[Congressional Record Volume 163, Number 18 (Thursday, February 2, 2017)]
[Senate]
[Pages S657-S658]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. DAINES (for himself and Mr. Warner):
  S. 278. A bill to amend the Homeland Security Act of 2002 to provide 
for innovative research and development, and for other purposes; to the 
Committee on Homeland Security and Governmental Affairs.
  Mr. DAINES. Mr. President, in recent years we have seen the inability 
of the Federal Government to quickly adapt to changing technology and 
emerging threats. In June of 2015 the Office of Personnel Management, 
OPM, was infiltrated with a major cyber breach, affecting more than 22 
million current and former Federal employees, including myself. In 
January of 2016, another nearly half a million Americans had their 
social security numbers stolen when the Internal Revenue Service was 
hacked.
  I spent 28 years in the private sector, 12 years with a global cloud 
computing company. We faced cyber threats daily, and our customers 
expected security of their data. We delivered; not once was our data 
compromised. Until I came to the Federal Government and received the 
letters from OPM, my data had been secured too.
  I know firsthand that industry has the talent and incentive to keep 
their information systems secure. The Federal Government should 
continue to innovate and utilize industries' expertise and learn from 
their best practices.
  That is why I am introducing the Support for Rapid Innovation Act. 
This legislation will extend the authorization for the Secretary of Homeland 
Security to carry out innovative research and development projects that 
will enhance our Nation's cyber security. It will focus efforts on 
developing more secure information systems, technologies for detecting 
and containing attacks in real-time, and develop cyber forensics to 
identify perpetrators. This will be done by leveraging private sectors' 
innovation and ingenuity.
  I want to thank Senator Warner for being an original cosponsor of 
this bill and Representative Ratcliffe of Texas for leading 
introduction of companion legislation in the House of Representatives. 
I ask my Senate colleagues to join us in support of this important 
legislation.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                 S. 278

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Support for Rapid Innovation 
     Act of 2017''.

     SEC. 2. CYBERSECURITY RESEARCH AND DEVELOPMENT PROJECTS.

       (a) Cybersecurity Research and Development.--
       (1) In general.--Title III of the Homeland Security Act of 
     2002 (6 U.S.C. 181 et seq.) is amended by adding at the end 
     the following new section:

     ``SEC. 321. CYBERSECURITY RESEARCH AND DEVELOPMENT.

       ``(a) In General.--The Under Secretary for Science and 
     Technology shall support the research, development, testing, 
     evaluation, and transition of cybersecurity technologies, 
     including fundamental research to improve the sharing of 
     information, information security, analytics, and 
     methodologies related to cybersecurity risks and incidents, 
     consistent with current law.
       ``(b) Activities.--The research and development supported 
     under subsection (a) shall serve the components of the 
     Department and shall--
       ``(1) advance the development and accelerate the deployment 
     of more secure information systems;
       ``(2) improve and create technologies for detecting and 
     preventing attacks or intrusions, including real-time 
     continuous diagnostics, real-time analytic technologies, and 
     full lifecycle information protection;
       ``(3) improve and create mitigation and recovery 
     methodologies, including techniques and policies for real-
     time containment of attacks, and development of resilient 
     networks and information systems;
       ``(4) support, in coordination with non-Federal entities, 
     the review of source code that underpins critical 
     infrastructure information systems;
       ``(5) assist the development and support infrastructure and 
     tools to support cybersecurity research and development 
     efforts, including modeling, testbeds, and data sets for 
     assessment of new cybersecurity technologies;
       ``(6) assist the development and support of technologies to 
     reduce vulnerabilities in industrial control systems;
       ``(7) assist the development and support cyber forensics 
     and attack attribution capabilities;
       ``(8) assist the development and accelerate the deployment 
     of full information lifecycle security technologies to 
     enhance protection, control, and privacy of information to 
     detect and prevent cybersecurity risks and incidents;
       ``(9) assist the development and accelerate the deployment 
     of information security measures, in addition to perimeter-
     based protections;
       ``(10) assist the development and accelerate the deployment 
     of technologies to detect improper information access by 
     authorized users;
       ``(11) assist the development and accelerate the deployment 
     of cryptographic technologies to protect information at rest, 
     in transit, and in use;
       ``(12) assist the development and accelerate the deployment 
     of methods to promote greater software assurance;
       ``(13) assist the development and accelerate the deployment 
     of tools to securely and automatically update software and 
     firmware in use, with limited or no necessary intervention by 
     users and limited impact on concurrently operating systems 
     and processes; and
       ``(14) assist in identifying and addressing unidentified or 
     future cybersecurity threats.
       ``(c) Coordination.--In carrying out this section, the 
     Under Secretary for Science and Technology shall coordinate 
     activities with--
       ``(1) the Under Secretary appointed pursuant to section 
     103(a)(1)(H);
       ``(2) the heads of other relevant Federal departments and 
     agencies, as appropriate; and
       ``(3) industry and academia.
       ``(d) Transition to Practice.--The Under Secretary for 
     Science and Technology shall support projects carried out 
     under this title through the full life cycle of such 
     projects, including research, development, testing, 
     evaluation, pilots, and transitions. The Under Secretary 
     shall identify mature technologies that address existing or 
     imminent cybersecurity gaps in public or private information 
     systems and networks of information systems, protect 
     sensitive information within and outside networks of 
     information systems, identify and support necessary 
     improvements identified during pilot programs and testing and 
     evaluation activities, and introduce new cybersecurity 
     technologies throughout the homeland security enterprise 
     through partnerships and commercialization. The Under 
     Secretary shall target Federally funded cybersecurity 
     research that demonstrates a high probability of successful 
     transition to the commercial market within two years and that 
     is expected to have a notable impact on the public or private 
     information systems and networks of information systems.
       ``(e) Definitions.--In this section:
       ``(1) Cybersecurity risk.--The term `cybersecurity risk' 
     has the meaning given such term in section 227.
       ``(2) Homeland security enterprise.--The term `homeland 
     security enterprise' means relevant governmental and 
     nongovernmental entities involved in homeland security, 
     including Federal, State, local, and tribal government 
     officials, private sector representatives, academics, and 
     other policy experts.
       ``(3) Incident.--The term `incident' has the meaning given 
     such term in section 227.
       ``(4) Information system.--The term `information system' 
     has the meaning given such term in section 3502(8) of title 
     44, United States Code.
       ``(5) Software assurance.--The term `software assurance' 
     means confidence that software--
       ``(A) is free from vulnerabilities, either intentionally 
     designed into the software or accidentally inserted at any 
     time during the lifecycle of the software; and
       ``(B) functioning in the intended manner.''.
       (2) Clerical amendment.--The table of contents in section 
     1(b) of the Homeland Security Act of 2002 is amended by 
     inserting after the item relating to second section 319 the 
     following new item:

