[Congressional Record Volume 168, Number 158 (Thursday, September 29, 2022)]
[Senate]
[Pages S5680-S5681]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 6136. Mr. PETERS (for himself and Mr. Cornyn) submitted an 
amendment intended to be proposed to amendment SA 5499 submitted by Mr. 
Reed (for himself and Mr. Inhofe) and intended to be proposed to the 
bill H.R. 7900, to authorize appropriations for fiscal year 2023 for 
military activities of the Department of Defense, for military 
construction, and for defense activities of the Department of Energy, 
to prescribe military personnel strengths for such fiscal year, and for 
other purposes; which was ordered to lie on the table; as follows:

       At the appropriate place, insert the following:

                  TITLE ____--SATELLITE CYBERSECURITY

     SEC. __01. SHORT TITLE.

       This title may be cited as the ``Satellite Cybersecurity 
     Act''.

     SEC. __02. DEFINITIONS.

       In this title:
       (1) Clearinghouse.--The term ``clearinghouse'' means the 
     commercial satellite system cybersecurity clearinghouse 
     required to be developed and maintained under section 
     __04(b)(1) of this title.
       (2) Commercial satellite system.--The term ``commercial 
     satellite system''--
       (A) means a system that--
       (i) is owned or operated by a non-Federal entity based in 
     the United States; and
       (ii) is composed of not less than 1 earth satellite; and
       (B) includes--
       (i) any ground support infrastructure for each satellite in 
     the system; and
       (ii) any transmission link among and between any satellite 
     in the system and any ground support infrastructure in the 
     system.
       (3) Critical infrastructure.--The term ``critical 
     infrastructure'' has the meaning given the term in subsection 
     (e) of the Critical Infrastructure Protection Act of 2001 (42 
     U.S.C. 5195c(e)).
       (4) Cybersecurity risk.--The term ``cybersecurity risk'' 
     has the meaning given the term in section 2209 of the 
     Homeland Security Act of 2002 (6 U.S.C. 659).
       (5) Cybersecurity threat.--The term ``cybersecurity 
     threat'' has the meaning given the term in section 102 of the 
     Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 
     1501).

     SEC. __03. REPORT ON COMMERCIAL SATELLITE CYBERSECURITY.

       (a) Study.--The Comptroller General of the United States 
     shall conduct a study on the actions the Federal Government 
     has taken to support the cybersecurity of commercial 
     satellite systems, including as part of any action to address 
     the cybersecurity of critical infrastructure sectors.
       (b) Report.--Not later than 2 years after the date of 
     enactment of this Act, the Comptroller General of the United 
     States shall report to the Committee on Homeland Security and 
     Governmental Affairs and the Committee on Commerce, Science, 
     and Transportation of the Senate and the Committee on 
     Homeland Security and the Committee on Space, Science, and 
     Technology of the House of Representatives on the study 
     conducted under subsection (a), which shall include 
     information on--
       (1) efforts of the Federal Government to--
       (A) address or improve the cybersecurity of commercial 
     satellite systems; and
       (B) support related efforts with international entities or 
     the private sector;
       (2) the resources made available to the public by Federal 
     agencies to address cybersecurity risks and threats to 
     commercial satellite systems, including resources made 
     available through the clearinghouse;
       (3) the extent to which commercial satellite systems and 
     the cybersecurity threats to such systems are addressed in 
     Federal and non-Federal critical infrastructure risk analyses 
     and protection plans;
       (4) the extent to which Federal agencies are reliant on 
     satellite systems owned wholly or in part or controlled by 
     foreign entities, and how Federal agencies mitigate 
     associated cybersecurity risks;
       (5) the extent to which Federal agencies coordinate or 
     duplicate authorities and take other actions focused on the 
     cybersecurity of commercial satellite systems; and
       (6) as determined appropriate by the Comptroller General of 
     the United States, recommendations for further Federal action 
     to support the cybersecurity of commercial satellite systems, 
     including recommendations on information that should be 
     shared through the clearinghouse.
       (c) Consultation.--In carrying out subsections (a) and (b), 
     the Comptroller General of the United States shall coordinate 
     with appropriate Federal agencies and organizations, 
     including--
       (1) the Department of Homeland Security;
       (2) the Department of Commerce;
       (3) the Department of Defense;
       (4) the Department of Transportation;
       (5) the Federal Communications Commission;
       (6) the National Aeronautics and Space Administration;
       (7) the National Executive Committee for Space-Based 
     Positioning, Navigation, and Timing; and
       (8) the National Space Council.
       (d) Briefing.--Not later than 2 years after the date of 
     enactment of this Act, the Comptroller General of the United 
     States shall provide a briefing to the appropriate 
     congressional committees on the study conducted under 
     subsection (a).
       (e) Classification.--The report made under subsection (b) 
     shall be unclassified but may include a classified annex.

     SEC. __04. RESPONSIBILITIES OF THE CYBERSECURITY AND 
                   INFRASTRUCTURE SECURITY AGENCY.

