[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 3894 Introduced in Senate (IS)]

117th CONGRESS
  2d Session
                                S. 3894

 To amend the Homeland Security Act of 2002 to authorize the Secretary 
    of Homeland Security to establish a continuous diagnostics and 
  mitigation program in the Cybersecurity and Infrastructure Security 
 Agency of the Department of Homeland Security, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 22, 2022

Mr. Cornyn (for himself and Ms. Hassan) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

_______________________________________________________________________

                                 A BILL

 To amend the Homeland Security Act of 2002 to authorize the Secretary 
    of Homeland Security to establish a continuous diagnostics and 
  mitigation program in the Cybersecurity and Infrastructure Security 
 Agency of the Department of Homeland Security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Advancing Cybersecurity Through 
Continuous Diagnostics and Mitigation Act''.

SEC. 2. ESTABLISHMENT OF FEDERAL INTRUSION DETECTION AND PREVENTION 
              SYSTEM AND CONTINUOUS DIAGNOSTICS AND MITIGATION PROGRAM 
              IN THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY.

    (a) In General.--Section 2213 of the Homeland Security Act of 2002 
(6 U.S.C. 663) is amended by adding at the end the following:
    ``(g) Continuous Diagnostics and Mitigation.--
            ``(1) Program.--
                    ``(A) In general.--The Secretary, acting through 
                the Director, shall, with or without reimbursement, 
                deploy, operate, and maintain a continuous diagnostics 
                and mitigation program for agencies under which the 
                Secretary shall--
                            ``(i) assist agencies to continuously 
                        diagnose and mitigate cyber threats and 
                        vulnerabilities;
                            ``(ii) develop and provide the capability 
                        to collect, analyze, and visualize information 
                        relating to security data and cybersecurity 
                        risks at agencies;
                            ``(iii) employ shared services, collective 
                        purchasing, blanket purchase agreements, and 
                        any other economic or procurement models the 
                        Secretary determines appropriate to maximize 
                        the cost savings associated with implementing 
                        the program;
                            ``(iv) assist agencies in setting 
                        information security priorities and assessing 
                        and managing cybersecurity risks;
                            ``(v) develop policies and procedures for 
                        reporting systemic cybersecurity risks and 
                        potential incidents based upon data collected 
                        under the program; and
                            ``(vi) promote the adoption of a zero trust 
                        security model in improving agency 
                        cybersecurity readiness.
                    ``(B) Regular improvement.--The Secretary shall 
                regularly--
                            ``(i) deploy new technologies and modify 
                        existing technologies to the continuous 
                        diagnostics and mitigation program required 
                        under subparagraph (A), as appropriate, to 
                        improve the program; and
                            ``(ii) update the technical requirements 
                        documentation of the continuous diagnostics and 
                        mitigation program required under subparagraph 
                        (A) to account for emerging technology 
                        capabilities such as cloud computing and 
                        comprehensive cloud security controls.
            ``(2) Agency responsibilities.--Notwithstanding any other 
        provision of law, each agency that uses the continuous 
        diagnostics and mitigation program under paragraph (1) shall, 
        continuously and in real time, provide to and allow access for 
        the Secretary to collect all information, assessments, 
        analyses, and raw data collected by the program, in a manner 
        specified by the Secretary.
            ``(3) Responsibilities of the secretary.--In carrying out 
        the continuous diagnostics and mitigation program under 
        paragraph (1), the Secretary, acting through the Director, 
        shall--
                    ``(A) share with agencies relevant analysis and 
                products developed under the program;
                    ``(B) provide regular reports on cybersecurity 
                risks to agencies;
                    ``(C) provide comparative assessments of 
                cybersecurity risks for agencies;
                    ``(D) oversee the integration of continuous 
                diagnostics and mitigation products and services into 
                agency systems;
                    ``(E) establish performance requirements for 
                product integrators;
                    ``(F) at the request of an agency, provide 
                technical assistance in selecting, procuring, and 
                integrating continuous diagnostics and mitigation 
                products and services;
                    ``(G) not less than once each fiscal year, submit 
                to the appropriate committees of Congress a report that 
                includes--
                            ``(i) the progress made by each agency to 
                        meet continuous diagnostics and mitigation 
                        benchmarks from the beginning of the 
                        implementation through the date of the report; 
                        and
                            ``(ii) a summary of the efforts of each 
                        agency to account for emerging technology 
                        capabilities; and
                    ``(H) take steps to ensure that the security data 
                collected through the program is aggregated with other 
                Government-wide cybersecurity programs to better 
                automate defensive capabilities.''.
    (b) Continuous Diagnostics and Mitigation Strategy.--
            (1) In general.--Not later than 180 days after the date of 
        the enactment of this Act, the Secretary of Homeland Security 
        shall develop a comprehensive continuous diagnostics and 
        mitigation strategy to carry out the continuous diagnostics and 
        mitigation program required under subsection (g) of section 
        2213 of the Homeland Security Act of 2002 (6 U.S.C. 663), as 
        added by subsection (a).
            (2) Scope.--The strategy required under paragraph (1) shall 
        include the following:
                    (A) A description of the coordination and funding 
                required to deploy, install, and maintain the tools, 
                capabilities, and services that the Secretary of 
                Homeland Security determines to be necessary to satisfy 
                the requirements of such program.
                    (B) A description of any obstacles facing the 
                deployment, installation, and maintenance of tools, 
                capabilities, and services under such program.
                    (C) Guidelines to help maintain and continuously 
                upgrade tools, capabilities, and services provided 
                under such program.
                    (D) A plan for using the data collected by such 
                program for creating a common framework for data 
                analytics, visualization of enterprise-wide risks, and 
                real-time reporting, and comparative assessments for 
                cybersecurity risks.
                    (E) Recommendations for using the data to enable 
                the Cybersecurity and Infrastructure Security Agency to 
                engage in cyber hunt and detection and response 
                activities.
                    (F) Recommendations for future efforts and 
                activities, including for the rollout of new and 
                emerging tools, capabilities, and services, proposed 
                timelines for delivery, and whether to continue the use 
                of phased rollout plans, related to securing networks, 
                devices, data, and information and operational 
                technology assets through the use of such program.
                    (G) Recommendations for improving the integration 
                process of continuous diagnostics and mitigation 
                products and capabilities within agency systems.
            (3) Form.--The strategy required under paragraph (1) shall 
        be submitted in an unclassified form, but may contain a 
        classified annex.

