[Senate Report 117-257]
[From the U.S. Government Publishing Office]
Calendar No. 648
117th Congress } { Report
SENATE
2d Session } { 117-257
_______________________________________________________________________
CYBER RESPONSE AND RECOVERY ACT
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 1316
TO AMEND THE HOMELAND SECURITY ACT OF 2002 TO
AUTHORIZE THE SECRETARY OF HOMELAND SECURITY
TO MAKE A DECLARATION OF A SIGNIFICANT INCIDENT,
AND FOR OTHER PURPOSES
December 14, 2022.--Ordered to be printed
_________
U.S. GOVERNMENT PUBLISHING OFFICE
39-010 WASHINGTON : 2023
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware
MAGGIE HASSAN, New Hampshire
KYRSTEN SINEMA, Arizona
JACKY ROSEN, Nevada
ALEX PADILLA, California
JON OSSOFF, Georgia
ROB PORTMAN, Ohio
RON JOHNSON, Wisconsin
RAND PAUL, Kentucky
JAMES LANKFORD, Oklahoma
MITT ROMNEY, Utah
RICK SCOTT, Florida
JOSH HAWLEY, Missouri
David M. Weinberg, Staff Director
Zachary I. Schram, Chief Counsel
Christopher J. Mulkins, Director of Homeland Security
Jeffrey D. Rothblum, Senior Professional Staff Member
Pamela Thiessen, Minority Staff Director
Sam J. Mulopulos, Minority Deputy Staff Director
William H.W. McKenna, Minority Chief Counsel
Laura W. Kilbride, Chief Clerk
CYBER RESPONSE AND RECOVERY ACT
Mr. Peters, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 1316]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 1316), to amend the
Homeland Security Act of 2002 to authorize the Secretary of
Homeland Security to make a declaration of a significant
incident, and for other purposes, having considered the same,
reports favorably thereon with an amendment in the nature of a
substitute, and recommends that the bill, as amended, do pass.
CONTENTS
I. Purpose and Summary
II. Background and Need for the Legislation
III. Legislative History
IV. Section-by-Section Analysis of the Bill, as Reported
V. Evaluation of Regulatory Impact
VI. Changes in Existing Law Made by the Bill, as Reported
I. Purpose and Summary
S. 1316, the Cyber Response and Recovery Act of 2021, is
intended to permit the Secretary of Homeland Security
(Secretary) to declare a ``significant cyber incident'' in
response to a serious cyber attack on public or private
networks that risks the safety and security of Americans. This
bill provides additional authorities to the Secretary and the
Director of the Cybersecurity and Infrastructure Security
Agency (CISA) to perform asset response activities, including
providing, on a voluntary basis, advice and technical
assistance to public and private entities to respond to,
mitigate the effects of, or recover from serious cyber
attacks.\1\
---------------------------------------------------------------------------
\1\Asset response activities are activities in support of the
response to, remediation of, or recovery from, the incident, including
furnishing voluntary technical and advisory assistance to the entity,
assessing potential risks to the critical infrastructure sector or
geographic region impacted by the incident, and providing voluntary
guidance on how best to use Federal resources and capabilities in a
timely, effective manner to speed recovery from the incident.
---------------------------------------------------------------------------
S. 1316 also establishes a Cyber Response and Recovery Fund
(Fund) that the Department of Homeland Security (DHS) and CISA
can use to provide direct support to public and private
entities as they respond to and recover from significant cyber
attacks and breaches.
II. Background and Need for the Legislation
The United States faces a growing array of complex
cybersecurity threats posed by various state and nonstate
actors.\2\ Recent months have seen ransomware attacks on
critical energy infrastructure and food-processing facilities,
data breaches affecting government agencies and millions of
private citizens, and attacks on transit systems.\3\ Although
every cyber attack is different, the federal government can
lead the way on preparing for and defending against cyber
attacks by providing oversight, risk management, information
sharing, and coordination.\4\
---------------------------------------------------------------------------
\2\Congressional Research Service, Cybersecurity: A Primer
(IF10559) (Dec. 15, 2020); Congressional Research Service,
Cybersecurity: Homeland Security Issues for the 116th Congress (R45701)
(Nov. 26, 2019).
