[Senate Report 116-265]
[From the U.S. Government Publishing Office]


 						      Calendar No. 528
116th Congress         }                          {             Report
                                 SENATE
 2d Session            }                          {            116-265

======================================================================

                                     

                                                       

       CYBERSECURITY ADVISORY COMMITTEE AUTHORIZATION ACT OF 2020

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 4024

          TO ESTABLISH IN THE CYBERSECURITY AND INFRASTRUCTURE
             SECURITY AGENCY OF THE DEPARTMENT OF HOMELAND
              SECURITY A CYBERSECURITY ADVISORY COMMITTEE

		
		
		[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

               
               
               September 9, 2020.--Ordered to be printed
               
               
               
               
               
               			__________
        
        
        
		     U.S. GOVERNMENT PUBLISHING OFFICE
		
99-010		             WASHINGTON : 2020

        
        
        
        
        
        
        
        
        
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio                    GARY C. PETERS, Michigan
RAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma             MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah                    KAMALA D. HARRIS, California
RICK SCOTT, Florida                  KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming             JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri

                Gabrielle D'Adamo Singer, Staff Director
                   Joseph C. Folio III, Chief Counsel
                   Michael J.R. Flynn, Senior Counsel
               Andrew J. Timm, Professional Staff Member
               David M. Weinberg, Minority Staff Director
               Zachary I. Schram, Minority Chief Counsel
     Jeffrey D. Rothblum, Minority Senior Professional Staff Member
                     Laura W. Kilbride, Chief Clerk





						      Calendar No. 528
116th Congress         }                          {             Report
                                 SENATE
 2d Session            }                          {            116-265

======================================================================



 
       CYBERSECURITY ADVISORY COMMITTEE AUTHORIZATION ACT OF 2020

                                _______
                                

               September 9, 2020.--Ordered to be printed

                                _______
                                

 Mr. Johnson, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 4024]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 4024) to establish 
in the Cybersecurity and Infrastructure Security Agency of the 
Department of Homeland Security a Cybersecurity Advisory 
Committee, and for other purposes, having considered the same, 
reports favorably thereon with an amendment in the nature of a 
substitute and recommends that the bill, as amended, do pass.

                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for the Legislation..........................2
III. Legislative History..............................................3
 IV. Section-by-Section Analysis......................................3
  V. Evaluation of Regulatory Impact..................................5
 VI. Congressional Budget Office Cost Estimate........................6
VII. Changes in Existing Law Made by the Bill, as Reported............7

                         I. Purpose and Summary

    The purpose of S. 4024, the Cybersecurity Advisory 
Committee Authorization Act of 2020, is to amend the Homeland 
Security Act of 2002 to establish a Cybersecurity Advisory 
Committee (Advisory Committee) within the Department of 
Homeland Security's (DHS or the Department) Cybersecurity and 
Infrastructure Security Agency (CISA). The Advisory Committee 
is to be comprised of representatives of state and local 
governments as well as cybersecurity subject matter experts who 
would report to the Director of CISA. The Advisory Committee 
would be tasked to assist CISA in the execution of its 
cybersecurity mission by advising, consulting with, and making 
recommendations to the Director of CISA concerning the 
development, refinement, and implementation of CISA's 
cybersecurity policies, programs, planning, and training. This 
bill will better position CISA to effectively execute its cyber 
mission.

