[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 3511 Reported in Senate (RS)]

                                                       Calendar No. 428
117th CONGRESS
  2d Session
                                S. 3511

                          [Report No. 117-122]

    To require a report on Federal support to the cybersecurity of 
         commercial satellite systems, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

             January 13 (legislative day, January 10), 2022

Mr. Peters (for himself and Mr. Cornyn) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

                             June 21, 2022

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
    To require a report on Federal support to the cybersecurity of 
         commercial satellite systems, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Satellite Cybersecurity 
Act''.</DELETED>

<DELETED>SEC. 2. DEFINITIONS.</DELETED>

<DELETED>    In this Act:</DELETED>
        <DELETED>    (1) Commercial satellite system.--The term 
        ``commercial satellite system'' means an earth satellite owned 
        and operated by a non-Federal entity.</DELETED>
        <DELETED>    (2) Critical infrastructure.--The term ``critical 
        infrastructure'' has the meaning given the term in subsection 
        (e) of the Critical Infrastructure Protection Act of 2001 (42 
        U.S.C. 5195c(e)).</DELETED>
        <DELETED>    (3) Cybersecurity risk.--The term ``cybersecurity 
        risk'' has the meaning given the term in section 2209 of the 
        Homeland Security Act of 2002 (6 U.S.C. 659).</DELETED>
        <DELETED>    (4) Cybersecurity threat.--The term 
        ``cybersecurity threat'' has the meaning given the term in 
        section 102 of the Cybersecurity Information Sharing Act of 
        2015 (6 U.S.C. 1501).</DELETED>

<DELETED>SEC. 3. REPORT ON COMMERCIAL SATELLITE 
              CYBERSECURITY.</DELETED>

<DELETED>    (a) Study.--The Comptroller General of the United States 
shall conduct a study on the actions the Federal Government has taken 
to support the cybersecurity of commercial satellite systems, including 
as part of any action to address the cybersecurity of critical 
infrastructure sectors.</DELETED>
<DELETED>    (b) Report.--Not later than 1 year after the date of 
enactment of this Act, the Comptroller General of the United States 
shall report to Congress on the study conducted under subsection (a), 
which shall include information on--</DELETED>
        <DELETED>    (1) the effectiveness of efforts of the Federal 
        Government in improving the cybersecurity of commercial 
        satellite systems;</DELETED>
        <DELETED>    (2) the resources made available to the public by 
        Federal agencies to address cybersecurity threats to commercial 
        satellite systems;</DELETED>
        <DELETED>    (3) the extent to which commercial satellite 
        systems are reliant on or are relied on by critical 
        infrastructure and an analysis of how commercial satellite 
        systems, and the threats to such systems, are integrated into 
        Federal and non-Federal critical infrastructure risk analyses 
        and protection plans;</DELETED>
        <DELETED>    (4) the extent to which Federal agencies are 
        reliant on commercial satellite systems and how Federal 
        agencies mitigate cybersecurity risks associated with those 
        systems; and</DELETED>
        <DELETED>    (5) the extent to which Federal agencies 
        coordinate or duplicate authorities and take other actions 
        focused on the cybersecurity of commercial satellite 
        systems.</DELETED>
<DELETED>    (c) Consultation.--In carrying out subsections (a) and 
(b), the Comptroller General of the United States shall coordinate 
with--</DELETED>
        <DELETED>    (1) the Secretary of Homeland Security;</DELETED>
        <DELETED>    (2) the Director of the National Institute of 
        Standards and Technology;</DELETED>
        <DELETED>    (3) the Secretary of Defense;</DELETED>
        <DELETED>    (4) the Federal Communications 
        Commission;</DELETED>
        <DELETED>    (5) the National Oceanic and Atmospheric 
        Administration;</DELETED>
        <DELETED>    (6) the National Aeronautics and Space 
        Administration;</DELETED>
        <DELETED>    (7) the Federal Aviation Administration; 
        and</DELETED>
        <DELETED>    (8) the head of any other Federal agency 
        determined appropriate by the Comptroller General of the United 
        States.</DELETED>

