[Senate Report 117-275]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 674
117th Congress     }                                    {       Report
                                 SENATE
 2d Session        }                                    {      117-275
_______________________________________________________________________

                                     



                        CISA CYBER EXERCISE ACT

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 2993

             TO AMEND THE HOMELAND SECURITY ACT OF 2002 TO
           ESTABLISH IN THE CYBERSECURITY AND INFRASTRUCTURE
          SECURITY AGENCY THE NATIONAL CYBER EXERCISE PROGRAM,
                         AND FOR OTHER PURPOSES

               December 19, 2022.--Ordered to be printed  
                             _________
                              
                 U.S. GOVERNMENT PUBLISHING OFFICE
                 
                      WASHINGTON : 2023
               
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
         Christopher J. Mulkins, Director of Homeland Security
         Jeffrey D. Rothblum, Senior Professional Staff Member
                Pamela Thiessen, Minority Staff Director
            Sam J. Mulopulos, Minority Deputy Staff Director
              William H.W. McKenna, Minority Chief Counsel
                     Laura W. Kilbride, Chief Clerk 


 Mr. Peters, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 2993]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 2993) to amend the 
Homeland Security Act of 2002 to establish in the Cybersecurity 
and Infrastructure Security Agency the National Cyber Exercise 
Program, and for other purposes, having considered the same, 
reports favorably thereon with an amendment, in the nature of a 
substitute, and recommends that the bill, as amended, do pass.

                                CONTENTS

  I. Purpose and Summary
 II. Background and Need for the Legislation
III. Legislative History
 IV. Section-by-Section Analysis of the Bill, as Reported
  V. Evaluation of Regulatory Impact
 VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported

                         I. Purpose and Summary

    The Cybersecurity and Infrastructure Security Agency (CISA) 
currently conducts cyber resiliency exercises to ``provide 
stakeholders with effective and practical mechanisms to identify 
best practices, lessons learned, and areas for improvement in 
plans and procedures.''\1\ CISA also developed and maintains the 
National Cyber Incident Response Plan (NCIRP), which defines the 
roles and responsibilities of Federal agencies when responding 
to cyber incidents. S. 2993, the CISA Cyber Exercise Act, would 
codify CISA's existing exercise work by requiring the 
establishment of a National Cyber Exercise Program, which would 
also be required to evaluate the NCIRP. The program would 
additionally develop model exercises that public and private 
sector stakeholders can use to evaluate their cyber readiness.

---------------------------------------------------------------------------
    \1\Cybersecurity and Infrastructure Security Agency, Critical 
Infrastructure Exercises, (accessed Dec. 7, 2022) (https://
www.cisa.gov/critical-infrastructure-exercises).
---------------------------------------------------------------------------

