[Senate Report 115-410]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 714
115th Congress      }                         }               Report
                                 SENATE
2d Session          }                         }                115-410   
_______________________________________________________________________

                                     

                                                    
       NATIONAL CYBERSECURITY PREPAREDNESS CONSORTIUM ACT OF 2017

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                 S. 594

            TO AUTHORIZE THE SECRETARY OF HOMELAND SECURITY
   TO WORK WITH CYBERSECURITY CONSORTIA FOR TRAINING, AND FOR OTHER 
                                PURPOSES
                                
                                
                                
                                
                                

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]









                December 4, 2018.--Ordered to be printed
                                     ______

                       U.S. GOVERNMENT PUBLISHING OFFICE 

89-010                        WASHINGTON : 2018





              
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio                    CLAIRE McCASKILL, Missouri
RAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma             HEIDI HEITKAMP, North Dakota
MICHAEL B. ENZI, Wyoming             GARY C. PETERS, Michigan
JOHN HOEVEN, North Dakota            MAGGIE HASSAN, New Hampshire
STEVE DAINES, Montana                KAMALA D. HARRIS, California
JON KYL, Arizona                     DOUG JONES, Alabama

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
          Michelle D. Woods, Senior Professional Staff Member
               Margaret E. Daum, Minority Staff Director
       Charles A. Moskowitz, Minority Senior Legislative Counsel
           Julie G. Klein, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk




                                                      Calendar No. 714
115th Congress      }                         }               Report
                                 SENATE
2d Session          }                         }                115-410  

======================================================================



 
       NATIONAL CYBERSECURITY PREPAREDNESS CONSORTIUM ACT OF 2017

                                _______
                                

                December 4, 2018.--Ordered to be printed

                                _______
                                

 Mr. Johnson, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 594]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 594), to authorize 
the Secretary of Homeland Security to work with cybersecurity 
consortia for training, and for other purposes, having 
considered the same, reports favorably thereon with an 
amendment in the nature of a substitute and recommends that the 
bill, as amended, do pass.

                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for the Legislation..........................2
III. Legislative History..............................................3
 IV. Section-by-Section Analysis......................................3
  V. Evaluation of Regulatory Impact..................................4
 VI. Congressional Budget Office Cost Estimate........................4
VII. Changes in Existing Law Made by the Bill, as Reported............5

                         I. PURPOSE AND SUMMARY

    The purpose of S. 594, the National Cybersecurity 
Preparedness Consortium Act of 2018, is to codify the Secretary 
of Homeland Security's existing authority to work with 
consortia, primarily composed of academic institutions and 
nonprofit entities with expertise in cybersecurity, to address 
cybersecurity risks and incidents. The Secretary may work with 
a consortium to provide assistance to the National 
Cybersecurity and Communications Integration Center (NCCIC) 
within the Department of Homeland Security (DHS or the 
Department) to provide cybersecurity related training and 
expertise to state and local first responders and critical 
infrastructure owners and operators.

