[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2993 Reported in Senate (RS)]

                                                       Calendar No. 674
117th CONGRESS
  2d Session
                                S. 2993

                          [Report No. 117-275]

    To amend the Homeland Security Act of 2002 to establish in the 
  Cybersecurity and Infrastructure Security Agency the National Cyber 
               Exercise Program, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            October 19, 2021

    Ms. Rosen (for herself, Mr. Sasse, and Mr. King) introduced the 
 following bill; which was read twice and referred to the Committee on 
               Homeland Security and Governmental Affairs

                           December 19, 2022

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
    To amend the Homeland Security Act of 2002 to establish in the 
  Cybersecurity and Infrastructure Security Agency the National Cyber 
               Exercise Program, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``CISA Cyber Exercise 
Act''.</DELETED>

<DELETED>SEC. 2. NATIONAL CYBER EXERCISE PROGRAM.</DELETED>

<DELETED>    (a) In General.--Subtitle A of title XXII of the Homeland 
Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the 
end the following new section:</DELETED>

<DELETED>``SEC. 2220A. NATIONAL CYBER EXERCISE PROGRAM.</DELETED>

<DELETED>    ``(a) Establishment of Program.--</DELETED>
        <DELETED>    ``(1) In general.--There is established in the 
        Agency the National Cyber Exercise Program (referred to in this 
        section as the `Exercise Program') to evaluate the National 
        Cyber Incident Response Plan, and other related plans and 
        strategies.</DELETED>
        <DELETED>    ``(2) Requirements.--</DELETED>
                <DELETED>    ``(A) In general.--The Exercise Program 
                shall be--</DELETED>
                        <DELETED>    ``(i) based on current risk 
                        assessments, including credible threats, 
                        vulnerabilities, and consequences;</DELETED>
                        <DELETED>    ``(ii) designed, to the extent 
                        practicable, to simulate the partial or 
                        complete incapacitation of a government or 
                        critical infrastructure network resulting from 
                        a cyber incident;</DELETED>
                        <DELETED>    ``(iii) designed to provide for 
                        the systematic evaluation of cyber readiness 
                        and enhance operational understanding of the 
                        cyber incident response system and relevant 
                        information sharing agreements; and</DELETED>
                        <DELETED>    ``(iv) designed to promptly 
                        develop after-action reports and plans that can 
                        quickly incorporate lessons learned into future 
                        operations.</DELETED>
                <DELETED>    ``(B) Model exercise selection.--The 
                Exercise Program shall--</DELETED>
                        <DELETED>    ``(i) include a selection of model 
                        exercises that government and private entities 
                        can readily adapt for use; and</DELETED>
                        <DELETED>    ``(ii) aid such governments and 
                        private entities with the design, 
                        implementation, and evaluation of exercises 
                        that--</DELETED>
                                <DELETED>    ``(I) conform to the 
                                requirements described in subparagraph 
                                (A);</DELETED>
                                <DELETED>    ``(II) are consistent with 
                                any applicable national, State, local, 
                                or Tribal strategy or plan; 
                                and</DELETED>
                                <DELETED>    ``(III) provide for 
                                systematic evaluation of 
                                readiness.</DELETED>
        <DELETED>    ``(3) Consultation.--In carrying out the Exercise 
        Program, the Director may consult with appropriate 
        representatives from Sector Risk Management Agencies, the 
        Office of the National Cyber Director, cybersecurity research 
        stakeholders, and Sector Coordinating Councils.</DELETED>
<DELETED>    ``(b) Definitions.--In this section:</DELETED>
        <DELETED>    ``(1) State.--The term `State' means any State of 
        the United States, the District of Columbia, the Commonwealth 
        of Puerto Rico, the Northern Mariana Islands, the United States 
        Virgin Islands, Guam, American Samoa, and any other territory 
        or possession of the United States.</DELETED>
        <DELETED>    ``(2) Private entity.--The term `private entity' 
        has the meaning given such term in section 102 of the 
        Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 
        1501).''.</DELETED>
<DELETED>    (b) Technical Amendments.--</DELETED>
        <DELETED>    (1) Homeland security act of 2002.--Subtitle A of 
        title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 
        et seq.) is amended--</DELETED>
                <DELETED>    (A) in the first section 2215 (6 U.S.C. 
                665; relating to the duties and authorities relating to 
                .gov internet domain), by amending the section 
                enumerator and heading to read as follows:</DELETED>

<DELETED>``SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV INTERNET 
              DOMAIN.'';</DELETED>

                <DELETED>    (B) in the second section 2215 (6 U.S.C. 
                665b; relating to the joint cyber planning office), by 
                amending the section enumerator and heading to read as 
                follows:</DELETED>

<DELETED>``SEC. 2216. JOINT CYBER PLANNING OFFICE.'';</DELETED>

                <DELETED>    (C) in the third section 2215 (6 U.S.C. 
                665c; relating to the Cybersecurity State Coordinator), 
                by amending the section enumerator and heading to read 
                as follows:</DELETED>

<DELETED>``SEC. 2217. CYBERSECURITY STATE COORDINATOR.'';</DELETED>

                <DELETED>    (D) in the fourth section 2215 (6 U.S.C. 
                665d; relating to Sector Risk Management Agencies), by 
                amending the section enumerator and heading to read as 
                follows:</DELETED>

