[Congressional Record Volume 167, Number 201 (Thursday, November 18, 2021)]
[Senate]
[Pages S8456-S8458]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 4784. Mr. KING (for himself, Mr. Rounds, Mr. Sasse, Ms. Rosen, Ms. 
Hassan, and Mr. Ossoff) submitted an amendment intended to be proposed 
to amendment SA 3867 submitted by Mr. Reed and intended to be proposed 
to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 
for military activities of the Department of Defense, for military 
construction, and for defense activities of the Department of Energy, 
to prescribe military personnel strengths for such fiscal year, and for 
other purposes; which was ordered to lie on the table; as follows:

        At the end, add the following:

          DIVISION E--DEFENSE OF UNITED STATES INFRASTRUCTURE

     SEC. 5001. SHORT TITLE.

       This division may be cited as the ``Defense of United 
     States Infrastructure Act of 2021''.

     SEC. 5002. DEFINITIONS.

       In this division:
       (1) Critical infrastructure.--The term ``critical 
     infrastructure'' has the meaning given such term in section 
     1016(e) of the Critical Infrastructure Protection Act of 2001 
     (42 U.S.C. 5195c(e)).
       (2) Cybersecurity risk.--The term ``cybersecurity risk'' 
     has the meaning given such term in section 2209 of the 
     Homeland Security Act of 2002 (6 U.S.C. 659).
       (3) Department.--The term ``Department'' means the 
     Department of Homeland Security.
       (4) Secretary.--The term ``Secretary'' means the Secretary 
     of Homeland Security.

   TITLE LI--INVESTING IN CYBER RESILIENCY IN CRITICAL INFRASTRUCTURE

     SEC. 5101. NATIONAL RISK MANAGEMENT CYCLE.

       (a) Amendments.--Subtitle A of title XXII of the Homeland 
     Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--
       (1) in section 2202(c) (6 U.S.C. 652(c))--
       (A) in paragraph (11), by striking ``and'' at the end;
       (B) in the first paragraph designated as paragraph (12), 
     relating to the Cybersecurity State Coordinator--
       (i) by striking ``section 2215'' and inserting ``section 
     2217''; and
       (ii) by striking ``and'' at the end; and
       (C) by redesignating the second and third paragraphs 
     designated as paragraph (12) as paragraphs (13) and (14), 
     respectively;
       (2) by redesignating section 2217 (6 U.S.C. 665f) as 
     section 2220;
       (3) by redesignating section 2216 (6 U.S.C. 665e) as 
     section 2219;
       (4) by redesignating the fourth section 2215 (relating to 
     Sector Risk Management Agencies) (6 U.S.C. 665d) as section 
     2218;
       (5) by redesignating the third section 2215 (relating to 
     the Cybersecurity State Coordinator) (6 U.S.C. 665c) as 
     section 2217;
       (6) by redesignating the second section 2215 (relating to 
     the Joint Cyber Planning Office) (6 U.S.C. 665b) as section 
     2216; and
       (7) by adding at the end the following:

     ``SEC. 2220A. NATIONAL RISK MANAGEMENT CYCLE.

       ``(a) National Critical Functions Defined.--In this 
     section, the term `national critical functions' means the 
     functions of

[[Page S8457]]

