[Congressional Record Volume 169, Number 120 (Thursday, July 13, 2023)]
[Senate]
[Pages S2805-S2844]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 706. Mr. PETERS (for himself and Mr. Lankford) submitted an 
amendment intended to be proposed by him to the bill S. 2226, to 
authorize appropriations for fiscal year 2024 for military activities 
of the Department of Defense, for military construction, and for 
defense activities of the Department of Energy, to prescribe military 
personnel strengths for such fiscal year, and for other purposes; which 
was ordered to lie on the table; as follows:

       At the end, the following:

  DIVISION F--COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

            TITLE LX--FEDERAL DATA AND INFORMATION SECURITY

   Subtitle A--Federal Information Security Modernization Act of 2023

     SECTION 6001. SHORT TITLE.

       (a) Short Title.--This subtitle may be cited as the 
     ``Federal Information Security Modernization Act of 2023''.

     SEC. 6002. DEFINITIONS.

       In this subtitle, unless otherwise specified:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 3502 of title 44, United States Code.
       (2) Appropriate congressional committees.--The term 
     ``appropriate congressional committees'' means--
       (A) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       (B) the Committee on Oversight and Accountability of the 
     House of Representatives; and
       (C) the Committee on Homeland Security of the House of 
     Representatives.
       (3) Awardee.--The term ``awardee'' has the meaning given 
     the term in section 3591 of title 44, United States Code, as 
     added by this subtitle.
       (4) Contractor.--The term ``contractor'' has the meaning 
     given the term in section 3591 of title 44, United States 
     Code, as added by this subtitle.
       (5) Director.--The term ``Director'' means the Director of 
     the Office of Management and Budget.
       (6) Federal information system.--The term ``Federal 
     information system'' has the meaning given the term in section 
     3591 of title 44, United States Code, as added by this 
     subtitle.
       (7) Incident.--The term ``incident'' has the meaning given 
     the term in section 3552(b) of title 44, United States Code.
       (8) National security system.--The term ``national security 
     system'' has the meaning given the term in section 3552(b) of 
     title 44, United States Code.
       (9) Penetration test.--The term ``penetration test'' has 
     the meaning given the term in section 3552(b) of title 44, 
     United States Code, as amended by this subtitle.
       (10) Threat hunting.--The term ``threat hunting'' means 
     proactively and iteratively searching systems for threats and 
     vulnerabilities, including threats or vulnerabilities that 
     may evade detection by automated threat detection systems.
       (11) Zero trust architecture.--The term ``zero trust 
     architecture'' has the meaning given the term in Special 
     Publication 800-207 of the National Institute of Standards 
     and Technology, or any successor document.

     SEC. 6003. AMENDMENTS TO TITLE 44.

       (a) Subchapter I Amendments.--Subchapter I of chapter 35 of 
     title 44, United States Code, is amended--
       (1) in section 3504--
       (A) in subsection (a)(1)(B)--
       (i) by striking clause (v) and inserting the following:
       ``(v) privacy, confidentiality, disclosure, and sharing of 
     information;'';
       (ii) by redesignating clause (vi) as clause (vii); and

       (iii) by inserting after clause (v) the following:
       ``(vi) in consultation with the National Cyber Director, 
     security of information; and''; and
       (B) in subsection (g)--
       (i) by redesignating paragraph (2) as paragraph (3); and
       (ii) by striking paragraph (1) and inserting the following:
       ``(1) develop and oversee the implementation of policies, 
     principles, standards, and guidelines on privacy, 
     confidentiality, disclosure, and sharing of information 
     collected or maintained by or for agencies;
       ``(2) in consultation with the National Cyber Director, 
     oversee the implementation of policies, principles, 
     standards, and guidelines on security, of information 
     collected or maintained by or for agencies; and'';
       (2) in section 3505--
       (A) by striking the first subsection designated as 
     subsection (c);
       (B) in paragraph (2) of the second subsection designated as 
     subsection (c), by inserting ``an identification of internet 
     accessible information systems and'' after ``an inventory 
     under this subsection shall include'';
       (C) in paragraph (3) of the second subsection designated as 
     subsection (c)--
       (i) in subparagraph (B)--

       (I) by inserting ``the Director of the Cybersecurity and 
     Infrastructure Security Agency, the National Cyber Director, 
     and'' before ``the Comptroller General''; and
       (II) by striking ``and'' at the end;

       (ii) in subparagraph (C)(v), by striking the period at the 
     end and inserting ``; and''; and
       (iii) by adding at the end the following:
       ``(D) maintained on a continual basis through the use of 
     automation, machine-readable data, and scanning, wherever 
     practicable.'';
       (3) in section 3506--
       (A) in subsection (a)(3), by inserting ``In carrying out 
     these duties, the Chief Information Officer shall consult, as 
     appropriate, with the Chief Data Officer in accordance with 
     the designated functions under section 3520(c).'' after 
     ``reduction of information collection burdens on the 
     public.'';
       (B) in subsection (b)(1)(C), by inserting ``availability,'' 
     after ``integrity,'';
       (C) in subsection (h)(3), by inserting ``security,'' after 
     ``efficiency,''; and
       (D) by adding at the end the following:
       ``(j)(1) Notwithstanding paragraphs (2) and (3) of 
     subsection (a), the head of each agency shall designate a 
     Chief Privacy Officer with the necessary skills, knowledge, 
     and expertise, who shall have the authority and 
     responsibility to--
       ``(A) lead the privacy program of the agency; and
       ``(B) carry out the privacy responsibilities of the agency 
     under this chapter, section 552a of title 5, and guidance 
     issued by the Director.
       ``(2) The Chief Privacy Officer of each agency shall--
       ``(A) serve in a central leadership position within the 
     agency;
       ``(B) have visibility into relevant agency operations; and
       ``(C) be positioned highly enough within the agency to 
     regularly engage with other agency leaders and officials, 
     including the head of the agency.
       ``(3) A privacy officer of an agency established under a 
     statute enacted before the date of enactment of the Federal 
     Information Security Modernization Act of 2023 may carry out 
     the responsibilities under this subsection for the agency.''; 
     and
       (4) in section 3513--
       (A) by redesignating subsection (c) as subsection (d); and
       (B) by inserting after subsection (b) the following:
       ``(c) Each agency providing a written plan under subsection 
     (b) shall provide any portion of the written plan addressing 
     information security to the Secretary of Homeland Security 
     and the National Cyber Director.''.
       (b) Subchapter II Definitions.--
       (1) In general.--Section 3552(b) of title 44, United States 
     Code, is amended--
       (A) by redesignating paragraphs (2), (3), (4), (5), (6), 
     and (7) as paragraphs (3), (4), (5), (6), (8), and (10), 
     respectively;
       (B) by inserting after paragraph (1) the following:
       ``(2) The term `high value asset' means information or an 
     information system that the head of an agency, using 
     policies, principles, standards, or guidelines issued by the 
     Director under section 3553(a), determines to be so critical 
     to the agency that the loss or degradation of the 
     confidentiality, integrity, or availability of such 
     information or information system would have a serious impact 
     on the ability of the agency to perform the mission of the 
     agency or conduct business.'';
       (C) by inserting after paragraph (6), as so redesignated, 
     the following:
       ``(7) The term `major incident' has the meaning given the 
     term in guidance issued by the Director under section 
     3598(a).'';
       (D) in paragraph (8)(A), as so redesignated, by striking 
     ``used'' and inserting ``owned, managed,'';
       (E) by inserting after paragraph (8), as so redesignated, 
     the following:
       ``(9) The term `penetration test'--
       ``(A) means an authorized assessment that emulates attempts 
     to gain unauthorized access to, or disrupt the operations of, 
     an information system or component of an information system; 
     and
       ``(B) includes any additional meaning given the term in 
     policies, principles, standards, or guidelines issued by the 
     Director under section 3553(a).''; and
       (F) by inserting after paragraph (10), as so redesignated, 
     the following:
       ``(11) The term `shared service' means a centralized 
     mission capability or consolidated business function that is 
     provided to multiple organizations within an agency or to 
     multiple agencies.
       ``(12) The term `zero trust architecture' has the meaning 
     given the term in Special Publication 800-207 of the National 
     Institute of Standards and Technology, or any successor 
     document.''.
       (2) Conforming amendments.--
       (A) Homeland security act of 2002.--Section 1001(c)(1)(A) 
     of the Homeland Security Act of 2002 (6 U.S.C. 511(c)(1)(A)) 
     is amended by striking ``section 3552(b)(5)'' and inserting 
     ``section 3552(b)''.
       (B) Title 10.--
       (i) Section 2222.--Section 2222(i)(8) of title 10, United 
     States Code, is amended by striking ``section 3552(b)(6)(A)'' 
     and inserting ``section 3552(b)(8)(A)''.
       (ii) Section 2223.--Section 2223(c)(3) of title 10, United 
     States Code, is amended by striking ``section 3552(b)(6)'' 
     and inserting ``section 3552(b)''.
       (iii) Section 2315.--Section 2315 of title 10, United 
     States Code, is amended by striking ``section 3552(b)(6)'' 
     and inserting ``section 3552(b)''.
       (iv) Section 2339a.--Section 2339a(e)(5) of title 10, 
     United States Code, is amended by striking ``section 
     3552(b)(6)'' and inserting ``section 3552(b)''.
       (C) High-performance computing act of 1991.--Section 207(a) 
     of the High-Performance Computing Act of 1991 (15 U.S.C. 
     5527(a)) is amended by striking ``section 3552(b)(6)(A)(i)'' 
     and inserting ``section 3552(b)(8)(A)(i)''.
       (D) Internet of things cybersecurity improvement act of 
     2020.--Section 3(5) of the Internet of Things Cybersecurity 
     Improvement Act of 2020 (15 U.S.C. 278g-3a(5)) is amended by 
     striking ``section 3552(b)(6)'' and inserting ``section 
     3552(b)''.
       (E) National defense authorization act for fiscal year 
     2013.--Section 933(e)(1)(B) of the National Defense 
     Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note) 
     is amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552(b)''.
       (F) Ike skelton national defense authorization act for 
     fiscal year 2011.--The Ike Skelton National Defense 
     Authorization Act for Fiscal Year 2011 (Public Law 111-383) 
     is amended--
       (i) in section 806(e)(5) (10 U.S.C. 2304 note), by striking 
     ``section 3542(b)'' and inserting ``section 3552(b)'';
       (ii) in section 931(b)(3) (10 U.S.C. 2223 note), by 
     striking ``section 3542(b)(2)'' and inserting ``section 
     3552(b)''; and
       (iii) in section 932(b)(2) (10 U.S.C. 2224 note), by 
     striking ``section 3542(b)(2)'' and inserting ``section 
     3552(b)''.
       (G) E-government act of 2002.--Section 301(c)(1)(A) of the 
     E-Government Act of 2002 (44 U.S.C. 3501 note) is amended by 
     striking ``section 3542(b)(2)'' and inserting ``section 
     3552(b)''.
       (H) National institute of standards and technology act.--
     Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--
       (i) in subsection (a)(2), by striking ``section 
     3552(b)(5)'' and inserting ``section 3552(b)''; and
       (ii) in subsection (f)--

       (I) in paragraph (3), by striking ``section 3532(1)'' and 
     inserting ``section 3552(b)''; and
       (II) in paragraph (5), by striking ``section 3532(b)(2)'' 
     and inserting ``section 3552(b)''.

       (c) Subchapter II Amendments.--Subchapter II of chapter 35 
     of title 44, United States Code, is amended--
       (1) in section 3551--
       (A) in paragraph (4), by striking ``diagnose and improve'' 
     and inserting ``integrate, deliver, diagnose, and improve'';
       (B) in paragraph (5), by striking ``and'' at the end;
       (C) in paragraph (6), by striking the period at the end and 
     inserting a semicolon; and
       (D) by adding at the end the following:
       ``(7) recognize that each agency has specific mission 
     requirements and, at times, unique cybersecurity requirements 
     to meet the mission of the agency;
       ``(8) recognize that each agency does not have the same 
     resources to secure agency systems, and an agency should not 
     be expected to have the capability to secure the systems of 
     the agency from advanced adversaries alone; and
       ``(9) recognize that a holistic Federal cybersecurity model 
     is necessary to account for differences between the missions 
     and capabilities of agencies.'';
       (2) in section 3553--
       (A) in subsection (a)--
       (i) in paragraph (5), by striking ``and'' at the end;
       (ii) in paragraph (6), by striking the period at the end 
     and inserting ``; and''; and
       (iii) by adding at the end the following:
       ``(7) promoting, in consultation with the Director of the 
     Cybersecurity and Infrastructure Security Agency, the 
     National Cyber Director, and the Director of the National 
     Institute of Standards and Technology--
       ``(A) the use of automation to improve Federal 
     cybersecurity and visibility with respect to the 
     implementation of Federal cybersecurity; and
       ``(B) the use of presumption of compromise and least 
     privilege principles, such as zero trust architecture, to 
     improve resiliency and
     timely response actions to incidents on Federal systems.'';
       (B) in subsection (b)--
       (i) in the matter preceding paragraph (1), by inserting 
     ``and the National Cyber Director'' after ``Director'';
       (ii) in paragraph (2)(A), by inserting ``and reporting 
     requirements under subchapter IV of this chapter'' after 
     ``section 3556'';
       (iii) by redesignating paragraphs (8) and (9) as paragraphs 
     (10) and (11), respectively; and
       (iv) by inserting after paragraph (7) the following:
       ``(8) expeditiously seeking opportunities to reduce costs, 
     administrative burdens, and other barriers to information 
     technology security and modernization for agencies, including 
     through shared services for cybersecurity capabilities 
     identified as appropriate by the Director, in coordination 
     with the Director of the Cybersecurity and Infrastructure 
     Security Agency and other agencies as appropriate;'';
       (C) in subsection (c)--
       (i) in the matter preceding paragraph (1)--

       (I) by striking ``each year'' and inserting ``each year 
     during which agencies are required to submit reports under 
     section 3554(c)'';
       (II) by inserting ``, which shall be unclassified but may 
     include 1 or more annexes that contain classified or other 
     sensitive information, as appropriate'' after ``a report''; 
     and
       (III) by striking ``preceding year'' and inserting 
     ``preceding 2 years'';

       (ii) by striking paragraph (1);
       (iii) by redesignating paragraphs (2), (3), and (4) as 
     paragraphs (1), (2), and (3), respectively;
       (iv) in paragraph (3), as so redesignated, by striking 
     ``and'' at the end; and
       (v) by inserting after paragraph (3), as so redesignated, 
     the following:
       ``(4) a summary of the risks and trends identified in the 
     Federal risk assessment required under subsection (i); and'';
       (D) in subsection (h)--
       (i) in paragraph (2)--

       (I) in subparagraph (A), by inserting ``and the National 
     Cyber Director'' after ``in coordination with the Director''; 
     and
       (II) in subparagraph (D), by inserting ``, the National 
     Cyber Director,'' after ``notify the Director''; and

       (ii) in paragraph (3)(A)(iv), by inserting ``, the National 
     Cyber Director,'' after ``the Secretary provides prior notice 
     to the Director'';
       (E) by amending subsection (i) to read as follows:
       ``(i) Federal Risk Assessment.--On an ongoing and 
     continuous basis, the Director of the Cybersecurity and 
     Infrastructure Security Agency shall assess the Federal risk 
     posture using any available information on the cybersecurity 
     posture of agencies, and brief the Director and National 
     Cyber Director on the findings of such assessment, 
     including--
       ``(1) the status of agency cybersecurity remedial actions 
     for high value assets described in section 3554(b)(7);
       ``(2) any vulnerability information relating to the systems 
     of an agency that is known by the agency;
       ``(3) analysis of incident information under section 3597;
       ``(4) evaluation of penetration testing performed under 
     section 3559A;
       ``(5) evaluation of vulnerability disclosure program 
     information under section 3559B;
       ``(6) evaluation of agency threat hunting results;
       ``(7) evaluation of Federal and non-Federal cyber threat 
     intelligence;
       ``(8) data on agency compliance with standards issued under 
     section 11331 of title 40;
       ``(9) agency system risk assessments required under section 
     3554(a)(1)(A);
       ``(10) relevant reports from inspectors general of agencies 
     and the Government Accountability Office; and
       ``(11) any other information the Director of the 
     Cybersecurity and Infrastructure Security Agency determines 
     relevant.''; and
       (F) by adding at the end the following:
       ``(m) Directives.--
       ``(1) Emergency directive updates.--If the Secretary issues 
     an emergency directive under this section, the Director of 
     the Cybersecurity and Infrastructure Security Agency shall 
     submit to the Director, the National Cyber Director, the 
     Committee on Homeland Security and Governmental Affairs of 
     the Senate, and the Committees on Oversight and 
     Accountability and Homeland Security of the House of 
     Representatives an update on the status of the implementation 
     of the emergency directive at agencies not later than 7 days 
     after the date on which the emergency directive requires an 
     agency to complete a requirement specified by the emergency 
     directive, and every 30 days thereafter until--
       ``(A) the date on which every agency has fully implemented 
     the emergency directive;
       ``(B) the Secretary determines that an emergency directive 
     no longer requires active reporting from agencies or 
     additional implementation; or
       ``(C) the date that is 1 year after the issuance of the 
     directive.
       ``(2) Binding operational directive updates.--If the 
     Secretary issues a binding operational directive under this 
     section, the Director of the Cybersecurity and Infrastructure 
     Security Agency shall submit to the Director, the National 
     Cyber Director, the Committee on Homeland Security and 
     Governmental Affairs of the Senate, and the Committees on 
     Oversight and Accountability and Homeland Security of the 
     House of Representatives an update on the status of the 
     implementation of the binding operational directive at 
     agencies not later than 30 days after the issuance of the 
     binding operational directive, and every 90 days thereafter 
     until--
       ``(A) the date on which every agency has fully implemented 
     the binding operational directive;
       ``(B) the Secretary determines that a binding operational 
     directive no longer requires active reporting from agencies 
     or additional implementation; or
       ``(C) the date that is 1 year after the issuance or 
     substantive update of the directive.
       ``(3) Report.--If the Director of the Cybersecurity and 
     Infrastructure Security Agency ceases submitting updates 
     required under paragraphs (1) or (2) on the date described in 
     paragraph (1)(C) or (2)(C), the Director of the Cybersecurity 
     and Infrastructure Security Agency shall submit to the 
     Director, the National Cyber Director, the Committee on 
     Homeland Security and Governmental Affairs of the Senate, and 
     the Committees on Oversight and Accountability and Homeland 
     Security of the House of Representatives a list of every 
     agency that, at the time of the report--
       ``(A) has not completed a requirement specified by an 
     emergency directive; or
       ``(B) has not implemented a binding operational directive.
       ``(n) Review of Office of Management and Budget Guidance 
     and Policy.--
       ``(1) Conduct of review.--Not less frequently than once 
     every 3 years, the Director of the Office of Management and 
     Budget shall review the efficacy of the guidance and policy 
     promulgated by the Director in reducing cybersecurity risks, 
     including a consideration of reporting and compliance burden 
     on agencies.
       ``(2) Congressional notification.--The Director of the 
     Office of Management and Budget shall notify the Committee on 
     Homeland Security and Governmental Affairs of the Senate and 
     the Committee on Oversight and Accountability of the House of 
     Representatives of changes to guidance or policy resulting 
     from the review under paragraph (1).
       ``(3) GAO review.--The Government Accountability Office 
     shall review guidance and policy promulgated by the Director 
     to assess its efficacy in risk reduction and burden on 
     agencies.
       ``(o) Automated Standard Implementation Verification.--When 
     the Director of the National Institute of Standards and 
     Technology issues a proposed standard or guideline pursuant 
     to paragraphs (2) or (3) of section 20(a) of the National 
     Institute of Standards and Technology Act (15 U.S.C. 278g-
     3(a)), the Director of the National Institute of Standards 
     and Technology shall consider developing and, if appropriate 
     and practical, develop specifications to enable the automated 
     verification of the implementation of the controls.
       ``(p) Inspectors General Access to Federal Risk 
     Assessments.--The Director of the Cybersecurity and 
     Infrastructure Security Agency shall, upon request, make 
     available Federal risk assessment information under 
     subsection (i) to the Inspector General of the Department of 
     Homeland Security and the inspector general of any agency 
     that was included in the Federal risk assessment.'';
       (3) in section 3554--
       (A) in subsection (a)--
       (i) in paragraph (1)--

       (I) by redesignating subparagraphs (A), (B), and (C) as 
     subparagraphs (B), (C), and (D), respectively;
       (II) by inserting before subparagraph (B), as so 
     redesignated, the following:

       ``(A) on an ongoing and continuous basis, assessing agency 
     system risk, as applicable, by--
       ``(i) identifying and documenting the high value assets of 
     the agency using guidance from the Director;
       ``(ii) evaluating the data assets inventoried under section 
     3511 for sensitivity to compromises in confidentiality, 
     integrity, and availability;
       ``(iii) identifying whether the agency is participating in 
     federally offered cybersecurity shared services programs;
       ``(iv) identifying agency systems that have access to or 
     hold the data assets inventoried under section 3511;
       ``(v) evaluating the threats facing agency systems and 
     data, including high value assets, based on Federal and non-
     Federal cyber threat intelligence products, where available;
       ``(vi) evaluating the vulnerability of agency systems and 
     data, including high value assets, including by analyzing--

       ``(I) the results of penetration testing performed by the 
     Department of Homeland Security under section 3553(b)(9);
       ``(II) the results of penetration testing performed under 
     section 3559A;
       ``(III) information provided to the agency through the 
     vulnerability disclosure program of the agency under section 
     3559B;
       ``(IV) incidents; and
       ``(V) any other vulnerability information relating to 
     agency systems that is known to the agency;

       ``(vii) assessing the impacts of potential agency incidents 
     to agency systems, data, and operations based on the 
     evaluations described in clauses (ii) and (v) and the agency 
     systems identified under clause (iv); and

       ``(viii) assessing the consequences of potential incidents 
     occurring on agency systems that would impact systems at 
     other agencies, including due to interconnectivity between 
     different agency systems or operational reliance on the 
     operations of the system or data in the system;'';

       (III) in subparagraph (B), as so redesignated, in the 
     matter preceding clause (i), by striking ``providing 
     information'' and inserting ``using information from the 
     assessment required under subparagraph (A), providing 
     information'';
       (IV) in subparagraph (C), as so redesignated--

       (aa) in clause (ii) by inserting ``binding'' before 
     ``operational''; and
       (bb) in clause (vi), by striking ``and'' at the end; and

       (V) by adding at the end the following:

       ``(E) providing an update on the ongoing and continuous 
     assessment required under subparagraph (A)--
       ``(i) upon request, to the inspector general of the agency 
     or the Comptroller General of the United States; and
       ``(ii) at intervals determined by guidance issued by the 
     Director, and to the extent appropriate and practicable using 
     automation, to--

       ``(I) the Director;
       ``(II) the Director of the Cybersecurity and Infrastructure 
     Security Agency; and
       ``(III) the National Cyber Director;'';

       (ii) in paragraph (2)--

       (I) in subparagraph (A), by inserting ``in accordance with 
     the agency system risk assessment required under paragraph 
     (1)(A)'' after ``information systems'';
       (II) in subparagraph (D), by inserting ``, through the use 
     of penetration testing, the vulnerability disclosure program 
     established under section 3559B, and other means,'' after 
     ``periodically'';

       (iii) in paragraph (3)(A)--

       (I) in the matter preceding clause (i), by striking 
     ``senior agency information security officer'' and inserting 
     ``Chief Information Security Officer'';
       (II) in clause (i), by striking ``this section'' and 
     inserting ``subsections (a) through (c)'';
       (III) in clause (ii), by striking ``training and'' and 
     inserting ``skills, training, and'';
       (IV) by redesignating clauses (iii) and (iv) as (iv) and 
     (v), respectively;
       (V) by inserting after clause (ii) the following:

       ``(iii) manage information security, cybersecurity budgets, 
     and risk and compliance activities and explain those concepts 
     to the head of the agency and the executive team of the 
     agency;''; and

       (VI) in clause (iv), as so redesignated, by striking 
     ``information security duties as that official's primary 
     duty'' and inserting ``information, computer network, and 
     technology security duties as the Chief Information Security 
     Officers' primary duty'';

       (iv) in paragraph (5), by striking ``annually'' and 
     inserting ``not less frequently than quarterly''; and
       (v) in paragraph (6), by striking ``official delegated'' 
     and inserting ``Chief Information Security Officer 
     delegated''; and
       (B) in subsection (b)--
       (i) by striking paragraph (1) and inserting the following:
       ``(1) the ongoing and continuous assessment of agency 
     system risk required under subsection (a)(1)(A), which may 
     include using guidance and automated tools consistent with 
     standards and guidelines promulgated under section 11331 of 
     title 40, as applicable;'';
       (ii) in paragraph (2)--

       (I) by striking subparagraph (B);
       (II) by redesignating subparagraphs (C) and (D) as 
     subparagraphs (B) and (C), respectively;
       (III) in subparagraph (B), as so redesignated, by striking 
     ``and'' at the end; and
       (IV) in subparagraph (C), as so redesignated--

       (aa) by redesignating clauses (iii) and (iv) as clauses 
     (iv) and (v), respectively;
       (bb) by inserting after clause (ii) the following:
       ``(iii) binding operational directives and emergency 
     directives issued by the Secretary under section 3553;''; and
       (cc) in clause (iv), as so redesignated, by striking ``as 
     determined by the agency; and'' and inserting ``as determined 
     by the agency, considering the agency risk assessment 
     required under subsection (a)(1)(A);
       (iii) in paragraph (5)(A), by inserting ``, including 
     penetration testing, as appropriate,'' after ``shall include 
     testing'';
       (iv) by redesignating paragraphs (7) and (8) as paragraphs 
     (8) and (9), respectively;
       (v) by inserting after paragraph (6) the following:
       ``(7) a secure process for providing the status of every 
     remedial action and unremediated identified system 
     vulnerability of a high value asset to the Director and the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, using automation and machine-readable data to the 
     greatest extent practicable;''; and
       (vi) in paragraph (8)(C), as so redesignated--

       (I) by striking clause (ii) and inserting the following:

       ``(ii) notifying and consulting with the Federal 
     information security incident center established under 
     section 3556 pursuant to the requirements of section 3594;'';

       (II) by redesignating clause (iii) as clause (iv);
       (III) by inserting after clause (ii) the following:

       ``(iii) performing the notifications and other activities 
     required under subchapter IV of this chapter; and''; and

       (IV) in clause (iv), as so redesignated--

       (aa) in subclause (II), by adding ``and'' at the end;
       (bb) by striking subclause (III); and
       (cc) by redesignating subclause (IV) as subclause (III); 
     and
       (C) in subsection (c)--
       (i) by redesignating paragraph (2) as paragraph (5);
       (ii) by striking paragraph (1) and inserting the following:
       ``(1) Biennial report.--Not later than 2 years after the 
     date of enactment of the Federal Information Security 
     Modernization Act of 2023 and not less frequently than once 
     every 2 years thereafter, using the continuous and ongoing 
     agency system risk assessment required under subsection 
     (a)(1)(A), the head of each agency shall submit to the 
     Director, the National Cyber Director, the Director of the 
     Cybersecurity and Infrastructure Security Agency, the 
     Comptroller General of the United States, the majority and 
     minority leaders of the Senate, the Speaker and minority 
     leader of the House of Representatives, the Committee on 
     Homeland Security and Governmental Affairs of the Senate, the 
     Committee on Oversight and Accountability of the House of 
     Representatives, the Committee on Homeland Security of the 
     House of Representatives, the Committee on Commerce, Science, 
     and Transportation of the Senate, the Committee on Science, 
     Space, and Technology of the House of Representatives, and 
     the appropriate authorization and appropriations committees 
     of Congress a report that--
       ``(A) summarizes the agency system risk assessment required 
     under subsection (a)(1)(A);
       ``(B) evaluates the adequacy and effectiveness of 
     information security policies, procedures, and practices of 
     the agency to address the risks identified in the agency 
     system risk assessment required under subsection (a)(1)(A), 
     including an analysis of the agency's cybersecurity and 
     incident response capabilities using the metrics established 
     under section 224(c) of the Cybersecurity Act of 2015 (6 
     U.S.C. 1522(c)); and
       ``(C) summarizes the status of remedial actions identified 
     by the inspector general of the agency, the Comptroller General 
     of the United States, and any other source determined 
     appropriate by the head of the agency.
       ``(2) Unclassified reports.--Each report submitted under 
     paragraph (1)--
       ``(A) shall be, to the greatest extent practicable, in an 
     unclassified and otherwise uncontrolled form; and
       ``(B) may include 1 or more annexes that contain classified 
     or other sensitive information, as appropriate.
       ``(3) Briefings.--During each year during which a report is 
     not required to be submitted under paragraph (1), the 
     Director shall provide to the congressional committees 
     described in paragraph (1) a briefing summarizing current 
     agency and Federal risk postures.''; and
       (iii) in paragraph (5), as so redesignated, by striking the 
     period at the end and inserting ``, including the reporting 
     procedures established under section 11315(d) of title 40 and 
     subsection (a)(3)(A)(v) of this section'';
       (4) in section 3555--
       (A) in the section heading, by striking ``annual 
     independent'' and inserting ``independent'';
       (B) in subsection (a)--
       (i) in paragraph (1), by inserting ``during which a report 
     is required to be submitted under section 3553(c),'' after 
     ``Each year'';
       (ii) in paragraph (2)(A), by inserting ``, including by 
     performing, or reviewing the results of, agency penetration 
     testing and analyzing the vulnerability disclosure program of 
     the agency'' after ``information systems''; and
       (iii) by adding at the end the following:
       ``(3) An evaluation under this section may include 
     recommendations for improving the cybersecurity posture of 
     the agency.'';
       (C) in subsection (b)(1), by striking ``annual'';
       (D) in subsection (e)(1), by inserting ``during which a 
     report is required to be submitted under section 3553(c)'' 
     after ``Each year'';
       (E) in subsection (g)(2)--
       (i) by striking ``this subsection shall'' and inserting 
     ``this subsection--
       ``(A) shall'';
       (ii) in subparagraph (A), as so designated, by striking the 
     period at the end and inserting ``; and''; and
       (iii) by adding at the end the following:
       ``(B) identify any entity that performs an independent 
     evaluation under subsection (b).''; and
       (F) by striking subsection (j) and inserting the following:
       ``(j) Guidance.--
       ``(1) In general.--The Director, in consultation with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, the Chief Information Officers Council, the Council 
     of the Inspectors General on Integrity and Efficiency, and 
     other interested parties as appropriate, shall ensure the 
     development of risk-based guidance for evaluating the 
     effectiveness of an information security program and 
     practices.
       ``(2) Priorities.--The risk-based guidance developed under 
     paragraph (1) shall include--

[[Page S2809]]

       ``(A) the identification of the most common successful 
     threat patterns;
       ``(B) the identification of security controls that address 
     the threat patterns described in subparagraph (A);
       ``(C) any other security risks unique to Federal systems; 
     and
       ``(D) any other element the Director determines 
     appropriate.''; and
       (5) in section 3556(a)--
       (A) in the matter preceding paragraph (1), by inserting 
     ``within the Cybersecurity and Infrastructure Security 
     Agency'' after ``incident center''; and
       (B) in paragraph (4), by striking ``3554(b)'' and inserting 
     ``3554(a)(1)(A)''.
       (d) Conforming Amendments.--
       (1) Table of sections.--The table of sections for chapter 
     35 of title 44, United States Code, is amended by striking 
     the item relating to section 3555 and inserting the 
     following:

``3555. Independent evaluation.''.
       (2) OMB reports.--Section 226(c) of the Cybersecurity Act 
     of 2015 (6 U.S.C. 1524(c)) is amended--
       (A) in paragraph (1)(B), in the matter preceding clause 
     (i), by striking ``annually thereafter'' and inserting 
     ``thereafter during the years during which a report is 
     required to be submitted under section 3553(c) of title 44, 
     United States Code''; and
       (B) in paragraph (2)(B), in the matter preceding clause 
     (i)--
       (i) by striking ``annually thereafter'' and inserting 
     ``thereafter during the years during which a report is 
     required to be submitted under section 3553(c) of title 44, 
     United States Code''; and
       (ii) by striking ``the report required under section 
     3553(c) of title 44, United States Code'' and inserting 
     ``that report''.
       (3) NIST responsibilities.--Section 20(d)(3)(B) of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     278g-3(d)(3)(B)) is amended by striking ``annual''.
       (e) Federal System Incident Response.--
       (1) In general.--Chapter 35 of title 44, United States 
     Code, is amended by adding at the end the following:

           ``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE

     ``Sec. 3591. Definitions

       ``(a) In General.--Except as provided in subsection (b), 
     the definitions under sections 3502 and 3552 shall apply to 
     this subchapter.
       ``(b) Additional Definitions.--As used in this subchapter:
       ``(1) Appropriate reporting entities.--The term 
     `appropriate reporting entities' means--
       ``(A) the majority and minority leaders of the Senate;
       ``(B) the Speaker and minority leader of the House of 
     Representatives;
       ``(C) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(D) the Committee on Commerce, Science, and 
     Transportation of the Senate;
       ``(E) the Committee on Oversight and Accountability of the 
     House of Representatives;
       ``(F) the Committee on Homeland Security of the House of 
     Representatives;
       ``(G) the Committee on Science, Space, and Technology of 
     the House of Representatives;
       ``(H) the appropriate authorization and appropriations 
     committees of Congress;
       ``(I) the Director;
       ``(J) the Director of the Cybersecurity and Infrastructure 
     Security Agency;
       ``(K) the National Cyber Director;
       ``(L) the Comptroller General of the United States; and
       ``(M) the inspector general of any impacted agency.
       ``(2) Awardee.--The term `awardee', with respect to an 
     agency--
       ``(A) means--
       ``(i) the recipient of a grant from an agency;
       ``(ii) a party to a cooperative agreement with an agency; 
     and
       ``(iii) a party to an other transaction agreement with an 
     agency; and
       ``(B) includes a subawardee of an entity described in 
     subparagraph (A).
       ``(3) Breach.--The term `breach'--
       ``(A) means the compromise, unauthorized disclosure, 
     unauthorized acquisition, or loss of control of personally 
     identifiable information or any similar occurrence; and
       ``(B) includes any additional meaning given the term in 
     policies, principles, standards, or guidelines issued by the 
     Director.
       ``(4) Contractor.--The term `contractor' means a prime 
     contractor of an agency or a subcontractor of a prime 
     contractor of an agency that creates, collects, stores, 
     processes, maintains, or transmits Federal information on 
     behalf of an agency.
       ``(5) Federal information.--The term `Federal information' 
     means information created, collected, processed, maintained, 
     disseminated, disclosed, or disposed of by or for the Federal 
     Government in any medium or form.
       ``(6) Federal information system.--The term `Federal 
     information system' means an information system owned, 
     managed, or operated by an agency, or on behalf of an agency 
     by a contractor, an awardee, or another organization.
       ``(7) Intelligence community.--The term `intelligence 
     community' has the meaning given the term in section 3 of the 
     National Security Act of 1947 (50 U.S.C. 3003).
       ``(8) Nationwide consumer reporting agency.--The term 
     `nationwide consumer reporting agency' means a consumer 
     reporting agency described in section 603(p) of the Fair 
     Credit Reporting Act (15 U.S.C. 1681a(p)).
       ``(9) Vulnerability disclosure.--The term `vulnerability 
     disclosure' means a vulnerability identified under section 
     3559B.

     ``Sec. 3592. Notification of breach

       ``(a) Definition.--In this section, the term `covered 
     breach' means a breach--
       ``(1) involving not less than 50,000 potentially affected 
     individuals; or
       ``(2) the result of which the head of an agency determines 
     that notifying potentially affected individuals is necessary 
     pursuant to subsection (b)(1), regardless of whether--
       ``(A) the number of potentially affected individuals is 
     less than 50,000; or
       ``(B) the notification is delayed under subsection (d).
       ``(b) Notification.--As expeditiously as practicable and 
     without unreasonable delay, and in any case not later than 45 
     days after an agency has a reasonable basis to conclude that 
     a breach has occurred, the head of the agency, in 
     consultation with the Chief Information Officer and Chief 
     Privacy Officer of the agency, shall--
       ``(1) determine whether notice to any individual 
     potentially affected by the breach is appropriate, including 
     by conducting an assessment of the risk of harm to the 
     individual that considers--
       ``(A) the nature and sensitivity of the personally 
     identifiable information affected by the breach;
       ``(B) the likelihood of access to and use of the personally 
     identifiable information affected by the breach;
       ``(C) the type of breach; and
       ``(D) any other factors determined by the Director; and
       ``(2) if the head of the agency determines notification is 
     necessary pursuant to paragraph (1), provide written 
     notification in accordance with subsection (c) to each 
     individual potentially affected by the breach--
       ``(A) to the last known mailing address of the individual; 
     or
       ``(B) through an appropriate alternative method of 
     notification.
       ``(c) Contents of Notification.--Each notification of a 
     breach provided to an individual under subsection (b)(2) 
     shall include, to the maximum extent practicable--
       ``(1) a brief description of the breach;
       ``(2) if possible, a description of the types of personally 
     identifiable information affected by the breach;
       ``(3) contact information of the agency that may be used to 
     ask questions of the agency, which--
       ``(A) shall include an e-mail address or another digital 
     contact mechanism; and
       ``(B) may include a telephone number, mailing address, or a 
     website;
       ``(4) information on any remedy being offered by the 
     agency;
       ``(5) any applicable educational materials relating to what 
     individuals can do in response to a breach that potentially 
     affects their personally identifiable information, including 
     relevant contact information for the appropriate Federal law 
     enforcement agencies and each nationwide consumer reporting 
     agency; and
       ``(6) any other appropriate information, as determined by 
     the head of the agency or established in guidance by the 
     Director.
       ``(d) Delay of Notification.--
       ``(1) In general.--The head of an agency, in coordination 
     with the Director and the National Cyber Director, and as 
     appropriate, the Attorney General, the Director of National 
     Intelligence, or the Secretary of Homeland Security, may 
     delay a notification required under subsection (b) or (e) if 
     the notification would--
       ``(A) impede a criminal investigation or a national 
     security activity;
       ``(B) cause an adverse result (as described in section 
     2705(a)(2) of title 18);
       ``(C) reveal sensitive sources and methods;
       ``(D) cause damage to national security; or
       ``(E) hamper security remediation actions.
       ``(2) Renewal.--A delay under paragraph (1) shall be for a 
     period of 60 days and may be renewed.
       ``(3) National security systems.--The head of an agency 
     delaying notification under this subsection with respect to a 
     breach exclusively of a national security system shall 
     coordinate such delay with the Secretary of Defense.
       ``(e) Update Notification.--If an agency determines there 
     is a significant change in the reasonable basis to conclude 
     that a breach occurred, a significant change to the 
     determination made under subsection (b)(1), or that it is 
     necessary to update the details of the information provided 
     to potentially affected individuals as described in 
     subsection (c), the agency shall as expeditiously as 
     practicable and without unreasonable delay, and in any case 
     not later than 30 days after such a determination, notify 
     each individual who received a notification pursuant to 
     subsection (b) of those changes.
       ``(f) Delay of Notification Report.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of the Federal Information Security Modernization 
     Act of 2023, and annually thereafter, the head of an agency, 
     in coordination with any official who delays a notification 
     under subsection (d), shall submit to the appropriate 
     reporting entities a report on each delay that occurred 
     during the previous 2 years.
       ``(2) Component of other report.--The head of an agency may 
     submit the report required under paragraph (1) as a component 
     of the report submitted under section 3554(c).
       ``(g) Congressional Reporting Requirements.--

[[Page S2810]]

       ``(1) Review and update.--On a periodic basis, the Director 
     of the Office of Management and Budget shall review, and 
     update as appropriate, breach notification policies and 
     guidelines for agencies.
       ``(2) Required notice from agencies.--Subject to paragraph 
     (4), the Director of the Office of Management and Budget 
     shall require the head of an agency affected by a covered 
     breach to expeditiously and not later than 30 days after the 
     date on which the agency discovers the covered breach give 
     notice of the breach, which may be provided electronically, 
     to--
       ``(A) each congressional committee described in section 
     3554(c)(1); and
       ``(B) the Committee on the Judiciary of the Senate and the 
     Committee on the Judiciary of the House of Representatives.
       ``(3) Contents of notice.--Notice of a covered breach 
     provided by the head of an agency pursuant to paragraph (2) 
     shall include, to the extent practicable--
       ``(A) information about the covered breach, including a 
     summary of any information about how the covered breach 
     occurred known by the agency as of the date of the notice;
       ``(B) an estimate of the number of individuals affected by 
     the covered breach based on information known by the agency 
     as of the date of the notice, including an assessment of the 
     risk of harm to affected individuals;
       ``(C) a description of any circumstances necessitating a 
     delay in providing notice to individuals affected by the 
     covered breach in accordance with subsection (d); and
       ``(D) an estimate of when the agency will provide notice to 
     individuals affected by the covered breach, if applicable.
       ``(4) Exception.--Any agency that is required to provide 
     notice to Congress pursuant to paragraph (2) due to a covered 
     breach exclusively on a national security system shall only 
     provide such notice to--
       ``(A) the majority and minority leaders of the Senate;
       ``(B) the Speaker and minority leader of the House of 
     Representatives;
       ``(C) the appropriations committees of Congress;
       ``(D) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(E) the Select Committee on Intelligence of the Senate;
       ``(F) the Committee on Oversight and Accountability of the 
     House of Representatives; and
       ``(G) the Permanent Select Committee on Intelligence of the 
     House of Representatives.
       ``(5) Rule of construction.--Nothing in paragraphs (1) 
     through (3) shall be construed to alter any authority of an 
     agency.
       ``(h) Rule of Construction.--Nothing in this section shall 
     be construed to--
       ``(1) limit--
       ``(A) the authority of the Director to issue guidance 
     relating to notifications of, or the head of an agency to 
     notify individuals potentially affected by, breaches that are 
     not determined to be covered breaches or major incidents;
       ``(B) the authority of the Director to issue guidance 
     relating to notifications and reporting of breaches, covered 
     breaches, or major incidents;
       ``(C) the authority of the head of an agency to provide 
     more information than required under subsection (b) when 
     notifying individuals potentially affected by a breach;
       ``(D) the timing of incident reporting or the types of 
     information included in incident reports provided, pursuant 
     to this subchapter, to--
       ``(i) the Director;
       ``(ii) the National Cyber Director;
       ``(iii) the Director of the Cybersecurity and 
     Infrastructure Security Agency; or
       ``(iv) any other agency;
       ``(E) the authority of the head of an agency to provide 
     information to Congress about agency breaches, including--
       ``(i) breaches that are not covered breaches; and
       ``(ii) additional information beyond the information 
     described in subsection (g)(3); or
       ``(F) any Congressional reporting requirements of agencies 
     under any other law; or
       ``(2) limit or supersede any existing privacy protections 
     in existing law.