\3\Senator Gary Peters: Peters Presses Colonial Pipeline CEO on
Recent Hack That Caused Gas Shortages and Price Increases for Millions
of Americans (June 8, 2021); JBS Paid $11 Million in Ransom After
Hackers Shut Down Meat Plants, Washington Post (Jun. 9, 2021) (https://
www.washingtonpost.com/technology/2021/06/09/jbs-11-million-ransom);
Senator Gary Peters: Peters Convenes Second Hearing with Top Federal
Cybersecurity Officials to Discuss Recent Breaches and Attacks Against
U.S. Systems (May 11, 2021); Senate Permanent Subcommittee on
Investigations, How Equifax Neglected Cybersecurity and Suffered a
Devastating Data Breach (2019); The M.T.A. Is Breached by Hackers as
Cyberattacks Surge, New York Times (Jun. 3, 2021) (https://
www.nytimes.com/2021/06/02/nyregion/mta-cyber-attack.html).
\4\Congressional Research Service, Cybersecurity: A Primer
(IF10559) (Dec. 15, 2020); Congressional Research Service,
Cybersecurity: Homeland Security Issues for the 116th Congress (R45701)
(Nov. 26, 2019).
---------------------------------------------------------------------------
While DHS and CISA have previously provided advisory
support to entities affected by significant cyber attacks, the
Committee recognizes that America's national security apparatus
needs additional authorities and resources to perform these
functions and combat evolving cyber threats.\5\ S. 1316 will
accomplish this goal by providing authority to the Secretary to
declare a significant cyber incident. Such a declaration will
provide the Secretary with access to a dedicated Cyber Response
and Recovery Fund, which can be used to furnish technical and
advisory assistance, assess and mitigate potential risks to
critical infrastructure, facilitate information sharing and
operational coordination across affected private and public
entities, and speed recovery. The bill also ensures effective
communication and accountability by requiring the Secretary to
notify the National Cyber Director and appropriate
congressional committees with the details of any ongoing or
imminent significant cyber incidents. Finally, the bill
requires the Secretary to submit, within 180 days after an
incident, reports describing the reason for the declaration,
any actions taken, any funds used, and the effects of those
actions.
---------------------------------------------------------------------------
\5\Senator Gary Peters: Peters & Portman Introduce Legislation to
Create Significant Cyber Incident Declaration for Major Cyber-Attacks
(Apr. 23, 2021).
---------------------------------------------------------------------------
III. Legislative History
Senators Peters (D-MI) and Portman (R-OH) introduced S.
1316 on April 22, 2021. The bill was referred to the Senate
Committee on Homeland Security and Governmental Affairs.
The Committee considered S. 1316 at a business meeting on
May 12, 2021. During the business meeting, Senators Peters and
Portman offered a substitute amendment that added a Sense of
Congress regarding the purpose of the Cyber Response and
Recovery Fund and made several technical changes to clarify
that only previously appropriated funds may be used by the
Secretary when exercising the authorities granted in the bill.
The Peters-Portman Substitute
Amendment was adopted by unanimous consent with Senators
Peters, Carper, Hassan, Sinema, Rosen, Padilla, Ossoff,
Portman, Johnson, Paul, Lankford, Romney, Scott, and Hawley
present.
The Committee ordered the bill, as amended, reported
favorably by voice vote. The Senators present for the vote
were: Peters, Carper, Hassan, Sinema, Rosen, Padilla, Ossoff,
Portman, Johnson, Paul, Lankford, Romney, Scott, and Hawley.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1. Short title
This section establishes that the bill may be cited as the
``Cyber Response and Recovery Act of 2021.''
Section 2. Declaration of a Significant Incident
This section establishes a new heading in the Homeland
Security Act of 2002, which reads, ``Subtitle C--Declaration of
a Significant Incident.''
Section 2231. Sense of Congress
This section describes the purpose of the bill and notes
that it is intended to enable the Secretary to provide
voluntary assistance to non-Federal entities affected by
significant incidents.
Section 2232. Definitions
This section includes definitions of the terms ``asset
response activity,'' ``declaration,'' ``director,'' ``federal
agency,'' ``fund,'' ``incident,'' ``renewal,'' and
``significant incident.''
Section 2233. Declaration
Subsection (a) determines the circumstances under which the
Secretary may make a declaration of a significant incident. It
also prohibits the Secretary from delegating the authority to
declare a significant incident.
Subsection (b) lays out the activities that the Director of
CISA will coordinate after a declaration, including the
responses of Federal agencies, state and local governments and
law enforcement agencies, and private entities.
Subsection (c) provides that a declaration terminates when the
Secretary determines it is no longer necessary or, at the
latest, 120 days after it is made, subject to renewal under
subsection (d).
Subsection (d) allows the Secretary to renew a declaration,
as necessary.
Subsection (e) requires the Secretary to publish a
declaration or renewal in the Federal Register within 72 hours
and prohibits such a publication from including the name of any
affected individual or private company.
