[Congressional Record Volume 163, Number 18 (Thursday, February 2, 2017)]
[Senate]
[Pages S657-S658]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
By Mr. DAINES (for himself and Mr. Warner):
S. 278. A bill to amend the Homeland Security Act of 2002 to provide
for innovative research and development, and for other purposes; to the
Committee on Homeland Security and Governmental Affairs.
Mr. DAINES. Mr. President, in recent years we have seen the inability
of the Federal Government to quickly adapt to changing technology and
emerging threats. In June of 2015 the Office of Personnel Management,
OPM, was infiltrated with a major cyber breach, affecting more than 22
million current and former Federal employees, including myself. In
January of 2016, another nearly half a million Americans had their
social security numbers stolen when the Internal Revenue Service was
hacked.
I spent 28 years in the private sector, 12 years with a global cloud
computing company. We faced cyber threats daily, and our customers
expected security of their data. We delivered; not once was our data
compromised. Until I came to the Federal Government and received the
letters from OPM, my data had been secured too.
I know firsthand that industry has the talent and incentive to keep
their information systems secure. The Federal Government should
continue to innovate and utilize industries' expertise and learn from
their best practices.
That is why I am introducing the Support for Rapid Innovation Act.
This
legislation will extend the authorization for the Secretary of Homeland
Security to carry out innovative research and development projects that
will enhance our Nation's cyber security. It will focus efforts on
developing more secure information systems, technologies for detecting
and containing attacks in real-time, and develop cyber forensics to
identify perpetrators. This will be done by leveraging private sectors'
innovation and ingenuity.
I want to thank Senator Warner for being an original cosponsor of
this bill and Representative Ratcliffe of Texas for leading
introduction of companion legislation in the House of Representatives.
I ask my Senate colleagues to join us in support of this important
legislation.
Mr. President, I ask unanimous consent that the text of the bill be
printed in the Record.
There being no objection, the text of the bill was ordered to be
printed in the Record, as follows:
S. 278
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Support for Rapid Innovation
Act of 2017''.
SEC. 2. CYBERSECURITY RESEARCH AND DEVELOPMENT PROJECTS.
(a) Cybersecurity Research and Development.--
(1) In general.--Title III of the Homeland Security Act of
2002 (6 U.S.C. 181 et seq.) is amended by adding at the end
the following new section:
``SEC. 321. CYBERSECURITY RESEARCH AND DEVELOPMENT.
``(a) In General.--The Under Secretary for Science and
Technology shall support the research, development, testing,
evaluation, and transition of cybersecurity technologies,
including fundamental research to improve the sharing of
information, information security, analytics, and
methodologies related to cybersecurity risks and incidents,
consistent with current law.
``(b) Activities.--The research and development supported
under subsection (a) shall serve the components of the
Department and shall--
``(1) advance the development and accelerate the deployment
of more secure information systems;
``(2) improve and create technologies for detecting and
preventing attacks or intrusions, including real-time
continuous diagnostics, real-time analytic technologies, and
full lifecycle information protection;
``(3) improve and create mitigation and recovery
methodologies, including techniques and policies for real-
time containment of attacks, and development of resilient
networks and information systems;
``(4) support, in coordination with non-Federal entities,
the review of source code that underpins critical
infrastructure information systems;
``(5) assist the development and support infrastructure and
tools to support cybersecurity research and development
efforts, including modeling, testbeds, and data sets for
assessment of new cybersecurity technologies;
``(6) assist the development and support of technologies to
reduce vulnerabilities in industrial control systems;
``(7) assist the development and support cyber forensics
and attack attribution capabilities;
``(8) assist the development and accelerate the deployment
of full information lifecycle security technologies to
enhance protection, control, and privacy of information to
detect and prevent cybersecurity risks and incidents;
``(9) assist the development and accelerate the deployment
of information security measures, in addition to perimeter-
based protections;
``(10) assist the development and accelerate the deployment
of technologies to detect improper information access by
authorized users;
``(11) assist the development and accelerate the deployment
of cryptographic technologies to protect information at rest,
in transit, and in use;
``(12) assist the development and accelerate the deployment
of methods to promote greater software assurance;
``(13) assist the development and accelerate the deployment
of tools to securely and automatically update software and
firmware in use, with limited or no necessary intervention by
users and limited impact on concurrently operating systems
and processes; and
``(14) assist in identifying and addressing unidentified or
future cybersecurity threats.
