[Congressional Record Volume 167, Number 194 (Thursday, November 4, 2021)]
[Senate]
[Pages S7889-S7892]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 4368. Mr. RUBIO (for himself, Mrs. Feinstein, and Mr. Blunt) 
submitted an amendment intended to be proposed to amendment SA 3867 
submitted by Mr. Reed and intended to be proposed to the bill H.R. 
4350, to authorize appropriations for fiscal year 2022 for military 
activities of the Department of Defense, for military construction, and 
for defense activities of the Department of Energy, to prescribe 
military personnel strengths for such fiscal year, and for other 
purposes; which was ordered to lie on the table; as follows:

        At the appropriate place, insert the following:

     SEC. ___. SANCTIONING AND STOPPING RANSOMWARE.

       (a) Cybersecurity Standards for Critical Infrastructure.--
       (1) In general.--Title XXII of the Homeland Security Act of 
     2002 (6 U.S.C. 651 et seq.) is amended by adding at the end 
     the following:

   ``Subtitle C--Cybersecurity Standards for Critical Infrastructure

     ``SEC. 2231. DEFINITION OF CRITICAL INFRASTRUCTURE ENTITY.

       ``In this subtitle, the term `critical infrastructure 
     entity' means an owner or operator of critical 
     infrastructure.

     ``SEC. 2232 CYBERSECURITY STANDARDS.

       ``(a) In General.--The Secretary, in consultation with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, shall develop and promulgate mandatory cybersecurity 
     standards for critical infrastructure entities.
       ``(b) Harmonization and Incorporation.--In developing the 
     cybersecurity standards required under subsection (a), the 
     Secretary shall--
       ``(1) to the greatest extent practicable, ensure the 
     cybersecurity standards are consistent with Federal 
     regulations existing as of the date on enactment of this 
     section; and
       ``(2) in coordination with the Director of the National 
     Institute of Standards and Technology, ensure that the 
     cybersecurity standards incorporate, to the greatest extent 
     practicable, the standards developed with facilitation and 
     support from the Director of the National Institute of 
     Standards and Technology under section 2(c)(15) of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     272(c)(15)).
       ``(c) Compliance Assessment.--Not less frequently than 
     annually, the Secretary, in coordination with the heads of 
     Sector Risk Management Agencies, shall assess the compliance 
     of each critical infrastructure entity with the cybersecurity 
     standards developed under subsection (a).''.
       (2) Technical and conforming amendment.--The table of 
     contents in section 1(b)

[[Page S7890]]

     of the Homeland Security Act of 2002 (Public Law 107-296; 116 
     Stat. 2135) is amended by adding at the end the following:

