[Senate Report 117-24]
[From the U.S. Government Publishing Office]


                                                        Calendar No. 73
_______________________________________________________________________

117th Congress }                                              { Report
                                SENATE                          
  1st Session  }                                              { 117-24
_______________________________________________________________________



       NATIONAL CYBERSECURITY PREPAREDNESS CONSORTIUM ACT OF 2021

                               __________

                               R E P O R T

                                 OF THE

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              TO ACCOMPANY

                                 S. 658

            TO AUTHORIZE THE SECRETARY OF HOMELAND SECURITY
           TO WORK WITH CYBERSECURITY CONSORTIA FOR TRAINING,
                         AND FOR OTHER PURPOSES


              [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


                 June 14, 2021.--Ordered to be printed
                 
                               __________


                  U.S. GOVERNMENT PUBLISHING OFFICE

                          WASHINGTON : 2021





       COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman

THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
         Christopher J. Mulkins, Director of Homeland Security
              Celeste M. Chamberlain, TechCongress Fellow
                Pamela Thiessen, Minority Staff Director
  Andrew C. Dockham, Minority Chief Counsel and Deputy Staff Director
          Cara G. Mumford, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk




                                                        Calendar No. 73
117th Congress }                                              { Report
                                 SENATE
 1st Session   }                                              { 117-24

======================================================================

 
       NATIONAL CYBERSECURITY PREPAREDNESS CONSORTIUM ACT OF 2021

                                _______
                                

                 June 14, 2021.--Ordered to be printed

                                _______
                                

 Mr. Peters, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 658]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 658) to authorize 
the Secretary of Homeland Security to work with cybersecurity 
consortia for training, and for other purposes, having 
considered the same, reports favorably thereon without 
amendment and recommends that the bill do pass.


                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for the Legislation..........................2
III. Legislative History..............................................3
 IV. Section-by-Section Analysis of the Bill, as Reported.............3
  V. Evaluation of Regulatory Impact..................................3
 VI. Congressional Budget Office Cost Estimate........................4
VII. Changes in Existing Law Made by the Bill, as Reported............5

                         I. PURPOSE AND SUMMARY

    The purpose of S. 658, the National Cybersecurity 
Preparedness Consortium Act of 2021, is to codify the Secretary 
of Homeland Security's existing authority to work with a 
consortium, primarily composed of nonprofit entities and 
academic institutions with expertise in cybersecurity, to 
address cybersecurity risks and incidents. The Secretary may 
work with such a consortium to provide assistance to the 
National Cybersecurity and Communications Integration Center 
(NCCIC) within the Department of Homeland Security (DHS) to 
provide cybersecurity-related training and expertise to state 
and local first responders and critical infrastructure owners 
and operators.\1\
---------------------------------------------------------------------------
    \1\On Mar. 12, 2019, the Committee approved S. 333, the National 
Cybersecurity Preparedness Consortium Act of 2019. That bill is 
substantially similar to S. 658. Accordingly, this committee report is 
in large part a reproduction of Chairman Johnson's committee report for 
S. 333, S. Rep. No. 116-5.
---------------------------------------------------------------------------

              II. BACKGROUND AND NEED FOR THE LEGISLATION

    The Committee recognizes the challenges DHS faces in 
fulfilling its cyber mission and implementing timely and 
effective measures to mitigate the security risks posed by 
cyber vulnerabilities. One major challenge is that, while DHS 
is responsible for coordinating the Federal Government's 
efforts to protect the nation's critical infrastructure, 85 
percent of that infrastructure is owned by private entities.\2\ 
In May 2020, the Committee held a hearing entitled, Evolving 
the U.S. Cybersecurity Strategy and Posture: Reviewing the 
Cyberspace Solarium Commission Report, to discuss how Congress 
can work to ensure that our country is better prepared to 
deter, prevent, and recover from malicious cyber-attacks, 
including through improvements to cybersecurity human resource 
challenges.\3\ The combination of the cybersecurity workforce 
shortage and the majority of our nation's critical 
infrastructure being in private hands has created a difficult 
public-private environment in which DHS must operate.\4\
---------------------------------------------------------------------------
    \2\Press Release, Department of Homeland Security, The Department's 
Five Responsibilities (Jun. 8, 2009) (https://www.dhs.gov/blog/2009/06/
08/departments-five-responsibilities); Issue Brief, U.S. Chamber of 
Commerce, Critical Infrastructure Protection, Information Sharing and 
Cyber Security (https://www.uschamber.com/issue-brief/critical-
infrastructure-protection-information-sharing-and-cyber-security) (last 
accessed May 12, 2021).
    \3\Senate Committee on Homeland Security and Governmental Affairs, 
Statement of Senator Gary C. Peters (D-MI), Ranking Member, Hearing on 
Evolving the U.S. Cybersecurity Strategy and Posture: Reviewing the 
Cyberspace Solarium Commission Report, 116th Cong. (May 13, 2020) 
(https://www.hsgac.senate.gov/imo/media/doc/Opening%20Statement-Peters-
2020-05-13.pdf).
    \4\Id.; U.S. Government Accountability Office, Cybersecurity 
Workforce: Agencies Need to Improve Baseline Assessments and Procedures 
for Coding Positions (June 2018) (GAO-18-466) (https://www.gao.gov/
assets/700/692498.pdf).
---------------------------------------------------------------------------
    As a means to address these challenges, DHS has partnered 
since 2004 with the National Cybersecurity Preparedness 
Consortium (NCPC), an organization of five university partners 
that ``provide research-based, cybersecurity-related training, 
exercises and technical assistance to local jurisdictions, 
counties, states and the private sector.''\5\ As of October 
2020, NCPC members have trained more than 107,861 participants 
on topics such as cyberterrorism, critical infrastructure 
protection, and malware prevention.\6\ By leveraging the 
expertise of a consortium, DHS can better ensure that its 
partners in the private sector and state and local governments 
are prepared to assist the Federal Government in its efforts to 
combat cyber threats. S. 658 codifies an existing DHS practice 
and helps strengthen DHS's efforts to partner with the private 
sector and academia to secure our nation's cyber 
infrastructure.
---------------------------------------------------------------------------
    \5\National Cybersecurity Preparedness Consortium, About Page 
(https://nationalcpc.org/about.html) (last accessed May 12, 2021).
    \6\Id.; Center for Infrastructure Assurance and Security (CIAS), 
DHS FEMA Training (https://cias.utsa.edu/dhs-fema-training.html); Texas 
A&M Engineering Extension Service (TEEX), DHS-FEMA-Funded (https://
teex.org/dhs-fema-funded/); Cyberterrorism Defense Initiative (CDI), 
Malware Prevention, Discovery, and Recovery (MPDR) (https://
www.cybersecuritydefenseinitiative.org/mpdr.html) (all websites last 
accessed May 12, 2021).
---------------------------------------------------------------------------

