[House Report 117-245]
[From the U.S. Government Publishing Office]


117th Congress     }                                   {      Report
                        HOUSE OF REPRESENTATIVES
 2d Session        }                                   {      117-245

======================================================================



 
           DHS ROLES AND RESPONSIBILITIES IN CYBER SPACE ACT

                                _______
                                

 February 11, 2022.--Committed to the Committee of the Whole House on 
            the State of the Union and ordered to be printed

                                _______
                                

 Mr. Thompson of Mississippi, from the Committee on Homeland Security, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 5658]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security, to whom was referred 
the bill (H.R. 5658) to require the Secretary of Homeland 
Security to submit a report on the cybersecurity roles and 
responsibilities of the Federal Government, and for other 
purposes, having considered the same, reports favorably thereon 
with an amendment and recommends that the bill as amended do 
pass.

                                CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
C.B.O. Estimate, New Budget Authority, Entitlement Authority, and 
  Tax Expenditures
Federal Mandates Statement
Duplicative Federal Programs
Statement of General Performance Goals and Objectives
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
  Benefits
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation

    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``DHS Roles and Responsibilities in 
Cyber Space Act''.

SEC. 2. FINDINGS.

  Congress finds the following:
          (1) The Department of Homeland Security, through the 
        Cybersecurity and Infrastructure Security Agency, is the lead 
        Federal coordinator for securing critical infrastructure across 
        all 16 sectors, in coordination with designated Sector Risk 
        Management Agencies.
          (2) Cyber incidents require technical resources and are only 
        sometimes sector specific.
          (3) The Cybersecurity and Infrastructure Security Agency is 
        the central agency that can quickly analyze and coordinate 
        mitigations when a malicious cyber campaign spans multiple 
        sectors.
          (4) Section 2209 of the Homeland Security Act of 2002 
        authorizes the Cybersecurity and Infrastructure Security Agency 
        as the Federal civilian interface for multi-directional and 
        cross-sector sharing of information related to cyber threat 
        indicators with and between the government and the private 
        sector.
          (5) Section 2209 of the Homeland Security Act of 2002 
        authorizes the Cybersecurity and Infrastructure Security Agency 
        to facilitate cross-sector coordination to address 
        cybersecurity risks and incidents, including cybersecurity 
        risks and incidents that may be related or could have 
        consequential impacts across multiple sectors.
          (6) Presidential Policy Directive-41 directs the Department 
        of Homeland Security, via the national cybersecurity and 
        communications integration center, to be the lead Federal 
        agency for asset response during a significant cyber incident.
          (7) The functions of the national cybersecurity and 
        communications integration center are carried out by the 
        Cybersecurity and Infrastructure Security Agency's 
        Cybersecurity Division.
          (8) Presidential Policy Directive-21 directs the Department 
        of Homeland Security to lead the coordination of critical 
        infrastructure protection among the Sector Risk Management 
        Agencies.
          (9) Section 9002 of the William M. (Mac) Thornberry National 
        Defense Authorization Act for Fiscal Year 2021 codified the 
        duties of Sector Risk Management Agencies for critical 
        infrastructure sectors, laying out the roles and 
        responsibilities they have in coordinating with the 
        Cybersecurity and Infrastructure Security Agency to secure the 
        nation's critical infrastructure.
          (10) Enhancing the security and resilience of our critical 
        infrastructure is a priority for Congress and for the Nation.
          (11) The Department of Homeland Security maintains and 
        continues to build partnerships across all infrastructure 
        sectors to enhance control systems cybersecurity.
          (12) Section 1731 of the William M. (Mac) Thornberry National 
        Defense Authorization Act for Fiscal Year 2021 directed the 
        Secretary of Homeland Security to submit a report on the 
        potential for better coordination of Federal cybersecurity 
        efforts at an integrated cybersecurity center within the 
        Cybersecurity and Infrastructure Security Agency.

SEC. 3. REPORT ON CYBERSECURITY ROLES AND RESPONSIBILITIES OF THE 
                    DEPARTMENT OF HOMELAND SECURITY.

  (a) In General.--Not later than one year after the date of the 
enactment of this Act, the Secretary of Homeland Security, in 
coordination with the Director of the Cybersecurity and Infrastructure 
Security Agency of the Department of Homeland Security, shall submit to 
the Committee on Homeland Security of the House of Representatives and 
the Committee on Homeland Security and Governmental Affairs of the 
Senate a report on the roles and responsibilities of the Department and 
its components relating to cyber incident response.
  (b) Contents.--The report required under subsection (a) shall include 
the following:
          (1) A review of how the cyber incident response plans under 
        section 2210(c) of the Homeland Security Act of 2002 (6 U.S.C. 
        660(c)) are utilized in the Federal Government's response to a 
        cyber incident.
          (2) An explanation of the roles and responsibilities of the 
        Department of Homeland Security and its components with 
        responsibility for, or in support of, the Federal Government's 
        response to a cyber incident, including primary responsibility 
        for working with impacted private sector entities.
          (3) An explanation of which and how authorities of the 
        Department and its components are utilized in the Federal 
        Government's response to a cyber incident.
          (4) Recommendations to provide further clarity for roles and 
        responsibilities of the Department and its components relating 
        to cyber incident response.