   ``Subtitle C--Cybersecurity Standards for Critical Infrastructure

``Sec. 2231. Definition of critical infrastructure entity.
``Sec. 2232. Cybersecurity standards.''.
       (b) Regulation of Cryptocurrency Exchanges.--
       (1) Secretary of the treasury.--Not later than 180 days 
     after the date of enactment of this Act, the Secretary of the 
     Treasury shall--
       (A) develop and institute regulatory requirements for 
     cryptocurrency exchanges operating within the United States 
     to reduce the anonymity of users and accounts suspected of 
     ransomware activity and make records available to the Federal 
     Government in connection with ransomware incidents; and
       (B) submit to Congress a report with any recommendations 
     that may be necessary regarding cryptocurrency exchanges used 
     in conjunction with ransomware.
       (2) Attorney general.--The Attorney General shall determine 
     what information should be preserved by cryptocurrency 
     exchanges to facilitate law enforcement investigations.
       (c) Designation of State Sponsors of Ransomware and 
     Reporting Requirements.--
       (1) Designation of state sponsors of ransomware.--
       (A) In general.--Not later than 180 days after the date of 
     the enactment of this Act, and annually thereafter, the 
     Secretary of State, in consultation with the Director of 
     National Intelligence, shall--
       (i) designate as a state sponsor of ransomware any country 
     the government of which the Secretary has determined has 
     provided support for ransomware demand schemes (including by 
     providing safe haven for individuals engaged in such 
     schemes);
       (ii) submit to Congress a report listing the countries 
     designated under clause (i); and
       (iii) in making designations under clause (i), take into 
     consideration the report submitted to Congress under 
     subsection (d)(3)(A).
       (B) Sanctions and penalties.--The President shall impose 
     with respect to each state sponsor of ransomware designated 
     under subparagraph (A)(i) the sanctions and penalties imposed 
     with respect to a state sponsor of terrorism.
       (C) State sponsor of terrorism defined.--In this paragraph, 
     the term ``state sponsor of terrorism'' means a country the 
     government of which the Secretary of State has determined has 
     repeatedly provided support for acts of international 
     terrorism, for purposes of--
       (i) section 1754(c)(1)(A)(i) of the Export Control Reform 
     Act of 2018 (50 U.S.C. 4813(c)(1)(A)(i));
       (ii) section 620A of the Foreign Assistance Act of 1961 (22 
     U.S.C. 2371);
       (iii) section 40(d) of the Arms Export Control Act (22 
     U.S.C. 2780(d)); or
       (iv) any other provision of law.
       (2) Reporting requirements.--
       (A) Sanctions relating to ransomware report.--Not later 
     than 180 days after the date of the enactment of this Act, 
     the Secretary of the Treasury shall submit a report to 
     Congress that describes, for each of the 5 fiscal years 
     immediately preceding the date of such report, the number and 
     geographic locations of individuals, groups, and entities 
     subject to sanctions imposed by the Office of Foreign Assets 
     Control who were subsequently determined to have been 
     involved in a ransomware demand scheme.
       (B) Country of origin report.--The Secretary of State, in 
     consultation with the Director of National Intelligence and 
     the Director of the Federal Bureau of Investigation, shall--
       (i) submit a report, with a classified annex, to the 
     Committee on Foreign Relations of the Senate, the Select 
     Committee on Intelligence of the Senate, the Committee on 
     Foreign Affairs of the House of Representatives, and the 
     Permanent Select Committee on Intelligence of the House of 
     Representatives that identifies the country of origin of 
     foreign-based ransomware attacks; and
       (ii) make the report described in clause (i) (excluding the 
     classified annex) available to the public.
       (C) Investigative authorities report.--Not later than 180 
     days after the date of the enactment of this Act, the 
     Comptroller General of the United States shall issue a report 
     that outlines the authorities available to the Federal Bureau 
     of Investigation, the United States Secret Service, the 
     Cybersecurity and Infrastructure Security Agency, the 
     Homeland Security Investigations, and the Office of Foreign 
     Assets Control to respond to foreign-based ransomware 
     attacks.
       (d) Deeming Ransomware Threats to Critical Infrastructure 
     as a National Intelligence Priority.--
       (1) Critical infrastructure defined.--In this subsection, 
     the term ``critical infrastructure'' has the meaning given 
     such term in subsection (e) of the Critical Infrastructures 
     Protection Act of 2001 (42 U.S.C. 5195c(e)).
       (2) Ransomware threats to critical infrastructure as 
     national intelligence priority.--The Director of National 
     Intelligence, pursuant to the provisions of the National 
     Security Act of 1947 (50 U.S.C. 3001 et seq.), the 
     Intelligence Reform and Terrorism Prevention Act of 2004 
     (Public Law 108-458), section 1.3(b)(17) of Executive Order 
     12333 (50 U.S.C. 3001 note; relating to United States 
     intelligence activities), as in effect on the day before the 
     date of the enactment of this Act, and National Security 
     Presidential Directive-26 (February 24, 2003; relating to 
     intelligence priorities), as in effect on the day before the 
     date of the enactment of this Act, shall deem ransomware 
     threats to critical infrastructure a national intelligence 
     priority component to the National Intelligence Priorities 
     Framework.
       (3) Report.--
       (A) In general.--Not later than 180 days after the date of 
     the enactment of this Act, the Director of National 
     Intelligence shall, in consultation with the Director of the 
     Federal Bureau of Investigation, submit to the Select 
     Committee on Intelligence of the Senate and the Permanent 
     Select Committee on Intelligence of the House of 
     Representatives a report on the implications of the 
     ransomware threat to United States national security.
       (B) Contents.--The report submitted under subparagraph (A) 
     shall address the following:
       (i) Identification of individuals, groups, and entities who 
     pose the most significant threat, including attribution to 
     individual ransomware attacks whenever possible.
       (ii) Locations from where individuals, groups, and entities 
     conduct ransomware attacks.
       (iii) The infrastructure, tactics, and techniques 
     ransomware actors commonly use.
       (iv) Any relationships between the individuals, groups, and 
     entities that conduct ransomware attacks and their 
     governments or countries of origin that could impede the 
     ability to counter ransomware threats.
       (v) Intelligence gaps that have, or currently are, impeding 
     the ability to counter ransomware threats.
       (C) Form.--The report submitted under subparagraph (A) 
     shall be submitted in unclassified form, but may include a 
     classified annex.
       (e) Ransomware Operation Reporting Capabilities.--
       (1) In general.--Title XXII of the Homeland Security Act of 
     2002 (6 U.S.C. 651 et seq.), as amended by subsection (a)(1) 
     of this section, is amended by adding at the end the 
     following:

       ``Subtitle D--Ransomware Operation Reporting Capabilities

     ``SEC. 2241. DEFINITIONS.