``(c) Coordination.--In carrying out this section, the
Under Secretary for Science and Technology shall coordinate
activities with--
``(1) the Under Secretary appointed pursuant to section
103(a)(1)(H);
``(2) the heads of other relevant Federal departments and
agencies, as appropriate; and
``(3) industry and academia.
``(d) Transition to Practice.--The Under Secretary for
Science and Technology shall support projects carried out
under this title through the full life cycle of such
projects, including research, development, testing,
evaluation, pilots, and transitions. The Under Secretary
shall identify mature technologies that address existing or
imminent cybersecurity gaps in public or private information
systems and networks of information systems, protect
sensitive information within and outside networks of
information systems, identify and support necessary
improvements identified during pilot programs and testing and
evaluation activities, and introduce new cybersecurity
technologies throughout the homeland security enterprise
through partnerships and commercialization. The Under
Secretary shall target Federally funded cybersecurity
research that demonstrates a high probability of successful
transition to the commercial market within two years and that
is expected to have a notable impact on the public or private
information systems and networks of information systems.
``(e) Definitions.--In this section:
``(1) Cybersecurity risk.--The term `cybersecurity risk'
has the meaning given such term in section 227.
``(2) Homeland security enterprise.--The term `homeland
security enterprise' means relevant governmental and
nongovernmental entities involved in homeland security,
including Federal, State, local, and tribal government
officials, private sector representatives, academics, and
other policy experts.
``(3) Incident.--The term `incident' has the meaning given
such term in section 227.
``(4) Information system.--The term `information system'
has the meaning given such term in section 3502(8) of title
44, United States Code.
``(5) Software assurance.--The term `software assurance'
means confidence that software--
``(A) is free from vulnerabilities, either intentionally
designed into the software or accidentally inserted at any
time during the lifecycle of the software; and
``(B) functioning in the intended manner.''.
(2) Clerical amendment.--The table of contents in section
1(b) of the Homeland Security Act of 2002 is amended by
inserting after the item relating to second section 319 the
following new item:
``Sec. 321. Cybersecurity research and development.''.
(b) Research and Development Projects.--Section 831 of the
Homeland Security Act of 2002 (6 U.S.C. 391) is amended--
(1) in subsection (a)--
(A) in the matter preceding paragraph (1), by striking
``2016'' and inserting ``2021'';
(B) in paragraph (1), by striking the last sentence; and
(C) by adding at the end the following new paragraph:
``(3) Prior approval.--In any case in which the head of a
component or office of the Department seeks to utilize the
authority under this section, such head shall first receive
prior approval from the Secretary by providing to the
Secretary a proposal that includes the rationale for the
utilization of such authority, the funds to be spent on the
use of such authority, and the expected outcome for each
project that is the subject of the use of such authority. In
such a case, the authority for evaluating the proposal may
not be delegated by the Secretary to anyone other than the
Under Secretary for Management.'';
(2) in subsection (c)--
(A) in paragraph (1), in the matter preceding subparagraph
(A), by striking ``2016'' and inserting ``2021''; and
(B) by amending paragraph (2) to read as follows:
``(2) Report.--The Secretary shall annually submit to the
Committee on Homeland Security and the Committee on Science,
Space, and Technology of the House of Representatives and the
Committee on Homeland Security and Governmental Affairs of
the Senate a report detailing the projects for which the
authority granted by subsection (a) was utilized, the
rationale for such utilizations, the funds spent utilizing
such authority, the extent of cost-sharing for such projects
among Federal and non-Federal sources, the extent to which
utilization of such authority has addressed a homeland
security capability gap or threat to the homeland identified
by the Department, the total amount of payments, if any, that
were received by the Federal Government as a result of the
utilization of such authority during the period covered by
each such report, the outcome of each project for which such
authority was utilized, and the results of any audits of such
projects.''; and
(3) by adding at the end the following new subsection:
``(e) Training.--The Secretary shall develop a training
program for acquisitions staff on the utilization of the
authority provided under subsection (a) to ensure
accountability and effective management of projects
consistent with the Program Management Improvement
Accountability Act (Public Law 114-264) and the amendments
made by such Act.''.
(c) No Additional Funds Authorized.--No additional funds
are authorized to carry out the requirements of this Act and
the amendments made by this Act. Such requirements shall be
carried out using amounts otherwise authorized.