                          PURPOSE AND SUMMARY

    H.R. 5658, ``DHS Roles and Responsibilities in Cyber Space 
Act,'' seeks to clarify the roles and responsibilities of 
officials across the Department of Homeland Security (DHS) 
related to the Department's cyber incident response mission. 
Specifically, it directs the Secretary of Homeland Security, in 
coordination with the Director of the Cybersecurity and 
Infrastructure Security Agency (CISA), to report to Congress on 
the roles and responsibilities of the Department and its 
components relating to cyber incident response. The report must 
include: (1) a review of how cyber incident response plans 
developed by CISA are utilized in the Federal Government's 
response to a cyber incident; (2) an explanation of the roles 
and responsibilities of DHS and its components in the Federal 
Government's response to a cyber incident; (3) an explanation 
of how the Department and its components leverage existing 
authorities in cyber incident response; and (4) recommendations 
to clarify roles and responsibilities among DHS components 
related to its cybersecurity mission.

                  BACKGROUND AND NEED FOR LEGISLATION

    The volume of cyber attacks impacting our Nation's critical 
infrastructure in 2021 highlighted the lack of clarity about 
roles and responsibilities across the Federal Government 
pertaining to cyber incident response. Pursuant to longstanding 
doctrine, including Presidential Policy Directive-21, DHS, 
through CISA, is the lead Federal coordinator for securing 
critical infrastructure across all 16 sectors, in coordination 
with designated Sector Risk Management Agencies. As 
cybersecurity incidents have grown in frequency and 
sophistication, the Federal Government and the private sector 
have demanded more of CISA's technical, analytic, and 
operational capabilities during incident response. DHS's cross-
sector coordination responsibilities related to cyber incident 
response have become increasingly important, particularly 
because cyber incidents are rarely sector specific.
    Presidential Policy Directive-41 directs DHS, through the 
National Cybersecurity and Communications Integration Center, 
to be the lead Federal agency for asset response during a 
significant cyber incident. CISA is the central agency charged 
with quickly analyzing and coordinating mitigation when a 
malicious cyber campaign spans multiple sectors. Section 2209 
of the Homeland Security Act of 2002 authorizes the agency as 
the Federal civilian interface for multi-directional and cross-
sector sharing of information related to cyber threat 
indicators with, and between, the government and the private 
sector. It also directs CISA to facilitate cross-sector 
coordination to address cybersecurity risks and incidents, 
including cybersecurity risks and incidents that may be related 
or could have consequential impacts across multiple sectors.
    Although CISA plays a prominent role in executing DHS's 
cybersecurity responsibilities, other DHS components also bring 
to bear important capabilities. For example, the Transportation 
Security Administration and the United States Coast Guard carry 
out DHS responsibilities as the co-Sector Risk Management 
Agency for the transportation sector. Notably, those 
responsibilities include partnering with sector stakeholders on 
incident prevention, mitigation, response, and recovery 
activities.
    The United States Secret Service (USSS) is charged with 
investigating complex cyber crimes. To carry out its mission, 
USSS houses Cyber Fraud Task Forces (CFTFs), which are 
partnerships between the Secret Service, other law enforcement 
agencies, prosecutors, private industry, and academia, 
leveraged to enhance cyber investigative efforts. USSS also 
maintains a Global Investigative Operations Center, which 
supports strategic domestic and international investigations 
with potential impact on the integrity of the financial 
infrastructure and works with CFTFs to combat transnational 
criminal organizations.
    Similarly, the Homeland Security Investigations (HSI) Cyber 
Crimes Center within Immigration and Customs Enforcement 
brings together highly technical assets dedicated to conducting 
trans-border criminal investigations of cyber-related crimes 
within the HSI portfolio of customs and immigration 
authorities.
    Other activities related to DHS's cybersecurity 
preparedness and response missions are carried out by, or 
supported by, other components of the Department, including the 
Office of Strategy, Policy, and Plans, the Science and 
Technology Directorate, and the Office of Intelligence and 
Analysis. A DHS strategy that articulates the roles and 
responsibilities for each component will ensure the efficient, 
strategic allocation of resources for the Department's 
cybersecurity missions.

