[Congressional Record Volume 167, Number 198 (Monday, November 15, 2021)]
[Senate]
[Pages S8091-S8094]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 4561. Mr. KING (for himself, Mr. Rounds, Mr. Sasse, Ms. Rosen, Ms. 
Hassan, and Mr. Ossoff) submitted an amendment intended to be proposed 
to amendment SA 3867 submitted by Mr. Reed and intended to be proposed 
to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 
for military activities of the Department of Defense, for military 
construction, and for defense activities of the Department of Energy, 
to prescribe military personnel strengths for such fiscal year, and for 
other purposes; which was ordered to lie on the table; as follows:

        At the end, add the following:

          DIVISION E--DEFENSE OF UNITED STATES INFRASTRUCTURE

     SEC. 5001. SHORT TITLE.

       This division may be cited as the ``Defense of United 
     States Infrastructure Act of 2021''.

     SEC. 5002. DEFINITIONS.

       In this division:
       (1) Critical infrastructure.--The term ``critical 
     infrastructure'' has the meaning given such term in section 
     1016(e) of the Critical Infrastructure Protection Act of 2001 
     (42 U.S.C. 5195c(e)).
       (2) Cybersecurity risk.--The term ``cybersecurity risk'' 
     has the meaning given such term in section 2209 of the 
     Homeland Security Act of 2002 (6 U.S.C. 659).
       (3) Department.--The term ``Department'' means the 
     Department of Homeland Security.
       (4) Secretary.--The term ``Secretary'' means the Secretary 
     of Homeland Security.

   TITLE LI--INVESTING IN CYBER RESILIENCY IN CRITICAL INFRASTRUCTURE

     SEC. 5101. NATIONAL RISK MANAGEMENT CYCLE AND CRITICAL 
                   INFRASTRUCTURE RESILIENCE STRATEGY.

       (a) Amendments.--Subtitle A of title XXII of the Homeland 
     Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--
       (1) in section 2202(c) (6 U.S.C. 652(c))--
       (A) in paragraph (11), by striking ``and'' at the end;
       (B) in the first paragraph designated as paragraph (12), 
     relating to the Cybersecurity State Coordinator--
       (i) by striking ``section 2215'' and inserting ``section 
     2217''; and
       (ii) by striking ``and'' at the end; and
       (C) by redesignating the second and third paragraphs 
     designated as paragraph (12) as paragraphs (13) and (14), 
     respectively;
       (2) by redesignating section 2217 (6 U.S.C. 665f) as 
     section 2220;
       (3) by redesignating section 2216 (6 U.S.C. 665e) as 
     section 2219;
       (4) by redesignating the fourth section 2215 (relating to 
     Sector Risk Management Agencies) (6 U.S.C. 665d) as section 
     2218;
       (5) by redesignating the third section 2215 (relating to 
     the Cybersecurity State Coordinator) (6 U.S.C. 665c) as 
     section 2217;
       (6) by redesignating the second section 2215 (relating to 
     the Joint Cyber Planning Office) (6 U.S.C. 665b) as section 
     2216; and
       (7) by adding at the end the following:

     ``SEC. 2220A. NATIONAL RISK MANAGEMENT CYCLE AND CRITICAL 
                   INFRASTRUCTURE RESILIENCE STRATEGY.

