[Congressional Record Volume 167, Number 127 (Tuesday, July 20, 2021)]
[House]
[Pages H3701-H3703]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                        CISA CYBER EXERCISE ACT

  Ms. CLARKE of New York. Madam Speaker, I move to suspend the rules 
and pass the bill (H.R. 3223) to amend the Homeland Security Act of 
2002 to establish in the Cybersecurity and Infrastructure Security 
Agency the National Cyber Exercise Program, and for other purposes.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 3223

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``CISA Cyber Exercise Act''.

     SEC. 2. NATIONAL CYBER EXERCISE PROGRAM.

       (a) In General.--Subtitle A of title XXII of the Homeland 
     Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by 
     adding at the end the following new section:

     ``SEC. 2220A. NATIONAL CYBER EXERCISE PROGRAM.

       ``(a) Establishment of Program.--
       ``(1) In general.--There is established in the Agency the 
     National Cyber Exercise Program (referred to in this section 
     as the `Exercise Program') to evaluate the National Cyber 
     Incident Response Plan, and other related plans and 
     strategies.
       ``(2) Requirements.--
       ``(A) In general.--The Exercise Program shall be--
       ``(i) based on current risk assessments, including credible 
     threats, vulnerabilities, and consequences;
       ``(ii) designed, to the extent practicable, to simulate the 
     partial or complete incapacitation of a government or 
     critical infrastructure network resulting from a cyber 
     incident;
       ``(iii) designed to provide for the systematic evaluation 
     of cyber readiness and enhance operational understanding of 
     the cyber incident response system and relevant information 
     sharing agreements; and
       ``(iv) designed to promptly develop after-action reports 
     and plans that can quickly incorporate lessons learned into 
     future operations.
       ``(B) Model exercise selection.--The Exercise Program 
     shall--
       ``(i) include a selection of model exercises that 
     government and private entities can readily adapt for use; 
     and--
       ``(ii) aid such governments and private entities with the 
     design, implementation, and evaluation of exercises that--

       ``(I) conform to the requirements described in subparagraph 
     (A);
       ``(II) are consistent with any applicable national, State, 
     local, or Tribal strategy or plan; and
       ``(III) provide for systematic evaluation of readiness.

       ``(3) Consultation.--In carrying out the Exercise Program, 
     the Director may consult with appropriate representatives 
     from Sector Risk Management Agencies, cybersecurity research 
     stakeholders, and Sector Coordinating Councils.
       ``(b) Definitions.--In this section:
       ``(1) State.--The term `State' means any State of the United 
     States, the District of Columbia, the Commonwealth of Puerto 
     Rico, the Northern Mariana Islands, the United States Virgin 
     Islands, Guam, American Samoa, and any other territory or 
     possession of the United States.
       ``(2) Private entity.--The term `private entity' has the 
     meaning given such term in section 102 of the Cybersecurity 
     Information Sharing Act of 2015 (6 U.S.C. 1501).''.
       (b) Technical Amendments.--
       (1) Homeland security act of 2002.--Subtitle A of title XXII 
     of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) 
     is amended--
       (A) in the first section 2215 (6 U.S.C. 665; relating to 
     the duties and authorities relating to .gov internet domain), 
     by amending the section enumerator and heading to read as 
     follows:

     ``SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV INTERNET 
                   DOMAIN.'';

       (B) in the second section 2215 (6 U.S.C. 665b; relating to 
     the joint cyber planning office), by amending the section 
     enumerator and heading to read as follows:

     ``SEC. 2216. JOINT CYBER PLANNING OFFICE.'';

       (C) in the third section 2215 (6 U.S.C. 665c; relating to 
     the Cybersecurity State Coordinator), by amending the section 
     enumerator and heading to read as follows:

     ``SEC. 2217. CYBERSECURITY STATE COORDINATOR.'';

       (D) in the fourth section 2215 (6 U.S.C. 665d; relating to 
     Sector Risk Management Agencies), by amending the section 
     enumerator and heading to read as follows:

     ``SEC. 2218. SECTOR RISK MANAGEMENT AGENCIES.'';

       (E) in section 2216 (6 U.S.C. 665e; relating to the 
     Cybersecurity Advisory Committee), by amending the section 
     enumerator and heading to read as follows:

     ``SEC. 2219. CYBERSECURITY ADVISORY COMMITTEE.'';

     and
       (F) in section 2217 (6 U.S.C. 665f; relating to 
     Cybersecurity Education and Training Programs), by amending 
     the section enumerator and heading to read as follows:

     ``SEC. 2220. CYBERSECURITY EDUCATION AND TRAINING 
                   PROGRAMS.''.

       (2) Consolidated appropriations act, 2021.--Paragraph (1) of 
     section 904(b) of division U of the Consolidated 
     Appropriations Act, 2021 (Public Law 116-260) is amended, in 
     the matter preceding subparagraph (A), by inserting ``of 
     2002'' after ``Homeland Security Act''.
       (c) Clerical Amendment.--The table of contents in section 
     1(b) of the Homeland Security Act of 2002 is amended by 
     striking the items relating to sections 2214 through 2217 and 
     inserting the following new items:

``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint cyber planning office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity Education and Training Programs.
``Sec. 2220A. National Cyber Exercise Program.''.

  The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from 
New York (Ms. Clarke) and the gentleman from New York (Mr. Katko) each 
will control 20 minutes.
  The Chair recognizes the gentlewoman from New York.