              II. Background and the Need for Legislation

    In September 2018, the Trump Administration released the 
National Cybersecurity Strategy, which underscores the Federal 
Government's intent to strengthen its collaboration with the 
private sector and non-Federal entities to combat cyber threats 
and secure critical infrastructure.\1\ Additionally, the 2018 
DHS Cybersecurity Strategy recognized the need to ``partner 
with key stakeholders, including sector specific agencies and 
the private sector, to drive better cybersecurity.''\2\
---------------------------------------------------------------------------
    \1\The White House, National Cybersecurity Strategy 8, (2018), 
available at https://www.whitehouse.gov/wp-content/uploads/2018/09/
National-Cyber-Strategy.pdf.
    \2\U.S. Department of Homeland Security, U.S. Department of 
Homeland Security Cybersecurity Strategy 11 (2018), available at 
https://www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-
Strategy_1.pdf.
---------------------------------------------------------------------------
    To better position DHS to carry out its cybersecurity and 
infrastructure protection mission, Congress re-designated and 
restructured the Department's National Protection and Programs 
Directorate as CISA through the Cybersecurity and 
Infrastructure Security Agency Act of 2018.\3\ More 
specifically, Congress established CISA to, among other things, 
lead DHS's coordination ``with partners at all levels of 
government, and from the private and non-profit sectors, to 
share information and build greater trust in order to make our 
cyber and physical infrastructure more secure.''\4\
---------------------------------------------------------------------------
    \3\H. Rept. 115-454 at 2 (2017), available at https://
www.congress.gov/115/crpt/hrpt454/CRPT-115hrpt454.pdf.
    \4\Id.
---------------------------------------------------------------------------
    CISA has demonstrated its commitment to improving its 
partnerships with non-Federal entities. For example, in October 
2019, CISA Director Chris Krebs testified before the Committee 
at a hearing entitled, ``Supply Chain Security, Global 
Competitiveness, and 5G.''\5\ When asked by Chairman Ron 
Johnson what Congress could do to assist CISA in achieving its 
goals and priorities, Director Krebs said that Congress should 
``[m]ake it easier for [CISA] to be able to convene groups to 
develop frameworks, to share more broadly.''\6\ Additionally, 
at a Committee hearing held in February 2020, Director Krebs 
testified that CISA's goal is to work with government and 
industry partners in order to create ``a more strategic and 
unified approach towards improving our nation's overall 
defensive posture against malicious cyber activity.''\7\ At the 
same hearing, Director Krebs stated that as an agency, CISA's 
pathway to providing more value to its partners requires 
``listening and learning what [its non-Federal partners] 
actually need.''\8\
---------------------------------------------------------------------------
    \5\Supply Chain Security, Global Competitiveness, and 5G: Hearing 
Before the S. Comm. on Homeland Sec. & Governmental Affairs, 116th 
Cong. (Oct. 19, 2019), available at https://www.govinfo.gov/content/
pkg/CHRG-116shrg40385/pdf/CHRG-116shrg40385.pdf.
    \6\Id. (testimony of CISA Director Chris Krebs).
    \7\What States, Locals and the Business Community Should Know and 
Do: A Roadmap for Effective Cybersecurity: Hearing Before the S. Comm. 
on Homeland Sec. & Governmental Affairs, 116th Cong. (Feb. 11, 2020) 
(testimony of CISA Director Chris Krebs).
    \8\Id.
---------------------------------------------------------------------------
    Additionally, the Cyberspace Solarium Commission (CSC), a 
bipartisan, bicameral commission, was established in the John 
S. McCain National Defense Authorization Act of 2019 to 
``develop a consensus on a strategic approach to defending the 
United States in cyberspace against cyber attacks of 
significant consequence.''\9\ In March 2020, the CSC published 
its final report, which included a broad recommendation to 
strengthen CISA ``to promote a more secure cyber ecosystem, and 
to serve as the central civilian cybersecurity authority to 
support federal, state and local, and private sector 
cybersecurity efforts.''\10\ Specifically, the CSC recommended 
including a cybersecurity advisory committee for CISA to better 
account for non-Federal interests.\11\
---------------------------------------------------------------------------
    \9\Pub. L. No. 115-232, 115th Cong. (2018).
    \10\Cyberspace Solarium Commission 3 (Mar. 2020), available at 
https://www.solarium.gov/report.
    \11\Id. at 41.
---------------------------------------------------------------------------
    S. 4024 formally establishes an advisory body comprised of 
a diverse set of experts representing the private and non-
Federal public sector within CISA. The bill also establishes a 
process to provide direct input to CISA on policies, programs, 
planning, and training to account for non-Federal interests, 
thereby enhancing CISA's ability to engage with both public and 
private sector partners. The legislation should facilitate 
stakeholder engagement and ensure that a wide variety of views 
are represented, including through a geographically diverse 
membership.