       ``(a) Definition.--In this section, the term `cybersecurity 
     risk' has the meaning given such term in section 2209.
       ``(b) Creation of a Critical Infrastructure Resilience 
     Strategy and a National Risk Management Cycle.--
       ``(1) Initial risk identification and assessment.--
       ``(A) In general.--The Secretary, acting through the 
     Director, shall establish a process by which to identify, 
     assess, and prioritize risks to critical infrastructure, 
     considering both cyber and physical threats, vulnerabilities, 
     and consequences.
       ``(B) Consultation.--In establishing the process required 
     under subparagraph (A), the Secretary shall--
       ``(i) coordinate with the heads of Sector Risk Management 
     Agencies and the National Cyber Director;
       ``(ii) consult with the Director of National Intelligence 
     and the Attorney General; and
       ``(iii) consult with the owners and operators of critical 
     infrastructure.
       ``(C) Publication.--Not later than 180 days after the date 
     of enactment of this section, the Secretary shall publish in 
     the Federal Register procedures for the process established 
     under subparagraph (A).
       ``(D) Report.--Not later than 1 year after the date of 
     enactment of this section, the Secretary shall submit to the 
     President, the Committee on Homeland Security and 
     Governmental Affairs of the Senate, and the Committee on 
     Homeland Security of the House of Representatives a report on 
     the risks identified by the process established under 
     subparagraph (A).
       ``(2) Initial national critical infrastructure resilience 
     strategy.--
       ``(A) In general.--Not later than 1 year after the date on 
     which the Secretary delivers the report required under 
     paragraph (1)(D), the President shall deliver to the majority 
     and minority leaders of the Senate, the Speaker and minority 
     leader of the House of Representatives, the Committee on 
     Homeland Security and Governmental Affairs of the Senate, and 
     the Committee on Homeland Security of the House of 
     Representatives a national critical infrastructure resilience 
     strategy designed to address the risks identified by the 
     Secretary.
       ``(B) Elements.--In the strategy delivered under 
     subparagraph (A), the President shall--
       ``(i) identify, assess, and prioritize areas of risk to 
     critical infrastructure that would compromise, disrupt, or 
     impede the ability of the critical infrastructure to support 
     the national critical functions of national security, 
     economic security, or public health and safety;
       ``(ii) identify and outline current and proposed national-
     level actions, programs, and efforts to be taken to address 
     the risks identified;
       ``(iii) identify the Federal departments or agencies 
     responsible for leading each national-level action, program, 
     or effort and the relevant critical infrastructure sectors 
     for each;
       ``(iv) outline the budget plan required to provide 
     sufficient resources to successfully execute the full range 
     of activities proposed or described by the strategy; and
       ``(v) request any additional authorities or resources 
     necessary to successfully execute the strategy.
       ``(C) Form.--The strategy delivered under subparagraph (A) 
     shall be unclassified, but may contain a classified annex.
       ``(3) Annual reports.--
       ``(A) In general.--Not later than 1 year after the date on 
     which the President delivers the strategy under paragraph 
     (2), and every year thereafter, the Secretary, in 
     coordination with the heads of Sector Risk Management 
     Agencies, shall submit to the appropriate congressional 
     committees a report on the national risk management cycle 
     activities undertaken pursuant to the strategy, including--
       ``(i) all variables included in risk assessments and the 
     weights assigned to each such variable;
       ``(ii) an explanation of how each such variable, as 
     weighted, correlates to risk, and the basis for concluding 
     there is such a correlation; and
       ``(iii) any change in the methodologies since the previous 
     report under this paragraph, including changes in the 
     variables considered, weighting of those variables, and 
     computational methods.
       ``(B) Classified annex.--The reports required under 
     subparagraph (A) shall be submitted in unclassified form to 
     the greatest extent possible, and may include a classified 
     annex if necessary.
       ``(4) Five year risk management cycle.--
       ``(A) Risk identification and assessment.--Under procedures 
     established by the Secretary, the Secretary shall repeat the 
     conducting and reporting of the risk identification and 
     assessment required under paragraph (1), in accordance with 
     the requirements in paragraph (1), every 5 years.
       ``(B) Strategy.--Under procedures established by the 
     President, the President shall repeat the preparation and 
     delivery of the critical infrastructure resilience strategy 
     required under paragraph (2), in accordance with the 
     requirements in paragraph (2), every 5 years, which shall 
     also include assessing the implementation of the previous 
     national critical infrastructure resilience strategy.''.
       (b) Technical and Conforming Amendments.--
       (1) Table of contents.--The table of contents in section 
     1(b) of the Homeland Security Act of 2002 (Public Law 107-
     296; 116 Stat. 2135) is amended by striking the item relating 
     to section 2214 and all that follows through the item 
     relating to section 2217 and inserting the following:

``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint Cyber Planning Office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity education and training programs.
``Sec. 2220A. National risk management cycle and critical 
              infrastructure resilience strategy.''.
       (2) Additional technical amendment.--
       (A) Amendment.--Section 904(b)(1) of the DOTGOV Act of 2020 
     (title IX of division U of Public Law 116-260) is amended, in 
     the matter preceding subparagraph (A), by striking ``Homeland 
     Security Act'' and inserting ``Homeland Security Act of 
     2002''.
       (B) Effective date.--The amendment made by subparagraph (A) 
     shall take effect as if enacted as part of the DOTGOV Act of 
     2020 (title IX of division U of Public Law 116-260).