              II. Background and Need for the Legislation

    Cyber attacks continue to increase in both frequency and 
consequence. Recent unprecedented cyber attacks targeting 
critical infrastructure have exposed significant 
vulnerabilities in the United States' networks, such as the 
Colonial Pipeline Company attack in May 2021, which caused a 
multi-day outage of the largest pipeline system for refined oil 
products in the U.S.\2\ In the first half of 2021, there was a 
125% increase in cyber attacks worldwide, with the United 
States accounting for 36% of those attacks.\3\
---------------------------------------------------------------------------
    \2\Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity, 
New York Times (May 14, 2021, updated Jun. 8, 2021) (https://
www.nytimes.com/2021/05/14/us/politics/pipeline-hack.html).
    \3\Accenture, Triple digit increase in cyberattacks: What next?, 
Accenture Cybersecurity Blog (Blog) (August 4, 2021) (https://
www.accenture.com/us-en/blogs/security/triple-digit-increase-
cyberattacks).
---------------------------------------------------------------------------
    One of the most effective ways to enhance the security and 
resilience of critical infrastructure, and to ensure system 
defenders are able to effectively mitigate and respond to cyber 
attacks, is to conduct regular cyber exercises that test and 
evaluate critical infrastructure readiness.\4\ CISA regularly 
conducts cybersecurity exercises with both government and 
private sector organizations to ``enhance security and 
resilience of critical infrastructure.''\5\ These exercises are 
designed to ``identify best practices, lessons learned, and 
areas for improvement in [cyber response] plans and 
procedures.''\6\ For example, CISA's Cyber Storm biennial 
exercises bring together the public and private sectors to 
``simulate discovery of and response to a significant cyber 
incident impacting the Nation's critical infrastructure.''\7\ 
These exercises help to assess and strengthen the nation's 
cyber preparedness and improve cyber incident response.\8\
---------------------------------------------------------------------------
    \4\Cybersecurity and Infrastructure Security Agency, Critical 
Infrastructure Exercises (https://www.cisa.gov/critical-infrastructure-
exercises) (accessed Dec. 8, 2022).
    \5\Cybersecurity and Infrastructure Security Agency, Cybersecurity 
Training and Exercises (https://www.cisa.gov/cybersecurity-training-
exercises) (accessed Dec. 8, 2022).
    \6\Id.
    \7\Cybersecurity and Infrastructure Security Agency, Cyber Storm: 
Securing Cyber Space (https://www.cisa.gov/cyber-storm-securing-cyber-
space) (accessed Dec. 8, 2022).
    \8\Id.
---------------------------------------------------------------------------
    In addition to its cyber exercise program, CISA, at the 
direction of Presidential Policy Directive-41, developed the 
NCIRP.\9\ This plan ``articulate[s] the roles and 
responsibilities, capabilities, and coordinating structures 
that support how the Nation responds to and recovers from 
significant cyber incidents posing risks to critical 
infrastructure.''\10\ The NCIRP is not a tactical plan for 
cyber incident response; rather, it is a framework for 
understanding how the government will provide resources to 
support operations. The NCIRP addresses the important roles that 
the private sector, state and local governments, and multiple 
federal agencies play in responding to incidents, and how the 
actions of all fit together to create an integrated 
response.\11\
---------------------------------------------------------------------------
    \9\White House, United States Cyber Incident Coordination (PPD-41) 
(Jul. 26, 2016).
    \10\National Cyber Incident Response Plan, Department of Homeland 
Security, (December 2016).
    \11\Id.
---------------------------------------------------------------------------
    To strengthen CISA's ability to evaluate the national cyber 
incident response system, the CISA Cyber Exercise Act would 
codify CISA's existing exercise work (including Cyber Storm) by 
creating the National Cyber Exercise Program. This new program 
would continue performing CISA's existing exercise work, while 
also being required to regularly exercise and evaluate the 
NCIRP. The bill also directs CISA to develop model exercises, 
which could be readily used by Federal, State, local, Tribal, 
and territorial government organizations, and private sector 
entities to test their own cybersecurity posture. S. 2993 would 
also require CISA to assist those government and private 
entities with the design, implementation, and evaluation of 
cyber exercises.

                        III. Legislative History

    Senator Rosen (D-NV) introduced S. 2993, the CISA Cyber 
Exercise Act, on October 19, 2021, with Senators Sasse (R-NE) 
and King (I-ME). The bill was referred to the Senate Committee 
on Homeland Security and Governmental Affairs.
    The Committee considered S. 2993 at a business meeting on 
November 3, 2021. During the meeting, a substitute amendment, 
as modified, was offered by Senator Rosen, which made technical 
edits to the legislation and clarified that the bill would not 
affect the authorities of the Administrator of the Federal 
Emergency Management Agency. The Committee adopted the Rosen 
substitute amendment, as modified, by voice vote en bloc. 
Senators present for the vote were: Peters, Hassan, Sinema, 
Rosen, Padilla, Ossoff, Portman, Johnson, Lankford, Romney, 
Scott, and Hawley. The Committee then reported the bill 
favorably by voice vote en bloc, as amended. Senators present 
for the vote were: Peters, Hassan, Sinema, Rosen, Padilla, 
Ossoff, Portman, Johnson, Lankford, Romney, Scott, and Hawley.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1. Short title

    This section designates the short title of the bill as the 
``CISA Cyber Exercise Act.''

Section 2. National Cyber Exercise Program

    Subsection (a) amends the Homeland Security Act of 2002 to 
create a new section, 2220A, which would establish the National 
Cyber Exercise Program.
    Sec. 2220A, subsection (a) requires the program to evaluate 
the National Cyber Incident Response Plan, and other related 
plans and strategies. As part of the National Cyber Exercise 
Program, CISA shall include a set of model exercises, which 
could be readily adapted by governments and private entities to 
test the safety and security of their own critical 
infrastructure. In carrying out the National Cyber Exercise 
Program, the Director of CISA may consult with appropriate 
representatives from Sector Risk Management Agencies, the 
Office of the National Cyber Director, cybersecurity research 
stakeholders, and Sector Coordinating Councils.
    Sec. 2220A, subsection (b) defines the terms ``State'' and 
``private entity.''
    Sec. 2220A, subsection (c) provides a rule of construction 
to clarify that the bill does not affect the Federal Emergency 
Management Agency's existing authority or responsibilities to 
conduct cyber exercises.
    Subsection (b) is a clerical amendment updating the table 
of contents of the Homeland Security Act of 2002 with the new 
section, 2220A.

