[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 4630 Introduced in Senate (IS)]

118th CONGRESS
  2d Session
                                S. 4630

 To establish an interagency committee to harmonize regulatory regimes 
in the United States relating to cybersecurity, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              July 8, 2024

  Mr. Peters (for himself and Mr. Lankford) introduced the following 
 bill; which was read twice and referred to the Committee on Homeland 
                   Security and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
 To establish an interagency committee to harmonize regulatory regimes 
in the United States relating to cybersecurity, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Streamlining Federal Cybersecurity 
Regulations Act''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Agency.--The term ``agency'' has the meaning given that 
        term in section 551 of title 5, United States Code.
            (2) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    (B) the Committee on Oversight and Accountability 
                of the House of Representatives;
                    (C) each committee of Congress with jurisdiction 
                over the activities of a regulatory agency; and
                    (D) each committee of Congress with jurisdiction 
                over the activities of a Sector Risk Management Agency 
                with respect to a sector regulated by a regulatory 
                agency.
            (3) Committee.--The term ``Committee'' means the 
        Harmonization Committee established under section 3(a).
            (4) Cybersecurity requirement.--The term ``cybersecurity 
        requirement'' means an administrative, technical, or physical 
        safeguard, requirement, or supervisory activity, including 
        regulations, guidance, bulletins or examinations, relating to 
        information security, information technology, cybersecurity, or 
        cyber risk or resilience.
            (5) Harmonization.--
                    (A) Definition.--The term ``harmonization'' means 
                the process of aligning cybersecurity requirements 
                issued by regulatory agencies such that the 
                requirements consist of--
                            (i) a common set of minimum requirements 
                        that apply across sectors and that can be 
                        updated periodically to address new or evolving 
                        risks relating to information security or 
                        cybersecurity; and
                            (ii) sector-specific requirements that--
                                    (I) are necessary to address 
                                sector-specific risks that are not 
                                adequately addressed by the minimum 
                                requirements in clause (i); and
                                    (II) are substantially similar, 
                                where appropriate, to other 
                                requirements in that sector or a 
                                similar sector.
                    (B) Rule of construction.--Nothing in this 
                definition shall be construed to exempt regulatory 
                agencies from any otherwise applicable processes or 
                laws relating to updating regulations, including 
                subchapter II of chapter 5, and chapter 7, of title 5, 
                United States Code (commonly known as the 
                ``Administrative Procedure Act'').
            (6) Independent regulatory agency.--The term ``independent 
        regulatory agency'' has the meaning given that term in section 
        3502 of title 44, United States Code.
            (7) Reciprocity.--The term ``reciprocity'' means the 
        recognition or acceptance by 1 regulatory agency of an 
        assessment, determination, examination, finding, or conclusion 
        of another regulatory agency for determining that a regulated 
        entity has complied with a cybersecurity requirement.
            (8) Regulatory agency.--The term ``regulatory agency'' 
        means--
                    (A) any independent regulatory agency that has the 
                statutory authority to issue or enforce any mandatory 
                cybersecurity requirement; or
                    (B) any other agency that has the statutory 
                authority to issue or enforce any cybersecurity 
                requirement.
            (9) Regulatory framework.--The term ``regulatory 
        framework'' means the framework developed under section 
        3(e)(1).
            (10) Sector risk management agency.--The term ``Sector Risk 
        Management Agency'' has the meaning given that term in section 
        2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

SEC. 3. ESTABLISHMENT OF INTERAGENCY COMMITTEE TO HARMONIZE REGULATORY 
              REGIMES IN THE UNITED STATES RELATING TO CYBERSECURITY.

