Security vulnerability.--The term `security 
        vulnerability' has the meaning given the term in section 2200 
        of the Homeland Security Act of 2002.''.

SEC. 4. ADDITIONAL TECHNICAL AND CONFORMING AMENDMENTS.

    (a) Federal Cybersecurity Enhancement Act of 2015.--The Federal 
Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1521 et seq.) is 
amended--
            (1) in section 222 (6 U.S.C. 1521)--
                    (A) in paragraph (2), by striking ``section 2210'' 
                and inserting ``section 2200''; and
                    (B) in paragraph (4), by striking ``section 2209'' 
                and inserting ``section 2200'';
            (2) in section 223 (6 U.S.C. 151 note) is amended by 
        striking ``section 2213(b)(1)'' each place it appears and 
        inserting ``section 2212(a)(1)''; and
            (3) in section 226--
                    (A) in subsection (a)--
                            (i) in paragraph (1), by striking ``section 
                        2213'' and inserting ``section 2200'';
                            (ii) in paragraph (4), by striking 
                        ``section 2210(b)(1)'' and inserting ``section 
                        2209(a)(1)''; and
                            (iii) in paragraph (5), by striking 
                        ``section 2213(b)'' and inserting ``section 
                        2212(a)''; and
                    (B) in subsection (c)(1)(A)(vi), by striking 
                ``section 2213(c)(5)'' and inserting ``section 
                2212(b)(5)''; and
            (4) in section 227 (6 U.S.C. 1525)--
                    (A) in subsection (a), by striking ``section 2213'' 
                and inserting ``section 2212''; and
                    (B) in subsection (b), by striking ``section 
                2213(d)(2)'' and inserting ``section 2212(c)(2)''.
    (b) Public Health Service Act.--Section 2811(b)(4)(D) of the Public 
Health Service Act (42 U.S.C. 300hh-10(b)(4)(D)) is amended by striking 
``section 228(c) of the Homeland Security Act of 2002 (6 U.S.C. 
149(c))'' and inserting ``section 2209(c) of the Homeland Security Act 
of 2002''.
    (c) William M. (Mac) Thornberry National Defense Authorization Act 
of Fiscal Year 2021.--Section 9002 of the William M. (Mac) Thornberry 
National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 652a) 
is amended--
            (1) in subsection (a)--
                    (A) in paragraph (5), by striking ``section 2222(5) 
                of the Homeland Security Act of 2002 (6 U.S.C. 
                671(5))'' and inserting ``section 2200 of the Homeland 
                Security Act of 2002''; and
                    (B) in paragraph (7), by striking ``given the 
                term'' and all that follows and inserting ``given the 
                term in section 2200 of the Homeland Security Act of 
                2002'';
            (2) in subsection (b)(1)(A), by striking ``section 
        2202(c)(4) of the Homeland Security Act (6 U.S.C. 652(c)(4))'' 
        and inserting ``section 2201(c)(4)'';
            (3) in subsection (c)(3)(B), by striking ``section 2201(5) 
        of the Homeland Security Act of 2002 (6 U.S.C. 651(5))'' and 
        inserting ``section 2200 of the Homeland Security Act of 
        2002''; and
            (4) in subsection (d)--
                    (A) by striking ``section 2215'' and inserting 
                ``2217''; and
                    (B) by striking ``, as added by this section''.
    (d) National Security Act of 1947.--Section 113B of the National 
Security Act of 1947 (50 U.S.C. 3049a(b)(4)) is amended by striking 
section ``226 of the Homeland Security Act of 2002 (6 U.S.C. 147)'' and 
inserting ``section 2207 of the Homeland Security Act of 2002''.
    (e) Cybersecurity Act of 2015.--Section 404(a) of the Cybersecurity 
Act of 2015 (6 U.S.C. 1532(a)) is amended by striking ``section 2209'' 
and inserting ``section 2208''.
    (f) IoT Cybersecurity Improvement Act of 2020.--Section 5(b)(3) of 
the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3c) is 
amended by striking ``section 2209(m)'' and inserting ``section 
2208(l)''.
    (g) Small Business Act.--Section 21(a)(8)(B) of the Small Business 
Act (15 U.S.C. 648(a)(8)(B)) is amended by striking ``section 2209(a)'' 
and inserting ``section 2200''.
    (h) Title 46.--Section 70101(2) of title 46, United States Code, is 
amended by striking ``section 227 of the Homeland Security Act of 2002 
(6 U.S.C. 148)'' and inserting ``section 2200 of the Homeland Security 
Act of 2002''.
                                 <all>