[Congressional Record Volume 167, Number 198 (Monday, November 15, 2021)]
[Senate]
[Page S8158]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 4637. Mr. RISCH submitted an amendment intended to be proposed to 
amendment SA 3867 submitted by Mr. Reed and intended to be proposed to 
the bill H.R. 4350, to authorize appropriations for fiscal year 2022 
for military activities of the Department of Defense, for military 
construction, and for defense activities of the Department of Energy, 
to prescribe military personnel strengths for such fiscal year, and for 
other purposes; which was ordered to lie on the table; as follows:

       At the end of subtitle G of title X, add the following:

     SEC. 1064. THINK TANK CYBERSECURITY STANDARDS.

       (a) Regulations.--
       (1) In general.--Not later than 90 days after the date of 
     the enactment of this Act, the Secretary of State shall 
     develop and promulgate regulations--
       (A) requiring covered think tanks and research 
     organizations to develop cybersecurity standards plans and 
     submit them to the Under Secretary of State for Management; 
     and
       (B) requiring the Bureau of Diplomatic Security, in 
     coordination with other competent authorities as necessary, 
     to certify whether the plans required pursuant to 
     subparagraph (A) meet minimum cybersecurity standards for the 
     protection of sensitive data and information.
       (2) Covered think tanks and research organizations.--For 
     purposes of this section, the term ``covered think tanks and 
     research organizations'' means United States think tanks and 
     research organizations that--
       (A) receive or plan to apply for funding from the 
     Department of State;
       (B) participate or intend to participate in more than three 
     Department-hosted events in a calendar year; or
       (C) meet, correspond, or otherwise engage with Department 
     of State personnel more than three times in a calendar year.
       (3) Scope of plan.--The cybersecurity plan required under 
     paragraph (1) shall include--
       (A) a description of the cybersecurity standards, training 
     requirements, and other procedures;
       (B) a description of how the organization intends to 
     safeguard sensitive data and report and remediate any 
     breaches or theft to the Department of State and relevant law 
     enforcement; and
       (C) a description of any other factors the Department deems 
     necessary to bolstering the cybersecurity of think tanks and 
     research organizations.
       (b) Report.--Not later than 60 days after the effective 
     date of the regulations promulgated under subsection (a), the 
     Secretary of State shall submit a report to the appropriate 
     congressional committees describing--
       (1) the progress of the Department of State in 
     implementation of the cybersecurity plan requirement mandated 
     pursuant to subsection (a);
       (2) the officials and offices within the Department 
     responsible for implementing the regulations required under 
     subsection (a);
       (3) any challenges or obstacles to implementation; and
       (4) any recommendations to improve upon the regulations 
     described required under subsection (a) or overcome 
     challenges to implementation.
       (c) Appropriate Congressional Committees Defined.--In this 
     section, the term ``appropriate congressional committees'' 
     means the Committee on Foreign Relations of the Senate and 
     the Committee on Foreign Affairs of the House of 
     Representatives.
                                 ______