     government and the private sector so vital to the United 
     States that their disruption, corruption, or dysfunction 
     would have a debilitating effect on security, national 
     economic security, national public health or safety, or any 
     combination thereof.
       ``(b) National Risk Management Cycle.--
       ``(1) Risk identification and assessment.--
       ``(A) In general.--The Secretary, acting through the 
     Director, shall establish a recurring process by which to 
     identify, assess, and prioritize risks to critical 
     infrastructure, considering both cyber and physical threats, 
     the associated likelihoods, vulnerabilities, and 
     consequences, and the resources necessary to address them.
       ``(B) Consultation.--In establishing the process required 
     under subparagraph (A), the Secretary shall consult with, and 
     request and collect information to support analysis from, 
     Sector Risk Management Agencies, critical infrastructure 
     owners and operators, the Assistant to the President for 
     National Security Affairs, the Assistant to the President for 
     Homeland Security, and the National Cyber Director.
       ``(C) Publication.--Not later than 180 days after the date 
     of enactment of this section, the Secretary shall publish in 
     the Federal Register procedures for the process established 
     under subparagraph (A), subject to any redactions the 
     Secretary determines are necessary to protect classified or 
     other sensitive information.
       ``(D) Report.--The Secretary shall submit to the President, 
     the Committee on Homeland Security and Governmental Affairs 
     of the Senate, and the Committee on Homeland Security of the 
     House of Representatives a report on the risks identified by 
     the process established under subparagraph (A)--
       ``(i) not later than 1 year after the date of enactment of 
     this section; and
       ``(ii) not later than 1 year after the date on which the 
     Secretary submits a periodic evaluation described in section 
     9002(b)(2) of title XC of division H of the William M. (Mac) 
     Thornberry National Defense Authorization Act for Fiscal Year 
     2021 (Public Law 116-283).
       ``(2) National critical infrastructure resilience 
     strategy.--
       ``(A) In general.--Not later than 1 year after the date on 
     which the Secretary delivers each report required under 
     paragraph (1), the President shall deliver to majority and 
     minority leaders of the Senate, the Speaker and minority 
     leader of the House of Representatives, the Committee on 
     Homeland Security and Governmental Affairs of the Senate, and 
     the Committee on Homeland Security of the House of 
     Representatives a national critical infrastructure resilience 
     strategy designed to address the risks identified by the 
     Secretary.
       ``(B) Elements.--Each strategy delivered under subparagraph 
     (A) shall--
       ``(i) identify, assess, and prioritize areas of risk to 
     critical infrastructure that would compromise or disrupt 
     national critical functions impacting national security, 
     economic security, or public health and safety;
       ``(ii) assess the implementation of the previous national 
     critical infrastructure resilience strategy, as applicable;
       ``(iii) identify and outline current and proposed national-
     level actions, programs, and efforts to be taken to address 
     the risks identified;
       ``(iv) identify the Federal departments or agencies 
     responsible for leading each national-level action, program, 
     or effort and the relevant critical infrastructure sectors 
     for each; and
       ``(v) request any additional authorities necessary to 
     successfully execute the strategy.
       ``(C) Form.--Each strategy delivered under subparagraph (A) 
     shall be unclassified, but may contain a classified annex.
       ``(3) Congressional briefing.--Not later than 1 year after 
     the date on which the President delivers a strategy under 
     this section, and every year thereafter, the Secretary, in 
     coordination with Sector Risk Management Agencies, shall 
     brief the appropriate committees of Congress on--
       ``(A) the national risk management cycle activities 
     undertaken pursuant to the strategy; and
       ``(B) the amounts and timeline for funding that the 
     Secretary has determined would be necessary to address risks 
     and successfully execute the full range of activities 
     proposed by the strategy.''.
       (b) Technical and Conforming Amendments.--
       (1) Table of contents.--The table of contents in section 
     1(b) of the Homeland Security Act of 2002 (Public Law 107-
     296; 116 Stat. 2135) is amended by striking the item relating 
     to section 2214 and all that follows through the item 
     relating to section 2217 and inserting the following:

``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint Cyber Planning Office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity education and training programs.
``Sec. 2220A. National risk management cycle.''.
       (2) Additional technical amendment.--
       (A) Amendment.--Section 904(b)(1) of the DOTGOV Act of 2020 
     (title IX of division U of Public Law 116-260) is amended, in 
     the matter preceding subparagraph (A), by striking ``Homeland 
     Security Act'' and inserting ``Homeland Security Act of 
     2002''.
       (B) Effective date.--The amendment made by subparagraph (A) 
     shall take effect as if enacted as part of the DOTGOV Act of 
     2020 (title IX of division U of Public Law 116-260).

TITLE LII--IMPROVING THE ABILITY OF THE FEDERAL GOVERNMENT TO ASSIST IN 
           ENHANCING CRITICAL INFRASTRUCTURE CYBER RESILIENCE

     SEC. 5201. INSTITUTE A 5-YEAR TERM FOR THE DIRECTOR OF THE 
                   CYBERSECURITY AND INFRASTRUCTURE SECURITY 
                   AGENCY.