     ``Sec. 3593. Congressional and Executive Branch reports on 
       major incidents

       ``(a) Appropriate Congressional Entities.--In this section, 
     the term `appropriate congressional entities' means--
       ``(1) the majority and minority leaders of the Senate;
       ``(2) the Speaker and minority leader of the House of 
     Representatives;
       ``(3) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(4) the Committee on Commerce, Science, and 
     Transportation of the Senate;
       ``(5) the Committee on Oversight and Accountability of the 
     House of Representatives;
       ``(6) the Committee on Homeland Security of the House of 
     Representatives;
       ``(7) the Committee on Science, Space, and Technology of 
     the House of Representatives; and
       ``(8) the appropriate authorization and appropriations 
     committees of Congress.
       ``(b) Initial Notification.--
       ``(1) In general.--Not later than 72 hours after an agency 
     has a reasonable basis to conclude that a major incident 
     occurred, the head of the agency impacted by the major 
     incident shall submit to the appropriate reporting entities a 
     written notification, which may be submitted electronically 
     and include 1 or more annexes that contain classified or 
     other sensitive information, as appropriate.
       ``(2) Contents.--A notification required under paragraph 
     (1) with respect to a major incident shall include the 
     following, based on information available to agency officials 
     as of the date on which the agency submits the notification:
       ``(A) A summary of the information available about the 
     major incident, including how the major incident occurred and 
     the threat causing the major incident.
       ``(B) If applicable, information relating to any breach 
     associated with the major incident, regardless of whether--
       ``(i) the breach was the reason the incident was determined 
     to be a major incident; and
       ``(ii) the head of the agency determined it was appropriate to 
     provide notification to potentially impacted individuals 
     pursuant to section 3592(b)(1).
       ``(C) A preliminary assessment of the impacts to--
       ``(i) the agency;
       ``(ii) the Federal Government;
       ``(iii) the national security, foreign relations, homeland 
     security, and economic security of the United States; and
       ``(iv) the civil liberties, public confidence, privacy, and 
     public health and safety of the people of the United States.
       ``(D) If applicable, whether any ransom has been demanded 
     or paid, or is expected to be paid, by any entity operating a 
     Federal information system or with access to Federal 
     information or a Federal information system, including, as 
     available, the name of the entity demanding ransom, the date 
     of the demand, and the amount and type of currency demanded, 
     unless disclosure of such information will disrupt an active 
     Federal law enforcement or national security operation.
       ``(c) Supplemental Update.--Within a reasonable amount of 
     time, but not later than 30 days after the date on which the 
     head of an agency submits a written notification under 
     subsection (a), the head of the agency shall provide to the 
     appropriate congressional entities an unclassified and 
     written update, which may include 1 or more annexes that 
     contain classified or other sensitive information, as 
     appropriate, on the major incident, based on information 
     available to agency officials as of the date on which the 
     agency provides the update, on--
       ``(1) system vulnerabilities relating to the major 
     incident, where applicable, means by which the major incident 
     occurred, the threat causing the major incident, where 
     applicable, and impacts of the major incident to--
       ``(A) the agency;
       ``(B) other Federal agencies, Congress, or the judicial 
     branch;
       ``(C) the national security, foreign relations, homeland 
     security, or economic security of the United States; or
       ``(D) the civil liberties, public confidence, privacy, or 
     public health and safety of the people of the United States;
       ``(2) the status of compliance of the affected Federal 
     information system with applicable security requirements at 
     the time of the major incident;
       ``(3) if the major incident involved a breach, a 
     description of the affected information, an estimate of the 
     number of individuals potentially impacted, and any 
     assessment of the risk of harm to such individuals;
       ``(4) an update to the assessment of the risk to agency 
     operations, or to impacts on other agency or non-Federal 
     entity operations, affected by the major incident; and
       ``(5) the detection, response, and remediation actions of 
     the agency, including any support provided by the 
     Cybersecurity and Infrastructure Security Agency under 
     section 3594(d), if applicable.
       ``(d) Additional Update.--If the head of an agency, the 
     Director, or the National Cyber Director determines that 
     there is any significant change in the understanding of the 
     scope, scale, or consequence of a major incident for which 
     the head of the agency submitted a written notification and 
     update under subsections (b) and (c), the head of the agency 
     shall submit to the appropriate congressional entities a 
     written update that includes information relating to the 
     change in understanding.
       ``(e) Biennial Report.--Each agency shall submit as part of 
     the biennial report required under section 3554(c)(1) a 
     description of each major incident that occurred during the 
     2-year period preceding the date on which the biennial report 
     is submitted.
       ``(f) Report Delivery.--
       ``(1) In general.--Any written notification or update 
     required to be submitted under this section--
       ``(A) shall be submitted in an electronic format; and
       ``(B) may be submitted in a paper format.
       ``(2) Classification status.--Any written notification or 
     update required to be submitted under this section--
       ``(A) shall be--
       ``(i) unclassified; and
       ``(ii) submitted through unclassified electronic means 
     pursuant to paragraph (1)(A); and
       ``(B) may include classified annexes, as appropriate.
       ``(g) Report Consistency.--To achieve consistent and 
     coherent agency reporting to Congress, the National Cyber 
     Director, in coordination with the Director, shall--
       ``(1) provide recommendations to agencies on formatting and 
     the contents of information to be included in the reports 
     required under this section, including recommendations for 
     consistent formats for presenting any associated metrics; and

[[Page S2811]]

       ``(2) maintain a comprehensive record of each major 
     incident notification, update, and briefing provided under 
     this section, which shall--
       ``(A) include, at a minimum--
       ``(i) the full contents of the written notification or 
     update;
       ``(ii) the identity of the reporting agency; and
       ``(iii) the date of submission; and
       ``(iv) a list of the recipient congressional entities; and
       ``(B) be made available upon request to the majority and 
     minority leaders of the Senate, the Speaker and minority 
     leader of the House of Representatives, the Committee on 
     Homeland Security and Governmental Affairs of the Senate, and 
     the Committee on Oversight and Accountability of the House of 
     Representatives.
       ``(h) National Security Systems Congressional Reporting 
     Exemption.--With respect to a major incident that occurs 
     exclusively on a national security system, the head of the 
     affected agency shall submit the notifications and reports 
     required to be submitted to Congress under this section only 
     to--
       ``(1) the majority and minority leaders of the Senate;
       ``(2) the Speaker and minority leader of the House of 
     Representatives;
       ``(3) the appropriations committees of Congress;
       ``(4) the appropriate authorization committees of Congress;
       ``(5) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(6) the Select Committee on Intelligence of the Senate;
       ``(7) the Committee on Oversight and Accountability of the 
     House of Representatives; and
       ``(8) the Permanent Select Committee on Intelligence of the 
     House of Representatives.
       ``(i) Major Incidents Including Breaches.--If a major 
     incident constitutes a covered breach, as defined in section 
     3592(a), information on the covered breach required to be 
     submitted to Congress pursuant to section 3592(g) may--
       ``(1) be included in the notifications required under 
     subsection (b) or (c); or
       ``(2) be reported to Congress under the process established 
     under section 3592(g).
       ``(j) Rule of Construction.--Nothing in this section shall 
     be construed to--
       ``(1) limit--
       ``(A) the ability of an agency to provide additional 
     reports or briefings to Congress;
       ``(B) Congress from requesting additional information from 
     agencies through reports, briefings, or other means;
       ``(C) any congressional reporting requirements of agencies 
     under any other law; or
       ``(2) limit or supersede any privacy protections under any 
     other law.

     ``Sec. 3594. Government information sharing and incident 
       response

       ``(a) In General.--
       ``(1) Incident sharing.--Subject to paragraph (4) and 
     subsection (b), and in accordance with the applicable 
     requirements pursuant to section 3553(b)(2)(A) for reporting 
     to the Federal information security incident center 
     established under section 3556, the head of each agency shall 
     provide to the Cybersecurity and Infrastructure Security 
     Agency information relating to any incident affecting the 
     agency, whether the information is obtained by the Federal 
     Government directly or indirectly.
       ``(2) Contents.--A provision of information relating to an 
     incident made by the head of an agency under paragraph (1) 
     shall include, at a minimum--
       ``(A) a full description of the incident, including--
       ``(i) all indicators of compromise and tactics, techniques, 
     and procedures;
       ``(ii) an indicator of how the intruder gained initial 
     access, accessed agency data or systems, and undertook 
     additional actions on the network of the agency; and
       ``(iii) information that would support enabling defensive 
     measures; and
       ``(iv) other information that may assist in identifying 
     other victims;
       ``(B) information to help prevent similar incidents, such 
     as information about relevant safeguards in place when the 
     incident occurred and the effectiveness of those safeguards; 
     and
       ``(C) information to aid in incident response, such as--
       ``(i) a description of the affected systems or networks;
       ``(ii) the estimated dates of when the incident occurred; 
     and
       ``(iii) information that could reasonably help identify any 
     malicious actor that may have conducted or caused the 
     incident, subject to appropriate privacy protections.
       ``(3) Information sharing.--The Director of the 
     Cybersecurity and Infrastructure Security Agency shall--
       ``(A) make incident information provided under paragraph 
     (1) available to the Director and the National Cyber 
     Director;
       ``(B) to the greatest extent practicable, share information 
     relating to an incident with--
       ``(i) the head of any agency that may be--

       ``(I) impacted by the incident;
       ``(II) particularly susceptible to the incident; or
       ``(III) similarly targeted by the incident; and

       ``(ii) appropriate Federal law enforcement agencies to 
     facilitate any necessary threat response activities, as 
     requested;
       ``(C) coordinate any necessary information sharing efforts 
     relating to a major incident with the private sector; and
       ``(D) notify the National Cyber Director of any efforts 
     described in subparagraph (C).
       ``(4) National security systems exemption.--
       ``(A) In general.--Notwithstanding paragraphs (1) and (3), 
     each agency operating or exercising control of a national 
     security system shall share information about an incident 
     that occurs exclusively on a national security system with 
     the Secretary of Defense, the Director, the National Cyber 
     Director, and the Director of the Cybersecurity and 
     Infrastructure Security Agency to the extent consistent with 
     standards and guidelines for national security systems issued 
     in accordance with law and as directed by the President.
       ``(B) Protections.--Any information sharing and handling of 
     information under this paragraph shall be appropriately 
     protected consistent with procedures authorized for the 
     protection of sensitive sources and methods or by procedures 
     established for information that have been specifically 
     authorized under criteria established by an Executive order 
     or an Act of Congress to be kept classified in the interest 
     of national defense or foreign policy.
       ``(b) Automation.--In providing information and selecting a 
     method to provide information under subsection (a), the head 
     of each agency shall implement subsection (a)(1) in a manner 
     that provides such information to the Cybersecurity and 
     Infrastructure Security Agency in an automated and machine-
     readable format, to the greatest extent practicable.
       ``(c) Incident Response.--Each agency that has a reasonable 
     basis to suspect or conclude that a major incident occurred 
     involving Federal information in electronic medium or form 
     that does not exclusively involve a national security system 
     shall coordinate with--
       ``(1) the Cybersecurity and Infrastructure Security Agency 
     to facilitate asset response activities and provide 
     recommendations for mitigating future incidents; and
       ``(2) consistent with relevant policies, appropriate 
     Federal law enforcement agencies to facilitate threat 
     response activities.

     ``Sec. 3595. Responsibilities of contractors and awardees

       ``(a) Reporting.--
       ``(1) In general.--Any contractor or awardee of an agency 
     shall report to the agency if the contractor or awardee has a 
     reasonable basis to conclude that--
       ``(A) an incident or breach has occurred with respect to 
     Federal information the contractor or awardee collected, 
     used, or maintained on behalf of an agency;
       ``(B) an incident or breach has occurred with respect to a 
     Federal information system used, operated, managed, or 
     maintained on behalf of an agency by the contractor or 
     awardee;
       ``(C) a component of any Federal information system 
     operated, managed, or maintained by a contractor or awardee 
     contains a security vulnerability, including a supply chain 
     compromise or an identified software or hardware 
     vulnerability, for which there is reliable evidence of 
     attempted or successful exploitation of the vulnerability by 
     an actor without authorization of the Federal information 
     system owner; or
       ``(D) the contractor or awardee has received personally 
     identifiable information, personal health information, or 
     other clearly sensitive information that is beyond the scope 
     of the contract or agreement with the agency from the agency 
     that the contractor or awardee is not authorized to receive.
       ``(2) Third-party reports of vulnerabilities.--Subject to 
     the guidance issued by the Director pursuant to paragraph 
     (4), any contractor or awardee of an agency shall report to 
     the agency and the Cybersecurity and Infrastructure Security 
     Agency if the contractor or awardee has a reasonable basis to 
     suspect or conclude that a component of any Federal 
     information system operated, managed, or maintained on behalf 
     of an agency by the contractor or awardee on behalf of the 
     agency contains a security vulnerability, including a supply 
     chain compromise or an identified software or hardware 
     vulnerability, that has been reported to the contractor or 
     awardee by a third party, including through a vulnerability 
     disclosure program.
       ``(3) Procedures.--
       ``(A) Sharing with CISA.--As soon as practicable following 
     a report of an incident to an agency by a contractor or 
     awardee under paragraph (1), the head of the agency shall 
     provide, pursuant to section 3594, information about the 
     incident to the Director of the Cybersecurity and 
     Infrastructure Security Agency.
       ``(B) Time for reporting.--Unless a different time for 
     reporting is specified in a contract, grant, cooperative 
     agreement, or other transaction agreement, a contractor or 
     awardee shall--
       ``(i) make a report required under paragraph (1) not later 
     than 1 day after the date on which the contractor or awardee 
     has reasonable basis to suspect or conclude that the criteria 
     under paragraph (1) have been met; and
       ``(ii) make a report required under paragraph (2) within a 
     reasonable time, but not later than 90 days after the date on 
     which the contractor or awardee has reasonable basis to 
     suspect or conclude that the criteria under paragraph (2) 
     have been met.
       ``(C) Procedures.--Following a report of a breach or 
     incident to an agency by a contractor or awardee under 
     paragraph (1), the head of the agency, in consultation with 
     the contractor or awardee, shall carry out the applicable 
     requirements under sections 3592, 3593, and 3594 with respect 
     to the breach or incident.
       ``(D) Rule of construction.--Nothing in subparagraph (B) 
     shall be construed to allow the negation of the requirements 
     to report vulnerabilities under paragraph (1) or (2) through 
     a contract, grant, cooperative agreement, or other 
     transaction agreement.
       ``(4) Guidance.--The Director shall issue guidance to 
     agencies relating to the scope of vulnerabilities to be 
     reported under paragraph (2), such as the minimum severity of 
     a vulnerability required to be reported or whether 
     vulnerabilities that are already publicly disclosed must be 
     reported.
       ``(b) Regulations; Modifications.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of the Federal Information Security Modernization 
     Act of 2023--
       ``(A) the Federal Acquisition Regulatory Council shall 
     promulgate regulations, as appropriate, relating to the 
     responsibilities of contractors and recipients of other 
     transaction agreements and cooperative agreements to comply 
     with this section; and
       ``(B) the Office of Federal Financial Management shall 
     promulgate regulations under title 2, Code of Federal 
     Regulations, as appropriate, relating to the responsibilities 
     of grantees to comply with this section.
       ``(2) Implementation.--Not later than 1 year after the date 
     on which the Federal Acquisition Regulatory Council and the 
     Office of Federal Financial Management promulgate 
     regulations under paragraph (1), the head of each agency 
     shall implement policies and procedures, as appropriate, 
     necessary to implement those regulations.
       ``(3) Congressional notification.--
       ``(A) In general.--The head of each agency shall 
     notify the Director upon implementation of policies and 
     procedures necessary to implement the regulations promulgated 
     under paragraph (1).
       ``(B) OMB notification.--Not later than 30 days after the 
     date described in paragraph (2), the Director shall notify 
     the Committee on Homeland Security and Governmental Affairs 
     of the Senate and the Committees on Oversight and 
     Accountability and Homeland Security of the House of 
     Representatives on the status of the implementation by each 
     agency of the regulations promulgated under paragraph (1).
       ``(c) National Security Systems Exemption.--Notwithstanding 
     any other provision of this section, a contractor or awardee 
     of an agency that would be required to report an incident or 
     vulnerability pursuant to this section that occurs 
     exclusively on a national security system shall--
       ``(1) report the incident or vulnerability to the head of 
     the agency and the Secretary of Defense; and
       ``(2) comply with applicable laws and policies relating to 
     national security systems.

     ``Sec. 3596. Training

       ``(a) Covered Individual Defined.--In this section, the 
     term `covered individual' means an individual who obtains 
     access to a Federal information system because of the status 
     of the individual as--
       ``(1) an employee, contractor, awardee, volunteer, or 
     intern of an agency; or
       ``(2) an employee of a contractor or awardee of an agency.
       ``(b) Best Practices and Consistency.--The Director of the 
     Cybersecurity and Infrastructure Security Agency, in 
     consultation with the Director, the National Cyber Director, 
     and the Director of the National Institute of Standards and 
     Technology, shall develop best practices to support 
     consistency across agencies in cybersecurity incident 
     response training, including--
       ``(1) information to be collected and shared with the 
     Cybersecurity and Infrastructure Security Agency pursuant to 
     section 3594(a) and processes for sharing such information; 
     and
       ``(2) appropriate training and qualifications for cyber 
     incident responders.
       ``(c) Agency Training.--The head of each agency shall 
     develop training for covered individuals on how to identify 
     and respond to an incident, including--
       ``(1) the internal process of the agency for reporting an 
     incident; and
       ``(2) the obligation of a covered individual to report to 
     the agency any suspected or confirmed incident involving 
     Federal information in any medium or form, including paper, 
     oral, and electronic.
       ``(d) Inclusion in Annual Training.--The training developed 
     under subsection (c) may be included as part of an annual 
     privacy, security awareness, or other appropriate training of 
     an agency.

     ``Sec. 3597. Analysis and report on Federal incidents

       ``(a) Analysis of Federal Incidents.--
       ``(1) Quantitative and qualitative analyses.--The Director 
     of the Cybersecurity and Infrastructure Security Agency shall 
     perform and, in coordination with the Director and the 
     National Cyber Director, develop, continuous monitoring and 
     quantitative and qualitative analyses of incidents at 
     agencies, including major incidents, including--
       ``(A) the causes of incidents, including--
       ``(i) attacker tactics, techniques, and procedures; and
       ``(ii) system vulnerabilities, including zero days, 
     unpatched systems, and information system misconfigurations;
       ``(B) the scope and scale of incidents at agencies;
       ``(C) common root causes of incidents across multiple 
     agencies;
       ``(D) agency incident response, recovery, and remediation 
     actions and the effectiveness of those actions, as 
     applicable;
       ``(E) lessons learned and recommendations in responding to, 
     recovering from, remediating, and mitigating future 
     incidents; and
       ``(F) trends across multiple agencies to address intrusion 
     detection and incident response capabilities using the 
     metrics established under section 224(c) of the Cybersecurity 
     Act of 2015 (6 U.S.C. 1522(c)).
       ``(2) Automated analysis.--The analyses developed under 
     paragraph (1) shall, to the greatest extent practicable, use 
     machine readable data, automation, and machine learning 
     processes.
       ``(3) Sharing of data and analysis.--
       ``(A) In general.--The Director of the Cybersecurity and 
     Infrastructure Security Agency shall share on an ongoing 
     basis the analyses and underlying data required under this 
     subsection with agencies, the Director, and the National 
     Cyber Director to--
       ``(i) improve the understanding of cybersecurity risk of 
     agencies; and
       ``(ii) support the cybersecurity improvement efforts of 
     agencies.
       ``(B) Format.--In carrying out subparagraph (A), the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency shall share the analyses--
       ``(i) in human-readable written products; and
       ``(ii) to the greatest extent practicable, in machine-
     readable formats in order to enable automated intake and use 
     by agencies.
       ``(C) Exemption.--This subsection shall not apply to 
     incidents that occur exclusively on national security 
     systems.
       ``(b) Annual Report on Federal Incidents.--Not later than 2 
     years after the date of enactment of this section, and not 
     less frequently than annually thereafter, the Director of the 
     Cybersecurity and Infrastructure Security Agency, in 
     consultation with the Director, the National Cyber Director 
     and the heads of other agencies, as appropriate, shall submit 
     to the appropriate reporting entities a report that 
     includes--
       ``(1) a summary of causes of incidents from across the 
     Federal Government that categorizes those incidents as 
     incidents or major incidents;
       ``(2) the quantitative and qualitative analyses of 
     incidents developed under subsection (a)(1) on an agency-by-
     agency basis and comprehensively across the Federal 
     Government, including--
       ``(A) a specific analysis of breaches; and
       ``(B) an analysis of the Federal Government's performance 
     against the metrics established under section 224(c) of the 
     Cybersecurity Act of 2015 (6 U.S.C. 1522(c)); and
       ``(3) an annex for each agency that includes--
       ``(A) a description of each major incident;
       ``(B) the total number of incidents of the agency; and
       ``(C) an analysis of the agency's performance against the 
     metrics established under section 224(c) of the Cybersecurity 
     Act of 2015 (6 U.S.C. 1522(c)).
       ``(c) Publication.--
       ``(1) In general.--The Director of the Cybersecurity and 
     Infrastructure Security Agency shall make a version of each 
     report submitted under subsection (b) publicly available on 
     the website of the Cybersecurity and Infrastructure Security 
     Agency during the year during which the report is submitted.
       ``(2) Exemption.--The publication requirement under 
     paragraph (1) shall not apply to a portion of a report that 
     contains content that should be protected in the interest of 
     national security, as determined by the Director, the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, or the National Cyber Director.
       ``(3) Limitation on exemption.--The exemption under 
     paragraph (2) shall not apply to any version of a report 
     submitted to the appropriate reporting entities under 
     subsection (b).
       ``(4) Requirement for compiling information.--
       ``(A) Compilation.--Subject to subparagraph (B), in making 
     a report publicly available under paragraph (1), the Director 
     of the Cybersecurity and Infrastructure Security Agency shall 
     sufficiently compile information so that no specific incident 
     of an agency can be identified.
       ``(B) Exception.--The Director of the Cybersecurity and 
     Infrastructure Security Agency may include information that 
     enables a specific incident of an agency to be identified in 
     a publicly available report--
       ``(i) with the concurrence of the Director and the National 
     Cyber Director;
       ``(ii) in consultation with the impacted agency; and
       ``(iii) in consultation with the inspector general of the 
     impacted agency.
       ``(d) Information Provided by Agencies.--
       ``(1) In general.--The analysis required under subsection 
     (a) and each report submitted under subsection (b) shall use 
     information provided by agencies under section 3594(a).
       ``(2) Noncompliance reports.--During any year during which 
     the head of an agency does not provide data for an incident 
     to the Cybersecurity and Infrastructure Security Agency in 
     accordance with section 3594(a), the head of the agency, in 
     coordination with 
     the Director of the Cybersecurity and Infrastructure Security 
     Agency and the Director, shall submit to the appropriate 
     reporting entities a report that includes the information 
     described in subsection (b) with respect to the agency.
       ``(e) National Security System Reports.--
       ``(1) In general.--Notwithstanding any other provision of 
     this section, the Secretary of Defense, in consultation with 
     the Director, the National Cyber Director, the Director of 
     National Intelligence, and the Director of Cybersecurity and 
     Infrastructure Security shall annually submit a report that 
     includes the information described in subsection (b) with 
     respect to national security systems, to the extent that the 
     submission is consistent with standards and guidelines for 
     national security systems issued in accordance with law and 
     as directed by the President, to--
       ``(A) the majority and minority leaders of the Senate;
       ``(B) the Speaker and minority leader of the House of 
     Representatives;
       ``(C) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(D) the Select Committee on Intelligence of the Senate;
       ``(E) the Committee on Armed Services of the Senate;
       ``(F) the Committee on Appropriations of the Senate;
       ``(G) the Committee on Oversight and Accountability of the 
     House of Representatives;
       ``(H) the Committee on Homeland Security of the House of 
     Representatives;
       ``(I) the Permanent Select Committee on Intelligence of the 
     House of Representatives;
       ``(J) the Committee on Armed Services of the House of 
     Representatives; and
       ``(K) the Committee on Appropriations of the House of 
     Representatives.
       ``(2) Classified form.--A report required under paragraph 
     (1) may be submitted in a classified form.

     ``Sec. 3598. Major incident definition

       ``(a) In General.--Not later than 1 year after the later of 
     the date of enactment of the Federal Information Security 
     Modernization Act of 2023 and the most recent publication by 
     the Director of guidance to agencies regarding major 
     incidents as of the date of enactment of the Federal 
     Information Security Modernization Act of 2023, the Director 
     shall develop, in coordination with the National Cyber 
     Director, and promulgate guidance on the definition of the 
     term `major incident' for the purposes of subchapter II and 
     this subchapter.
       ``(b) Requirements.--With respect to the guidance issued 
     under subsection (a), the definition of the term `major 
     incident' shall--
       ``(1) include, with respect to any information collected or 
     maintained by or on behalf of an agency or a Federal 
     information system--
       ``(A) any incident the head of the agency determines is 
     likely to result in demonstrable harm to--
       ``(i) the national security interests, foreign relations, 
     homeland security, or economic security of the United States; 
     or
       ``(ii) the civil liberties, public confidence, privacy, or 
     public health and safety of the people of the United States;
       ``(B) any incident the head of the agency determines likely 
     to result in an inability or substantial disruption for the 
     agency, a component of the agency, or the Federal Government, 
     to provide 1 or more critical services;
       ``(C) any incident the head of the agency determines 
     substantially disrupts or substantially degrades the 
     operations of a high value asset owned or operated by the 
     agency;
       ``(D) any incident involving the exposure to a foreign 
     entity of sensitive agency information, such as the 
     communications of the head of the agency, the head of a 
     component of the agency, or the direct reports of the head of 
     the agency or the head of a component of the agency; and
       ``(E) any other type of incident determined appropriate by 
     the Director;
       ``(2) stipulate that the National Cyber Director, in 
     consultation with the Director and the Director of the 
     Cybersecurity and Infrastructure Security Agency, may declare 
     a major incident at any agency, and such a declaration shall 
     be considered if it is determined that an incident--
       ``(A) occurs at not less than 2 agencies; and
       ``(B) is enabled by--
       ``(i) a common technical root cause, such as a supply chain 
     compromise, or a common software or hardware vulnerability; 
     or
       ``(ii) the related activities of a common threat actor;
       ``(3) stipulate that, in determining whether an incident 
     constitutes a major incident under the standards described in 
     paragraph (1), the head of the agency shall consult with the 
     National Cyber Director; and
       ``(4) stipulate that the mere report of a vulnerability 
     discovered or disclosed without a loss of confidentiality, 
     integrity, or availability shall not on its own constitute a 
     major incident.
       ``(c) Evaluation and Updates.--Not later than 60 days after 
     the date on which the Director first promulgates the guidance 
     required under subsection (a), and not less frequently than 
     once during the first 90 days of each evenly numbered 
     Congress thereafter, the Director shall provide to the 
     Committee on Homeland Security and Governmental Affairs of 
     the Senate and the Committees on Oversight and Accountability 
     and Homeland Security of the House of Representatives a 
     briefing that includes--
       ``(1) an evaluation of any necessary updates to the 
     guidance;
       ``(2) an evaluation of any necessary updates to the 
     definition of the term `major incident' included in the 
     guidance; and
       ``(3) an explanation of, and the analysis that led to, the 
     definition described in paragraph (2).''.
       (2) Clerical amendment.--The table of sections for chapter 
     35 of title 44, United States Code, is amended by adding at 
     the end the following:

            ``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE

``3591. Definitions.
``3592. Notification of breach.
``3593. Congressional and Executive Branch reports.
``3594. Government information sharing and incident response.
``3595. Responsibilities of contractors and awardees.
``3596. Training.
``3597. Analysis and report on Federal incidents.
``3598. Major incident definition.''.

     SEC. 6004. AMENDMENTS TO SUBTITLE III OF TITLE 40.

       (a) Modernizing Government Technology.--Subtitle G of title 
     X of division A of the National Defense Authorization Act for 
     Fiscal Year 2018 (40 U.S.C. 11301 note) is amended in section 
     1078--
       (1) by striking subsection (a) and inserting the following:
       ``(a) Definitions.--In this section:
       ``(1) Agency.--The term `agency' has the meaning given the 
     term in section 551 of title 5, United States Code.
       ``(2) High value asset.--The term `high value asset' has 
     the meaning given the term in section 3552 of title 44, 
     United States Code.'';
       (2) in subsection (b), by adding at the end the following:
       ``(8) Proposal evaluation.--The Director shall--
       ``(A) give consideration for the use of amounts in the Fund 
     to improve the security of high value assets; and
       ``(B) require that any proposal for the use of amounts in 
     the Fund includes, as appropriate--
       ``(i) a cybersecurity risk management plan; and
       ``(ii) a supply chain risk assessment in accordance with 
     section 1326 of title 41.''; and
       (3) in subsection (c)--
       (A) in paragraph (2)(A)(i), by inserting ``, including a 
     consideration of the impact on high value assets'' after 
     ``operational risks'';
       (B) in paragraph (5)--
       (i) in subparagraph (A), by striking ``and'' at the end;
       (ii) in subparagraph (B), by striking the period at the end 
     and inserting ``and''; and
       (iii) by adding at the end the following:
       ``(C) a senior official from the Cybersecurity and 
     Infrastructure Security Agency of the Department of Homeland 
     Security, appointed by the Director.''; and
       (C) in paragraph (6)(A), by striking ``shall be--'' and all 
     that follows through ``4 employees'' and inserting ``shall be 
     4 employees''.
       (b) Subchapter I.--Subchapter I of chapter 113 of subtitle 
     III of title 40, United States Code, is amended--
       (1) in section 11302--
       (A) in subsection (b), by striking ``use, security, and 
     disposal of'' and inserting ``use, and disposal of, and, in 
     consultation with the Director of the Cybersecurity and 
     Infrastructure Security Agency and the National Cyber 
     Director, promote and improve the security of,''; and
       (B) in subsection (h), by inserting ``, including 
     cybersecurity performances,'' after ``the performances''; and
       (2) in section 11303(b)(2)(B)--
       (A) in clause (i), by striking ``or'' at the end;
       (B) in clause (ii), by adding ``or'' at the end; and
       (C) by adding at the end the following:
       ``(iii) whether the function should be performed by a 
     shared service offered by another executive agency;''.
       (c) Subchapter II.--Subchapter II of chapter 113 of 
     subtitle III of title 40, United States Code, is amended--
       (1) in section 11312(a), by inserting ``, including 
     security risks'' after ``managing the risks'';
       (2) in section 11313(1), by striking ``efficiency and 
     effectiveness'' and inserting ``efficiency, security, and 
     effectiveness'';
       (3) in section 11317, by inserting ``security,'' before 
     ``or schedule''; and
       (4) in section 11319(b)(1), in the paragraph heading, by 
     striking ``CIOS'' and inserting ``Chief information 
     officers''.

     SEC. 6005. ACTIONS TO ENHANCE FEDERAL INCIDENT TRANSPARENCY.

       (a) Responsibilities of the Cybersecurity and 
     Infrastructure Security Agency.--
       (1) In general.--Not later than 180 days after the date of 
     enactment of this Act, the Director of the Cybersecurity and 
     Infrastructure Security Agency shall--
       (A) develop a plan for the development of the analysis 
     required under section 3597(a) of title 44, United States 
     Code, as added by this subtitle, and the report required 
     under subsection (b) of that section that includes--
       (i) a description of any challenges the Director of the 
     Cybersecurity and Infrastructure Security Agency anticipates 
     encountering; and
       (ii) the use of automation and machine-readable formats for 
     collecting, compiling, monitoring, and analyzing data; and
       (B) provide to the appropriate congressional committees a 
     briefing on the plan developed under subparagraph (A).
       (2) Briefing.--Not later than 1 year after the date of 
     enactment of this Act, the Director of the Cybersecurity and 
     Infrastructure Security Agency shall provide to the 
     appropriate congressional committees a briefing on--
       (A) the execution of the plan required under paragraph 
     (1)(A); and
       (B) the development of the report required under section 
     3597(b) of title 44, United States Code, as added by this 
     subtitle.
       (b) Responsibilities of the Director of the Office of 
     Management and Budget.--
       (1) Updating FISMA 2014.--Section 2 of the Federal 
     Information Security Modernization Act of 2014 (Public Law 
     113-283; 128 Stat. 3073) is amended--
       (A) by striking subsections (b) and (d); and
       (B) by redesignating subsections (c), (e), and (f) as 
     subsections (b), (c), and (d), respectively.
       (2) Incident data sharing.--
       (A) In general.--The Director, in coordination with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, shall develop, and as appropriate update, guidance 
     on the content, timeliness, and format of the information 
     provided by agencies under section 3594(a) of title 44, 
     United States Code, as added by this subtitle.
       (B) Requirements.--The guidance developed under 
     subparagraph (A) shall--
       (i) enable the efficient development of--

       (I) lessons learned and recommendations in responding to, 
     recovering from, remediating, and mitigating future 
     incidents; and
       (II) the report on Federal incidents required under section 
     3597(b) of title 44, United States Code, as added by this 
     subtitle; and

       (ii) include requirements for the timeliness of data 
     production.
       (C) Automation.--The Director, in coordination with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, shall promote, as feasible, the use of automation and 
     machine-readable data for data sharing under section 3594(a) 
     of title 44, United States Code, as added by this subtitle.
       (3) Contractor and awardee guidance.--
       (A) In general.--Not later than 1 year after the date of 
     enactment of this subtitle, the Director shall issue guidance 
     to agencies on how to deconflict, to the greatest extent 
     practicable, existing regulations, policies, and procedures 
     relating to the responsibilities of contractors and awardees 
     established under section 3595 of title 44, United States 
     Code, as added by this subtitle.
       (B) Existing processes.--To the greatest extent 
     practicable, the guidance issued under subparagraph (A) shall 
     allow contractors and awardees to use existing processes for 
     notifying agencies of incidents involving information of the 
     Federal Government.
       (c) Update to the Privacy Act of 1974.--Section 552a(b) of 
     title 5, United States Code (commonly known as the ``Privacy 
     Act of 1974'') is amended--
       (1) in paragraph (11), by striking ``or'' at the end;
       (2) in paragraph (12), by striking the period at the end 
     and inserting ``; or''; and
       (3) by adding at the end the following:
       ``(13) to another agency, to the extent necessary, to 
     assist the recipient agency in responding to an incident (as 
     defined in section 3552 of title 44) or breach (as defined in 
     section 3591 of title 44) or to fulfill the information 
     sharing requirements under section 3594 of title 44.''.

     SEC. 6006. ADDITIONAL GUIDANCE TO AGENCIES ON FISMA UPDATES.

       (a) In General.--Not later than 1 year after the date of 
     enactment of this Act, the Director shall issue guidance for 
     agencies on--
       (1) performing the ongoing and continuous agency system 
     risk assessment required under section 3554(a)(1)(A) of title 
     44, United States Code, as amended by this subtitle; and
       (2) establishing a process for securely providing the 
     status of each remedial action for high value assets under 
     section 3554(b)(7) of title 44, United States Code, as 
     amended by this Act, to the Director and the Director of the 
     Cybersecurity and Infrastructure Security Agency using 
     automation and machine-readable data, as practicable, which 
     shall include--
       (A) specific guidance for the use of automation and 
     machine-readable data; and
       (B) templates for providing the status of the remedial 
     action.
       (b) Coordination.--The head of each agency shall coordinate 
     with the inspector general of the agency, as applicable, to 
     ensure consistent understanding of agency policies for the 
     purpose of evaluations conducted by the inspector general.

     SEC. 6007. AGENCY REQUIREMENTS TO NOTIFY PRIVATE SECTOR 
                   ENTITIES IMPACTED BY INCIDENTS.

       (a) Definitions.--In this section:
       (1) Reporting entity.--The term ``reporting entity'' means 
     a private organization or governmental unit that is required by 
     statute or regulation to submit sensitive information to an 
     agency.
       (2) Sensitive information.--The term ``sensitive 
     information'' has the meaning given the term by the Director 
     in guidance issued under subsection (b).
       (b) Guidance on Notification of Reporting Entities.--Not 
     later than 1 year after the date of enactment of this 
     subtitle, the Director shall develop, in consultation with 
     the National Cyber Director, and issue guidance requiring the 
     head of each agency to notify a reporting entity, and take 
     into consideration the need to coordinate with Sector Risk 
     Management Agencies (as defined in section 2200 of the 
     Homeland Security Act of 2002 (6 U.S.C. 650)), as 
     appropriate, of an incident at the agency that is likely to 
     substantially affect--
       (1) the confidentiality or integrity of sensitive 
     information submitted by the reporting entity to the agency 
     pursuant to a statutory or regulatory requirement; or
       (2) any information system (as defined in section 3502 of 
     title 44, United States Code) used in the transmission or 
     storage of the sensitive information described in paragraph 
     (1).

     SEC. 6008. MOBILE SECURITY BRIEFINGS.

       (a) In General.--Not later than 180 days after the date of 
     enactment of this subtitle, the Director shall provide to the 
     appropriate congressional committees--
       (1) a briefing on the compliance of agencies with the No 
     TikTok on Government Devices Act (44 U.S.C. 3553 note; Public 
     Law 117-328); and
       (2) as a component of the briefing required under paragraph 
     (1), a list of each exception of an agency from the No TikTok 
     on Government Devices Act (44 U.S.C. 3553 note; Public Law 
     117-328), which may include a classified annex.
       (b) Additional Briefing.--Not later than 1 year after the 
     date of the briefing required under subsection (a)(1), the 
     Director shall provide to the appropriate congressional 
     committees--
       (1) a briefing on the compliance of any agency that was not 
     compliant with the No TikTok on Government Devices Act (44 
     U.S.C. 3553 note; Public Law 117-328) at the time of the 
     briefing required under subsection (a)(1); and
       (2) as a component of the briefing required under paragraph 
     (1), an update to the list required under subsection (a)(2).

     SEC. 6009. DATA AND LOGGING RETENTION FOR INCIDENT RESPONSE.

       (a) Guidance.--Not later than 2 years after the date of 
     enactment of this subtitle the Director, in consultation with 
     the National Cyber Director and the Director of the 
     Cybersecurity and Infrastructure Security Agency, shall 
     update guidance to agencies regarding requirements for 
     logging, log retention, log management, sharing of log data 
     with other appropriate agencies, or any other logging 
     activity determined to be appropriate by the Director.
       (b) National Security Systems.--The Secretary of Defense 
     shall issue guidance that meets or exceeds the standards 
     required in guidance issued under subsection (a) for National 
     Security Systems.

     SEC. 6010. CISA AGENCY LIAISONS.

       (a) In General.--Not later than 120 days after the date of 
     enactment of this subtitle, the Director of the Cybersecurity 
     and Infrastructure Security Agency shall assign not less than 
     1 cybersecurity professional employed by the Cybersecurity 
     and Infrastructure Security Agency to be the Cybersecurity 
     and Infrastructure Security Agency liaison to the Chief 
     Information Security Officer of each agency.
       (b) Qualifications.--Each liaison assigned under subsection 
     (a) shall have knowledge of--
       (1) cybersecurity threats facing agencies, including any 
     specific threats to the assigned agency;
       (2) risk assessments of agency systems; and
       (3) other Federal cybersecurity initiatives.
       (c) Duties.--The duties of each liaison assigned under 
     subsection (a) shall include--
       (1) providing, as requested, assistance and advice to the 
     agency Chief Information Security Officer;
       (2) supporting, as requested, incident response 
     coordination between the assigned agency and the 
     Cybersecurity and Infrastructure Security Agency;
       (3) becoming familiar with assigned agency systems, 
     processes, and procedures to better facilitate support to the 
     agency; and
       (4) other liaison duties to the assigned agency solely in 
     furtherance of Federal cybersecurity or support to the 
     assigned agency as a Sector Risk Management Agency, as 
     assigned by the Director of the Cybersecurity and 
     Infrastructure Security Agency in consultation with the head 
     of the assigned agency.
       (d) Limitation.--A liaison assigned under subsection (a) 
     shall not be a contractor.
       (e) Multiple Assignments.--One individual liaison may be 
     assigned to multiple agency Chief Information Security 
     Officers under subsection (a).
       (f) Coordination of Activities.--The Director of the 
     Cybersecurity and Infrastructure Security Agency shall 
     consult with the Director on the execution of the duties of 
     the Cybersecurity and Infrastructure Security Agency liaisons 
     to ensure that there is no inappropriate duplication of 
     activities among--
       (1) Federal cybersecurity support to agencies of the Office 
     of Management and Budget; and
       (2) the Cybersecurity and Infrastructure Security Agency 
     liaison.
       (g) Rule of Construction.--Nothing in this section shall be 
     construed to impact the ability of the Director to support 
     agency implementation of Federal cybersecurity requirements 
     pursuant to subchapter II of

[[Page S2815]]

     chapter 35 of title 44, United States Code, as amended by 
     this Act.

     SEC. 6011. FEDERAL PENETRATION TESTING POLICY.

       (a) In General.--Subchapter II of chapter 35 of title 44, 
     United States Code, is amended by adding at the end the 
     following:

     ``Sec. 3559A. Federal penetration testing

       ``(a) Guidance.--The Director, in consultation with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, shall issue guidance to agencies that--
       ``(1) requires agencies to perform penetration testing on 
     information systems, as appropriate, including on high value 
     assets;
       ``(2) provides policies governing the development of--
       ``(A) rules of engagement for using penetration testing; 
     and
       ``(B) procedures to use the results of penetration testing 
     to improve the cybersecurity and risk management of the 
     agency;
       ``(3) ensures that operational support or a shared service 
     is available; and
       ``(4) in no manner restricts the authority of the Secretary 
     of Homeland Security or the Director of the Cybersecurity and 
     Infrastructure Agency to conduct threat hunting pursuant to 
     section 3553 of title 44, United States Code, or penetration 
     testing under this chapter.
       ``(b) Exception for National Security Systems.--The 
     guidance issued under subsection (a) shall not apply to 
     national security systems.
       ``(c) Delegation of Authority for Certain Systems.--The 
     authorities of the Director described in subsection (a) shall 
     be delegated to--
       ``(1) the Secretary of Defense in the case of a system 
     described in section 3553(e)(2); and
       ``(2) the Director of National Intelligence in the case of 
     a system described in section 3553(e)(3).''.
       (b) Existing Guidance.--
       (1) In general.--Compliance with guidance issued by the 
     Director relating to penetration testing before the date of 
     enactment of this subtitle shall be deemed to be compliance 
     with section 3559A of title 44, United States Code, as added 
     by this Act.
       (2) Immediate new guidance not required.--Nothing in 
     section 3559A of title 44, United States Code, as added by 
     this subtitle, shall be construed to require the Director to 
     issue new guidance to agencies relating to penetration 
     testing before the date described in paragraph (3).
       (3) Guidance updates.--Notwithstanding paragraphs (1) and 
     (2), not later than 2 years after the date of enactment of 
     this Act, the Director shall review and, as appropriate, 
     update existing guidance requiring penetration testing by 
     agencies.
       (c) Clerical Amendment.--The table of sections for chapter 
     35 of title 44, United States Code, is amended by adding 
     after the item relating to section 3559 the following:

``3559A. Federal penetration testing.''.
       (d) Penetration Testing by the Secretary of Homeland 
     Security.--Section 3553(b) of title 44, United States Code, 
     as amended by this subtitle, is further amended by inserting 
     after paragraph (8) the following:
       ``(9) performing penetration testing that may leverage 
     manual expert analysis to identify threats and 
     vulnerabilities within information systems--
       ``(A) without consent or authorization from agencies; and
       ``(B) with prior notification to the head of the agency;''.

     SEC. 6012. VULNERABILITY DISCLOSURE POLICIES.

