[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2540 Reported in Senate (RS)]

<DOC>





                                                       Calendar No. 632
117th CONGRESS
  2d Session
                                S. 2540

                          [Report No. 117-248]

 To make technical corrections to title XXII of the Homeland Security 
                  Act of 2002, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 29, 2021

 Mr. Portman (for himself, Mr. Peters, and Ms. Hassan) introduced the 
 following bill; which was read twice and referred to the Committee on 
               Homeland Security and Governmental Affairs

                           December 13, 2022

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
 To make technical corrections to title XXII of the Homeland Security 
                  Act of 2002, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``CISA Technical Corrections 
and Improvements Act of 2021''.</DELETED>

<DELETED>SEC. 2. REDESIGNATIONS.</DELETED>

<DELETED>    (a) In General.--Subtitle A of title XXII of the Homeland 
Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--</DELETED>
        <DELETED>    (1) by striking section 2201 (6 U.S.C. 
        651);</DELETED>
        <DELETED>    (2) by redesignating sections 2202 through 2214 as 
        sections 2201 through 2213, respectively;</DELETED>
        <DELETED>    (3) by redesignating section 2217 (6 U.S.C. 665f) 
        as section 2219;</DELETED>
        <DELETED>    (4) by redesignating section 2216 (6 U.S.C. 665e) 
        as section 2218;</DELETED>
        <DELETED>    (5) by redesignating the fourth section 2215 
        (relating to Sector Risk Management Agencies) (6 U.S.C. 665d) 
        as section 2217;</DELETED>
        <DELETED>    (6) by redesignating the third section 2215 
        (relating to the Cybersecurity State Coordinator) (6 U.S.C. 
        665c) as section 2216; and</DELETED>
        <DELETED>    (7) by redesignating the first section 2215 
        (relating to Duties and Authorities Relating to .GOV Internet 
        Domain) (6 U.S.C. 665) as section 2214.</DELETED>
<DELETED>    (b) Technical and Conforming Amendments.--The Homeland 
Security Act of 2002 (6 U.S.C. 101 et seq.) is amended--</DELETED>
        <DELETED>    (1) in section 320(d)(3)(C) (6 U.S.C. 
        195f(d)(3)(C)) by striking ``section 2201'' and inserting 
        ``section 2200'';</DELETED>
        <DELETED>    (2) in section 846(1) (6 U.S.C. 417(1)), by 
        striking ``section 2209'' and inserting ``section 
        2208'';</DELETED>
        <DELETED>    (3) in section 1801(c)(16) (6 U.S.C. 571(c)(16)) 
        by striking ``section 2202(c)(7)'' and inserting ``section 
        2201(c)(7)'';</DELETED>
        <DELETED>    (4) in section 2001(4)(A)(iii)(II) (6 U.S.C. 
        601(4)(A)(iii)(II)), by striking ``section 2214(a)(2)'' and 
        inserting ``section 2213(a)(2)'';</DELETED>
        <DELETED>    (5) in section 2008(a)(3) (6 U.S.C. 609(a)(3)), by 
        striking ``section 2214(a)(2)'' and inserting ``section 
        2213(a)(2);''</DELETED>
        <DELETED>    (6) in section 2201, as so redesignated--
        </DELETED>
                <DELETED>    (A) in subsection (c)--</DELETED>
                        <DELETED>    (i) in the first paragraph (12), 
                        by striking ``section 2215'' and inserting 
                        ``section 2216'';</DELETED>
                        <DELETED>    (ii) by redesignating the second 
                        and third paragraphs (12) as paragraphs (13) 
                        and (14), respectively; and</DELETED>
                        <DELETED>    (iii) in paragraph (13), as so 
                        redesignated, by striking ``section 2215'' and 
                        inserting ``section 2214''; and</DELETED>
                <DELETED>    (B) in subsection (e)(2), by striking 
                ``sections 2203(b) and 2204(b)'' and inserting 
                ``sections 2202(b) and 2203(b)'';</DELETED>
        <DELETED>    (7) in section 2202(b)(3), as so redesignated, by 
        striking ``section 2202(c)(7)'' and inserting ``section 
        2201(c)(7)'';</DELETED>
        <DELETED>    (8) in section 2203(b)(3), as so redesignated, by 
        striking ``section 2202(c)(7)'' and inserting ``section 
        2201(c)(7)'';</DELETED>
        <DELETED>    (9) in section 2204, as so redesignated, in the 
        matter preceding paragraph (1), by striking ``section 2202'' 
        and inserting ``section 2201'';</DELETED>
        <DELETED>    (10) in section 2210(b)(2)(A), as so redesignated, 
        by striking ``section 2209'' and inserting ``section 2208''; 
        and</DELETED>
        <DELETED>    (11) in section 2217(c)(4)(A), by striking 
        ``section 2209'' and inserting ``section 2208''.</DELETED>
<DELETED>    (c) Table of Contents.--The table of contents in section 
1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 116 
Stat. 2135) is amended--</DELETED>
        <DELETED>    (1) by striking inserting before the item relating 
        to subtitle A of title XXII the following:</DELETED>

<DELETED>``Sec. 2200. Definitions.'';
        <DELETED>and</DELETED>
        <DELETED>    (2) by striking the items relating to sections 
        2201 through 2217 and inserting the following:</DELETED>

<DELETED>``Sec. 2201. Cybersecurity and Infrastructure Security Agency.
<DELETED>``Sec. 2202. Cybersecurity Division.
<DELETED>``Sec. 2203. Infrastructure Security Division.
<DELETED>``Sec. 2204. Enhancement of Federal and non-Federal 
                            cybersecurity.
<DELETED>``Sec. 2205. Net guard.
<DELETED>``Sec. 2206. Cyber Security Enhancement Act of 2002.
<DELETED>``Sec. 2207. Cybersecurity recruitment and retention.
<DELETED>``Sec. 2208. National cybersecurity and communications 
                            integration center.
<DELETED>``Sec. 2209. Cybersecurity plans.
<DELETED>``Sec. 2210. Cybersecurity strategy.
<DELETED>``Sec. 2211. Clearances.
<DELETED>``Sec. 2212. Federal intrusion detection and prevention 
                            system.
<DELETED>``Sec. 2213. National Asset Database.
<DELETED>``Sec. 2214. Duties and authorities relating to .gov internet 
                            domain.
<DELETED>``Sec. 2215. Joint Cyber Planning Office.
<DELETED>``Sec. 2216. Cybersecurity State Coordinator.
<DELETED>``Sec. 2217. Sector Risk Management Agencies.
<DELETED>``Sec. 2218. Cybersecurity Advisory Committee.
<DELETED>``Sec. 2219. Cybersecurity education and training programs.''.
<DELETED>    (d) Additional Technical Amendment.--</DELETED>
        <DELETED>    (1) Amendment.--Section 904(b)(1) of the DOTGOV 
        Act of 2020 (title IX of division U of Public Law 116-260) is 
        amended, in the matter preceding subparagraph (A), by striking 
        ``Homeland Security Act'' and inserting ``Homeland Security Act 
        of 2002''.</DELETED>
        <DELETED>    (2) Effective date.--The amendment made by 
        paragraph (1) shall take effect as if enacted as part of the 
        DOTGOV Act of 2020 (title IX of division U of Public Law 116-
        260).</DELETED>