                                HEARINGS

    For the purposes of clause 3(c)(6) of rule XIII of the 
Rules of the House of Representatives, the following hearings 
were used to develop H.R. 5658:
           On June 15, 2021, the Subcommittees on 
        Cybersecurity, Infrastructure Protection, and 
        Innovation and Transportation and Maritime Security 
        held a joint hearing entitled ``Cyber Threats in the 
        Pipeline: Lessons from the Federal Response to the 
        Colonial Pipeline Ransomware Attack.'' Ms. Sonya 
        Proctor, Assistant Administrator for Surface 
        Operations, Transportation Security Administration, 
        Department of Homeland Security; and Mr. Eric 
        Goldstein, Executive Assistant Director for 
        Cybersecurity, Cybersecurity and Infrastructure 
        Security Agency, Department of Homeland Security 
        testified.
           On October 26, 2021, the Subcommittees on 
        Cybersecurity, Infrastructure Protection, and 
        Innovation and Transportation and Maritime Security 
        held a joint hearing titled, ``Transportation 
        Cybersecurity: Protecting Planes, Trains, and Pipelines 
        from Cyber Threats.'' Ms. Suzanne Spaulding, Senior 
        Adviser, Center for Strategic and International Studies 
        (formerly Under Secretary, National Protection and 
        Programs Directorate); Ms. Patty Cogswell, Strategic 
        Advisor, Guidehouse (formerly Deputy Administrator, 
        Transportation Security Administration); Mr. Jeffrey 
        Troy, President & Chief Executive Officer, Aviation 
        Information Sharing and Analysis Center (formerly 
        Deputy Assistant Director, Cyber Division, Federal 
        Bureau of Investigation); and Mr. Scott Dickerson, 
        Executive Director, Maritime Transportation System 
        Information Sharing and Analysis Center (MTS-ISAC) 
        testified.
           On November 3, 2021, the Committee on 
        Homeland Security held a hearing entitled, ``Evolving 
        the U.S. Approach to Cybersecurity: Raising the Bar 
        Today to Meet the Threats of Tomorrow.'' The Honorable 
        Chris Inglis, National Cyber Director, Executive Office 
        of the President; and The Honorable Jen Easterly, 
        Director, Cybersecurity and Infrastructure Security 
        Agency testified.
           On November 17, 2021, the Subcommittees on 
        Intelligence and Counterterrorism and Cybersecurity, 
        Infrastructure Protection, and Innovation held a joint 
        hearing entitled ``A Whole-of-Government Approach to 
        Combatting Ransomware: Examining DHS's Role.'' The 
        Honorable Rob Silvers, Under Secretary, Office of 
        Strategy, Policy, and Plans, DHS, Mr. Brandon Wales, 
        Executive Director, Cybersecurity and Infrastructure 
        Security Agency (CISA), DHS, and Mr. Jeremy Sheridan, 
        Assistant Director of Investigations, U.S. Secret 
        Service (USSS), DHS testified.

                        COMMITTEE CONSIDERATION

    The Committee met on October 26, 2021, a quorum being 
present, to consider H.R. 5658 and ordered the measure to be 
favorably reported to the House, as amended, by voice vote.

                            COMMITTEE VOTES

    Clause 3(b) of rule XIII requires the Committee to list the 
recorded votes on the motion to report legislation and 
amendments thereto.
    No recorded votes were requested during consideration of 
H.R. 5658.

                      COMMITTEE OVERSIGHT FINDINGS

    In compliance with clause 3(c)(1) of rule XIII, the 
Committee advises that the findings and recommendations of the 
Committee, based on oversight activities under clause 2(b)(1) 
of rule X, are incorporated in the descriptive portions of this 
report.

CONGRESSIONAL BUDGET OFFICE ESTIMATE, NEW BUDGET AUTHORITY, ENTITLEMENT 
                    AUTHORITY, AND TAX EXPENDITURES

    With respect to the requirements of clause 3(c)(2) of rule 
XIII and section 308(a) of the Congressional Budget Act of 
1974, and with respect to the requirements of clause 3(c)(3) of 
rule XIII and section 402 of the Congressional Budget Act of 
1974, the Committee adopts as its own the estimate of any new 
budget authority, spending authority, credit authority, or an 
increase or decrease in revenues or tax expenditures contained 
in the cost estimate prepared by the Director of the 
Congressional Budget Office.

                                     U.S. Congress,
                               Congressional Budget Office,
                                 Washington, DC, November 22, 2021.
Hon. Bennie G. Thompson,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 5658, the DHS 
Roles and Responsibilities in Cyber Space Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Aldo 
Prosperi.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.


    H.R. 5658 would require the Department of Homeland Security 
(DHS) to report to the Congress on the effectiveness of the 
department's responses to cybersecurity incidents. Under the 
bill, DHS also would provide the Congress with recommendations 
to further clarify cybersecurity responsibilities across the 
department's component agencies.
    Based on the costs of similar studies, CBO estimates that 
preparing and delivering the required report would cost less 
than $500,000 over the 2022-2026 period. Such spending would be 
subject to the availability of appropriations.
    The CBO staff contact for this estimate is Aldo Prosperi. 
The estimate was reviewed by Leo Lex, Deputy Director of Budget 
Analysis.

