[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 824 Introduced in Senate (IS)]

118th CONGRESS
  1st Session
                                 S. 824

 To require the Secretary of Homeland Security to establish a national 
             risk management cycle, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 15, 2023

Ms. Hassan (for herself and Mr. Romney) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
 To require the Secretary of Homeland Security to establish a national 
             risk management cycle, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``National Risk Management Act of 
2023''.

SEC. 2. NATIONAL RISK MANAGEMENT CYCLE.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following:

``SEC. 2220F. NATIONAL RISK MANAGEMENT CYCLE.

    ``(a) National Critical Functions Defined.--In this section, the 
term `national critical functions' means the functions of government 
and the private sector so vital to the United States that their 
disruption, corruption, or dysfunction would have a debilitating effect 
on security, national economic security, national public health or 
safety, or any combination thereof.
    ``(b) National Risk Management Cycle.--
            ``(1) Risk identification and assessment.--
                    ``(A) In general.--The Secretary, acting through 
                the Director, shall establish a recurring process by 
                which to identify and assess risks to critical 
                infrastructure, considering both cyber and physical 
                threats and the associated likelihoods, 
                vulnerabilities, and consequences.
                    ``(B) Consultation.--In establishing the process 
                required under subparagraph (A), the Secretary shall 
                consult--
                            ``(i) Sector Risk Management Agencies;
                            ``(ii) critical infrastructure owners and 
                        operators;
                            ``(iii) the Assistant to the President for 
                        National Security Affairs;
                            ``(iv) the Assistant to the President for 
                        Homeland Security; and
                            ``(v) the National Cyber Director.
                    ``(C) Process elements.--The process established 
                under subparagraph (A) shall include elements to--
                            ``(i) collect relevant information, 
                        collected pursuant to section 2218, from Sector 
                        Risk Management Agencies relating to the 
                        threats, vulnerabilities, and consequences 
                        related to the particular sectors of those 
                        Sector Risk Management Agencies;
                            ``(ii) allow critical infrastructure owners 
                        and operators to submit relevant information to 
                        the Secretary for consideration; and
                            ``(iii) outline how the Secretary will 
                        solicit input from other Federal departments 
                        and agencies.
                    ``(D) Publication.--Not later than 180 days after 
                the date of enactment of this section, the Secretary 
                shall publish in the Federal Register procedures for 
                the process established under subparagraph (A), subject 
                to any redactions the Secretary determines are 
                necessary to protect classified or other sensitive 
                information.
                    ``(E) Report.--The Secretary shall submit to the 
                President, the Committee on Homeland Security and 
                Governmental Affairs of the Senate, and the Committee 
                on Homeland Security of the House of Representatives a 
                report on the risks identified by the process 
                established under subparagraph (A)--
                            ``(i) not later than 1 year after the date 
                        of enactment of this section; and
                            ``(ii) not later than 1 year after the date 
                        on which the Secretary submits a periodic 
                        evaluation described in section 9002(b)(2) of 
                        title XC of division H of the William M. (Mac) 
                        Thornberry National Defense Authorization Act 
                        for Fiscal Year 2021 (6 U.S.C. 652a(b)(2)).
            ``(2) National critical infrastructure resilience 
        strategy.--
                    ``(A) In general.--Not later than 1 year after the 
                date on which the Secretary delivers each report 
                required under paragraph (1), the President shall 
                deliver to majority and minority leaders of the Senate, 
                the Speaker and minority leader of the House of 
                Representatives, the Committee on Homeland Security and 
                Governmental Affairs of the Senate, and the Committee 
                on Homeland Security of the House of Representatives a 
                national critical infrastructure resilience strategy 
                designed to address the risks identified by the 
                Secretary.
                    ``(B) Elements.--Each strategy delivered under 
                subparagraph (A) shall--
                            ``(i) prioritize areas of risk to critical 
                        infrastructure that would compromise or disrupt 
                        national critical functions impacting national 
                        security, economic security, or public health 
                        and safety;
                            ``(ii) assess the implementation of the 
                        previous national critical infrastructure 
                        resilience strategy, as applicable;
                            ``(iii) identify and outline current and 
                        proposed national-level actions, programs, and 
                        efforts, including resource requirements, to be 
                        taken to address the risks identified;
                            ``(iv) identify the Federal departments or 
                        agencies responsible for leading each national-
                        level action, program, or effort and the 
                        relevant critical infrastructure sectors for 
                        each; and
                            ``(v) request any additional authorities 
                        necessary to successfully execute the strategy.
                    ``(C) Form.--Each strategy delivered under 
                subparagraph (A) shall be unclassified, but may contain 
                a classified annex.
            ``(3) Congressional briefing.--Not later than 1 year after 
        the date on which the President delivers the first strategy 
        required under paragraph (2)(A), and each year thereafter, the 
        Secretary, in coordination with Sector Risk Management 
        Agencies, shall brief the Committee on Homeland Security and 
        Governmental Affairs of the Senate and the Committee on 
        Homeland Security of the House of Representatives on--
                    ``(A) the national risk management cycle activities 
                undertaken pursuant to the strategy delivered under 
                subparagraph (A); and
                    ``(B) the amounts and timeline for funding that the 
                Secretary has determined would be necessary to address 
                risks and successfully execute the full range of 
                activities proposed by the strategy delivered 
                subparagraph (A).''.
    (b) Technical and Conforming Amendment.--The table of contents in 
section 1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 
116 Stat. 2135) is amended by inserting after the item relating to 
section 2220E the following:

``Sec. 2220F. National risk management cycle.''.