       (a) In General.--Chapter 35 of title 44, United States 
     Code, is amended by inserting after section 3559A, as added 
     by this subtitle, the following:

     ``Sec. 3559B. Federal vulnerability disclosure policies

       ``(a) Purpose; Sense of Congress.--
       ``(1) Purpose.--The purpose of Federal vulnerability 
     disclosure policies is to create a mechanism to enable the 
     public to inform agencies of vulnerabilities in Federal 
     information systems.
       ``(2) Sense of congress.--It is the sense of Congress that, 
     in implementing the requirements of this section, the Federal 
     Government should take appropriate steps to reduce real and 
     perceived burdens in communications between agencies and 
     security researchers.
       ``(b) Definitions.--In this section:
       ``(1) Contractor.--The term `contractor' has the meaning 
     given the term in section 3591.
       ``(2) Internet of things.--The term `internet of things' 
     has the meaning given the term in Special Publication 800-213 
     of the National Institute of Standards and Technology, 
     entitled `IoT Device Cybersecurity Guidance for the Federal 
     Government: Establishing IoT Device Cybersecurity 
     Requirements', or any successor document.
       ``(3) Security vulnerability.--The term `security 
     vulnerability' has the meaning given the term in section 102 
     of the Cybersecurity Information Sharing Act of 2015 (6 
     U.S.C. 1501).
       ``(4) Submitter.--The term `submitter' means an individual 
     that submits a vulnerability disclosure report pursuant to 
     the vulnerability disclosure process of an agency.
       ``(5) Vulnerability disclosure report.--The term 
     `vulnerability disclosure report' means a disclosure of a 
     security vulnerability made to an agency by a submitter.
       ``(c) Guidance.--The Director shall issue guidance to 
     agencies that includes--
       ``(1) use of the information system security 
     vulnerabilities disclosure process guidelines established 
     under section 4(a)(1) of the IoT Cybersecurity Improvement 
     Act of 2020 (15 U.S.C. 278g-3b(a)(1));
       ``(2) direction to not recommend or pursue legal action 
     against a submitter or an individual that conducts a security 
     research activity that--
       ``(A) represents a good faith effort to identify and report 
     security vulnerabilities in information systems; or
       ``(B) otherwise represents a good faith effort to follow 
     the vulnerability disclosure policy of the agency developed 
     under subsection (f)(2);
       ``(3) direction on sharing relevant information in a 
     consistent, automated, and machine readable manner with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency;
       ``(4) the minimum scope of agency systems required to be 
     covered by the vulnerability disclosure policy of an agency 
     required under subsection (f)(2), including exemptions under 
     subsection (g);
       ``(5) requirements for providing information to the 
     submitter of a vulnerability disclosure report on the 
     resolution of the vulnerability disclosure report;
       ``(6) a stipulation that the mere identification by a 
     submitter of a security vulnerability, without a significant 
     compromise of confidentiality, integrity, or availability, 
     does not constitute a major incident; and
       ``(7) the applicability of the guidance to Internet of 
     things devices owned or controlled by an agency.
       ``(d) Consultation.--In developing the guidance required 
     under subsection (c)(3), the Director shall consult with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency.
       ``(e) Responsibilities of CISA.--The Director of the 
     Cybersecurity and Infrastructure Security Agency shall--
       ``(1) provide support to agencies with respect to the 
     implementation of the requirements of this section;
       ``(2) develop tools, processes, and other mechanisms 
     determined appropriate to offer agencies capabilities to 
     implement the requirements of this section;
       ``(3) upon a request by an agency, assist the agency in the 
     disclosure to vendors of newly identified security 
     vulnerabilities in vendor products and services; and
       ``(4) as appropriate, implement the requirements of this 
     section, in accordance with the authority under section 
     3553(b)(8), as a shared service available to agencies.
       ``(f) Responsibilities of Agencies.--
       ``(1) Public information.--The head of each agency shall 
     make publicly available, with respect to each internet domain 
     under the control of the agency that is not a national 
     security system and to the extent consistent with the 
     security of information systems but with the presumption of 
     disclosure--
       ``(A) an appropriate security contact; and
       ``(B) the component of the agency that is responsible for 
     the internet accessible services offered at the domain.
       ``(2) Vulnerability disclosure policy.--The head of each 
     agency shall develop and make publicly available a 
     vulnerability disclosure policy for the agency, which shall--
       ``(A) describe--
       ``(i) the scope of the systems of the agency included in 
     the vulnerability disclosure policy, including for Internet 
     of things devices owned or controlled by the agency;
       ``(ii) the type of information system testing that is 
     authorized by the agency;
       ``(iii) the type of information system testing that is not 
     authorized by the agency;
       ``(iv) the disclosure policy for a contractor; and
       ``(v) the disclosure policy of the agency for sensitive 
     information;
       ``(B) with respect to a vulnerability disclosure report to 
     an agency, describe--
       ``(i) how the submitter should submit the vulnerability 
     disclosure report; and
       ``(ii) if the report is not anonymous, when the reporter 
     should anticipate an acknowledgment of receipt of the report 
     by the agency;
       ``(C) include any other relevant information; and
       ``(D) be mature in scope and cover every internet 
     accessible information system used or operated by that agency 
     or on behalf of that agency.
       ``(3) Identified security vulnerabilities.--The head of 
     each agency shall--
       ``(A) consider security vulnerabilities reported in 
     accordance with paragraph (2);
       ``(B) commensurate with the risk posed by the security 
     vulnerability, address such security vulnerability using the 
     security vulnerability management process of the agency; and
       ``(C) in accordance with subsection (c)(5), provide 
     information to the submitter of a vulnerability disclosure 
     report.
       ``(g) Exemptions.--
       ``(1) In general.--The Director and the head of each agency 
     shall carry out this section in a manner consistent with the 
     protection of national security information.
       ``(2) Limitation.--The Director and the head of each agency 
     may not publish under subsection (f)(1) or include in a 
     vulnerability disclosure policy under subsection (f)(2) host 
     names, services, information systems, or other information 
     that the Director or the head of an agency, in coordination 
     with the

[[Page S2816]]

     Director and other appropriate heads of agencies, determines 
     would--
       ``(A) disrupt a law enforcement investigation;
       ``(B) endanger national security or intelligence 
     activities; or
       ``(C) impede national defense activities or military 
     operations.
       ``(3) National security systems.--This section shall not 
     apply to national security systems.
       ``(h) Delegation of Authority for Certain Systems.--The 
     authorities of the Director and the Director of the 
     Cybersecurity and Infrastructure Security Agency described in 
     this section shall be delegated--
       ``(1) to the Secretary of Defense in the case of systems 
     described in section 3553(e)(2); and
       ``(2) to the Director of National Intelligence in the case 
     of systems described in section 3553(e)(3).
       ``(i) Revision of Federal Acquisition Regulation.--The 
     Federal Acquisition Regulation shall be revised as necessary 
     to implement the provisions under this section.''.
       (b) Clerical Amendment.--The table of sections for chapter 
     35 of title 44, United States Code, is amended by adding 
     after the item relating to section 3559A, as added by this 
     subtitle, the following:

``3559B. Federal vulnerability disclosure policies.''.
       (c) Conforming Update and Repeal.--
       (1) Guidelines on the disclosure process for security 
     vulnerabilities relating to information systems, including 
     internet of things devices.--Section 5 of the IoT 
     Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3c) is 
     amended by striking subsections (d) and (e).
       (2) Implementation and contractor compliance.--The IoT 
     Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3a et 
     seq.) is amended--
       (A) by striking section 6 (15 U.S.C. 278g-3d); and
       (B) by striking section 7 (15 U.S.C. 278g-3e).

     SEC. 6013. IMPLEMENTING ZERO TRUST ARCHITECTURE.

       (a) Briefings.--Not later than 1 year after the date of 
     enactment of this Act, the Director shall provide to the 
     Committee on Homeland Security and Governmental Affairs of 
     the Senate and the Committees on Oversight and Accountability 
     and Homeland Security of the House of Representatives a 
     briefing on progress in increasing the internal defenses of 
     agency systems, including--
       (1) shifting away from trusted networks to implement 
     security controls based on a presumption of compromise, 
     including through the transition to zero trust architecture;
       (2) implementing principles of least privilege in 
     administering information security programs;
       (3) limiting the ability of entities that cause incidents 
     to move laterally through or between agency systems;
       (4) identifying incidents quickly;
       (5) isolating and removing unauthorized entities from 
     agency systems as quickly as practicable, accounting for 
     intelligence or law enforcement purposes; and
       (6) otherwise increasing the resource costs for entities 
     that cause incidents to be successful.
       (b) Progress Report.--As a part of each report required to 
     be submitted under section 3553(c) of title 44, United States 
     Code, during the period beginning on the date that is 4 years 
     after the date of enactment of this Act and ending on the 
     date that is 10 years after the date of enactment of this 
     Act, the Director shall include an update on agency 
     implementation of zero trust architecture, which shall 
     include--
       (1) a description of steps agencies have completed, 
     including progress toward achieving any requirements issued 
     by the Director, including the adoption of any models or 
     reference architecture;
       (2) an identification of activities that have not yet been 
     completed and that would have the most immediate security 
     impact; and
       (3) a schedule to implement any planned activities.
       (c) Classified Annex.--Each update required under 
     subsection (b) may include 1 or more annexes that contain 
     classified or other sensitive information, as appropriate.
       (d) National Security Systems.--
       (1) Briefing.--Not later than 1 year after the date of 
     enactment of this Act, the Secretary of Defense shall provide 
     to the Committee on Homeland Security and Governmental 
     Affairs of the Senate, the Committee on Oversight and 
     Accountability of the House of Representatives, the Committee 
     on Armed Services of the Senate, the Committee on Armed 
     Services of the House of Representatives, the Select 
     Committee on Intelligence of the Senate, and the Permanent 
     Select Committee on Intelligence of the House of 
     Representatives a briefing on the implementation of zero 
     trust architecture with respect to national security systems.
       (2) Progress report.--Not later than the date on which each 
     update is required to be submitted under subsection (b), the 
     Secretary of Defense shall submit to the congressional 
     committees described in paragraph (1) a progress report on 
     the implementation of zero trust architecture with respect to 
     national security systems.

     SEC. 6014. AUTOMATION AND ARTIFICIAL INTELLIGENCE.

       (a) Definition.--In this section, the term ``information 
     system'' has the meaning given the term in section 3502 of 
     title 44, United States Code.
       (b) Use of Artificial Intelligence.--
       (1) In general.--As appropriate, the Director shall issue 
     guidance on the use of artificial intelligence by agencies to 
     improve the cybersecurity of information systems.
       (2) Considerations.--The Director and head of each agency 
     shall consider the use and capabilities of artificial 
     intelligence systems wherever automation is used in 
     furtherance of the cybersecurity of information systems.
       (3) Report.--Not later than 1 year after the date of 
     enactment of this Act, and annually thereafter until the date 
     that is 5 years after the date of enactment of this Act, the 
     Director shall submit to the appropriate congressional 
     committees a report on the use of artificial intelligence to 
     further the cybersecurity of information systems.
       (c) Comptroller General Reports.--
       (1) In general.--Not later than 2 years after the date of 
     enactment of this Act, the Comptroller General of the United 
     States shall submit to the appropriate congressional 
     committees a report on the risks to the privacy of 
     individuals and the cybersecurity of information systems 
     associated with the use by Federal agencies of artificial 
     intelligence systems or capabilities.
       (2) Study.--Not later than 2 years after the date of 
     enactment of this Act, the Comptroller General of the United 
     States shall perform a study, and submit to the Committees on 
     Homeland Security and Governmental Affairs and Commerce, 
     Science, and Transportation of the Senate and the Committees 
     on Oversight and Accountability, Homeland Security, and 
     Science, Space, and Technology of the House of 
     Representatives a report, on the use of automation, including 
     artificial intelligence, and machine-readable data across the 
     Federal Government for cybersecurity purposes, including the 
     automated updating of cybersecurity tools, sensors, or 
     processes employed by agencies under paragraphs (1), (5)(C), 
     and (8)(B) of section 3554(b) of title 44, United States 
     Code, as amended by this subtitle.

     SEC. 6015. EXTENSION OF CHIEF DATA OFFICER COUNCIL.

       Section 3520A(e)(2) of title 44, United States Code, is 
     amended by striking ``upon the expiration of the 2-year 
     period that begins on the date the Comptroller General 
     submits the report under paragraph (1) to Congress'' and 
     inserting ``December 31, 2031''.

     SEC. 6016. COUNCIL OF THE INSPECTORS GENERAL ON INTEGRITY AND 
                   EFFICIENCY DASHBOARD.

       (a) Dashboard Required.--Section 424(e) of title 5, United 
     States Code, is amended--
       (1) in paragraph (2)--
       (A) in subparagraph (A), by striking ``and'' at the end;
       (B) by redesignating subparagraph (B) as subparagraph (C);
       (C) by inserting after subparagraph (A) the following:
       ``(B) that shall include a dashboard of open information 
     security recommendations identified in the independent 
     evaluations required by section 3555(a) of title 44; and''; 
     and
       (2) by adding at the end the following:
       ``(5) Rule of construction.--Nothing in this subsection 
     shall be construed to require the publication of information 
     that is exempted from disclosure under section 552 of this 
     title.''.

     SEC. 6017. SECURITY OPERATIONS CENTER SHARED SERVICE.

       (a) Briefing.--Not later than 180 days after the date of 
     enactment of this Act, the Director of the Cybersecurity and 
     Infrastructure Security Agency shall provide to the Committee 
     on Homeland Security and Governmental Affairs of the Senate 
     and the Committee on Homeland Security and the Committee on 
     Oversight and Accountability of the House of Representatives 
     a briefing on--
       (1) existing security operations center shared services;
       (2) the capability for such shared service to offer 
     centralized and simultaneous support to multiple agencies;
       (3) the capability for such shared service to integrate 
     with or support agency threat hunting activities authorized 
     under section 3553 of title 44, United States Code, as 
     amended by this subtitle;
       (4) the capability for such shared service to integrate 
     with or support Federal vulnerability management activities; 
     and
       (5) future plans for expansion and maturation of such 
     shared service.
       (b) GAO Report.--Not less than 540 days after the date of 
     enactment of this Act, the Comptroller General of the United 
     States shall submit to the appropriate congressional 
     committees a report on Federal cybersecurity security 
     operations centers that--
       (1) identifies Federal agency best practices for efficiency 
     and effectiveness;
       (2) identifies non-Federal best practices used by large 
     entity operations centers and entities providing operation 
     centers as a service; and
       (3) includes recommendations for the Cybersecurity and 
     Infrastructure Security Agency and any other relevant agency 
     to improve the efficiency and effectiveness of security 
     operations centers shared service offerings.

     SEC. 6018. FEDERAL CYBERSECURITY REQUIREMENTS.

       (a) Codifying Federal Cybersecurity Requirements in Title 
     44.--
       (1) Amendment to federal cybersecurity enhancement act of 
     2015.--Section 225 of the Federal Cybersecurity Enhancement 
     Act of 2015 (6 U.S.C. 1523) is amended by striking 
     subsections (b) and (c).
       (2) Title 44.--Section 3554 of title 44, United States 
     Code, as amended by this subtitle, is further amended by 
     adding at the end the following:

[[Page S2817]]

       ``(f) Specific Cybersecurity Requirements at Agencies.--
       ``(1) In general.--Consistent with policies, standards, 
     guidelines, and directives on information security under this 
     subchapter, and except as provided under paragraph (3), the 
     head of each agency shall--
       ``(A) identify sensitive and mission critical data stored 
     by the agency consistent with the inventory required under 
     section 3505(c);
       ``(B) assess access controls to the data described in 
     subparagraph (A), the need for readily accessible storage of 
     the data, and the need of individuals to access the data;
       ``(C) encrypt or otherwise render indecipherable to 
     unauthorized users the data described in subparagraph (A) 
     that is stored on or transiting agency information systems;
       ``(D) implement a single sign-on trusted identity platform 
     for individuals accessing each public website of the agency 
     that requires user authentication, as developed by the 
     Administrator of General Services in collaboration with the 
     Secretary; and
       ``(E) implement identity management consistent with section 
     504 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 
     7464), including multi-factor authentication, for--
       ``(i) remote access to an information system; and
       ``(ii) each user account with elevated privileges on an 
     information system.
       ``(2) Prohibition.--
       ``(A) Definition.--In this paragraph, the term `Internet of 
     things' has the meaning given the term in section 3559B.
       ``(B) Prohibition.--Consistent with policies, standards, 
     guidelines, and directives on information security under this 
     subchapter, and except as provided under paragraph (3), the 
     head of an agency may not procure, obtain, renew a contract 
     to procure or obtain in any amount, notwithstanding section 
     1905 of title 41, United States Code, or use an Internet of 
     things device if the Chief Information Officer of the agency 
     determines during a review required under section 
     11319(b)(1)(C) of title 40 of a contract for an Internet of 
     things device that the use of the device prevents compliance 
     with the standards and guidelines developed under section 4 
     of the IoT Cybersecurity Improvement Act (15 U.S.C. 278g-3b) 
     with respect to the device.
       ``(3) Exception.--The requirements under paragraph (1) 
     shall not apply to an information system for which--
       ``(A) the head of the agency, without delegation, has 
     certified to the Director with particularity that--
       ``(i) operational requirements articulated in the 
     certification and related to the information system would 
     make it excessively burdensome to implement the cybersecurity 
     requirement;
       ``(ii) the cybersecurity requirement is not necessary to 
     secure the information system or agency information stored on 
     or transiting it; and
       ``(iii) the agency has taken all necessary steps to secure 
     the information system and agency information stored on or 
     transiting it; and
       ``(B) the head of the agency has submitted the 
     certification described in subparagraph (A) to the 
     appropriate congressional committees and the authorizing 
     committees of the agency.
       ``(4) Duration of certification.--
       ``(A) In general.--A certification and corresponding 
     exemption of an agency under paragraph (3) shall expire on 
     the date that is 4 years after the date on which the head of 
     the agency submits the certification under paragraph (3)(A).
       ``(B) Renewal.--Upon the expiration of a certification of 
     an agency under paragraph (3), the head of the agency may 
     submit an additional certification in accordance with that 
     paragraph.
       ``(5) Rules of construction.--Nothing in this subsection 
     shall be construed--
       ``(A) to alter the authority of the Secretary, the 
     Director, or the Director of the National Institute of 
     Standards and Technology in implementing subchapter II of 
     this title;
       ``(B) to affect the standards or process of the National 
     Institute of Standards and Technology;
       ``(C) to affect the requirement under section 3553(a)(4); 
     or
       ``(D) to discourage continued improvements and advancements 
     in the technology, standards, policies, and guidelines used 
     to promote Federal information security.
       ``(g) Exception.--
       ``(1) Requirements.--The requirements under subsection 
     (f)(1) shall not apply to--
       ``(A) the Department of Defense;
       ``(B) a national security system; or
       ``(C) an element of the intelligence community.
       ``(2) Prohibition.--The prohibition under subsection (f)(2) 
     shall not apply to--
       ``(A) Internet of things devices that are or comprise a 
     national security system;
       ``(B) national security systems; or
       ``(C) a procured Internet of things device described in 
     subsection (f)(2)(B) that the Chief Information Officer of an 
     agency determines is--
       ``(i) necessary for research purposes; or
       ``(ii) secured using alternative and effective methods 
     appropriate to the function of the Internet of things 
     device.''.
       (b) Report on Exemptions.--Section 3554(c)(1) of title 44, 
     United States Code, as amended by this subtitle, is further 
     amended--
       (1) in subparagraph (C), by striking ``and'' at the end;
       (2) in subparagraph (D), by striking the period at the end 
     and inserting ``; and''; and
       (3) by adding at the end the following:
       ``(E) with respect to any exemption from the requirements 
     of subsection (f)(3) that is effective on the date of 
     submission of the report, the number of information systems 
     that have received an exemption from those requirements.''.
       (c) Duration of Certification Effective Date.--Paragraph 
     (3) of section 3554(f) of title 44, United States Code, as 
     added by this subtitle, shall take effect on the date that is 
     1 year after the date of enactment of this Act.
       (d) Federal Cybersecurity Enhancement Act of 2015 Update.--
     Section 222(3)(B) of the Federal Cybersecurity Enhancement 
     Act of 2015 (6 U.S.C. 1521(3)(B)) is amended by inserting 
     ``and the Committee on Oversight and Accountability'' before 
     ``of the House of Representatives.''

     SEC. 6019. FEDERAL CHIEF INFORMATION SECURITY OFFICER.

       (a) Amendment.--Chapter 36 of title 44, United States Code, 
     is amended by adding at the end the following:

     ``Sec. 3617. Federal chief information security officer

       ``(a) Establishment.--There is established a Federal Chief 
     Information Security Officer, who shall serve in--
       ``(1) the Office of the Federal Chief Information Officer 
     of the Office of Management and Budget; and
       ``(2) the Office of the National Cyber Director.
       ``(b) Appointment.--The Federal Chief Information Security 
     Officer shall be appointed by the President.
       ``(c) OMB Duties.--The Federal Chief Information Security 
     Officer shall report to the Federal Chief Information Officer 
     and assist the Federal Chief Information Officer in carrying 
     out--
       ``(1) every function under this chapter;
       ``(2) every function assigned to the Director under title 
     II of the E-Government Act of 2002 (44 U.S.C. 3501 note; 
     Public Law 107-347);
       ``(3) other electronic government initiatives consistent 
     with other statutes; and
       ``(4) other Federal cybersecurity initiatives determined by 
     the Federal Chief Information Officer.
       ``(d) Additional Duties.--The Federal Chief Information 
     Security Officer shall--
       ``(1) support the Federal Chief Information Officer in 
     overseeing and implementing Federal cybersecurity under the 
     E-Government Act of 2002 (Public Law 107-347; 116 Stat. 2899) 
     and other relevant statutes in a manner consistent with law; 
     and
       ``(2) perform every function assigned to the Director under 
     sections 1321 through 1328 of title 41, United States Code.
       ``(e) Coordination With ONCD.--The Federal Chief 
     Information Security Officer shall support initiatives 
     determined by the Federal Chief Information Officer necessary 
     to coordinate with the Office of the National Cyber 
     Director.''.
       (b) National Cyber Director Duties.--Section 1752 of the 
     William M. (Mac) Thornberry National Defense Authorization 
     Act for Fiscal Year 2021 (6 U.S.C. 1500) is amended--
       (1) by redesignating subsection (g) as subsection (h); and
       (2) by inserting after subsection (f) the following:
       ``(g) Senior Federal Cybersecurity Officer.--The Federal 
     Chief Information Security Officer appointed by the President 
     under section 3617 of title 44, United States Code, shall be 
     a senior official within the Office and carry out duties 
     applicable to the protection of information technology (as 
     defined in section 11101 of title 40, United States Code), 
     including initiatives determined by the Director necessary to 
     coordinate with the Office of the Federal Chief Information 
     Officer.''.
       (c) Treatment of Incumbent.--The individual serving as the 
     Federal Chief Information Security Officer appointed by the 
     President as of the date of the enactment of this Act may 
     serve as the Federal Chief Information Security Officer under 
     section 3617 of title 44, United States Code, as added by 
     this subtitle, beginning on the date of enactment of this 
     Act, without need for a further or additional appointment 
     under such section.
       (d) Clerical Amendment.--The table of sections for chapter 
     36 of title 44, United States Code, is amended by adding at 
     the end the following:

``Sec. 3617. Federal chief information security officer''.

     SEC. 6020. RENAMING OFFICE OF THE FEDERAL CHIEF INFORMATION 
                   OFFICER.

       (a) Definitions.--
       (1) In general.--Section 3601 of title 44, United States 
     Code, is amended--
       (A) by striking paragraph (1); and
       (B) by redesignating paragraphs (2) through (8) as 
     paragraphs (1) through (7), respectively.
       (2) Conforming amendments.--
       (A) Title 10.--Section 2222(i)(6) of title 10, United 
     States Code, is amended by striking ``section 3601(4)'' and 
     inserting ``section 3601''.
       (B) National security act of 1947.--Section 506D(k)(1) of 
     the National Security Act of 1947 (50 U.S.C. 3100(k)(1)) is 
     amended by striking ``section 3601(4)'' and inserting 
     ``section 3601''.
       (b) Office of Electronic Government.--Section 3602 of title 
     44, United States Code, is amended--

[[Page S2818]]

       (1) in the heading, by striking ``office of electronic 
     government'' and inserting ``office of the federal chief 
     information officer'';
       (2) in subsection (a), by striking ``Office of Electronic 
     Government'' and inserting ``Office of the Federal Chief 
     Information Officer'';
       (3) in subsection (b), by striking ``an Administrator'' and 
     inserting ``a Federal Chief Information Officer'';
       (4) in subsection (c), in the matter preceding paragraph 
     (1), by striking ``The Administrator'' and inserting ``The 
     Federal Chief Information Officer'';
       (5) in subsection (d), in the matter preceding paragraph 
     (1), by striking ``The Administrator'' and inserting ``The 
     Federal Chief Information Officer'';
       (6) in subsection (e), in the matter preceding paragraph 
     (1), by striking ``The Administrator'' and inserting ``The 
     Federal Chief Information Officer'';
       (7) in subsection (f)--
       (A) in the matter preceding paragraph (1), by striking 
     ``the Administrator'' and inserting ``the Federal Chief 
     Information Officer''; and
       (B) in paragraph (16), by striking ``the Office of 
     Electronic Government'' and inserting ``the Office of the 
     Federal Chief Information Officer''; and
       (8) in subsection (g), by striking ``the Office of 
     Electronic Government'' and inserting ``the Office of the 
     Federal Chief Information Officer''.
       (c) Chief Information Officers Council.--Section 3603 of 
     title 44, United States Code, is amended--
       (1) in subsection (b)(2), by striking ``The Administrator 
     of the Office of Electronic Government'' and inserting ``The 
     Federal Chief Information Officer'';
       (2) in subsection (c)(1), by striking ``The Administrator 
     of the Office of Electronic Government'' and inserting ``The 
     Federal Chief Information Officer''; and
       (3) in subsection (f)--
       (A) in paragraph (3), by striking ``the Administrator'' and 
     inserting ``the Federal Chief Information Officer''; and
       (B) in paragraph (5), by striking ``the Administrator'' and 
     inserting ``the Federal Chief Information Officer''.
       (d) E-Government Fund.--Section 3604 of title 44, United 
     States Code, is amended--
       (1) in subsection (a)(2), by striking ``the Administrator 
     of the Office of Electronic Government'' and inserting ``the 
     Federal Chief Information Officer'';
       (2) in subsection (b), by striking ``Administrator'' each 
     place it appears and inserting ``Federal Chief Information 
     Officer''; and
       (3) in subsection (c), in the matter preceding paragraph 
     (1), by striking ``the Administrator'' and inserting ``the 
     Federal Chief Information Officer''.
       (e) Program to Encourage Innovative Solutions to Enhance 
     Electronic Government Services and Processes.--Section 3605 
     of title 44, United States Code, is amended--
       (1) in subsection (a), by striking ``The Administrator'' 
     and inserting ``The Federal Chief Information Officer'';
       (2) in subsection (b), by striking ``, the Administrator,'' 
     and inserting ``, the Federal Chief Information Officer,''; 
     and
       (3) in subsection (c)--
       (A) in paragraph (1)--
       (i) by striking ``The Administrator'' and inserting ``The 
     Federal Chief Information Officer''; and
       (ii) by striking ``proposals submitted to the 
     Administrator'' and inserting ``proposals submitted to the 
     Federal Chief Information Officer'';
       (B) in paragraph (2)(B), by striking ``the Administrator'' 
     and inserting ``the Federal Chief Information Officer''; and
       (C) in paragraph (4), by striking ``the Administrator'' and 
     inserting ``the Federal Chief Information Officer''.
       (f) E-Government Report.--Section 3606 of title 44, United 
     States Code, is amended in the section heading by striking 
     ``E-Government'' and inserting ``Annual''.
       (g) Treatment of Incumbent.--The individual serving as the 
     Administrator of the Office of Electronic Government under 
     section 3602 of title 44, United States Code, as of the date 
     of the enactment of this Act, may continue to serve as the 
     Federal Chief Information Officer commencing as of that date, 
     without need for a further or additional appointment under 
     such section.
       (h) Technical and Conforming Amendments.--The table of 
     sections for chapter 36 of title 44, United States Code, is 
     amended--
       (1) by striking the item relating to section 3602 and 
     inserting the following:

``3602. Office of the Federal Chief Information Officer.''; and
       (2) in the item relating to section 3606, by striking ``E-
     Government'' and inserting ``Annual''.
       (i) References.--
       (1) Administrator.--Any reference to the Administrator of 
     the Office of Electronic Government in any law, regulation, 
     map, document, record, or other paper of the United States 
     shall be deemed to be a reference to the Federal Chief 
     Information Officer.
       (2) Office of electronic government.--Any reference to the 
     Office of Electronic Government in any law, regulation, map, 
     document, record, or other paper of the United States shall 
     be deemed to be a reference to the Office of the Federal 
     Chief Information Officer.

     SEC. 6021. RULES OF CONSTRUCTION.

       (a) Agency Actions.--Nothing in this subtitle, or an 
     amendment made by this subtitle, shall be construed to 
     authorize the head of an agency to take an action that is not 
     authorized by this subtitle, an amendment made by this 
     subtitle, or existing law.
       (b) Protection of Rights.--Nothing in this subtitle, or an 
     amendment made by this subtitle, shall be construed to permit 
     the violation of the rights of any individual protected by 
     the Constitution of the United States, including through 
     censorship of speech protected by the Constitution of the 
     United States or unauthorized surveillance.

           Subtitle B--Improving Digital Identity Act of 2023

     SEC. 6031. SHORT TITLE.

       This Act may be cited as the ``Improving Digital Identity 
     Act of 2023''.

     SEC. 6032. FINDINGS.

       Congress finds the following:
       (1) The lack of an easy, affordable, reliable, and secure 
     way for organizations, businesses, and government agencies to 
     identify whether an individual is who they claim to be online 
     creates an attack vector that is widely exploited by 
     adversaries in cyberspace and precludes many high-value 
     transactions from being available online.
       (2) Incidents of identity theft and identity fraud continue 
     to rise in the United States, where more than 293,000,000 
     people were impacted by data breaches in 2021.
       (3) Since 2017, losses resulting from identity fraud have 
     increased by 333 percent, and, in 2020, those losses totaled 
     $56,000,000,000.
       (4) The Director of the Financial Crimes Enforcement 
     Network of the Department of the Treasury has stated that the 
     abuse of personally identifiable information and other 
     building blocks of identity is a key enabler behind much of 
     the fraud and cybercrime affecting the United States today.
       (5) The inadequacy of current digital identity solutions 
     degrades security and privacy for all people in the United 
     States, and next generation solutions are needed that improve 
     security, privacy, equity, and accessibility.
       (6) Government entities, as authoritative issuers of 
     identity in the United States, are uniquely positioned to 
     deliver critical components that address deficiencies in the 
     digital identity infrastructure of the United States and 
     augment private sector digital identity and authentication 
     solutions.
       (7) State governments are particularly well-suited to play 
     a role in enhancing digital identity solutions used by both 
     the public and private sectors, given the role of State 
     governments as the issuers of driver's licenses and other 
     identity documents commonly used today.
       (8) The public and private sectors should collaborate to 
     deliver solutions that promote confidence, privacy, choice, 
     equity, accessibility, and innovation. The private sector 
     drives much of the innovation around digital identity in the 
     United States and has an important role to play in delivering 
     digital identity solutions.
       (9) The bipartisan Commission on Enhancing National 
     Cybersecurity has called for the Federal Government to 
     ``create an interagency task force directed to find secure, 
     user-friendly, privacy-centric ways in which agencies can 
     serve as 1 authoritative source to validate identity 
     attributes in the broader identity market. This action would 
     enable Government agencies and the private sector to drive 
     significant risk out of new account openings and other high-
     risk, high-value online services, and it would help all 
     citizens more easily and securely engage in transactions 
     online.''.
       (10) It should be the policy of the Federal Government to 
     use the authorities and capabilities of the Federal 
     Government, in coordination with State, local, Tribal, and 
     territorial partners and private sector innovators, to 
     enhance the security, reliability, privacy, equity, 
     accessibility, and convenience of consent-based digital 
     identity solutions that support and protect transactions 
     between individuals, government entities, and businesses, and 
     that enable people in the United States to prove who they are 
     online.

     SEC. 6033. DEFINITIONS.

       In this subtitle:
       (1) Appropriate notification entities.--The term 
     ``appropriate notification entities'' means--
       (A) the President;
       (B) the Committee on Homeland Security and Governmental 
     Affairs of the Senate; and
       (C) the Committee on Oversight and Accountability of the 
     House of Representatives.
       (2) Digital identity verification.--The term ``digital 
     identity verification'' means a process to verify the 
     identity or an identity attribute of an individual accessing 
     a service online or through another electronic means.
       (3) Director.--The term ``Director'' means the Director of 
     the Task Force.
       (4) Federal agency.--The term ``Federal agency'' has the 
     meaning given the term in section 102 of the Robert T. 
     Stafford Disaster Relief and Emergency Assistance Act (42 
     U.S.C. 5122).
       (5) Identity attribute.--The term ``identity attribute'' 
     means a data element associated with the identity of an 
     individual, including the name, address, or date of birth of 
     an individual.
       (6) Identity credential.--The term ``identity credential'' 
     means a document or other

[[Page S2819]]

     evidence of the identity of an individual issued by a 
     government agency that conveys the identity of the 
     individual, including a driver's license or passport.
       (7) Secretary.--The term ``Secretary'' means the Secretary 
     of Homeland Security.
       (8) Task force.--The term ``Task Force'' means the 
     Improving Digital Identity Task Force established under 
     section 6034(a).

     SEC. 6034. IMPROVING DIGITAL IDENTITY TASK FORCE.

       (a) Establishment.--There is established in the Executive 
     Office of the President a task force to be known as the 
     ``Improving Digital Identity Task Force''.
       (b) Purpose.--The purpose of the Task Force shall be to 
     establish and coordinate a government-wide effort to develop 
     secure methods for Federal, State, local, Tribal, and 
     territorial agencies to improve access and enhance security 
     between physical and digital identity credentials, 
     particularly by promoting the development of digital versions 
     of existing physical identity credentials, including driver's 
     licenses, e-Passports, social security credentials, and birth 
     certificates, to--
       (1) protect the privacy and security of individuals;
       (2) support reliable, interoperable digital identity 
     verification in the public and private sectors; and
       (3) in achieving paragraphs (1) and (2), place a particular 
     emphasis on--
       (A) reducing identity theft and fraud;
       (B) enabling trusted transactions; and
       (C) ensuring equitable access to digital identity 
     verification.
       (c) Director.--
       (1) In general.--The Task Force shall have a Director, who 
     shall be appointed by the President.
       (2) Position.--The Director shall serve at the pleasure of 
     the President.
       (3) Pay and allowances.--The Director shall be compensated 
     at the rate of basic pay prescribed for level II of the 
     Executive Schedule under section 5313 of title 5, United 
     States Code.
       (4) Qualifications.--The Director shall have substantive 
     technical expertise and managerial acumen that--
       (A) is in the business of digital identity management, 
     information security, or benefits administration;
       (B) is gained from not less than 1 organization; and
       (C) includes specific expertise gained from academia, 
     advocacy organizations, or the private sector.
       (5) Exclusivity.--The Director may not serve in any other 
     capacity within the Federal Government while serving as 
     Director.
       (6) Term.--The term of the Director, including any official 
     acting in the role of the Director, shall terminate on the 
     date described in subsection (k).
       (d) Membership.--
       (1) Federal government representatives.--The Task Force 
     shall include the following individuals or the designees of 
     such individuals:
       (A) The Secretary.
       (B) The Secretary of the Treasury.
       (C) The Director of the National Institute of Standards and 
     Technology.
       (D) The Director of the Financial Crimes Enforcement 
     Network.
       (E) The Commissioner of Social Security.
       (F) The Secretary of State.
       (G) The Administrator of General Services.
       (H) The Director of the Office of Management and Budget.
       (I) The Postmaster General of the United States Postal 
     Service.
       (J) The National Cyber Director.
       (K) The Attorney General.
       (L) The heads of other Federal agencies or offices as the 
     President may designate or invite, as appropriate.
       (2) State, local, tribal, and territorial government 
     representatives.--The Director shall appoint to the Task 
     Force 6 State, local, Tribal, or territorial government 
     officials who represent agencies that issue identity 
     credentials and who have--
       (A) experience in identity technology and services;
       (B) knowledge of the systems used to provide identity 
     credentials; or
       (C) any other qualifications or competencies that may help 
     achieve balance or otherwise support the mission of the Task 
     Force.
       (3) Nongovernmental experts.--
       (A) In general.--The Director shall appoint to the Task 
     Force 5 nongovernmental experts.
       (B) Specific appointments.--The experts appointed under 
     subparagraph (A) shall include the following:
       (i) A member who is a privacy and civil liberties expert.
       (ii) A member who is a technical expert in identity 
     verification.
       (iii) A member who is a technical expert in cybersecurity 
     focusing on identity verification services.
       (iv) A member who represents the identity verification 
     services industry.
       (v) A member who represents a party that relies on 
     effective identity verification services to conduct business.
       (e) Working Groups.--The Director shall organize the 
     members of the Task Force into appropriate working groups for 
     the purpose of increasing the efficiency and effectiveness of 
     the Task Force, as appropriate.
       (f) Meetings.--The Task Force shall--
       (1) convene at the call of the Director; and
       (2) provide an opportunity for public comment in accordance 
     with section 1009(a)(3) of title 5, United States Code.
       (g) Duties.--In carrying out the purpose described in 
     subsection (b), the Task Force shall--
       (1) identify Federal, State, local, Tribal, and territorial 
     agencies that issue identity credentials or hold information 
     relating to identifying an individual;
       (2) assess restrictions with respect to the abilities of 
     the agencies described in paragraph (1) to verify identity 
     information for other agencies and nongovernmental 
     organizations;
       (3) assess any necessary changes in statutes, regulations, 
     or policy to address any restrictions assessed under 
     paragraph (2);
       (4) recommend a strategy, based on existing standards, to 
     enable agencies to provide services relating to digital 
     identity verification in a way that--
       (A) is secure, protects privacy, and protects individuals 
     against unfair and misleading practices;
       (B) prioritizes equity and accessibility;
       (C) requires individual consent for the provision of 
     digital identity verification services by a Federal, State, 
     local, Tribal, or territorial agency;
       (D) is interoperable among participating Federal, State, 
     local, Tribal, and territorial agencies, as appropriate and 
     in accordance with applicable laws; and
       (E) prioritizes technical standards developed by voluntary 
     consensus standards bodies in accordance with section 12(d) 
     of the National Technology Transfer and Advancement Act of 
     1995 (15 U.S.C. 272 note) and guidance under OMB Circular A-
     119, entitled ``Federal Participation in the Development and 
     Use of Voluntary Consensus Standards and in Conformity 
     Assessment Activities'', or any successor thereto;
       (5) recommend principles to promote policies for shared 
     identity proofing across public sector agencies, which may 
     include single sign-on or broadly accepted attestations;
       (6) identify funding or other resources needed to support 
     the agencies described in paragraph (4) that provide digital 
     identity verification, including recommendations with respect 
     to the need for and the design of a Federal grant program to 
     implement the recommendations of the Task Force and 
     facilitate the development and upgrade of State, local, 
     Tribal, and territorial highly-secure interoperable systems 
     that enable digital identity verification;
       (7) recommend funding models to provide digital identity 
     verification to private sector entities, which may include 
     fee-based funding models;
       (8) determine if any additional steps are necessary with 
     respect to Federal, State, local, Tribal, and territorial 
     agencies to improve digital identity verification and 
     management processes for the purpose of enhancing the 
     security, reliability, privacy, accessibility, equity, and 
     convenience of digital identity solutions that support and 
     protect transactions between individuals, government 
     entities, and businesses; and
       (9) undertake other activities necessary to assess and 
     address other matters relating to digital identity 
     verification, including with respect to--
       (A) the potential exploitation of digital identity tools or 
     associated products and services by malign actors;
       (B) privacy implications; and
       (C) increasing access to foundational identity documents.
       (h) Prohibition.--The Task Force may not implicitly or 
     explicitly recommend the creation of--
       (1) a single identity credential provided or mandated by 
     the Federal Government for the purposes of verifying identity 
     or associated attributes;
       (2) a unilateral central national identification registry 
     relating to digital identity verification; or
       (3) a requirement that any individual be forced to use 
     digital identity verification for a given public purpose.
       (i) Required Consultation.--The Task Force shall closely 
     consult with leaders of Federal, State, local, Tribal, and 
     territorial governments and nongovernmental leaders, which 
     shall include the following:
       (1) The Secretary of Education.
       (2) The heads of other Federal agencies and offices 
     determined appropriate by the Director.
       (3) State, local, Tribal, and territorial government 
     officials focused on identity, such as information technology 
     officials and directors of State departments of motor 
     vehicles and vital records bureaus.
       (4) Digital privacy experts.
       (5) Civil liberties experts.
       (6) Technology and cybersecurity experts.
       (7) Users of identity verification services.
       (8) Representatives with relevant expertise from academia 
     and advocacy organizations.
       (9) Industry representatives with experience implementing 
     digital identity systems.
       (10) Identity theft and fraud prevention experts, including 
     advocates for victims of identity theft and fraud.
       (j) Reports.--
       (1) Initial report.--Not later than 180 days after the date 
     of enactment of this Act, the Director shall submit to the 
     appropriate notification entities a report on the activities 
     of the Task Force, including--
       (A) recommendations on--
       (i) implementing the strategy pursuant to subsection 
     (g)(4); and

[[Page S2820]]

       (ii) methods to leverage digital driver's licenses, 
     distributed ledger technology, and other technologies; and
       (B) summaries of the input and recommendations of the 
     leaders consulted under subsection (i).
       (2) Interim reports.--
       (A) In general.--The Director may submit to the appropriate 
     notification entities interim reports the Director determines 
     necessary to support the work of the Task Force and educate 
     the public.
       (B) Mandatory report.--Not later than the date that is 18 
     months after the date of enactment of this Act, the Director 
     shall submit to the appropriate notification entities an 
     interim report addressing--
       (i) the matters described in paragraphs (1), (2), (4), and 
     (6) of subsection (g); and
       (ii) any other matters the Director determines necessary to 
     support the work of the Task Force and educate the public.
       (3) Final report.--Not later than 180 days before the date 
     described in subsection (k), the Director shall submit to the 
     appropriate notification entities a final report that 
     includes recommendations for the President and Congress 
     relating to any relevant matter within the scope of the 
     duties of the Task Force.
       (4) Public availability.--The Task Force shall make the 
     reports required under this subsection publicly available on 
     a centralized website as an open Government data asset (as 
     defined in section 3502 of title 44, United States Code).
       (k) Sunset.--The Task Force shall conclude business on the 
     date that is 3 years after the date of enactment of this Act.

     SEC. 6035. SECURITY ENHANCEMENTS TO FEDERAL SYSTEMS.

       (a) Guidance for Federal Agencies.--Not later than 180 days 
     after the date on which the Director submits the report 
     required under section 6034(j)(1), the Director of the Office 
     of Management and Budget shall issue guidance to Federal 
     agencies for the purpose of implementing any recommendations 
     included in such report determined appropriate by the 
     Director of the Office of Management and Budget.
       (b) Reports on Federal Agency Progress Improving Digital 
     Identity Verification Capabilities.--
       (1) Annual report on guidance implementation.--Not later 
     than 1 year after the date of the issuance of guidance under 
     subsection (a), and annually thereafter, the head of each 
     Federal agency shall submit to the Director of the Office of 
     Management and Budget a report on the efforts of the Federal 
     agency to implement that guidance.
       (2) Public report.--
       (A) In general.--Not later than 45 days after the date of 
     the issuance of guidance under subsection (a), and annually 
     thereafter, the Director shall develop and make publicly 
     available a report that includes--
       (i) a list of digital identity verification services 
     offered by Federal agencies;
       (ii) the volume of digital identity verifications performed 
     by each Federal agency;
       (iii) information relating to the effectiveness of digital 
     identity verification services by Federal agencies; and
       (iv) recommendations to improve the effectiveness of 
     digital identity verification services by Federal agencies.
       (B) Consultation.--In developing the first report required 
     under subparagraph (A), the Director shall consult the Task 
     Force.
       (3) Congressional report on federal agency digital identity 
     capabilities.--
       (A) Reform.--Not later than 180 days after the date of the 
     enactment of this Act, the Director of the Office of 
     Management and Budget, in coordination with the Director of 
     the Cybersecurity and Infrastructure Security Agency, shall 
     submit to the Committee on Homeland Security and Governmental 
     Affairs of the Senate and the Committee on Oversight and 
     Accountability of the House of Representatives a report 
     relating to the implementation and effectiveness of the 
     digital identity capabilities of Federal agencies.
       (B) Consultation.--In developing the report required under 
     subparagraph (A), the Director of the Office of Management 
     and Budget shall--
       (i) consult with the Task Force; and
       (ii) to the greatest extent practicable, include in the 
     report recommendations of the Task Force.
       (C) Contents of report.--The report required under 
     subparagraph (A) shall include--
       (i) an analysis, including metrics and milestones, for the 
     implementation by Federal agencies of--

       (I) the guidelines published by the National Institute of 
     Standards and Technology in the document entitled ``Special 
     Publication 800-63'' (commonly referred to as the ``Digital 
     Identity Guidelines''), or any successor document; and
       (II) if feasible, any additional requirements relating to 
     enhancing digital identity capabilities identified in the 
     document of the Office of Management and Budget entitled ``M-
     19-17'' and issued on May 21, 2019, or any successor 
     document;

       (ii) a review of measures taken to advance the equity, 
     accessibility, cybersecurity, and privacy of digital identity 
     verification services offered by Federal agencies; and
       (iii) any other relevant data, information, or plans for 
     Federal agencies to improve the digital identity capabilities 
     of Federal agencies.
       (c) Additional Reports.--On the first March 1 occurring 
     after the date described in subsection (b)(3)(A), and 
     annually thereafter, the Director of the Office of Management 
     and Budget, in consultation with the Director of the National 
     Institute of Standards and Technology, shall include in the 
     report required under section 3553(c) of title 44, United 
     States Code--
       (1) any additional and ongoing reporting on the matters 
     described in subsection (b)(3)(C); and
       (2) associated information collection mechanisms.