<DELETED>SEC. 4. RESPONSIBILITIES OF THE CYBERSECURITY AND 
              INFRASTRUCTURE SECURITY AGENCY.</DELETED>

<DELETED>    (a) Definitions.--In this section:</DELETED>
        <DELETED>    (1) Clearinghouse.--The term ``clearinghouse'' 
        means the commercial satellite system cybersecurity 
        clearinghouse required to be developed and maintained under 
        subsection (b)(1).</DELETED>
        <DELETED>    (2) Director.--The term ``Director'' means the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency.</DELETED>
        <DELETED>    (3) Small business concern.--The term ``small 
        business concern'' has the meaning given the term in section 3 
        of the Small Business Act (15 U.S.C. 632).</DELETED>
<DELETED>    (b) Establishment of Commercial Satellite System 
Cybersecurity Clearinghouse.--</DELETED>
        <DELETED>    (1) In general.--Not later than 180 days after the 
        date of enactment of this Act, the Director shall develop and 
        maintain a commercial satellite system cybersecurity 
        clearinghouse.</DELETED>
        <DELETED>    (2) Requirements.--The clearinghouse shall--
        </DELETED>
                <DELETED>    (A) be publicly available 
                online;</DELETED>
                <DELETED>    (B) contain publicly available commercial 
                satellite system cybersecurity resources, including the 
                recommendations developed under subsection (c), and any 
                other materials developed by entities in the Federal 
                Government, for reference by entities that develop 
                commercial satellite systems; and</DELETED>
                <DELETED>    (C) include materials specifically aimed 
                at assisting small business concerns with the secure 
                development, operation, and maintenance of commercial 
                satellite systems.</DELETED>
        <DELETED>    (3) Content maintenance.--The Director shall 
        maintain current and relevant cybersecurity information on the 
        clearinghouse.</DELETED>
        <DELETED>    (4) Existing platform or website.--The Director 
        may establish and maintain the clearinghouse on an online 
        platform or a website that is in existence as of the date of 
        enactment of this Act.</DELETED>
<DELETED>    (c) Development of Commercial Satellite System 
Cybersecurity Recommendations.--</DELETED>
        <DELETED>    (1) In general.--The Director shall develop 
        voluntary cybersecurity recommendations designed to assist in 
        the development, maintenance, and operation of commercial 
        satellite systems.</DELETED>
        <DELETED>    (2) Requirements.--The recommendations required 
        under paragraph (1) shall include materials addressing the 
        following:</DELETED>
                <DELETED>    (A) Risk-based, cybersecurity-informed 
                engineering, including continuous monitoring and 
                resiliency.</DELETED>
                <DELETED>    (B) Planning for retention or recovery of 
                positive control of commercial satellite systems in the 
                event of a cybersecurity incident.</DELETED>
                <DELETED>    (C) Protection against unauthorized access 
                to vital commercial satellite system 
                functions.</DELETED>
                <DELETED>    (D) Physical protection measures designed 
                to reduce the vulnerabilities of a commercial satellite 
                system's command, control, and telemetry receiver 
                systems.</DELETED>
                <DELETED>    (E) Protection against communications 
                jamming and spoofing.</DELETED>
                <DELETED>    (F) Security against threats throughout a 
                commercial satellite system's mission 
                lifetime.</DELETED>
                <DELETED>    (G) Management of supply chain risks that 
                affect cybersecurity of commercial satellite 
                systems.</DELETED>
                <DELETED>    (H) As appropriate, the findings and 
                recommendations from the study conducted by the 
                Comptroller General of the United States under section 
                3(a).</DELETED>
                <DELETED>    (I) Any other recommendations to ensure 
                the confidentiality, availability, and integrity of 
                data residing on or in transit through commercial 
                satellite systems.</DELETED>
<DELETED>    (d) Consultation.--With respect to the collation and 
development of clearinghouse content under subsection (b)(2) and the 
recommendations developed pursuant to subsection (c), the Director 
shall consult with--</DELETED>
        <DELETED>    (1) the heads of appropriate Federal agencies with 
        expertise and experience in satellite operations; and</DELETED>
        <DELETED>    (2) non-Federal entities developing commercial 
        satellite systems or otherwise supporting the cybersecurity of 
        commercial satellite systems.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Satellite Cybersecurity Act''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Commercial satellite system.--The term ``commercial 
        satellite system'' means an earth satellite owned and operated 
        by a non-Federal entity.
            (2) Critical infrastructure.--The term ``critical 
        infrastructure'' has the meaning given the term in subsection 
        (e) of the Critical Infrastructure Protection Act of 2001 (42 
        U.S.C. 5195c(e)).
            (3) Cybersecurity risk.--The term ``cybersecurity risk'' 
        has the meaning given the term in section 2209 of the Homeland 
        Security Act of 2002 (6 U.S.C. 659).
            (4) Cybersecurity threat.--The term ``cybersecurity 
        threat'' has the meaning given the term in section 102 of the 
        Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).

SEC. 3. REPORT ON COMMERCIAL SATELLITE CYBERSECURITY.