                        III. Legislative History

    Senator David Perdue (R-GA) introduced S. 4024, the 
Cybersecurity Advisory Committee Authorization Act of 2020, on 
June 22, 2020, with Senator Kyrsten Sinema (D-AZ). The bill was 
referred to the Committee on Homeland Security and Governmental 
Affairs.
    The Committee considered S. 4024 at a business meeting on 
July 22, 2020. During the business meeting, Chairman Johnson 
and Senator Sinema offered a substitute amendment. The 
amendment provided additional oversight authorities to the 
Director, clarified the structure and composition of the 
Advisory Committee and its membership, and included measures to 
increase transparency of the Advisory Committee and its work. 
The Johnson-Sinema substitute amendment was adopted by voice 
vote en bloc. The bill, as amended, was reported favorably by 
voice vote en bloc. Senators present for both the vote on the 
amendment and on final passage were Johnson, Portman, Paul, 
Lankford, Romney, Scott, Enzi, Hawley, Peters, Carper, Hassan, 
Harris, and Rosen.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1. Short title

    This section names the bill the ``Cybersecurity Advisory 
Committee Authorization Act of 2020.''

Section 2. Cybersecurity Advisory Committee

    Section 2, subsection (a) adds a new section, section 2215, 
to the Homeland Security Act of 2002 to establish the Advisory 
Committee within CISA.
    New section 2215 subsection (a) establishes the Advisory 
Committee. Subsection (b)(1) lays out the duties of the 
Advisory Committee. Specifically, this subsection requires that 
the Advisory Committee advise, consult with, report and make 
recommendations to the Director of CISA on the development, 
refinement, and implementation of policies, programs, planning, 
and training pertaining to the Agency's cybersecurity mission. 
Subsection (b)(2) requires the Advisory Committee, at the 
Director's request, to develop recommendations regarding 
improving and advancing CISA's cybersecurity mission and 
strengthening the United States' cybersecurity. Recommendations 
made by the Advisory Committee must be approved by the 
Committee before the submission of an annual report.
    New section 2215, subsection (b)(3) requires the Advisory 
Committee to submit periodic reports on matters identified by 
the Director as well as matters identified by a majority of the 
members of the Advisory Committee.
    New section 2215, subsection (b)(4) requires the Advisory 
Committee to submit an annual report including the Advisory 
Committee's activities, findings, and recommendations, 
including those of any subcommittee established under this Act, 
for the preceding year. Not later than 180 days after the 
Director receives the Advisory Committee's annual report, the 
Director must publish a public version of the report. 
Subsection (b)(5) requires the Director of CISA to respond in 
writing not later than 90 days after receiving any 
recommendation from the Advisory Committee. If the Director 
concurs with the recommendation, the Director must also submit 
an action plan to implement the recommendation; if the Director 
does not concur with the recommendation, the Director must 
provide justification for why the recommendation will not be 
implemented.
    New section 2215, subsection (b)(6) lays out the 
congressional notification process. Specifically, this 
subsection requires the Director of CISA to provide the 
Committees on Homeland Security and Governmental Affairs and 
Appropriations of the Senate and the Committees on Homeland 
Security and Appropriations of the House of Representatives a 
briefing on feedback from the Advisory Committee.
    New section 2215, subsection (b)(7) requires the Director 
of CISA to establish structure and governance rules concerning 
the Advisory Committee and any subcommittee established under 
the legislation.
    New section 2215, subsection (c) outlines the membership of 
the Advisory Committee. The Director of CISA shall appoint up 
to 35 individuals to serve as members of the Advisory 
Committee, within 180 days of the bill's enactment. The bill 
requires that the membership consist of subject matter experts, 
be geographically balanced, and include representatives from 
state, local, and tribal governments and a broad range of 
industries such as defense, education, financial services and 
insurance, healthcare, manufacturing, and other relevant fields 
identified by the Director. At least one, but not more than 
three, members of the Advisory Committee may represent a 
private sector category identified in this bill. The membership 
of the Advisory Committee is required to be made available on a 
public website at least once a year and must be updated to 
reflect changes in membership when they occur. Members of the 
Advisory Committee are permitted to serve for a period of two 
years, but may also serve in a holdover capacity until a 
successor is appointed. The Director of CISA has the authority 
to remove participants at his or her discretion. Members of the 
Advisory Committee are prohibited from being compensated by the 
Federal Government for their participation. The Advisory 
Committee must meet at least semiannually and may convene 
additional meetings as necessary. At least one semiannual 
meeting must be open to the public, and attendance must be 
recorded at each meeting. Within 60 days of appointing a member 
to the Advisory Committee, the Director is required to 
determine whether that member should be restricted from 
reviewing, discussing, or possessing classified materials. 
Members of the Advisory Committee are required to protect all 
classified information in accordance with applicable 
requirements. The requirements under this bill concerning a 
member's access to classified materials are not to affect the 
security clearance held by said member. Finally, the members of 
the Advisory Committee are required to appoint an Advisory 
Committee chairperson as well as a chairperson for each 
subcommittee.
    New section 2215, subsection (d) requires the Director of 
CISA to establish subcommittees within the Advisory Committee 
to address cybersecurity security issues, such as information 
exchange, critical infrastructure, risk management, and public 
and private partnerships. The subcommittees are required to 
meet not less than semiannually, and submit to the Advisory 
Committee information concerning its activities, findings, 
recommendations related to the subject matter considered by the 
subcommittee. The chair of the Advisory Committee must appoint 
members to serve on subcommittees and ensure that the appointed 
member possesses expertise relevant to the subcommittee's 
focus.
    Subsection (b) of the bill adds a clerical amendment to 
modify the Homeland Security Act of 2002's table of contents 
consistent with the new section added by this legislation.