              II. BACKGROUND AND THE NEED FOR LEGISLATION

    The Committee recognizes the challenges DHS faces in 
fulfilling its cyber mission and implementing timely and 
effective measures to mitigate the security risks posed by 
nefarious cyber incidents.\1\ Specifically, DHS is responsible 
for coordinating the Federal Government's efforts to protect 
the nation's critical infrastructure.\2\ In April 2018, the 
Committee held a hearing entitled, Mitigating America's 
Cybersecurity Risks, to discuss the risks posed by malicious 
cyber incidents and to assess how DHS is using its existing 
authorities and cyber capabilities to minimize security 
risks.\3\ During the hearing, Ranking Member Claire McCaskill 
said ``DHS's responsibility also included coordinating critical 
infrastructure protection. But the majority of the critical 
infrastructure is not federally owned or operated.''\4\ 
Currently, 85 percent of the United States' national critical 
infrastructure is owned by private entities.\5\
---------------------------------------------------------------------------
    \1\Hearing on Mitigating America's Cybersecurity Risks Before the 
S. Comm. on Homeland Sec. & Governmental Affairs, 115th Cong. (2018) 
(statement of Sen. Ron Johnson, R-WI., Chairman), available at https://
www.hsgac.senate.gov/imo/media/doc/Opening%20Statement-Johnson-2018-04-
24.pdf.
    \2\Press Release, Dep't of Homeland Sec., The Department's Five 
Responsibilities (June 8, 2009), https://www.dhs.gov/blog/2009/06/08/
departments-five-responsibilities.
    \3\See generally Hearing on Mitigating America's Cybersecurity 
Risks Before the S. Comm. on Homeland Sec. & Governmental Affairs, 
115th Cong. (2018).
    \4\Hearing on Mitigating America's Cybersecurity Risks Before the 
S. Comm. on Homeland Sec. & Governmental Affairs, 115th Cong. (2018) 
(statement of Sen. Claire McCaskill, D-MO., Ranking Member), available 
at http://www.cq.com/doc/congressionaltranscripts-5304955?0.
    \5\Ann M. Beauchesne & Matthew J. Eggers, Critical Infrastructure 
Protection, Information Sharing and Cyber Security, U.S. Chamber of 
Commerce, (last accessed Nov. 6, 2018), https://www.uschamber.com/
issue-brief/critical-infrastructure-protection-information-sharing-and-
cyber-security.
---------------------------------------------------------------------------
    The combination of the cybersecurity manpower shortage and 
the majority of our nation's critical infrastructure being in 
private hands has created a unique public-private environment 
for DHS to operate in.\6\ The Committee held a hearing in June 
2017 entitled, Cybersecurity Regulation Harmonization, where 
the importance of public-private partnerships in combating 
cyber challenges facing DHS was highlighted. Dean Garfield, an 
expert witness, provided written testimony that stated: 
``[c]ongress should consider the public and private sectors' 
ongoing collaboration and efforts to implement pre-existing 
regulations before further legislating on cybersecurity so that 
Members may arrive at a holistic, federal cybersecurity 
strategy approach.''\7\
---------------------------------------------------------------------------
    \6\Id.; see also U.S. Gov't Accountability Office, GAO-18-466, 
Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments 
and Procedures for Coding Positions (2018), available at https://
www.gao.gov/assets/700/692498.pdf.
    \7\Hearing on Cybersecurity Regulation Harmonization Before the S. 
Comm. on Homeland Sec. & Governmental Affairs, 115th Cong. (2017) 
(statement of Dean Garfield, Pres. and CEO of Info. Tech. Indus. 
Council), available at https://www.hsgac.senate.gov/imo/media/doc/
Testimony-Garfield-2017-06-21-REVISED.pdf.
---------------------------------------------------------------------------
    During the Committee's April 2018 hearing on mitigating 
cybersecurity risks, the DHS Assistant Secretary for 
Cybersecurity and Communications, Janette Manfra, testified 
that DHS has ``taken steps to empower public and private 
partners to defend against many of these threats by publicly 
attributing state-sponsored activity, issuing technical 
indicators and providing mitigation guidance.''\8\ For example, 
DHS has partnered with universities to aid in cyber security 
training.\9\ In 2004, DHS began partnering with the National 
Cybersecurity Preparedness Consortium.\10\ This consortium 
consists of five university partners from across the United 
States.\11\
---------------------------------------------------------------------------
    \8\Hearing on Mitigating America's Cybersecurity Risks, supra note 
1 (statement of Janette Manfra, Assistant Sec'y, Office of 
Cybersecurity & Communications, Nat'l Programs Directorate, U.S. Dept. 
of Homeland Sec.).
    \9\National Cyber Security Preparedness Consortium, About, (last 
accessed Nov. 20, 2018), http://nationalcpc.org/index.html.
    \10\Id.
    \11\Id.
---------------------------------------------------------------------------
    By leveraging the expertise of consortia, DHS can better 
ensure that its partners in the private sector and state and 
local governments are prepared to assist the Federal Government 
in its efforts to combat cyber threats. S. 594 codifies an 
existing DHS practice and helps strengthen the Department's 
efforts to partner with the private sector and academia to 
secure our nation's cyber infrastructure.

