[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2866 Introduced in House (IH)]

118th CONGRESS
  1st Session
                                H. R. 2866

   To amend the Homeland Security Act of 2002 to establish Critical 
 Technology Security Centers in the Department of Homeland Security to 
 evaluate and test the security of critical technology, and for other 
                               purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 25, 2023

    Mr. Torres of New York introduced the following bill; which was 
             referred to the Committee on Homeland Security

_______________________________________________________________________

                                 A BILL


 
   To amend the Homeland Security Act of 2002 to establish Critical 
 Technology Security Centers in the Department of Homeland Security to 
 evaluate and test the security of critical technology, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Critical Technology Security Centers 
Act of 2023''.

SEC. 2. CRITICAL TECHNOLOGY SECURITY CENTERS.

    (a) Critical Technology Security Centers.--Title III of the 
Homeland Security Act of 2002 (6 U.S.C. 181 et seq.) is amended by 
adding at the end the following new section:

``SEC. 324. CRITICAL TECHNOLOGY SECURITY CENTERS.

    ``(a) Establishment.--Not later than 180 days after the date of the 
enactment of this section, the Secretary, acting through the Under 
Secretary for Science and Technology, and in coordination with the 
Director, shall award grants, contracts, or cooperative agreements to 
covered entities for the establishment of not fewer than two 
cybersecurity-focused Critical Technology Security Centers (in this 
section referred to as `Centers') to evaluate and test the security of 
critical technology.
    ``(b) Evaluation and Testing.--In carrying out the evaluation and 
testing of the security of critical technology pursuant to subsection 
(a), the Centers shall address the following technologies:
            ``(1) The security of information and communications 
        technology that underpins national critical functions related 
        to communications.
            ``(2) The security of networked industrial equipment, such 
        as connected programmable data logic controllers and 
        supervisory control and data acquisition servers.
            ``(3) The security of open source software that underpins 
        national critical functions.
            ``(4) The security of critical software used by the Federal 
        Government.
    ``(c) Addition or Termination of Centers.--
            ``(1) In general.--The Under Secretary for Science and 
        Technology may, in coordination with the Director, award or 
        terminate grants, contracts, or cooperative agreements to 
        covered entities for the establishment of additional or 
        termination of existing Centers to evaluate and test the 
        security of critical technologies.
            ``(2) Limitation.--The authority provided under paragraph 
        (1) may be exercised except if such exercise would result in 
        the operation at any time of fewer than two Centers.
    ``(d) Selection of Critical Technologies.--
            ``(1) In general.--Before awarding a grant, contract, or 
        cooperative agreement to a covered entity to establish a 
        Center, the Under Secretary for Science and Technology shall 
        coordinate with the Director, who shall provide the Under 
        Secretary a list of critical technologies or guidance on such 
        technologies that would be within the remit of any such Center.
            ``(2) Expansion and modification.--The Under Secretary for 
        Science and Technology, in coordination with the Director, is 
        authorized to expand or modify at any time the list of critical 
        technologies or guidance on technologies referred to in 
        paragraph (1) that is within the remit of a proposed or 
        established Center.
    ``(e) Responsibilities.--In carrying out the evaluation and testing 
of the security of critical technology pursuant to subsection (a), the 
Centers shall each have the following responsibilities:
            ``(1) Conducting rigorous security testing to identify 
        vulnerabilities in such technologies.
            ``(2) Utilizing the coordinated vulnerability disclosure 
        processes established under subsection (g) to report to the 
        developers of such technologies and, as appropriate, to the 
        Director, information relating to vulnerabilities discovered 
        and any information necessary to reproduce such 
        vulnerabilities.
            ``(3) Developing new capabilities for improving the 
        security of such technologies, including vulnerability 
        discovery, management, mitigation, and remediation.
            ``(4) Assessing the security of software, firmware, and 
        hardware that underpin national critical functions.
            ``(5) Supporting existing communities of interest, 