     SEC. 6036. GAO REPORT.

       (a) In General.--Not later than 1 year after the date of 
     enactment of this Act, the Comptroller General of the United 
     States shall submit to Congress a report on the estimated 
     potential savings, including estimated annual potential 
     savings, due to the increased adoption and widespread use of 
     digital identification, of--
       (1) the Federal Government from averted fraud, including 
     benefit fraud; and
       (2) the economy of the United States and consumers from 
     averted identity theft.
       (b) Contents.--Among other variables the Comptroller 
     General of the United States determines relevant, the report 
     required under subsection (a) shall include multiple 
     scenarios with varying uptake rates to demonstrate a range of 
     possible outcomes.

        Subtitle C--Federal Data Center Enhancement Act of 2023

     SEC. 6041. SHORT TITLE.

       This subtitle may be cited as the ``Federal Data Center 
     Enhancement Act of 2023''.

     SEC. 6042. FEDERAL DATA CENTER CONSOLIDATION INITIATIVE 
                   AMENDMENTS.

       (a) Findings.--Congress finds the following:
       (1) The statutory authorization for the Federal Data Center 
     Optimization Initiative under section 834 of the Carl Levin 
     and Howard P. ``Buck'' McKeon National Defense Authorization 
     Act for Fiscal Year 2015 (44 U.S.C. 3601 note; Public Law 
     113-291) expired at the end of fiscal year 2022.
       (2) The expiration of the authorization described in 
     paragraph (1) presents Congress with an opportunity to review 
     the objectives of the Federal Data Center Optimization 
     Initiative to ensure that the initiative is meeting the 
     current needs of the Federal Government.
       (3) The initial focus of the Federal Data Center 
     Optimization Initiative, which was to consolidate data 
     centers and create new efficiencies, has resulted in, since 
     2010--
       (A) the consolidation of more than 6,000 Federal data 
     centers; and
       (B) cost savings and avoidance of $5,800,000,000.
       (4) The need of the Federal Government for access to data 
     and data processing systems has evolved since the date of 
     enactment in 2014 of subtitle D of title VIII of the Carl 
     Levin and Howard P. ``Buck'' McKeon National Defense 
     Authorization Act for Fiscal Year 2015.
       (5) Federal agencies and employees involved in mission 
     critical functions increasingly need reliable access to 
     secure, reliable, sustainable, and protected facilities to 
     house mission critical data and data operations to meet the 
     immediate needs of the people of the United States.
       (6) As of the date of enactment of this subtitle, there is 
     a growing need for Federal agencies to use data centers and 
     cloud applications that meet high standards for 
     cybersecurity, resiliency, availability, and sustainability.
       (b) Minimum Requirements for New Data Centers.--Section 834 
     of the Carl Levin and Howard P. ``Buck'' McKeon National 
     Defense Authorization Act for Fiscal Year 2015 (44 U.S.C. 
     3601 note; Public Law 113-291) is amended--
       (1) in subsection (a), by striking paragraphs (3) and (4) 
     and inserting the following:
       ``(3) New data center.--The term `new data center' means--
       ``(A)(i) a data center or a portion thereof that is owned, 
     operated, or maintained by a covered agency; or
       ``(ii) to the extent practicable, a data center or portion 
     thereof--
       ``(I) that is owned, operated, or maintained by a 
     contractor on behalf of a covered agency on the date on which 
     the contract between the covered agency and the contractor 
     expires; and
       ``(II) with respect to which the covered agency extends the 
     contract, or enters into a new contract, with the contractor; 
     and
       ``(B) on or after the date that is 180 days after the date 
     of enactment of the Federal Data Center Enhancement Act of 
     2023, a data center or portion thereof that is--
       ``(i) established; or
       ``(ii) substantially upgraded or expanded.'';
       (2) by striking subsection (b) and inserting the following:
       ``(b) Minimum Requirements for New Data Centers.--
       ``(1) In general.--Not later than 180 days after the date 
     of enactment of the Federal Data Center Enhancement Act of 
     2023, the Administrator shall establish minimum requirements 
     for new data centers in consultation with the Administrator 
     of General Services and the Federal Chief Information 
     Officers Council.
       ``(2) Contents.--
       ``(A) In general.--The minimum requirements established 
     under paragraph (1) shall include requirements relating to--
       ``(i) the availability of new data centers;
       ``(ii) the use of new data centers;
       ``(iii) the use of sustainable energy sources;
       ``(iv) uptime percentage;
       ``(v) protections against power failures, including on-site 
     energy generation and access to multiple transmission paths;
       ``(vi) protections against physical intrusions and natural 
     disasters;
       ``(vii) information security protections required by 
     subchapter II of chapter 35 of title 44, United States Code, 
     and other applicable law and policy; and
       ``(viii) any other requirements the Administrator 
     determines appropriate.
       ``(B) Consultation.--In establishing the requirements 
     described in subparagraph (A)(vii), the Administrator shall 
     consult with the Director of the Cybersecurity and 
     Infrastructure Security Agency and the National Cyber 
     Director.
       ``(3) Incorporation of minimum requirements into current 
     data centers.--As soon as practicable, and in any case not 
     later than 90 days after the Administrator establishes the 
     minimum requirements pursuant to paragraph (1), the 
     Administrator shall issue guidance to ensure, as appropriate, 
     that covered agencies incorporate the minimum requirements 
     established under that paragraph into the operations of any 
     data center of a covered agency existing as of the date of 
     enactment of the Federal Data Center Enhancement Act of 2023.
       ``(4) Review of requirements.--The Administrator, in 
     consultation with the Administrator of General Services and 
     the Federal Chief Information Officers Council, shall review, 
     update, and modify the minimum requirements established under 
     paragraph (1), as necessary.
       ``(5) Report on new data centers.--During the development 
     and planning lifecycle of a new data center, if the head of a 
     covered agency determines that the covered agency is likely 
     to make a management or financial decision relating to any 
     data center, the head of the covered agency shall--
       ``(A) notify--
       ``(i) the Administrator;
       ``(ii) Committee on Homeland Security and Governmental 
     Affairs of the Senate; and
       ``(iii) Committee on Oversight and Accountability of the 
     House of Representatives; and
       ``(B) describe in the notification with sufficient detail 
     how the covered agency intends to comply with the minimum 
     requirements established under paragraph (1).
       ``(6) Use of technology.--In determining whether to 
     establish or continue to operate an existing data center, the 
     head of a covered agency shall--
       ``(A) regularly assess the application portfolio of the 
     covered agency and ensure that each at-risk legacy 
     application is updated, replaced, or modernized, as 
     appropriate, to take advantage of modern technologies; and
       ``(B) prioritize and, to the greatest extent possible, 
     leverage commercial cloud environments rather than acquiring, 
     overseeing, or managing custom data center infrastructure.
       ``(7) Public website.--
       ``(A) In general.--The Administrator shall maintain a 
     public-facing website that includes information, data, and 
     explanatory statements relating to the compliance of covered 
     agencies with the requirements of this section.
       ``(B) Processes and procedures.--In maintaining the website 
     described in subparagraph (A), the Administrator shall--
       ``(i) ensure covered agencies regularly, and not less 
     frequently than biannually, update the information, data, and 
     explanatory statements posted on the website, pursuant to 
     guidance issued by the Administrator, relating to any new 
     data centers and, as appropriate, each existing data center 
     of the covered agency; and
       ``(ii) ensure that all information, data, and explanatory 
     statements on the website are maintained as open Government 
     data assets.''; and
       (3) in subsection (c), by striking paragraph (1) and 
     inserting the following:
       ``(1) In general.--The head of a covered agency shall 
     oversee and manage the data center portfolio and the 
     information technology strategy of the covered agency in 
     accordance with Federal cybersecurity guidelines and 
     directives, including--
       ``(A) information security standards and guidelines 
     promulgated by the Director of the National Institute of 
     Standards and Technology;
       ``(B) applicable requirements and guidance issued by the 
     Director of the Office of Management and Budget pursuant to 
     section 3614 of title 44, United States Code; and
       ``(C) directives issued by the Secretary of Homeland 
     Security under section 3553 of title 44, United States 
     Code.''.
       (c) Extension of Sunset.--Section 834(e) of the Carl Levin 
     and Howard P. ``Buck'' McKeon National Defense Authorization 
     Act for Fiscal Year 2015 (44 U.S.C. 3601 note; Public Law 
     113-291) is amended by striking ``2022'' and inserting 
     ``2026''.
       (d) GAO Review.--Not later than 1 year after the date of 
     the enactment of this subtitle, and annually thereafter, the 
     Comptroller General of the United States shall review, 
     verify, and audit the compliance of covered agencies with the 
     minimum requirements established pursuant to section 
     834(b)(1) of the Carl Levin and Howard P. ``Buck'' McKeon 
     National Defense Authorization Act for Fiscal Year 2015 (44 
     U.S.C. 3601 note; Public Law 113-291) for new data centers 
     and subsection (b)(3) of that section for existing data 
     centers, as appropriate.

      TITLE LXI--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

            Subtitle A--National Risk Management Act of 2023

     SEC. 6101. SHORT TITLE.

       This subtitle may be cited as the ``National Risk 
     Management Act of 2023''.

     SEC. 6102. NATIONAL RISK MANAGEMENT CYCLE.

       (a) In General.--Subtitle A of title XXII of the Homeland 
     Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by 
     adding at the end the following:

     ``SEC. 2220F. NATIONAL RISK MANAGEMENT CYCLE.

       ``(a) National Critical Functions Defined.--In this 
     section, the term `national critical functions' means the 
     functions of government and the private sector so vital to 
     the United States that their disruption, corruption, or 
     dysfunction would have a debilitating effect on security, 
     national economic security, national public health or safety, 
     or any combination thereof.
       ``(b) National Risk Management Cycle.--
       ``(1) Risk identification and assessment.--
       ``(A) In general.--The Secretary, acting through the 
     Director, shall establish a recurring process by which to 
     identify and assess risks to critical infrastructure, 
     considering both cyber and physical threats and the 
     associated likelihoods, vulnerabilities, and consequences.
       ``(B) Consultation.--In establishing the process required 
     under subparagraph (A), the Secretary shall consult--
       ``(i) Sector Risk Management Agencies;
       ``(ii) critical infrastructure owners and operators;
       ``(iii) the Assistant to the President for National 
     Security Affairs;
       ``(iv) the Assistant to the President for Homeland 
     Security; and
       ``(v) the National Cyber Director.
       ``(C) Process elements.--The process established under 
     subparagraph (A) shall include elements to--
       ``(i) collect relevant information, collected pursuant to 
     section 2218, from Sector Risk Management Agencies relating 
     to the threats, vulnerabilities, and consequences related to 
     the particular sectors of those Sector Risk Management 
     Agencies;
       ``(ii) allow critical infrastructure owners and operators 
     to submit relevant information to the Secretary for 
     consideration; and
       ``(iii) outline how the Secretary will solicit input from 
     other Federal departments and agencies.
       ``(D) Publication.--Not later than 180 days after the date 
     of enactment of this section, the Secretary shall publish in 
     the Federal Register procedures for the process established 
     under subparagraph (A), subject to any redactions the 
     Secretary determines are necessary to protect classified or 
     other sensitive information.
       ``(E) Report.--The Secretary shall submit to the President, 
     the Committee on Homeland Security and Governmental Affairs 
     of the Senate, and the Committee on Homeland Security of the 
     House of Representatives a report on the risks identified by 
     the process established under subparagraph (A)--
       ``(i) not later than 1 year after the date of enactment of 
     this section; and
       ``(ii) not later than 1 year after the date on which the 
     Secretary submits a periodic evaluation described in section 
     9002(b)(2) of title XC of division H of the William M. (Mac) 
     Thornberry National Defense Authorization Act for Fiscal Year 
     2021 (6 U.S.C. 652a(b)(2)).
       ``(2) National critical infrastructure resilience 
     strategy.--
       ``(A) In general.--Not later than 1 year after the date on 
     which the Secretary delivers each report required under 
     paragraph (1), the President shall deliver to majority and 
     minority leaders of the Senate, the Speaker and minority 
     leader of the House of Representatives, the Committee on 
     Homeland Security and Governmental Affairs of the Senate, and 
     the Committee on Homeland Security of the House of 
     Representatives a national critical infrastructure resilience 
     strategy designed to address the risks identified by the 
     Secretary.
       ``(B) Elements.--Each strategy delivered under subparagraph 
     (A) shall--
       ``(i) prioritize areas of risk to critical infrastructure 
     that would compromise or disrupt national critical functions 
     impacting national security, economic security, or public 
     health and safety;
       ``(ii) assess the implementation of the previous national 
     critical infrastructure resilience strategy, as applicable;
       ``(iii) identify and outline current and proposed national-
     level actions, programs, and efforts, including resource 
     requirements, to be taken to address the risks identified;
       ``(iv) identify the Federal departments or agencies 
     responsible for leading each national-level action, program, 
     or effort and the relevant critical infrastructure sectors 
     for each; and
       ``(v) request any additional authorities necessary to 
     successfully execute the strategy.
       ``(C) Form.--Each strategy delivered under subparagraph (A) 
     shall be unclassified, but may contain a classified annex.
       ``(3) Congressional briefing.--Not later than 1 year after 
     the date on which the President delivers the first strategy 
     required under paragraph (2)(A), and each year thereafter, 
     the Secretary, in coordination with Sector Risk Management 
     Agencies, shall brief the Committee on Homeland Security and 
     Governmental Affairs of the Senate and the Committee on 
     Homeland Security of the House of Representatives on--
       ``(A) the national risk management cycle activities 
     undertaken pursuant to the strategy delivered under paragraph 
     (2)(A); and
       ``(B) the amounts and timeline for funding that the 
     Secretary has determined would be necessary to address risks 
     and successfully execute the full range of activities 
     proposed by the strategy delivered under paragraph (2)(A).''.
       (b) Technical and Conforming Amendment.--The table of 
     contents in section 1(b) of the Homeland Security Act of 2002 
     (Public Law 107-296; 116 Stat. 2135) is amended by inserting 
     after the item relating to section 2220E the following:

``Sec. 2220F. National risk management cycle.''.

         Subtitle B--Securing Open Source Software Act of 2023

     SEC. 6111. SHORT TITLE.

       This subtitle may be cited as the ``Securing Open Source 
     Software Act of 2023''.

     SEC. 6112. FINDINGS.

       Congress finds that--
       (1) open source software fosters technology development and 
     is an integral part of overall cybersecurity;
       (2) a secure, healthy, vibrant, and resilient open source 
     software ecosystem is crucial for ensuring the national 
     security and economic vitality of the United States;
       (3) open source software is part of the foundation of 
     digital infrastructure that promotes a free and open 
     internet;
       (4) due to both the unique strengths of open source 
     software and inconsistent historical investment in open 
     source software security, there exist unique challenges in 
     securing open source software; and
       (5) the Federal Government should play a supporting role in 
     ensuring the long-term security of open source software.

     SEC. 6113. OPEN SOURCE SOFTWARE SECURITY DUTIES.

       (a) In General.--Title XXII of the Homeland Security Act of 
     2002 (6 U.S.C. 650 et seq.), as amended by section 6102(a), 
     is amended--
       (1) in section 2200 (6 U.S.C. 650)--
       (A) by redesignating paragraphs (22) through (28) as 
     paragraphs (25) through (31), respectively; and
       (B) by inserting after paragraph (21) the following:
       ``(22) Open source software.--The term `open source 
     software' means software for which the human-readable source 
     code is made available to the public for use, study, re-use, 
     modification, enhancement, and re-distribution.
       ``(23) Open source software community.--The term `open 
     source software community' means the community of 
     individuals, foundations, nonprofit organizations, 
     corporations, and other entities that--
       ``(A) develop, contribute to, maintain, and publish open 
     source software; or
       ``(B) otherwise work to ensure the security of the open 
     source software ecosystem.
       ``(24) Open source software component.--The term `open 
     source software component' means an individual repository of 
     open source software that is made available to the public.'';
       (2) in section 2202(c) (6 U.S.C. 652(c))--
       (A) in paragraph (13), by striking ``and'' at the end;
       (B) by redesignating paragraph (14) as paragraph (17); and
       (C) by inserting after paragraph (13) the following:
       ``(14) support, including by offering services, the secure 
     usage and deployment of software, including open source 
     software, in the software development lifecycle at Federal 
     agencies in accordance with section 2220G;''; and
       (3) by adding at the end the following:

     ``SEC. 2220G. OPEN SOURCE SOFTWARE SECURITY DUTIES.

       ``(a) Definition.--In this section, the term `software bill 
     of materials' has the meaning given the term in the Minimum 
     Elements for a Software Bill of Materials published by the 
     Department of Commerce, or any superseding definition 
     published by the Agency.
       ``(b) Employment.--The Director shall, to the greatest 
     extent practicable, employ individuals in the Agency who--
       ``(1) have expertise and experience participating in the 
     open source software community; and
       ``(2) perform the duties described in subsection (c).
       ``(c) Duties of the Director.--
       ``(1) In general.--The Director shall--
       ``(A) perform outreach and engagement to bolster the 
     security of open source software;
       ``(B) support Federal efforts to strengthen the security of 
     open source software;
       ``(C) coordinate, as appropriate, with non-Federal entities 
     on efforts to ensure the long-term security of open source 
     software;
       ``(D) serve as a public point of contact regarding the 
     security of open source software for non-Federal entities, 
     including State, local, Tribal, and territorial partners, the 
     private sector, international partners, and the open source 
     software community; and
       ``(E) support Federal and non-Federal supply chain security 
     efforts by encouraging efforts to bolster open source 
     software security, such as--
       ``(i) assisting in coordinated vulnerability disclosures in 
     open source software components pursuant to section 2209(n); 
     and
       ``(ii) supporting the activities of the Federal Acquisition 
     Security Council.
       ``(2) Assessment of critical open source software 
     components.--
       ``(A) Framework.--Not later than 1 year after the date of 
     enactment of this section, the Director shall publicly 
     publish a framework, incorporating government, industry, and 
     open source software community frameworks and best practices, 
     including those published by the National Institute of 
     Standards and Technology, for assessing the risk of open 
     source software components, including direct and indirect 
     open source software dependencies, which shall incorporate, 
     at a minimum--
       ``(i) the security properties of code in a given open 
     source software component, such as whether the code is 
     written in a memory-safe programming language;
       ``(ii) the security practices of development, build, and 
     release processes of a given open source software component, 
     such as the use of multi-factor authentication by maintainers 
     and cryptographic signing of releases;
       ``(iii) the number and severity of publicly known, 
     unpatched vulnerabilities in a given open source software 
     component;
       ``(iv) the breadth of deployment of a given open source 
     software component;
       ``(v) the level of risk associated with where a given open 
     source software component is integrated or deployed, such as 
     whether the component operates on a network boundary or in a 
     privileged location; and
       ``(vi) the health of the open source software community for 
     a given open source software component, including, where 
     applicable, the level of current and historical investment 
     and maintenance in the open source software component, such 
     as the number and activity of individual maintainers.
       ``(B) Updating framework.--Not less frequently than 
     annually after the date on which the framework is published 
     under subparagraph (A), the Director shall--
       ``(i) determine whether updates are needed to the framework 
     described in subparagraph (A), including the augmentation, 
     addition, or removal of the elements described in clauses (i) 
     through (vi) of such subparagraph; and
       ``(ii) if the Director determines that additional updates 
     are needed under clause (i), make those updates to the 
     framework.
       ``(C) Developing framework.--In developing the framework 
     described in subparagraph (A), the Director shall consult 
     with--
       ``(i) appropriate Federal agencies, including the National 
     Institute of Standards and Technology;
       ``(ii) individuals and nonprofit organizations from the 
     open source software community; and
       ``(iii) private companies from the open source software 
     community.
       ``(D) Usability.--The Director shall ensure, to the 
     greatest extent practicable, that the framework described in 
     subparagraph (A) is usable by the open source software 
     community, including through the consultation described in 
     subparagraph (C).
       ``(E) Federal open source software assessment.--Not later 
     than 1 year after the publication of the framework described 
     in subparagraph (A), and not less frequently than every 2 
     years thereafter, the Director shall, to the greatest extent 
     practicable and using the framework described in subparagraph 
     (A)--
       ``(i) perform an assessment of open source software 
     components used directly or indirectly by Federal agencies 
     based on readily available, and, to the greatest extent 
     practicable, machine readable, information, such as--

       ``(I) software bills of materials that are, at the time of 
     the assessment, made available to the Agency or are otherwise 
     accessible via the internet;
       ``(II) software inventories, available to the Director at 
     the time of the assessment, from the Continuous Diagnostics 
     and Mitigation program of the Agency; and
       ``(III) other publicly available information regarding open 
     source software components; and

       ``(ii) develop 1 or more ranked lists of components 
     described in clause (i) based on the assessment, such as 
     ranked by the criticality, level of risk, or usage of the 
     components, or a combination thereof.
       ``(F) Automation.--The Director shall, to the greatest 
     extent practicable, automate the assessment conducted under 
     subparagraph (E).
       ``(G) Publication.--The Director shall publicly publish and 
     maintain any tools developed to conduct the assessment 
     described in subparagraph (E) as open source software.
       ``(H) Sharing.--
       ``(i) Results.--The Director shall facilitate the sharing 
     of the results of each assessment described in subparagraph 
     (E)(i) with appropriate Federal and non-Federal entities 
     working to support the security of open source software, 
     including by offering means for appropriate Federal and non-
     Federal entities to download the assessment in an automated 
     manner.
       ``(ii) Datasets.--The Director may publicly publish, as 
     appropriate, any datasets or versions of the datasets 
     developed or consolidated as a result of an assessment 
     described in subparagraph (E)(i).
       ``(I) Critical infrastructure assessment study and pilot.--
       ``(i) Study.--Not later than 2 years after the publication 
     of the framework described in subparagraph (A), the Director 
     shall conduct a study regarding the feasibility of the 
     Director conducting the assessment described in subparagraph 
     (E) for critical infrastructure entities.
       ``(ii) Pilot.--

       ``(I) In general.--If the Director determines that the 
     assessment described in

[[Page S2823]]

     clause (i) is feasible, the Director may conduct a pilot 
     assessment on a voluntary basis with 1 or more critical 
     infrastructure sectors, in coordination with the Sector Risk 
     Management Agency and the sector coordinating council of each 
     participating sector.
       ``(II) Termination.--If the Director proceeds with the 
     pilot described in subclause (I), the pilot shall terminate 
     on the date that is 2 years after the date on which the 
     Director begins the pilot.

       ``(iii) Reports.--

       ``(I) Study.--Not later than 180 days after the date on 
     which the Director completes the study conducted under clause 
     (i), the Director shall submit to the appropriate 
     congressional committees a report that--

       ``(aa) summarizes the study; and
       ``(bb) states whether the Director plans to proceed with 
     the pilot described in clause (ii)(I).

       ``(II) Pilot.--If the Director proceeds with the pilot 
     described in clause (ii), not later than 1 year after the 
     date on which the Director begins the pilot, the Director 
     shall submit to the appropriate congressional committees a 
     report that includes--

       ``(aa) a summary of the results of the pilot; and
       ``(bb) a recommendation as to whether the activities 
     carried out under the pilot should be continued after the 
     termination of the pilot described in clause (ii)(II).
       ``(3) Coordination with national cyber director.--The 
     Director shall--
       ``(A) brief the National Cyber Director on the activities 
     described in this subsection; and
       ``(B) coordinate activities with the National Cyber 
     Director, as appropriate.
       ``(4) Reports.--
       ``(A) In general.--Not later than 1 year after the date of 
     enactment of this section, and every 2 years thereafter, the 
     Director shall submit to the appropriate congressional 
     committees a report that includes--
       ``(i) a summary of the work on open source software 
     security performed by the Director during the period covered 
     by the report, including a list of the Federal and non-
     Federal entities with which the Director interfaced;
       ``(ii) the framework developed under paragraph (2)(A);
       ``(iii) a summary of any updates made to the framework 
     developed under paragraph (2)(A) pursuant to paragraph (2)(B) 
     since the last report submitted under this subparagraph;
       ``(iv) a summary of each assessment conducted pursuant to 
     paragraph (2)(E) since the last report was submitted under 
     this subparagraph;
       ``(v) a summary of changes made to the assessment conducted 
     pursuant to paragraph (2)(E) since the last report submitted 
     under this subparagraph, including overall security trends; 
     and
       ``(vi) a summary of the types of entities with which an 
     assessment conducted pursuant to paragraph (2)(E) since the 
     last report submitted under this subparagraph was shared 
     pursuant to paragraph (2)(H), including a list of the Federal 
     and non-Federal entities with which the assessment was 
     shared.
       ``(B) Public report.--Not later than 30 days after the date 
     on which the Director submits a report required under 
     subparagraph (A), the Director shall make a version of the 
     report publicly available on the website of the Agency.''.
       (b) Technical and Conforming Amendment.--The table of 
     contents in section 1(b) of the Homeland Security Act of 2002 
     (Public Law 107-296; 116 Stat. 2135), as amended by section 
     6102(b), is amended by inserting after the item relating to 
     section 2220F the following:

``Sec. 2220G. Open source software security duties.''.

     SEC. 6114. SOFTWARE SECURITY ADVISORY SUBCOMMITTEE.

       Section 2219(d)(1) of the Homeland Security Act of 2002 (6 
     U.S.C. 665e(d)(1)) is amended by adding at the end the 
     following:
       ``(E) Software security, including open source software 
     security.''.

     SEC. 6115. OPEN SOURCE SOFTWARE GUIDANCE.

       (a) Definitions.--In this section:
       (1) Appropriate congressional committee.--The term 
     ``appropriate congressional committee'' has the meaning given 
     the term in section 2 of the Homeland Security Act of 2002 (6 
     U.S.C. 101).
       (2) Covered agency.--The term ``covered agency'' means an 
     agency described in section 901(b) of title 31, United States 
     Code.
       (3) Director.--The term ``Director'' means the Director of 
     the Office of Management and Budget.
       (4) National security system.--The term ``national security 
     system'' has the meaning given the term in section 3552 of 
     title 44, United States Code.
       (5) Open source software; open source software community.--
     The terms ``open source software'' and ``open source software 
     community'' have the meanings given those terms in section 
     2200 of the Homeland Security Act of 2002 (6 U.S.C. 650), as 
     amended by section 6113.
       (b) Guidance.--
       (1) In general.--Not later than 1 year after the date of 
     enactment of this Act, the Director, in coordination with the 
     National Cyber Director, the Director of the Cybersecurity 
     and Infrastructure Security Agency, and the Administrator of 
     General Services, shall issue guidance on the 
     responsibilities of the chief information officer at each 
     covered agency regarding open source software, which shall 
     include--
       (A) how chief information officers at each covered agency 
     should, considering industry and open source software 
     community best practices--
       (i) manage and reduce risks of using open source software; 
     and
       (ii) guide contributing to and releasing open source 
     software;
       (B) how chief information officers should enable, rather 
     than inhibit, the secure usage of open source software at 
     each covered agency;
       (C) any relevant updates to the Memorandum M-16-21 issued 
     by the Office of Management and Budget on August 8, 2016, 
     entitled, ``Federal Source Code Policy: Achieving Efficiency, 
     Transparency, and Innovation through Reusable and Open Source 
     Software''; and
       (D) how covered agencies may contribute publicly to open 
     source software that the covered agency uses, including how 
     chief information officers should encourage those 
     contributions.
       (2) Exemption of national security systems.--The guidance 
     issued under paragraph (1) shall not apply to national 
     security systems.
       (c) Pilot.--
       (1) In general.--Not later than 1 year after the date of 
     enactment of this Act, the chief information officer of each 
     covered agency selected under paragraph (2), in coordination 
     with the Director, the National Cyber Director, the Director 
     of the Cybersecurity and Infrastructure Security Agency, and 
     the Administrator of General Services, shall establish a 
     pilot open source function at the covered agency that--
       (A) is modeled after open source program offices, such as 
     those in the private sector, the nonprofit sector, academia, 
     and other non-Federal entities; and
       (B) shall--
       (i) support the secure usage of open source software at the 
     covered agency;
       (ii) develop policies and processes for contributions to 
     and releases of open source software at the covered agency, 
     in consultation, as appropriate, with the offices of general 
     counsel and procurement of the covered agency;
       (iii) interface with the open source software community; 
     and
       (iv) manage and reduce risks of using open source software 
     at the covered agency.
       (2) Selection of pilot agencies.--The Director, in 
     coordination with the National Cyber Director, the Director 
     of the Cybersecurity and Infrastructure Security Agency, and 
     the Administrator of General Services, shall select not less 
     than 1 and not more than 5 covered agencies to conduct the 
     pilot described in paragraph (1).
       (3) Assessment.--Not later than 1 year after the 
     establishment of the pilot open source functions described in 
     paragraph (1), the Director, in coordination with the 
     National Cyber Director, the Director of the Cybersecurity 
     and Infrastructure Security Agency, and the Administrator of 
     General Services, shall assess whether open source functions 
     should be established at some or all covered agencies, 
     including--
       (A) how to organize those functions within covered 
     agencies, such as the creation of open source program 
     offices; and
       (B) appropriate roles and responsibilities for those 
     functions.
       (4) Guidance.--Notwithstanding the termination of the pilot 
     open source functions under paragraph (5), if the Director 
     determines, based on the assessment described in paragraph 
     (3), that some or all of the open source functions should be 
     established at some or all covered agencies, the Director, in 
     coordination with the National Cyber Director, the Director 
     of the Cybersecurity and Infrastructure Security Agency, and 
     the Administrator of General Services, shall issue guidance 
     on the implementation of those functions.
       (5) Termination.--The pilot open source functions described 
     in paragraph (1) shall terminate not later than 4 years after 
     the establishment of the pilot open source functions.
       (d) Briefing and Report.--The Director shall--
       (1) not later than 1 year after the date of enactment of 
     this Act, brief the appropriate congressional committees on 
     the guidance issued under subsection (b); and
       (2) not later than 540 days after the establishment of the 
     pilot open source functions under subsection (c)(1), submit 
     to the appropriate congressional committees a report on--
       (A) the pilot open source functions; and
       (B) the results of the assessment conducted under 
     subsection (c)(3).
       (e) Duties.--Section 3554(b) of title 44, United States 
     Code, as amended by section 5103, is amended by inserting 
     after paragraph (7) the following:
       ``(8) plans and procedures to ensure the secure usage and 
     development of software, including open source software (as 
     defined in section 2200 of the Homeland Security Act of 2002 
     (6 U.S.C. 650));''.

     SEC. 6116. RULE OF CONSTRUCTION.

       Nothing in this subtitle or the amendments made by this 
     subtitle shall be construed to provide any additional 
     regulatory authority to any Federal agency described therein.

            Subtitle C--National Cybersecurity Awareness Act

     SEC. 6121. SHORT TITLE.

       This subtitle may be cited as the ``National Cybersecurity 
     Awareness Act''.

[[Page S2824]]

     SEC. 6122. FINDINGS.

       Congress finds the following:
       (1) The presence of ubiquitous internet-connected devices 
     in the everyday lives of citizens of the United States has 
     created opportunities for constant connection and 
     modernization.
       (2) A connected society is subject to cybersecurity threats 
     that can compromise even the most personal and sensitive of 
     information.
       (3) Connected critical infrastructure is subject to 
     cybersecurity threats that can compromise fundamental 
     economic, health, and safety functions.
       (4) The Government of the United States plays an important 
     role in safeguarding the nation from malicious cyber 
     activity.
       (5) A citizenry that is knowledgeable regarding 
     cybersecurity is critical to building a robust cybersecurity 
     posture and reducing the threat of cyber attackers stealing 
     sensitive information and causing public harm.
       (6) While Cybersecurity Awareness Month is critical to 
     supporting national cybersecurity awareness, it cannot be a 
     once-a-year activity, and there must be a sustained, constant 
     effort to raise awareness about cyber hygiene, encourage 
     individuals in the United States to learn cyber skills, and 
     communicate the ways that cyber skills and careers in cyber 
     advance individual and societal security, privacy, safety, 
     and well-being.

     SEC. 6123. CYBERSECURITY AWARENESS.

       (a) In General.--Subtitle A of title XXII of the Homeland 
     Security Act of 2002 (6 U.S.C. 651 et seq.), as amended by 
     section 6113(a), is amended by adding at the end the 
     following:

     ``SEC. 2220H. CYBERSECURITY AWARENESS CAMPAIGNS.

       ``(a) Definition.--In this section, the term `Campaign 
     Program' means the campaign program established under 
     subsection (b)(1).
       ``(b) Awareness Campaign Program.--
       ``(1) In general.--Not later than 90 days after the date of 
     enactment of the National Cybersecurity Awareness Act, the 
     Director, in coordination with appropriate Federal agencies, 
     shall establish a program for planning and coordinating 
     Federal cybersecurity awareness campaigns.
       ``(2) Activities.--In carrying out the Campaign Program, 
     the Director shall--
       ``(A) inform non-Federal entities of voluntary cyber 
     hygiene best practices, including information on how to--
       ``(i) prevent cyberattacks; and
       ``(ii) mitigate cybersecurity risks; and
       ``(B) consult with private sector entities, State, local, 
     Tribal, and territorial governments, academia, nonprofit 
     organizations, and civil society--
       ``(i) to promote cyber hygiene best practices and the 
     importance of cyber skills, including by focusing on tactics 
     that are cost effective and result in significant 
     cybersecurity improvement, such as--

       ``(I) maintaining strong passwords and the use of password 
     managers;
       ``(II) enabling multi-factor authentication, including 
     phishing-resistant multi-factor authentication;
       ``(III) regularly installing software updates;
       ``(IV) using caution with email attachments and website 
     links; and
       ``(V) other cyber hygienic considerations, as appropriate;

       ``(ii) to promote awareness of cybersecurity risks and 
     mitigation with respect to malicious applications on 
     internet-connected devices, including applications to control 
     those devices or use devices for unauthorized surveillance of 
     users;
       ``(iii) to help consumers identify products that are 
     designed to support user and product security, such as 
     products designed using the Secure-by-Design and Secure-by-
     Default principles of the Agency or the Recommended Criteria 
     for Cybersecurity Labeling for Consumer Internet of Things 
     (IoT) Products of the National Institute of Standards and 
     Technology, published February 4, 2022 (or any subsequent 
     version);
       ``(iv) to coordinate with other Federal agencies, as 
     determined appropriate by the Director, to--

       ``(I) develop and promote relevant cybersecurity-related 
     and cyber skills-related awareness activities and resources; 
     and
       ``(II) ensure the Federal Government is coordinated in 
     communicating accurate and timely cybersecurity information;

       ``(v) to expand nontraditional outreach mechanisms to 
     ensure that entities, including low-income and rural 
     communities, small and medium sized businesses and 
     institutions, and State, local, Tribal, and territorial 
     partners, receive cybersecurity awareness outreach in an 
     equitable manner; and
       ``(vi) to encourage participation in cyber workforce 
     development ecosystems and to expand adoption of best 
     practices to grow the national cyber workforce.
       ``(3) Reporting.--
       ``(A) In general.--Not later than 180 days after the date 
     of enactment of the National Cybersecurity Awareness Act, and 
     annually thereafter, the Director, in consultation with the 
     heads of appropriate Federal agencies, shall submit to the 
     appropriate congressional committees a report regarding the 
     Campaign Program.
       ``(B) Contents.--Each report submitted pursuant to 
     subparagraph (A) shall include--
       ``(i) a summary of the activities of the Agency that 
     support promoting cybersecurity awareness under the Campaign 
     Program, including consultations made under paragraph (2)(B);
       ``(ii) an assessment of the effectiveness of techniques and 
     methods used to promote national cybersecurity awareness 
     under the Campaign Program; and
       ``(iii) recommendations on how to best promote 
     cybersecurity awareness nationally.
       ``(c) Cybersecurity Campaign Resources.--
       ``(1) In general.--Not later than 180 days after the date 
     of enactment of the National Cybersecurity Awareness Act, the 
     Director shall develop and maintain a repository for the 
     resources, tools, and public communications of the Agency 
     that promote cybersecurity awareness.
       ``(2) Requirements.--The resources described in paragraph 
     (1) shall be--
       ``(A) made publicly available online; and
       ``(B) regularly updated to ensure the public has access to 
     relevant and timely cybersecurity awareness information.''.
       (b) Responsibilities of the Cybersecurity and 
     Infrastructure Security Agency.--Section 2202(c) of the 
     Homeland Security Act of 2002 (6 U.S.C. 652(c)) is amended--
       (1) in paragraph (13), by striking ``; and'' and inserting 
     a semicolon;
       (2) by redesignating paragraph (14) as paragraph (16); and
       (3) by inserting after paragraph (13) the following:
       ``(14) lead and coordinate Federal efforts to promote 
     national cybersecurity awareness;''.
       (c) Clerical Amendment.--The table of contents in section 
     1(b) of the Homeland Security Act of 2002 (Public Law 107-
     296; 116 Stat. 2135), as amended by section 6113(b), is 
     amended by inserting after the item relating to section 2220G 
     the following:

``Sec. 2220H. Cybersecurity awareness campaigns.''.

        Subtitle D--DHS International Cyber Partner Act of 2023

     SEC. 6131. SHORT TITLE.

       This subtitle may be cited as the ``DHS International Cyber 
     Partner Act of 2023''.

     SEC. 6132. PURPOSE.

       The purposes of this subtitle are to--
       (1) authorize the Secretary of Homeland Security to assign 
     personnel to foreign locations to support the missions of the 
     Department of Homeland Security; and
       (2) provide assistance and expertise to foreign 
     governments, international organizations, and international 
     entities on cybersecurity and infrastructure security.

     SEC. 6133. INTERNATIONAL ASSIGNMENT AND ASSISTANCE.

       (a) In General.--Title I of the Homeland Security Act of 
     2002 (6 U.S.C. 111 et seq.) is amended by adding at the end 
     the following:

     ``SEC. 104. INTERNATIONAL ASSIGNMENT AND ASSISTANCE.

       ``(a) International Assignment.--
       ``(1) In general.--The Secretary, with the concurrence of 
     the Secretary of State, may assign personnel of the 
     Department to a duty station that is located outside the 
     United States at which the Secretary determines 
     representation of the Department is necessary to accomplish 
     the cybersecurity and infrastructure security missions of the 
     Department and to carry out duties and activities as assigned 
     by the Secretary.
       ``(2) Concurrence on activities.--The activities of 
     personnel of the Department who are assigned under this 
     subsection shall be--
       ``(A) performed with the concurrence of the chief of 
     mission to the foreign country to which such personnel are 
     assigned; and
       ``(B) consistent with the duties and powers of the 
     Secretary of State and the chief of mission for a foreign 
     country under section 103 of the Omnibus Diplomatic Security 
     and Antiterrorism Act of 1986 (22 U.S.C. 4802) and section 
     207 of the Foreign Service Act of 1980 (22 U.S.C. 3927), 
     respectively.
       ``(b) International Support.--
       ``(1) In general.--If the Secretary makes a determination 
     described in paragraph (2), the Secretary, with the 
     concurrence of the Secretary of State, may provide equipment, 
     services, technical assistance, or expertise on 
     cybersecurity, infrastructure security, and resilience to a 
     foreign government, an international organization, or an 
     international entity, with or without reimbursement, 
     including, as appropriate--
       ``(A) cybersecurity and infrastructure security advice, 
     training, capacity development, education, best practices, 
     incident response, threat hunting, and other similar 
     capabilities;
       ``(B) sharing and exchanging cybersecurity and 
     infrastructure security information, including research and 
     development, threat indicators, risk assessments, strategies, 
     and security recommendations;
       ``(C) cybersecurity and infrastructure security test and 
     evaluation support and services;
       ``(D) cybersecurity and infrastructure security research 
     and development support and services; and
       ``(E) any other assistance that the Secretary prescribes.
       ``(2) Determination.--A determination described in this 
     paragraph is a determination by the Secretary that providing 
     equipment, services, technical assistance, or expertise under 
     paragraph (1) would--
       ``(A) further the homeland security interests of the United 
     States; and
       ``(B) enhance the ability of a foreign government, an 
     international organization, or an international entity to 
     work cooperatively with the United States to advance the 
     homeland security interests of the United States.

[[Page S2825]]

       ``(3) Limitations.--Any equipment provided under paragraph 
     (1)--
       ``(A) may not include offensive security capabilities; and
       ``(B) shall be limited to enabling defensive cybersecurity 
     and infrastructure security activities by the receiving 
     entity, such as cybersecurity tools or explosive detection 
     and mitigation equipment.
       ``(4) Reimbursement of expenses.--If the Secretary 
     determines that collection of payment is appropriate, the 
     Secretary is authorized to collect payment from the receiving 
     entity for the cost of equipment, services, technical 
     assistance, and expertise provided under paragraph (1) and 
     any accompanying shipping costs.
       ``(5) Receipts credited as offsetting collections.--
     Notwithstanding section 3302 of title 31, United States Code, 
     any amount collected under paragraph (4)--
       ``(A) shall be credited as offsetting collections to the 
     account that finances the equipment, services, technical 
     assistance, or expertise for which the payment is received; 
     and
       ``(B) shall remain available until expended for the purpose 
     of providing for the security interests of the homeland.
       ``(c) Rule of Construction.--This section shall not be 
     construed to affect, augment, or diminish the authority of 
     the Secretary of State.
       ``(d) Congressional Reporting and Notification.--
       ``(1) Report on assistance.--Not later than 1 year after 
     the date of enactment of the DHS International Cyber Partner 
     Act of 2023, and every year thereafter, the Secretary shall 
     provide to the Committee on Homeland Security and 
     Governmental Affairs of the Senate and the Committee on 
     Homeland Security of the House of Representatives a report 
     that includes, for each instance in which assistance is 
     provided under subsection (b)--
       ``(A) the foreign government, international organization, 
     or international entity provided the assistance;
       ``(B) the reason for providing the assistance;
       ``(C) the equipment, services, technical assistance, or 
     expertise provided; and
       ``(D) whether the equipment, services, technical 
     assistance, or expertise was provided on a reimbursable or 
     nonreimbursable basis, and the rationale for why the 
     assistance was provided with or without reimbursement.
       ``(2) Copies of agreements.--Not later than 30 days after 
     the effective date, under the authority under subsection (b), 
     of a contract, memorandum, or agreement with a foreign 
     government, international organization, or international 
     entity to provide assistance, the Secretary shall provide to 
     the Committee on Homeland Security and Governmental Affairs 
     of the Senate and the Committee on Homeland Security of the 
     House of Representatives a copy of the contract, memorandum, 
     or agreement.
       ``(3) Notice on assignments.--Not later than 30 days after 
     assigning personnel to a duty station located outside the 
     United States in accordance with subsection (a)(1), the 
     Secretary shall notify the Committee on Homeland Security and 
     Governmental Affairs of the Senate and the Committee on 
     Homeland Security of the House of Representatives regarding 
     the assignment.''.
       (b) Conforming Amendment.--The table of contents in section 
     1(b) of the Homeland Security Act of 2002 (Public Law 107-
     196; 116 Stat. 2135) is amended by inserting after the item 
     relating to section 103 the following:

``Sec. 104. International assignment and assistance.''.