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. Congressional Budget Office Cost Estimate

                                     U.S. Congress,
                               Congressional Budget Office,
                                    Washington, DC, August 5, 2020.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 4024, the 
Cybersecurity Advisory Committee Authorization Act of 2020.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Aldo 
Prosperi.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.

    
    

    S. 4024 would require the Director of the Cybersecurity and 
Infrastructure Security Agency (CISA) to establish an advisory 
committee that would be composed of members from state and 
local governments and the private sector. The committee would 
provide CISA with recommendations on the implementation of 
cybersecurity policies and programs.
    Using information from the agency about the administrative 
costs of similar advisory committees, CBO estimates that staff 
salaries, travel costs, and other expenses would be less than 
$500,000 annually. In total, implementing S. 4024 would cost $2 
million over the 2020-2025 period; such spending would be 
subject to the availability of appropriations.
    On October 11, 2019, CBO transmitted a cost estimate for 
H.R. 1975, the Cybersecurity Advisory Committee Authorization 
Act of 2019, as ordered reported by the House Committee on 
Homeland Security on September 25, 2019. The two pieces of 
legislation are similar, and CBO's estimate of their budgetary 
effects is the same.
    The CBO staff contact for this estimate is Aldo Prosperi. 
The estimate was reviewed by Leo Lex, Deputy Director of Budget 
Analysis.

       VII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, the following changes in existing 
law made by the bill, as reported, are shown as follows: 
(existing law proposed to be omitted is enclosed in black 
brackets, new matter is printed in italic, existing law in 
which no change is proposed is shown in roman):

HOMELAND SECURITY ACT OF 2002

           *       *       *       *       *       *       *


SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) * * *
    (b) Table of Contents.--The table of contents for this Act 
is as follows:

      TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

Subtitle A--Cybersecurity and Infrastructure Security

           *       *       *       *       *       *       *


SEC. 2215. CYBERSECURITY ADVISORY COMMITTEE.