Subsection (f) allows the Secretary to take certain advance
actions before and during a declaration to arrange or procure
additional resources, including entering standby contracts with
private entities for cybersecurity or incident response
services. It also limits expenditures for those actions to
money available in the Cyber Response and Recovery Fund or
money otherwise appropriated to the Department.
Section 2234. Cyber response and recovery fund
Subsection (a) establishes the Fund and authorizes its use
to assist various public and private entities with response and
recovery from significant incidents. Subsection (a) establishes
that the Fund can be used on a reimbursable or nonreimbursable
basis for a variety of asset response and technical assistance
activities, including advance actions taken by the Secretary.
The Director may also distribute amounts to various public and
private entities from the Fund as grants or cooperative
agreements to replace, improve, or enhance hardware or software
systems, or to hire technical contract personnel support.
Subsection (b) establishes that money will be deposited
into the Fund only by appropriations, reimbursements for the
activities described in subsection (a), or any other income
incident to the activities of the Fund. Subsection (b) also
establishes that expenditures will be made from available money
in the Fund.
Subsection (c) specifically notes that the Fund is intended
to supplement, not supplant, other federal and nonfederal
governmental funding for activities in response to a
declaration.
Section 2235. Notification and reporting
Subsection (a) requires the Secretary to notify the
National Cyber Director and appropriate congressional
committees immediately upon a declaration or renewal. The
notification must include the estimated duration, reason for
the declaration, estimated impact and scope of the incident,
known perpetrators, a justification for why the fund will be
needed to address the incident, and a description of
coordination activities that the Secretary expects the Director
of CISA to perform.
Subsection (b) requires the Secretary to submit a report
within 180 days after any declaration or renewal to the
appropriate congressional committees. The report must include:
(1) the reason for the declaration or renewal; (2) the use of
any funds from the Fund for activities in response to an
incident (and any specific obligations and outlays of the
Fund); (3) a description of what actions were taken by various
entities including DHS in response to the significant incident;
and (4) an analysis of the impact of the significant incident,
the impact of the declaration or renewal, and the impact of the
funds made available from the Fund.
Subsection (c) requires the notifications and reports under
subsections (a) and (b) to be in unclassified form, with
appropriate markings for information that is exempt from
disclosure under the Freedom of Information Act, and permits
them to include a classified annex.
Subsection (d) allows the Secretary to submit a single
report under subsection (b) for multiple declarations or
renewals if those declarations and renewals relate to the same
significant incident.
Subsection (e) exempts from the provisions of the Paperwork
Reduction Act any voluntary collection of information by DHS
during an investigation, response, or post-response review of a
significant incident.
Section 2236. Rule of construction
Notes that nothing in this bill will be construed to impair
or limit the Director from carrying out the authorized
activities of CISA.
Section 2237. Authorization of appropriations
Authorizes $20,000,000 to the Fund for fiscal year 2022,
which will be available until September 30, 2028.
Section 2238. Sunset
Notes that the authorities granted by the bill will sunset
seven years after enactment. This section also contains an
addition to the table of contents for the Homeland Security Act
to reflect the provisions of the bill.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
the bill, as reported, are shown as follows: (existing law
proposed to be omitted is enclosed in brackets, new matter is
printed in italic, and existing law in which no change is
proposed is shown in roman):
HOMELAND SECURITY ACT OF 2002
* * * * * * *
SEC. 1. SHORT TITLE; TABLE OF CONTENTS.
(a) * * *
(b) Table of Contents.--The table of contents for this Act
is as follows:
Sec. 1. * * *
* * * * * * *
TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
* * * * * * *
Subtitle C--Declaration of a Significant Incident
Sec. 2231. Sense of Congress.
Sec. 2232. Definitions.
Sec. 2233. Declaration.
Sec. 2234. Cyber response and recovery fund.
Sec. 2235. Notification and reporting.
Sec. 2236. Rule of construction.
Sec. 2237. Authorization of appropriations.
Sec. 2238. Sunset.
* * * * * * *
TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
* * * * * * *
Subtitle C--Declaration of a Significant Incident
SEC. 2231. SENSE OF CONGRESS.
It is the sense of Congress that--
(1) the purpose of this subtitle is to authorize the
Secretary to declare that a significant incident has
occurred and to establish the authorities that are
provided under the declaration to respond to and
recover from the significant incident; and
(2) the authorities established under this subtitle
are intended to enable the Secretary to provide
voluntary assistance to non-Federal entities impacted
by a significant incident.
SEC. 2232. DEFINITIONS.