    (a) Study.--The Comptroller General of the United States shall 
conduct a study on the actions the Federal Government has taken to 
support the cybersecurity of commercial satellite systems, including as 
part of any action to address the cybersecurity of critical 
infrastructure sectors.
    (b) Report.--Not later than 2 years after the date of enactment of 
this Act, the Comptroller General of the United States shall report to 
Congress on the study conducted under subsection (a), which shall 
include information on--
            (1) the effectiveness of efforts of the Federal Government 
        in improving the cybersecurity of commercial satellite systems;
            (2) the resources made available to the public, as of the 
        date of enactment of this Act, by Federal agencies to address 
        cybersecurity risks and threats to commercial satellite 
        systems;
            (3) the extent to which commercial satellite systems are 
        reliant on or are relied on by critical infrastructure and an 
        analysis of how commercial satellite systems, and the threats 
        to such systems, are integrated into Federal and non-Federal 
        critical infrastructure risk analyses and protection plans;
            (4) the extent to which Federal agencies are reliant on 
        commercial satellite systems and how Federal agencies mitigate 
        cybersecurity risks associated with those systems;
            (5) the extent to which Federal agencies are reliant on 
        commercial satellite systems owned wholly or in part or 
        controlled by foreign entities, and how Federal agencies 
        mitigate associated cybersecurity risks;
            (6) the extent to which Federal agencies are reliant on 
        commercial satellite systems with physical structures, such as 
        satellite ground control systems, in foreign countries, and how 
        Federal agencies mitigate associated cybersecurity risks; and
            (7) the extent to which Federal agencies coordinate or 
        duplicate authorities and take other actions focused on the 
        cybersecurity of commercial satellite systems.
    (c) Consultation.--In carrying out subsections (a) and (b), the 
Comptroller General of the United States shall coordinate with 
appropriate Federal agencies, including--
            (1) the Department of Homeland Security;
            (2) the Department of Commerce;
            (3) the Department of Defense;
            (4) the Department of Transportation;
            (5) the Federal Communications Commission;
            (6) the National Aeronautics and Space Administration; and
            (7) the National Executive Committee for Space-Based 
        Positioning, Navigation, and Timing.
    (d) Briefing.--Not later than 1 year after the date of enactment of 
this Act, the Comptroller General of the United States shall provide a 
briefing to the appropriate congressional committees.
    (e) Classification.--The report made under subsection (b) shall be 
unclassified but may include a classified annex.

SEC. 4. RESPONSIBILITIES OF THE CYBERSECURITY AND INFRASTRUCTURE 
              SECURITY AGENCY.

    (a) Definitions.--In this section:
            (1) Clearinghouse.--The term ``clearinghouse'' means the 
        commercial satellite system cybersecurity clearinghouse 
        required to be developed and maintained under subsection 
        (b)(1).
            (2) Director.--The term ``Director'' means the Director of 
        the Cybersecurity and Infrastructure Security Agency.
            (3) Small business concern.--The term ``small business 
        concern'' has the meaning given the term in section 3 of the 
        Small Business Act (15 U.S.C. 632).
    (b) Establishment of Commercial Satellite System Cybersecurity 
Clearinghouse.--
            (1) In general.--Not later than 180 days after the date of 
        enactment of this Act, the Director shall develop and maintain 
        a commercial satellite system cybersecurity clearinghouse.
            (2) Requirements.--The clearinghouse shall--
                    (A) be publicly available online;
                    (B) contain publicly available commercial satellite 
                system cybersecurity resources, including the 
                recommendations consolidated under subsection (c)(1), 
                and any other appropriate materials for reference by 
                entities that develop commercial satellite systems; and
                    (C) include materials specifically aimed at 
                assisting small business concerns with the secure 
                development, operation, and maintenance of commercial 
                satellite systems.
            (3) Content maintenance.--The Director shall maintain 
        current and relevant cybersecurity information on the 
        clearinghouse.
            (4) Existing platform or website.--The Director may 
        establish and maintain the clearinghouse on an online platform 
        or a website that is in existence as of the date of enactment 
        of this Act.
    (c) Consolidation of Commercial Satellite System Cybersecurity 
Recommendations.--
            (1) In general.--The Director shall consolidate voluntary 
        cybersecurity recommendations designed to assist in the 
        development, maintenance, and operation of commercial satellite 
        systems.
            (2) Requirements.--The recommendations consolidated under 
        paragraph (1) shall include, to the greatest extent 
        practicable, materials addressing the following:
                    (A) Risk-based, cybersecurity-informed engineering, 
                including continuous monitoring and resiliency.
                    (B) Planning for retention or recovery of positive 
                control of commercial satellite systems in the event of 
                a cybersecurity incident.
                    (C) Protection against unauthorized access to vital 
                commercial satellite system functions.
                    (D) Physical protection measures designed to reduce 
                the vulnerabilities of a commercial satellite system's 
                command, control, and telemetry receiver systems.
                    (E) Protection against jamming and spoofing.
                    (F) Security against threats throughout a 
                commercial satellite system's mission lifetime.
                    (G) Management of supply chain risks that affect 
                the cybersecurity of commercial satellite systems.
                    (H) Protection against vulnerabilities posed by 
                ownership of commercial satellite systems or commercial 
                satellite system companies by foreign entities.
                    (I) Protection against vulnerabilities posed by 
                locating physical infrastructure, such as satellite 
                ground control systems, in foreign countries.
                    (J) As appropriate, and as applicable pursuant to 
                the maintenance requirement under subsection (b)(3), 
                the findings and recommendations from the study 
                conducted by the Comptroller General of the United 
                States under section 3(a).
                    (K) Any other recommendations to ensure the 
                confidentiality, availability, and integrity of data 
                residing on or in transit through commercial satellite 
                systems.
    (d) Implementation.--In implementing this Act, the Director shall--
            (1) to the extent practicable, carry out the implementation 
        as a public-private partnership;
            (2) coordinate with the heads of appropriate Federal 
        agencies with expertise and experience in satellite operations, 
        including the entities described in section 3(c); and
            (3) consult with non-Federal entities developing commercial 
        satellite systems or otherwise supporting the cybersecurity of 
        commercial satellite systems, including private, consensus 
        organizations that develop relevant standards.