                        III. LEGISLATIVE HISTORY

    Senators John Cornyn (R-TX) and Patrick Leahy (D-VT) 
introduced S. 658 on March 10, 2021. The bill was referred to 
the Senate Committee on Homeland Security and Governmental 
Affairs.
    The Committee considered S. 658 at a business meeting on 
March 17, 2021. During the business meeting, S. 658 was ordered 
reported favorably without amendment by voice vote en bloc. The 
Senators present for the voice vote were Peters, Rosen, 
Padilla, Portman, Johnson, Lankford, Romney, Scott, and Hawley.
    The Senate passed S. 333, an identical bill to S. 658, by 
unanimous consent in the 116th Congress on November 21, 2019. 
Senator John Cornyn introduced S. 333 with Senator Ted Cruz (R-
TX) and Senator Patrick Leahy on February 5, 2019, and the 
Committee reported S. 333 favorably without amendment on March 
12, 2019.

        IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

    This section established that the bill may be cited as the 
``National Cybersecurity Preparedness Consortium Act of 2021.''

Section 2. Definitions

    This section includes definitions of the terms 
``consortium,'' ``cybersecurity risk,'' ``incident,'' 
``Department,'' and ``Secretary.''

Section 3. National Cybersecurity Preparedness Consortium

    Subsection (a) gives the Secretary the authority to work 
with a consortium on cybersecurity-related issues.
    Subsection (b) gives the Secretary guidance on the type of 
assistance that a consortium may provide to the NCCIC. Under 
this subsection, the consortium may be used to assist in the 
training of state and local first responders and private 
industry actors to address cybersecurity threats and risks. DHS 
may also work with the consortium to develop and update 
cybersecurity-related curricula and provide technical 
assistance related to cybersecurity risks and incidents. In 
addition, DHS may work with the consortium to incorporate 
cybersecurity incident prevention, risk, and response in 
existing state and local emergency plans.
    Subsection (c) requires the Secretary to consider prior 
cybersecurity training experience and geographic diversity when 
selecting consortium members.
    Subsection (d) requires the Secretary to establish metrics 
for effectiveness of consortium activities.
    Subsection (e) requires the Secretary to inform minority-
serving institutions of their ability to participate in the 
consortium and support DHS's cybersecurity efforts.

Section 4. Rule of construction

    This section prohibits the consortium from commanding any 
law enforcement agency or agents.

                   V. EVALUATION OF REGULATORY IMPACT

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform bill (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

                                     U.S. Congress,
                               Congressional Budget Office,
                                     Washington, DC, April 5, 2021.
Hon. Gary C. Peters,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 658, the National 
Cybersecurity Preparedness Consortium Act of 2021.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Aldo 
Prosperi.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.


         [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    

    S. 658 would authorize the Department of Homeland Security 
(DHS) to coordinate with a consortium of academic and nonprofit 
entities to help state and local governments prepare for and 
respond to cybersecurity risks.
    Since 2014, the department has awarded $15 million from 
existing general grant programs to members of the National 
Cybersecurity Preparedness Consortium. Members of the 
consortium deliver cybersecurity training and technical 
assistance to state and local governments. CBO expects that 
when implementing S. 658, DHS would establish a new, dedicated 
grant program to support the consortium, thereby increasing the 
Department's total grant spending. CBO estimates that DHS would 
provide $3 million in new grant funding each year--similar to 
the amount it currently allocates from other sources. Such 
spending would be subject to the availability of 
appropriations. In total, implementing S. 658 would cost $18 
million over the 2021-2026 period.
    The CBO staff contact for this estimate is Aldo Prosperi. 
The estimate was reviewed by Leo Lex, Deputy Director of Budget 
Analysis.

       VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    Because this legislation would not repeal or amend any 
provision of current law, it would not make changes in existing 
law within the meaning of clauses (a) and (b) of paragraph 12 
of rule XXVI of the Standing Rules of the Senate.