TITLE LII--IMPROVING THE ABILITY OF THE FEDERAL GOVERNMENT TO ASSIST IN 
           ENHANCING CRITICAL INFRASTRUCTURE CYBER RESILIENCE

     SEC. 5201. INSTITUTE A 5-YEAR TERM FOR THE DIRECTOR OF THE 
                   CYBERSECURITY AND INFRASTRUCTURE SECURITY 
                   AGENCY.

       (a) In General.--Subsection (b)(1) of section 2202 of the 
     Homeland Security Act of 2002 (6 U.S.C. 652), is amended by 
     inserting ``The term of office of an individual serving as 
     Director shall be 5 years.'' after ``who shall report to the 
     Secretary.''.
       (b) Transition Rules.--The amendment made by subsection (a) 
     shall take effect on the first appointment of an individual 
     to the position of Director of the Cybersecurity and 
     Infrastructure Security Agency, by and with the advice and 
     consent of the Senate, that is made on or after the date of 
     enactment of this Act.

     SEC. 5202. CYBER THREAT INFORMATION COLLABORATION ENVIRONMENT 
                   PROGRAM.

       (a) Definitions.--In this section:
       (1) Critical infrastructure information.--The term 
     ``critical infrastructure information'' has the meaning given 
     such term in section 2222 of the Homeland Security Act of 
     2002 (6 U.S.C. 671).
       (2) Cyber threat indicator.--The term ``cyber threat 
     indicator'' has the meaning given such term in section 102 of 
     the Cybersecurity Act of 2015 (6 U.S.C. 1501).
       (3) Cybersecurity threat.--The term ``cybersecurity 
     threat'' has the meaning given such term in section 102 of 
     the Cybersecurity Act of 2015 (6 U.S.C. 1501).
       (4) Environment.--The term ``environment'' means the 
     information collaboration environment established under 
     subsection (b).
       (5) Information sharing and analysis organization.--The 
     term ``information sharing and analysis organization'' has 
     the meaning given such term in section 2222 of the Homeland 
     Security Act of 2002 (6 U.S.C. 671).
       (6) Non-federal entity.--The term ``non-Federal entity'' 
     has the meaning given such term in section 102 of the 
     Cybersecurity Act of 2015 (6 U.S.C. 1501).
       (b) Program.--The Secretary, in coordination with the 
     Secretary of Defense, the Director of National Intelligence, 
     and the Attorney General, shall carry out a program under 
     which the Secretary shall develop an information 
     collaboration environment consisting of a digital environment 
     containing technical tools for information analytics and a 
     portal through which relevant parties may submit and automate 
     information inputs and
     access the environment in order to enable interoperable data 
     flow that enables Federal and non-Federal entities to 
     identify, mitigate, and prevent malicious cyber activity to--
       (1) provide limited access to appropriate and operationally 
     relevant data from unclassified and classified intelligence 
     about cybersecurity risks and cybersecurity threats, as well 
     as malware forensics and data from network sensor programs, 
     on a platform that enables query and analysis;
       (2) enable cross-correlation of data on cybersecurity risks 
     and cybersecurity threats at the speed and scale necessary 
     for rapid detection and identification;
       (3) facilitate a comprehensive understanding of 
     cybersecurity risks and cybersecurity threats; and
       (4) facilitate collaborative analysis between the Federal 
     Government and public and private sector critical 
     infrastructure entities and information and analysis 
     organizations.
       (c) Implementation of Information Collaboration 
     Environment.--
       (1) Evaluation.--Not later than 180 days after the date of 
     enactment of this Act, the Secretary, acting through the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, and in coordination with the Secretary of Defense, 
     the Director of National Intelligence, and the Attorney 
     General, shall--
       (A) identify, inventory, and evaluate existing Federal 
     sources of classified and unclassified information on 
     cybersecurity threats;
       (B) evaluate current programs, applications, or platforms 
     intended to detect, identify, analyze, and monitor 
     cybersecurity risks and cybersecurity threats;
       (C) consult with public and private sector critical 
     infrastructure entities to identify public and private 
     critical infrastructure cyber threat capabilities, needs, and 
     gaps; and
       (D) identify existing tools, capabilities, and systems that 
     may be adapted to achieve the purposes of the environment in 
     order to maximize return on investment and minimize cost.
       (2) Implementation.--
       (A) In general.--Not later than 1 year after completing the 
     evaluation required under paragraph (1)(B), the Secretary, 
     acting through the Director of the Cybersecurity and 
     Infrastructure Security Agency, and in coordination with the 
     Secretary of Defense, the Director of National Intelligence, 
     and the Attorney General, shall begin implementation of the 
     environment to enable participants in the environment to 
     develop and run analytic tools referred to in subsection (b) 
     on specified data sets for the purpose of identifying, 
     mitigating, and preventing malicious cyber activity that is a 
     threat to public and private critical infrastructure.
       (B) Requirements.--The environment and the use of analytic 
     tools referred to in subsection (b) shall--
       (i) operate in a manner consistent with relevant privacy, 
     civil rights, and civil liberties policies and protections, 
     including such policies and protections established pursuant 