For the purposes of this subtitle:
(1) Asset response activity.--The term `asset
response activity' means an activity to support an
entity impacted by an incident with the response to,
remediation of, or recovery from, the incident,
including--
(A) furnishing technical and advisory
assistance to the entity to protect the assets
of the entity, mitigate vulnerabilities, and
reduce the related impacts;
(B) assessing potential risks to the critical
infrastructure sector or geographic region
impacted by the incident, including potential
cascading effects of the incident on other
critical infrastructure sectors or geographic
regions;
(C) developing courses of action to mitigate
the risks assessed under subparagraph (B);
(D) facilitating information sharing and
operational coordination with entities
performing threat response activities; and
(E) providing guidance on how best to use
Federal resources and capabilities in a timely,
effective manner to speed recovery from the
incident.
(2) Declaration.--The term `declaration' means a
declaration of the Secretary under section 2233(a)(1).
(3) Director.--The term `Director' means the Director
of the Cybersecurity and Infrastructure Security
Agency.
(4) Federal agency.--The term `Federal agency' has
the meaning given the term `agency' in section 3502 of
title 44, United States Code.
(5) Fund.--The term `Fund' means the Cyber Response
and Recovery Fund established under section 2234(a).
(6) Incident.--The term `incident' has the meaning
given the term in section 3552 of title 44, United
States Code.
(7) Renewal.--The term `renewal' means a renewal of a
declaration under section 2233(d).
(8) Significant incident.--The term `significant
incident'--
(A) means an incident or a group of related
incidents that results, or is likely to result,
in demonstrable harm to--
(i) the national security interests,
foreign relations, or economy of the
United States; or
(ii) the public confidence, civil
liberties, or public health and safety
of the people of the United States; and
(B) does not include an incident or a portion
of a group of related incidents that occurs
on--
(i) a national security system (as
defined in section 3552 of title 44,
United States Code); or
(ii) an information system described
in paragraph (2) or (3) of section
3553(e) of title 44, United States
Code.
SEC. 2233. DECLARATION.
(a) In General.--
(1) Declaration.--The Secretary, in consultation with
the National Cyber Director, may make a declaration of
a significant incident in accordance with this section
for the purpose of enabling the activities described in
this subtitle if the Secretary determines that--
(A) a specific significant incident--
(i) has occurred; or
(ii) is likely to occur imminently;
and
(B) otherwise available resources, other than
the Fund, are likely insufficient to respond
effectively to, or to mitigate effectively, the
specific significant incident described in
subparagraph (A).
(2) Prohibition on delegation.--The Secretary may not
delegate the authority provided to the Secretary under
paragraph (1).
(b) Asset Response Activities.--Upon a declaration, the
Director shall coordinate--
(1) the asset response activities of each Federal
agency in response to the specific significant incident
associated with the declaration; and
(2) with appropriate entities, which may include--
(A) public and private entities and State and
local governments with respect to the asset
response activities of those entities and
governments; and
(B) Federal, State, local, and Tribal law
enforcement agencies with respect to
investigations and threat response activities
of those law enforcement agencies.
(c) Duration.--Subject to subsection (d), a declaration
shall terminate upon the earlier of--
(1) a determination by the Secretary that the
declaration is no longer necessary; or
(2) the expiration of the 120-day period beginning on
the date on which the Secretary makes the declaration.
(d) Renewal.--The Secretary, without delegation, may renew
a declaration as necessary.
(e) Publication.--
(1) In general.--Not later than 72 hours after a
declaration or a renewal, the Secretary shall publish
the declaration or renewal in the Federal Register.
(2) Prohibition.--A declaration or renewal published
under paragraph (1) may not include the name of any
affected individual or private company.
(f) Advance Actions.--
(1) In general.--The Secretary--
(A) shall assess the resources available to
respond to a potential declaration; and
(B) may take actions before and while a
declaration is in effect to arrange or procure
additional resources for asset response
activities or technical assistance the
Secretary determines necessary, which may
include entering into standby contracts with
private entities for cybersecurity services or
incident responders in the event of a
declaration.
(2) Expenditure of funds.--Any expenditure made for
the purpose of paragraph (1)(B) shall be made from
amounts--
(A) available in the Fund; or
(B) otherwise appropriated to the Department.
SEC. 2234. CYBER RESPONSE AND RECOVERY FUND.