       (a) In General.--Subsection (b)(1) of section 2202 of the 
     Homeland Security Act of 2002 (6 U.S.C. 652), is amended by 
     inserting ``The term of office of an individual serving as 
     Director shall be 5 years.'' after ``who shall report to the 
     Secretary.''.
       (b) Transition Rules.--The amendment made by subsection (a) 
     shall take effect on the first appointment of an individual 
     to the position of Director of the Cybersecurity and 
     Infrastructure Security Agency, by and with the advice and 
     consent of the Senate, that is made on or after the date of 
     enactment of this Act.

     SEC. 5202. CYBER THREAT INFORMATION COLLABORATION ENVIRONMENT 
                   PROGRAM.

       (a) Definitions.--In this section:
       (1) Critical infrastructure information.--The term 
     ``critical infrastructure information'' has the meaning given 
     such term in section 2222 of the Homeland Security Act of 
     2002 (6 U.S.C. 671).
       (2) Cyber threat indicator.--The term ``cyber threat 
     indicator'' has the meaning given such term in section 102 of 
     the Cybersecurity Act of 2015 (6 U.S.C. 1501).
       (3) Cybersecurity threat.--The term ``cybersecurity 
     threat'' has the meaning given such term in section 102 of 
     the Cybersecurity Act of 2015 (6 U.S.C. 1501).
       (4) Environment.--The term ``environment'' means the 
     information collaboration environment established under 
     subsection (b).
       (5) Information sharing and analysis organization.--The 
     term ``information sharing and analysis organization'' has 
     the meaning given such term in section 2222 of the Homeland 
     Security Act of 2002 (6 U.S.C. 671).
       (6) Non-federal entity.--The term ``non-Federal entity'' 
     has the meaning given such term in section 102 of the 
     Cybersecurity Act of 2015 (6 U.S.C. 1501).
       (b) Program.--The Secretary, in consultation with the 
     Secretary of Defense, the Director of National Intelligence, 
     and the Attorney General, shall carry out a program under 
     which the Secretary shall develop an information 
     collaboration environment consisting of a digital environment 
     containing technical tools for information analytics and a 
     portal through which relevant parties may submit and automate 
     information inputs and access the environment in order to 
     enable interoperable data flow that enable Federal and non-
     Federal entities to identify, mitigate, and prevent malicious 
     cyber activity to--
       (1) provide limited access to appropriate and operationally 
     relevant data from unclassified and classified intelligence 
     about cybersecurity risks and cybersecurity threats, as well 
     as malware forensics and data from network sensor programs, 
     on a platform that enables query and analysis;
       (2) enable cross-correlation of data on cybersecurity risks 
     and cybersecurity threats at the speed and scale necessary 
     for rapid detection and identification;
       (3) facilitate a comprehensive understanding of 
     cybersecurity risks and cybersecurity threats; and
       (4) facilitate collaborative analysis between the Federal 
     Government and public and private sector critical 
     infrastructure entities and information and analysis 
     organizations.
       (c) Implementation of Information Collaboration 
     Environment.--
       (1) Evaluation.--Not later than 180 days after the date of 
     enactment of this Act, the Secretary, acting through the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, and in coordination with the Secretary of Defense, 
     the Director of National Intelligence, and the Attorney 
     General, shall--
       (A) identify, inventory, and evaluate existing Federal 
     sources of classified and unclassified information on 
     cybersecurity threats;
       (B) evaluate current programs, applications, or platforms 
     intended to detect, identify, analyze, and monitor 
     cybersecurity risks and cybersecurity threats;
       (C) consult with public and private sector critical 
     infrastructure entities to identify public and private 
     critical infrastructure cyber threat capabilities, needs, and 
     gaps; and
       (D) identify existing tools, capabilities, and systems that 
     may be adapted to achieve the purposes of the environment in 
     order to maximize return on investment and minimize cost.
       (2) Implementation.--
       (A) In general.--Not later than 1 year after completing the 
     evaluation required under paragraph (1)(B), the Secretary, 
     acting through the Director of the Cybersecurity and 
     Infrastructure Security Agency, and in consultation with the 
     Secretary of Defense, the Director of National Intelligence, 
     and