<DELETED>SEC. 3. CONSOLIDATION OF DEFINITIONS.</DELETED>

<DELETED>    (a) In General.--Title XXII of the Homeland Security Act 
of 2002 (6 U.S.C. 651) is amended--</DELETED>
        <DELETED>    (1) by striking section 2201; and</DELETED>
        <DELETED>    (2) by inserting before the subtitle A heading the 
        following:</DELETED>

<DELETED>``SEC. 2200. DEFINITIONS.</DELETED>

<DELETED>    ``Except as otherwise specifically provided, in this 
title:</DELETED>
        <DELETED>    ``(1) Agency.--The term `Agency' means the 
        Cybersecurity and Infrastructure Security Agency.</DELETED>
        <DELETED>    ``(2) Agency information.--The term `agency 
        information' means information collected or maintained by or on 
        behalf of an agency.</DELETED>
        <DELETED>    ``(3) Agency information system.--The term `agency 
        information system' means an information system used or 
        operated by an agency or by another entity on behalf of an 
        agency.</DELETED>
        <DELETED>    ``(4) Appropriate congressional committees.--The 
        term `appropriate congressional committees' means--</DELETED>
                <DELETED>    ``(A) the Committee on Homeland Security 
                and Governmental Affairs of the Senate; and</DELETED>
                <DELETED>    ``(B) the Committee on Homeland Security 
                of the House of Representatives.</DELETED>
        <DELETED>    ``(5) Critical infrastructure information.--The 
        term `critical infrastructure information' means information 
        not customarily in the public domain and related to the 
        security of critical infrastructure or protected systems--
        </DELETED>
                <DELETED>    ``(A) actual, potential, or threatened 
                interference with, attack on, compromise of, or 
                incapacitation of critical infrastructure or protected 
                systems by either physical or computer-based attack or 
                other similar conduct (including the misuse of or 
                unauthorized access to all types of communications and 
                data transmission systems) that violates Federal, 
                State, or local law, harms interstate commerce of the 
                United States, or threatens public health or 
                safety;</DELETED>
                <DELETED>    ``(B) the ability of any critical 
                infrastructure or protected system to resist such 
                interference, compromise, or incapacitation, including 
                any planned or past assessment, projection, or estimate 
                of the vulnerability of critical infrastructure or a 
                protected system, including security testing, risk 
                evaluation thereto, risk management planning, or risk 
                audit; or</DELETED>
                <DELETED>    ``(C) any planned or past operational 
                problem or solution regarding critical infrastructure 
                or protected systems, including repair, recovery, 
                reconstruction, insurance, or continuity, to the extent 
                it is related to such interference, compromise, or 
                incapacitation.</DELETED>
        <DELETED>    ``(6) Cyber threat indicator.--The term `cyber 
        threat indicator' means information that is necessary to 
        describe or identify--</DELETED>
                <DELETED>    ``(A) malicious reconnaissance, including 
                anomalous patterns of communications that appear to be 
                transmitted for the purpose of gathering technical 
                information related to a cybersecurity threat or 
                security vulnerability;</DELETED>
                <DELETED>    ``(B) a method of defeating a security 
                control or exploitation of a security 
                vulnerability;</DELETED>
                <DELETED>    ``(C) a security vulnerability, including 
                anomalous activity that appears to indicate the 
                existence of a security vulnerability;</DELETED>
                <DELETED>    ``(D) a method of causing a user with 
                legitimate access to an information system or 
                information that is stored on, processed by, or 
                transiting an information system to unwittingly enable 
                the defeat of a security control or exploitation of a 
                security vulnerability;</DELETED>
                <DELETED>    ``(E) malicious cyber command and 
                control;</DELETED>
                <DELETED>    ``(F) the actual or potential harm caused 
                by an incident, including a description of the 
                information exfiltrated as a result of a particular 
                cybersecurity threat;</DELETED>
                <DELETED>    ``(G) any other attribute of a 
                cybersecurity threat, if disclosure of such attribute 
                is not otherwise prohibited by law; or</DELETED>
                <DELETED>    ``(H) any combination thereof.</DELETED>
        <DELETED>    ``(7) Cybersecurity purpose.--The term 
        `cybersecurity purpose' means the purpose of protecting an 
        information system or information that is stored on, processed 
        by, or transiting an information system from a cybersecurity 
        threat or security vulnerability.</DELETED>
        <DELETED>    ``(8) Cybersecurity risk.--The term `cybersecurity 
        risk'--</DELETED>
                <DELETED>    ``(A) means threats to and vulnerabilities 
                of information or information systems and any related 
                consequences caused by or resulting from unauthorized 
                access, use, disclosure, degradation, disruption, 
                modification, or destruction of such information or 
                information systems, including such related 
                consequences caused by an act of terrorism; 
                and</DELETED>
                <DELETED>    ``(B) does not include any action that 
                solely involves a violation of a consumer term of 
                service or a consumer licensing agreement.</DELETED>
        <DELETED>    ``(9) Cybersecurity threat.--</DELETED>
                <DELETED>    ``(A) In general.--Except as provided in 
                subparagraph (B), the term `cybersecurity threat' means 
                an action, not protected by the First Amendment to the 
                Constitution of the United States, on or through an 
                information system that may result in an unauthorized 
                effort to adversely impact the security, availability, 
                confidentiality, or integrity of an information system 
                or information that is stored on, processed by, or 
                transiting an information system.</DELETED>
                <DELETED>    ``(B) Exclusion.--The term `cybersecurity 
                threat' does not include any action that solely 
                involves a violation of a consumer term of service or a 
                consumer licensing agreement.</DELETED>
        <DELETED>    ``(10) Defensive measure.--</DELETED>
                <DELETED>    ``(A) In general.--Except as provided in 
                subparagraph (B), the term `defensive measure' means an 
                action, device, procedure, signature, technique, or 
                other measure applied to an information system or 
                information that is stored on, processed by, or 
                transiting an information system that detects, 
                prevents, or mitigates a known or suspected 
                cybersecurity threat or security 
                vulnerability.</DELETED>
                <DELETED>    ``(B) Exclusion.--The term `defensive 
                measure' does not include a measure that destroys, 
                renders unusable, provides unauthorized access to, or 
                substantially harms an information system or 
                information stored on, processed by, or transiting such 
                information system not owned by--</DELETED>
                        <DELETED>    ``(i) the entity operating the 
                        measure; or</DELETED>