     SEC. 6134. CISA ACTIVITIES.

       (a) Director.--Section 2202(c) of the Homeland Security Act 
     of 2002 (6 U.S.C. 652(c)), as amended by section 6123(b), is 
     amended by inserting after paragraph (14) the following:
       ``(15) provide support for the cybersecurity and physical 
     security of critical infrastructure of international partners 
     and allies in furtherance of the homeland security interests 
     of the United States, which may include, consistent with 
     section 104, assigning personnel to a duty station that is 
     located outside the United States and providing equipment, 
     services, technical assistance, or expertise; and''.
       (b) Foreign Locations.--Section 2202(g)(1) of the Homeland 
     Security Act of 2002 (6 U.S.C. 652(g)(1)) is amended by 
     inserting ``, including locations outside the United States'' 
     before the period at the end.
       (c) Cyber Planning.--Section 2216 of the Homeland Security 
     Act of 2002 (6 U.S.C. 665b) is amended--
       (1) in subsection (a), in the first sentence, by inserting 
     ``, including international partners, as appropriate'' after 
     ``for public and private sector entities''; and
       (2) in subsection (c)(2)--
       (A) in subparagraph (E), by striking ``and'' at the end;
       (B) in subparagraph (F), by striking the period at the end 
     and inserting ``; and''; and
       (C) by adding at the end the following:
       ``(G) for planning with international partners, the 
     Department of State.''.

     SEC. 6135. LIMITATIONS.

       Under the authority provided under this subtitle, or an 
     amendment made by this subtitle, the Secretary of Homeland 
     Security may not--
       (1) engage in any activity that would censor a citizen of 
     the United States;
       (2) conduct surveillance of a citizen of the United States; 
     or
       (3) interfere with an election in the United States.

  Subtitle E--Department of Homeland Security Civilian Cybersecurity 
                              Reserve Act

     SEC. 6141. SHORT TITLE.

       This subtitle may be cited as the ``Department of Homeland 
     Security Civilian Cybersecurity Reserve Act''.

     SEC. 6142. CIVILIAN CYBERSECURITY RESERVE PILOT PROJECT.

       (a) Definitions.--In this section:
       (1) Agency.--The term ``Agency'' means the Cybersecurity 
     and Infrastructure Security Agency.
       (2) Appropriate congressional committees.--The term 
     ``appropriate congressional committees'' means--
       (A) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       (B) the Committee on Appropriations of the Senate;
       (C) the Committee on Homeland Security of the House of 
     Representatives;
       (D) the Committee on Oversight and Accountability of the 
     House of Representatives; and
       (E) the Committee on Appropriations of the House of 
     Representatives.
       (3) Competitive service.--The term ``competitive service'' 
     has the meaning given the term in section 2102 of title 5, 
     United States Code.
       (4) Director.--The term ``Director'' means the Director of 
     the Agency.
       (5) Excepted service.--The term ``excepted service'' has 
     the meaning given the term in section 2103 of title 5, United 
     States Code.
       (6) Significant incident.--The term ``significant 
     incident''--
       (A) means an incident or a group of related incidents that 
     results, or is likely to result, in demonstrable harm to--
       (i) the national security interests, foreign relations, or 
     economy of the United States; or
       (ii) the public confidence, civil liberties, or public 
     health and safety of the people of the United States; and
       (B) does not include an incident or a portion of a group of 
     related incidents that occurs on--
       (i) a national security system, as defined in section 3552 
     of title 44, United States Code; or
       (ii) an information system described in paragraph (2) or 
     (3) of section 3553(e) of title 44, United States Code.
       (7) Temporary position.--The term ``temporary position'' 
     means a position in the competitive or excepted service for a 
     period of 6 months or less.
       (8) Uniformed services.--The term ``uniformed services'' 
     has the meaning given the term in section 2101 of title 5, 
     United States Code.
       (b) Pilot Project.--
       (1) In general.--The Director may carry out a pilot project 
     to establish a Civilian Cybersecurity Reserve at the Agency.
       (2) Purpose.--The purpose of a Civilian Cybersecurity 
     Reserve is to enable the Agency to effectively respond to 
     significant incidents.
       (3) Alternative methods.--Consistent with section 4703 of 
     title 5, United States Code, in carrying out a pilot project 
     authorized under paragraph (1), the Director may, without 
     further authorization from the Office of Personnel 
     Management, provide for alternative methods of--
       (A) establishing qualifications requirements for, 
     recruitment of, and appointment to positions; and
       (B) classifying positions.
       (4) Appointments.--Under the pilot project authorized under 
     paragraph (1), upon occurrence of a significant incident, the 
     Director--
       (A) may activate members of the Civilian Cybersecurity 
     Reserve by--
       (i) noncompetitively appointing members of the Civilian 
     Cybersecurity Reserve to temporary positions in the 
     competitive service; or
       (ii) appointing members of the Civilian Cybersecurity 
     Reserve to temporary positions in the excepted service;
       (B) shall notify Congress whenever a member is activated 
     under subparagraph (A); and
       (C) may appoint not more than 30 members to temporary 
     positions.
       (5) Status as employees.--An individual appointed under 
     paragraph (4) shall be considered a Federal civil service 
     employee under section 2105 of title 5, United States Code.
       (6) Additional employees.--Individuals appointed under 
     paragraph (4) shall be in addition to any employees of the 
     Agency who provide cybersecurity services.
       (7) Employment protections.--The Secretary of Labor shall 
     prescribe such regulations as necessary to ensure the 
     reemployment, continuation of benefits, and non-
     discrimination in reemployment of individuals appointed under 
     paragraph (4), provided that such regulations shall include, 
     at a minimum, those rights and obligations set forth under 
     chapter 43 of title 38, United States Code.
       (8) Status in reserve.--During the period beginning on the 
     date on which an individual is recruited by the Agency to 
     serve in the Civilian Cybersecurity Reserve and ending on the 
     date on which the individual is appointed under paragraph 
     (4), and during any period in between any such appointments, 
     the individual shall not be considered a Federal employee.
       (c) Eligibility; Application and Selection.--
       (1) In general.--Under the pilot project authorized under 
     subsection (b)(1), the Director shall establish criteria 
     for--
       (A) individuals to be eligible for the Civilian 
     Cybersecurity Reserve; and
       (B) the application and selection processes for the 
     Civilian Cybersecurity Reserve.
       (2) Requirements for individuals.--The criteria established 
     under paragraph (1)(A) with respect to an individual shall 
     include--
       (A) previous employment--
       (i) by the executive branch;
       (ii) within the uniformed services;
       (iii) as a Federal contractor within the executive branch; 
     or
       (iv) by a State, local, Tribal, or territorial government;
       (B) if the individual has previously served as a member of 
     the Civilian Cybersecurity Reserve of the Agency, that the 
     previous appointment ended not less than 60 days before the 
     individual may be appointed for a subsequent temporary 
     position in the Civilian Cybersecurity Reserve of the Agency; 
     and
       (C) cybersecurity expertise.
       (3) Prescreening.--The Agency shall--
       (A) conduct a prescreening of each individual prior to 
     appointment under subsection (b)(4) for any topic or product 
     that would create a conflict of interest; and
       (B) require each individual appointed under subsection 
     (b)(4) to notify the Agency if a potential conflict of 
     interest arises during the appointment.
       (4) Agreement required.--An individual may become a member 
     of the Civilian Cybersecurity Reserve only if the individual 
     enters into an agreement with the Director to become such a 
     member, which shall set forth the rights and obligations of 
     the individual and the Agency.
       (5) Exception for continuing military service 
     commitments.--A member of the Selected Reserve under section 
     10143 of title 10, United States Code, may not be a member of 
     the Civilian Cybersecurity Reserve.
       (6) Priority.--In appointing individuals to the Civilian 
     Cybersecurity Reserve, the Agency shall prioritize the 
     appointment of individuals described in clause (i) or (ii) of 
     paragraph (2)(A) before considering individuals described in 
     clause (iii) or (iv) of paragraph (2)(A).
       (7) Prohibition.--Any individual who is an employee (as 
     defined in section 2105 of title 5, United States Code) of 
     the executive branch may not be recruited or appointed to 
     serve in the Civilian Cybersecurity Reserve.
       (d) Security Clearances.--
       (1) In general.--The Director shall ensure that all members 
     of the Civilian Cybersecurity Reserve undergo the appropriate 
     personnel vetting and adjudication commensurate with the 
     duties of the position, including a determination of 
     eligibility for access to classified information where a 
     security clearance is necessary, according to applicable 
     policy and authorities.
       (2) Cost of sponsoring clearances.--If a member of the 
     Civilian Cybersecurity Reserve requires a security clearance 
     in order to carry out their duties, the Agency shall be 
     responsible for the cost of sponsoring the security clearance 
     of that member.
       (e) Study and Implementation Plan.--
       (1) Study.--Not later than 60 days after the date of 
     enactment of this Act, the Agency shall begin a study on the 
     design and implementation of the pilot project authorized 
     under subsection (b)(1) at the Agency, including--
       (A) compensation and benefits for members of the Civilian 
     Cybersecurity Reserve;
       (B) activities that members may undertake as part of their 
     duties;
       (C) methods for identifying and recruiting members, 
     including alternatives to traditional qualifications 
     requirements;
       (D) methods for preventing conflicts of interest or other 
     ethical concerns as a result of participation in the pilot 
     project and details of mitigation efforts to address any 
     conflict of interest concerns;
       (E) resources, including additional funding, needed to 
     carry out the pilot project;
       (F) possible penalties for individuals who do not respond 
     to activation when called, in accordance with the rights and 
     procedures set forth under title 5, Code of Federal 
     Regulations; and
       (G) processes and requirements for training and onboarding 
     members.
       (2) Implementation plan.--Not later than 1 year after 
     beginning the study required under paragraph (1), the Agency 
     shall--
       (A) submit to the appropriate congressional committees an 
     implementation plan for the pilot project authorized under 
     subsection (b)(1); and
       (B) provide to the appropriate congressional committees a 
     briefing on the implementation plan.
       (3) Prohibition.--The Agency may not take any action to 
     begin implementation of the pilot project authorized under 
     subsection (b)(1) until the Agency fulfills the requirements 
     under paragraph (2).
       (f) Project Guidance.--Not later than 2 years after the 
     date of enactment of this Act, the Director shall, in 
     consultation with the Office of Government Ethics, issue 
     guidance establishing and implementing the pilot project 
     authorized under subsection (b)(1) at the Agency.
       (g) Briefings and Report.--
       (1) Briefings.--Not later than 1 year after the date on 
     which the Director issues the guidance required under 
     subsection (f), and every year thereafter, the Agency shall 
     provide to the appropriate congressional committees a 
     briefing on activities carried out under the pilot project 
     authorized under subsection (b)(1), including--
       (A) participation in the Civilian Cybersecurity Reserve, 
     including the number of participants, the diversity of 
     participants, and any barriers to recruitment or retention of 
     members;
       (B) an evaluation of the ethical requirements of the pilot 
     project;
       (C) whether the Civilian Cybersecurity Reserve has been 
     effective in providing additional capacity to the Agency 
     during significant incidents; and
       (D) an evaluation of the eligibility requirements for the 
     pilot project.
       (2) Report.--Not earlier than 6 months and not later than 3 
     months before the date on which the pilot project of the 
     Agency terminates under subsection (i), the Agency shall 
     submit to the appropriate congressional committees a report 
     on, and provide a briefing on recommendations relating to, 
     the pilot project, including recommendations for--
       (A) whether the pilot project should be modified, extended 
     in duration, or established as a permanent program, and if 
     so, an appropriate scope for the program;
       (B) how to attract participants, ensure a diversity of 
     participants, and address any barriers to recruitment or 
     retention of members of the Civilian Cybersecurity Reserve;
       (C) the ethical requirements of the pilot project and the 
     effectiveness of mitigation efforts to address any conflict 
     of interest concerns; and
       (D) an evaluation of the eligibility requirements for the 
     pilot project.
       (h) Evaluation.--Not later than 3 years after the pilot 
     project authorized under subsection (b)(1) is established in 
     the Agency, the Comptroller General of the United States 
     shall--
       (1) conduct a study evaluating the pilot project at the 
     Agency; and
       (2) submit to Congress--
       (A) a report on the results of the study; and
       (B) a recommendation with respect to whether the pilot 
     project should be modified, extended in duration, or 
     established as a permanent program.
       (i) Sunset.--The pilot project authorized under subsection 
     (b)(1) shall terminate on the date that is 4 years after the 
     date on which the pilot project is established, except that 
     an activated member of the Civilian Cybersecurity Reserve who 
     was appointed to and is serving in a temporary position under 
     this section as of the day before that termination date may 
     continue to serve until the end of the appointment.
       (j) No Additional Funds.--No additional funds are 
     authorized to be appropriated for the purpose of carrying out 
     this subtitle.

                Subtitle F--Satellite Cybersecurity Act

     SEC. 6151. SHORT TITLE.

       This subtitle may be cited as the ``Satellite Cybersecurity 
     Act''.

     SEC. 6152. DEFINITIONS.

       In this subtitle:
       (1) Clearinghouse.--The term ``clearinghouse'' means the 
     commercial satellite system cybersecurity clearinghouse 
     required to be developed and maintained under section 
     6154(b)(1).
       (2) Commercial satellite system.--The term ``commercial 
     satellite system''--
       (A) means a system that--
       (i) is owned or operated by a non-Federal entity based in 
     the United States; and
       (ii) is composed of not less than 1 earth satellite; and
       (B) includes--
       (i) any ground support infrastructure for each satellite in 
     the system; and
       (ii) any transmission link among and between any satellite 
     in the system and any ground support infrastructure in the 
     system.
       (3) Critical infrastructure.--The term ``critical 
     infrastructure'' has the meaning given the term in subsection 
     (e) of the Critical Infrastructure Protection Act of 2001 (42 
     U.S.C. 5195c).
       (4) Cybersecurity risk.--The term ``cybersecurity risk'' 
     has the meaning given the term in section 2200 of the 
     Homeland Security Act of 2002 (6 U.S.C. 650).
       (5) Cybersecurity threat.--The term ``cybersecurity 
     threat'' has the meaning given the term in section 2200 of 
     the Homeland Security Act of 2002 (6 U.S.C. 650).
       (6) Director.--The term ``Director'' means the Director of 
     the Cybersecurity and Infrastructure Security Agency.
       (7) Sector risk management agency.--The term ``sector risk 
     management agency'' has the meaning given the term ``Sector 
     Risk Management Agency'' in section 2200 of the Homeland 
     Security Act of 2002 (6 U.S.C. 650).

     SEC. 6153. REPORT ON COMMERCIAL SATELLITE CYBERSECURITY.

       (a) Study.--The Comptroller General of the United States 
     shall conduct a study on the actions the Federal Government 
     has taken to support the cybersecurity of commercial 
     satellite systems, including as part of any action to address 
     the cybersecurity of critical infrastructure sectors.
       (b) Report.--Not later than 2 years after the date of 
     enactment of this Act, the Comptroller General of the United 
     States shall report to the Committee on Homeland Security and 
     Governmental Affairs and the Committee on Commerce, Science, 
     and Transportation of the Senate and the Committee on 
     Homeland Security and the Committee on Science, Space, and 
     Technology of the House
     of Representatives on the study conducted under subsection 
     (a), which shall include information--
       (1) on efforts of the Federal Government, and the 
     effectiveness of those efforts, to--
       (A) address or improve the cybersecurity of commercial 
     satellite systems; and
       (B) support related efforts with international entities or 
     the private sector;
       (2) on the resources made available to the public by 
     Federal agencies to address cybersecurity risks and threats 
     to commercial satellite systems, including resources made 
     available through the clearinghouse;
       (3) on the extent to which commercial satellite systems are 
     reliant on, or relied on by, critical infrastructure;
       (4) that includes an analysis of how commercial satellite 
     systems and the threats to those systems are integrated into 
     Federal and non-Federal critical infrastructure risk analyses 
     and protection plans;
       (5) on the extent to which Federal agencies are reliant on 
     commercial satellite systems and how Federal agencies 
     mitigate cybersecurity risks associated with those systems;
       (6) on the extent to which Federal agencies are reliant on 
     commercial satellite systems that are owned wholly or in part 
     or controlled by foreign entities, or that have 
     infrastructure in foreign countries, and how Federal agencies 
     mitigate associated cybersecurity risks;
       (7) on the extent to which Federal agencies coordinate or 
     duplicate authorities and take other actions focused on the 
     cybersecurity of commercial satellite systems; and
       (8) as determined appropriate by the Comptroller General of 
     the United States, that includes recommendations for further 
     Federal action to support the cybersecurity of commercial 
     satellite systems, including recommendations on information 
     that should be shared through the clearinghouse.
       (c) Consultation.--In carrying out subsections (a) and (b), 
     the Comptroller General of the United States shall coordinate 
     with appropriate Federal agencies and organizations, 
     including--
       (1) the Office of the National Cyber Director;
       (2) the Department of Homeland Security;
       (3) the Department of Commerce;
       (4) the Department of Defense;
       (5) the Department of Transportation;
       (6) the Federal Communications Commission;
       (7) the National Aeronautics and Space Administration;
       (8) the National Executive Committee for Space-Based 
     Positioning, Navigation, and Timing; and
       (9) the National Space Council.
       (d) Briefing.--Not later than 2 years after the date of 
     enactment of this Act, the Comptroller General of the United 
     States shall provide a briefing to the appropriate 
     congressional committees on the study conducted under 
     subsection (a).
       (e) Classification.--The report made under subsection (b) 
     shall be unclassified but may include a classified annex.

     SEC. 6154. RESPONSIBILITIES OF THE CYBERSECURITY AND 
                   INFRASTRUCTURE SECURITY AGENCY.

       (a) Small Business Concern Defined.--In this section, the 
     term ``small business concern'' has the meaning given the 
     term in section 3 of the Small Business Act (15 U.S.C. 632).
       (b) Establishment of Commercial Satellite System 
     Cybersecurity Clearinghouse.--
       (1) In general.--Not later than 180 days after the date of 
     enactment of this Act, the Director shall develop and 
     maintain a commercial satellite system cybersecurity 
     clearinghouse.
       (2) Requirements.--The clearinghouse--
       (A) shall be publicly available online;
       (B) shall contain publicly available commercial satellite 
     system cybersecurity resources, including the voluntary 
     recommendations consolidated under subsection (c)(1);
       (C) shall contain appropriate materials for reference by 
     entities that develop, operate, or maintain commercial 
     satellite systems;
       (D) shall contain materials specifically aimed at assisting 
     small business concerns with the secure development, 
     operation, and maintenance of commercial satellite systems; 
     and
       (E) may contain controlled unclassified information 
     distributed to commercial entities through a process 
     determined appropriate by the Director.
       (3) Content maintenance.--The Director shall maintain 
     current and relevant cybersecurity information on the 
     clearinghouse.
       (4) Existing platform or website.--To the extent 
     practicable, the Director shall establish and maintain the 
     clearinghouse using an online platform, a website, or a 
     capability in existence as of the date of enactment of this 
     Act.
       (c) Consolidation of Commercial Satellite System 
     Cybersecurity Recommendations.--
       (1) In general.--The Director shall consolidate voluntary 
     cybersecurity recommendations designed to assist in the 
     development, maintenance, and operation of commercial 
     satellite systems.
       (2) Requirements.--The recommendations consolidated under 
     paragraph (1) shall include materials appropriate for a 
     public resource addressing, to the greatest extent 
     practicable, the following:
       (A) Risk-based, cybersecurity-informed engineering, 
     including continuous monitoring and resiliency.
       (B) Planning for retention or recovery of positive control 
     of commercial satellite systems in the event of a 
     cybersecurity incident.
       (C) Protection against unauthorized access to vital 
     commercial satellite system functions.
       (D) Physical protection measures designed to reduce the 
     vulnerabilities of a commercial satellite system's command, 
     control, and telemetry receiver systems.
       (E) Protection against jamming, eavesdropping, hijacking, 
     computer network exploitation, spoofing, threats to optical 
     satellite communications, and electromagnetic pulse.
       (F) Security against threats throughout a commercial 
     satellite system's mission lifetime.
       (G) Management of supply chain risks that affect the 
     cybersecurity of commercial satellite systems.
       (H) Protection against vulnerabilities posed by ownership 
     of commercial satellite systems or commercial satellite 
     system companies by foreign entities.
       (I) Protection against vulnerabilities posed by locating 
     physical infrastructure, such as satellite ground control 
     systems, in foreign countries.
       (J) As appropriate, and as applicable pursuant to the 
     maintenance requirement under subsection (b)(3), relevant 
     findings and recommendations from the study conducted by the 
     Comptroller General of the United States under section 
     6153(a).
       (K) Any other recommendations to ensure the 
     confidentiality, availability, and integrity of data residing 
     on or in transit through commercial satellite systems.
       (d) Implementation.--In implementing this section, the 
     Director shall--
       (1) to the extent practicable, carry out the implementation 
     in partnership with the private sector;
       (2) coordinate with--
       (A) the Office of the National Cyber Director, the National 
     Space Council, and the head of any other agency determined 
     appropriate by the Office of the National Cyber Director or 
     the National Space Council; and
       (B) the heads of appropriate Federal agencies with 
     expertise and experience in satellite operations, including 
     the entities described in section 6153(c), to enable--
       (i) the alignment of Federal efforts on commercial 
     satellite system cybersecurity; and
       (ii) to the extent practicable, consistency in Federal 
     recommendations relating to commercial satellite system 
     cybersecurity; and
       (3) consult with non-Federal entities developing commercial 
     satellite systems or otherwise supporting the cybersecurity 
     of commercial satellite systems, including private, consensus 
     organizations that develop relevant standards.
       (e) Report.--Not later than 1 year after the date of 
     enactment of this Act, and every 2 years thereafter until the 
     date that is 9 years after the date of enactment of this Act, 
     the Director shall submit to the Committee on Homeland 
     Security and Governmental Affairs and the Committee on 
     Commerce, Science, and Transportation of the Senate and the 
     Committee on Homeland Security and the Committee on Science, 
     Space, and Technology of the House of Representatives a 
     report summarizing--
       (1) any partnership with the private sector described in 
     subsection (d)(1);
       (2) any consultation with a non-Federal entity described in 
     subsection (d)(3);
       (3) the coordination carried out pursuant to subsection 
     (d)(2);
       (4) the establishment and maintenance of the clearinghouse 
     pursuant to subsection (b);
       (5) the recommendations consolidated pursuant to subsection 
     (c)(1); and
       (6) any feedback received by the Director on the 
     clearinghouse from non-Federal entities.

     SEC. 6155. STRATEGY.

       Not later than 120 days after the date of the enactment of 
     this Act, the National Space Council, jointly with the Office 
     of the National Cyber Director, in coordination with the 
     Director of the Office of Space Commerce and the heads of 
     other relevant agencies, shall submit to the Committee on 
     Homeland Security and Governmental Affairs and the Committee 
     on Commerce, Science, and Transportation of the Senate and 
     the Committee on Homeland Security and the Committee on 
     Science, Space, and Technology of the House of 
     Representatives a strategy for the activities of Federal 
     agencies to address and improve the cybersecurity of 
     commercial satellite systems, which shall include an 
     identification of--
       (1) proposed roles and responsibilities for relevant 
     agencies; and
       (2) as applicable, the extent to which cybersecurity 
     threats to such systems are addressed in Federal and non-
     Federal critical infrastructure risk analyses and protection 
     plans.

     SEC. 6156. RULES OF CONSTRUCTION.

       Nothing in this subtitle shall be construed to--
       (1) designate commercial satellite systems or other space 
     assets as a critical infrastructure sector; or
       (2) infringe upon or alter the authorities of the agencies 
     described in section 6153(c).

     SEC. 6157. SECTOR RISK MANAGEMENT AGENCY TRANSFER.

       If the President designates an infrastructure sector that 
     includes commercial satellite systems as a critical 
     infrastructure sector pursuant to the process established 
     under section 9002(b)(3) of the William M. (Mac) Thornberry 
     National Defense Authorization Act for Fiscal Year 2021 (6 
     U.S.C. 652a(b)(3)) and subsequently designates a sector risk 
     management agency for that critical infrastructure sector 
     that is not the Cybersecurity and Infrastructure Security 
     Agency, the President may direct the Director to transfer the 
     authorities of the Director under section 6154 of this 
     subtitle to the head of the designated sector risk management 
     agency.

        Subtitle G--Rural Hospital Cybersecurity Enhancement Act

     SEC. 6161. SHORT TITLE.

       This subtitle may be cited as the ``Rural Hospital 
     Cybersecurity Enhancement Act''.

     SEC. 6162. DEFINITIONS.

       In this subtitle:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 551 of title 5, United States Code.
       (2) Appropriate committees of congress.--The term 
     ``appropriate committees of Congress'' means--
       (A) the Committee on Homeland Security and Governmental 
     Affairs of the Senate; and
       (B) the Committee on Homeland Security of the House of 
     Representatives.
       (3) Director.--The term ``Director'' means the Director of 
     the Cybersecurity and Infrastructure Security Agency.
       (4) Geographic division.--The term ``geographic division'' 
     means a geographic division that is among the 9 geographic 
     divisions determined by the Bureau of the Census.
       (5) Rural hospital.--The term ``rural hospital'' means a 
     healthcare facility that--
       (A) is located in a non-urbanized area, as determined by 
     the Bureau of the Census; and
       (B) provides inpatient and outpatient healthcare services, 
     including primary care, emergency care, and diagnostic 
     services.
       (6) Secretary.--The term ``Secretary'' means the Secretary 
     of Homeland Security.

     SEC. 6163. RURAL HOSPITAL CYBERSECURITY WORKFORCE DEVELOPMENT 
                   STRATEGY.

       (a) In General.--Not later than 1 year after the date of 
     enactment of this Act, the Secretary, acting through the 
     Director, shall develop and transmit to the appropriate 
     committees of Congress a comprehensive rural hospital 
     cybersecurity workforce development strategy to address the 
     growing need for skilled cybersecurity professionals in rural 
     hospitals.
       (b) Consultation.--
       (1) Agencies.--In carrying out subsection (a), the 
     Secretary and Director may consult with the Secretary of 
     Health and Human Services, the Secretary of Education, the 
     Secretary of Labor, and any other appropriate head of an 
     agency.
       (2) Providers.--In carrying out subsection (a), the 
     Secretary shall consult with not less than 2 representatives 
     of rural healthcare providers from each geographic division 
     in the United States.
       (c) Considerations.--The rural hospital cybersecurity 
     workforce development strategy developed under subsection (a) 
     shall, at a minimum, consider the following components:
       (1) Partnerships between rural hospitals, non-rural 
     healthcare systems, educational institutions, private sector 
     entities, and nonprofit organizations to develop, promote, 
     and expand the rural hospital cybersecurity workforce, 
     including through education and training programs tailored to 
     the needs of rural hospitals.
       (2) The development of a cybersecurity curriculum and 
     teaching resources that focus on teaching technical skills 
     and abilities related to cybersecurity in rural hospitals for 
     use in community colleges, vocational schools, and other 
     educational institutions located in rural areas.
       (3) Identification of--
       (A) cybersecurity workforce challenges that are specific to 
     rural hospitals, as well as challenges that are relative to 
     hospitals generally; and
       (B) common practices to mitigate both sets of challenges 
     described in subparagraph (A).
       (4) Recommendations for legislation, rulemaking, or 
     guidance to implement the components of the rural hospital 
     cybersecurity workforce development strategy.
       (d) Annual Briefing.--Not later than 60 days after the date 
     on which the first full fiscal year ends following the date 
     on which the Secretary transmits the rural hospital 
     cybersecurity workforce development strategy developed under 
     subsection (a), and not later than 60 days after the date on 
     which each fiscal year thereafter ends, the Secretary shall 
     provide a briefing to the appropriate committees of Congress 
     that includes, at a minimum, information relating to--
       (1) updates to the rural hospital cybersecurity workforce 
     development strategy, as appropriate;
       (2) any programs or initiatives established pursuant to the 
     rural hospital cybersecurity workforce development strategy, 
     as well as the number of individuals trained or educated 
     through such programs or initiatives;
       (3) additional recommendations for legislation, rulemaking, 
     or guidance to implement the components of the rural hospital 
     cybersecurity workforce development strategy; and
       (4) the effectiveness of the rural hospital cybersecurity 
     workforce development strategy in addressing the need for 
     skilled cybersecurity professionals in rural hospitals.

     SEC. 6164. INSTRUCTIONAL MATERIALS FOR RURAL HOSPITALS.

       (a) In General.--Not later than 1 year after the date of 
     enactment of this Act, the Director shall make available 
     instructional materials for rural hospitals that can be used 
     to train staff on fundamental cybersecurity efforts.
       (b) Duties.--In carrying out subsection (a), the Director 
     shall--
       (1) consult with appropriate heads of agencies, experts in 
     cybersecurity education, and rural healthcare experts;
       (2) identify existing cybersecurity instructional materials 
     that can be adapted for use in rural hospitals and create new 
     materials as needed; and
       (3) conduct an awareness campaign to promote the materials 
     available to rural hospitals developed under subsection (a).

     SEC. 6165. NO ADDITIONAL FUNDS.

       No additional funds are authorized to be appropriated for 
     the purpose of carrying out this subtitle.

           TITLE LXII--STEMMING THE FLOW OF ILLICIT NARCOTICS

              Subtitle A--Enhancing DHS Drug Seizures Act

     SEC. 6201. SHORT TITLE.

       This subtitle may be cited as the ``Enhancing DHS Drug 
     Seizures Act''.

     SEC. 6202. COORDINATION AND INFORMATION SHARING.

       (a) Public-private Partnerships.--
       (1) Strategy.--Not later than 180 days after the date of 
     enactment of this Act, the Secretary of Homeland Security 
     shall develop a strategy to strengthen existing and establish 
     new public-private partnerships with shipping, chemical, and 
     pharmaceutical industries to assist with early detection and 
     interdiction of illicit drugs and precursor chemicals.
       (2) Contents.--The strategy required under paragraph (1) 
     shall contain goals and objectives for employees of the 
     Department of Homeland Security to ensure the tactics, 
     techniques, and procedures gained from the public-private 
     partnerships described in paragraph (1) are included in 
     policies, best practices, and training for the Department.
       (3) Implementation plan.--Not later than 180 days after 
     developing the strategy required under paragraph (1), the 
     Secretary of Homeland Security shall develop an 
     implementation plan for the strategy, which shall outline 
     departmental lead and support roles, responsibilities, 
     programs, and timelines for accomplishing the goals and 
     objectives of the strategy.
       (4) Briefing.--The Secretary of Homeland Security shall 
     provide annual briefings to the Committee on Homeland 
     Security and Governmental Affairs of the Senate and the 
     Committee on Homeland Security of the House of 
     Representatives regarding the progress made in addressing the 
     implementation plan developed pursuant to paragraph (3).
       (b) Assessment of Drug Task Forces.--
       (1) In general.--The Secretary of Homeland Security shall 
     conduct an assessment of the counterdrug task forces in which 
     the Department of Homeland Security, including components of 
     the Department, participates in or leads, which shall 
     include--
       (A) areas of potential overlap;
       (B) opportunities for sharing information and best 
     practices;
       (C) how the Department's processes for ensuring 
     accountability and transparency in its vetting and oversight 
     of partner agency task force members align with best 
     practices; and
       (D) corrective action plans for any capability limitations 
     and deficient or negative findings identified in the report 
     for any such task forces led by the Department.
       (2) Report.--Not later than 180 days after the date of 
     enactment of this Act, the Secretary of Homeland Security 
     shall submit a report to the Committee on Homeland Security 
     and Governmental Affairs of the Senate and the Committee on 
     Homeland Security of the House of Representatives that 
     contains a summary of the results of the assessment conducted 
     pursuant to paragraph (1).
       (3) Corrective action plan.--The Secretary of Homeland 
     Security shall--
       (A) implement the corrective action plans described in 
     paragraph (1)(D) immediately after the submission of the 
     report pursuant to paragraph (2); and
       (B) provide annual briefings to the Committee on Homeland 
     Security and Governmental Affairs of the Senate and the 
     Committee on Homeland Security of the House of 
     Representatives regarding the progress made in implementing 
     the corrective action plans.
       (c) Combination of Briefings.--The Secretary of Homeland 
     Security may combine the briefings required under subsections 
     (a)(4) and (b)(3)(B) and provide such combined briefings 
     through fiscal year 2026.

     SEC. 6203. DANGER PAY FOR DEPARTMENT OF HOMELAND SECURITY 
                   PERSONNEL DEPLOYED ABROAD.

       (a) In General.--Subtitle H of title VIII of the Homeland 
     Security Act of 2002 (6 U.S.C. 451 et seq.) is amended by 
     inserting after section 881 the following:

     ``SEC. 881A. DANGER PAY ALLOWANCE.

       ``(a) Authorization.--An employee of the Department, while 
     stationed in a foreign area, may be granted a danger pay 
     allowance, not to exceed 35 percent of the basic

[[Page S2829]]

     pay of such employee, for any period during which such 
     foreign area experiences a civil insurrection, a civil war, 
     ongoing terrorist acts, or wartime conditions that threaten 
     physical harm or imminent danger to the health or well-being 
     of such employee.
       ``(b) Notice.--Before granting or terminating a danger pay 
     allowance to any employee pursuant to subsection (a), the 
     Secretary, after consultation with the Secretary of State, 
     shall notify the Committee on Homeland Security and 
     Governmental Affairs of the Senate, the Committee on Foreign 
     Relations of the Senate, the Committee on Homeland Security 
     of the House of Representatives, and the Committee on Foreign 
     Affairs of the House of Representatives of--
       ``(1) the intent to make such payments and the 
     circumstances justifying such payments; or
       ``(2) the intent to terminate such payments and the 
     circumstances justifying such termination.''.

     SEC. 6204. IMPROVING TRAINING TO FOREIGN-VETTED LAW 
                   ENFORCEMENT OR NATIONAL SECURITY UNITS.

       The Secretary of Homeland Security, or the designee of the 
     Secretary, may waive reimbursement for salary expenses of 
     Department of Homeland Security for personnel providing 
     training to foreign-vetted law enforcement or national 
     security units in accordance with an agreement with the 
     Department of Defense pursuant to section 1535 of title 31, 
     United States Code.

     SEC. 6205. ENHANCING THE OPERATIONS OF U.S. CUSTOMS AND 
                   BORDER PROTECTION IN FOREIGN COUNTRIES.

       Section 411(f) of the Homeland Security Act of 2002 (6 
     U.S.C. 211(f)) is amended--
       (1) by redesignating paragraph (4) as paragraph (5); and
       (2) by inserting after paragraph (3) the following:
       ``(4) Permissible activities.--
       ``(A) In general.--Employees of U.S. Customs and Border 
     Protection and other customs officers designated in 
     accordance with the authorities granted to officers and 
     agents of Air and Marine Operations may provide the support 
     described in subparagraph (B) to authorities of the 
     government of a foreign country, including by conducting 
     joint operations with appropriate government officials within 
     the territory of such country, if an arrangement has been 
     entered into between the Government of the United States and 
     the government of such country that permits such support by 
     such employees and officers.
       ``(B) Support described.--The support described in this 
     subparagraph is support for--
       ``(i) the monitoring, locating, tracking, and deterrence 
     of--

       ``(I) illegal drugs to the United States;
       ``(II) the illicit smuggling of persons and goods into the 
     United States;
       ``(III) terrorist threats to the United States; and
       ``(IV) other threats to the security or economy of the 
     United States;

       ``(ii) emergency humanitarian efforts; and
       ``(iii) law enforcement capacity-building efforts.
       ``(C) Payment of claims.--
       ``(i) In general.--Subject to clauses (ii) and (iv), the 
     Secretary may expend funds that have been appropriated or 
     otherwise made available for the operating expenses of the 
     Department to pay claims for money damages against the United 
     States, in accordance with the first paragraph of section 
     2672 of title 28, United States Code, which arise in a 
     foreign country in connection with U.S. Customs and Border 
     Protection operations in such country.
       ``(ii) Submission deadline.--A claim may be allowed under 
     clause (i) only if it is presented not later than 2 years 
     after it accrues.
       ``(iii) Report.--Not later than 90 days after the date on 
     which the expenditure authority under clause (i) expires 
     pursuant to clause (iv), the Secretary shall submit a report 
     to Congress that describes, for each of the payments made 
     pursuant to clause (i)--

       ``(I) the foreign entity that received such payment;
       ``(II) the amount paid to such foreign entity;
       ``(III) the country in which such foreign entity resides or 
     has its principal place of business; and
       ``(IV) a detailed account of the circumstances justifying 
     such payment.

       ``(iv) Sunset.--The expenditure authority under clause (i) 
     shall expire on the date that is 5 years after the date of 
     the enactment of the Enhancing DHS Drug Seizures Act.''.

     SEC. 6206. DRUG SEIZURE DATA IMPROVEMENT.

       (a) Study.--Not later than 180 days after the date of the 
     enactment of this Act, the Secretary of Homeland Security 
     shall conduct a study to identify any opportunities for 
     improving drug seizure data collection.
       (b) Elements.--The study required under subsection (a) 
     shall--
       (1) include a survey of the entities that use drug seizure 
     data; and
       (2) address--
       (A) any additional data fields or drug type categories that 
     should be added to U.S. Customs and Border Protection's 
     SEACATS, U.S. Border Patrol's e3 portal, and any other 
     systems deemed appropriate by the Commissioner of U.S. 
     Customs and Border Protection, in accordance with the first 
     recommendation in the Government Accountability Office's 
     report GAO-22-104725, entitled ``Border Security: CBP Could 
     Improve How It Categorizes Drug Seizure Data and Evaluates 
     Training'';
       (B) how all the Department of Homeland Security components 
     that collect drug seizure data can standardize their data 
     collection efforts and deconflict drug seizure reporting;
       (C) how the Department of Homeland Security can better 
     identify, collect, and analyze additional data on precursor 
     chemicals, synthetic drugs, novel psychoactive substances, 
     and analogues that have been seized by U.S. Customs and 
     Border Protection and U.S. Immigration and Customs 
     Enforcement; and
       (D) how the Department of Homeland Security can improve its 
     model of anticipated drug flow into the United States.
       (c) Implementation of Findings.--Following the completion 
     of the study required under subsection (a)--
       (1) the Secretary of Homeland Security, in accordance with 
     the Office of National Drug Control Policy's 2022 National 
     Drug Control Strategy, shall modify Department of Homeland 
     Security drug seizure policies and training programs, as 
     appropriate, consistent with the findings of such study; and
       (2) the Commissioner of U.S. Customs and Border Protection, 
     in consultation with the Director of U.S. Immigration and 
     Customs Enforcement, shall make any necessary updates to 
     relevant systems to include the results of confirmatory drug 
     testing results.

     SEC. 6207. DRUG PERFORMANCE MEASURES.

       Not later than 180 days after the date of enactment of 
     this Act, the Secretary of Homeland Security shall develop 
     and implement a plan to ensure that components of the 
     Department of Homeland Security develop and maintain outcome-
     based performance measures that adequately assess the success 
     of drug interdiction efforts and how to utilize the existing 
     drug-related metrics and performance measures to achieve the 
     missions, goals, and targets of the Department.

     SEC. 6208. PENALTIES FOR HINDERING IMMIGRATION, BORDER, AND 
                   CUSTOMS CONTROLS.

       (a) Personnel and Structures.--Title II of the Immigration 
     and Nationality Act (8 U.S.C. 1151 et seq.) is amended by 
     inserting after section 274D the following:

     ``SECTION 274E. DESTROYING OR EVADING BORDER CONTROLS.

       ``(a) In General.--It shall be unlawful to knowingly and 
     without lawful authorization--
       ``(1)(A) destroy or significantly damage any fence, 
     barrier, sensor, camera, or other physical or electronic 
     device deployed by the Federal Government to control an 
     international border of, or a port of entry to, the United 
     States; or
       ``(B) otherwise construct, excavate, or make any structure 
     intended to defeat, circumvent or evade such a fence, 
     barrier, sensor, camera, or other physical or electronic 
     device deployed by the Federal Government to control an 
     international border of, or a port of entry to, the United 
     States; and
       ``(2) in carrying out an act described in paragraph (1), 
     have the intent to knowingly and willfully--
       ``(A) secure a financial gain;
       ``(B) further the objectives of a criminal organization; 
     and
       ``(C) violate--
       ``(i) section 274(a)(1)(A)(i);
       ``(ii) the customs and trade laws of the United States (as 
     defined in section 2(4) of the Trade Facilitation and Trade 
     Enforcement Act of 2015 (Public Law 114-125));
       ``(iii) any other Federal law relating to transporting 
     controlled substances, agriculture, or monetary instruments 
     into the United States; or
       ``(iv) any Federal law relating to border control measures 
     of the United States.
       ``(b) Penalty.--Any person who violates subsection (a) 
     shall be fined under title 18, United States Code, imprisoned 
     for not more than 5 years, or both.''.
       (b) Clerical Amendment.--The table of contents for the 
     Immigration and Nationality Act (8 U.S.C. 1101 et seq.) is 
     amended by inserting after the item relating to section 274D 
     the following:

``Sec. 274E. Destroying or evading border controls.''.

           Subtitle B--Non-Intrusive Inspection Expansion Act

     SEC. 6211. SHORT TITLE.

       This subtitle may be cited as the ``Non-Intrusive 
     Inspection Expansion Act''.

     SEC. 6212. USE OF NON-INTRUSIVE INSPECTION SYSTEMS AT LAND 
                   PORTS OF ENTRY.

       (a) Fiscal Year 2026.--Using non-intrusive inspection 
     systems acquired through previous appropriations Acts, 
     beginning not later than September 30, 2026, U.S. Customs and 
     Border Protection shall use non-intrusive inspection systems 
     at land ports of entry to scan, cumulatively, at ports of 
     entry where systems are in place by the deadline, not fewer 
     than--
       (1) 40 percent of passenger vehicles entering the United 
     States; and
       (2) 90 percent of commercial vehicles entering the United 
     States.
       (b) Subsequent Fiscal Years.--Beginning in fiscal year 
     2027, U.S. Customs and Border Protection shall use non-
     intrusive inspection systems at land ports of entry to reach 
     the next projected benchmark for incremental scanning of 
     passenger and commercial vehicles entering the United States 
     at such ports of entry.
       (c) Briefing.--Not later than May 30, 2026, the 
     Commissioner of U.S. Customs and Border Protection shall 
     brief the Committee on Homeland Security and Governmental 
     Affairs of the Senate and the Committee on

[[Page S2830]]

     Homeland Security of the House of Representatives regarding 
     the progress made during the first half of fiscal year 2026 
     in achieving the scanning benchmarks described in subsection 
     (a).
       (d) Report.--If the scanning benchmarks described in 
     subsection (a) are not met by the end of fiscal year 2026, 
     not later than 120 days after the end of that fiscal year, 
     the Commissioner of U.S. Customs and Border Protection shall 
     submit a report to the Committee on Homeland Security and 
     Governmental Affairs of the Senate and the Committee on 
     Homeland Security of the House of Representatives that--
       (1) analyzes the causes for not meeting such requirements;
       (2) identifies any resource gaps and challenges; and
       (3) details the steps that will be taken to ensure 
     compliance with such requirements in the subsequent fiscal 
     year.

     SEC. 6213. NON-INTRUSIVE INSPECTION SYSTEMS FOR OUTBOUND 
                   INSPECTIONS.

       (a) Strategy.--Not later than 180 days after the date of 
     the enactment of this Act, the Commissioner of U.S. Customs 
     and Border Protection shall submit a strategy to the 
     Committee on Homeland Security and Governmental Affairs of 
     the Senate and the Committee on Homeland Security of the 
     House of Representatives for increasing sustained outbound 
     inspection operations at land ports of entry that includes--
       (1) the number of existing and planned outbound inspection 
     lanes at each port of entry;
       (2) infrastructure limitations that limit the ability of 
     U.S. Customs and Border Protection to deploy non-intrusive 
     inspection systems for outbound inspections;
       (3) the number of additional non-intrusive inspection 
     systems that are necessary to increase scanning capacity for 
     outbound inspections; and
       (4) plans for funding and acquiring the systems described 
     in paragraph (3).
       (b) Implementation.--Beginning not later than September 30, 
     2026, U.S. Customs and Border Protection shall use non-
     intrusive inspection systems at land ports of entry to scan 
     not fewer than 10 percent of all vehicles exiting the United 
     States through land ports of entry.