           *       *       *       *       *       *       *


TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

           *       *       *       *       *       *       *


Subtitle A--Cybersecurity and Infrastructure Security

           *       *       *       *       *       *       *


SEC. 2215. CYBERSECURITY ADVISORY COMMITTEE.

    (a) Establishment--.The Secretary shall establish within 
the Agency a Cybersecurity Advisory Committee (referred to in 
this section as the ``Advisory Committee'').
    (b) Duties.--
          (1) In general.--The Advisory Committee shall advise, 
        consult with, report to, and make recommendations to 
        the Director, as appropriate, on the development, 
        refinement, and implementation of policies, programs, 
        planning, and training pertaining to the cybersecurity 
        mission of the Agency.
          (2) Recommendations.--
                  (A) In general.--The Advisory Committee shall 
                develop, at the request of the Director, 
                recommendations for improvements to advance the 
                cybersecurity mission of the Agency and 
                strengthen the cybersecurity of the United 
                States.
                (B) Recommendations of subcommittees.--
                Recommendations agreed upon by subcommittees 
                established under subsection (d) for any year 
                shall be approved by the Advisory Committee 
                before the Advisory Committee submits to the 
                Director the annual report under paragraph (4) 
                for that year.
          (3) Periodic reports.--The Advisory Committee shall 
        periodically submit to the Director--
                  (A) reports on matters identified by the 
                Director; and
                  (B) reports on other matters identified by a 
                majority of the members of the Advisory 
                Committee.
          (4) Annual report.--
                  (A) In general.--The Advisory Committee shall 
                submit to the Director an annual report 
                providing information on the activities, 
                findings, and recommendations of the Advisory 
                Committee, including its subcommittees, for the 
                preceding year.
                  (B) Publication.--Not later than 180 days 
                after the date on which the Director receives 
                an annual report for a year under subparagraph 
                (A), the Director shall publish a public 
                version of the report describing the activities 
                of the Advisory Committee and such related 
                matters as would be informative to the public 
                during that year, consistent with section 
                552(b) of title 5, United States Code.
          (5) Feedback.--Not later than 90 days after receiving 
        any recommendation submitted by the Advisory Committee 
        under paragraph (2), (3), or (4), the Director shall 
        respond in writing to the Advisory Committee with 
        feedback on the recommendation. Such a response shall 
        include--
                  (A) with respect to any recommendation with 
                which the Director concurs, an action plan to 
                implement the recommendation; and
                  (B) with respect to any recommendation with 
                which the Director does not concur, a 
                justification for why the Director does not 
                plan to implement the recommendation.
          (6) Congressional notification.--Not less frequently 
        than once per year after the date of enactment of this 
        section, the Director shall provide to the Committee on 
        Homeland Security and Governmental Affairs and the 
        Committee on Appropriations of the Senate and the 
        Committee on Homeland Security and the Committee on 
        Appropriations of the House of Representatives a 
        briefing on feedback from the Advisory Committee.
          (7) Governance rules.--The Director shall establish 
        rules for the structure and governance of the Advisory 
        Committee and all subcommittees established under 
        subsection (d).
    (c) Membership.--
          (1) Appointment.--
                  (A) In general.--Not later than 180 days 
                after the date of enactment of the 
                Cybersecurity Advisory Committee Authorization 
                Act of 2020, the Director shall appoint the 
                members of the Advisory Committee.
                  (B) Composition.--The membership of the 
                Advisory Committee shall consist of not more 
                than 35 individuals.
                  (C) Representation.--
                          (i) In general.--The membership of 
                        the Advisory Committee shall--
                                  (I) consist of subject matter 
                                experts;
                                  (II) be geographically 
                                balanced; and
                                  (III) include representatives 
                                of State, local, and Tribal 
                                governments and of a broad 
                                range of industries, which may 
                                include the following:
                                          (aa) Defense.
                                          (bb) Education.
                                          (cc) Financial 
                                        services and insurance.
                                          (dd) Healthcare.
                                          (ee) Manufacturing.