                        <DELETED>    ``(ii) another entity or Federal 
                        entity that is authorized to provide consent 
                        and has provided consent to that private entity 
                        for operation of such measure.</DELETED>
        <DELETED>    ``(11) Homeland security enterprise.--The term 
        `Homeland Security Enterprise' means relevant governmental and 
        nongovernmental entities involved in homeland security, 
        including Federal, State, local, and tribal government 
        officials, private sector representatives, academics, and other 
        policy experts.</DELETED>
        <DELETED>    ``(12) Incident.--The term `incident' means an 
        occurrence that actually or imminently jeopardizes, without 
        lawful authority, the integrity, confidentiality, or 
        availability of information on an information system, or 
        actually or imminently jeopardizes, without lawful authority, 
        an information system.</DELETED>
        <DELETED>    ``(13) Information sharing and analysis 
        organization.--The term `Information Sharing and Analysis 
        Organization' means any formal or informal entity or 
        collaboration created or employed by public or private sector 
        organizations, for purposes of--</DELETED>
                <DELETED>    ``(A) gathering and analyzing critical 
                infrastructure information, including information 
                related to cybersecurity risks and incidents, in order 
                to better understand security problems and 
                interdependencies related to critical infrastructure, 
                including cybersecurity risks and incidents, and 
                protected systems, so as to ensure the availability, 
                integrity, and reliability thereof;</DELETED>
                <DELETED>    ``(B) communicating or disclosing critical 
                infrastructure information, including cybersecurity 
                risks and incidents, to help prevent, detect, mitigate, 
                or recover from the effects of a interference, 
                compromise, or a incapacitation problem related to 
                critical infrastructure, including cybersecurity risks 
                and incidents, or protected systems; and</DELETED>
                <DELETED>    ``(C) voluntarily disseminating critical 
                infrastructure information, including cybersecurity 
                risks and incidents, to its members, State, local, and 
                Federal Governments, or any other entities that may be 
                of assistance in carrying out the purposes specified in 
                subparagraphs (A) and (B).</DELETED>
        <DELETED>    ``(14) Information system.--The term `information 
        system' has the meaning given the term in section 3502 of title 
        44, United States Code.</DELETED>
        <DELETED>    ``(15) Intelligence community.--The term 
        `intelligence community' has the meaning given the term in 
        section 3(4) of the National Security Act of 1947 (50 U.S.C. 
        3003(4)).</DELETED>
        <DELETED>    ``(16) Monitor.--The term `monitor' means to 
        acquire, identify, or scan, or to possess, information that is 
        stored on, processed by, or transiting an information 
        system.</DELETED>
        <DELETED>    ``(17) National cybersecurity asset response 
        activities.--The term `national cybersecurity asset response 
        activities' means--</DELETED>
                <DELETED>    ``(A) furnishing cybersecurity technical 
                assistance to entities affected by cybersecurity risks 
                to protect assets, mitigate vulnerabilities, and reduce 
                impacts of cyber incidents;</DELETED>
                <DELETED>    ``(B) identifying other entities that may 
                be at risk of an incident and assessing risk to the 
                same or similar vulnerabilities;</DELETED>
                <DELETED>    ``(C) assessing potential cybersecurity 
                risks to a sector or region, including potential 
                cascading effects, and developing courses of action to 
                mitigate such risks;</DELETED>
                <DELETED>    ``(D) facilitating information sharing and 
                operational coordination with threat response; 
                and</DELETED>
                <DELETED>    ``(E) providing guidance on how best to 
                utilize Federal resources and capabilities in a timely, 
                effective manner to speed recovery from cybersecurity 
                risks.</DELETED>
        <DELETED>    ``(18) National security system.--The term 
        `national security system' has the meaning given the term in 
        section 11103 of title 40, United States Code.</DELETED>
        <DELETED>    ``(19) Sector risk management agency.--The term 
        `Sector Risk Management Agency' means a Federal department or 
        agency, designated by law or Presidential directive, with 
        responsibility for providing institutional knowledge and 
        specialized expertise of a sector, as well as leading, 
        facilitating, or supporting programs and associated activities 
        of its designated critical infrastructure sector in the all 
        hazards environment in coordination with the 
        Department.</DELETED>
        <DELETED>    ``(20) Security vulnerability.--The term `security 
        vulnerability' means any attribute of hardware, software, 
        process, or procedure that could enable or facilitate the 
        defeat of a security control.</DELETED>
        <DELETED>    ``(21) Sharing.--The term `sharing' (including all 
        conjugations thereof) means providing, recieving, and 
        disseminating (including all conjugations of each such 
        terms).''.</DELETED>
<DELETED>    (b) Technical and Conforming Amendments.--The Homeland 
Security Act of 2002 (6 U.S.C. 101 et seq.) is amended--</DELETED>
        <DELETED>    (1) in section 2201, as so redesignated--
        </DELETED>
                <DELETED>    (A) in subsection (a)(1), by striking 
                ``(in this subtitle referred to as the 
                Agency)'';</DELETED>
                <DELETED>    (B) in subsection (f)--</DELETED>
                        <DELETED>    (i) in paragraph (1), by inserting 
                        ``Executive'' before ``Assistant Director''; 
                        and</DELETED>
                        <DELETED>    (ii) in paragraph (2), by 
                        inserting ``Executive'' before ``Assistant 
                        Director'';</DELETED>
        <DELETED>    (2) in section 2202(a)(2), as so redesignated, by 
        striking ``as the `Assistant Director''' and inserting ``as the 
        `Executive Assistant Director''';</DELETED>
        <DELETED>    (3) in section 2203(a)(2), as so redesignated, by 
        striking ``as the `Assistant Director''' and inserting ``as the 
        `Executive Assistant Director''';</DELETED>
        <DELETED>    (4) in section 2208, as so redesignated--
        </DELETED>
                <DELETED>    (A) by striking subsection (a);</DELETED>
                <DELETED>    (B) by redesignating subsections (b) 
                through subsection (o) as subsections (a) through (n), 
                respectively;</DELETED>
                <DELETED>    (C) in subsection (c)(1)(A)(iii), as so 
                redesignated, by striking ``, as that term is defined 
                under section 3(4) of the National Security Act of 1947 
                (50 U.S.C. 3003(4))'';</DELETED>
                <DELETED>    (D) in subsection (d), as so redesignated, 
                in the matter preceding paragraph (1), by striking 
                ``subsection (c)'' and inserting ``subsection 
                (b)'';</DELETED>
                <DELETED>    (E) in subsection (j), as so redesignated, 
                by striking ``subsection (c)(8)'' and inserting 
                ``subsection (b)(8)''; and</DELETED>
                <DELETED>    (F) in subsection (n), as so 
                redesignated--</DELETED>
                        <DELETED>    (i) in paragraph (2)(A), by 