[[Page S8458]]

     the Attorney General, shall begin implementation of the 
     environment to enable participants in the environment to 
     develop and run analytic tools referred to in subsection (b) 
     on specified data sets for the purpose of identifying, 
     mitigating, and preventing malicious cyber activity that is a 
     threat to public and private critical infrastructure.
       (B) Requirements.--The environment and the use of analytic 
     tools referred to in subsection (b) shall--
       (i) operate in a manner consistent with relevant privacy, 
     civil rights, and civil liberties policies and protections, 
     including such policies and protections established pursuant 
     to section 1016 of the Intelligence Reform and Terrorism 
     Prevention Act of 2004 (6 U.S.C. 485);
       (ii) account for appropriate data interoperability 
     requirements;
       (iii) enable integration of current applications, 
     platforms, data, and information, including classified 
     information, in a manner that supports the voluntary 
     integration of unclassified and classified information on 
     cybersecurity risks and cybersecurity threats;
       (iv) incorporate tools to manage access to classified and 
     unclassified data, as appropriate;
       (v) ensure accessibility by entities the Secretary, in 
     consultation with the Secretary of Defense, the Director of 
     National Intelligence, and the Attorney General, determines 
     appropriate;
       (vi) allow for access by critical infrastructure 
     stakeholders and other private sector partners, at the 
     discretion of the Secretary, in consultation with the 
     Secretary of Defense, the Director of National Intelligence, 
     and the Attorney General;
       (vii) deploy analytic tools across classification levels to 
     leverage all relevant data sets, as appropriate;
       (viii) identify tools and analytical software that can be 
     applied and shared to manipulate, transform, and display data 
     and other identified needs; and
       (ix) anticipate the integration of new technologies and 
     data streams, including data from government-sponsored 
     network sensors or network-monitoring programs deployed in 
     support of non-Federal entities.
       (3) Annual report requirement on the implementation, 
     execution, and effectiveness of the program.--Not later than 
     1 year after the date of enactment of this Act, and every 
     year thereafter until the date that is 1 year after the 
     program under this section terminates under subsection (g), 
     the Secretary shall submit to the Committee on Homeland 
     Security and Governmental Affairs, the Committee on the 
     Judiciary, the Committee on Armed Services, and the Select 
     Committee on Intelligence of the Senate and the Committee on 
     Homeland Security, the Committee on the Judiciary, the 
     Committee on Armed Services, and the Permanent Select 
     Committee on Intelligence of the House of Representatives a 
     report that details--
       (A) Federal Government participation in the environment, 
     including the Federal entities participating in the 
     environment and the volume of information shared by Federal 
     entities into the environment;
       (B) non-Federal entities' participation in the environment, 
     including the non-Federal entities participating in the 
     environment and the volume of information shared by non-
     Federal entities into the environment;
       (C) the impact of the environment on positive security 
     outcomes for the Federal Government and non-Federal entities;
       (D) barriers identified to fully realizing the benefit of 
     the environment both for the Federal Government and non-
     Federal entities;
       (E) additional authorities or resources necessary to 
     successfully execute the environment; and
       (F) identified shortcomings or risks to data security and 
     privacy, and the steps necessary to improve the mitigation of 
     the shortcomings or risks.
       (d) Cyber Threat Data Interoperability Requirements.--
       (1) Establishment.--The Secretary, in coordination with the 
     Secretary of Defense, the Director of National Intelligence, 
     and the Attorney General, shall identify or establish data 
     interoperability requirements for non-Federal entities to 
     participate in the environment.
       (2) Data streams.--The Secretary, in coordination with the 
     heads of appropriate departments and agencies, shall 
     identify, designate, and periodically update programs that 
     shall participate in or be interoperable with the 
     environment, in a manner consistent with data security 
     standards under Federal law, which may include--
       (A) network-monitoring and intrusion detection programs;
       (B) cyber threat indicator sharing programs;
       (C) certain government-sponsored network sensors or 
     network-monitoring programs;
       (D) incident response and cybersecurity technical 
     assistance programs; or
       (E) malware forensics and reverse-engineering programs.
       (3) Data governance.--The Secretary, in coordination with 
     the Secretary of Defense, the Director of National 
     Intelligence, and the Attorney General, shall establish 
     procedures and data governance structures, as necessary, to 
     protect data shared in the environment, comply with Federal 
     regulations and statutes, and respect existing consent 
     agreements with private sector critical infrastructure 
     entities that apply to critical infrastructure information.
       (4) Rule of construction.--Nothing in this subsection shall 
     change existing ownership or protection of, or policies and 
     processes for access to, agency data.
       (e) National Security Systems.--Nothing in this section 
     shall apply to national security systems, as defined in 
     section 3552 of title 44, United States Code, or to 
     cybersecurity threat intelligence related to such systems, 
     without the consent of the relevant element of the 
     intelligence community, as defined in section 3 of the 
     National Security Act of 1947 (50 U.S.C. 3003).
       (f) Protection of Intelligence Sources and Methods.--The 
     Director of National Intelligence shall ensure that any 
     information sharing conducted under this section shall 
     protect intelligence sources and methods from unauthorized 
     disclosure in accordance with section 102A(i) of the National 
     Security Act (50 U.S.C. 3024(i)).
       (g) Duration.--The program under this section shall 
     terminate on the date that is 5 years after the date of 
     enactment of this Act.

