[Congressional Record Volume 168, Number 198 (Tuesday, December 20, 2022)]
[Senate]
[Pages S9611-S9612]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
CIVILIAN CYBER SECURITY RESERVE ACT
Mr. HEINRICH. Mr. President, I ask unanimous consent that the Senate
proceed to the immediate consideration of Calendar No. 348, S. 1324.
The PRESIDING OFFICER. The clerk will report the bill by title.
The senior assistant legislative clerk read as follows:
A bill (S. 1324) to establish a Civilian Cyber Security
Reserve as a pilot project to address the cyber security
needs of the United States with respect to national security,
and for other purposes.
There being no objection, the Senate proceeded to consider the bill,
which had been reported from the Committee on Homeland Security and
Governmental Affairs, with an amendment to strike all after the
enacting clause and insert in lieu thereof the following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Civilian Cybersecurity
Reserve Act''.
SEC. 2. CIVILIAN CYBERSECURITY RESERVE PILOT PROJECT.
(a) Definitions.--In this section:
(1) Agency.--The term ``Agency'' means the Cybersecurity
and Infrastructure Security Agency.
(2) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Homeland Security and Governmental
Affairs of the Senate;
(B) the Committee on Appropriations of the Senate;
(C) the Committee on Homeland Security of the House of
Representatives;
(D) the Committee on Oversight and Reform of the House of
Representatives; and
(E) the Committee on Appropriations of the House of
Representatives.
(3) Competitive service.--The term ``competitive service''
has the meaning given the term in section 2102 of title 5,
United States Code.
(4) Director.--The term ``Director'' means the Director of
the Agency.
(5) Excepted service.--The term ``excepted service'' has
the meaning given the term in section 2103 of title 5, United
States Code.
(6) Significant incident.--The term ``significant
incident''--
(A) means an incident or a group of related incidents that
results, or is likely to result, in demonstrable harm to--
(i) the national security interests, foreign relations, or
economy of the United States; or
(ii) the public confidence, civil liberties, or public
health and safety of the people of the United States; and
(B) does not include an incident or a portion of a group of
related incidents that occurs on--
(i) a national security system, as defined in section 3552
of title 44, United States Code; or
(ii) an information system described in paragraph (2) or
(3) of section 3553(e) of title 44, United States Code.
(7) Temporary position.--The term ``temporary position''
means a position in the competitive or excepted service for a
period of 6 months or less.
(8) Uniformed services.--The term ``uniformed services''
has the meaning given the term in section 2101 of title 5,
United States Code.
(b) Pilot Project.--
(1) In general.--The Director may carry out a pilot project
to establish a Civilian Cybersecurity Reserve at the Agency.
(2) Purpose.--The purpose of a Civilian Cybersecurity
Reserve is to enable the Agency to effectively respond to
significant incidents.
(3) Alternative methods.--Consistent with section 4703 of
title 5, United States Code, in carrying out a pilot project
authorized under paragraph (1), the Director may, without
further authorization from the Office of Personnel
Management, provide for alternative methods of--
(A) establishing qualifications requirements for,
recruitment of, and appointment to positions; and
(B) classifying positions.
(4) Appointments.--Under the pilot project authorized under
paragraph (1), upon occurrence of a significant incident, the
Director--
(A) may activate members of the Civilian Cybersecurity
Reserve by--
(i) noncompetitively appointing members of the Civilian
Cybersecurity Reserve to temporary positions in the
competitive service; or
(ii) appointing members of the Civilian Cybersecurity
Reserve to temporary positions in the excepted service;
(B) shall notify Congress whenever a member is activated
under subparagraph (A); and
(C) may appoint not more than 30 members to the Civilian
Cybersecurity Reserve under subparagraph (A) at any time.
(5) Status as employees.--An individual appointed under
subsection (b)(4) shall be considered a Federal civil service
employee under section 2105 of title 5, United States Code.
(6) Additional employees.--Individuals appointed under
subsection (b)(4) shall be in addition to any employees of
the Agency who provide cybersecurity services.
(7) Employment protections.--The Secretary of Labor shall
prescribe such regulations as necessary to ensure the
reemployment, continuation of benefits, and non-
discrimination in reemployment of individuals appointed under
subsection (b)(4), provided that such regulations shall
include, at a minimum, those rights and obligations set forth
under chapter 43 of title 38, United States Code.
(8) Status in reserve.--During the period beginning on the
date on which an individual is recruited by the Agency to
serve in the Civilian Cybersecurity Reserve and ending on the
date on which the individual is appointed under subsection
(b)(4), and during any period in between any such
appointments, the individual shall not be considered a
Federal employee.
(c) Eligibility; Application and Selection.--
(1) In general.--Under the pilot project authorized under
subsection (b), the Director shall establish criteria for--
(A) individuals to be eligible for the Civilian
Cybersecurity Reserve; and
(B) the application and selection processes for the
Civilian Cybersecurity Reserve.
(2) Requirements for individuals.--The criteria established
under paragraph (1)(A) with respect to an individual shall
include--
(A) previous employment--
(i) by the executive branch;
(ii) within the uniformed services;
(iii) as a Federal contractor within the executive branch;
or
(iv) by a State, local, Tribal, or territorial government;
(B) if the individual has previously served as a member of
the Civilian Cybersecurity Reserve of the Agency, that the
previous appointment ended not less than 60 days before the
individual may be appointed for a subsequent temporary
position in the Civilian Cybersecurity Reserve of the Agency;
and
(C) cybersecurity expertise.
(3) Prescreening.--The Agency shall--
(A) conduct a prescreening of each individual prior to
appointment under subsection (b)(4) for any topic or product
that would create a conflict of interest; and
(B) require each individual appointed under subsection
(b)(4) to notify the Agency if a potential conflict of
interest arises during the appointment.