        including through grant making, in mitigating and remediating 
        vulnerabilities discovered within such technologies.
            ``(6) Sharing findings to inform and support the future 
        work of the Cybersecurity and Infrastructure Security Agency.
    ``(f) Risk-Based Evaluations.--Unless otherwise directed pursuant 
to guidance issued by the Under Secretary for Science and Technology or 
Director under subsection (d), to the greatest extent practicable 
activities carried out pursuant to the responsibilities specified in 
subsection (e) shall leverage risk-based evaluations to focus on 
activities that have the greatest effect on the security of the 
critical technologies within each Center's remit, such as the 
following:
            ``(1) Developing capabilities that can detect or eliminate 
        entire classes of vulnerabilities.
            ``(2) Testing for vulnerabilities in the most widely used 
        critical technologies, or vulnerabilities that affect many such 
        critical technologies.
    ``(g) Coordinated Vulnerability Disclosure Processes.--Each Center 
shall establish, in coordination with the Director, coordinated 
vulnerability disclosure processes regarding the disclosure of 
vulnerabilities that--
            ``(1) are adhered to when a vulnerability is discovered or 
        disclosed by each such Center, consistent with international 
        standards and coordinated vulnerability disclosure best 
        practices; and
            ``(2) are published on the website of each such Center.
    ``(h) Application.--To be eligible for an award of a grant, 
contract, or cooperative agreement as a Center, a covered entity shall 
submit to the Secretary an application at such time, in such manner, 
and including such information as the Secretary may require.
    ``(i) Public Reporting of Vulnerabilities.--The Under Secretary for 
Science and Technology shall ensure that vulnerabilities discovered by 
a Center are reported to the National Vulnerability Database of the 
National Institute of Standards and Technology, as appropriate and 
using the coordinated vulnerability disclosure processes established 
under subsection (g).
    ``(j) Additional Guidance.--The Under Secretary for Science and 
Technology, in coordination with the Director, shall develop, and 
periodically update, guidance, including eligibility and any additional 
requirements, relating to how Centers may award grants to communities 
of interest pursuant to subsection (e)(5) to mitigate and remediate 
vulnerabilities and take other actions under such subsection and 
subsection (k).
    ``(k) Open Source Software Security Grants.--
            ``(1) In general.--Any Center addressing open source 
        software security may, in consultation with the Under Secretary 
        for Science and Technology and Director, award grants to 
        individual open source software developers and maintainers, 
        nonprofit organizations, and other non-Federal entities as 
        determined appropriate by any such Center, to fund improvements 
        in the security of the open source software ecosystem.
            ``(2) Improvements.--A grant awarded under paragraph (1) 
        may include improvements such as the following:
                    ``(A) Security audits.
                    ``(B) Funding for developers to patch 
                vulnerabilities.
                    ``(C) Addressing code, infrastructure, and 
                structural weaknesses, including rewrites of open 
                source software components in memory-safe programming 
                languages.
                    ``(D) Research and tools to assess and improve the 
                overall security of the open source software ecosystem, 
                such as improved software fault isolation techniques.
                    ``(E) Training and other tools to aid open source 
                software developers in the secure development of open 
                source software, including secure coding practices and 
                secure systems architecture.
            ``(3) Priority.--In awarding grants under paragraph (1), a 
        Center shall prioritize, to the greatest extent practicable, 
        the following:
                    ``(A) Where applicable, open source software 
                components identified in guidance from the Director, or 
                if no such guidance is so provided, utilizing the risk-
                based evaluation described in subsection (f).
                    ``(B) Activities that most promote the long-term 
                security of the open source software ecosystem.
    ``(l) Biennial Reports to Under Secretary.--Not later than one year 
after the date of the enactment of this section and every two years 
thereafter, each Center shall submit to the Under Secretary for Science 
and Technology, Director, and the appropriate congressional committees 
a report that includes the following:
            ``(1) A summary of the work performed by such Center.
            ``(2) Information relating to the allocation of Federal 
        funds at such Center.
            ``(3) A list of critical technologies studied by such 
        Center.
            ``(4) A description of each vulnerability that has been 
        publicly disclosed pursuant to subsection (g), including 
        information relating to the corresponding software weakness.
            ``(5) An assessment of the criticality of each such 
        vulnerability.
            ``(6) An overview of the methodologies used by such Center, 
        such as tactics, techniques, and procedures.
            ``(7) A description of such Center's development of 
        capabilities for vulnerability discovery, management, and 
        mitigation.
            ``(8) A summary of such Center's support to existing 
        communities of interest, including an accounting of dispersed 
        grant funds.
            ``(9) For such Center, if applicable, a summary of any 
        grants awarded during the period covered by the report that 
        includes the following:
                    ``(A) An identification of the entity to which each 
                such grant was awarded.
                    ``(B) The amount of each such grant.
                    ``(C) The purpose of each such grant.
                    ``(D) The expected impact of each such grant.
            ``(10) The coordinated vulnerability disclosure processes 
        established by such Center.
    ``(m) Reports to Congress.--Upon receiving the reports required 
under subsection (l), the Under Secretary for Science and Technology 
shall submit to the appropriate congressional committees a summary of 
such reports, and, where applicable, an explanation for any deviations 
in the list of critical technologies studied by a Center from the list 
of critical technologies or guidance relating to such technologies 
provided by the Director pursuant to subsection (d).
    ``(n) Consultation With Relevant Agencies.--In carrying out this 
section, the Under Secretary shall consult with the heads of other 
Federal agencies conducting cybersecurity research, including the 
following:
            ``(1) The National Institute of Standards and Technology.
            ``(2) The National Science Foundation.
            ``(3) Relevant agencies of the Department of Energy.
            ``(4) Relevant agencies of the Department of Defense.
    ``(o) Authorization of Appropriations.--There are authorized to be 
appropriated to carry out this section the following:
            ``(1) $42,000,000 for fiscal year 2024.
            ``(2) $44,000,000 for fiscal year 2025.
            ``(3) $46,000,000 for fiscal year 2026.
            ``(4) $49,000,000 for fiscal year 2027.
            ``(5) $52,000,000 for fiscal year 2028.
    ``(p) Definitions.--In this section:
            ``(1) Appropriate congressional committees.--The term 
        `appropriate congressional committees' means--
                    ``(A) the Committee on Homeland Security of the 
                House of Representatives; and
                    ``(B) the Committee on Homeland Security and 
                Governmental Affairs of the Senate.
            ``(2) Covered entity.--The term `covered entity' means a 
        university or federally-funded research and development center, 
        including a national laboratory, or a consortia thereof.
            ``(3) Critical technology.--The term `critical technology' 
        means technology that underpins one or more national critical 
        functions.
            ``(4) Critical software.--The term `critical software' has 
        the meaning given such term by the National Institute of 
        Standards and Technology pursuant to Executive Order 14028 or 
        any successor provision.
            ``(5) Open source software.--The term `open source 
        software' means software for which the human-readable source 
        code is made available to the public for use, study, re-use, 
        modification, enhancement, and redistribution.
            ``(6) Director.--The term `Director' means the Director of 
        the Cybersecurity and Infrastructure Security Agency.''.
    (b) Identification of Certain Technology.--Paragraph (1) of section 
2202(e) of the Homeland Security Act of 2002 (6 U.S.C. 652(e)) is 
amended by adding at the end the following new subparagraph:
                    ``(S) To identify the critical technologies (as 
                such term is defined in section 324) or develop 
                guidance relating to such technologies within the 
                remits of the Critical Technology Security Centers as 
                described in such section.''.
    (c) Clerical Amendment.--The table of contents in section 1(b) of 
the Homeland Security Act of 2002 is amended by inserting after the 
item relating to section 323 the following new item:

``Sec. 324. Critical Technology Security Centers.''.