[Congressional Record Volume 168, Number 158 (Thursday, September 29, 2022)]
[Senate]
[Pages S5910-S5911]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 6388. Ms. HASSAN (for herself and Mr. Rounds) submitted an 
amendment intended to be proposed to amendment SA 5499 submitted by Mr. 
Reed (for himself and Mr. Inhofe) and intended to be proposed to the 
bill H.R. 7900, to authorize appropriations for fiscal year 2023 for 
military activities of the Department of Defense, for military 
construction, and for defense activities of the Department of Energy, 
to prescribe military personnel strengths for such fiscal year, and for 
other purposes; which was ordered to lie on the table; as follows:

        At the appropriate place, insert the following:

     SEC. __. NATIONAL RISK MANAGEMENT CYCLE.

       (a) In General.--Subtitle A of title XXII of the Homeland 
     Security Act of 2002 (6 U.S.C. 651 et seq.), is amended by 
     adding at the end the following:

     ``SEC. 2220E. NATIONAL RISK MANAGEMENT CYCLE.

       ``(a) National Critical Functions Defined.--In this 
     section, the term `national critical functions' means the 
     functions of government and the private sector so vital to 
     the United States that their disruption, corruption, or 
     dysfunction would have a debilitating effect on security, 
     national economic security, national public health or safety, 
     or any combination thereof.
       ``(b) National Risk Management Cycle.--
       ``(1) Risk identification and assessment.--
       ``(A) In general.--The Secretary, acting through the 
     Director, shall establish a recurring process by which to 
     identify, assess, and prioritize risks to critical 
     infrastructure, considering both cyber and physical threats, 
     the associated likelihoods, vulnerabilities, and 
     consequences, and the resources necessary to address them.
       ``(B) Consultation.--In establishing the process required 
     under subparagraph (A), the Secretary shall consult with, and 
     request and collect information to support analysis from, 
     Sector Risk Management Agencies, critical infrastructure 
     owners and operators, the Assistant to the President for 
     National Security Affairs, the Assistant to the President for 
     Homeland Security, and the National Cyber Director.
       ``(C) Publication.--Not later than 180 days after the date 
     of enactment of this section, the Secretary shall publish in 
     the Federal Register procedures for the process established 
     under subparagraph (A), subject to any redactions the 
     Secretary determines are necessary to protect classified or 
     other sensitive information.
       ``(D) Report.--The Secretary shall submit to the President, 
     the Committee on Homeland Security and Governmental Affairs 
     of the Senate, and the Committee on Homeland Security of the 
     House of Representatives a report on the risks identified by 
     the process established under subparagraph (A)--
       ``(i) not later than 1 year after the date of enactment of 
     this section; and

[[Page S5911]]

       ``(ii) not later than 1 year after the date on which the 
     Secretary submits a periodic evaluation described in section 
     9002(b)(2) of title XC of division H of the William M. (Mac) 
     Thornberry National Defense Authorization Act for Fiscal Year 
     2021 (Public Law 116-283).
       ``(2) National critical infrastructure resilience 
     strategy.--
       ``(A) In general.--Not later than 1 year after the date on 
     which the Secretary delivers each report required under 
     paragraph (1), the President shall deliver to majority and 
     minority leaders of the Senate, the Speaker and minority 
     leader of the House of Representatives, the Committee on 
     Homeland Security and Governmental Affairs of the Senate, and 
     the Committee on Homeland Security of the House of 
     Representatives a national critical infrastructure resilience 
     strategy designed to address the risks identified by the 
     Secretary.
       ``(B) Elements.--Each strategy delivered under subparagraph 
     (A) shall--
       ``(i) identify, assess, and prioritize areas of risk to 
     critical infrastructure that would compromise or disrupt 
     national critical functions impacting national security, 
     economic security, or public health and safety;
       ``(ii) assess the implementation of the previous national 
     critical infrastructure resilience strategy, as applicable;
       ``(iii) identify and outline current and proposed national-
     level actions, programs, and efforts to be taken to address 
     the risks identified;
       ``(iv) identify the Federal departments or agencies 
     responsible for leading each national-level action, program, 
     or effort and the relevant critical infrastructure sectors 
     for each; and
       ``(v) request any additional authorities necessary to 
     successfully execute the strategy.
       ``(C) Form.--Each strategy delivered under subparagraph (A) 
     shall be unclassified, but may contain a classified annex.
       ``(3) Congressional briefing.--Not later than 1 year after 
     the date on which the President delivers a strategy under 
     this section, and every year thereafter, the Secretary, in 
     coordination with Sector Risk Management Agencies, shall 
     brief the appropriate committees of Congress on--
       ``(A) the national risk management cycle activities 
     undertaken pursuant to the strategy; and
       ``(B) the amounts and timeline for funding that the 
     Secretary has determined would be necessary to address risks 
     and successfully execute the full range of activities 
     proposed by the strategy.''.
       (b) Technical and Conforming Amendment.--The table of 
     contents in section 1(b) of the Homeland Security Act of 2002 
     (Public Law 107-296; 116 Stat. 2135) is amended--
       (1) by moving the item relating to section 2220D to appear 
     after the item relating to section 2220C; and
       (2) by inserting after the item relating to section 2220D 
     the following:

``Sec. 2220E. National risk management cycle.''.
                                 ______