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. Congressional Budget Office Cost Estimate

                                     U.S. Congress,
                               Congressional Budget Office,
                                 Washington, DC, November 23, 2021.
Hon. Gary C. Peters,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 2993, the CISA Cyber 
Exercise Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Aldo 
Prosperi.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.


    S. 2993 would establish a cybersecurity exercise program to 
evaluate strategies and plans for responding to cyber 
incidents. The Cybersecurity and Infrastructure Security Agency 
currently operates the Cyber Exercise Program, which meets the 
requirements of the bill. Because S. 2993 would codify the 
agency's current practices, implementing the bill would not 
affect the federal budget.
    On May 27, 2021, CBO transmitted a cost estimate for H.R. 
3223, the CISA Cyber Exercise Act, as ordered reported by the 
House Committee on Oversight and Reform on May 18, 2021. The 
two bills are similar, and CBO's estimates of their costs are 
the same.
    The CBO staff contact for this estimate is Aldo Prosperi. 
The estimate was reviewed by Leo Lex, Deputy Director of Budget 
Analysis.

       VII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
the bill, as reported, are shown as follows: (existing law 
proposed to be omitted is enclosed in brackets, new matter is 
printed in italic, and existing law in which no change is 
proposed is shown in roman):

HOMELAND SECURITY ACT OF 2002

           *       *       *       *       *       *       *


SEC. 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) * * *
    (b) Table of Contents.--The table of contents for this Act 
is as follows:
Sec. 1. * * *
     * * * * * * *

      TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

     * * * * * * *
Sec. 2220A. National cyber exercise program.
     * * * * * * *

TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

           *       *       *       *       *       *       *


             Subtitle A--Cybersecurity and Infrastructure Security

           *       *       *       *       *       *       *


SEC. 2220A. NATIONAL CYBER EXERCISE PROGRAM.

    (a) Establishment of Program.--
          (1) In general.--There is established in the Agency 
        the National Cyber Exercise Program (referred to in 
        this section as the `Exercise Program') to evaluate the 
        National Cyber Incident Response Plan, and other 
        related plans and strategies.
          (2) Requirements.--
                  (A) In general.--The Exercise Program shall 
                be--
                          (i) based on current risk 
                        assessments, including credible 
                        threats, vulnerabilities, and 
                        consequences;
                          (ii) designed, to the extent 
                        practicable, to simulate the partial or 
                        complete incapacitation of a government 
                        or critical infrastructure network 
                        resulting from a cyber incident;
                          (iii) designed to provide for the 
                        systematic evaluation of cyber 
                        readiness and enhance operational 
                        understanding of the cyber incident 
                        response system and relevant 
                        information sharing agreements; and
                          (iv) designed to promptly develop 
                        after-action reports and plans that can 
                        quickly incorporate lessons learned 
                        into future operations.
                  (B) Model exercise selection.--The Exercise 
                Program shall--
                          (i) include a selection of model 
                        exercises that government and private 
                        entities can readily adapt for use; and
                          (ii) aid such governments and private 
                        entities with the design, 
                        implementation, and evaluation of 
                        exercises that--
                                  (I) conform to the 
                                requirements described in 
                                subparagraph (A);
                                  (II) are consistent with any 
                                applicable national, State, 
                                local, or Tribal strategy or 
                                plan; and
                                  (III) provide for systematic 
                                evaluation of readiness.
          (3) Consultation.--In carrying out the Exercise 
        Program, the Director may consult with appropriate 
        representatives from Sector Risk Management Agencies, 
        the Office of the National Cyber Director, 
        cybersecurity research stakeholders, and Sector 
        Coordinating Councils.
    (b) Definitions.--In this section:
          (1) State.--The term `State' means any State of the 
        United States, the District of Columbia, the 
        Commonwealth of Puerto Rico, the Northern Mariana 
        Islands, the United States Virgin Islands, Guam, 
        American Samoa, and any other territory or possession 
        of the United States.
          (2) Private entity.--The term `private entity' has 
        the meaning given such term in section 102 of the 
        Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 
        1501).

           *       *       *       *       *       *       *