            TITLE LIII--ENABLING THE NATIONAL CYBER DIRECTOR

     SEC. 5401. ESTABLISHMENT OF HIRING AUTHORITIES FOR THE OFFICE 
                   OF THE NATIONAL CYBER DIRECTOR.

       (a) Definitions.--In this section:
       (1) Director.--The term ``Director'' means the National 
     Cyber Director.
       (2) Excepted service.--The term ``excepted service'' has 
     the meaning given such term in section 2103 of title 5, 
     United States Code.
       (3) Office.--The term ``Office'' means the Office of the 
     National Cyber Director.
       (4) Qualified position.--The term ``qualified position'' 
     means a position identified by the Director under subsection 
     (b)(1)(A), in which the individual occupying such position 
     performs, manages, or supervises functions that execute the 
     responsibilities of the Office.
       (b) Hiring Plan.--The Director shall, for purposes of 
     carrying out the functions of the Office--
       (1) craft an implementation plan for positions in the 
     excepted service in the Office, which shall propose--
       (A) qualified positions in the Office, as the Director 
     determines necessary to carry out the responsibilities of the 
     Office; and
       (B) subject to the requirements of paragraph (2), rates of 
     compensation for an individual serving in a qualified 
     position;
       (2) propose rates of basic pay for qualified positions, 
     which shall--
       (A) be determined in relation to the rates of pay provided 
     for employees in comparable positions in the Office, in which 
     the employee occupying the comparable position performs, 
     manages, or supervises functions that execute the mission of 
     the Office; and
       (B) subject to the same limitations on maximum rates of pay 
     and consistent with section 5341 of title 5, United States 
     Code, adopt such provisions of that title to provide for 
     prevailing rate systems of basic pay and apply those 
     provisions to qualified positions for employees in or under 
     which the Office may employ individuals described by section 
     5342(a)(2)(A) of such title; and
       (3) craft proposals to provide--
       (A) employees in qualified positions compensation (in 
     addition to basic pay), including benefits, incentives, and 
     allowances, consistent with, and not in excess of the level 
     authorized for, comparable positions authorized by title 5, 
     United States Code; and
       (B) employees in a qualified position for which the 
     Director proposes a rate of basic pay under paragraph (2) an 
     allowance under section 5941 of title 5, United States Code, 
     on the same basis and to the same extent as if the employee 
     was an employee covered by such section, including 
     eligibility conditions, allowance rates, and all other terms 
     and conditions in law or regulation.
                                 ______