       ``In this subtitle:
       ``(1) Definitions from section 2201.--The definitions in 
     section 2201 shall apply to this subtitle, except as 
     otherwise provided.
       ``(2) Agency.--The term `Agency' means the Cybersecurity 
     and Infrastructure Security Agency.
       ``(3) Appropriate congressional committees.--The term 
     `appropriate congressional committees' means--
       ``(A) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(B) the Select Committee on Intelligence of the Senate;
       ``(C) the Committee on the Judiciary of the Senate;
       ``(D) the Committee on Homeland Security of the House of 
     Representatives;
       ``(E) the Permanent Select Committee on Intelligence of the 
     House of Representatives; and
       ``(F) the Committee on the Judiciary of the House of 
     Representatives.
       ``(4) Covered entity.--The term `covered entity' means--
       ``(A) a Federal contractor;
       ``(B) an owner or operator of critical infrastructure;
       ``(C) a non-government entity that provides cybersecurity 
     incident response services; and
       ``(D) any other entity determined appropriate by the 
     Secretary, in coordination with the head of any other 
     appropriate department or agency.
       ``(5) Critical function.--The term `critical function' 
     means any action or operation that is necessary to maintain 
     critical infrastructure.
       ``(6) Director.--The term `Director' means the Director of 
     the Cybersecurity and Infrastructure Security Agency.
       ``(7) Federal agency.--The term `Federal agency' has the 
     meaning given the term `agency' in section 3502 of title 44, 
     United States Code.
       ``(8) Federal contractor.--The term `Federal contractor'--
       ``(A) means a contractor or subcontractor (at any tier) of 
     the United States Government; and
       ``(B) does not include a contractor or subcontractor that 
     is a party only to--
       ``(i) a service contract to provide housekeeping or 
     custodial services; or
       ``(ii) a contract to provide products or services unrelated 
     to information technology that is below the micro-purchase 
     threshold (as defined in section 2.101 of title 48, Code of 
     Federal Regulations, or any successor thereto).
       ``(9) Information technology.--The term `information 
     technology' has the meaning given the term in section 11101 
     of title 40, United States Code.
       ``(10) Ransomware.--The term `ransomware' means any type of 
     malicious software that--
       ``(A) prevents the legitimate owner or operator of an 
     information system or network from accessing electronic data, 
     files, systems, or networks; and
       ``(B) demands the payment of a ransom for the return of 
     access to the electronic data,

[[Page S7891]]

     files, systems, or networks described in subparagraph (A).
       ``(11) Ransomware notification.--The term `ransomware 
     notification' means a notification of a ransomware operation.
       ``(12) Ransomware operation.--The term `ransomware 
     operation' means a specific instance in which ransomware 
     affects the information systems or networks owned or operated 
     by--
       ``(A) a covered entity; or
       ``(B) a Federal agency.
       ``(13) System.--The term `System' means the ransomware 
     operation reporting capabilities established under section 
     2242(b).

     ``SEC. 2242. ESTABLISHMENT OF RANSOMWARE OPERATION REPORTING 
                   SYSTEM.