(a) In General.--There is established a Cyber Response and
Recovery Fund, which shall be available for--
(1) the coordination of activities described in
section 2233(b);
(2) response and recovery support for the specific
significant incident associated with a declaration to
Federal, State, local, and Tribal, entities and public
and private entities on a reimbursable or non-
reimbursable basis, including through asset response
activities and technical assistance, such as--
(A) vulnerability assessments and mitigation;
(B) technical incident mitigation;
(C) malware analysis;
(D) analytic support;
(E) threat detection and hunting; and
(F) network protections;
(3) as the Director determines appropriate, grants
for, or cooperative agreements with, Federal, State,
local, and Tribal public and private entities to
respond to, and recover from, the specific significant
incident associated with a declaration, such as--
(A) hardware or software to replace, update,
improve, harden, or enhance the functionality
of existing hardware, software, or systems; and
(B) technical contract personnel support; and
(4) advance actions taken by the Secretary under
section 2233(f)(1)(B).
(b) Deposits and Expenditures.--
(1) In general.--Amounts shall be deposited into the
Fund from--
(A) appropriations to the Fund for activities
of the Fund;
(B) reimbursement from Federal agencies for
the activities described in paragraphs (1),
(2), and (4) of subsection (a); and
(C) any other income incident to activities
of the Fund.
(2) Expenditures.--Any expenditure from the Fund
shall be made from amounts that are available in the
Fund from a deposit described in paragraph (1).
(c) Supplement Not Supplant.--Amounts in the Fund shall be
used to supplement, not supplant, other Federal, State, local,
or Tribal funding for activities in response to a declaration.
SEC. 2235. NOTIFICATION AND REPORTING.
(a) Notification.--Upon a declaration or renewal, the
Secretary shall immediately notify the National Cyber Director
and appropriate congressional committees and include in the
notification--
(1) an estimation of the planned duration of the
declaration;
(2) with respect to a notification of a declaration,
the reason for the declaration, including information
relating to the specific significant incident or
imminent specific significant incident, including--
(A) the operational or mission impact or
anticipated impact of the specific significant
incident on Federal and non-Federal entities;
(B) if known, the perpetrator of the specific
significant incident; and
(C) the scope of the Federal and non-Federal
entities impacted or anticipated to be impacted
by the specific significant incident;
(3) with respect to a notification of a renewal, the
reason for the renewal;
(4) justification as to why available resources,
other than the Fund, are insufficient to respond to or
mitigate the specific significant incident; and
(5) a description of the coordination activities
described in section 2233(b) that the Secretary
anticipates the Director to perform.
(b) Report to Congress.--Not later than 180 days after the
date of a declaration or renewal, the Secretary shall submit to
the appropriate congressional committees a report that
includes--
(1) the reason for the declaration or renewal,
including information and intelligence relating to the
specific significant incident that led to the
declaration or renewal;
(2) the use of any funds from the Fund for the
purpose of responding to the incident or threat
described in paragraph (1);
(3) a description of the actions, initiatives, and
projects undertaken by the Department and State and
local governments and public and private entities in
responding to and recovering from the specific
significant incident described in paragraph (1);
(4) an accounting of the specific obligations and
outlays of the Fund; and
(5) an analysis of--
(A) the impact of the specific significant
incident described in paragraph (1) on Federal
and non-Federal entities;
(B) the impact of the declaration or renewal
on the response to, and recovery from, the
specific significant incident described in
paragraph (1); and
(C) the impact of the funds made available
from the Fund as a result of the declaration or
renewal on the recovery from, and response to,
the specific significant incident described in
paragraph (1).
(c) Classification.--Each notification made under
subsection (a) and each report submitted under subsection (b)--
(1) shall be in an unclassified form with appropriate
markings to indicate information that is exempt from
disclosure under section 552 of title 5, United States
Code (commonly known as the `Freedom of Information
Act'); and
(2) may include a classified annex.
(d) Consolidated Report.--The Secretary shall not be
required to submit multiple reports under subsection (b) for
multiple declarations or renewals if the Secretary determines
that the declarations or renewals substantively relate to the
same specific significant incident.
(e) Exemption.--The requirements of subchapter I of chapter
35 of title 44 (commonly known as the `Paperwork Reduction
Act') shall not apply to the voluntary collection of
information by the Department during an investigation of, a
response to, or an immediate post-response review of, the
specific significant incident leading to a declaration or
renewal.
SEC. 2236. RULE OF CONSTRUCTION.
Nothing in this subtitle shall be construed to impair or
limit the ability of the Director to carry out the authorized
activities of the Cybersecurity and Infrastructure Security
Agency.
SEC. 2237. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated to the Fund
$20,000,000 for fiscal year 2022, which shall remain available
to be expended until September 30, 2028.
SEC. 2238. SUNSET.
The authorities granted to the Secretary or the Director
under this subtitle shall expire on the date that is 7 years
after the date of enactment of the Cyber Response and Recovery
Act of 2021.
* * * * * * *