[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 4956 Introduced in Senate (IS)]

<DOC>






118th CONGRESS
  2d Session
                                S. 4956

   To regulate electronic medical device use in secure compartmented 
    information facilities, to require the Director of the National 
Intelligence oversee transparency reporting and related initiatives, to 
      encourage investment in modernization efforts for sensitive 
     compartmented information facilities, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             August 1, 2024

 Mr. Welch (for himself and Mr. Casey) introduced the following bill; 
     which was read twice and referred to the Select Committee on 
                              Intelligence

_______________________________________________________________________

                                 A BILL


 
   To regulate electronic medical device use in secure compartmented 
    information facilities, to require the Director of the National 
Intelligence oversee transparency reporting and related initiatives, to 
      encourage investment in modernization efforts for sensitive 
     compartmented information facilities, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cleared Locations Enabling Access to 
Relevant Essential Devices Act of 2024'' or the ``CLEARED Act of 
2024''.

SEC. 2. ENHANCING NATIONAL ACCESSIBILITY FOR BETTER LONG-TERM 
              EMPLOYMENT ACT OF 2024.

    (a) Definitions.--In this section:
            (1) Covered entity.--The term ``covered entity'' means any 
        entity that--
                    (A) is established under or sponsored by any branch 
                of the United States Government; and
                    (B) manages a secure compartmented information 
                facility.
            (2) Electronic medical device.--The term ``electronic 
        medical device'' has the meaning given that term in 
        Intelligence Community Directive 124.
            (3) Governance board.--The term ``Governance Board'' means 
        the Electronic Medical Device Governance Board described in 
        Intelligence Community Directive 124.
    (b) Device Approval Disclosure.--
            (1) Electronic medical device ledgers.--Beginning on the 
        date of the enactment of this Act, the head of any covered 
        entity shall begin developing and maintaining, for each secure 
        compartmented information facility managed by such covered 
        entity, a ledger to track the approval and denial of requests 
        for electronic medical device use, which shall include--
                    (A) a case-by-case annotation of each approval or 
                denial of an electronic medical device;
                    (B) a justification for each such approval or 
                denial;
                    (C) any relevant details regarding device 
                restrictions or accommodations; and
                    (D) statistics summarizing the number of electronic 
                medical devices approved for unrestricted use and 
                limited use and devices that were denied.
            (2) Approved electronic medical device list.--
                    (A) In general.--Beginning not later than 1 year 
                after the date of the enactment of this Act, the head 
                of any covered entity shall develop and maintain, for 
                each secure compartmented information facility managed 
                by such covered entity, develop and maintain a list 
                that includes the following:
                            (i) Each electronic medical device that is 
                        approved for unrestricted use in the facility.
                            (ii) Each electronic medical device that is 
                        approved for limited use in the facility, 
                        including--
                                    (I) any restrictions or 
                                accommodations required with respect to 
                                each such device;
                                    (II) a description of whether such 
                                restrictions or accommodations vary 
                                from restrictions imposed or 
                                accommodations provided by other 
                                covered entities; and
                                    (III) if applicable, an explanation 
                                of the variability of such restrictions 
                                or accommodations.
                            (iii) Each electronic medical device that 
                        is denied for use in the facility and the 
                        justification for such denial.
                    (B) Form.--
                            (i) Access to unclassified list.--The 
                        relevant list of a covered entity developed 
                        pursuant to subparagraph (A) shall be--
                                    (I) unclassified to the maximum 
                                extent practicable, but may include a 
                                classified annex; and
                                    (II) provided to any applicant or 
                                employee of the covered entity who 
                                seeks a position that requires access 
                                to a secure compartmented information 
                                facility.
                            (ii) Access to classified list.--
                                    (I) Cleared applicants.--On the 
                                date that an applicant or employee 
                                described in clause (i)(II) receives 
                                the security clearance necessary for 
                                access to the secure compartmented 
                                information facility, the head of the 
                                relevant covered entity shall make 
                                available to such applicant or employee 
                                the classified portion of the list 
                                described in clause (i).
                                    (II) Existing employees.--Not later 
                                than 1 year after the date of the 
                                enactment of this Act, the head of each 
                                covered entity shall provide to each 
                                employee of the covered entity who has 
                                the security clearance necessary to 
                                access a secure compartmented 
                                information facility, the list 
                                developed by the head of such covered 
                                entity with respect to such facility, 
                                which shall be unclassified to the 
                                maximum extent practicable, but may 
                                include a classified annex.
            (3) Electronic medical device policy.--
                    (A) In general.--Not later than 180 days after the 
                date of the enactment of this Act, the head of each 
                covered entity shall develop a policy for the use of 
                electronic medical devices in secure compartmented 
                information facilities, which shall include a list of 
