[Congressional Record Volume 167, Number 87 (Wednesday, May 19, 2021)]
[Senate]
[Pages S3111-S3112]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 1581. Mr. MANCHIN (for himself and Ms. Murkowski) submitted an 
amendment intended to be proposed to amendment SA 1502 proposed by Mr. 
Schumer to the bill S. 1260, to establish a new Directorate for 
Technology and Innovation in the National Science Foundation, to 
establish a regional technology hub program, to require a strategy and 
report on economic security, science, research, innovation, 
manufacturing, and job creation, to establish a critical supply chain 
resiliency program, and for other purposes; which was ordered to lie on 
the table; as follows:

        Strike section 4252(a) and insert the following:
       (a) In General.--Title XXII of the Homeland Security Act of 
     2002 (6 U.S.C. 651 et seq.) is amended by adding at the end 
     the following:

          ``Subtitle C--Declaration of a Significant Incident

     ``SEC. 2231. SENSE OF CONGRESS.

       ``It is the sense of Congress that--
       ``(1) the purpose of this subtitle is to authorize the 
     Secretary to declare that a significant incident has occurred 
     and to establish the authorities that are provided under the 
     declaration to respond to and recover from the significant 
     incident; and
       ``(2) the authorities established under this subtitle are 
     intended to enable the Secretary to provide voluntary 
     assistance to non-Federal entities impacted by a significant 
     incident.

     ``SEC. 2232. DEFINITIONS.

       ``For the purposes of this subtitle:
       ``(1) Asset response activity.--The term `asset response 
     activity' means an activity to support an entity impacted by 
     an incident with the response to, remediation of, or recovery 
     from, the incident, including--
       ``(A) furnishing technical and advisory assistance to the 
     entity to protect the assets of the entity, mitigate 
     vulnerabilities, and reduce the related impacts;
       ``(B) assessing potential risks to the critical 
     infrastructure sector or geographic region impacted by the 
     incident, including potential cascading effects of the 
     incident on other critical infrastructure sectors or 
     geographic regions;
       ``(C) developing courses of action to mitigate the risks 
     assessed under subparagraph (B);
       ``(D) facilitating information sharing and operational 
     coordination with entities performing threat response 
     activities; and
       ``(E) providing guidance on how best to use Federal 
     resources and capabilities in a timely, effective manner to 
     speed recovery from the incident.
       ``(2) Declaration.--The term `declaration' means a 
     declaration of the Secretary under section 2233(a)(1).
       ``(3) Director.--The term `Director' means the Director of 
     the Cybersecurity and Infrastructure Security Agency.
       ``(4) Federal agency.--The term `Federal agency' has the 
     meaning given the term `agency' in section 3502 of title 44, 
     United States Code.
       ``(5) Fund.--The term `Fund' means the Cyber Response and 
     Recovery Fund established under section 2234(a).
       ``(6) Incident.--The term `incident' has the meaning given 
     the term in section 3552 of title 44, United States Code.
       ``(7) Renewal.--The term `renewal' means a renewal of a 
     declaration under section 2233(d).
       ``(8) Sector risk management agency.--The term `Sector Risk 
     Management Agency' has the meaning given the term in section 
     2201.
       ``(9) Significant incident.--The term `significant 
     incident'--
       ``(A) means an incident or a group of related incidents 
     that results, or is likely to result, in demonstrable harm 
     to--
       ``(i) the national security interests, foreign relations, 
     or economy of the United States; or
       ``(ii) the public confidence, civil liberties, or public 
     health and safety of the people of the United States; and
       ``(B) does not include an incident or a portion of a group 
     of related incidents that occurs on--
       ``(i) a national security system (as defined in section 
     3552 of title 44, United States Code); or
       ``(ii) an information system described in paragraph (2) or 
     (3) of section 3553(e) of title 44, United States Code.

     ``SEC. 2233. DECLARATION.