       ``(a) Designation.--The Agency shall be the designated 
     agency within the Federal Government to receive ransomware 
     operation notifications from other Federal agencies and 
     covered entities in accordance with this subtitle.
       ``(b) Establishment.--Not later than 180 days after the 
     date of enactment of this subtitle, the Director shall 
     establish ransomware operation reporting capabilities to 
     facilitate the submission of timely, secure, and confidential 
     ransomware notifications by Federal agencies and covered 
     entities to the Agency.
       ``(c) Security Assessment.--The Director shall--
       ``(1) assess the security of the System not less frequently 
     than once every 2 years; and
       ``(2) as soon as is practicable after conducting an 
     assessment under paragraph (1), make any necessary corrective 
     measures to the System.
       ``(d) Requirements.--The System shall have the ability--
       ``(1) to accept classified submissions and notifications; 
     and
       ``(2) to accept a ransomware notification from any entity, 
     regardless of whether the entity is a covered entity.
       ``(e) Limitations on Use of Information.--Any ransomware 
     notification submitted to the System--
       ``(1) shall be exempt from disclosure under--
       ``(A) section 552 of title 5, United States Code (commonly 
     referred to as the ``Freedom of Information Act''), in 
     accordance with subsection (b)(3)(B) of such section 552; and
       ``(B) any State, Tribal, or local law requiring the 
     disclosure of information or records; and
       ``(2) may not be--
       ``(A) admitted as evidence in any civil or criminal action 
     brought against the victim of the ransomware operation; or
       ``(B) subject to a subpoena, unless the subpoena is issued 
     by Congress for congressional oversight purposes.
       ``(f) Privacy and Protection.--
       ``(1) In general.--Not later than the date on which the 
     Director establishes the System, Director shall adopt privacy 
     and protection procedures for any information submitted to 
     the System that, at the time of the submission, is known to 
     contain--
       ``(A) the personal information of a specific individual; or
       ``(B) information that identifies a specific individual 
     that is not directly related to a ransomware operation.
       ``(2) Model for protections.--The Director shall base the 
     privacy and protection procedures adopted under paragraph (1) 
     on the privacy and protection procedures developed for 
     information received and shared pursuant to the Cybersecurity 
     Information Sharing Act of 2015 (6 U.S.C. 1501 et seq.).
       ``(g) Annual Reports.--
       ``(1) Director reporting requirement.--Not later than 1 
     year after the date on which the System is established and 
     once each year thereafter, the Director shall submit to the 
     appropriate congressional committees a report on the System, 
     which shall include, with respect to the 1-year period 
     preceding the report--
       ``(A) the number of notifications received through the 
     System; and
       ``(B) the actions taken in connection with the 
     notifications described in subparagraph (A).
       ``(2) Secretary reporting requirement.--Not later than 1 
     year after the date on which the System is established, and 
     once each year thereafter, the Secretary shall submit to the 
     appropriate congressional committees a report on the types of 
     ransomware operation information and incidents in which 
     ransom is requested that are required to be submitted as a 
     ransomware notification, noting any changes from the previous 
     submission.
       ``(3) Form.--Any report required under this subsection may 
     be submitted in a classified form, if necessary.

     ``SEC. 2243. REQUIRED NOTIFICATIONS.

       ``(a) In General.--
       ``(1) Ransomware notification.--Not later than 24 hours 
     after the discovery of a ransomware operation that 
     compromises, is reasonably likely to compromise, or otherwise 
     materially affects the performance of a critical function by 
     a Federal agency or covered entity, the Federal agency or 
     covered entity that discovered the ransomware operation shall 
     submit a ransomware notification to the System.
       ``(2) Inclusion.--A Federal agency or covered entity shall 
     submit a ransomware notification under paragraph (1) of a 
     ransomware operation discovered by the Federal agency or 
     covered entity even if the ransomware operation does not 
     occur on a system of the Federal agency or covered entity.
       ``(b) Required Updates.--A Federal agency or covered entity 
     that submits a ransomware notification under subsection (a) 
     shall, upon discovery of new information and not less 
     frequently than once every 5 days until the date on which the 
     ransomware operation is mitigated and any follow-up 
     investigation is completed, submit updated ransomware threat 
     information to the System.
       ``(c) Payment Disclosure.--Not later than 24 hours after a 
     Federal agency or covered entity issues a ransom payment 
     relating to a ransomware operation, the Federal agency or 
     covered entity shall submit to the System details of the 
     ransom payment, including--
       ``(1) the method of payment;
       ``(2) the amount of the payment; and
       ``(3) the recipient of the payment.
       ``(d) Required Rulemaking.--Notwithstanding any provision 
     of this title that may limit or restrict the promulgation of 
     rules, not later than 180 days after the date of enactment of 
     this subtitle, the Secretary, acting through the Director, in 
     coordination with the Director of National Intelligence and 
     the Attorney General, without regard to the notice and 
     comment rule making requirements under section 553 of title 
     5, United States Code, and accepting comments after the 
     effective date, shall promulgate interim final rules that 
     define--
       ``(1) the conditions under which a ransomware notification 
     is required to be submitted under subsection (a)(1);
       ``(2) the ransomware operation information that shall be 
     included in a ransomware notification required under this 
     section; and
       ``(3) the information that shall be included in a ransom 
     payment disclosure required under subsection (c).
       ``(e) Required Coordination With Sector Risk Management 
     Agencies.--The Secretary, in coordination with the head of 
     each Sector Risk Management Agency, shall--
       ``(1) establish a set of reporting criteria for Sector Risk 
     Management Agencies to submit ransomware notifications to the 
     System; and
       ``(2) take steps to harmonize the criteria described in 
     paragraph (1) with the regulatory reporting requirements in 
     effect on the date of enactment of this subtitle.
       ``(f) Protection From Liability.--Section 106 of the 
     Cybersecurity Act of 2015 (6 U.S.C. 1505) shall apply to a 
     Federal agency or covered entity required to submit a 
     ransomware notification to the System.
       ``(g) Enforcement.--
       ``(1) Covered entities.--If a covered entity violates the 
     requirements of this subtitle, the covered entity shall be 
     subject to penalties determined by the Administrator of the 
     General Services Administration, which may include removal 
     from the Federal Contracting Schedules.
       ``(2) Federal agencies.--If a Federal agency violates the 
     requirements of this subtitle, the violation shall be 
     referred to the inspector general for the agency, and shall 
     be treated as a matter of urgent concern.''.
       (2) Table of contents.--The table of contents in section 
     1(b) of the Homeland Security Act of 2002 (Public Law 107-
     296; 116 Stat. 2135), as amended by subsection (a)(2) of this 
     section, is further amended by adding at the end the 
     following:

       ``Subtitle D--Ransomware Operation Reporting Capabilities

``Sec. 2241. Definitions.
``Sec. 2242. Establishment of ransomware operation reporting system.
``Sec. 2243. Required notifications.''.
       (3) Technical and conforming amendments.--Section 2202(c) 
     of the Homeland Security Act of 2002 (6 U.S.C. 652(c)) is 
     amended--
       (A) by redesignating the second and third paragraphs (12) 
     as paragraphs (14) and (15), respectively; and
       (B) by inserting before paragraph (14), as so redesignated, 
     the following:
       ``(13) carry out the responsibilities described in subtitle 
     D relating to the ransomware operation reporting system;''.
       (f) Duties of the Cybersecurity and Infrastructure Security 
     Agency.--
       (1) In general.--Subtitle A of title XXII of the Homeland 
     Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--
       (A) by redesignating section 2217 (6 U.S.C. 665f) as 
     section 2220;
       (B) by redesignating section 2216 (6 U.S.C. 665e) as 
     section 2219;
       (C) by redesignating the fourth section 2215 (relating to 
     Sector Risk Management Agencies) (6 U.S.C. 665d) as section 
     2218;
       (D) by redesignating the third section 2215 (relating to 
     the Cybersecurity State Coordinator) (6 U.S.C. 665c) as 
     section 2217;
       (E) by redesignating the second section 2215 (relating to 
     the Joint Cyber Planning Office) (6 U.S.C. 665b) as section 
     2216; and
       (F) by adding after section 2220, as so redesignated, the 
     following:

     ``SEC. 2220A. INFORMATION SYSTEM AND NETWORK SECURITY FUND.

       ``(a) Definitions.--In this section:
       ``(1) Covered entity.--The term `covered entity' has the 
     meaning given the term in section 2241.
       ``(2) Eligible entity.--The term `eligible entity'--
       ``(A) means a covered entity; and
       ``(B) does not include an owner or operator of critical 
     infrastructure that is not in compliance with the 
     cybersecurity standards developed under section 2232(a).
       ``(3) Fund.--The term `Fund' means the Information System 
     and Network Security Fund established under subsection 
     (b)(1).
       ``(b) Information System and Network Security Fund.--

[[Page S7892]]