    (a) Harmonization Committee.--
            (1) In general.--The National Cyber Director shall 
        establish an interagency committee to be known as the 
        Harmonization Committee to enhance the harmonization of 
        cybersecurity requirements that are applicable within the 
        United States.
            (2) Support.--The National Cyber Director shall provide the 
        Committee with administrative and management support as 
        appropriate.
    (b) Members.--
            (1) In general.--The Committee shall be composed of--
                    (A) the National Cyber Director;
                    (B) the head of each regulatory agency;
                    (C) the head of the Office of Information and 
                Regulatory Affairs of the Office of Management and 
                Budget; and
                    (D) the head of other appropriate agencies, as 
                determined by the chair of the Committee.
            (2) Publication of list of members.--The Committee shall 
        maintain a list of the agencies that are represented on the 
        Committee on a publicly available website.
    (c) Chair.--The National Cyber Director shall be the chair of the 
Committee.
    (d) Charter.--The Committee shall develop, deliver to Congress, and 
make publicly available a charter, which shall--
            (1) include the processes and rules of the Committee; and
            (2) detail--
                    (A) the objective and scope of the Committee; and
                    (B) other items as necessary.
    (e) Regulatory Framework for Harmonization.--
            (1) In general.--
                    (A) Framework.--Not later than 1 year after the 
                date of enactment of this Act, the Committee shall 
                develop a regulatory framework for achieving 
                harmonization of the cybersecurity requirements of each 
                regulatory agency.
                    (B) Factors.--In developing the framework under 
                subparagraph (A), the Committee shall account for 
                existing sector-specific cybersecurity requirements 
                that are identified as unique or critical to a sector.
            (2) Minimum requirements.--The framework shall contain, at 
        a minimum, processes for--
                    (A) establishing a reciprocal compliance mechanism 
                for minimum requirements relating to information 
                security or cybersecurity for entities regulated by 
                more than 1 regulatory agency;
                    (B) identifying cybersecurity requirements that are 
                overly burdensome, inconsistent, or contradictory, as 
                determined by the Committee; and
                    (C) developing recommendations for updating 
                regulations, guidance, and examinations to address 
                overly burdensome, inconsistent, or contradictory 
                cybersecurity requirements identified under 
                subparagraph (B) to achieve harmonization.
            (3) Publication.--Upon completion of the regulatory 
        framework, the Committee shall publish the regulatory framework 
        in the Federal Register.
    (f) Pilot Program on Implementation of Regulatory Framework.--
            (1) In general.--Not fewer than 3 regulatory agencies, 
        selected by the Committee, shall carry out a pilot program to 
        implement the regulatory framework established under subsection 
        (e) with respect to not fewer than 3 cybersecurity 
        requirements.
            (2) Participation by regulatory agencies and regulated 
        entities.--
                    (A) Regulatory agencies.--Participation in the 
                pilot program by a regulatory agency shall be voluntary 
                and subject to the consent of the regulatory agency 
                following selection by the Committee under paragraph 
                (1).
                    (B) Regulated entities.--Participation in the pilot 
                program by a regulated entity shall be voluntary.
            (3) Selection of cybersecurity requirements.--Cybersecurity 
        requirements selected for the pilot program under paragraph (1) 
        shall contain substantially similar or substantially related 
        requirements such that not fewer than 2 of the selected 
        cybersecurity requirements govern the same regulated entity 
        with substantially similar or substantially related 
        requirements relating to information security or cybersecurity.
            (4) Waivers.--Notwithstanding any provision of subchapter 
        II of chapter 5, and chapter 7, of title 5, United States Code 
        (commonly known as the ``Administrative Procedure Act'') and 
        subject to the consent of any participating regulated entity, 
        in implementing the pilot program under paragraph (1), a 
        regulatory agency participating in the pilot program shall have 
        the authority to issue waivers and establish alternative 
        procedures for regulated entities participating in the pilot 
        program with respect to the cybersecurity requirements included 
        under the pilot program.
    (g) Consultation With the Committee.--
            (1) In general.--Notwithstanding any other provision of 
        law--
                    (A) before prescribing any cybersecurity 
                requirement, the head of a regulatory agency shall 
                consult with the Committee regarding such requirement 
                and the regulatory framework established under 
                subsection (e); and
                    (B) independent regulatory agencies, when updating 
                any existing cybersecurity requirement or issuing a 
                potential new cybersecurity requirement, shall consult 
                the Committee during the development of the updated 
                cybersecurity requirement or the new cybersecurity 
                requirement to ensure that the requirement is aligned 
                to the greatest extent possible with the regulatory 
                framework.
            (2) Determination.--Following a consultation under 
        paragraph (1), the Committee shall make a determination in 
        writing to the agency, in coordination with the Office of 
        Management and Budget as necessary, that shall--
                    (A) include to what degree the proposed 
                cybersecurity requirement or update to the 
                cybersecurity requirement aligns with the regulatory 
                framework; and
                    (B) provide a list of recommendations to improve 
                the cybersecurity requirement and align it with the 
                regulatory framework.
    (h) Consultation With Sector Risk Management Agencies.--The 
Committee shall consult with appropriate Sector Risk Management 
Agencies in the development of the regulatory framework under 
subsection (e) and the implementation of the pilot program under 
subsection (f).
    (i) Reports.--
            (1) Annual report.--Not later than 12 months after the date 
        of enactment of this Act, and annually thereafter, the 
        Committee shall submit to the appropriate congressional 
        committees a report detailing--
                    (A) member participation; and
                    (B) the application of the regulatory framework, 
                once developed, on cybersecurity requirements, 
                including consultations or discussions with regulators.
            (2) Pilot program report.--Not later than 12 months after 
        the date on which the pilot program begins, the Committee shall 
        submit to the appropriate congressional committees a report 
        detailing--
                    (A) the cybersecurity requirements selected for the 
                program, including the reasons that the regulatory 
                agency and cybersecurity requirement were selected;
                    (B) the information learned from the program;
                    (C) any obstacles encountered during the program; 
                and
                    (D) an assessment of the applicability of expanding 
                the program to other agencies and cybersecurity 
                requirements.

SEC. 4. STATUS UPDATES ON INCIDENT REPORTING.

    (a) Status Update on Memoranda of Agreement.--Not later than 180 
days after the date of enactment of this Act, and not less frequently 
than every 180 days thereafter, the Director of the Cybersecurity and 
Infrastructure Security Agency shall provide to the appropriate 
congressional committees a status update on the development and 
implementation of memoranda of agreement between agencies required 
under section 104(a)(5) of the Cyber Incident Reporting for Critical 
Infrastructure Act of 2022 (6 U.S.C. 681g(a)(5)).
    (b) Status Update on Efforts of the Cyber Incident Reporting 
Council.--Not later than 180 days after the date of enactment of this 
Act, and not less frequently than every 180 days thereafter, the 
Secretary of Homeland Security shall provide to the appropriate 
congressional committees a status update on the efforts of the Cyber 
Incident Reporting Council established under section 2246 of the 
Homeland Security Act of 2002 (6 U.S.C. 681f).

SEC. 5. RULE OF CONSTRUCTION.

    Nothing in this Act shall be construed--
            (1) to expand or alter the existing regulatory authorities 
        of any agency, including any independent regulatory agency, 
        except for exemptions under section 3(f) to implement the pilot 
        program established under that section;
            (2) to provide any such agency any new or additional 
        regulatory authorities; or
            (3) to address security incident reporting requirements 
        subject to coordination by the Cyber Incident Reporting Council 
        established under section 2246 of the Homeland Security Act of 
        2002 (6 U.S.C. 681f), except for the required status updates 
        under section 4.