                        striking ``subsection (c)(12)'' and inserting 
                        ``subsection (b)(12)''; and</DELETED>
                        <DELETED>    (ii) in paragraph (3)(B)(i), by 
                        striking ``subsection (c)(12)'' and inserting 
                        ``subsection (b)(12)'';</DELETED>
        <DELETED>    (5) in section 2209, as so redesignated--
        </DELETED>
                <DELETED>    (A) by striking subsection (a);</DELETED>
                <DELETED>    (B) by redesignating subsections (b) 
                through (d) as subsections (a) through (c), 
                respectively;</DELETED>
                <DELETED>    (C) in subsection (b), as so 
                redesignated--</DELETED>
                        <DELETED>    (i) by striking ``information 
                        sharing and analysis organizations (as defined 
                        in section 2222(5))'' and inserting 
                        ``Information Sharing and Analysis 
                        Organizations''; and</DELETED>
                        <DELETED>    (ii) by striking ``(as defined in 
                        section 2209)''; and</DELETED>
                <DELETED>    (D) in subsection (c), as so redesignated, 
                by striking ``subsection (c)'' and inserting 
                ``subsection (b)'';</DELETED>
        <DELETED>    (6) in section 2210, as so redesignated, by 
        striking subsection (h);</DELETED>
        <DELETED>    (7) in section 2211, as so redesignated, by 
        striking ``information sharing and analysis organizations (as 
        defined in section 2222(5))'' and inserting ``Information 
        Sharing and Analysis Organizations'';</DELETED>
        <DELETED>    (8) in section 2212, as so redesignated--
        </DELETED>
                <DELETED>    (A) by striking subsection (a);</DELETED>
                <DELETED>    (B) by redesignating subsections (b) 
                through (f) as subsections (a) through (e); 
                respectively;</DELETED>
                <DELETED>    (C) in subsection (b), as so redesignated, 
                by striking ``subsection (b)'' each place it appears 
                and inserting ``subsection (a)'';</DELETED>
                <DELETED>    (D) in subsection (c), as so redesignated, 
                in the matter preceding paragraph (1), by striking 
                ``subsection (b)'' and inserting ``subsection (a)''; 
                and</DELETED>
                <DELETED>    (E) in subsection (d), as so 
                redesignated--</DELETED>
                        <DELETED>    (i) in paragraph (1)--</DELETED>
                                <DELETED>    (I) in the matter 
                                preceding subparagraph (A), by striking 
                                ``subsection (c)(2)'' and inserting 
                                ``subsection (b)(2)'';</DELETED>
                                <DELETED>    (II) in subparagraph (A), 
                                by striking ``subsection (c)(1)'' and 
                                inserting ``subsection (b)(1)''; 
                                and</DELETED>
                                <DELETED>    (III) in subparagraph (B), 
                                by striking ``subsection (c)(2)'' and 
                                inserting ``subsection (b)(2)''; 
                                and</DELETED>
                        <DELETED>    (ii) in paragraph (2), by striking 
                        ``subsection (c)(2)'' and inserting 
                        ``subsection (b)(2)'';</DELETED>
        <DELETED>    (9) in section 2215 (6 U.S.C. 665b)--</DELETED>
                <DELETED>    (A) by striking subsection (a);</DELETED>
                <DELETED>    (B) by redesignating subsections (b) 
                through (h) as subsections (a) through (g), 
                respectively;</DELETED>
                <DELETED>    (C) in subsection (a), as so 
                redesignated--</DELETED>
                        <DELETED>    (i) in the matter preceding 
                        paragraph (1), by striking ``subsection (e)'' 
                        and inserting ``subsection (d)'';</DELETED>
                        <DELETED>    (ii) in paragraph (1), by striking 
                        ``subsection (c)'' and inserting ``subsection 
                        (b)''; and</DELETED>
                        <DELETED>    (iii) in paragraph (2), by 
                        striking ``subsection (c)'' and inserting 
                        ``subsection (b)'';</DELETED>
                <DELETED>    (D) in subsection (b)(4), as so 
                redesignated--</DELETED>
                        <DELETED>    (i) by striking ``subsection (e)'' 
                        and inserting ``subsection (d)''; and</DELETED>
                        <DELETED>    (ii) by striking ``subsection 
                        (h)'' and inserting ``subsection 
                        (g)'';</DELETED>
                <DELETED>    (E) in subsection (d), as so redesignated, 
                by striking ``subsection (b)(1)'' each place it appears 
                and inserting ``subsection (a)(1)'';</DELETED>
                <DELETED>    (F) in subsection (e), as so 
                redesignated--</DELETED>
                        <DELETED>    (i) by striking ``subsection (b)'' 
                        and inserting ``subsection (a)'';</DELETED>
                        <DELETED>    (ii) by striking ``subsection 
                        (e)'' and inserting ``subsection (d)''; 
                        and</DELETED>
                        <DELETED>    (iii) by striking ``subsection 
                        (b)(1)'' and inserting ``subsection (a)(1)''; 
                        and</DELETED>
                <DELETED>    (G) in subsection (f), as so redesignated, 
                by striking ``subsection (c)'' and inserting 
                ``subsection (b)'';</DELETED>
        <DELETED>    (10) in section 2216, as so redesignated, by 
        striking subsection (f) and inserting the following:</DELETED>
<DELETED>    ``(f) Cyber Defense Operation Defined.--In this section, 
the term `cyber defense operation' means the use of a defensive 
measure.''; and</DELETED>
        <DELETED>    (11) in section 2222--</DELETED>
                <DELETED>    (A) by striking paragraphs (3), (5), and 
                (8);</DELETED>
                <DELETED>    (B) by redesignating paragraph (4) as 
                paragraph (3); and</DELETED>
                <DELETED>    (C) by redesignating paragraphs (6) and 
                (7) as paragraphs (4) and (5), respectively.</DELETED>
<DELETED>    (c) Cybersecurity Act of 2015 Definitions.--Section 102 of 
the Cybersecurity Act of 2015 (6 U.S.C. 1501) is amended--</DELETED>
        <DELETED>    (1) by striking paragraphs (4) through (7) and 
        inserting the following:</DELETED>
        <DELETED>    ``(4) Cybersecurity purpose.--The term 
        `cybersecurity purpose' has the meaning given the term in 
        section 2200 of the Homeland Security Act of 2002.</DELETED>
        <DELETED>    ``(5) Cybersecurity threat.--The term 
        `cybersecurity threat' has the meaning given the term in 
        section 2200 of the Homeland Security Act of 2002.</DELETED>
        <DELETED>    ``(6) Cyber theat indicator.--The term `cyber 
        threat indicator' has the meaning given the term in section 
        2200 of the Homeland Security Act of 2002.</DELETED>
        <DELETED>    ``(7) Defensive measure.--The term `defensive 
        measure' has the meaning given the term in section 2200 of the 
        Homeland Security Act of 2002.'';</DELETED>
        <DELETED>    (2) by striking paragraph (13) and inserting the 
        following:</DELETED>
        <DELETED>    ``(13) Monitor.-- The term `monitor' has the 
        meaning given the term in section 2200 of the Homeland Security 
        Act of 2002.''; and</DELETED>
        <DELETED>    (3) by striking paragraph (17) and inserting the 
        following:</DELETED>
        <DELETED>    ``(17) Security vulnerability.--The term `security 
        vulnerability' has the meaning given the term in section 2200 
        of the Homeland Security Act of 2002.''.</DELETED>