<DELETED>``SEC. 2218. SECTOR RISK MANAGEMENT AGENCIES.'';</DELETED>

                <DELETED>    (E) in section 2216 (6 U.S.C. 665e; 
                relating to the Cybersecurity Advisory Committee), by 
                amending the section enumerator and heading to read as 
                follows:</DELETED>

<DELETED>``SEC. 2219. CYBERSECURITY ADVISORY COMMITTEE.'';</DELETED>

                <DELETED>and</DELETED>
                <DELETED>    (F) in section 2217 (6 U.S.C. 665f; 
                relating to Cybersecurity Education and Training 
                Programs), by amending the section enumerator and 
                heading to read as follows:</DELETED>

<DELETED>``SEC. 2220. CYBERSECURITY EDUCATION AND TRAINING 
              PROGRAMS.''.</DELETED>

        <DELETED>    (2) Consolidated appropriations act, 2021.--
        Paragraph (1) of section 904(b) of division U of the 
        Consolidated Appropriations Act, 2021 (Public Law 116-260) is 
        amended, in the matter preceding subparagraph (A), by inserting 
        ``of 2002'' after ``Homeland Security Act''.</DELETED>
<DELETED>    (c) Clerical Amendment.--The table of contents in section 
1(b) of the Homeland Security Act of 2002 is amended by striking the 
items relating to sections 2214 through 2217 and inserting the 
following new items:</DELETED>

<DELETED>``Sec. 2214. National Asset Database.
<DELETED>``Sec. 2215. Duties and authorities relating to .gov internet 
                            domain.
<DELETED>``Sec. 2216. Joint cyber planning office.
<DELETED>``Sec. 2217. Cybersecurity State Coordinator.
<DELETED>``Sec. 2218. Sector Risk Management Agencies.
<DELETED>``Sec. 2219. Cybersecurity Advisory Committee.
<DELETED>``Sec. 2220. Cybersecurity Education and Training Programs.
<DELETED>``Sec. 2220A. National Cyber Exercise Program.''.

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``CISA Cyber Exercise Act''.

SEC. 2. NATIONAL CYBER EXERCISE PROGRAM.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following new section:

``SEC. 2220A. NATIONAL CYBER EXERCISE PROGRAM.

    ``(a) Establishment of Program.--
            ``(1) In general.--There is established in the Agency the 
        National Cyber Exercise Program (referred to in this section as 
        the `Exercise Program') to evaluate the National Cyber Incident 
        Response Plan, and other related plans and strategies.
            ``(2) Requirements.--
                    ``(A) In general.--The Exercise Program shall be--
                            ``(i) based on current risk assessments, 
                        including credible threats, vulnerabilities, 
                        and consequences;
                            ``(ii) designed, to the extent practicable, 
                        to simulate the partial or complete 
                        incapacitation of a government or critical 
                        infrastructure network resulting from a cyber 
                        incident;
                            ``(iii) designed to provide for the 
                        systematic evaluation of cyber readiness and 
                        enhance operational understanding of the cyber 
                        incident response system and relevant 
                        information sharing agreements; and
                            ``(iv) designed to promptly develop after-
                        action reports and plans that can quickly 
                        incorporate lessons learned into future 
                        operations.
                    ``(B) Model exercise selection.--The Exercise 
                Program shall--
                            ``(i) include a selection of model 
                        exercises that government and private entities 
                        can readily adapt for use; and
                            ``(ii) aid such governments and private 
                        entities with the design, implementation, and 
                        evaluation of exercises that--
                                    ``(I) conform to the requirements 
                                described in subparagraph (A);
                                    ``(II) are consistent with any 
                                applicable national, State, local, or 
                                Tribal strategy or plan; and
                                    ``(III) provide for systematic 
                                evaluation of readiness.
            ``(3) Consultation.--In carrying out the Exercise Program, 
        the Director may consult with appropriate representatives from 
        Sector Risk Management Agencies, the Office of the National 
        Cyber Director, cybersecurity research stakeholders, and Sector 
        Coordinating Councils.
    ``(b) Definitions.--In this section:
            ``(1) State.--The term `State' means any State of the 
        United States, the District of Columbia, the Commonwealth of 
        Puerto Rico, the Northern Mariana Islands, the United States 
        Virgin Islands, Guam, American Samoa, and any other territory 
        or possession of the United States.
            ``(2) Private entity.--The term `private entity' has the 
        meaning given such term in section 102 of the Cybersecurity 
        Information Sharing Act of 2015 (6 U.S.C. 1501).
    ``(c) Rule of Construction.--Nothing in this section shall be 
construed to affect the authority or responsibilities of the 
Administrator of the Federal Emergency Management Agency pursuant to 
section 648 of the Post-Katrina Emergency Management Reform Act of 2006 
(6 U.S.C. 748).''.
    (b) Clerical Amendment.--The table of contents in section 1(b) of 
the Homeland Security Act of 2002 is amended by inserting after the 
item relating to section 2217 the following:

``Sec. 2220A. National Cyber Exercise Program.''.