       ``(1) Establishment.--There is established in the Treasury 
     of the United States a trust fund to be known as the 
     `Information System and Network Security Fund'.
       ``(2) Contents of fund.--
       ``(A) In general.--The Fund shall consist of such amounts 
     as may be appropriated for deposit in the Fund.
       ``(B) Availability.--
       ``(i) In general.--Amounts deposited in the Fund shall 
     remain available through the end of the tenth fiscal year 
     beginning after the date on which funds are first 
     appropriated to the Fund.
       ``(ii) Remainder to treasury.--Any unobligated balances in 
     the Fund after the date described in clause (i) are rescinded 
     and shall be transferred to the general fund of the Treasury.
       ``(3) Use of fund.--
       ``(A) In general.--Amounts deposited in the Fund shall be 
     available to the Director to distribute to eligible entities 
     pursuant to this subsection, in such amounts as the Director 
     determines appropriate, subject to subparagraph (B).
       ``(B) Distribution.--The amounts distributed to eligible 
     entities under this paragraph shall be made for a specific 
     network security purpose, including to enable network 
     recovery from an event affecting the network cybersecurity of 
     the eligible entity.
       ``(4) Administration of fund.--The Director, in 
     consultation with the Secretary and in coordination with the 
     head of each Sector Risk Management Agency, shall--
       ``(A) establish criteria for distribution of amounts under 
     paragraph (3); and
       ``(B) administer the Fund to support network security for 
     eligible entities.
       ``(5) Report required.--For each fiscal year for which 
     amounts in the Fund are available under this subsection, the 
     Director shall submit to Congress a report that--
       ``(A) describes how, and to which eligible entities, 
     amounts from the Fund have been distributed;
       ``(B) details the criteria established under paragraph 
     (4)(A); and
       ``(C) includes any additional information that the Director 
     determines appropriate, including projected requested 
     appropriations for the next fiscal year.
       ``(c) Authorization of Appropriations.--There are 
     authorized to be appropriated for deposit in the Fund 
     $1,500,000,000, which shall remain available until the last 
     day of the tenth fiscal year beginning after the fiscal year 
     during which funds are first appropriated for deposit in the 
     Fund.

     ``SEC. 2220B. PUBLIC AWARENESS OF CYBERSECURITY OFFERINGS.

       ``(a) In General.--Not later than 180 days after the date 
     of enactment of this section, the Director shall establish a 
     public awareness campaign relating to the cybersecurity 
     services of the Federal Government.
       ``(b) Authorization of Appropriations.--There are 
     authorized to be appropriated to the Director $10,000,000 for 
     each of fiscal years 2022 through 2031 to carry out 
     subsection (a).

     ``SEC. 2220C. DARK WEB ANALYSIS.

       ``(a) Definition of Dark Web.--In this section, the term 
     `dark web' means a part of the internet that--
       ``(1) cannot be accessed through standard web browsers; and
       ``(2) requires specific software, configurations, or 
     authorizations for access.
       ``(b) Authority to Analyze.--The Director may monitor the 
     internet, including the dark web, for evidence of a 
     compromise to critical infrastructure.
       ``(c) Monitoring Capabilities.--The Director shall develop, 
     institute, and oversee capabilities to carry out the 
     authority of the Director under subsection (b).
       ``(d) Notification.--If the Director finds credible 
     evidence of a compromise to critical infrastructure under 
     subsection (c), as soon as is practicable after the finding, 
     the Director shall notify the owner or operator of the 
     compromised critical infrastructure in a manner that protects 
     the sources and methods that led to the finding of the 
     compromise.''.
       (2) Technical and conforming amendments.--Section 2202(c) 
     of the Homeland Security Act of 2002 (6 U.S.C. 652(c)) is 
     amended--
       (A) in the first paragraph (12), by striking ``section 
     2215'' and inserting ``section 2217''; and
       (B) by redesignating the second and third paragraphs (12) 
     as paragraphs (13) and (14), respectively.
       (3) Table of contents.--The table of contents in section 
     1(b) of the Homeland Security Act of 2002 (Public Law 107-
     296; 116 Stat. 2135) is amended by striking the item relating 
     to section 2214 and all that follows through the item 
     relating to section 2217 and inserting the following:
``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint Cyber Planning Office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity education and training programs.
``Sec. 2220A. Information System and Network Security Fund.
``Sec. 2220B. Public awareness of cybersecurity offerings.
``Sec. 2220C. Dark web analysis.''.
       (4) Additional technical amendment.--
       (A) Amendment.--Section 904(b)(1) of the DOTGOV Act of 2020 
     (title IX of division U of Public Law 116-260) is amended, in 
     the matter preceding subparagraph (A), by striking ``Homeland 
     Security Act'' and inserting ``Homeland Security Act of 
     2002''.
       (B) Effective date.--The amendment made by subparagraph (A) 
     shall take effect as if enacted as part of the DOTGOV Act of 
     2020 (title IX of division U of Public Law 116-260).
                                 ______