     SEC. 6214. GAO REVIEW AND REPORT.

       (a) Review.--
       (1) In general.--The Comptroller General of the United 
     States shall conduct a review of the use by U.S. Customs and 
     Border Protection of non-intrusive inspection systems for 
     border security.
       (2) Elements.--The review required under paragraph (1) 
     shall--
       (A) identify--
       (i) the number and types of non-intrusive inspection 
     systems deployed by U.S. Customs and Border Protection; and
       (ii) the locations to which such systems have been 
     deployed; and
       (B) examine the manner in which U.S. Customs and Border 
     Protection--
       (i) assesses the effectiveness of such systems; and
       (ii) uses such systems in conjunction with other border 
     security resources and assets, such as border barriers and 
     technology, to detect and interdict drug smuggling and 
     trafficking at the southwest border of the United States.
       (b) Report.--Not later than 2 years after the date of the 
     enactment of this Act, the Comptroller General shall submit a 
     report to the Committee on Homeland Security and Governmental 
     Affairs of the Senate and the Committee on Homeland Security 
     of the House of Representatives containing the findings of 
     the review conducted pursuant to subsection (a).

       Subtitle C--Securing America's Ports of Entry Act of 2023

     SEC. 6221. SHORT TITLE.

       This subtitle may be cited as the ``Securing America's 
     Ports of Entry Act of 2023''.

     SEC. 6222. ADDITIONAL U.S. CUSTOMS AND BORDER PROTECTION 
                   PERSONNEL.

       (a) Officers.--The Commissioner of U.S. Customs and Border 
     Protection shall hire, train, and assign not fewer than 600 
     new U.S. Customs and Border Protection officers above the 
     current attrition level during every fiscal year until the 
     total number of U.S. Customs and Border Protection officers 
     equals and sustains the requirements identified each year in 
     the Workload Staffing Model.
       (b) Support Staff.--The Commissioner is authorized to hire, 
     train, and assign support staff, including technicians and 
     Enterprise Services mission support, to perform non-law 
     enforcement administrative functions to support the new U.S. 
     Customs and Border Protection officers hired pursuant to 
     subsection (a).
       (c) Traffic Forecasts.--In calculating the number of U.S. 
     Customs and Border Protection officers needed at each port of 
     entry through the Workload Staffing Model, the Commissioner 
     shall--
       (1) rely on data collected regarding the inspections and 
     other activities conducted at each such port of entry;
       (2) consider volume from seasonal surges, other projected 
     changes in commercial and passenger volumes, the most current 
     commercial forecasts, and other relevant information; and
       (3) consider historical volume and forecasts prior to the 
     COVID-19 pandemic and the impact on international travel.
       (d) GAO Report.--If the Commissioner does not hire the 600 
     additional U.S. Customs and Border Protection officers 
     authorized under subsection (a) during fiscal year 2023, or 
     during any subsequent fiscal year in which the hiring 
     requirements set forth in the Workload Staffing Model have 
     not been achieved, the Comptroller General of the United 
     States shall--
       (1) conduct a review of U.S. Customs and Border Protection 
     hiring practices to determine the reasons that such 
     requirements were not achieved and other issues related to 
     hiring by U.S. Customs and Border Protection; and
       (2) submit a report to the Committee on Homeland Security 
     and Governmental Affairs of the Senate and the Committee on 
     Homeland Security of the House of Representatives that 
     describes the results of the review conducted under paragraph 
     (1).

     SEC. 6223. PORTS OF ENTRY INFRASTRUCTURE ENHANCEMENT REPORT.

       Not later than 90 days after the date of the enactment of 
     this Act, the Commissioner of U.S. Customs and Border 
     Protection shall submit a report to the Committee on Homeland 
     Security and Governmental Affairs of the Senate and the 
     Committee on Homeland Security of the House of 
     Representatives that identifies--
       (1) infrastructure improvements at ports of entry that 
     would enhance the ability of U.S. Customs and Border 
     Protection officers to interdict opioids and other drugs that 
     are being illegally transported into the United States, 
     including a description of circumstances at specific ports of 
     entry that prevent the deployment of technology used at other 
     ports of entry;
       (2) detection equipment that would improve the ability of 
     such officers to identify opioids, including precursors and 
     derivatives, that are being illegally transported into the 
     United States; and
       (3) safety equipment that would protect such officers from 
     accidental exposure to such drugs or other dangers associated 
     with the inspection of potential drug traffickers.

     SEC. 6224. REPORTING REQUIREMENTS.

       (a) Temporary Duty Assignments.--
       (1) Quarterly reports.--The Commissioner of U.S. Customs 
     and Border Protection shall submit quarterly reports to the 
     appropriate congressional committees that include, for the 
     reporting period--
       (A) the number of temporary duty assignments;
       (B) the number of U.S. Customs and Border Protection 
     employees required for each temporary duty assignment;
       (C) the ports of entry from which such employees were 
     reassigned;
       (D) the ports of entry to which such employees were 
     reassigned;
       (E) the ports of entry at which reimbursable service 
     agreements have been entered into that may be affected by 
     temporary duty assignments;
       (F) the duration of each temporary duty assignment;
       (G) the cost of each temporary duty assignment; and
       (H) for each temporary duty assignment to the southwest 
     border, a description of any activities done in support of 
     U.S. Border Patrol operations.
       (2) Notice.--Not later than 10 days before redeploying 
     employees from 1 port of entry to another, absent emergency 
     circumstances--
       (A) the Commissioner shall notify the director of the port 
     of entry from which employees will be reassigned of the 
     intended redeployments; and
       (B) the port director shall notify impacted facilities 
     (including airports, seaports, and land ports) of the 
     intended redeployments.
       (3) Staff briefing.--The Commissioner shall brief all 
     affected U.S. Customs and Border Protection employees 
     regarding plans to mitigate vulnerabilities created by any 
     planned staffing reductions at ports of entry.
       (b) Reports on U.S. Customs and Border Protection 
     Agreements.--Section 907(a) of the Trade Facilitation and 
     Trade Enforcement Act of 2015 (19 U.S.C. 4451(a)) is 
     amended--
       (1) in paragraph (3), by striking ``and an assessment'' and 
     all that follows and inserting a period;
       (2) by redesignating paragraphs (4) through (12) as 
     paragraphs (5) through (13), respectively;
       (3) by inserting after paragraph (3) the following:
       ``(4) A description of the factors that were considered 
     before entering into the agreement, including an assessment 
     of how the agreement provides economic benefits and security 
     benefits (if applicable) at the port of entry to which the 
     agreement relates.''; and
       (4) in paragraph (5), as redesignated by paragraph (2), by 
     inserting after ``the report'' the following: ``, including 
     the locations of such services and the total hours of 
     reimbursable services under the agreement, if any''.
       (c) Annual Workload Staffing Model Report.--As part of the 
     Annual Report on Staffing required under section 411(g)(5)(A) 
     of the Homeland Security Act of 2002 (6 U.S.C. 211(g)(5)(A)), 
     the Commissioner shall include--
       (1) information concerning the progress made toward meeting 
     the U.S. Customs and Border Protection officer and support 
     staff hiring targets set forth in section 6222, while 
     accounting for attrition;
       (2) an update to the information provided in the Resource 
     Optimization at the Ports of Entry report, which was 
     submitted to Congress on September 12, 2017, pursuant to the

[[Page S2831]]

     Department of Homeland Security Appropriations Act, 2017 
     (division F of Public Law 115-31); and
       (3) a summary of the information included in the reports 
     required under subsection (a) and section 907(a) of the Trade 
     Facilitation and Trade Enforcement Act of 2015, as amended by 
     subsection (b).
       (d) Defined Term.--In this section, the term ``appropriate 
     congressional committees'' means--
       (1) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       (2) the Committee on Appropriations of the Senate;
       (3) the Committee on Homeland Security of the House of 
     Representatives; and
       (4) the Committee on Appropriations of the House of 
     Representatives.

     SEC. 6225. AUTHORIZATION OF APPROPRIATIONS.

       There is authorized to be appropriated to carry out this 
     subtitle--
       (1) $136,292,948 for fiscal year 2024; and
       (2) $156,918,590 for each of the fiscal years 2025 through 
     2029.

               Subtitle D--Border Patrol Enhancement Act

     SEC. 6231. SHORT TITLE.

       This subtitle may be cited as the ``Border Patrol 
     Enhancement Act''.

     SEC. 6232. AUTHORIZED STAFFING LEVEL FOR THE UNITED STATES 
                   BORDER PATROL.

       (a) Defined Term.--In this section, the term ``validated 
     personnel requirements determination model'' means a 
     determination of the number of United States Border Patrol 
     agents needed to meet the critical mission requirements of 
     the United States Border Patrol to maintain an orderly 
     process for migrants entering the United States, that has 
     been validated by an entity pursuant to subsection (c).
       (b) United States Border Patrol Personnel Requirements 
     Determination Model.--
       (1) Completion; notice.--Not later than 180 days after the 
     date of the enactment of this Act, the Commissioner shall 
     complete a personnel requirements determination model for 
     United States Border Patrol that builds on the 5-year United 
     States Border Patrol staffing and deployment plan referred to 
     on page 33 of House of Representatives Report 112-91 (May 26, 
     2011) and submit a notice of completion to--
       (A) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       (B) the Committee on Homeland Security of the House of 
     Representatives;
       (C) the Director of the Office of Personnel Management; and
       (D) the Comptroller General of the United States.
       (2) Certification.--Not later than 30 days after the 
     completion of the personnel requirements determination model 
     described in paragraph (1), the Commissioner shall submit a 
     copy of such model, an explanation of its development, and a 
     strategy for obtaining independent verification and 
     validation of such model to the congressional committees and 
     Federal officials listed in subparagraphs (A) through (D) of 
     paragraph (1).
       (c) Independent Study of Personnel Requirements 
     Determination Model.--
       (1) Requirement for study.--Not later than 90 days after 
     the completion of the personnel requirements determination 
     model pursuant to subsection (b)(1), the Secretary of 
     Homeland Security shall select an entity that is technically, 
     managerially, and financially independent from the Department 
     of Homeland Security to conduct an independent verification 
     and validation of the model.
       (2) Reports.--
       (A) To secretary.--Not later than 1 year after the 
     completion of the personnel requirements determination model 
     pursuant to subsection (b)(1), the entity performing the 
     independent verification and validation of the model shall 
     submit a report to the Secretary of Homeland Security that 
     includes--
       (i) the results of the study required under paragraph (1); 
     and
       (ii) any recommendations regarding the model that the 
     entity considers to be appropriate.
       (B) To congress.--Not later than 30 days after receiving 
     the report described in subparagraph (A), the Secretary of 
     Homeland Security shall submit such report, along with any 
     additional views or recommendations regarding the personnel 
     requirements determination model, to the Committee on 
     Homeland Security and Governmental Affairs of the Senate and 
     the Committee on Homeland Security of the House of 
     Representatives.
       (d) Authority To Hire Additional Personnel.--Beginning on 
     the date that is 180 days after the Secretary of Homeland 
     Security receives a report pursuant to subsection (c)(2) that 
     validates the personnel requirements determination model and 
     after implementing any recommendations received pursuant to 
     subsection (c)(2)(A)(ii) to improve or update the model, the 
     Secretary may hire, train, and assign 600 or more United 
     States Border Patrol agents above the attrition level during 
     every fiscal year until the number of such active agents 
     meets the level recommended by such validated personnel 
     requirements determination model.

     SEC. 6233. ESTABLISHMENT OF HIGHER RATES OF REGULARLY 
                   SCHEDULED OVERTIME PAY FOR UNITED STATES BORDER 
                   PATROL AGENTS CLASSIFIED AT GS-12.

       Section 5550(b) of title 5, United States Code, is amended 
     by adding at the end the following:
       ``(5) Regularly scheduled overtime pay for border patrol 
     agents classified at gs-12.--Notwithstanding any other 
     provision of this subsection or of section 5542, any border 
     patrol agent assigned to the level 1 border patrol rate of 
     pay or to the level 2 border patrol rate of pay who is 
     occupying a position classified at GS-12 level shall receive 
     pay for each hour of regularly scheduled overtime (in excess 
     of the 8 hours of regular time per workday) at a rate that is 
     equal to 1.5 times his or her applicable hourly rate of basic 
     pay.''.

     SEC. 6234. CONTINUING TRAINING.

       (a) In General.--The Commissioner shall require all United 
     States Border Patrol agents and other employees or contracted 
     employees designated by the Commissioner, to participate in 
     annual continuing training to maintain and update their 
     understanding of--
       (1) Department of Homeland Security policies, procedures, 
     and guidelines;
       (2) the fundamentals of law, ethics, and professional 
     conduct;
       (3) applicable Federal law and regulations;
       (4) precedential legal rulings, including Federal Circuit 
     Court and United States Supreme Court opinions relating to 
     the duty of care and treatment of persons in the custody of 
     the United States Border Patrol that the Commissioner 
     determines are relevant to active duty agents;
       (5) applicable migration trends that the Commissioner 
     determines are relevant;
       (6) best practices for coordinating with community 
     stakeholders; and
       (7) any other information that the Commissioner determines 
     to be relevant to active duty agents.
       (b) Training Subjects.--Continuing training under this 
     subsection shall include training regarding--
       (1) non-lethal use of force policies available to United 
     States Border Patrol agents and de-escalation strategies and 
     methods;
       (2) identifying, screening, and responding to vulnerable 
     populations, such as children, persons with diminished mental 
     capacity, victims of human trafficking, pregnant mothers, 
     victims of gender-based violence, victims of torture or 
     abuse, and the acutely ill;
       (3) trends in transnational criminal organization 
     activities that impact border security and migration;
       (4) policies, strategies, and programs--
       (A) to protect due process, the civil, human, and privacy 
     rights of individuals, and the private property rights of 
     land owners;
       (B) to reduce the number of migrant and agent deaths; and
       (C) to improve the safety of agents on patrol;
       (5) personal resilience;
       (6) anti-corruption and officer ethics training;
       (7) current migration trends, including updated cultural 
     and societal issues of nations that are a significant source 
     of migrants who are--
       (A) arriving at a United States port of entry to seek 
     humanitarian protection; or
       (B) encountered at a United States international boundary 
     while attempting to enter without inspection;
       (8) the impact of border security operations on natural 
     resources and the environment, including strategies to limit 
     the impact of border security operations on natural resources 
     and the environment;
       (9) relevant cultural, societal, racial, and religious 
     training, including cross-cultural communication skills;
       (10) training authorized under the Prison Rape Elimination 
     Act of 2003 (42 U.S.C. 15601 et seq.);
       (11) risk management and safety training that includes 
     agency protocols for ensuring public safety, personal safety, 
     and the safety of persons in the custody of the Department of 
     Homeland Security;
       (12) non-lethal, self-defense training; and
       (13) any other training that meets the requirements to 
     maintain and update the subjects identified in subsection 
     (a).
       (c) Course Requirements.--Courses offered under this 
     section--
       (1) shall be administered by the United States Border 
     Patrol, in consultation with the Federal Law Enforcement 
     Training Center; and
       (2) shall be approved in advance by the Commissioner of 
     U.S. Customs and Border Protection to ensure that such 
     courses satisfy the requirements for training under this 
     section.
       (d) Assessment.--Not later than 2 years after the date of 
     the enactment of this Act, the Comptroller General of the 
     United States shall submit a report to the Committee on 
     Homeland Security and Governmental Affairs of the Senate and 
     the Committee on Homeland Security of the House of 
     Representatives that assesses the training and education 
     provided pursuant to this section, including continuing 
     education.
       (e) Frequency Requirements.--Training offered as part of 
     continuing education under this section shall include--
       (1) annual courses focusing on the curriculum described in 
     paragraphs (1) through (6) of subsection (b); and
       (2) biannual courses focusing on curriculum described in 
     paragraphs (7) through (12) of subsection (b).

     SEC. 6235. RECRUITMENT AND RETENTION REPORT.

       (a) In General.--Not later than 60 days after the date of 
     the enactment of this Act,

[[Page S2832]]

     the Comptroller General of the United States shall--
       (1) conduct a study of the recruitment and retention of 
     female agents in United States Border Patrol; and
       (2) not later than 1 year after commencing such study, 
     submit a report containing the results of such study and 
     recommendations to address any identified deficiencies or 
     improvement opportunities to--
       (A) the Commissioner;
       (B) the Committee on Homeland Security and Governmental 
     Affairs of the Senate; and
       (C) the Committee on Homeland Security of the House of 
     Representatives.
       (b) Assessment.--In conducting the study pursuant to 
     subsection (a)(1), the Comptroller General shall assess--
       (1) the recruitment, application processes, training, 
     promotion, and other aspects of employment for women in the 
     United States Border Patrol;
       (2) the training, complaints system, and redress for sexual 
     harassment and assault; and
       (3) additional issues related to the recruitment and 
     retention of female agents.
       (c) Response From Commissioner.--Not later than 90 days 
     after receiving the report required under subsection (a)(2), the 
     Commissioner shall submit to the Committee on Homeland 
     Security and Governmental Affairs of the Senate and the 
     Committee on Homeland Security of the House of 
     Representatives responses to the recommendations contained in 
     the report, including any necessary implementation plans to 
     address identified deficiencies or improvements.

  Subtitle E--Protecting the Border From Unmanned Aircraft Systems Act

     SEC. 6241. SHORT TITLE.

       This subtitle may be cited as the ``Protecting the Border 
     from Unmanned Aircraft Systems Act''.

     SEC. 6242. INTERAGENCY STRATEGY FOR CREATING A UNIFIED 
                   POSTURE ON COUNTER-UNMANNED AIRCRAFT SYSTEMS 
                   CAPABILITIES AND PROTECTIONS AT INTERNATIONAL 
                   BORDERS OF THE UNITED STATES.

       (a) Definitions.--In this section:
       (1) Appropriate congressional committees.--The term 
     ``appropriate congressional committees'' means--
       (A) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       (B) the Committee on Commerce, Science, and Transportation 
     of the Senate;
       (C) the Committee on the Judiciary of the Senate;
       (D) the Committee on Armed Services of the Senate;
       (E) the Committee on Appropriations of the Senate;
       (F) the Committee on Foreign Relations of the Senate;
       (G) the Select Committee on Intelligence of the Senate;
       (H) the Committee on Homeland Security of the House of 
     Representatives;
       (I) the Committee on the Judiciary of the House of 
     Representatives;
       (J) the Committee on Transportation and Infrastructure of 
     the House of Representatives;
       (K) the Committee on Energy and Commerce of the House of 
     Representatives;
       (L) the Committee on Foreign Affairs of the House of 
     Representatives;
       (M) the Permanent Select Committee on Intelligence of the 
     House of Representatives;
       (N) the Committee on Armed Services of the House of 
     Representatives; and
       (O) the Committee on Appropriations of the House of 
     Representatives.
       (2) Covered facility or asset.--The term ``covered facility 
     or asset'' has the meaning given such term in section 
     210G(k)(3) of the Homeland Security Act of 2002 (6 U.S.C. 
     124n(k)(3)).
       (3) C-UAS.--The term ``C-UAS'' means counter-unmanned 
     aircraft system.
       (4) National airspace system; nas.--The terms ``National 
     Airspace System'' and ``NAS'' have the meaning given such 
     terms in section 245.5 of title 32, Code of Federal 
     Regulations.
       (5) Unmanned aircraft system.--The term ``unmanned aircraft 
     system'' has the meaning given such term in section 44801 of 
     title 49, United States Code.
       (b) In General.--Not later than 180 days after the date of 
     the enactment of this Act, the Secretary of Homeland 
     Security, in coordination with the Attorney General, the 
     Administrator of the Federal Aviation Administration, the 
     Secretary of State, the Secretary of Energy, the Director of 
     National Intelligence, and the Secretary of Defense, shall 
     develop a strategy for creating a unified posture on C-UAS 
     capabilities and protections at--
       (1) covered facilities or assets along international 
     borders of the United States; and
       (2) any other border-adjacent facilities or assets at which 
     such capabilities may be utilized under Federal law.
       (c) Elements.--The strategy required to be developed under 
     subsection (b) shall include the following elements:
       (1) An examination of C-UAS capabilities at covered 
     facilities or assets along the border, or such other border-
     adjacent facilities or assets at which such capabilities may 
     be utilized under Federal law, and their usage to detect or 
     mitigate credible threats to homeland security, including the 
     facilitation of illicit activities, or for other purposes 
     authorized by law.
       (2) An examination of efforts to protect privacy and civil 
     liberties in the context of C-UAS operations, including with 
     respect to impacts on border communities and protections of 
     the First and Fourth Amendments to the United States 
     Constitution.
       (3) An examination of unmanned aircraft system tactics, 
     techniques, and procedures being used in the border 
     environment by malign actors to include how unmanned aircraft 
     systems are acquired, modified, and utilized to conduct 
     malicious activity, such as attacks, surveillance, conveyance 
     of contraband, or other forms of threats.
       (4) An assessment of the C-UAS systems necessary to 
     identify illicit activity and protect against the threats 
     from unmanned aircraft systems at international borders of 
     the United States, including the availability, feasibility, 
     and interoperability of C-UAS.
       (5) A description of the training required or recommended 
     at international borders of the United States, including how 
     such training--
       (A) fits into broader training standards and norms; and
       (B) relates to the protection of privacy and civil 
     liberties.
       (6) Recommendations for additional authorities and 
     resources to protect against illicit unmanned aircraft 
     systems, including systems that may be necessary to detect 
     illicit activity and mitigate credible threats along 
     international borders of the United States.
       (7) An assessment of interagency research and development 
     efforts, including the potential for expanding such efforts.
       (d) Submission to Congress.--Not later than 1 year after 
     the date of the enactment of this Act, the Secretary of 
     Homeland Security, in coordination with the Attorney General, 
     the Administrator of the Federal Aviation Administration, the 
     Secretary of State, Secretary of Energy, the Director of 
     National Intelligence, and the Secretary of Defense, shall 
     submit the strategy developed pursuant to subsection (b) to 
     the appropriate congressional committees.
       (e) Reports to Congress.--
       (1) Annual report.--Not later than 2 years after the date 
     of the enactment of this Act, and annually thereafter for the 
     following 7 years, the Secretary of Homeland Security, in 
     coordination with the Attorney General, the Administrator of 
     the Federal Aviation Administration, the Secretary of State, 
     Secretary of Energy, the Director of National Intelligence, 
     and the Secretary of Defense, shall submit to the appropriate 
     congressional committees a report, which may include a 
     classified annex, that describes--
       (A) the resources that are necessary to carry out the 
     strategy developed pursuant to subsection (b); and
       (B) any significant developments relating to the elements 
     described in subsection (c).
       (2) Congressional briefings.--Beginning not later than 1 
     year after the date of the enactment of this Act, the 
     Secretary of Homeland Security shall include the elements 
     regarding C-UAS described in paragraph (1) in the semiannual 
     briefings to the appropriate congressional committees 
     required under section 210G(g) of the Homeland Security Act 
     of 2002 (6 U.S.C. 124n(g)).

                      Subtitle F--Port Maintenance

     SEC. 6251. PORT MAINTENANCE.

       (a) In General.--Section 411(o) of the Homeland Security 
     Act of 2002 (6 U.S.C. 211(o)) is amended--
       (1) by redesignating paragraph (3) as paragraph (4); and
       (2) by inserting after paragraph (2) the following:
       ``(3) Port maintenance.--
       ``(A) Procedures.--
       ``(i) In general.--Subject to subparagraphs (B) and (C), 
     the Commissioner, in consultation with the Administrator of 
     the General Services Administration--

       ``(I) shall establish procedures by which U.S. Customs and 
     Border Protection may conduct maintenance and repair projects 
     costing not more than $300,000 at any Federal Government-
     owned port of entry where the Office of Field Operations 
     performs any of the activities described in subparagraphs (A) 
     through (G) of subsection (g)(3); and
       ``(II) is authorized to perform such maintenance and repair 
     projects, subject to the procedures described in clause (ii).

       ``(ii) Procedures described.--The procedures established 
     pursuant to clause (i) shall include--

       ``(I) a description of the types of projects that may be 
     carried out pursuant to clause (i); and
       ``(II) the procedures for identifying and addressing any 
     impacts on other tenants of facilities where such projects 
     will be carried out.

       ``(iii) Publication of procedures.--All of the procedures 
     established pursuant to clause (i) shall be published in the 
     Federal Register.
       ``(iv) Rule of construction.--The publication of procedures 
     under clause (iii) shall not impact the authority of the 
     Commissioner to update such procedures, in consultation with 
     the Administrator, as appropriate.
       ``(B) Limitation.--The authority under subparagraph (A) 
     shall only be available for maintenance and repair projects 
     involving existing infrastructure, property, and capital at 
     any port of entry described in subparagraph (A).
       ``(C) Annual adjustments.--The Commissioner shall annually 
     adjust the amount described in subparagraph (A) by the 
     percentage (if any) by which the Consumer Price Index for All 
     Urban Consumers for the month of June preceding the date on 
     which such adjustment takes effect exceeds the

[[Page S2833]]

     Consumer Price Index for All Urban Consumers for the same 
     month of the preceding calendar year.
       ``(D) Rule of construction.--Nothing in this paragraph may 
     be construed to affect the availability of funding from--
       ``(i) the Federal Buildings Fund established under section 
     592 of title 40, United States Code;
       ``(ii) the Donation Acceptance Program established under 
     section 482; or
       ``(iii) any other statutory authority or appropriation for 
     projects described in subparagraph (A).''.
       (b) Reporting.--
       (1) In general.--Not later than 1 year after the date of 
     the enactment of this Act, and annually thereafter, the 
     Commissioner of U.S. Customs and Border Protection shall 
     submit a report to the Committee on Homeland Security and 
     Governmental Affairs of the Senate, the Committee on 
     Appropriations of the Senate, the Committee on Homeland 
     Security of the House of Representatives, and the Committee 
     on Appropriations of the House of Representatives that 
     includes the elements described in paragraph (2).
       (2) Elements.--The report required under paragraph (1) 
     shall include--
       (A) a summary of all maintenance projects conducted 
     pursuant to section 411(o)(3) of the Homeland Security Act of 
     2002, as added by subsection (a) during the prior fiscal 
     year;
       (B) the cost of each project referred to in subparagraph 
     (A);
       (C) the account that funded each such project, if 
     applicable; and
       (D) any budgetary transfers, if applicable, that funded 
     each such project.
       (c) Technical Amendment.--Section 422(a) of the Homeland 
     Security Act of 2002 (6 U.S.C. 232(a)) is amended by 
     inserting ``section 411(o)(3) of this Act and'' after 
     ``Administrator under''.

        TITLE LXIII--IMPROVING LOBBYING DISCLOSURE REQUIREMENTS

            Subtitle A--Lobbying Disclosure Improvement Act

     SEC. 6301. SHORT TITLE.

       This subtitle may be cited as the ``Lobbying Disclosure 
     Improvement Act''.

     SEC. 6302. REGISTRANT DISCLOSURE REGARDING FOREIGN AGENT 
                   REGISTRATION EXEMPTION.

       Section 4(b) of the Lobbying Disclosure Act of 1995 (2 
     U.S.C. 1603(b)) is amended--
       (1) in paragraph (6), by striking ``; and'' and inserting a 
     semicolon;
       (2) in paragraph (7), by striking the period at the end and 
     inserting ``; and''; and
       (3) by adding at the end the following:
       ``(8) a statement as to whether the registrant is exempt 
     under section 3(h) of the Foreign Agents Registration Act of 
     1938, as amended (22 U.S.C. 613(h)).''.

        Subtitle B--Disclosing Foreign Influence in Lobbying Act

     SEC. 6311. SHORT TITLE.

       This subtitle may be cited as the ``Disclosing Foreign 
     Influence in Lobbying Act''.

     SEC. 6312. CLARIFICATION OF CONTENTS OF REGISTRATION.

       Section 4(b) of the Lobbying Disclosure Act of 1995 (2 
     U.S.C. 1603(b)), as amended by section 5602 of this title, is 
     amended--
       (1) in paragraph (8), as added by section 5602 of this 
     title, by striking the period at the end and inserting ``; 
     and''; and
       (2) by adding at the end the following:
       ``(9) notwithstanding paragraph (4), the name and address 
     of each government of a foreign country (including any agency 
     or subdivision of a government of a foreign country, such as 
     a regional or municipal unit of government) and foreign 
     political party, other than the client, that participates in 
     the direction, planning, supervision, or control of any 
     lobbying activities of the registrant.''.

 TITLE LXIV--ENHANCING NATIONAL COUNTERING WEAPONS OF MASS DESTRUCTION 
                              CAPABILITIES

   Subtitle A--Offices of Countering Weapons of Mass Destruction and 
                      Health Security Act of 2023

     SEC. 6401. SHORT TITLE.

       This subtitle may be cited as the ``Offices of Countering 
     Weapons of Mass Destruction and Health Security Act of 
     2023''.

        CHAPTER 1--COUNTERING WEAPONS OF MASS DESTRUCTION OFFICE

     SEC. 6402. COUNTERING WEAPONS OF MASS DESTRUCTION OFFICE.

       (a) Homeland Security Act of 2002.--Title XIX of the 
     Homeland Security Act of 2002 (6 U.S.C. 590 et seq.) is 
     amended--
       (1) in section 1901 (6 U.S.C. 591)--
       (A) in subsection (c), by striking paragraphs (1) and (2) 
     and inserting the following:
       ``(1) matters and strategies pertaining to--
       ``(A) weapons of mass destruction; and
       ``(B) non-medical aspects of chemical, biological, 
     radiological, nuclear, and other related emerging threats;
       ``(2) coordinating the efforts of the Department to 
     counter--
       ``(A) weapons of mass destruction; and
       ``(B) non-medical aspects of chemical, biological, 
     radiological, nuclear, and other related emerging threats; 
     and
       ``(3) enhancing the ability of Federal, State, local, and 
     Tribal partners to prevent, detect, protect against, and 
     mitigate the impacts of terrorist attacks in the United 
     States to counter--
       ``(A) weapons of mass destruction; and
       ``(B) non-medical aspects of use of unauthorized chemical, 
     biological, radiological, and nuclear materials, devices, or 
     agents and other related emerging threats.''; and
       (B) by striking subsection (e);
       (2) by amending section 1921 (6 U.S.C. 591g) to read as 
     follows:

     ``SEC. 1921. MISSION OF THE OFFICE.

       ``The Office shall be responsible for--
       ``(1) coordinating the efforts of the Department and with 
     other Federal departments and agencies to counter--
       ``(A) weapons of mass destruction; and
       ``(B) chemical, biological, radiological, nuclear, and 
     other related emerging threats; and
       ``(2) enhancing the ability of Federal, State, local, and 
     Tribal partners to prevent, detect, protect against, and 
     mitigate the impacts of attacks using--
       ``(A) weapons of mass destruction against the United 
     States; or
       ``(B) unauthorized chemical, biological, radiological, 
     nuclear materials, devices, or agents or other related 
     emerging threats against the United States.'';
       (3) in section 1922 (6 U.S.C. 591h)--
       (A) by striking subsection (b); and
       (B) by redesignating subsection (c) as subsection (b);
       (4) in section 1923 (6 U.S.C. 592)--
       (A) by redesignating subsections (a) and (b) as subsections 
     (b) and (d), respectively;
       (B) by inserting before subsection (b), as so redesignated, 
     the following:
       ``(a) Office Responsibilities.--
       ``(1) In general.--For the purposes of coordinating the 
     efforts of the Department to counter weapons of mass 
     destruction and chemical, biological, radiological, nuclear, 
     and other related emerging threats, the Office shall--
       ``(A) provide expertise and guidance to Department 
     leadership and components on non-medical aspects of chemical, 
     biological, radiological, nuclear, and other related emerging 
     threats, subject to the research, development, testing, and 
     evaluation coordination requirement described in subparagraph 
     (G);
       ``(B) in coordination with the Office for Strategy, Policy, 
     and Plans, lead development of policies and strategies to 
     counter weapons of mass destruction and chemical, biological, 
     radiological, nuclear, and other related emerging threats on 
     behalf of the Department;
       ``(C) identify, assess, and prioritize capability gaps 
     relating to the strategic and mission objectives of the 
     Department for weapons of mass destruction and chemical, 
     biological, radiological, nuclear, and other related emerging 
     threats;
       ``(D) in coordination with the Office of Intelligence and 
     Analysis, support components of the Department, and Federal, 
     State, local, and Tribal partners by providing intelligence 
     and information analysis and reports on weapons of mass 
     destruction and chemical, biological, radiological, nuclear, 
     and other related emerging threats;
       ``(E) in consultation with the Science and Technology 
     Directorate, assess risk to the United States from weapons of 
     mass destruction and chemical, biological, radiological, 
     nuclear, and other related emerging threats;
       ``(F) lead development and prioritization of Department 
     requirements to counter weapons of mass destruction and 
     chemical, biological, radiological, nuclear, and other 
     related emerging threats, subject to the research, 
     development, testing, and evaluation coordination requirement 
     described in subparagraph (G), which requirements shall be--
       ``(i) developed in coordination with end users; and
       ``(ii) reviewed by the Joint Requirements Council, as 
     directed by the Secretary;
       ``(G) in coordination with the Science and Technology 
     Directorate, direct, fund, and coordinate capability 
     development activities to counter weapons of mass destruction 
     and chemical, biological, radiological, nuclear, and other 
     related emerging threats research, development, test, and 
     evaluation matters, including research, development, testing, 
     and evaluation expertise, threat characterization, technology 
     maturation, prototyping, and technology transition;
       ``(H) acquire, procure, and deploy capabilities to counter 
     weapons of mass destruction and chemical, biological, 
     radiological, nuclear, and other related emerging threats, 
     and serve as the lead advisor of the Department on component 
     acquisition, procurement, and deployment of counter-weapons 
     of mass destruction capabilities;
       ``(I) in coordination with the Office of Health Security, 
     support components of the Department, and Federal, State, 
     local, and Tribal partners on chemical, biological, 
     radiological, nuclear, and other related emerging threats 
     health matters;
       ``(J) provide expertise on weapons of mass destruction and 
     non-medical aspects of chemical, biological, radiological, 
     nuclear, and other related emerging threats to Departmental 
     and Federal partners to support engagements and efforts with 
     international partners subject to the research, development, 
     testing, and evaluation coordination requirement under 
     subparagraph (G); and
       ``(K) carry out any other duties assigned to the Office by 
     the Secretary.
       ``(2) Detection and reporting.--For purposes of the 
     detection and reporting responsibilities of the Office for 
     weapons of mass destruction and chemical, biological, 
     radiological, nuclear, and other related emerging threats, 
     the Office shall--
       ``(A) in coordination with end users, including State, 
     local, and Tribal partners, as appropriate--

[[Page S2834]]

       ``(i) carry out a program to test and evaluate technology, 
     in consultation with the Science and Technology Directorate, 
     to detect and report on weapons of mass destruction and 
     chemical, biological, radiological, nuclear, and other 
     related emerging threats, in coordination with other Federal 
     agencies, as appropriate, and establish performance metrics 
     to evaluate the effectiveness of individual detectors and 
     detection systems in detecting those weapons of mass 
     destruction or chemical, biological, radiological, nuclear, 
     or other related emerging threats--

       ``(I) under realistic operational and environmental 
     conditions; and
       ``(II) against realistic adversary tactics and 
     countermeasures;

       ``(B) in coordination with end users, conduct, support, 
     coordinate, and encourage a transformational program of 
     research and development to generate and improve technologies 
     to detect, protect against, and report on the illicit entry, 
     transport, assembly, or potential use within the United 
     States of weapons of mass destruction and chemical, 
     biological, radiological, nuclear, and other related emerging 
     threats, and coordinate with the Under Secretary for Science 
     and Technology on research and development efforts relevant 
     to the mission of the Office and the Under Secretary for 
     Science and Technology;
       ``(C) before carrying out operational testing under 
     subparagraph (A), develop a testing and evaluation plan that 
     articulates the requirements for the user and describes how 
     these capability needs will be tested in developmental test 
     and evaluation and operational test and evaluation;
       ``(D) as appropriate, develop, acquire, and deploy 
     equipment to detect and report on weapons of mass destruction 
     and chemical, biological, radiological, nuclear, and other 
     related emerging threats in support of Federal, State, local, 
     and Tribal governments;
       ``(E) support and enhance the effective sharing and use of 
     appropriate information on weapons of mass destruction and 
     chemical, biological, radiological, nuclear, and other 
     related emerging threats generated by elements of the 
     intelligence community, law enforcement agencies, other 
     Federal agencies, State, local, and Tribal governments, and 
     foreign governments, as well as provide appropriate 
     information to those entities;
       ``(F) consult, as appropriate, with relevant Departmental 
     components and offices, the Department of Health and Human 
     Services, and other Federal partners, on weapons of mass 
     destruction and non-medical aspects of chemical, biological, 
     radiological, nuclear, and other related emerging threats and 
     efforts to mitigate, prepare, and respond to all threats in 
     support of the State, local, and Tribal communities; and
       ``(G) perform other duties as assigned by the Secretary.'';
       (C) in subsection (b), as so redesignated--
       (i) in the subsection heading, by striking ``Mission'' and 
     inserting ``Radiological and Nuclear Responsibilities'';
       (ii) in paragraph (1)--

       (I) by inserting ``deploy,'' after ``acquire,''; and
       (II) by striking ``deployment'' and inserting 
     ``operation'';

       (iii) by striking paragraphs (6) through (10);
       (iv) redesignating paragraphs (11) and (12) as paragraphs 
     (6) and (7), respectively;
       (v) in paragraph (6), as so redesignated--

       (I) by striking subparagraph (B);
       (II) by striking ``activities--'' and all that follows 
     through ``to ensure'' and inserting ``activities to ensure''; 
     and
       (III) by striking ``attacks; and'' and inserting 
     ``attacks;'';

       (vi) in paragraph (7)(C)(v), as so redesignated--

       (I) in the matter preceding subclause (I), by inserting 
     ``except as otherwise provided,'' before ``require''; and
       (II) in subclause (II)--

       (aa) in the matter preceding item (aa), by striking ``death 
     or disability'' and inserting ``death, disability, or a 
     finding of good cause as determined by the Assistant 
     Secretary (including extreme hardship, extreme need, or the 
     needs of the Office) and for which the Assistant Secretary 
     may grant a waiver of the repayment obligation''; and
       (bb) in item (bb), by adding ``and'' at the end;
       (vii) by striking paragraph (13); and
       (viii) by redesignating paragraph (14) as paragraph (8); 
     and
       (D) by inserting after subsection (b), as so redesignated, 
     the following:
       ``(c) Chemical and Biological Responsibilities.--The 
     Office--
       ``(1) shall be responsible for coordinating with other 
     Federal efforts to enhance the ability of Federal, State, 
     local, and Tribal governments to prevent, detect, mitigate, 
     and protect against the importation, possession, storage, 
     transportation, development, or use of unauthorized chemical 
     and biological materials, devices, or agents against the 
     United States; and
       ``(2) shall--
       ``(A) serve as a primary entity responsible for the efforts 
     of the Department to develop, acquire, deploy, and support 
     the operations of a national biological detection system and 
     improve that system over time;
       ``(B) enhance the chemical and biological detection efforts 
     of Federal, State, local, and Tribal governments and provide 
     guidance, tools, and training to help ensure a managed, 
     coordinated response; and
       ``(C) collaborate with the Department of Health and Human 
     Services, the Office of Health Security of the Department, 
     the Defense Advanced Research Projects Agency, the National 
     Aeronautics and Space Administration, and other relevant 
     Federal stakeholders, and receive input from industry, 
     academia, and the national laboratories on chemical and 
     biological surveillance efforts.'';
       (5) in section 1924 (6 U.S.C. 593), by striking ``section 
     11011 of the Strom Thurmond National Defense Authorization 
     Act for Fiscal Year 1999 (5 U.S.C. 3104 note).'' and 
     inserting ``section 4092 of title 10, United States Code, 
     except that the authority shall be limited to facilitate the 
     recruitment of experts in the chemical, biological, 
     radiological, or nuclear specialties.'';
       (6) in section 1927(a)(1)(C) (6 U.S.C. 596a(a)(1)(C))--
       (A) in clause (i), by striking ``required under section 
     1036 of the National Defense Authorization Act for Fiscal 
     Year 2010'';
       (B) in clause (ii), by striking ``and'' at the end;
       (C) in clause (iii), by striking the period at the end and 
     inserting ``; and''; and
       (D) by adding at the end the following:
       ``(iv) includes any other information regarding national 
     technical nuclear forensics activities carried out under 
     section 1923.'';
       (7) in section 1928 (6 U.S.C. 596b)--
       (A) in subsection (a), by striking ``high-risk urban 
     areas'' and inserting ``jurisdictions designated under 
     subsection (c)'';
       (B) in subsection (c)(1), by striking ``from among high-
     risk urban areas under section 2003'' and inserting ``based 
     on the capability and capacity of the jurisdiction, as well 
     as the relative threat, vulnerability, and consequences from 
     terrorist attacks and other high-consequence events utilizing 
     nuclear or other radiological materials''; and
       (C) by striking subsection (d) and inserting the following:
       ``(d) Report.--Not later than 2 years after the date of 
     enactment of the Offices of Countering Weapons of Mass 
     Destruction and Health Security Act of 2023, the Secretary 
     shall submit to the appropriate congressional committees an 
     update on the STC program.''; and
       (8) by inserting after section 1928 (6 U.S.C. 596b) the 
     following:

     ``SEC. 1929. ACCOUNTABILITY.

       ``(a) Departmentwide Strategy.--
       ``(1) In general.--Not later than 180 days after the date 
     of enactment of the Offices of Countering Weapons of Mass 
     Destruction and Health Security Act of 2023, and every 4 
     years thereafter, the Secretary shall create a Departmentwide 
     strategy and implementation plan to counter weapons of mass 
     destruction and chemical, biological, radiological, nuclear, 
     and other related emerging threats, which should--
       ``(A) have clearly identified authorities, specified roles, 
     objectives, benchmarks, accountability, and timelines;
       ``(B) incorporate the perspectives of non-Federal and 
     private sector partners; and
       ``(C) articulate how the Department will contribute to 
     relevant national-level strategies and work with other 
     Federal agencies.
       ``(2) Consideration.--The Secretary shall appropriately 
     consider weapons of mass destruction and chemical, 
     biological, radiological, nuclear, and other related emerging 
     threats when creating the strategy and implementation plan 
     required under paragraph (1).
       ``(3) Report.--The Office shall submit to the appropriate 
     congressional committees a report on the updated 
     Departmentwide strategy and implementation plan required 
     under paragraph (1).
       ``(b) Departmentwide Biodefense Review and Strategy.--
       ``(1) In general.--Not later than 180 days after the date 
     of enactment of the Offices of Countering Weapons of Mass 
     Destruction and Health Security Act of 2023, the Secretary, 
     in consultation with appropriate stakeholders representing 
     Federal, State, local, Tribal, academic, private sector, and 
     nongovernmental entities, shall conduct a Departmentwide 
     review of biodefense activities and strategies.
       ``(2) Review.--The review required under paragraph (1) 
     shall--
       ``(A) identify with specificity the biodefense lines of 
     effort of the Department, including biodefense lines of 
     effort relating to biodefense roles, responsibilities, and 
     capabilities of components and offices of the Department;
       ``(B) assess how such components and offices coordinate 
     internally and with public and private partners in the 
     biodefense enterprise;
       ``(C) identify any policy, resource, capability, or other 
     gaps in the Department's ability to assess, prevent, protect 
     against, and respond to biological threats;
       ``(D) identify any organizational changes or reforms 
     necessary for the Department to effectively execute its 
     biodefense mission and role, including with respect to public 
     and private partners in the biodefense enterprise; and
       ``(E) assess the risk of high-risk gain-of-function 
     research to the homeland security of the United States and 
     identify the gaps in the response of the Department to that 
     risk.
       ``(3) Strategy.--Not later than 1 year after completion of 
     the review required under paragraph (1), the Secretary shall 
     issue a biodefense strategy for the Department that--
       ``(A) is informed by such review and is aligned with 
     section 1086 of the National Defense Authorization Act for 
     Fiscal Year 2017 (6 U.S.C. 104; relating to the development 
     of a national biodefense strategy and associated 
     implementation plan, including a review and assessment of 
     biodefense policies, practices, programs, and initiatives) or 
     any successor strategy; and
       ``(B) shall--
       ``(i) describe the biodefense mission and role of the 
     Department, as well as how such mission and role relates to 
     the biodefense lines of effort of the Department;
       ``(ii) clarify, as necessary, biodefense roles, 
     responsibilities, and capabilities of the components and 
     offices of the Department involved in the biodefense lines of 
     effort of the Department;
       ``(iii) establish how biodefense lines of effort of the 
     Department are to be coordinated within the Department;
       ``(iv) establish how the Department engages with public and 
     private partners in the biodefense enterprise, including 
     other Federal agencies, national laboratories and sites, and 
     State, local, and Tribal entities, with specificity regarding 
     the frequency and nature of such engagement by Department 
     components and offices with State, local, and Tribal 
     entities; and
       ``(v) include information relating to--

       ``(I) milestones and performance metrics that are specific 
     to the biodefense mission and role of the Department 
     described in clause (i); and
       ``(II) implementation of any operational changes necessary 
     to carry out clauses (iii) and (iv).