       ``(a) In General.--
       ``(1) Declaration.--The Secretary, in consultation with the 
     National Cyber Director and the heads of Sector Risk 
     Management Agencies, may make a declaration of a significant 
     incident in accordance with this section for the purpose of 
     enabling the activities described in this subtitle if the 
     Secretary determines that--
       ``(A) a specific significant incident--
       ``(i) has occurred; or
       ``(ii) is likely to occur imminently; and
       ``(B) otherwise available resources, other than the Fund, 
     are likely insufficient to respond effectively to, or to 
     mitigate effectively, the specific significant incident 
     described in subparagraph (A).
       ``(2) Prohibition on delegation.--The Secretary may not 
     delegate the authority provided to the Secretary under 
     paragraph (1).
       ``(b) Asset Response Activities.--Upon a declaration, the 
     Director shall coordinate--
       ``(1) the asset response activities of each Federal agency 
     in response to the specific significant incident associated 
     with the declaration; and
       ``(2) with the heads of appropriate Sector Risk Management 
     Agencies and appropriate entities, which may include--
       ``(A) public and private entities and State and local 
     governments with respect to the asset response activities of 
     those entities and governments; and
       ``(B) Federal, State, local, and Tribal law enforcement 
     agencies with respect to investigations and threat response 
     activities of those law enforcement agencies; and
       ``(3) Federal, State, local, and Tribal emergency 
     management and response agencies.
       ``(c) Duration.--Subject to subsection (d), a declaration 
     shall terminate upon the earlier of--
       ``(1) a determination by the Secretary that the declaration 
     is no longer necessary; or
       ``(2) the expiration of the 120-day period beginning on the 
     date on which the Secretary makes the declaration.
       ``(d) Renewal.--The Secretary, without delegation, may 
     renew a declaration as necessary.
       ``(e) Publication.--
       ``(1) In general.--Not later than 72 hours after a 
     declaration or a renewal, the Secretary shall publish the 
     declaration or renewal in the Federal Register.
       ``(2) Prohibition.--A declaration or renewal published 
     under paragraph (1) may not include the name of any affected 
     individual or private company.
       ``(f) Advance Actions.--
       ``(1) In general.--The Secretary--
       ``(A) shall assess the resources available to respond to a 
     potential declaration; and
       ``(B) may take actions before and while a declaration is in 
     effect to arrange or procure additional resources for asset 
     response activities or technical assistance the Secretary 
     determines necessary, which may include entering into standby 
     contracts with private entities for cybersecurity services or 
     incident responders in the event of a declaration.
       ``(2) Expenditure of funds.--Any expenditure from the Fund 
     for the purpose of paragraph (1)(B) shall be made from 
     amounts available in the Fund, and amounts available in the 
     Fund shall be in addition to any other appropriations 
     available to the Cybersecurity and Infrastructure Security 
     Agency for such purpose.

     ``SEC. 2234. CYBER RESPONSE AND RECOVERY FUND.

       ``(a) In General.--There is established a Cyber Response 
     and Recovery Fund, which shall be available for--
       ``(1) the coordination of activities described in section 
     2233(b);
       ``(2) response and recovery support for the specific 
     significant incident associated with a declaration to 
     Federal, State, local, and Tribal, entities and public and 
     private entities on a reimbursable or non-reimbursable basis, 
     including through asset response activities and technical 
     assistance, such as--
       ``(A) vulnerability assessments and mitigation;
       ``(B) technical incident mitigation;
       ``(C) malware analysis;
       ``(D) analytic support;
       ``(E) threat detection and hunting; and
       ``(F) network protections;
       ``(3) as the Director determines appropriate, grants for, 
     or cooperative agreements
     with, Federal, State, local, and Tribal public and private 
     entities to respond to, and recover from, the specific 
     significant incident associated with a declaration, such as--
       ``(A) hardware or software to replace, update, improve, 
     harden, or enhance the functionality of existing hardware, 
     software, or systems; and
       ``(B) technical contract personnel support; and
       ``(4) advance actions taken by the Secretary under section 
     2233(f)(1)(B).
       ``(b) Deposits and Expenditures.--
       ``(1) In general.--Amounts shall be deposited into the Fund 
     from--
       ``(A) appropriations to the Fund for activities of the 
     Fund; and
       ``(B) reimbursement from Federal agencies for the 
     activities described in paragraphs (1), (2), and (4) of 
     subsection (a), which shall only be from amounts made 
     available in advance in appropriations Acts for such 
     reimbursement.
       ``(2) Expenditures.--Any expenditure from the Fund for the 
     purposes of this subtitle shall be made from amounts 
     available in the Fund from a deposit described in paragraph 
     (1), and amounts available in the Fund shall be in addition 
     to any other appropriations available to the Cybersecurity 
     and Infrastructure Security Agency for such purposes.
       ``(c) Supplement Not Supplant.--Amounts in the Fund shall 
     be used to supplement, not supplant, other Federal, State, 
     local, or Tribal funding for activities in response to a 
     declaration.
       ``(d) Reporting.--The Secretary shall require an entity 
     that receives amounts from the Fund to submit a report to the 
     Secretary that details the specific use of the amounts.