``Sec. 321. Cybersecurity research and development.''.

       (b) Research and Development Projects.--Section 831 of the 
     Homeland Security Act of 2002 (6 U.S.C. 391) is amended--
       (1) in subsection (a)--
       (A) in the matter preceding paragraph (1), by striking 
     ``2016'' and inserting ``2021'';
       (B) in paragraph (1), by striking the last sentence; and
       (C) by adding at the end the following new paragraph:
       ``(3) Prior approval.--In any case in which the head of a 
     component or office of the Department seeks to utilize the 
     authority under this section, such head shall first receive 
     prior approval from the Secretary by providing to the 
     Secretary a proposal that includes the rationale for the 
     utilization of such authority, the funds to be spent on the 
     use of such authority, and the expected outcome for each 
     project that is the subject of the use of such authority. In 
     such a case, the authority for evaluating the proposal may 
     not be delegated by the Secretary to anyone other than the 
     Under Secretary for Management.'';
       (2) in subsection (c)--
       (A) in paragraph (1), in the matter preceding subparagraph 
     (A), by striking ``2016'' and inserting ``2021''; and
       (B) by amending paragraph (2) to read as follows:
       ``(2) Report.--The Secretary shall annually submit to the 
     Committee on Homeland Security and the Committee on Science, 
     Space, and Technology of the House of Representatives and the 
     Committee on Homeland Security and Governmental Affairs of 
     the Senate a report detailing the projects for which the 
     authority granted by subsection (a) was utilized, the 
     rationale for such utilizations, the funds spent utilizing 
     such authority, the extent of cost-sharing for such projects 
     among Federal and non-Federal sources, the extent to which 
     utilization of such authority has addressed a homeland 
     security capability gap or threat to the homeland identified 
     by the Department, the total amount of payments, if any, that 
     were received by the Federal Government as a result of the 
     utilization of such authority during the period covered by 
     each such report, the outcome of each project for which such 
     authority was utilized, and the results of any audits of such 
     projects.''; and
       (3) by adding at the end the following new subsection:
       ``(e) Training.--The Secretary shall develop a training 
     program for acquisitions staff on the utilization of the 
     authority provided under subsection (a) to ensure 
     accountability and effective management of projects 
     consistent with the Program Management Improvement 
     Accountability Act (Public Law 114-264) and the amendments 
     made by such Act.''.
       (c) No Additional Funds Authorized.--No additional funds 
     are authorized to carry out the requirements of this Act and 
     the amendments made by this Act. Such requirements shall be 
     carried out using amounts otherwise authorized.