       ``(4) Periodic update.--Beginning not later than 5 years 
     after the issuance of the biodefense strategy and 
     implementation plans required under paragraph (3), and not 
     less often than once every 5 years thereafter, the Secretary 
     shall review and update, as necessary, such strategy and 
     plans.
       ``(5) Congressional oversight.--Not later than 30 days 
     after the issuance of the biodefense strategy and 
     implementation plans required under paragraph (3), the 
     Secretary shall brief the Committee on Homeland Security and 
     Governmental Affairs of the Senate and the Committee on 
     Homeland Security of the House of Representatives regarding 
     such strategy and plans.
       ``(c) Employee Morale.--Not later than 180 days after the 
     date of enactment of the Offices of Countering Weapons of 
     Mass Destruction and Health Security Act of 2023, the Office 
     shall submit to and brief the appropriate congressional 
     committees on a strategy and plan to continuously improve 
     morale within the Office.
       ``(d) Comptroller General.--Not later than 1 year after the 
     date of enactment of the Offices of Countering Weapons of 
     Mass Destruction and Health Security Act of 2023, the 
     Comptroller General of the United States shall conduct a 
     review of and brief the appropriate congressional committees 
     on--
       ``(1) the efforts of the Office to prioritize the programs 
     and activities that carry out the mission of the Office, 
     including research and development;
       ``(2) the consistency and effectiveness of stakeholder 
     coordination across the mission of the Office, including 
     operational and support components of the Department and 
     State and local entities; and
       ``(3) the efforts of the Office to manage and coordinate 
     the lifecycle of research and development within the Office 
     and with other components of the Department, including the 
     Science and Technology Directorate.
       ``(e) National Academies of Sciences, Engineering, and 
     Medicine.--
       ``(1) Study.--The Secretary shall enter into an agreement 
     with the National Academies of Sciences, Engineering, and 
     Medicine to conduct a consensus study and report to the 
     Secretary and the appropriate congressional committees on--
       ``(A) the role of the Department in preparing, detecting, 
     and responding to biological and health security threats to 
     the homeland;
       ``(B) recommendations to improve departmental 
     biosurveillance efforts against biological threats, including 
     any relevant biological detection methods and technologies; 
     and
       ``(C) the feasibility of different technological advances 
     for biodetection compared to the cost, risk reduction, and 
     timeliness of those advances.
       ``(2) Briefing.--Not later than 1 year after the date on 
     which the Secretary receives the report required under 
     paragraph (1), the Secretary shall brief the appropriate 
     congressional committees on--
       ``(A) the implementation of the recommendations included in 
     the report; and
       ``(B) the status of biological detection at the Department, 
     and, if applicable, timelines for the transition to updated 
     technology.
       ``(f) Advisory Council.--
       ``(1) Establishment.--Not later than 180 days after the 
     date of enactment of the Offices of Countering Weapons of 
     Mass Destruction and Health Security Act of 2023, the 
     Secretary shall establish an advisory body to advise on the 
     ongoing coordination of the efforts of the Department to 
     counter weapons of mass destruction and chemical, biological, 
     radiological, nuclear, and other related emerging threats, to 
     be known as the Advisory Council for Countering Weapons of 
     Mass Destruction (in this subsection referred to as the 
     `Advisory Council').
       ``(2) Membership.--The members of the Advisory Council 
     shall--
       ``(A) be appointed by the Assistant Secretary; and
       ``(B) to the extent practicable, represent a geographic 
     (including urban and rural) and substantive cross section of 
     officials from State, local, and Tribal governments, 
     academia, the private sector, national laboratories, and 
     nongovernmental organizations, including, as appropriate--
       ``(i) members selected from the emergency management field 
     and emergency response providers;
       ``(ii) State, local, and Tribal government officials;
       ``(iii) experts in the public and private sectors with 
     expertise in chemical, biological, radiological, or nuclear 
     materials, devices, or agents;
       ``(iv) representatives from the national laboratories; and
       ``(v) such other individuals as the Assistant Secretary 
     determines to be appropriate.
       ``(3) Responsibilities.--The Advisory Council shall--
       ``(A) advise the Assistant Secretary on all aspects of 
     countering weapons of mass destruction and chemical, 
     biological, radiological, nuclear, and other related emerging 
     threats;
       ``(B) incorporate State, local, and Tribal government, 
     national laboratories, and private sector input in the 
     development of the strategy and implementation plan of the 
     Department for countering weapons of mass destruction and 
     chemical, biological, radiological, nuclear, and other 
     related emerging threats; and
       ``(C) provide advice on performance criteria for a national 
     biological detection system and review the testing protocol 
     for biological detection prototypes.
       ``(4) Consultation.--To ensure input from and coordination 
     with State, local, and Tribal governments, the Assistant 
     Secretary shall regularly consult and work with the Advisory 
     Council on the administration of Federal assistance provided 
     by the Department, including with respect to the development 
     of requirements of Office programs, as appropriate.
       ``(5) Voluntary service.--The members of the Advisory 
     Council shall serve on the Advisory Council on a voluntary 
     basis.
       ``(6) FACA.--Chapter 10 of title 5, United States Code, 
     shall not apply to the Advisory Council.
       ``(7) Qualifications.--Each member of the Advisory Council 
     shall--
       ``(A) be impartial in any advice provided to the Advisory 
     Council; and
       ``(B) not seek to advance any political position or 
     predetermined conclusion as a member of the Advisory 
     Council.''.
       (b) Countering Weapons of Mass Destruction Act of 2018.--
     Section 2 of the Countering Weapons of Mass Destruction Act 
     of 2018 (Public Law 115-387; 132 Stat. 5162) is amended--
       (1) in subsection (b)(2) (6 U.S.C. 591 note), by striking 
     ``1927'' and inserting ``1926''; and
       (2) in subsection (g) (6 U.S.C. 591 note)--
       (A) in the matter preceding paragraph (1), by striking 
     ``one year after the date of the enactment of this Act, and 
     annually thereafter,'' and inserting ``June 30 of each 
     year,''; and
       (B) in paragraph (2), by striking ``Security, including 
     research and development activities'' and inserting 
     ``Security''.
       (c) Security and Accountability for Every Port Act of 
     2006.--The Security and Accountability for Every Port Act of 
     2006 (Public Law 109-347; 120 Stat. 1884) is amended--
       (1) in section 1(b), by striking the item relating to 
     section 502; and
       (2) by striking section 502 (6 U.S.C. 592a).

     SEC. 6403. RULE OF CONSTRUCTION.

       Nothing in this chapter or the amendments made by this 
     chapter may be construed as modifying any existing authority 
     under any provision of law not expressly amended by this 
     chapter.

                  CHAPTER 2--OFFICE OF HEALTH SECURITY

     SEC. 6404. OFFICE OF HEALTH SECURITY.

       (a) Establishment.--The Homeland Security Act of 2002 (6 
     U.S.C. 101 et seq.) is amended--
       (1) in section 103 (6 U.S.C. 113)--
       (A) in subsection (a)(2)--
       (i) by striking ``the Assistant Secretary for Health 
     Affairs,''; and
       (ii) by striking ``Affairs, or'' and inserting ``Affairs 
     or''; and
       (B) in subsection (d), by adding at the end the following:
       ``(6) A Chief Medical Officer.'';
       (2) by adding at the end the following:

              ``TITLE XXIII--OFFICE OF HEALTH SECURITY'';

       (3) by redesignating section 1931 (6 U.S.C. 597) as section 
     2301 and transferring such section to appear after the 
     heading for title XXIII, as added by paragraph (2);
       (4) in section 2301, as so redesignated--
       (A) in the section heading, by striking ``chief medical 
     officer'' and inserting ``office of health security'';
       (B) by striking subsections (a) and (b) and inserting the 
     following:
       ``(a) In General.--There is established in the Department 
     an Office of Health Security.
       ``(b) Head of Office of Health Security.--The Office of 
     Health Security shall be headed by a chief medical officer, 
     who shall--
       ``(1) be the Assistant Secretary for Health Security and 
     the Chief Medical Officer of the Department;
       ``(2) be a licensed physician possessing a demonstrated 
     ability in and knowledge of medicine and public health;
       ``(3) be appointed by the President; and
       ``(4) report directly to the Secretary.'';
       (C) in subsection (c)--
       (i) in the matter preceding paragraph (1), by striking 
     ``medical issues related to natural disasters, acts of 
     terrorism, and other man-made disasters'' and inserting 
     ``medical activities of the Department and all workforce-
     focused health and safety activities of the Department'';
       (ii) in paragraph (1), by striking ``, the Administrator of 
     the Federal Emergency Management Agency, the Assistant 
     Secretary, and other Department officials'' and inserting 
     ``and all other Department officials'';
       (iii) in paragraph (4), by striking ``and'' at the end;
       (iv) by redesignating paragraph (5) as paragraph (13); and
       (v) by inserting after paragraph (4) the following:
       ``(5) overseeing all medical activities of the Department, 
     including the delivery, advisement, and support of direct 
     patient care and the organization, management, and staffing 
     of component operations that deliver direct patient care;
       ``(6) advising the head of each component of the Department 
     that delivers direct patient care regarding the recruitment 
     and appointment of a component chief medical officer and 
     deputy chief medical officer or the employees who function in 
     the capacity of chief medical officer and deputy chief 
     medical officer;
       ``(7) advising the Secretary and the head of each component 
     of the Department that delivers direct patient care regarding 
     knowledge and skill standards for medical personnel and the 
     assessment of that knowledge and skill;
       ``(8) in coordination with the Chief Privacy Officer of the 
     Department and the Chief Information Officer of the 
     Department, advising the Secretary and the head of each 
     component of the Department that delivers patient care 
     regarding the collection, storage, and oversight of medical 
     records;
       ``(9) with respect to any psychological health counseling 
     or assistance program of the Department, including such a 
     program of a law enforcement, operational, or support 
     component of the Department, advising the head of each such 
     component with such a program regarding--
       ``(A) ensuring such program includes safeguards against 
     adverse actions by such component with respect to any 
     employee solely because the employee identifies a need for 
     psychological health counseling or assistance or receives 
     such assistance;
       ``(B) ensuring such program includes safeguards regarding 
     automatic referrals for employment-related examinations or 
     inquiries that are based solely on an employee who 
     self-identifies a need for psychological health counseling or 
     assistance or receives such counseling or assistance, except 
     that such safeguards shall not prevent a component referral 
     to evaluate the ability of an employee to meet established 
     medical or psychological standards by such component or to 
     evaluate the national security eligibility of the employee;
       ``(C) increasing the availability and number of local 
     psychological health professionals with experience providing 
     psychological support services to personnel;
       ``(D) establishing a behavioral health curriculum for 
     employees at the beginning of their careers to provide 
     resources early regarding the importance of psychological 
     health;
       ``(E) establishing periodic management training on crisis 
     intervention and such component's psychological health 
     counseling or assistance program;
       ``(F) improving any associated existing employee peer 
     support programs, including by making additional training and 
     resources available for peer support personnel in the 
     workplace across such component;
       ``(G) developing and implementing a voluntary alcohol 
     treatment program that includes a safe harbor for employees 
     who seek treatment;
       ``(H) prioritizing, as appropriate, expertise in the 
     provision of psychological health counseling and assistance 
     for certain populations of the workforce, such as employees 
     serving in positions within law enforcement, to help improve 
     outcomes for those employees receiving that counseling or 
     assistance; and
       ``(I) including, when appropriate, collaborating and 
     partnering with key employee stakeholders and, for those 
     components with employees with an exclusive representative, 
     the exclusive representative with respect to such a program;
       ``(10) in consultation with the Chief Information Officer 
     of the Department--
       ``(A) identifying methods and technologies for managing, 
     updating, and overseeing patient records; and
       ``(B) setting standards for technology used by the 
     components of the Department regarding the collection, 
     storage, and oversight of medical records;
       ``(11) advising the Secretary and the head of each 
     component of the Department that delivers direct patient care 
     regarding contracts for the delivery of direct patient care, 
     other medical services, and medical supplies;
       ``(12) coordinating with--
       ``(A) the Countering Weapons of Mass Destruction Office;
       ``(B) other components of the Department as directed by the 
     Secretary;
       ``(C) Federal agencies, including the Department of 
     Agriculture, the Department of Health and Human Services, the 
     Department of State, and the Department of Transportation;
       ``(D) State, local, and Tribal governments; and
       ``(E) the medical community; and''; and
       (D) by adding at the end the following:
       ``(d) Assistance and Agreements.--The Secretary, acting 
     through the Chief Medical Officer, in support of the medical 
     activities of the Department, may--
       ``(1) provide technical assistance, training, and 
     information to State, local, and Tribal governments and 
     nongovernmental organizations;
       ``(2) enter into agreements with other Federal agencies; 
     and
       ``(3) accept services from personnel of components of the 
     Department and other Federal agencies on a reimbursable or 
     nonreimbursable basis.
       ``(e) Office of Health Security Privacy Officer.--There 
     shall be a Privacy Officer in the Office of Health Security 
     with primary responsibility for privacy policy and compliance 
     within the Office, who shall--
       ``(1) report directly to the Chief Medical Officer; and
       ``(2) ensure privacy protections are integrated into all 
     Office of Health Security activities, subject to the review 
     and approval of the Chief Privacy Officer of the Department 
     to the extent consistent with the authority of the Chief 
     Privacy Officer of the Department under section 222.
       ``(f) Accountability.--
       ``(1) Strategy and implementation plan.--Not later than 180 
     days after the date of enactment of this subsection, and 
     every 4 years thereafter, the Secretary shall create a 
     Departmentwide strategy and implementation plan to address 
     medical activities of, and the workforce health and safety 
     matters under the purview of, the Department.
       ``(2) Briefing.--Not later than 90 days after the date of 
     enactment of this subsection, the Secretary shall brief the 
     appropriate congressional committees on the organizational 
     transformations of the Office of Health Security, including 
     how best practices were used in the creation of the Office of 
     Health Security.'';
       (5) by redesignating section 710 (6 U.S.C. 350) as section 
     2302 and transferring such section to appear after section 
     2301, as so redesignated;
       (6) in section 2302, as so redesignated--
       (A) in the section heading, by striking ``medical support'' 
     and inserting ``safety'';
       (B) in subsection (a), by striking ``Under Secretary for 
     Management'' each place that term appears and inserting 
     ``Chief Medical Officer''; and
       (C) in subsection (b)--
       (i) in the matter preceding paragraph (1), by striking 
     ``Under Secretary for Management, in coordination with the 
     Chief Medical Officer,'' and inserting ``Chief Medical 
     Officer''; and
       (ii) in paragraph (3), by striking ``as deemed appropriate 
     by the Under Secretary,'';
       (7) by redesignating section 528 (6 U.S.C. 321q) as section 
     2303 and transferring such section to appear after section 
     2302, as so redesignated;
       (8) in section 2303, as so redesignated--
       (A) in subsection (a), by striking ``Assistant Secretary 
     for the Countering Weapons of Mass Destruction Office'' and 
     inserting ``Chief Medical Officer''; and
       (B) in subsection (b)--
       (i) in paragraph (1), by striking ``Homeland Security 
     Presidential Directive 9-Defense of the United States 
     Agriculture and Food'' and inserting ``National Security 
     Memorandum 16--Strengthening the Security and Resilience of 
     the United States Food and Agriculture''; and
       (ii) in paragraph (6), by inserting ``the Department of 
     Agriculture and other'' before ``appropriate'';
       (9) by redesignating section 1932 (6 U.S.C. 597a) as 
     section 2304 and transferring such section to appear after 
     section 2303, as so redesignated;
       (10) in section 2304(f)(2)(B), as so redesignated, by 
     striking ``Office of the Assistant Secretary for Preparedness 
     and Response'' and inserting ``Administration for Strategic 
     Preparedness and Response''; and
       (11) by inserting after section 2304, as so redesignated, 
     the following:

     ``SEC. 2305. RULES OF CONSTRUCTION.

       ``Nothing in this title shall be construed to--
       ``(1) override or otherwise affect the requirements 
     described in section 888;
       ``(2) require the advice of the Chief Medical Officer on 
     the appointment of Coast Guard officers or the officer from 
     the Public Health Service of the Department of Health and 
     Human Services assigned to the Coast Guard;
       ``(3) provide the Chief Medical Officer with authority to 
     take any action that would diminish the interoperability of 
     the Coast Guard medical system with the medical systems of 
     the other branches of the Armed Forces of the United States; 
     or
       ``(4) affect or diminish the authority of the Secretary of 
     Health and Human Services or to grant to the Chief Medical 
     Officer any authority that is vested in, or delegated to, the 
     Secretary of Health and Human Services.''.
       (b) Transition and Transfers.--
       (1) Transition.--The individual appointed pursuant to 
     section 1931 of the Homeland Security Act of 2002 (6 U.S.C. 
     597) of the Department of Homeland Security, as in effect on 
     the day before the date of enactment of this 
     Act, and serving as the Chief Medical Officer of the 
     Department of Homeland Security on the day before the date of 
     enactment of this Act, shall continue to serve as the Chief 
     Medical Officer of the Department on and after the date of 
     enactment of this Act without the need for reappointment.
       (2) Transfer.--The Secretary of Homeland Security shall 
     transfer to the Chief Medical Officer of the Department of 
     Homeland Security--
       (A) all functions, personnel, budget authority, and assets 
     of the Under Secretary for Management relating to workforce 
     health and safety, as in existence on the day before the date 
     of enactment of this Act;
       (B) all functions, personnel, budget authority, and assets 
     of the Assistant Secretary for the Countering Weapons of Mass 
     Destruction Office relating to the Chief Medical Officer, 
     including the Medical Operations Directorate of the 
     Countering Weapons of Mass Destruction Office, as in 
     existence on the day before the date of enactment of this 
     Act; and
       (C) all functions, personnel, budget authority, and assets 
     of the Assistant Secretary for the Countering Weapons of Mass 
     Destruction Office associated with the efforts pertaining to 
     the program coordination activities relating to defending the 
     food, agriculture, and veterinary defenses of the Office, as 
     in existence on the day before the date of enactment of this 
     Act.

     SEC. 6405. CONFIDENTIALITY OF MEDICAL QUALITY ASSURANCE 
                   RECORDS.

       Title XXIII of the Homeland Security Act of 2002, as added 
     by this chapter, is amended by adding at the end the 
     following:

     ``SEC. 2306. CONFIDENTIALITY OF MEDICAL QUALITY ASSURANCE 
                   RECORDS.

       ``(a) Definitions.--In this section:
       ``(1) Health care provider.--The term `health care 
     provider' means an individual who--
       ``(A) is--
       ``(i) an employee of the Department;
       ``(ii) a detailee to the Department from another Federal 
     agency;
       ``(iii) a personal services contractor of the Department; 
     or
       ``(iv) hired under a contract for services with the 
     Department;
       ``(B) performs health care services as part of duties of 
     the individual in that capacity; and
       ``(C) has a current, valid, and unrestricted license or 
     certification--
       ``(i) that is issued by a State; and
       ``(ii) that is for the practice of medicine, osteopathic 
     medicine, dentistry, nursing, emergency medical services, or 
     another health profession.
       ``(2) Medical quality assurance program.--The term `medical 
     quality assurance program' means any activity carried out on 
     or after the date of enactment of this section by the 
     Department to assess the quality of medical care, including 
     activities conducted by individuals, committees, or other 
     review bodies responsible for quality assurance, credentials, 
     infection control, incident reporting, the delivery, 
     advisement, and support of direct patient care and assessment 
     (including treatment procedures, blood, drugs, and 
     therapeutics), medical records, health resources management 
     review, or identification and prevention of medical, mental 
     health, or dental incidents and risks.
       ``(3) Medical quality assurance record of the department.--
     The term `medical quality assurance record of the Department' 
     means the proceedings, records (including patient records 
     that the Department creates and maintains as part of a system 
     of records), minutes, and reports that--
       ``(A) emanate from quality assurance program activities 
     described in paragraph (2); and
       ``(B) are produced or compiled by the Department as part of 
     a medical quality assurance program.
       ``(b) Confidentiality of Records.--A medical quality 
     assurance record of the Department that is created as part of 
     a medical quality assurance program--
       ``(1) is confidential and privileged; and
       ``(2) except as provided in subsection (d), may not be 
     disclosed to any person or entity.
       ``(c) Prohibition on Disclosure and Testimony.--Except as 
     otherwise provided in this section--
       ``(1) no part of any medical quality assurance record of 
     the Department may be subject to discovery or admitted into 
     evidence in any judicial or administrative proceeding; and
       ``(2) an individual who reviews or creates a medical 
     quality assurance record of the Department or who 
     participates in any proceeding that reviews or creates a 
     medical quality assurance record of the Department may not be 
     permitted or required to testify in any judicial or 
     administrative proceeding with respect to such record or with 
     respect to any finding, recommendation, evaluation, opinion, 
     or action taken by such individual in connection with such 
     record.
       ``(d) Authorized Disclosure and Testimony.--
       ``(1) In general.--Subject to paragraph (2), a medical 
     quality assurance record of the Department may be disclosed, 
     and a person described in subsection (c)(2) may give 
     testimony in connection with the record, only as follows:
       ``(A) To a Federal agency or private organization, if such 
     medical quality assurance record of the Department or 
     testimony is needed by the Federal agency or private 
     organization to--
       ``(i) perform licensing or accreditation functions related 
     to Department health care facilities, a facility affiliated 
     with the Department, or any other location authorized by the 
     Secretary for the performance of health care services; or
       ``(ii) perform monitoring, required by law, of Department 
     health care facilities, a facility affiliated with the 
     Department, or any other location authorized by the Secretary 
     for the performance of health care services.
       ``(B) To an administrative or judicial proceeding 
     concerning an adverse action related to the credentialing of 
     or health care provided by a present or former health care 
     provider by the Department.
       ``(C) To a governmental board or agency or to a 
     professional health care society or organization, if such 
     medical quality assurance record of the Department or 
     testimony is needed by the board, agency, society, or 
     organization to perform licensing, credentialing, or the 
     monitoring of professional standards with respect to any 
     health care provider who is or was a health care provider for 
     the Department.
       ``(D) To a hospital, medical center, or other institution 
     that provides health care services, if such medical quality 
     assurance record of the Department or testimony is needed by 
     such institution to assess the professional qualifications of 
     any health care provider who is or was a health care provider 
     for the Department and who has applied for or been granted 
     authority or employment to provide health care services in or 
     on behalf of the institution.
       ``(E) To an employee, a detailee, or a contractor of the 
     Department who has a need for such medical quality assurance 
     record of the Department or testimony to perform official 
     duties or duties within the scope of their employment or 
     contract.
       ``(F) To a criminal or civil law enforcement agency or 
     instrumentality charged under applicable law with the 
     protection of the public health or safety, if a qualified 
     representative of the agency or instrumentality makes a 
     written request that such medical quality assurance record of 
     the Department or testimony be provided for a purpose 
     authorized by law.
       ``(G) In an administrative or judicial proceeding commenced 
     by a criminal or civil law enforcement agency or 
     instrumentality described in subparagraph (F), but only with 
     respect to the subject of the proceeding.
       ``(2) Personally identifiable information.--
       ``(A) In general.--With the exception of the subject of a 
     quality assurance action, personally identifiable information 
     of any person receiving health care services from the 
     Department or of any other person associated with the 
     Department for purposes of a medical quality assurance 
     program that is disclosed in a medical quality assurance 
     record of the Department shall be deleted from that record 
     before any disclosure of the record is made outside the 
     Department.
       ``(B) Application.--The requirement under subparagraph (A) 
     shall not apply to the release of information that is 
     permissible under section 552a of title 5, United States Code 
     (commonly known as the `Privacy Act of 1974').
       ``(e) Disclosure for Certain Purposes.--Nothing in this 
     section shall be construed--
       ``(1) to authorize or require the withholding from any 
     person or entity de-identified aggregate statistical 
     information regarding the results of medical quality 
     assurance programs, under de-identification standards 
     developed by the Secretary in consultation with the Secretary 
     of Health and Human Services, as appropriate, that is 
     released in a manner in accordance with all other applicable 
     legal requirements; or
       ``(2) to authorize the withholding of any medical quality 
     assurance record of the Department from a committee of either 
     House of Congress, any joint committee of Congress, or the 
     Comptroller General of the United States if the record 
     pertains to any matter within their respective jurisdictions.
       ``(f) Prohibition on Disclosure of Information, Records, or 
     Testimony.--A person or entity having possession of or access 
     to a medical quality assurance record of the Department or 
     testimony described in this section may not disclose the 
     contents of the record or testimony in any manner or for any 
     purpose except as provided in this section.
       ``(g) Exemption From Freedom of Information Act.--A medical 
     quality assurance record of the Department shall be exempt 
     from disclosure under section 552(b)(3) of title 5, United 
     States Code.
       ``(h) Limitation on Civil Liability.--A person who 
     participates in the review or creation of, or provides 
     information to a person or body that reviews or creates, a 
     medical quality assurance record of the Department shall not 
     be civilly liable under this section for that participation 
     or for providing that information if the participation or 
     provision of information was--
       ``(1) provided in good faith based on prevailing 
     professional standards at the time the medical quality 
     assurance program activity took place; and
       ``(2) made in accordance with any other applicable legal 
     requirement, including Federal privacy laws and regulations.
       ``(i) Application to Information in Certain Other 
     Records.--Nothing in this section shall be construed as 
     limiting access to the information in a record created and 
     maintained outside a medical quality assurance program, 
     including the medical record

[[Page S2838]]

     of a patient, on the grounds that the information was 
     presented during meetings of a review body that are part of a 
     medical quality assurance program.
       ``(j) Penalty.--Any person who willfully discloses a 
     medical quality assurance record of the Department other than 
     as provided in this section, knowing that the record is a 
     medical quality assurance record of the Department shall be 
     fined not more than $3,000 in the case of a first offense and 
     not more than $20,000 in the case of a subsequent offense.
       ``(k) Relationship to Coast Guard.--The requirements of 
     this section shall not apply to any medical quality assurance 
     record of the Department that is created by or for the Coast 
     Guard as part of a medical quality assurance program.
       ``(l) Continued Protection.--Disclosure under subsection 
     (d) does not permit redisclosure except to the extent the 
     further disclosure is authorized under subsection (d) or is 
     otherwise authorized to be disclosed under this section.
       ``(m) Relationship to Other Law.--This section shall 
     continue in force and effect, except as otherwise 
     specifically provided in any Federal law enacted after the 
     date of enactment of this Act.
       ``(n) Rule of Construction.--Nothing in this section shall 
     be construed to supersede the requirements of--
       ``(1) the Health Insurance Portability and Accountability 
     Act of 1996 (Public Law 104-191; 110 Stat. 1936) and its 
     implementing regulations;
       ``(2) part 1 of subtitle D of title XIII of the Health 
     Information Technology for Economic and Clinical Health Act 
     (42 U.S.C. 17931 et seq.) and its implementing regulations; 
     or
       ``(3) sections 921 through 926 of the Public Health Service 
     Act (42 U.S.C. 299b-21 through 299b-26) and their 
     implementing regulations.''.

     SEC. 6406. TECHNICAL AND CONFORMING AMENDMENTS.

       The Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is 
     amended--
       (1) in the table of contents in section 1(b) (Public Law 
     107-296; 116 Stat. 2135)--
       (A) by striking the items relating to sections 528 and 529 
     and inserting the following:

``Sec. 528. Transfer of equipment during a public health emergency.'';
       (B) by striking the items relating to sections 710, 711, 
     712, and 713 and inserting the following:

``Sec. 710. Employee engagement.
``Sec. 711. Annual employee award program.
``Sec. 712. Acquisition professional career program.'';
       (C) by inserting after the item relating to section 1928 
     the following:

``Sec. 1929. Accountability.'';
       (D) by striking the items relating to subtitle C of title 
     XIX and sections 1931 and 1932; and
       (E) by adding at the end the following:

                ``TITLE XXIII--OFFICE OF HEALTH SECURITY

``Sec. 2301. Office of Health Security.
``Sec. 2302. Workforce health and safety.
``Sec. 2303. Coordination of Department of Homeland Security efforts 
              related to food, agriculture, and veterinary defense 
              against terrorism.
``Sec. 2304. Medical countermeasures.
``Sec. 2305. Rules of construction.
``Sec. 2306. Confidentiality of medical quality assurance records.'';
       (2) by redesignating section 529 (6 U.S.C. 321r) as section 
     528;
       (3) in section 704(e)(4) (6 U.S.C. 344(e)(4)), by striking 
     ``section 711(a)'' and inserting ``section 710(a))'';
       (4) by redesignating sections 711, 712, and 713 as sections 
     710, 711, and 712, respectively;
       (5) in section subsection (d)(3) of section 1923(d)(3) (6 
     U.S.C. 592), as so redesignated--
       (A) in the paragraph heading, by striking ``Hawaiian 
     native-serving'' and inserting ``Native hawaiian-serving''; 
     and
       (B) by striking ``Hawaiian native-serving'' and inserting 
     `` `Native Hawaiian-serving''; and
       (6) by striking the subtitle heading for subtitle C of 
     title XIX.

     TITLE LXV--PROTECTING OUR DOMESTIC WORKFORCE AND SUPPLY CHAIN

            Subtitle A--American Security Drone Act of 2023

     SEC. 6501. SHORT TITLE.

       This subtitle may be cited as the ``American Security Drone 
     Act of 2023''.

     SEC. 6502. DEFINITIONS.

       In this subtitle:
       (1) Covered foreign entity.--The term ``covered foreign 
     entity'' means an entity included on a list developed and 
     maintained by the Federal Acquisition Security Council and 
     published in the System for Award Management (SAM). This list 
     will include entities in the following categories:
       (A) An entity included on the Consolidated Screening List.
       (B) Any entity that is subject to extrajudicial direction 
     from a foreign government, as determined by the Secretary of 
     Homeland Security.
       (C) Any entity the Secretary of Homeland Security, in 
     coordination with the Attorney General, Director of National 
     Intelligence, and the Secretary of Defense, determines poses 
     a national security risk.
       (D) Any entity domiciled in the People's Republic of China 
     or subject to influence or control by the Government of the 
     People's Republic of China or the Communist Party of the 
     People's Republic of China, as determined by the Secretary of 
     Homeland Security.
       (E) Any subsidiary or affiliate of an entity described in 
     subparagraphs (A) through (D).
       (2) Covered unmanned aircraft system.--The term ``covered 
     unmanned aircraft system'' has the meaning given the term 
     ``unmanned aircraft system'' in section 44801 of title 49, 
     United States Code.
       (3) Intelligence; intelligence community.--The terms 
     ``intelligence'' and ``intelligence community'' have the 
     meanings given those terms in section 3 of the National 
     Security Act of 1947 (50 U.S.C. 3003).

     SEC. 6503. PROHIBITION ON PROCUREMENT OF COVERED UNMANNED 
                   AIRCRAFT SYSTEMS FROM COVERED FOREIGN ENTITIES.

       (a) In General.--Except as provided under subsections (b) 
     through (f), the head of an executive agency may not procure 
     any covered unmanned aircraft system that is manufactured or 
     assembled by a covered foreign entity, which includes 
     associated elements related to the collection and 
     transmission of sensitive information (consisting of 
     communication links and the components that control the 
     unmanned aircraft) that enable the operator to operate the 
     aircraft in the National Airspace System. The Federal 
     Acquisition Security Council, in coordination with the 
     Secretary of Transportation, shall develop and update a list 
     of associated elements.
       (b) Exemption.--The Secretary of Homeland Security, the 
     Secretary of Defense, the Director of National Intelligence, 
     and the Attorney General are exempt from the restriction 
     under subsection (a) if the procurement is required in the 
     national interest of the United States and--
       (1) is for the sole purposes of research, evaluation, 
     training, testing, or analysis for electronic warfare, 
     information warfare operations, cybersecurity, or development 
     of unmanned aircraft system or counter-unmanned aircraft 
     system technology;
       (2) is for the sole purposes of conducting counterterrorism 
     or counterintelligence activities, protective missions, or 
     Federal criminal or national security investigations, 
     including forensic examinations, or for electronic warfare, 
     information warfare operations, cybersecurity, or development 
     of an unmanned aircraft system or counter-unmanned aircraft 
     system technology; or
       (3) is an unmanned aircraft system that, as procured or as 
     modified after procurement but before operational use, can no 
     longer transfer to, or download data from, a covered foreign 
     entity and otherwise poses no national security cybersecurity 
     risks as determined by the exempting official.
       (c) Department of Transportation and Federal Aviation 
     Administration Exemption.--The Secretary of Transportation is 
     exempt from the restriction under subsection (a) if the 
     operation or procurement is deemed to support the safe, 
     secure, or efficient operation of the National Airspace 
     System or maintenance of public safety, including activities 
     carried out under the Federal Aviation Administration's 
     Alliance for System Safety of UAS through Research Excellence 
     (ASSURE) Center of Excellence (COE) and any other activity 
     deemed to support the safe, secure, or efficient operation of 
     the National Airspace System or maintenance of public safety, 
     as determined by the Secretary or the Secretary's designee.
       (d) National Transportation Safety Board Exemption.--The 
     National Transportation Safety Board, in consultation with 
     the Secretary of Homeland Security, is exempt from the 
     restriction under subsection (a) if the operation or 
     procurement is necessary for the sole purpose of conducting 
     safety investigations.
       (e) National Oceanic and Atmospheric Administration 
     Exemption.--The Administrator of the National Oceanic and 
     Atmospheric Administration (NOAA), in consultation with the 
     Secretary of Homeland Security, is exempt from the 
     restriction under subsection (a) if the procurement is 
     necessary for the purpose of meeting NOAA's science or 
     management objectives or operational mission.
       (f) Waiver.--The head of an executive agency may waive the 
     prohibition under subsection (a) on a case-by-case basis--
       (1) with the approval of the Director of the Office of 
     Management and Budget, after consultation with the Federal 
     Acquisition Security Council; and
       (2) upon notification to--
       (A) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       (B) the Committee on Oversight and Reform in the House of 
     Representatives; and
       (C) other appropriate congressional committees of 
     jurisdiction.

     SEC. 6504. PROHIBITION ON OPERATION OF COVERED UNMANNED 
                   AIRCRAFT SYSTEMS FROM COVERED FOREIGN ENTITIES.

       (a) Prohibition.--
       (1) In general.--Beginning on the date that is two years 
     after the date of the enactment of this Act, no Federal 
     department or agency may operate a covered unmanned aircraft 
     system manufactured or assembled by a covered foreign entity.
       (2) Applicability to contracted services.--The prohibition 
     under paragraph (1) applies to any covered unmanned aircraft 
     systems that are being used by any executive agency through 
     the method of contracting for the services of covered 
     unmanned aircraft systems.
       (b) Exemption.--The Secretary of Homeland Security, the 
     Secretary of Defense, the

[[Page S2839]]

     Director of National Intelligence, and the Attorney General 
     are exempt from the restriction under subsection (a) if the 
     operation is required in the national interest of the United 
     States and--
       (1) is for the sole purposes of research, evaluation, 
     training, testing, or analysis for electronic warfare, 
     information warfare operations, cybersecurity, or development 
     of unmanned aircraft system or counter-unmanned aircraft 
     system technology;
       (2) is for the sole purposes of conducting counterterrorism 
     or counterintelligence activities, protective missions, or 
     Federal criminal or national security investigations, 
     including forensic examinations, or for electronic warfare, 
     information warfare operations, cybersecurity, or development 
     of an unmanned aircraft system or counter-unmanned aircraft 
     system technology; or
       (3) is an unmanned aircraft system that, as procured or as 
     modified after procurement but before operational use, can no 
     longer transfer to, or download data from, a covered foreign 
     entity and otherwise poses no national security cybersecurity 
     risks as determined by the exempting official.
       (c) Department of Transportation and Federal Aviation 
     Administration Exemption.--The Secretary of Transportation is 
     exempt from the restriction under subsection (a) if the 
     operation is deemed to support the safe, secure, or efficient 
     operation of the National Airspace System or maintenance of 
     public safety, including activities carried out under the 
     Federal Aviation Administration's Alliance for System Safety 
     of UAS through Research Excellence (ASSURE) Center of 
     Excellence (COE) and any other activity deemed to support the 
     safe, secure, or efficient operation of the National Airspace 
     System or maintenance of public safety, as determined by the 
     Secretary or the Secretary's designee.
       (d) National Transportation Safety Board Exemption.--The 
     National Transportation Safety Board, in consultation with 
     the Secretary of Homeland Security, is exempt from the 
     restriction under subsection (a) if the operation is 
     necessary for the sole purpose of conducting safety 
     investigations.
       (e) National Oceanic and Atmospheric Administration 
     Exemption.--The Administrator of the National Oceanic and 
     Atmospheric Administration (NOAA), in consultation with the 
     Secretary of Homeland Security, is exempt from the 
     restriction under subsection (a) if the procurement is 
     necessary for the purpose of meeting NOAA's science or 
     management objectives or operational mission.
       (f) Waiver.--The head of an executive agency may waive the 
     prohibition under subsection (a) on a case-by-case basis--
       (1) with the approval of the Director of the Office of 
     Management and Budget, after consultation with the Federal 
     Acquisition Security Council; and
       (2) upon notification to--
       (A) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       (B) the Committee on Oversight and Reform in the House of 
     Representatives; and
       (C) other appropriate congressional committees of 
     jurisdiction.
       (g) Regulations and Guidance.--Not later than 180 days 
     after the date of the enactment of this Act, the Secretary of 
     Homeland Security, in consultation with the Attorney General 
     and the Secretary of Transportation, shall prescribe 
     regulations or guidance to implement this section.

     SEC. 6505. PROHIBITION ON USE OF FEDERAL FUNDS FOR 
                   PROCUREMENT AND OPERATION OF COVERED UNMANNED 
                   AIRCRAFT SYSTEMS FROM COVERED FOREIGN ENTITIES.

       (a) In General.--Beginning on the date that is two years 
     after the date of the enactment of this Act, except as 
     provided in subsection (b), no Federal funds awarded through 
     a contract, grant, or cooperative agreement, or otherwise 
     made available may be used--
       (1) to procure a covered unmanned aircraft system that is 
     manufactured or assembled by a covered foreign entity; or
       (2) in connection with the operation of such a drone or 
     unmanned aircraft system.
       (b) Exemption.--The Secretary of Homeland Security, the 
     Secretary of Defense, the Director of National Intelligence, 
     and the Attorney General are exempt from the restriction 
     under subsection (a) if the procurement or operation is 
     required in the national interest of the United States and--
       (1) is for the sole purposes of research, evaluation, 
     training, testing, or analysis for electronic warfare, 
     information warfare operations, cybersecurity, or development 
     of unmanned aircraft system or counter-unmanned aircraft 
     system technology;
       (2) is for the sole purposes of conducting counterterrorism 
     or counterintelligence activities, protective missions, or 
     Federal criminal or national security investigations, 
     including forensic examinations, or for electronic warfare, 
     information warfare operations, cybersecurity, or development 
     of an unmanned aircraft system or counter-unmanned aircraft 
     system technology; or
       (3) is an unmanned aircraft system that, as procured or as 
     modified after procurement but before operational use, can no 
     longer transfer to, or download data from, a covered foreign 
     entity and otherwise poses no national security cybersecurity 
     risks as determined by the exempting official.
       (c) Department of Transportation and Federal Aviation 
     Administration Exemption.--The Secretary of Transportation is 
     exempt from the restriction under subsection (a) if the 
     operation or procurement is deemed to support the safe, 
     secure, or efficient operation of the National Airspace 
     System or maintenance of public safety, including activities 
     carried out under the Federal Aviation Administration's 
     Alliance for System Safety of UAS through Research Excellence 
     (ASSURE) Center of Excellence (COE) and any other activity 
     deemed to support the safe, secure, or efficient operation of 
     the National Airspace System or maintenance of public safety, 
     as determined by the Secretary or the Secretary's designee.
       (d) National Oceanic and Atmospheric Administration 
     Exemption.--The Administrator of the National Oceanic and 
     Atmospheric Administration (NOAA), in consultation with the 
     Secretary of Homeland Security, is exempt from the 
     restriction under subsection (a) if the operation or 
     procurement is necessary for the purpose of meeting NOAA's 
     science or management objectives or operational mission.
       (e) Waiver.--The head of an executive agency may waive the 
     prohibition under subsection (a) on a case-by-case basis--
       (1) with the approval of the Director of the Office of 
     Management and Budget, after consultation with the Federal 
     Acquisition Security Council; and
       (2) upon notification to--
       (A) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       (B) the Committee on Oversight and Reform in the House of 
     Representatives; and
       (C) other appropriate congressional committees of 
     jurisdiction.
       (f) Regulations.--Not later than 180 days after the date of 
     the enactment of this Act, the Federal Acquisition Regulatory 
     Council shall prescribe regulations or guidance, as 
     necessary, to implement the requirements of this section 
     pertaining to Federal contracts.

     SEC. 6506. PROHIBITION ON USE OF GOVERNMENT-ISSUED PURCHASE 
                   CARDS TO PURCHASE COVERED UNMANNED AIRCRAFT 
                   SYSTEMS FROM COVERED FOREIGN ENTITIES.

       Effective immediately, Government-issued Purchase Cards may 
     not be used to procure any covered unmanned aircraft system 
     from a covered foreign entity.

     SEC. 6507. MANAGEMENT OF EXISTING INVENTORIES OF COVERED 
                   UNMANNED AIRCRAFT SYSTEMS FROM COVERED FOREIGN 
                   ENTITIES.

       (a) In General.--All executive agencies must account for 
     existing inventories of covered unmanned aircraft systems 
     manufactured or assembled by a covered foreign entity in 
     their personal property accounting systems, within one year 
     of the date of enactment of this Act, regardless of the 
     original procurement cost, or the purpose of procurement due 
     to the special monitoring and accounting measures necessary 
     to track the items' capabilities.
       (b) Classified Tracking.--Due to the sensitive nature of 
     missions and operations conducted by the United States 
     Government, inventory data related to covered unmanned 
     aircraft systems manufactured or assembled by a covered 
     foreign entity may be tracked at a classified level, as 
     determined by the Secretary of Homeland Security or the 
     Secretary's designee.
       (c) Exceptions.--The Department of Defense, the Department 
     of Homeland Security, the Department of Justice, the 
     Department of Transportation, and the National Oceanic and 
     Atmospheric Administration may exclude from the full 
     inventory process, covered unmanned aircraft systems that are 
     deemed expendable due to mission risk such as recovery 
     issues, or that are one-time-use covered unmanned aircraft 
     due to requirements and low cost.