     ``SEC. 2235. NOTIFICATION AND REPORTING.

       ``(a) Notification.--Upon a declaration or renewal, the 
     Secretary shall immediately notify the National Cyber 
     Director, the heads of appropriate Sector Risk Management 
     Agencies, and appropriate congressional committees and 
     include in the notification--
       ``(1) an estimation of the planned duration of the 
     declaration;
       ``(2) with respect to a notification of a declaration, the 
     reason for the declaration, including information relating to 
     the specific significant incident or imminent specific 
     significant incident, including--
       ``(A) the operational or mission impact or anticipated 
     impact of the specific significant incident on Federal and 
     non-Federal entities;
       ``(B) if known, the perpetrator of the specific significant 
     incident; and
       ``(C) the scope of the Federal and non-Federal entities 
     impacted or anticipated to be impacted by the specific 
     significant incident;
       ``(3) with respect to a notification of a renewal, the 
     reason for the renewal;
       ``(4) justification as to why available resources, other 
     than the Fund, are insufficient to respond to or mitigate the 
     specific significant incident; and
       ``(5) a description of the coordination activities 
     described in section 2233(b) that the Secretary anticipates 
     the Director to perform.
       ``(b) Report to Congress.--Not later than 180 days after 
     the date of a declaration or renewal, the Secretary shall 
     submit to the appropriate congressional committees a report 
     that includes--
       ``(1) the reason for the declaration or renewal, including 
     information and intelligence relating to the specific 
     significant incident that led to the declaration or renewal;
       ``(2) the use of any funds from the Fund for the purpose of 
     responding to the incident or threat described in paragraph 
     (1);
       ``(3) a description of the actions, initiatives, and 
     projects undertaken by the Department and State and local 
     governments and public and private entities in responding to 
     and recovering from the specific significant incident 
     described in paragraph (1);
       ``(4) an accounting of the specific obligations and outlays 
     of the Fund; and
       ``(5) an analysis of--
       ``(A) the impact of the specific significant incident 
     described in paragraph (1) on Federal and non-Federal 
     entities;
       ``(B) the impact of the declaration or renewal on the 
     response to, and recovery from, the specific significant 
     incident described in paragraph (1); and
       ``(C) the impact of the funds made available from the Fund 
     as a result of the declaration or renewal on the recovery 
     from, and response to, the specific significant incident 
     described in paragraph (1).
       ``(c) Classification.--Each notification made under 
     subsection (a) and each report submitted under subsection 
     (b)--
       ``(1) shall be in an unclassified form with appropriate 
     markings to indicate information that is exempt from 
     disclosure under section 552 of title 5, United States Code 
     (commonly known as the `Freedom of Information Act'); and
       ``(2) may include a classified annex.
       ``(d) Consolidated Report.--The Secretary shall not be 
     required to submit multiple reports under subsection (b) for 
     multiple declarations or renewals if the Secretary determines 
     that the declarations or renewals substantively relate to the 
     same specific significant incident.
       ``(e) Exemption.--The requirements of subchapter I of 
     chapter 35 of title 44 (commonly known as the `Paperwork 
     Reduction Act') shall not apply to the voluntary collection 
     of information by the Department during an investigation of, 
     a response to, or an immediate post-response review of, the 
     specific significant incident leading to a declaration or 
     renewal.

     ``SEC. 2236. RULE OF CONSTRUCTION.

       ``Nothing in this subtitle shall be construed to impair or 
     limit the ability of--
       ``(1) the Director to carry out the authorized activities 
     of the Cybersecurity and Infrastructure Security Agency; or
       ``(2) the Secretary of Energy to carry out the authorities 
     under--
       ``(A) section 61003(c) of the Fixing America's Surface 
     Infrastructure Act (6 U.S.C. 121 note; Public Law 114-194); 
     or
       ``(B) section 215A of the Federal Power Act (16 U.S.C. 
     824o-1).

     ``SEC. 2237. AUTHORIZATION OF APPROPRIATIONS.

       ``There are authorized to be appropriated to the Fund 
     $20,000,000 for fiscal year 2022, which shall remain 
     available until September 30, 2028.

     ``SEC. 2238. SUNSET.

       ``The authorities granted to the Secretary or the Director 
     under this subtitle shall expire on the date that is 7 years 
     after the date of enactment of this subtitle.''.
                                 ______