<DELETED>SEC. 4. ADDITIONAL TECHNICAL AND CONFORMING 
              AMENDMENTS.</DELETED>

<DELETED>    (a) Federal Cybersecurity Enhancement Act of 2015.--The 
Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1521 et seq.) 
is amended--</DELETED>
        <DELETED>    (1) in section 222 (6 U.S.C. 1521)--</DELETED>
                <DELETED>    (A) in paragraph (2), by striking 
                ``section 2210'' and inserting ``section 2200''; 
                and</DELETED>
                <DELETED>    (B) in paragraph (4), by striking 
                ``section 2209'' and inserting ``section 
                2200'';</DELETED>
        <DELETED>    (2) in section 223 (6 U.S.C. 151 note) is amended 
        by striking ``section 2213(b)(1)'' each place it appears and 
        inserting ``section 2212(a)(1)''; and</DELETED>
        <DELETED>    (3) in section 226--</DELETED>
                <DELETED>    (A) in subsection (a)--</DELETED>
                        <DELETED>    (i) in paragraph (1), by striking 
                        ``section 2213'' and inserting ``section 
                        2200'';</DELETED>
                        <DELETED>    (ii) in paragraph (4), by striking 
                        ``section 2210(b)(1)'' and inserting ``section 
                        2209(a)(1)''; and</DELETED>
                        <DELETED>    (iii) in paragraph (5), by 
                        striking ``section 2213(b)'' and inserting 
                        ``section 2212(a)''; and</DELETED>
                <DELETED>    (B) in subsection (c)(1)(A)(vi), by 
                striking ``section 2213(c)(5)'' and inserting ``section 
                2212(b)(5)''; and</DELETED>
        <DELETED>    (4) in section 227 (6 U.S.C. 1525)--</DELETED>
                <DELETED>    (A) in subsection (a), by striking 
                ``section 2213'' and inserting ``section 2212''; 
                and</DELETED>
                <DELETED>    (B) in subsection (b), by striking 
                ``section 2213(d)(2)'' and inserting ``section 
                2212(c)(2)''.</DELETED>
<DELETED>    (b) Public Health Service Act.--Section 2811(b)(4)(D) of 
the Public Health Service Act (42 U.S.C. 300hh-10(b)(4)(D)) is amended 
by striking ``section 228(c) of the Homeland Security Act of 2002 (6 
U.S.C. 149(c))'' and inserting ``section 2209(c) of the Homeland 
Security Act of 2002''.</DELETED>
<DELETED>    (c) William M. (Mac) Thornberry National Defense 
Authorization Act of Fiscal Year 2021.--Section 9002 of the William M. 
(Mac) Thornberry National Defense Authorization Act for Fiscal Year 
2021 (6 U.S.C. 652a) is amended--</DELETED>
        <DELETED>    (1) in subsection (a)--</DELETED>
                <DELETED>    (A) in paragraph (5), by striking 
                ``section 2222(5) of the Homeland Security Act of 2002 
                (6 U.S.C. 671(5))'' and inserting ``section 2200 of the 
                Homeland Security Act of 2002''; and</DELETED>
                <DELETED>    (B) in paragraph (7), by striking ``given 
                the term'' and all that follows and inserting ``given 
                the term in section 2200 of the Homeland Security Act 
                of 2002'';</DELETED>
        <DELETED>    (2) in subsection (b)(1)(A), by striking ``section 
        2202(c)(4) of the Homeland Security Act (6 U.S.C. 652(c)(4))'' 
        and inserting ``section 2201(c)(4)'';</DELETED>
        <DELETED>    (3) in subsection (c)(3)(B), by striking ``section 
        2201(5) of the Homeland Security Act of 2002 (6 U.S.C. 
        651(5))'' and inserting ``section 2200 of the Homeland Security 
        Act of 2002''; and</DELETED>
        <DELETED>    (4) in subsection (d)--</DELETED>
                <DELETED>    (A) by striking ``section 2215'' and 
                inserting ``2217''; and</DELETED>
                <DELETED>    (B) by striking ``, as added by this 
                section''.</DELETED>
<DELETED>    (d) National Security Act of 1947.--Section 113B of the 
National Security Act of 1947 (50 U.S.C. 3049a(b)(4)) is amended by 
striking section ``226 of the Homeland Security Act of 2002 (6 U.S.C. 
147)'' and inserting ``section 2207 of the Homeland Security Act of 
2002''.</DELETED>
<DELETED>    (e) Cybersecurity Act of 2015.--Section 404(a) of the 
Cybersecurity Act of 2015 (6 U.S.C. 1532(a)) is amended by striking 
``section 2209'' and inserting ``section 2208''.</DELETED>
<DELETED>    (f) IoT Cybersecurity Improvement Act of 2020.--Section 
5(b)(3) of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 
278g-3c) is amended by striking ``section 2209(m)'' and inserting 
``section 2208(l)''.</DELETED>
<DELETED>    (g) Small Business Act.--Section 21(a)(8)(B) of the Small 
Business Act (15 U.S.C. 648(a)(8)(B)) is amended by striking ``section 
2209(a)'' and inserting ``section 2200''.</DELETED>
<DELETED>    (h) Title 46.--Section 70101(2) of title 46, United States 
Code, is amended by striking ``section 227 of the Homeland Security Act 
of 2002 (6 U.S.C. 148)'' and inserting ``section 2200 of the Homeland 
Security Act of 2002''.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``CISA Technical Corrections and 
Improvements Act of 2021''.

SEC. 2. REDESIGNATIONS.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended--
            (1) by redesignating section 2217 (6 U.S.C. 665f) as 
        section 2220;
            (2) by redesignating section 2216 (6 U.S.C. 665e) as 
        section 2219;
            (3) by redesignating the fourth section 2215 (relating to 
        Sector Risk Management Agencies) (6 U.S.C. 665d) as section 
        2218;
            (4) by redesignating the third section 2215 (relating to 
        the Cybersecurity State Coordinator) (6 U.S.C. 665c) as section 
        2217; and
            (5) by redesignating the second section 2215 (relating to 
        the Joint Cyber Planning Office) (6 U.S.C. 665b) as section 
        2216.
    (b) Technical and Conforming Amendments.--Section 2202(c) of the 
Homeland Security Act of 2002 (6 U.S.C. 652(c)) is amended--
            (1) in paragraph (11), by striking ``and'' at the end;
            (2) in the first paragraph (12)--
                    (A) by striking ``section 2215'' and inserting 
                ``section 2217''; and
                    (B) by striking ``and'' at the end; and
            (3) by redesignating the second and third paragraphs (12) 
        as paragraphs (13) and (14), respectively.
    (c) Additional Technical Amendment.--
            (1) Amendment.--Section 904(b)(1) of the DOTGOV Act of 2020 
        (title IX of division U of Public Law 116-260) is amended, in 
        the matter preceding subparagraph (A), by striking ``Homeland 
        Security Act'' and inserting ``Homeland Security Act of 2002''.
            (2) Effective date.--The amendment made by paragraph (1) 
        shall take effect as if enacted as part of the DOTGOV Act of 
        2020 (title IX of division U of Public Law 116-260).