                                          (ff) Media and 
                                        entertainment.
                                          (gg) Chemicals.
                                          (hh) Retail.
                                          (ii) Transportation.
                                          (jj) Energy.
                                          (kk) Information 
                                        Technology.
                                          (ll) Communications.
                                          (mm) Other relevant 
                                        fields identified by 
                                        the Director.
                          (ii) Prohibition.--Not less than 1 
                        member nor more than 3 members may 
                        represent any 1 category under clause 
                        (i)(III).
                          (iii) Publication of membership 
                        list.--The Advisory Committee shall 
                        publish its membership list on a 
                        publicly available website not less 
                        than once per fiscal year and shall 
                        update the membership list as changes 
                        occur.
          (2) Term of office.--
                (A) Terms.--The term of each member of the 
                Advisory Committee shall be 2 years, except 
                that a member may continue to serve until a 
                successor is appointed.
                  (B) Removal.--The Director may review the 
                participation of a member of the Advisory 
                Committee and remove such member any time at 
                the discretion of the Director.
                  (C) Reappointment.--A member of the Advisory 
                Committee may be reappointed for an unlimited 
                number of terms.
          (3) Prohibition of compensation.--The members of the 
        Advisory Committee may not receive pay or benefits from 
        the United States Government by reason of their service 
        on the Advisory Committee.
          (4) Meetings.--
                  (A) In general.--The Director shall require 
                the Advisory Committee to meet not less 
                frequently than semiannually, and may convene 
                additional meetings as necessary.
                  (B) Public meetings.--At least one of the 
                meetings referred to in subparagraph (A) shall 
                be open to the public.
                  (C) Attendance.--The Advisory Committee shall 
                maintain a record of the persons present at 
                each meeting.
          (5) Member access to classified information.--
                  (A) In general.--Not later than 60 days after 
                the date on which a member is first appointed 
                to the Advisory Committee and before the member 
                is granted access to any classified 
                information, the Director shall determine, for 
                the purposes of the Advisory Committee, if the 
                member should be restricted from reviewing, 
                discussing, or possessing classified 
                information.
                  (B) Access.--Access to classified materials 
                shall be managed in accordance with Executive 
                Order No. 13526 of December 29, 2009 (75 Fed. 
                Reg. 707), or any subsequent corresponding 
                Executive Order.
                  (C) Protections.--A member of the Advisory 
                Committee shall protect all classified 
                information in accordance with the applicable 
                requirements for the particular level of 
                classification of such information.
                  (D) Rule of construction.--Nothing in this 
                paragraph shall be construed to affect the 
                security clearance of a member of the Advisory 
                Committee or the authority of a Federal agency 
                to provide a member of the Advisory Committee 
                access to classified information.
          (6) Chairperson.--The Advisory Committee shall 
        select, from among the members of the Advisory 
        Committee--
                  (A) a member to serve as chairperson of the 
                Advisory Committee; and
                  (B) a member to serve as chairperson of each 
                subcommittee of the Advisory Committee 
                established under subsection (d).
    (d) Subcommittees.--
          (1) In general.--The Director shall establish 
        subcommittees within the Advisory Committee to address 
        cybersecurity issues, which may include the following:
                  (A) Information exchange.
                  (B) Critical infrastructure.
                  (C) Risk management.
                  (D) Public and private partnerships.
          (2) Meetings and reporting.--Each subcommittee shall 
        meet not less frequently than semiannually, and submit 
        to the Advisory Committee for inclusion in the annual 
        report required under subsection (b)(4) information, 
        including activities, findings, and recommendations, 
        regarding subject matter considered by the 
        subcommittee.
          (3) Subject matter experts.--The chairperson of the 
        Advisory Committee shall appoint members to 
        subcommittees and shall ensure that each member 
        appointed to a subcommittee has subject matter 
        expertise relevant to the subject matter of the 
        subcommittee.

                                  [all]