       (a) Definitions.--In this section:
       (1) Director.--The term ``Director'' means the Director of 
     the Cybersecurity and Infrastructure Security Agency.
       (2) Small business concern.--The term ``small business 
     concern'' has the meaning given the term in section 3 of the 
     Small Business Act (15 U.S.C. 632).
       (b) Establishment of Commercial Satellite System 
     Cybersecurity Clearinghouse.--
       (1) In general.--Subject to the availability of 
     appropriations, not later than 180 days after the date of 
     enactment of this Act, the Director shall develop and 
     maintain a commercial satellite system cybersecurity 
     clearinghouse.
       (2) Requirements.--The clearinghouse--
       (A) shall be publicly available online;
       (B) shall contain publicly available commercial satellite 
     system cybersecurity resources, including the voluntary 
     recommendations consolidated under subsection (c)(1);
       (C) shall contain appropriate materials for reference by 
     entities that develop, operate, or maintain commercial 
     satellite systems;
       (D) shall contain materials specifically aimed at assisting 
     small business concerns with the secure development, 
     operation, and maintenance of commercial satellite systems; 
     and
       (E) may contain controlled unclassified information 
     distributed to commercial entities through a process 
     determined appropriate by the Director.
       (3) Content maintenance.--The Director shall maintain 
     current and relevant cybersecurity information on the 
     clearinghouse.
       (4) Existing platform or website.--To the extent 
     practicable, the Director shall establish and maintain the 
     clearinghouse using an online platform, a website, or a 
     capability in existence as of the date of enactment of this 
     Act.
       (c) Consolidation of Commercial Satellite System 
     Cybersecurity Recommendations.--
       (1) In general.--The Director shall consolidate voluntary 
     cybersecurity recommendations designed to assist in the 
     development, maintenance, and operation of commercial 
     satellite systems.
       (2) Requirements.--The recommendations consolidated under 
     paragraph (1) shall include materials appropriate for a 
     public resource addressing the following:
       (A) Risk-based, cybersecurity-informed engineering, 
     including continuous monitoring and resiliency.
       (B) Planning for retention or recovery of positive control 
     of commercial satellite systems in the event of a 
     cybersecurity incident.
       (C) Protection against unauthorized access to vital 
     commercial satellite system functions.
       (D) Physical protection measures designed to reduce the 
     vulnerabilities of a commercial satellite system's command, 
     control, and telemetry receiver systems.
       (E) Protection against jamming, eavesdropping, hijacking, 
     computer network exploitation, spoofing, threats to optical 
     satellite communications, and electromagnetic pulse.
       (F) Security against threats throughout a commercial 
     satellite system's mission lifetime.
       (G) Management of supply chain risks that affect the 
     cybersecurity of commercial satellite systems.
       (H) Protection against vulnerabilities posed by ownership 
     of commercial satellite systems or commercial satellite 
     system companies by foreign entities.
       (I) Protection against vulnerabilities posed by locating 
     physical infrastructure, such as satellite ground control 
     systems, in foreign countries.
       (J) As appropriate, and as applicable pursuant to the 
     maintenance requirement under subsection (b)(3), relevant 
     findings and recommendations from the study conducted by the 
     Comptroller General of the United States under section 
     __03(a).
       (K) Any other recommendations to ensure the 
     confidentiality, availability, and integrity of data residing 
     on or in transit through commercial satellite systems.
       (d) Implementation.--In implementing this section, the 
     Director shall--
       (1) to the extent practicable, carry out the implementation 
     in partnership with the private sector;
       (2) coordinate with--
       (A) the National Space Council and the head of any other 
     agency determined appropriate by the National Space Council; 
     and

[[Page S5681]]

       (B) the heads of appropriate Federal agencies with 
     expertise and experience in satellite operations, including 
     the entities described in section __03(c) to enable the 
     alignment of Federal efforts on commercial satellite system 
     cybersecurity and, to the extent practicable, consistency in 
     Federal recommendations relating to commercial satellite 
     system cybersecurity; and
       (3) consult with non-Federal entities developing commercial 
     satellite systems or otherwise supporting the cybersecurity 
     of commercial satellite systems, including private, consensus 
     organizations that develop relevant standards.
       (e) Sunset and Report.--
       (1) In general.--This section shall cease to have force or 
     effect on the date that is 7 years after the date of the 
     enactment of this Act.
       (2) Report.--Not later than 6 years after the date of 
     enactment of this Act, the Director shall submit to the 
     Committee on Homeland Security and Governmental Affairs and 
     the Committee on Commerce, Science, and Transportation of the 
     Senate and the Committee on Homeland Security and the 
     Committee on Space, Science, and Technology of the House of 
     Representatives a report summarizing--
       (A) any partnership with the private sector described in 
     subsection (d)(1);
       (B) any consultation with a non-Federal entity described in 
     subsection (d)(3);
       (C) the coordination carried out pursuant to subsection 
     (d)(2);
       (D) the establishment and maintenance of the clearinghouse 
     pursuant to subsection (b);
       (E) the recommendations consolidated pursuant to subsection 
     (c)(1); and
       (F) any feedback received by the Director on the 
     clearinghouse from non-Federal entities.

     SEC. __05. STRATEGY.

       Not later than 120 days after the date of the enactment of 
     this Act, the National Space Council, in coordination with 
     the Director of the Office of Space Commerce and the heads of 
     other relevant agencies, shall submit to the Committee on 
     Commerce, Science, and Transportation and the Committee on 
     Homeland Security and Governmental Affairs of the Senate and 
     the Committee on Space, Science, and Technology and the 
     Committee on Homeland Security of the House of 
     Representatives a strategy for the activities of Federal 
     agencies to address and improve the cybersecurity of 
     commercial satellite systems, which shall include an 
     identification of--
       (1) proposed roles and responsibilities for relevant 
     agencies; and
       (2) as applicable, the extent to which cybersecurity 
     threats to such systems are addressed in Federal and non-
     Federal critical infrastructure risk analyses and protection 
     plans.

     SEC. __06. RULES OF CONSTRUCTION.

       Nothing in this title shall be construed to--
       (1) designate commercial satellite systems or other space 
     assets as a critical infrastructure sector; or
       (2) infringe upon or alter the authorities of the agencies 
     described in section __03(c) .
                                 ______