                             General Leave

  Ms. CLARKE of New York. Madam Speaker, I ask unanimous consent that 
all Members may have 5 legislative days to revise and extend their 
remarks and to include extraneous material on this measure.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from New York?
  There was no objection.
  Ms. CLARKE of New York. Madam Speaker, I yield myself such time as I 
may consume.
  Madam Speaker, as Americans prepared for their 4th of July holiday 
weekends, a Russian-based cybercrime group launched a ransomware 
attack that would affect up to 1,500 small- and medium-sized businesses 
and local governments.
  The Kaseya ransomware attacks followed a series of cyberattacks, 
including one that resulted in the shutdown of 5,500 miles of pipeline 
on the East Coast.
  The unfortunate reality is that the rate and ferocity of cyberattacks 
show no signs of ebbing.
  State actors and cybercriminals alike use cyber tools to advance 
their goals, regardless of whether they are driven by geopolitical 
considerations or profiteering.
  Together, the Federal Government and its State, local, and private 
sector partners must do everything in their power to defend our 
networks while deterring and raising the cost of cyberattacks.
  At the same time, we must have tested, exercised cyber-incident 
response plans in place in the event a malicious hacker successfully 
gains access to a victim network.
  Last year's National Defense Authorization Act included language 
directing DHS, in coordination with interagency partners, to conduct 
four exercises over the next 12 years to test the resiliency, response, 
and recovery of the U.S. to a significant cyber incident impacting 
critical infrastructure.
  Such exercises are critical to understanding our national resilience 
to cyberattacks and where we need to invest in improving capability.
  H.R. 3223 would complement the capstone exercise program authorized 
last year.
  It directs the Cybersecurity and Infrastructure Security Agency, or 
CISA, together with sector risk management agencies, to develop an 
exercise program that is designed to more regularly test and assess 
systemic preparedness and resilience to cyberattacks against critical 
infrastructure.
  The authorization includes requirements for the development of model 
exercises that State and local governments or private sector entities 
could readily adapt.
  Our collective resilience to cyberattacks demands that we regularly 
assess and improve our ability to respond to cyberattacks.
  The exercise program authorized by H.R. 3223 will help State and 
local governments and private sector critical infrastructure entities 
to do just that.
  So I urge my colleagues to support H.R. 3223, and I reserve the 
balance of my time.
  Mr. KATKO. Madam Speaker, I yield myself such time as I may consume.
  I rise today in support of H.R. 3223, the CISA Cyber Exercise Act. I 
thank my friend and colleague, Ms. Slotkin, for her leadership on this 
bill, which establishes a cyber exercise program 
within CISA to elevate the National Cyber Incident Response Plan.
  As cyberattacks affecting our Nation's critical infrastructure 
continue to rise, it is imperative that State and local governments and 
the private sector leverage the free services CISA offers to help 
prevent and mitigate the scourge of ransomware and other cyberattacks 
facing our Nation.
  I am pleased that this legislation will authorize another vital tool 
in CISA's arsenal.
  I urge Members to join me in supporting H.R. 3223, and I reserve the 
balance of my time.
  Ms. CLARKE of New York. Madam Speaker, I yield 2 minutes to the 
gentlewoman from Michigan (Ms. Slotkin).
  Ms. SLOTKIN. Madam Speaker, I rise to urge my colleagues to support 
the CISA Cyber Exercise Act, a bipartisan bill to strengthen our 
preparation for cyber threats, which I introduced following the 
ransomware attacks on the Colonial Pipeline.
  Last month, I happened to have the Secretary of Agriculture, Mr. 
Vilsack, join me in Ingham County in my district to talk to farmers 
about protecting family farms, a very important topic in a rural 
community like mine. And when we went to open Q and A, what I think 
shocked everybody was that the first man to stand up, the first farmer 
that stood up in his John Deere hat and his overalls wanted to know 
about cybersecurity. That was the first thing on his mind.
  I never imagined that, as a Member of Congress, I would find myself 
standing in a barn talking with local farmers about ransomware, 
cyberattacks, and how we are going to protect ourselves but, in fact, I 
have been having that conversation over and over again in my community. 
And that is because the last few months have made clear to all 
Americans that cybersecurity is not just a tech issue, it has gone 
mainstream. It is at the very heart of protecting our critical 
infrastructure, energy, food, water, and healthcare that drives our 
daily lives, and it affects every single one of us. That is why just a 
week after a ransomware attack struck the world's largest meat 
processor, these Ingham County farmers wanted to know how cyberattacks 
would affect their family farms, their livelihood.
  What would happen if we were struck by ransomware in Michigan? Who 
could they turn to to call for help? And above all, what is our 
government doing to protect citizens who are on the front lines of this 
threat?
  I introduced the CISA Cyber Exercise Act to help answer exactly those 
questions.
  This bill will make sure that our government is preparing for the 
full range of cyber threats and that we are giving our communities and 
businesses the tools they need to be secure and resilient.

  It strengthens CISA, which is literally America's 911 call for 
cybersecurity, by formally establishing a National Cyber Exercise 
Program to test our Nation's response plans for major cyberattacks.
  It also directs CISA to build and expand a set of model cyber 
exercises that can be used by our State and local governments.
  By passing this legislation today, we are helping to ensure our 
Nation and our communities are protected.
  Mr. KATKO. Madam Speaker, I have no further speakers, and I urge 
Members to support this fine bill. I yield back the balance of my time.
  Ms. CLARKE of New York. Madam Speaker, I yield myself the balance of 
my time.
  Madam Speaker, the country is experiencing an unprecedented number of 
significant cyberattacks.
  From hospitals to schools to pipelines and a meat processing plant, 
nothing is immune.
  The key to ensuring we are resilient to cyberattacks is to ensure 
that we have trained and tested cyber incident response plans.
  H.R. 3223, the CISA Cyber Exercise Act, is critical in that effort.
  I urge my colleagues to support H.R. 3223, and I yield back the 
balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentlewoman from New York (Ms. Clarke) that the House suspend the rules 
and pass the bill, H.R. 3223.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mr. BISHOP of North Carolina. Madam Speaker, on that I demand the 
yeas and nays.
  The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution 
8, the yeas and nays are ordered.
  Pursuant to clause 8 of rule XX, further proceedings on this motion 
are postponed.