     to section 1016 of the Intelligence Reform and Terrorism 
     Prevention Act of 2004 (6 U.S.C. 485);
       (ii) account for appropriate data interoperability 
     requirements;
       (iii) enable integration of current applications, 
     platforms, data, and information, including classified 
     information, in a manner that supports integration of 
     unclassified and classified information on cybersecurity 
     risks and cybersecurity threats;
       (iv) incorporate tools to manage access to classified and 
     unclassified data, as appropriate;
       (v) ensure accessibility by entities the Secretary, in 
     consultation with the Secretary of Defense, the Director of 
     National Intelligence, and the Attorney General, determines 
     appropriate;
       (vi) allow for access by critical infrastructure 
     stakeholders and other private sector partners, at the 
     discretion of the Secretary, in consultation with the 
     Secretary of Defense;
       (vii) deploy analytic tools across classification levels to 
     leverage all relevant data sets, as appropriate;
       (viii) identify tools and analytical software that can be 
     applied and shared to manipulate, transform, and display data 
     and other identified needs; and
       (ix) anticipate the integration of new technologies and 
     data streams, including data from government-sponsored 
     network sensors or network-monitoring programs deployed in 
     support of non-Federal entities.
       (3) Annual report requirement on the implementation, 
     execution, and effectiveness of the program.--Not later than 
     1 year after the date of enactment of this Act, and every 
     year thereafter until the date that is 1 year after the 
     program under this section terminates under subsection (g), 
     the Secretary shall submit to the Committee on Homeland 
     Security and Governmental Affairs, the Committee on the 
     Judiciary, the Committee on Armed Services, and the Select 
     Committee on Intelligence of the Senate and the Committee on 
     Homeland Security, the Committee on the Judiciary, the 
     Committee on Armed Services, and the Permanent Select 
     Committee on Intelligence of the House of Representatives a 
     report that details--
       (A) Federal Government participation in the environment, 
     including the Federal entities participating in the 
     environment and the volume of information shared by Federal 
     entities into the environment;
       (B) non-Federal entities' participation in the environment, 
     including the non-Federal entities participating in the 
     environment and the volume of information shared by non-
     Federal entities into the environment;
       (C) the impact of the environment on positive security 
     outcomes for the Federal Government and non-Federal entities;
       (D) barriers identified to fully realizing the benefit of 
     the environment both for the Federal Government and non-
     Federal entities;
       (E) additional authorities or resources necessary to 
     successfully execute the environment; and
       (F) identified shortcomings or risks to data security and 
     privacy, and the steps necessary to improve the mitigation of 
     the shortcomings or risks.
       (d) Cyber Threat Data Interoperability.--
       (1) Establishment.--The Secretary, in coordination with the 
     Secretary of Defense, the Director of National Intelligence, 
     and the Attorney General, shall identify or establish data 
     interoperability requirements for non-Federal entities to 
     participate in the environment.
       (2) Data streams.--The Secretary shall identify, designate, 
     and periodically update programs that shall participate in or 
     be interoperable with the environment, which may include--
       (A) network-monitoring and intrusion detection programs;
       (B) cyber threat indicator sharing programs;
       (C) certain government-sponsored network sensors or 
     network-monitoring programs;
       (D) incident response and cybersecurity technical 
     assistance programs; or
       (E) malware forensics and reverse-engineering programs.
       (3) Data governance.--The Secretary, in coordination with 
     the Secretary of Defense, the Director of National 
     Intelligence, and the Attorney General, shall establish 
     procedures and data governance structures, as necessary, to 
     protect sensitive data, comply with Federal regulations and 
     statutes, and respect existing consent agreements with 
     private sector critical infrastructure entities that apply to 
     critical infrastructure information.
       (4) Rule of construction.--Nothing in this subsection shall 
     change existing ownership or protection of, or policies and 
     processes for access to, agency data.
       (e) National Security Systems.--Nothing in this section 
     shall apply to national security systems, as defined in 
     section 3552 of title 44, United States Code, or to 
     cybersecurity threat intelligence related to such systems, 
     without the consent of the relevant element of the 
     intelligence community, as defined in section 3 of the 
     National Security Act of 1947 (50 U.S.C. 3003).
       (f) Protection of Intelligence Sources and Methods.--The 
     Director of National Intelligence shall ensure that any 
     information sharing conducted under this section shall 
     protect intelligence sources and methods from unauthorized 
     disclosure in accordance with section 102A(i) of the National 
     Security Act (50 U.S.C. 3024(i)).
       (g) Duration.--The program under this section shall 
     terminate on the date that is 5 years after the date of 
     enactment of this Act.