                the types of electronic medical devices that are 
                approved for use in each such facility managed by the 
                covered entity.
                    (B) Annual review.--The head of each covered entity 
                shall annually review any policy developed pursuant to 
                subparagraph (A).
            (4) Submission to director of national intelligence and 
        governance board.--Not later than 180 days after the date of 
        the enactment of this Act, and annually thereafter, the head of 
        each covered entity shall submit to the Director of National 
        Intelligence and the Governance Board--
                    (A) any ledger developed pursuant to paragraph (1);
                    (B) any list published pursuant to paragraph 
                (2)(A); and
                    (C) any policy developed pursuant to paragraph 
                (3)(A).
    (c) Review of Electronic Medical Device Security.--
            (1) In general.--The Governance Board shall review 
        electronic medical device security and equity concerns for 
        covered agencies.
            (2) Duties.--The Governance Board shall--
                    (A) review the policies of covered agencies 
                regarding the use of electronic medical devices in 
                secure compartmented information facilities;
                    (B) review each ledger or list submitted in 
                accordance with subsection (b)(4);
                    (C) identify and resolve discrepancies in such 
                ledgers and lists, with respect to both variation in 
                justifications for restrictions and accommodations and 
                denials within each covered entity and across all 
                covered entities;
                    (D) facilitate and direct security research and 
                technical risk assessments on electronic medical 
                devices and determine threats to national security 
                posed by such devices;
                    (E) for electronic medical devices that have been 
                researched pursuant to subparagraph (D), evaluate 
                threat mitigation measures available and the efficacy 
                ratings of such measures; and
                    (F) provide recommendations for risk management of 
                electronic medical devices in secure compartmented 
                information facilities.
            (3) Electronic medical ledger database.--
                    (A) In general.--Using each ledger and list 
                submitted to the Governance Board in accordance with 
                subsection (b)(4), the Governance Board shall develop 
                and maintain a publicly accessible database of 
                electronic medical devices that have been approved or 
                denied for use at any secure compartmented information 
                facility, including, to the extent practicable--
                            (i) approval rates;
                            (ii) accommodations or restrictions for 
                        usage; and
                            (iii) for each covered entity, specific 
                        processes for electronic medical device 
                        approval.
                    (B) Public availability of information.--The 
                Governance Board shall make available on the website of 
                the Office of the Director of National Intelligence the 
                following:
                            (i) General approval and denial rates for 
                        devices described in subparagraph (A) of 
                        different types.
                            (ii) Points of contact for teams 
                        responsible for approvals and denials of 
                        devices described in subparagraph (A).
                    (C) Ledger discrepancies.--The Governance Board 
                shall include in such database any discrepancy 
                identified pursuant to paragraph (2), including, for 
                each such discrepancy--
                            (i) a detailed description of the 
                        discrepancy; and
                            (ii) proposed remediations.
                    (D) Form.--The database shall be unclassified, but 
                may include a classified annex as the Director of 
                National Intelligence considers appropriate.
            (4) Report.--
                    (A) In general.--Not later than 1 year after the 
                date of the enactment of this Act, and annually 
                thereafter, the Governance Board shall submit to the 
                Director of National Intelligence a report on the state 
                of electronic medical device usage in secure 
                compartmented information facilities.
                    (B) Content.--Each report submitted pursuant to 
                subparagraph (A) shall include--
                            (i) a description of the research efforts, 
                        risk management recommendations, and strategic 
                        approaches of the Governance Board to support 
                        changes or innovations that improve the use of 
                        electronic medical devices in secure 
                        compartmented information facilities;
                            (ii) a description of any barriers to 
                        resolving discrepancies under paragraph (2)(C);
                            (iii) a summary of statistics describing 
                        approval rates gleaned from the database 
                        developed pursuant to paragraph (3); and
                            (iv) any other information the Governance 
                        Board determines is relevant for the Director 
                        of National Intelligence to consider regarding 
                        the use of electronic medical devices in secure 
                        compartmented information facilities.
            (5) Annual evaluations.--Not later than 180 days after 
        receiving a report under paragraph (4), the Director of 
        National Intelligence shall--
                    (A) evaluate the findings and recommendations of 
                the Governance Board in such report; and
                    (B) submit to Congress a report that includes--
                            (i) the results of the evaluation conducted 
                        under subparagraph (A);
                            (ii) a description of current approval 
                        rates for electronic medical devices;
                            (iii) a description of research efforts and 
                        risk mitigation strategies with respect to 
                        electronic medical devices; and
                            (iv) recommendations for updating 
                        electronic medical device requirements in 
                        secure compartmented information facilities.
    (d) Protection of Information.--In carrying out this section, the 
head of each covered entity shall ensure the protection of personally 
identifiable information, including medical information, in accordance 
with all applicable laws and policies with respect to confidentiality 
and privacy.
                                 <all>