(4) Agreement required.--An individual may become a member
of the Civilian Cybersecurity Reserve only if the individual
enters into an agreement with the Director to become such a
member, which shall set forth the rights and obligations of
the individual and the Agency.
(5) Exception for continuing military service
commitments.--A member of the Selected Reserve under section
10143 of title 10, United States Code, may not be a member of
the Civilian Cybersecurity Reserve.
(6) Priority.--In appointing individuals to the Civilian
Cybersecurity Reserve, the Agency shall prioritize the
appointment of individuals described in clause (i) or (ii) of
paragraph (2)(A) before considering individuals described in
clause (iii) or (iv) of paragraph (2)(A).
(7) Prohibition.--Any individual who is an employee of the
executive branch may not be recruited or appointed to serve
in the Civilian Cybersecurity Reserve.
(d) Security Clearances.--
(1) In general.--The Director shall ensure that all members
of the Civilian Cybersecurity Reserve undergo the appropriate
personnel vetting and adjudication commensurate with the
duties of the position, including a determination of
eligibility for access to classified information where a
security clearance is necessary, according to applicable
policy and authorities.
(2) Cost of sponsoring clearances.--If a member of the
Civilian Cybersecurity Reserve requires a security clearance
in order to carry out their duties, the Agency shall be
responsible for the cost of sponsoring the security clearance
of a member of the Civilian Cybersecurity Reserve.
(e) Study and Implementation Plan.--
(1) Study.--Not later than 60 days after the date of
enactment of this Act, the Agency shall
begin a study on the design and implementation of the pilot
project authorized under subsection (b)(1) at the Agency,
including--
(A) compensation and benefits for members of the Civilian
Cybersecurity Reserve;
(B) activities that members may undertake as part of their
duties;
(C) methods for identifying and recruiting members,
including alternatives to traditional qualifications
requirements;
(D) methods for preventing conflicts of interest or other
ethical concerns as a result of participation in the pilot
project and details of mitigation efforts to address any
conflict of interest concerns;
(E) resources, including additional funding, needed to
carry out the pilot project;
(F) possible penalties for individuals who do not respond
to activation when called, in accordance with the rights and
procedures set forth under title 5, Code of Federal
Regulations; and
(G) processes and requirements for training and onboarding
members.
(2) Implementation plan.--Not later than 1 year after
beginning the study required under paragraph (1), the Agency
shall--
(A) submit to the appropriate congressional committees an
implementation plan for the pilot project authorized under
subsection (b)(1); and
(B) provide to the appropriate congressional committees a
briefing on the implementation plan.
(3) Prohibition.--The Agency may not take any action to
begin implementation of the pilot project authorized under
subsection (b)(1) until the Agency fulfills the requirements
under paragraph (2).
(f) Project Guidance.--Not later than 2 years after the
date of enactment of this Act, the Director shall, in
consultation with the Office of Personnel Management and the
Office of Government Ethics, issue guidance establishing and
implementing the pilot project authorized under subsection
(b)(1) at the Agency.
(g) Briefings and Report.--
(1) Briefings.--Not later than 1 year after the date of
enactment of this Act, and every year thereafter, the Agency
shall provide to the appropriate congressional committees a
briefing on activities carried out under the pilot project of
the Agency, including--
(A) participation in the Civilian Cybersecurity Reserve,
including the number of participants, the diversity of
participants, and any barriers to recruitment or retention of
members;
(B) an evaluation of the ethical requirements of the pilot
project;
(C) whether the Civilian Cybersecurity Reserve has been
effective in providing additional capacity to the Agency
during significant incidents; and
(D) an evaluation of the eligibility requirements for the
pilot project.
(2) Report.--Not earlier than 6 months and not later than 3
months before the date on which the pilot project of the
Agency terminates under subsection (i), the Agency shall
submit to the appropriate congressional committees a report
and provide a briefing on recommendations relating to the
pilot project, including recommendations for--
(A) whether the pilot project should be modified, extended
in duration, or established as a permanent program, and if
so, an appropriate scope for the program;
(B) how to attract participants, ensure a diversity of
participants, and address any barriers to recruitment or
retention of members of the Civilian Cybersecurity Reserve;
(C) the ethical requirements of the pilot project and the
effectiveness of mitigation efforts to address any conflict
of interest concerns; and
(D) an evaluation of the eligibility requirements for the
pilot project.
(h) Evaluation.--Not later than 3 years after the pilot
project authorized under subsection (b) is established in the
Agency, the Comptroller General of the United States shall--
(1) conduct a study evaluating the pilot project at the
Agency; and
(2) submit to Congress--
(A) a report on the results of the study; and
(B) a recommendation with respect to whether the pilot
project should be modified, extended in duration, or
established as a permanent program.
(i) Sunset.--The pilot project authorized under this
section shall terminate on the date that is 4 years after the
date on which the pilot project is established.
(j) No Additional Funds.--
(1) In general.--No additional funds are authorized to be
appropriated for the purpose of carrying out this Act.
(2) Existing authorized amounts.--Funds to carry out this
Act may, as provided in advance in appropriations Acts, only
come from amounts authorized to be appropriated to the
Agency.
Mr. HEINRICH. I ask unanimous consent that the committee-reported
substitute amendment be agreed to; that the bill, as amended, be
considered read a third time and passed; and that the motion to
reconsider be considered made and laid upon the table.
The PRESIDING OFFICER. Without objection, it is so ordered.
The committee-reported amendment in the nature of a substitute was
agreed to.
The bill (S. 1324), as amended, was ordered to be engrossed for a
third reading, was read the third time, and passed.