     TITLE LIII--IMPROVING SECURITY IN THE NATIONAL CYBER ECOSYSTEM

     SEC. 5301. REPORT ON CYBERSECURITY CERTIFICATIONS AND 
                   LABELING.

       Not later than October 1, 2022, the National Cyber 
     Director, in consultation with the Director of the National 
     Institute of Standards and Technology and the Director of the 
     Cybersecurity and Infrastructure Security Agency, shall 
     submit to the Committee on Homeland Security and Governmental 
     Affairs and the Committee on Commerce, Science, and 
     Transportation of the Senate and the Committee on Homeland 
     Security and the Committee on Science, Space, and Technology 
     of the House of Representatives a report that--
       (1) identifies and assesses existing efforts by the Federal 
     Government to create, administer, or otherwise support the 
     use of certifications or labels to communicate the security 
     or security characteristics of information technology or 
     operational technology products and services; and
       (2) assesses the viability of and need for a new program at 
     the Department, or at other Federal agencies as appropriate, 
     to better address information technology and operational 
     technology product and service security certification and 
     labeling efforts across the Federal Government and between 
     the Federal Government and the private sector.

            TITLE LIV--ENABLING THE NATIONAL CYBER DIRECTOR

     SEC. 5401. ESTABLISHMENT OF HIRING AUTHORITIES FOR THE OFFICE 
                   OF THE NATIONAL CYBER DIRECTOR.

       (a) Definitions.--In this section:
       (1) Director.--The term ``Director'' means the National 
     Cyber Director.
       (2) Excepted service.--The term ``excepted service'' has 
     the meaning given such term in section 2103 of title 5, 
     United States Code.
       (3) Office.--The term ``Office'' means the Office of the 
     National Cyber Director.
       (4) Qualified position.--The term ``qualified position'' 
     means a position identified by the Director under subsection 
     (b)(1)(A), in which the individual occupying such position 
     performs, manages, or supervises functions
     that execute the responsibilities of the Office.
       (b) Hiring Plan.--The Director shall, for purposes of 
     carrying out the functions of the Office--
       (1) craft an implementation plan for positions in the 
     excepted service in the Office, which shall propose--
       (A) qualified positions in the Office, as the Director 
     determines necessary to carry out the responsibilities of the 
     Office; and
       (B) subject to the requirements of paragraph (2), rates of 
     compensation for an individual serving in a qualified 
     position;
       (2) propose rates of basic pay for qualified positions, 
     which shall--
       (A) be determined in relation to the rates of pay provided 
     for employees in comparable positions in the Office, in which 
     the employee occupying the comparable position performs, 
     manages, or supervises functions that execute the mission of 
     the Office; and
       (B) subject to the same limitations on maximum rates of pay 
     and consistent with section 5341 of title 5, United States 
     Code, adopt such provisions of that title to provide for 
     prevailing rate systems of basic pay and apply those 
     provisions to qualified positions for employees in or under 
     which the Office may employ individuals described by section 
     5342(a)(2)(A) of such title; and
       (3) craft proposals to provide--
       (A) employees in qualified positions compensation (in 
     addition to basic pay), including benefits, incentives, and 
     allowances, consistent with, and not in excess of the level 
     authorized for, comparable positions authorized by title 5, 
     United States Code; and
       (B) employees in a qualified position for which the 
     Director proposes a rate of basic pay under paragraph (2) an 
     allowance under section 5941 of title 5, United States Code, 
     on the same basis and to the same extent as if the employee 
     was an employee covered by such section, including 
     eligibility conditions, allowance rates, and all other terms 
     and conditions in law or regulation.