SEC. 3. FEDERAL INTRUSION DETECTION AND PREVENTION SYSTEM AND 
              CONTINUOUS DIAGNOSTICS AND MITIGATION PILOT PROGRAM FOR 
              STATE, LOCAL, TRIBAL, AND TERRITORIAL GOVERNMENTS.

    (a) Definitions.--In this section--
            (1) the terms ``local government'' and ``State'' have the 
        meanings given those terms in section 3 of the Homeland 
        Security Act of 2002 (6 U.S.C. 101);
            (2) the term ``Secretary'' means the Secretary of Homeland 
        Security; and
            (3) the term ``Tribal government'' means the recognized 
        governing body of any Indian or Alaska Native Tribe, band, 
        nation, pueblo, village, community, component band, or 
        component reservation, that is individually identified 
        (including parenthetically) in the most recent list published 
        pursuant to section 104 of the Federally Recognized Indian 
        Tribe List Act of 1994 (25 U.S.C. 5131).
    (b) Establishment.--The Secretary shall conduct a Continuous 
Diagnostics and Mitigation Pilot Program with not less than 5 State, 
local, Tribal, or territorial governments to--
            (1) promote the use of technologies and services in the 
        continuous diagnostics and mitigation program described in 
        subsection (g) of section 2213 of the Homeland Security Act of 
        2002 (6 U.S.C. 663), as added by section 2 of this Act, at the 
        State, local, Tribal, and territorial government level;
            (2) with or without reimbursement, make accessing the 
        technologies and services described in paragraph (1) by State, 
        local, Tribal, and territorial governments as affordable and 
        simple as possible;
            (3) promote the adoption of a zero trust security model in 
        improving cybersecurity readiness at the State, local, Tribal, 
        and territorial government level; and
            (4) provide technical assistance in integrating continuous 
        diagnostics and mitigation technologies and products into 
        State, local, Tribal, and territorial government systems.
    (c) Considerations.--In selecting a State, local, or Tribal 
government for participation in the pilot program established under 
subsection (b), the Secretary shall consider--
            (1) the extent to which the State, local, Tribal, or 
        territorial government aligns its cybersecurity policies with 
        the Center for Internet Security Critical Security Controls, 
        the National Institute of Standards and Technology 
        Cybersecurity Framework, or other widely accepted cybersecurity 
        frameworks; and
            (2) the capability of the State, local, Tribal, or 
        territorial government to deploy and maintain over time 
        continuous diagnostics and mitigation products and services.
    (d) Program Requirements.--The pilot program established under this 
section--
            (1) may not require participants to utilize certain 
        strategies or tools, and shall allow participants to select and 
        integrate tools for meeting the objectives of the pilot 
        program; and
            (2) shall include a comprehensive training curriculum and 
        integration assistance to close the technical expertise gap 
        between employees of State, local, Tribal, and territorial 
        governments and employees of the Cybersecurity and 
        Infrastructure Security Agency.
    (e) Report.--Not later than 180 days after the date on which the 
pilot program terminates under this section, the Secretary shall submit 
to Congress a report that includes--
            (1) an assessment of the replicability and the costs and 
        benefits of conducting a permanent State, local, Tribal, and 
        territorial government continuous diagnostics and mitigation 
        program as described in subsection (g) of section 2213 of the 
        Homeland Security Act of 2002 (6 U.S.C. 663), as added by 
        section 2 of this Act;
            (2) the extent to which State, local, Tribal, and 
        territorial governments in the pilot program adhere to widely 
        accepted cybersecurity standards and frameworks and the impact 
        that those policies have on potential widespread sub-Federal 
        continuous diagnostics and mitigation integration; and
            (3) an assessment of the cybersecurity readiness of 
        participants in the pilot program established under this 
        section prior to participation in the pilot program as compared 
        to after completion of the pilot program.
    (f) Termination.--The authority to conduct the pilot program under 
subsections (a) through (d) shall terminate on the date that is 3 years 
after the date of enactment of this Act.