                        III. LEGISLATIVE HISTORY

    Senator John Cornyn, (R-TX) introduced S. 594 on March 9, 
2017, with Senator Ted Cruz (R-TX) and Senator Patrick Leahy 
(D-VT). Senators John Boozman (R-AR) and Tom Cotton (R-AR) 
joined as cosponsors on April 6, 2017. The bill was referred to 
the Committee on March 9, 2017.
    The Committee considered S. 594 at a business meeting on 
September 26, 2018. During the business meeting, Senator 
Johnson offered a substitute amendment that was accepted by 
unanimous consent. The substitute amendment narrowed the focus 
of the collaborative efforts between the Department and a 
consortium to cybersecurity risks and incidents. It also 
removed three provisions: a provision that required DHS to work 
with a specific consortium, a prohibition on duplication of 
existing program efforts, and the five-year sunset.
    The bill, as amended, was ordered reported favorably by 
voice vote en bloc. The Senators present for the voice vote 
were Johnson, Portman, Lankford, Enzi, Hoeven, McCaskill, 
Carper, Heitkamp, Peters, Hassan, Harris, and Jones.

        IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

    This section established that the bill may be cited as the 
``National Cybersecurity Preparedness Consortium Act of 2018.''

Section 2. Definitions

    This section includes definitions of the terms 
``consortium,'' ``cybersecurity risk,'' ``incident,'' 
``Department,'' and ``Secretary.''

Section 3. National Cybersecurity Preparedness Consortium

    Subsection (a) gives the Secretary the authority to work 
with a consortium on cyber related issues.
    Subsection (b) gives the Secretary guidance on the type of 
assistance consortia may provide the NCCIC. Under this 
subsection, consortia may be used to assist in the training of 
state and local first responders and private industry actors in 
addressing cybersecurity threats and risks. DHS may also work 
with consortia to develop and update cybersecurity related 
emergency plans and to provide technical assistance related to 
cybersecurity risks and incidents. DHS may also work with the 
consortia to incorporate cybersecurity incident prevention, 
risk, and response in existing state and local emergency plans.
    Subsection (c) requires the Secretary to consider prior 
cybersecurity training experience and geographic diversity when 
selecting consortium participants.
    Subsection (d) requires the Secretary to establish metrics 
for effectiveness of consortium activities.
    Subsection (e) requires the Secretary to inform minority-
serving institutions of their ability to participate in 
consortia and support the Department's cybersecurity efforts.

Section 4. Rule of construction

    This section prohibits the consortium from commanding any 
law enforcement agency or agents.

                   V. EVALUATION OF REGULATORY IMPACT

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform bill (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

                                     U.S. Congress,
                               Congressional Budget Office,
                                   Washington, DC, October 9, 2018.
Hon. Ron Johnson, Chairman,
Committee on Homeland Security and Governmental Affairs,
U.S. Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 594, the National 
Cybersecurity Preparedness Consortium Act of 2017.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is William Ma.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

S. 594--National Cybersecurity Preparedness Consortium Act of 2017

    S. 594 would authorize the Department of Homeland Security 
(DHS) to work with a consortium to assist state and local 
governments to prepare for and respond to cybersecurity risks 
and incidents. Since 2014, the department has awarded $13 
million in grants to members of the National Cybersecurity 
Preparedness Consortium to deliver cybersecurity training and 
technical assistance to state and local governments. CBO 
expects that DHS would continue to provide a similar level of 
support under S. 594. CBO estimates that DHS would provide $3 
million in new grant funding each year, assuming appropriation 
of the estimated amounts. In total, implementing S. 594 would 
cost $15 million over the 2019-2023 period.
    Enacting S. 594 would not affect direct spending or 
revenues; therefore, pay-as-you-go procedures do not apply.
    CBO estimates that enacting S. 594 would not increase net 
direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2029.
    S. 594 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act.
    The CBO staff contact for this estimate is William Ma. The 
estimate was reviewed by Leo Lex, Deputy Assistant Director for 
Budget Analysis.

       VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    Because this legislation would not repeal or amend any 
provision of current law, it would not make changes in existing 
law within the meaning of clauses (a) and (b) of paragraph 12 
of rule XXVI of the Standing Rules of the Senate.

                                  [all]