[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5439 Introduced in House (IH)]

118th CONGRESS
  1st Session
                                H. R. 5439

To amend the Homeland Security Act of 2002 to require the Secretary of 
Homeland Security to establish a national risk management process, and 
                          for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 13, 2023

Mr. Gallagher (for himself and Ms. Spanberger) introduced the following 
     bill; which was referred to the Committee on Homeland Security

_______________________________________________________________________

                                 A BILL


 
To amend the Homeland Security Act of 2002 to require the Secretary of 
Homeland Security to establish a national risk management process, and 
                          for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``National Risk Management Act of 
2023''.

SEC. 2. NATIONAL RISK MANAGEMENT PROCESS.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following new section:

``SEC. 2220F. NATIONAL RISK MANAGEMENT PROCESS.

    ``(a) National Critical Functions Defined.--In this section, the 
term `national critical functions' means the functions of government 
and the private sector so vital to the United States that their 
disruption, corruption, or dysfunction would have a debilitating effect 
on security, national economic security, national public health or 
safety, or any combination thereof.
    ``(b) National Risk Management Process.--
            ``(1) Risk identification and assessment.--
                    ``(A) In general.--The Secretary, acting through 
                the Director, shall establish a recurring process to 
                identify and assess risks to critical infrastructure, 
                considering both cybersecurity threats and physical 
                threats, the associated likelihoods of such threats, 
                vulnerabilities within systems rendering such systems 
                susceptible to such threats, and consequences of such 
                threats to critical functions.
                    ``(B) Consultation.--In establishing the process 
                required under subparagraph (A), the Secretary shall 
                consult the following:
                            ``(i) Sector Risk Management Agencies.
                            ``(ii) Critical infrastructure owners and 
                        operators.
                            ``(iii) The Assistant to the President for 
                        National Security Affairs.
                            ``(iv) The Assistant to the President for 
                        Homeland Security.
                            ``(v) The National Cyber Director.
                    ``(C) Process elements.--The process established 
                under subparagraph (A) shall include elements to--
                            ``(i) collect relevant information, 
                        collected pursuant to section 2218, from Sector 
                        Risk Management Agencies relating to the 
                        threats, vulnerabilities, and consequences 
                        related to the particular sectors of those 
                        Sector Risk Management Agencies;
                            ``(ii) allow critical infrastructure owners 
                        and operators to submit relevant information to 
                        the Secretary for consideration; and
                            ``(iii) outline how the Secretary will 
                        solicit input from other Federal departments 
                        and agencies.
                    ``(D) Publication.--Not later than 180 days after 
                the date of the enactment of this section, the 
                Secretary shall publish in the Federal Register 
                procedures for the process established under 
                subparagraph (A).
                    ``(E) Reports.--The Secretary shall submit to the 
                President, the Committee on Homeland Security and 
                Governmental Affairs of the Senate, and the Committee 
                on Homeland Security of the House of Representatives a 
                report on the risks from cybersecurity threats and 
                physical threats identified by the process established 
                under subparagraph (A)--
                            ``(i) not later than one year after the 
                        date of the enactment of this section; and
                            ``(ii) not later than one year after the 
                        date on which the Secretary submits a periodic 
                        evaluation described in section 9002(b)(2) of 
                        title XC of division H of the William M. (Mac) 
                        Thornberry National Defense Authorization Act 
                        for Fiscal Year 2021 (6 U.S.C. 652a(b)(2)).
            ``(2) National critical infrastructure resilience 
        strategy.--
                    ``(A) In general.--Not later than one year after 
                the date on which the Secretary submits each report 
                required under paragraph (1), the President shall 
                transmit to the majority and minority leaders of the 
                Senate, the Speaker and minority leader of the House of 
                Representatives, the Committee on Homeland Security and 
                Governmental Affairs of the Senate, and the Committee 
                on Homeland Security of the House of Representatives a 
                national critical infrastructure resilience strategy to 
                address the risks identified by the Secretary.
                    ``(B) Elements.--Each strategy under subparagraph 
                (A) shall--
                            ``(i) prioritize areas of risk to critical 
                        infrastructure that would compromise or disrupt 
                        national critical functions impacting national 
                        security, economic security, or public health 
                        and safety;
                            ``(ii) assess the implementation of the 
                        previous national critical infrastructure 
                        resilience strategy, as applicable;
                            ``(iii) identify and outline current and 
                        proposed national-level actions, programs, and 
                        efforts, including resource requirements, to be 
                        taken to address the risks identified;
                            ``(iv) identify the Federal departments or 
                        agencies responsible for leading each national-
                        level action, program, or effort, and the 
                        relevant critical infrastructure sectors for 
                        each; and
                            ``(v) request any additional authorities 
                        necessary to successfully execute the strategy.
                    ``(C) Form.--Each strategy under subparagraph (A) 
                shall be unclassified but may contain a classified 
                annex.
            ``(3) Congressional briefing.--Not later than one year 
        after the date on which the President transmits the first 
        strategy required under paragraph (2)(A) and each year 
        thereafter, the Secretary, in coordination with Sector Risk 
        Management Agencies, shall brief the Committee on Homeland 
        Security and Governmental Affairs of the Senate and the 
        Committee on Homeland Security of the House of Representatives 
        on--
                    ``(A) the national risk management process 
                activities undertaken pursuant to the strategy 
                transmitted in accordance with paragraph (2)(A); and
                    ``(B) the amounts and timeline for funding that the 
                Secretary has determined would be necessary to address 
                risks of cybersecurity threats and physical threats and 
                successfully execute the full range of activities 
                proposed by such strategy.''.
    (b) Clerical Amendment.--The table of contents in section 1(b) of 
the Homeland Security Act of 2002 is amended by inserting after the 
item relating to section 2220E the following new item:

``Sec. 2220F. National risk management process.''.