                       FEDERAL MANDATES STATEMENT

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                      DUPLICATIVE FEDERAL PROGRAMS

    Pursuant to clause 3(c) of rule XIII, the Committee finds 
that H.R. 5658 does not contain any provision that establishes 
or reauthorizes a program known to be duplicative of another 
Federal program.

         STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

    Pursuant to clause 3(c)(4) of rule XIII, the objective of 
H.R. 5658 is to clarify the roles and responsibilities of 
components within the Department of Homeland Security related 
to the Department's cybersecurity mission.

   CONGRESSIONAL EARMARKS, LIMITED TAX BENEFITS, AND LIMITED TARIFF 
                                BENEFITS

    In compliance with rule XXI, this bill, as reported, 
contains no congressional earmarks, limited tax benefits, or 
limited tariff benefits as defined in clause 9(d), 9(e), or 
9(f) of rule XXI.

                      ADVISORY COMMITTEE STATEMENT

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                  APPLICABILITY TO LEGISLATIVE BRANCH

    The Committee finds that H.R. 5658 does not relate to the 
terms and conditions of employment or access to public services 
or accommodations within the meaning of section 102(b)(3) of 
the Congressional Accountability Act.

             SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION

    Section 1. Short Title.

    This section states that the Act may be cited as the ``DHS 
Roles and Responsibilities in Cyber Space Act''.

    Sec. 2. Findings.

     This section makes the following findings related to the 
cybersecurity roles and responsibilities within the Department 
of Homeland Security:
          1. The Department of Homeland Security, through the 
        Cybersecurity and Infrastructure Security Agency, is 
        the lead Federal coordinator for securing critical 
        infrastructure across all 16 sectors, in coordination 
        with designated Sector Risk Management Agencies.
          2. Cyber incidents require technical resources and 
        are very rarely sector specific.
          3. The Cybersecurity and Infrastructure Security 
        Agency is the central agency that can quickly analyze 
        and coordinate mitigations when a malicious cyber 
        campaign spans multiple sectors.
          4. Section 2209 of the Homeland Security Act of 2002 
        authorizes the Cybersecurity and Infrastructure 
        Security Agency as the Federal civilian interface for 
        multi-directional and cross-sector sharing of 
        information related to cyber threat indicators with and 
        between the government and the private sector.
          5. Section 2209 of the Homeland Security Act of 2002 
        authorizes the Cybersecurity and Infrastructure 
        Security Agency to facilitate cross-sector coordination 
        to address cybersecurity risks and incidents, including 
        cybersecurity risks and incidents that may be related 
        or could have consequential impacts across multiple 
        sectors.
          6. Presidential Policy Directive-41 directs the 
        Department of Homeland Security, via the national 
        cybersecurity and communications integration center, to 
        be the lead Federal agency for asset response during a 
        significant cyber incident.
          7. The functions of the national cybersecurity and 
        communications integration center are carried out by 
        the Cybersecurity and Infrastructure Security Agency's 
        Cybersecurity Division.
          8. Presidential Policy Directive-21 directs the 
        Department of Homeland Security to lead the 
        coordination of critical infrastructure protection 
        among the Sector Risk Management Agencies.
          9. Enhancing the security and resilience of our 
        critical infrastructure is a priority for Congress and 
        for the Nation.
          10. The Department of Homeland Security maintains and 
        continues to build partnerships across all 
        infrastructure sectors to enhance control systems 
        cybersecurity.

    Sec. 3. Report on Cybersecurity Roles and Responsibilities 
of the Department of Homeland Security.

    This section requires the Secretary of Homeland Security, 
in coordination with the Director of the Cybersecurity and 
Infrastructure Security Agency, to submit to the Committee on 
Homeland Security of the House of Representatives and the 
Committee on Homeland Security and Governmental Affairs of the 
Senate within 1 year of enactment a report on the roles and 
responsibilities of the Department and its components relating 
to cyber incident response.
    The report must contain:
          1. A review of how the cyber incident response plans 
        under section 2210(c) of the Homeland Security Act of 
        2002 (6 U.S.C. 660(c)) are utilized in the Federal 
        Government's response to a cyber incident;
          2. An explanation of the roles and responsibilities 
        of the Department of Homeland Security and its 
        components with responsibility for, or in support of, 
        the Federal Government's response to a cyber incident, 
        including primary responsibility for working with 
        impacted private sector entities;
          3. An explanation of which and how authorities of the 
        Department and its components are utilized in the 
        Federal Government's response to a cyber incident; and
          4. Recommendations to provide further clarity for 
        roles and responsibilities of the Department and its 
        components relating to cyber incident response.