SEC. 3. CONSOLIDATION OF DEFINITIONS.

    (a) In General.--Title XXII of the Homeland Security Act of 2002 (6 
U.S.C. 651) is amended by inserting before the subtitle A heading the 
following:

``SEC. 2200. DEFINITIONS.

    ``Except as otherwise specifically provided, in this title:
            ``(1) Agency.--The term `Agency' means the Cybersecurity 
        and Infrastructure Security Agency.
            ``(2) Agency information.--The term `agency information' 
        means information collected or maintained by or on behalf of an 
        agency.
            ``(3) Agency information system.--The term `agency 
        information system' means an information system used or 
        operated by an agency or by another entity on behalf of an 
        agency.
            ``(4) Appropriate congressional committees.--The term 
        `appropriate congressional committees' means--
                    ``(A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate; and
                    ``(B) the Committee on Homeland Security of the 
                House of Representatives.
            ``(5) Critical infrastructure information.--The term 
        `critical infrastructure information' means information not 
        customarily in the public domain and related to the security of 
        critical infrastructure or protected systems--
                    ``(A) actual, potential, or threatened interference 
                with, attack on, compromise of, or incapacitation of 
                critical infrastructure or protected systems by either 
                physical or computer-based attack or other similar 
                conduct (including the misuse of or unauthorized access 
                to all types of communications and data transmission 
                systems) that violates Federal, State, or local law, 
                harms interstate commerce of the United States, or 
                threatens public health or safety;
                    ``(B) the ability of any critical infrastructure or 
                protected system to resist such interference, 
                compromise, or incapacitation, including any planned or 
                past assessment, projection, or estimate of the 
                vulnerability of critical infrastructure or a protected 
                system, including security testing, risk evaluation 
                thereto, risk management planning, or risk audit; or
                    ``(C) any planned or past operational problem or 
                solution regarding critical infrastructure or protected 
                systems, including repair, recovery, reconstruction, 
                insurance, or continuity, to the extent it is related 
                to such interference, compromise, or incapacitation.
            ``(6) Cyber threat indicator.--The term `cyber threat 
        indicator' means information that is necessary to describe or 
        identify--
                    ``(A) malicious reconnaissance, including anomalous 
                patterns of communications that appear to be 
                transmitted for the purpose of gathering technical 
                information related to a cybersecurity threat or 
                security vulnerability;
                    ``(B) a method of defeating a security control or 
                exploitation of a security vulnerability;
                    ``(C) a security vulnerability, including anomalous 
                activity that appears to indicate the existence of a 
                security vulnerability;
                    ``(D) a method of causing a user with legitimate 
                access to an information system or information that is 
                stored on, processed by, or transiting an information 
                system to unwittingly enable the defeat of a security 
                control or exploitation of a security vulnerability;
                    ``(E) malicious cyber command and control;
                    ``(F) the actual or potential harm caused by an 
                incident, including a description of the information 
                exfiltrated as a result of a particular cybersecurity 
                threat;
                    ``(G) any other attribute of a cybersecurity 
                threat, if disclosure of such attribute is not 
                otherwise prohibited by law; or
                    ``(H) any combination thereof.
            ``(7) Cybersecurity purpose.--The term `cybersecurity 
        purpose' means the purpose of protecting an information system 
        or information that is stored on, processed by, or transiting 
        an information system from a cybersecurity threat or security 
        vulnerability.
            ``(8) Cybersecurity risk.--The term `cybersecurity risk'--
                    ``(A) means threats to and vulnerabilities of 
                information or information systems and any related 
                consequences caused by or resulting from unauthorized 
                access, use, disclosure, degradation, disruption, 
                modification, or destruction of such information or 
                information systems, including such related 
                consequences caused by an act of terrorism; and
                    ``(B) does not include any action that solely 
                involves a violation of a consumer term of service or a 
                consumer licensing agreement.
            ``(9) Cybersecurity threat.--
                    ``(A) In general.--Except as provided in 
                subparagraph (B), the term `cybersecurity threat' means 
                an action, not protected by the First Amendment to the 
                Constitution of the United States, on or through an 
                information system that may result in an unauthorized 
                effort to adversely impact the security, availability, 
                confidentiality, or integrity of an information system 
                or information that is stored on, processed by, or 
                transiting an information system.
                    ``(B) Exclusion.--The term `cybersecurity threat' 
                does not include any action that solely involves a 
                violation of a consumer term of service or a consumer 
                licensing agreement.
            ``(10) Defensive measure.--
                    ``(A) In general.--Except as provided in 
                subparagraph (B), the term `defensive measure' means an 
                action, device, procedure, signature, technique, or 
                other measure applied to an information system or 
                information that is stored on, processed by, or 
                transiting an information system that detects, 
                prevents, or mitigates a known or suspected 
                cybersecurity threat or security vulnerability.
                    ``(B) Exclusion.--The term `defensive measure' does 
                not include a measure that destroys, renders unusable, 
                provides unauthorized access to, or substantially harms 
                an information system or information stored on, 
                processed by, or transiting such information system not 
                owned by--
                            ``(i) the entity operating the measure; or
                            ``(ii) another entity or Federal entity 
                        that is authorized to provide consent and has 
                        provided consent to that private entity for 
                        operation of such measure.
            ``(11) Homeland security enterprise.--The term `Homeland 
        Security Enterprise' means relevant governmental and 
        nongovernmental entities involved in homeland security, 
        including Federal, State, local, and tribal government 
        officials, private sector representatives, academics, and other 
        policy experts.
            ``(12) Incident.--The term `incident' means an occurrence 
        that actually or imminently jeopardizes, without lawful 
        authority, the integrity, confidentiality, or availability of 
        information on an information system, or actually or imminently 
        jeopardizes, without lawful authority, an information system.
            ``(13) Information sharing and analysis organization.--The 
        term `Information Sharing and Analysis Organization' means any 
        formal or informal entity or collaboration created or employed 
        by public or private sector organizations, for purposes of--
                    ``(A) gathering and analyzing critical 
                infrastructure information, including information 
                related to cybersecurity risks and incidents, in order 
                to better understand security problems and 
                interdependencies related to critical infrastructure, 
                including cybersecurity risks and incidents, and 
                protected systems, so as to ensure the availability, 
                integrity, and reliability thereof;
                    ``(B) communicating or disclosing critical 
                infrastructure information, including cybersecurity 
                risks and incidents, to help prevent, detect, mitigate, 
                or recover from the effects of a interference, 
                compromise, or a incapacitation problem related to 
                critical infrastructure, including cybersecurity risks 
                and incidents, or protected systems; and
                    ``(C) voluntarily disseminating critical 
                infrastructure information, including cybersecurity 
                risks and incidents, to its members, State, local, and 
                Federal Governments, or any other entities that may be 
                of assistance in carrying out the purposes specified in 
                subparagraphs (A) and (B).
            ``(14) Information system.--The term `information system' 
        has the meaning given the term in section 3502 of title 44, 
        United States Code.
            ``(15) Intelligence community.--The term `intelligence 
        community' has the meaning given the term in section 3(4) of 
        the National Security Act of 1947 (50 U.S.C. 3003(4)).
            ``(16) Monitor.--The term `monitor' means to acquire, 
        identify, or scan, or to possess, information that is stored 
        on, processed by, or transiting an information system.
            ``(17) National cybersecurity asset response activities.--
        The term `national cybersecurity asset response activities' 
        means--
                    ``(A) furnishing cybersecurity technical assistance 
                to entities affected by cybersecurity risks to protect 
                assets, mitigate vulnerabilities, and reduce impacts of 
                cyber incidents;
                    ``(B) identifying other entities that may be at 
                risk of an incident and assessing risk to the same or 
                similar vulnerabilities;
                    ``(C) assessing potential cybersecurity risks to a 
                sector or region, including potential cascading 
                effects, and developing courses of action to mitigate 
                such risks;
                    ``(D) facilitating information sharing and 
                operational coordination with threat response; and
                    ``(E) providing guidance on how best to utilize 
                Federal resources and capabilities in a timely, 
                effective manner to speed recovery from cybersecurity 
                risks.
            ``(18) National security system.--The term `national 
        security system' has the meaning given the term in section 
        11103 of title 40, United States Code.
            ``(19) Sector risk management agency.--The term `Sector 
        Risk Management Agency' means a Federal department or agency, 
        designated by law or Presidential directive, with 
        responsibility for providing institutional knowledge and 
        specialized expertise of a sector, as well as leading, 
        facilitating, or supporting programs and associated activities 
        of its designated critical infrastructure sector in the all 
        hazards environment in coordination with the Department.
            ``(20) Security control.--The term `security control' means 
        the management, operational, and technical controls used to 
        protect against an unauthorized effort to adversely affect the 
        confidentiality, integrity, and availability of an information 
        system or its information.
            ``(21) Security vulnerability.--The term `security 
        vulnerability' means any attribute of hardware, software, 
        process, or procedure that could enable or facilitate the 
        defeat of a security control.
            ``(22) Sharing.--The term `sharing' (including all 
        conjugations thereof) means providing, receiving, and 
        disseminating (including all conjugations of each such 
        terms).''.
    (b) Technical and Conforming Amendments.--The Homeland Security Act 
of 2002 (6 U.S.C. 101 et seq.) is amended--
            (1) by amending section 2201 to read as follows:

``SEC. 2201. DEFINITION.

    ``In this subtitle, the term `Cybersecurity Advisory Committee' 
means the advisory committee established under section 2219(a).'';
            (2) in section 2202--
                    (A) in subsection (a)(1), by striking ``(in this 
                subtitle referred to as the Agency)'';
                    (B) in subsection (f)--
                            (i) in paragraph (1), by inserting 
                        ``Executive'' before ``Assistant Director''; 
                        and
                            (ii) in paragraph (2), by inserting 
                        ``Executive'' before ``Assistant Director'';
            (3) in section 2203(a)(2), by striking ``as the `Assistant 
        Director''' and inserting ``as the `Executive Assistant 
        Director''';
            (4) in section 2204(a)(2), by striking ``as the `Assistant 
        Director''' and inserting ``as the `Executive Assistant 
        Director''';
            (5) in section 2209--
                    (A) by striking subsection (a);
                    (B) by redesignating subsections (b) through 
                subsection (o) as subsections (a) through (n), 
                respectively;
                    (C) in subsection (c)(1)--
                            (i) in subparagraph (A)(iii), as so 
                        redesignated, by striking ``, as that term is 
                        defined under section 3(4) of the National 
                        Security Act of 1947 (50 U.S.C. 3003(4))''; and
                            (ii) in subparagraph (B)(ii), by striking 
                        ``information sharing and analysis 
                        organizations'' and inserting ``Information 
                        Sharing and Analysis Organizations'';
                    (D) in subsection (d), as so redesignated--
                            (i) in the matter preceding paragraph (1), 
                        by striking ``subsection (c)'' and inserting 
                        ``subsection (b)''; and
                            (ii) in paragraph (1)(E)(ii)(II), by 
                        striking ``information sharing and analysis 
                        organizations'' and inserting ``Information 
                        Sharing and Analysis Organizations'';
                    (E) in subsection (j), as so redesignated, by 
                striking ``subsection (c)(8)'' and inserting 
                ``subsection (b)(8)''; and
                    (F) in subsection (n), as so redesignated--
                            (i) in paragraph (2)(A), by striking 
                        ``subsection (c)(12)'' and inserting 
                        ``subsection (b)(12)''; and
                            (ii) in paragraph (3)(B)(i), by striking 
                        ``subsection (c)(12)'' and inserting 
                        ``subsection (b)(12)'';
            (6) in section 2210--
                    (A) by striking subsection (a);
                    (B) by redesignating subsections (b) through (d) as 
                subsections (a) through (c), respectively;
                    (C) in subsection (b), as so redesignated--
                            (i) by striking ``information sharing and 
                        analysis organizations (as defined in section 
                        2222(5))'' and inserting ``Information Sharing 
                        and Analysis Organizations''; and
                            (ii) by striking ``(as defined in section 
                        2209)''; and
                    (D) in subsection (c), as so redesignated, by 
                striking ``subsection (c)'' and inserting ``subsection 
                (b)'';
            (7) in section 2211, by striking subsection (h);
            (8) in section 2212, by striking ``information sharing and 
        analysis organizations (as defined in section 2222(5))'' and 
        inserting ``Information Sharing and Analysis Organizations'';
            (9) in section 2213--
                    (A) by striking subsection (a);
                    (B) by redesignating subsections (b) through (f) as 
                subsections (a) through (e); respectively;
                    (C) in subsection (b), as so redesignated, by 
                striking ``subsection (b)'' each place it appears and 
                inserting ``subsection (a)'';
                    (D) in subsection (c), as so redesignated, in the 
                matter preceding paragraph (1), by striking 
                ``subsection (b)'' and inserting ``subsection (a)''; 
                and
                    (E) in subsection (d), as so redesignated--
                            (i) in paragraph (1)--
                                    (I) in the matter preceding 
                                subparagraph (A), by striking 
                                ``subsection (c)(2)'' and inserting 
                                ``subsection (b)(2)'';
                                    (II) in subparagraph (A), by 
                                striking ``subsection (c)(1)'' and 
                                inserting ``subsection (b)(1)''; and
                                    (III) in subparagraph (B), by 
                                striking ``subsection (c)(2)'' and 
                                inserting ``subsection (b)(2)''; and
                            (ii) in paragraph (2), by striking 
                        ``subsection (c)(2)'' and inserting 
                        ``subsection (b)(2)'';
            (10) in section 2216, as so redesignated--
                    (A) in subsection (d)(2), by striking ``information 
                sharing and analysis organizations'' and inserting 
                ``Information Sharing and Analysis Organizations''; and
                    (B) by striking subsection (f) and inserting the 
                following:
    ``(f) Cyber Defense Operation Defined.--In this section, the term 
`cyber defense operation' means the use of a defensive measure.'';
            (11) in section 2218(c)(4)(A), as so redesignated, by 
        striking ``information sharing and analysis organizations'' and 
        inserting ``Information Sharing and Analysis Organizations''; 
        and
            (12) in section 2222--
                    (A) by striking paragraphs (3), (5), and (8);
                    (B) by redesignating paragraph (4) as paragraph 
                (3); and
                    (C) by redesignating paragraphs (6) and (7) as 
                paragraphs (4) and (5), respectively.
    (c) Table of Contents Amendments.--The table of contents in section 
1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 116 
Stat. 2135) is amended--
            (1) by inserting before the item relating to subtitle A of 
        title XXII the following:

``Sec. 2200. Definitions.'';
            (2) by striking the item relating to section 2201 and 
        insert the following:

``Sec. 2201. Definition.''; and
            (3) by striking the item relating to section 2214 and all 
        that follows through the item relating to section 2217 and 
        inserting the following:

``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint Cyber Planning Office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity Education and Training Programs.''.
    (d) Cybersecurity Act of 2015 Definitions.--Section 102 of the 
Cybersecurity Act of 2015 (6 U.S.C. 1501) is amended--
            (1) by striking paragraphs (4) through (7) and inserting 
        the following:
            ``(4) Cybersecurity purpose.--The term `cybersecurity 
        purpose' has the meaning given the term in section 2200 of the 
        Homeland Security Act of 2002.
            ``(5) Cybersecurity threat.--The term `cybersecurity 
        threat' has the meaning given the term in section 2200 of the 
        Homeland Security Act of 2002.
            ``(6) Cyber threat indicator.--The term `cyber threat 
        indicator' has the meaning given the term in section 2200 of 
        the Homeland Security Act of 2002.
            ``(7) Defensive measure.--The term `defensive measure' has 
        the meaning given the term in section 2200 of the Homeland 
        Security Act of 2002.'';
            (2) by striking paragraph (13) and inserting the following:
            ``(13) Monitor.-- The term `monitor' has the meaning given 
        the term in section 2200 of the Homeland Security Act of 
        2002.''; and
            (3) by striking paragraphs (16) and (17) and inserting the 
        following:
            ``(16) Security control.--The term `security control' has 
        the meaning given the term in section 2200 of the Homeland 
        Security Act of 2002.
            ``(17) Security vulnerability.--The term `security 
        vulnerability' has the meaning given the term in section 2200 
        of the Homeland Security Act of 2002.''.

SEC. 4. ADDITIONAL TECHNICAL AND CONFORMING AMENDMENTS.

    (a) Federal Cybersecurity Enhancement Act of 2015.--The Federal 
Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1521 et seq.) is 
amended--
            (1) in section 222 (6 U.S.C. 1521)--
                    (A) in paragraph (2), by striking ``section 2210'' 
                and inserting ``section 2200''; and
                    (B) in paragraph (4), by striking ``section 2209'' 
                and inserting ``section 2200'';
            (2) in section 223(b) (6 U.S.C. 151 note), by striking 
        ``section 2213(b)(1)'' each place it appears and inserting 
        ``section 2213(a)(1)'';
            (3) in section 226 (6 U.S.C. 1524)--
                    (A) in subsection (a)--
                            (i) in paragraph (1), by striking ``section 
                        2213'' and inserting ``section 2200'';
                            (ii) in paragraph (2), by striking 
                        ``section 102'' and inserting ``section 2200 of 
                        the Homeland Security Act of 2002'';
                            (iii) in paragraph (4), by striking 
                        ``section 2210(b)(1)'' and inserting ``section 
                        2210(a)(1)''; and
                            (iv) in paragraph (5), by striking 
                        ``section 2213(b)'' and inserting ``section 
                        2213(a)''; and
                    (B) in subsection (c)(1)(A)(vi), by striking 
                ``section 2213(c)(5)'' and inserting ``section 
                2213(b)(5)''; and
            (4) in section 227(b) (6 U.S.C. 1525(b)), by striking 
        ``section 2213(d)(2)'' and inserting ``section 2213(c)(2)''.
    (b) Public Health Service Act.--Section 2811(b)(4)(D) of the Public 
Health Service Act (42 U.S.C. 300hh-10(b)(4)(D)) is amended by striking 
``section 228(c) of the Homeland Security Act of 2002 (6 U.S.C. 
149(c))'' and inserting ``section 2210(b) of the Homeland Security Act 
of 2002 (6 U.S.C. 660(b))''.
    (c) William M. (Mac) Thornberry National Defense Authorization Act 
of Fiscal Year 2021.--Section 9002 of the William M. (Mac) Thornberry 
National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 652a) 
is amended--
            (1) in subsection (a)--
                    (A) in paragraph (5), by striking ``section 2222(5) 
                of the Homeland Security Act of 2002 (6 U.S.C. 
                671(5))'' and inserting ``section 2200 of the Homeland 
                Security Act of 2002''; and
                    (B) by amending paragraph (7) to read as follows:
            ``(7) Sector risk management agency.--The term `Sector Risk 
        Management Agency' has the meaning given the term in section 
        2200 of the Homeland Security Act of 2002.'';
            (2) in subsection (c)(3)(B), by striking ``section 
        2201(5)'' and inserting ``section 2200''; and
            (3) in subsection (d)--
                    (A) by striking ``section 2215'' and inserting 
                ``2218''; and
                    (B) by striking ``, as added by this section''.
    (d) National Security Act of 1947.--Section 113B of the National 
Security Act of 1947 (50 U.S.C. 3049a(b)(4)) is amended by striking 
section ``226 of the Homeland Security Act of 2002 (6 U.S.C. 147)'' and 
inserting ``section 2208 of the Homeland Security Act of 2002 (6 U.S.C. 
658)''.
    (e) IoT Cybersecurity Improvement Act of 2020.--Section 5(b)(3) of 
the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3c) is 
amended by striking ``section 2209(m) of the Homeland Security Act of 
2002 (6 U.S.C. 659(m))'' and inserting ``section 2209(l) of the 
Homeland Security Act of 2002 (6 U.S.C. 659(l))''.
    (f) Small Business Act.--Section 21(a)(8)(B) of the Small Business 
Act (15 U.S.C. 648(a)(8)(B)) is amended by striking ``section 2209(a)'' 
and inserting ``section 2200''.
    (g) Title 46.--Section 70101(2) of title 46, United States Code, is 
amended by striking ``section 227 of the Homeland Security Act of 2002 
(6 U.S.C. 148)'' and inserting ``section 2200 of the Homeland Security 
Act of 2002''.
                                                       Calendar No. 632

117th CONGRESS

  2d Session

                                S. 2540

                          [Report No. 117-248]

_______________________________________________________________________

                                 A BILL

 To make technical corrections to title XXII of the Homeland Security 
                  Act of 2002, and for other purposes.

_______________________________________________________________________

                           December 13, 2022

                       Reported with an amendment