     SEC. 6508. COMPTROLLER GENERAL REPORT.

       Not later than 275 days after the date of the enactment of 
     this Act, the Comptroller General of the United States shall 
     submit to Congress a report on the amount of commercial off-
     the-shelf drones and covered unmanned aircraft systems 
     procured by Federal departments and agencies from covered 
     foreign entities.

     SEC. 6509. GOVERNMENT-WIDE POLICY FOR PROCUREMENT OF UNMANNED 
                   AIRCRAFT SYSTEMS.

       (a) In General.--Not later than 180 days after the date of 
     the enactment of this Act, the Director of the Office of 
     Management and Budget, in coordination with the Department of 
     Homeland Security, Department of Transportation, the 
     Department of Justice, and other Departments as determined by 
     the Director of the Office of Management and Budget, and in 
     consultation with the National Institute of Standards and 
     Technology, shall establish a government-wide policy for the 
     procurement of an unmanned aircraft system--
       (1) for non-Department of Defense and non-intelligence 
     community operations; and
       (2) through grants and cooperative agreements entered into 
     with non-Federal entities.
       (b) Information Security.--The policy developed under 
     subsection (a) shall include the following specifications, 
     which to the extent practicable, shall be based on industry 
     standards and technical guidance from the National Institute 
     of Standards and Technology, to address the risks associated 
     with processing, storing, and transmitting Federal 
     information in an unmanned aircraft system:
       (1) Protections to ensure controlled access to an unmanned 
     aircraft system.
       (2) Protecting software, firmware, and hardware by ensuring 
     changes to an unmanned aircraft system are properly managed, 
     including by ensuring an unmanned

[[Page S2840]]

     aircraft system can be updated using a secure, controlled, 
     and configurable mechanism.
       (3) Cryptographically securing sensitive collected, stored, 
     and transmitted data, including proper handling of privacy 
     data and other controlled unclassified information.
       (4) Appropriate safeguards necessary to protect sensitive 
     information, including during and after use of an unmanned 
     aircraft system.
       (5) Appropriate data security to ensure that data is not 
     transmitted to or stored in non-approved locations.
       (6) The ability to opt out of the uploading, downloading, 
     or transmitting of data that is not required by law or 
     regulation and an ability to choose with whom and where 
     information is shared when it is required.
       (c) Requirement.--The policy developed under subsection (a) 
     shall reflect an appropriate risk-based approach to 
     information security related to use of an unmanned aircraft 
     system.
       (d) Revision of Acquisition Regulations.--Not later than 
     180 days after the date on which the policy required under 
     subsection (a) is issued--
       (1) the Federal Acquisition Regulatory Council shall revise 
     the Federal Acquisition Regulation, as necessary, to 
     implement the policy; and
       (2) any Federal department or agency or other Federal 
     entity not subject to, or not subject solely to, the Federal 
     Acquisition Regulation shall revise applicable policy, 
     guidance, or regulations, as necessary, to implement the 
     policy.
       (e) Exemption.--In developing the policy required under 
     subsection (a), the Director of the Office of Management and 
     Budget shall--
       (1) incorporate policies to implement the exemptions 
     contained in this subtitle; and
       (2) incorporate an exemption to the policy in the case of a 
     head of the procuring department or agency determining, in 
     writing, that no product that complies with the information 
     security requirements described in subsection (b) is capable 
     of fulfilling mission critical performance requirements, and 
     such determination--
       (A) may not be delegated below the level of the Deputy 
     Secretary, or Administrator, of the procuring department or 
     agency;
       (B) shall specify--
       (i) the quantity of end items to which the waiver applies 
     and the procurement value of those items; and
       (ii) the time period over which the waiver applies, which 
     shall not exceed three years;
       (C) shall be reported to the Office of Management and 
     Budget following issuance of such a determination; and
       (D) not later than 30 days after the date on which the 
     determination is made, shall be provided to the Committee on 
     Homeland Security and Governmental Affairs of the Senate and 
     the Committee on Oversight and Reform of the House of 
     Representatives.

     SEC. 6510. STATE, LOCAL, AND TERRITORIAL LAW ENFORCEMENT AND 
                   EMERGENCY SERVICE EXEMPTION.

       (a) Rule of Construction.--Nothing in this subtitle shall 
     prevent a State, local, or territorial law enforcement or 
     emergency service agency from procuring or operating a 
     covered unmanned aircraft system purchased with non-Federal 
     dollars.
       (b) Continuity of Arrangements.--The Federal Government may 
     continue entering into contracts, grants, and cooperative 
     agreements or other Federal funding instruments with State, 
     local, or territorial law enforcement or emergency service 
     agencies under which a covered unmanned aircraft system will 
     be purchased or operated if the agency has received approval 
     or waiver to purchase or operate a covered unmanned aircraft 
     system pursuant to section 6505.

     SEC. 6511. STUDY.

       (a) Study on the Supply Chain for Unmanned Aircraft Systems 
     and Components.--
       (1) Report required.--Not later than one year after the 
     date of the enactment of this Act, the Under Secretary of 
     Defense for Acquisition and Sustainment shall provide to the 
     appropriate congressional committees a report on the supply 
     chain for covered unmanned aircraft systems, including a 
     discussion of current and projected future demand for covered 
     unmanned aircraft systems.
       (2) Elements.--The report under paragraph (1) shall include 
     the following:
       (A) A description of the current and future global and 
     domestic market for covered unmanned aircraft systems that 
     are not widely commercially available except from a covered 
     foreign entity.
       (B) A description of the sustainability, availability, 
     cost, and quality of secure sources of covered unmanned 
     aircraft systems domestically and from sources in allied and 
     partner countries.
       (C) The plan of the Secretary of Defense to address any 
     gaps or deficiencies identified in subparagraph (B), 
     including through the use of funds available under the 
     Defense Production Act of 1950 (50 U.S.C. 4501 et seq.) and 
     partnerships with the National Aeronautics and Space 
     Administration and other interested persons.
       (D) Such other information as the Under Secretary of 
     Defense for Acquisition and Sustainment determines to be 
     appropriate.
       (3) Appropriate congressional committees defined.--In this 
     section the term ``appropriate congressional committees'' 
     means:
       (A) The Committees on Armed Services of the Senate and the 
     House of Representatives.
       (B) The Committee on Homeland Security and Governmental 
     Affairs of the Senate and the Committee on Oversight and 
     Reform of the House of Representatives.
       (C) The Committee on Commerce, Science, and Transportation 
     of the Senate and the Committee on Science, Space, and 
     Technology of the House of Representatives.
       (D) The Select Committee on Intelligence of the Senate and 
     the Permanent Select Committee on Intelligence of the House 
     of Representatives.
       (E) The Committee on Transportation and Infrastructure of 
     the House of Representatives.
       (F) The Committee on Homeland Security of the House of 
     Representatives.

     SEC. 6512. EXCEPTIONS.

       (a) Exception for Wildfire Management Operations and Search 
     and Rescue Operations.--The appropriate Federal agencies, in 
     consultation with the Secretary of Homeland Security, are 
     exempt from the procurement and operation restrictions under 
     sections 6503, 6504, and 6505 to the extent the procurement 
     or operation is necessary for the purpose of supporting the 
     full range of wildfire management operations or search and 
     rescue operations.
       (b) Exception for Intelligence Activities.--The elements of 
     the intelligence community, in consultation with the Director 
     of National Intelligence, are exempt from the procurement and 
     operation restrictions under sections 6503, 6504, and 6505 to 
     the extent the procurement or operation is necessary for the 
     purpose of supporting intelligence activities.
       (c) Exception for Tribal Law Enforcement or Emergency 
     Service Agency.--Tribal law enforcement or Tribal emergency 
     service agencies, in consultation with the Secretary of 
     Homeland Security, are exempt from the procurement, 
     operation, and purchase restrictions under sections 6503, 
     6504, and 6505 to the extent the procurement or operation is 
     necessary for the purpose of supporting the full range of law 
     enforcement operations or search and rescue operations on 
     Indian lands.

     SEC. 6513. SUNSET.

       Sections 6503, 6504, and 6505 shall cease to have effect on 
     the date that is five years after the date of the enactment 
     of this Act.

  Subtitle B--Government-wide Study Relating to High-security Leased 
                                 Space

     SEC. 6521. GOVERNMENT-WIDE STUDY.

       (a) Definitions.--In this section:
       (1) Administrator.--The term ``Administrator'' means the 
     Administrator of General Services.
       (2) Beneficial owner.--
       (A) In general.--The term ``beneficial owner'', with 
     respect to a covered entity, means each natural person who, 
     directly or indirectly, through any contract, arrangement, 
     understanding, relationship, or otherwise--
       (i) exercises substantial control over the covered entity; 
     or
       (ii) owns or controls not less than 25 percent of the 
     ownership interests of, or receives substantial economic 
     benefits from the assets of, the covered entity.
       (B) Exclusions.--The term ``beneficial owner'', with 
     respect to a covered entity, does not include--
       (i) a minor;
       (ii) a person acting as a nominee, intermediary, custodian, 
     or agent on behalf of another person;
       (iii) a person acting solely as an employee of the covered 
     entity and whose control over or economic benefits from the 
     covered entity derives solely from the employment status of 
     the person;
       (iv) a person whose only interest in the covered entity is 
     through a right of inheritance, unless the person also meets 
     the requirements of subparagraph (A); or
       (v) a creditor of the covered entity, unless the creditor 
     also meets the requirements of subparagraph (A).
       (C) Anti-abuse rule.--The exclusions under subparagraph (B) 
     shall not apply if, in the determination of the 
     Administrator, an exclusion is used for the purpose of 
     evading, circumventing, or abusing the requirements of this 
     Act.
       (3) Control.--The term ``control'', with respect to a 
     covered entity, means--
       (A) having the authority or ability to determine how the 
     covered entity is utilized; or
       (B) having some decisionmaking power for the use of the 
     covered entity.
       (4) Covered entity.--The term ``covered entity'' means--
       (A) a person, corporation, company, business association, 
     partnership, society, trust, or any other nongovernmental 
     entity, organization, or group; or
       (B) any governmental entity or instrumentality of a 
     government.
       (5) Executive agency.--The term ``Executive agency'' has 
     the meaning given the term in section 105 of title 5, United 
     States Code.
       (6) Federal agency.--The term ``Federal agency'' means--
       (A) an Executive agency; and
       (B) any establishment in the legislative or judicial branch 
     of the Federal Government.
       (7) Federal lessee.--
       (A) In general.--The term ``Federal lessee'' means--
       (i) the Administrator;
       (ii) the Architect of the Capitol; and
       (iii) the head of any other Federal agency that has 
     independent statutory leasing authority.
       (B) Exclusions.--The term ``Federal lessee'' does not 
     include--
       (i) the head of an element of the intelligence community; 
     or
       (ii) the Secretary of Defense.
       (8) Federal tenant.--
       (A) In general.--The term ``Federal tenant'' means a 
     Federal agency that is occupying or will occupy a high-
     security leased space for which a lease agreement has been 
     secured on behalf of the Federal agency.
       (B) Exclusion.--The term ``Federal tenant'' does not 
     include an element of the intelligence community.
       (9) Foreign entity.--The term ``foreign entity'' means--
       (A) a corporation, company, business association, 
     partnership, society, trust, or any other nongovernmental 
     entity, organization, or group that is headquartered in or 
     organized under the laws of--
       (i) a country that is not the United States; or
       (ii) a State, unit of local government, or Indian Tribe 
     that is not located within or a territory of the United 
     States; or
       (B) a government or governmental instrumentality that is 
     not--
       (i) the United States Government; or
       (ii) a State, unit of local government, or Indian Tribe 
     that is located within or a territory of the United States.
       (10) Foreign person.--The term ``foreign person'' means an 
     individual who is not a United States person.
       (11) High-security leased adjacent space.--The term ``high-
     security leased adjacent space'' means a building or office 
     space that shares a boundary with or surrounds a high-
     security leased space.
       (12) High-security leased space.--The term ``high-security 
     leased space'' means a space leased by a Federal lessee 
     that--
       (A) will be occupied by Federal employees for nonmilitary 
     activities; and
       (B) has a facility security level of III, IV, or V, as 
     determined by the Federal tenant in consultation with the 
     Interagency Security Committee, the Secretary of Homeland 
     Security, and the Administrator.
       (13) Highest-level owner.--The term ``highest-level owner'' 
     means an entity that owns or controls--
       (A) an immediate owner of the offeror of a lease for a 
     high-security leased adjacent space; or
       (B) 1 or more entities that control an immediate owner of 
     the offeror of a lease described in subparagraph (A).
       (14) Immediate owner.--The term ``immediate owner'' means 
     an entity, other than the offeror of a lease for a high-
     security leased adjacent space, that has direct control of 
     that offeror, including--
       (A) ownership or interlocking management;
       (B) identity of interests among family members;
       (C) shared facilities and equipment; and
       (D) the common use of employees.
       (15) Intelligence community.--The term ``intelligence 
     community'' has the meaning given the term in section 3 of 
     the National Security Act of 1947 (50 U.S.C. 3003).
       (16) Substantial economic benefits.--The term ``substantial 
     economic benefits'', with respect to a natural person 
     described in paragraph (2)(A)(ii), means having an 
     entitlement to the funds or assets of a covered entity that, 
     as a practical matter, enables the person, directly or 
     indirectly, to control, manage, or direct the covered entity.
       (17) United states person.--The term ``United States 
     person'' means an individual who--
       (A) is a citizen of the United States; or
       (B) is an alien lawfully admitted for permanent residence 
     in the United States.
       (b) Government-wide Study.--
       (1) Coordination study.--The Administrator, in coordination 
     with the Director of the Federal Protective Service, the 
     Secretary of Homeland Security, the Director of the Office of 
     Management and Budget, and any other relevant entities, as 
     determined by the Administrator, shall carry out a 
     Government-wide study examining options to assist agencies 
     (as defined in section 551 of title 5, United States Code) to 
     produce a security assessment process for high-security 
     leased adjacent space before entering into a lease or 
     novation agreement with a covered entity for the purposes of 
     accommodating a Federal tenant located in a high-security 
     leased space.
       (2) Contents.--The study required under paragraph (1)--
       (A) shall evaluate how to produce a security assessment 
     process that includes a process for assessing the threat 
     level of each occupancy of a high-security leased adjacent 
     space, including through--
       (i) site-visits;
       (ii) interviews; and
       (iii) any other relevant activities determined necessary by 
     the Director of the Federal Protective Service; and
       (B) may include a process for collecting and using 
     information on each immediate owner, highest-level owner, or 
     beneficial owner of a covered entity that seeks to enter into 
     a lease with a Federal lessee for a high-security leased 
     adjacent space, including--
       (i) name;
       (ii) current residential or business street address; and
       (iii) an identifying number or document that verifies 
     identity as a United States person, a foreign person, or a 
     foreign entity.
       (3) Working group.--
       (A) In general.--Not later than 90 days after the date of 
     enactment of this Act, the Administrator, in coordination 
     with the Director of Federal Protective Service, the 
     Secretary of Homeland Security, the Director of the Office of 
     Management and Budget, and any other relevant entities, as 
     determined by the Administrator, shall establish a working 
     group to assist in the carrying out of the study required 
     under paragraph (1).
       (B) No compensation.--A member of the working group 
     established under subparagraph (A) shall receive no 
     compensation as a result of serving on the working group.
       (C) Sunset.--The working group established under 
     subparagraph (A) shall terminate on the date on which the 
     report required under paragraph (6) is submitted.
       (4) Protection of information.--The Administrator shall 
     ensure that any information collected pursuant to the study 
     required under paragraph (1) shall not be made available to 
     the public.
       (5) Limitation.--Nothing in this subsection requires an 
     entity located in the United States to provide information 
     requested pursuant to the study required under paragraph (1).
       (6) Report.--Not later than 2 years after the date of 
     enactment of this Act, the Administrator, in coordination 
     with the Director of Federal Protective Service, the 
     Secretary of Homeland Security, the Director of the Office of 
     Management and Budget, and any other relevant entities, as 
     determined by the Administrator, shall submit to the 
     Committee on Homeland Security and Governmental Affairs of 
     the Senate and the Committee on Transportation and 
     Infrastructure of the House of Representatives a report 
     describing--
       (A) the results of the study required under paragraph (1); 
     and
       (B) how all applicable privacy laws and rights relating to 
     the First and Fourth Amendments to the Constitution of the 
     United States would be upheld and followed in--
       (i) the security assessment process described in 
     subparagraph (A) of paragraph (2); and
       (ii) the information collection process described in 
     subparagraph (B) of that paragraph.
       (7) Limitation.--Nothing in this subsection authorizes a 
     Federal entity to mandate information gathering unless 
     specifically authorized by law.
       (8) Prohibition.--No information collected pursuant to the 
     security assessment process described in paragraph (2)(A) may 
     be used for law enforcement purposes.
       (9) No additional funding.--No additional funds are 
     authorized to be appropriated to carry out this subsection.

     Subtitle C--Intergovernmental Critical Minerals Task Force Act

     SEC. 6531. SHORT TITLE.

       This subtitle may be cited as the ``Intergovernmental 
     Critical Minerals Task Force Act''.

     SEC. 6532. DEFINITIONS.

       In this subtitle:
       (1) Appropriate committees of congress.--The term 
     ``appropriate committees of Congress'' means--
       (A) the Committees on Homeland Security and Governmental 
     Affairs, Energy and Natural Resources, Armed Services, 
     Environment and Public Works, Commerce, Science, and 
     Transportation, and Foreign Relations of the Senate; and
       (B) the Committees on Oversight and Accountability, Natural 
     Resources, Armed Services, and Foreign Affairs of the House 
     of Representatives.
       (2) Covered country.--The term ``covered country'' means--
       (A) a covered nation (as defined in section 4872(d) of 
     title 10, United States Code); and
       (B) any other country determined by the task force to be a 
     geostrategic competitor or adversary of the United States 
     with respect to critical minerals.
       (3) Critical mineral.--The term ``critical mineral'' has 
     the meaning given the term in section 7002(a) of the Energy 
     Act of 2020 (30 U.S.C. 1606(a)).
       (4) Director.--The term ``Director'' means the Director of 
     the Office of Management and Budget.
       (5) Task force.--The term ``task force'' means the task 
     force established under section 6534(b).

     SEC. 6533. FINDINGS.

       Congress finds that--
       (1) current supply chains of critical minerals pose a great 
     risk to the homeland and national security of the United 
     States;
       (2) critical minerals contribute to transportation, 
     technology, renewable energy, military equipment and 
     machinery, and other relevant entities crucial for the 
     homeland and national security of the United States;
       (3) in 2022, the United States was 100 percent import 
     reliant for 12 out of 50 critical minerals and more than 50 
     percent import reliant for an additional 31 critical mineral 
     commodities classified as ``critical'' by the United States 
     Geological Survey, and the People's Republic of China was the 
     top producing nation for 30 of those 50 critical minerals;
       (4) companies based in the People's Republic of China that 
     extract rare earth minerals around the world have received 
     hundreds of charges of human rights violations; and
       (5) on March 26, 2014, the World Trade Organization ruled 
     that the export restraints by the People's Republic of China 
     on rare earth metals violated obligations under the
     protocol of accession to the World Trade Organization, which 
     harmed manufacturers and workers in the United States.

     SEC. 6534. INTERGOVERNMENTAL CRITICAL MINERALS TASK FORCE.

       (a) Purposes.--The purposes of the task force are--
       (1) to assess the reliance of the United States on the 
     People's Republic of China, and other covered countries, for 
     critical minerals, and the resulting homeland and national 
     security risks associated with that reliance, at each level 
     of the Federal, State, local, Tribal, and territorial 
     governments;
       (2) to make recommendations to onshore and improve the 
     domestic supply chain for critical minerals; and
       (3) to reduce the reliance of the United States, and 
     partners and allies of the United States, on critical mineral 
     supply chains involving covered countries.
       (b) Establishment.--Not later than 90 days after the date 
     of enactment of this Act, the Director shall establish a task 
     force to facilitate cooperation, coordination, and mutual 
     accountability among each level of the Federal Government and 
     State, local, Tribal, and territorial governments on a 
     holistic response to the dependence on covered countries for 
     critical minerals across the United States.
       (c) Composition; Meetings.--
       (1) Appointment.--The Director, in consultation with key 
     intergovernmental, private, and public sector stakeholders, 
     shall appoint to the task force representatives with 
     expertise in critical mineral supply chains from Federal 
     agencies, State, local, Tribal, and territorial governments, 
     including not less than 1 representative from each of--
       (A) the Bureau of Indian Affairs;
       (B) the Bureau of Land Management;
       (C) the Department of Agriculture;
       (D) the Department of Commerce;
       (E) the Department of Defense;
       (F) the Department of Energy;
       (G) the Department of Homeland Security;
       (H) the Department of Housing and Urban Development;
       (I) the Department of the Interior;
       (J) the Department of Labor;
       (K) the Department of State;
       (L) the Department of Transportation;
       (M) the Environmental Protection Agency;
       (N) the General Services Administration;
       (O) the National Science Foundation;
       (P) the United States International Development Finance 
     Corporation;
       (Q) the United States Geological Survey; and
       (R) any other relevant Federal entity, as determined by the 
     Director.
       (2) Consultation.--The task force shall consult individuals 
     with expertise in critical mineral supply chains, individuals 
     from States whose communities, businesses, and industries are 
     involved in aspects of the critical mineral supply chain, 
     including mining and processing operations, and individuals 
     from a diverse and balanced cross-section of--
       (A) intergovernmental consultees, including--
       (i) State governments;
       (ii) local governments;
       (iii) Tribal governments; and
       (iv) territorial governments; and
       (B) other stakeholders, including--
       (i) academic research institutions;
       (ii) corporations;
       (iii) nonprofit organizations;
       (iv) private sector stakeholders;
       (v) trade associations;
       (vi) mining industry stakeholders; and
       (vii) labor representatives.
       (3) Chair.--The Director may serve as chair of the task 
     force, or designate a representative of the task force to 
     serve as chair.
       (4) Meetings.--
       (A) Initial meeting.--Not later than 90 days after the date 
     on which all representatives of the task force have been 
     appointed, the task force shall hold the first meeting of the 
     task force.
       (B) Frequency.--The task force shall meet not less than 
     once every 90 days.
       (d) Duties.--
       (1) In general.--The duties of the task force shall 
     include--
       (A) facilitating cooperation, coordination, and mutual 
     accountability for the Federal Government and State, local, 
     Tribal, and territorial governments to enhance data sharing 
     and transparency in the supply chains for critical minerals 
     in support of the purposes described in subsection (a);
       (B) providing recommendations with respect to--
       (i) research and development into emerging technologies 
     used to expand existing critical mineral supply chains in the 
     United States and to establish secure and reliable critical 
     mineral supply chains to the United States;
       (ii) increasing capacities for mining, processing, 
     refinement, reuse, and recycling of critical minerals in the 
     United States to facilitate the environmentally responsible 
     production of domestic resources to meet national critical 
     mineral needs, in consultation with Tribal and local 
     communities;
       (iii) identifying how statutes, regulations, and policies 
     related to the critical mineral supply chain could be 
     modified to accelerate environmentally responsible domestic 
     production of critical minerals, in consultation with Tribal 
     and local communities;
       (iv) strengthening the domestic workforce to support 
     growing critical mineral supply chains with good-paying, safe 
     jobs in the United States;
       (v) identifying alternative domestic sources to critical 
     minerals that the United States currently relies on the 
     People's Republic of China or other covered countries for 
     mining, processing, refining, and recycling, including the 
     availability, cost, and quality of those domestic 
     alternatives;
       (vi) identifying critical minerals and critical mineral 
     supply chains that the United States can onshore, at a 
     competitive availability, cost, and quality, for those 
     minerals and supply chains that the United States relies on 
     the People's Republic of China or other covered countries to 
     provide; and
       (vii) opportunities for the Federal Government and State, 
     local, Tribal, and territorial governments to mitigate risks 
     to the homeland and national security of the United States 
     with respect to supply chains for critical minerals that the 
     United States currently relies on the People's Republic of 
     China or other covered countries for mining, processing, 
     refining, and recycling;
       (C) prioritizing the recommendations in subparagraph (B), 
     taking into consideration economic costs and focusing on the 
     critical mineral supply chains with vulnerabilities posing 
     the most significant risks to the homeland and national 
     security of the United States;
       (D) establishing specific strategies, to be carried out in 
     coordination with the Secretary of State, to strengthen 
     international partnerships in furtherance of critical 
     minerals supply chain security with international allies and 
     partners, including--
       (i) countries with which the United States has a free trade 
     agreement;
       (ii) countries participating in the Indo-Pacific Economic 
     Framework for Prosperity;
       (iii) countries participating in the Quadrilateral Security 
     Dialogue;
       (iv) countries that are signatories to the Abraham Accords;
       (v) countries designated as eligible sub-Saharan Africa 
     countries under section 104 of the Africa Growth and 
     Opportunity Act (19 U.S.C. 3701 et seq.); and
       (vi) other countries or multilateral partnerships the Task 
     Force determines to be appropriate; and
       (E) other duties, as determined by the Director.
       (2) Report.--The Director shall--
       (A) not later than 2 years after the date of enactment of 
     this Act, submit to the appropriate committees of Congress a 
     report, which shall be submitted in unclassified form, but 
     may include a classified annex, that describes any findings, 
     guidelines, and recommendations created in performing the 
     duties under paragraph (1);
       (B) not later than 120 days after the date on which the 
     Director submits the report under subparagraph (A), publish 
     that report in the Federal Register and on the website of the 
     Office of Management and Budget, except that the Director 
     shall redact information from the report that the Director 
     determines could pose a risk to the homeland and national 
     security of the United States by being publicly available; 
     and
       (C) brief the appropriate committees of Congress twice per 
     year.
       (e) Sunset.--The task force shall terminate on the date 
     that is 90 days after the date on which the task force 
     completes the requirements under subsection (d)(2).
       (f) GAO Study.--
       (1) In general.--The Comptroller General of the United 
     States shall conduct a study examining the Federal and State 
     regulatory landscape related to improving domestic supply 
     chains for critical minerals in the United States.
       (2) Report.--Not later than 18 months after the date of 
     enactment of this Act, the Comptroller General of the United 
     States shall submit to the appropriate committees of Congress 
     a report that describes the results of the study under 
     paragraph (1).

                  Subtitle D--Federal Executive Boards

     SEC. 6541. SHORT TITLE.

       This subtitle may be cited as the ``Improving Government 
     Efficiency and Workforce Development through Federal 
     Executive Boards Act of 2023''.

     SEC. 6542. FEDERAL EXECUTIVE BOARDS.

       (a) In General.--Chapter 11 of title 5, United States Code, 
     is amended by adding at the end the following:

     ``Sec. 1106. Federal Executive Boards

       ``(a) Purposes.--The purposes of this section are to--
       ``(1) strengthen the strategic coordination, communication, 
     and management of Government activities across the United 
     States, including to improve the experience of citizens 
     interacting with agencies, and to incorporate field 
     perspectives into the preparation of Federal workforce policy 
     goals;
       ``(2) facilitate interagency collaboration to improve the 
     efficiency and effectiveness of Federal programs and 
     initiatives, including those that impact the competitiveness 
     of the United States in the global economy;
       ``(3) facilitate communication and collaboration on Federal 
     emergency preparedness and continuity of operations for the 
     Federal workforce in applicable geographic areas;
       ``(4) facilitate strategies and programs for recruiting, 
     training, managing, and retaining Federal employees, as well 
     as sharing best practices for improving the workforce 
     experience and access to education and training, including 
     with respect to the responsible use of emerging technology;
       ``(5) facilitate relationships with State and local 
     governments, colleges and universities,
     and local nonprofit organizations that collaborate with the 
     Federal Government; and
       ``(6) provide stable funding for Federal Executive Boards 
     to enable the activities described in paragraphs (1) through 
     (5).
       ``(b) Definitions.--In this section:
       ``(1) Agency.--The term `agency'--
       ``(A) means an Executive agency, as defined in section 105; 
     and
       ``(B) does not include the Government Accountability 
     Office.
       ``(2) Director.--The term `Director' means the Director of 
     the Office of Personnel Management.
       ``(3) Federal executive board.--The term `Federal Executive 
     Board' means an interagency entity--
       ``(A) established by the Director--
       ``(i) in coordination with the Director of the Office of 
     Management and Budget and the Administrator of General 
     Services; and
       ``(ii) in consultation with the headquarters of appropriate 
     agencies;
       ``(B) located in a geographic area with a high 
     concentration of Federal employees outside the Washington, 
     DC, metropolitan area; and
       ``(C) focused on strengthening the management and 
     administration of agency activities and coordination among 
     local Federal officers to implement national initiatives in 
     that geographic area.
       ``(4) Institution of higher education.--The term 
     `institution of higher education' has the meaning given the 
     term in section 101(a) of the Higher Education Act of 1965 
     (20 U.S.C. 1001(a)).
       ``(5) State apprenticeship agency.--The term `State 
     Apprenticeship Agency' has the meaning given the term in 
     section 29.2 of title 29, Code of Federal Regulations, or any 
     successor regulation.
       ``(c) Perpetuation and Continued Support.--
       ``(1) In general.--The Director, in coordination with the 
     Director of the Office of Management and Budget and the 
     Administrator of General Services, shall continue to support 
     the existence of Federal Executive Boards in geographic areas 
     outside the Washington, DC, metropolitan area.
       ``(2) Consultation.--Before establishing any new Federal 
     Executive Boards that are not in existence on the date of 
     enactment of this section, the Director shall conduct a 
     review of existing Federal Executive Boards and consult with 
     the headquarters of appropriate agencies to guide the 
     determination of the number and location of Federal Executive 
     Boards.
       ``(3) Location.--The Director shall develop a set of 
     criteria to establish and evaluate the number and locations 
     of Federal Executive Boards that shall--
       ``(A) factor in contemporary Federal workforce data as of 
     the date of enactment of this section; and
       ``(B) be informed by the annual changes in workforce data, 
     including the geographic disbursement of the Federal 
     workforce and the role of remote work options.
       ``(4) Membership.--
       ``(A) In general.--Each Federal Executive Board for a 
     geographic area shall consist of the most senior officer of 
     each agency in that geographic area.
       ``(B) Alternate representative.--The senior officer of an 
     agency described in subparagraph (A) may designate, by title 
     of office, an alternate representative, who shall--
       ``(i) be a senior officer in the agency; and
       ``(ii) attend meetings and otherwise represent the agency 
     on the Federal Executive Board in the absence of the most 
     senior officer.
       ``(d) Administration and Oversight.--The Director, in 
     coordination with the Director of the Office of Management 
     and Budget and the Administrator of General Services, shall 
     administer and oversee Federal Executive Boards, including--
       ``(1) establishing staffing and accountability policies, 
     including performance standards, for employees responsible 
     for administering Federal Executive Boards with an 
     opportunity for employee customer service feedback from 
     agencies participating in Federal Executive Boards;
       ``(2) establishing communications policies for the 
     dissemination of information to agencies participating in 
     Federal Executive Boards; and
       ``(3) administering Federal Executive Board funding through 
     the fund established in subsection (f).
       ``(e) Governance and Activities.--
       ``(1) In general.--Each Federal Executive Board shall--
       ``(A) subject to the approval of the Director, adopt 
     charters or other rules for the internal governance of the 
     Federal Executive Board;
       ``(B) elect a Chairperson from among the members of the 
     Federal Executive Board, who shall serve for a set term;
       ``(C) serve as an instrument of outreach relating to agency 
     activities in the geographic area;
       ``(D) provide a forum to amplify the exchange of 
     information relating to programs and management methods and 
     problems--
       ``(i) between the national headquarters of agencies and the 
     field; and
       ``(ii) among field elements in geographic areas;
       ``(E) develop local coordinated approaches to the 
     development and operation of programs that have common 
     characteristics or serve the same populations;
       ``(F) communicate management initiatives and other concerns 
     from Federal officers and employees in the Washington, DC, 
     metropolitan area to Federal officers and employees in the 
     geographic area to achieve better mutual understanding and 
     support;
       ``(G) develop relationships with State and local 
     governments, institutions of higher education, and 
     nongovernmental organizations to help fulfill the roles and 
     responsibilities of the Federal Executive Board;
       ``(H) in coordination with appropriate agencies and 
     consistent with any relevant memoranda of understanding 
     between the Office of Personnel Management and those 
     agencies, facilitate communication, collaboration, and 
     training to prepare the Federal workforce for emergencies and 
     continuity of operations;
       ``(I) in coordination with appropriate agencies, support 
     agency efforts to place and recruit students in training 
     opportunities, particularly apprenticeships and paid 
     internships;
       ``(J) consult with the Secretary of Labor or State 
     Apprenticeship Agencies on the process for establishing 
     registered apprenticeship programs within agencies, as 
     appropriate;
       ``(K) consult with State workforce development boards and 
     local workforce development boards as established in sections 
     101 and 107 of the Workforce Innovation and Opportunity Act 
     (29 U.S.C. 3111, 3122), respectively, as appropriate;
       ``(L) as appropriate and in accordance with law, rules, and 
     policies, lead cross-agency talent management initiatives--
       ``(i) including interagency--

       ``(I) recruitment and hiring activities;
       ``(II) internships and apprenticeships;
       ``(III) onboarding and leadership and management 
     development; and
       ``(IV) mentorship programs; and

       ``(ii) by prioritizing initiatives related to--

       ``(I) conducting outreach to communities of individuals 
     with demographics that are underrepresented in a given 
     occupation or agency;
       ``(II) addressing skills gaps within the Federal Government 
     related to high-risk areas as identified by the Government 
     Accountability Office;
       ``(III) enabling the Federal workforce to adapt to and 
     responsibly use emerging technology; and
       ``(IV) strengthening the competitiveness of the United 
     States in the global economy;

       ``(M) coordinate with the Transition Assistance Centers 
     established to carry out the Transition Assistance Program of 
     the Department of Defense to help members of the Armed Forces 
     who are transitioning to civilian life apply for Government 
     positions in the geographic location of the Federal Executive 
     Board;
       ``(N) as appropriate, serve as a collaborative space where 
     employees from across agencies can participate in innovation 
     projects relevant to Federal initiatives by applying human-
     centered design, user-experience design, or other creativity 
     methods; and
       ``(O) take other actions as agreed to by the Federal 
     Executive Board and the Director, in consultation with the 
     Director of the Office of Management and Budget and the 
     Administrator of General Services.
       ``(2) Coordination of certain activities.--The facilitation 
     of communication, collaboration, and training described in 
     paragraph (1)(H) shall, when appropriate, be coordinated and 
     defined through written agreements entered into between the 
     Director and the heads of the applicable agencies.
       ``(3) Non-monetary donations.--Each Federal Executive Board 
     may accept donations of supplies, services, land, and 
     equipment consistent with the purposes described in 
     paragraphs (1) through (5) of subsection (a), including to 
     assist in carrying out the activities described in paragraph 
     (1) of this subsection.
       ``(4) Programmatic assessments.--Not less frequently than 
     semi-annually or following each major programmatic activity, 
     each Federal Executive Board shall assess the experience of 
     participants or other relevant stakeholders in each program 
     provided by the Federal Executive Board.
       ``(f) Funding.--
       ``(1) Establishment of fund.--The Director, in coordination 
     with the Director of the Office of Management and Budget and 
     the Administrator of General Services, shall establish a 
     Federal Executive Board Fund within the Office of Personnel 
     Management for financing essential Federal Executive Board 
     functions for the purposes of staffing and operating 
     expenses.
       ``(2) Deposits.--There shall be deposited in the fund 
     established under paragraph (1) amounts transferred to the 
     fund pursuant to paragraph (3) from each agency participating 
     in Federal Executive Boards, according to a formula 
     established by the Director--
       ``(A) in consultation with the headquarters of those 
     agencies; and
       ``(B) in coordination with the Director of the Office of 
     Management and Budget and the Administrator of General 
     Services.
       ``(3) Contributions.--
       ``(A) Contribution transfers.--Subject to the formula for 
     contributions established by the Director under paragraph 
     (2), each agency participating in Federal Executive Boards 
     shall transfer amounts to the fund established under 
     paragraph (1).
       ``(B) Formula.--
       ``(i) In general.--The formula for contributions 
     established by the Director under paragraph (2) shall 
     consider the number of employees in each agency in all 
     geographic areas served by Federal Executive Boards.
       ``(ii) Recalculation.--The contribution of the headquarters 
     of each agency under clause (i) to the fund established under 
     paragraph (1) shall be recalculated not less frequently than 
     every 2 years.
       ``(C) In-kind contributions.--At the discretion of the 
     Director, an agency may provide in-kind contributions instead 
     of, or in addition to, providing monetary contributions to 
     the fund established under paragraph (1).
       ``(4) Minimum amount.--
       ``(A) In general.--The fund established under paragraph (1) 
     shall include a minimum of $15,000,000 in each fiscal year, 
     to remain available until expended.
       ``(B) Adjustment.--The Director shall adjust the amount 
     required under subparagraph (A) every 2 years on a schedule 
     aligned with the recalculation described in paragraph 
     (3)(B)(ii) to reflect--
       ``(i) the percentage increase, if any, in the Consumer 
     Price Index for all Urban Consumers as determined by the 
     Bureau of Labor Statistics; and
       ``(ii) any changes in costs related to Federal pay changes 
     authorized by the President or by an Act of Congress.
       ``(5) Use of excess amounts.--Any unobligated and 
     unexpended balances in the fund established under paragraph 
     (1) that the Director determines to be in excess of amounts 
     needed for Federal Executive Board functions shall be 
     allocated among the Federal Executive Boards for the 
     activities described in subsection (e) by the Director--
       ``(A) in coordination with the Director of the Office of 
     Management and Budget and the Administrator of General 
     Services; and
       ``(B) in consultation with the headquarters of agencies 
     participating in Federal Executive Boards.
       ``(6) Administrative and oversight costs.--The Office of 
     Personnel Management shall pay for costs relating to 
     administrative and oversight activities conducted under 
     subsection (d) from appropriations made available to the 
     Office of Personnel Management.
       ``(g) Reports.--The Director, in coordination with the 
     Director of the Office of Management and Budget and the 
     Administrator of General Services, shall submit biennial 
     reports to Congress and to agencies participating in Federal 
     Executive Boards on the outcomes of and budget matters 
     related to Federal Executive Boards.
       ``(h) Regulations.--The Director, in coordination with the 
     Director of the Office of Management and Budget and the 
     Administrator of General Services, shall prescribe 
     regulations necessary to carry out this section.''.
       (b) Report.--
       (1) Definition.--In this subsection, the term ``Federal 
     Executive Board'' has the meaning given the term in section 
     1106(b) of title 5, United States Code, as added by 
     subsection (a) of this section.
       (2) Report.--Not later than 180 days after the date of 
     enactment of this Act, the Director of the Office of 
     Personnel Management, in coordination with the Director of 
     the Office of Management and Budget and the Administrator of 
     General Services, shall submit to the Committee on Homeland 
     Security and Governmental Affairs of the Senate and the 
     Committee on Oversight and Accountability of the House of 
     Representatives a report that includes--
       (A) a description of essential Federal Executive Board 
     functions;
       (B) details of staffing requirements for each Federal 
     Executive Board; and
       (C) estimates of staffing and operating expenses for each 
     Federal Executive Board.
       (c) Technical and Conforming Amendments.--The table of 
     sections for chapter 11 of title 5, United States Code, is 
     amended by inserting after the item relating to section 1105 
     the following:

``1106. Federal Executive Boards.''.

   Subtitle E--Mitigating Foreign Influence in Classified Government 
                             Contracts Act

     SEC. 6551. SHORT TITLE.

       This subtitle may be cited as the ``Mitigating Foreign 
     Influence in Classified Government Contracts Act''.

     SEC. 6552. DEFINITIONS.

       In this Act:
       (1) Appropriate committees of congress.--The term 
     ``appropriate committees of Congress'' means--
       (A) the Committee on Homeland Security and Governmental 
     Affairs, the Committee on Armed Services, and the Select 
     Committee on Intelligence of the Senate; and
       (B) the Committee on Oversight and Accountability, the 
     Committee on Armed Services, and the Permanent Select 
     Committee on Intelligence of the House of Representatives.
       (2) Cognizant security agencies; entity; foreign 
     interest.--The terms ``cognizant security agencies'', 
     ``entity'', and ``foreign interest'' have the meanings given 
     those terms in section 2004.4 of title 32, Code of Federal 
     Regulations.
       (3) Director.--The term ``Director'' means the Director of 
     the Information Security Oversight Office.
       (4) NISPPAC.--The term ``NISPPAC'' means the National 
     Industrial Security Program Policy Advisory Committee 
     established by Executive Order 12829 (50 U.S.C. 3161 note; 
     relating to national industrial security program).

     SEC. 6553. ASSESSMENT OF FOREIGN INFLUENCE IN NATIONAL 
                   INDUSTRIAL SECURITY PROGRAM.

       (a) In General.--The Director shall convene and direct 
     NISPPAC to complete and submit, not later than 1 year after 
     the date of the enactment of this Act, to the Director an 
     assessment of foreign influence in the National Industrial 
     Security Program.
       (b) Elements.--The assessment required by subsection (a) 
     shall include the following:
       (1) A definition of foreign influence that focuses on 
     contractual agreements or other non-ownership means that may 
     allow foreign interests unauthorized access to classified 
     information or to adversely affect performance of a contract 
     or agreement requiring access to classified information.
       (2) An assessment of the extent of the threat of foreign 
     influence in the National Industrial Security Program.
       (3) A description of the challenges in identifying foreign 
     influence.
       (4) A list of the criteria and factors that should be 
     considered to identify foreign influence requiring 
     mitigation.
       (5) An identification of the methods, if any, currently 
     used to mitigate foreign influence.
       (6) An assessment of the effectiveness and limitations of 
     such mitigations, and recommendations for new mitigation 
     methods.
       (7) An assessment of whether processes to identify and 
     mitigate foreign influence are consistent across cognizant 
     security agencies.
       (8) An identification of the tools available to assist 
     entities identify and avoid foreign influence that would 
     require mitigation, and recommendations for tools needed.
       (c) Submission to Congress.--Not later than 1 year after 
     the date of the enactment of this Act, the Director shall 
     submit to the appropriate congressional committees the 
     assessment completed under subsection (a).

     SEC. 6554. STRATEGY TO IDENTIFY AND MITIGATE FOREIGN 
                   INFLUENCE IN NATIONAL INDUSTRIAL SECURITY 
                   PROGRAM.

       (a) In General.--Not later than 540 days after the date of 
     the enactment of this Act, the Director, in consultation with 
     the cognizant security agencies, shall submit to the 
     appropriate committees of Congress a strategy, to be known as 
     the ``National Strategy to Mitigate Foreign Influence in the 
     National Industrial Security Program'', to improve the 
     ability of the Federal Government and entities to identify 
     and mitigate foreign influence.
       (b) Elements.--The strategy required by subsection (a) 
     shall include the following:
       (1) Processes to identify foreign influence requiring 
     mitigation, including entity submission of standard forms and 
     government security reviews.
       (2) Methods to mitigate foreign influence.
       (3) Practices to ensure processes to identify foreign 
     influence and methods to mitigate foreign influence are 
     consistent across cognizant security agencies.
       (4) Tools, including best practices, to assist entities in 
     recognizing the risk of foreign influence and implementing 
     methods to mitigate foreign influence.
       (5) Proposed updates to parts 117 and 2004 of title 32, 
     Code of Federal Regulations.
       (6) Recommendations for legislation as the Director 
     considers appropriate.
       (c) Implementation.--
       (1) In general.--Not later than 90 days after the date on 
     which the strategy required under subsection (a) is submitted 
     to the appropriate committees of Congress, the Director, in 
     collaboration with the cognizant security agencies, shall 
     commence implementation of the strategy.
       (2) Report.--Not later than 1 year after the date on which 
     the Director commences implementation of the strategy 
     required by subsection (a) in accordance with paragraph (1), 
     the Director shall submit to the appropriate committees of 
     Congress a report describing the efforts of the cognizant 
     security agencies to implement the strategy and the progress 
     of such efforts.
                                 ______