[Senate Report 117-97]
[From the U.S. Government Publishing Office]
Calendar No. 348
117th Congress } { Report
SENATE
2d Session } { 117-97
_______________________________________________________________________
Calendar No. 348
CIVILIAN CYBERSECURITY RESERVE ACT
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 1324
TO ESTABLISH A CIVILIAN CYBER SECURITY RESERVE AS A
PILOT PROJECT TO ADDRESS THE CYBER SECURITY NEEDS OF
THE UNITED STATES WITH RESPECT TO NATIONAL SECURITY, AND FOR OTHER
PURPOSES
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
April 27, 2022.--Ordered to be printed
_________
U.S. GOVERNMENT PUBLISHING OFFICE
29-010 WASHINGTON : 2022
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona RAND PAUL, Kentucky
JACKY ROSEN, Nevada JAMES LANKFORD, Oklahoma
ALEX PADILLA, California MITT ROMNEY, Utah
JON OSSOFF, Georgia RICK SCOTT, Florida
JOSH HAWLEY, Missouri
David M. Weinberg, Staff Director
Zachary I. Schram, Chief Counsel
Devin Parsons, Professional Staff Member
Pamela Thiessen, Minority Staff Director
Sam J. Mulopulos, Minority Deputy Staff Director
Cara G. Mumford, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk
Calendar No. 348
117th Congress } { Report
SENATE
2d Session } { 117-97
======================================================================
CIVILIAN CYBERSECURITY RESERVE ACT
_______
April 27, 2022.--Ordered to be printed
_______
Mr. Peters, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 1324]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 1324) to establish
a Civilian Cyber Security Reserve as a pilot project to address
the cyber security needs of the United States with respect to
national security, and for other purposes, having considered
the same, reports favorably thereon with an amendment (in the
nature of a substitute) and recommends that the bill, as
amended, do pass.
CONTENTS
Page
I. Purpose and Summary.............................................. 1
II. Background and Need for the Legislation.......................... 1
III. Legislative History.............................................. 3
IV. Section-by-Section Analysis of Bill, as Reported................. 3
V. Evaluation of Regulatory Impact.................................. 5
VI. Congressional Budget Office Cost Estimate........................ 6
VII. Changes in Existing Law Made by the Bill, as Reported............ 8
I. PURPOSE AND SUMMARY
S. 1324, the Civilian Cybersecurity Reserve Act,
establishes a Civilian Cybersecurity Reserve as a four-year
pilot project to provide the Cybersecurity and Infrastructure
Security Agency (CISA) with qualified civilian personnel to
respond to significant cyber incidents.
II. BACKGROUND AND NEED FOR THE LEGISLATION
Federal agencies are experiencing a significant shortage of
cybersecurity talent. According to CyberSeek, a project
supported by the National Initiative for Cybersecurity
Education at the National Institute of Standards and Technology
within the Department of Commerce, the supply of cybersecurity
workers in the public sector relative to demand is ``very
low.''\1\
---------------------------------------------------------------------------
\1\Cyberseek, Interactive Map (www.cyberseek.org/heatmap.html)
(accessed Aug. 26, 2021).
---------------------------------------------------------------------------
The consistent shortage of cybersecurity personnel
represents a high risk to national security. Federal cyber
workforce management challenges have been on the High-Risk List
of the Government Accountability Office (GAO) since 2003.\2\ In
that report, GAO stated:
---------------------------------------------------------------------------
\2\Government Accountability Office, High-Risk Series: Protecting
Information Systems Supporting the Federal Government and the Nation's
Critical Infrastructures (GAO-03-121) (Jan. 2003) (www.gao.gov/assets/
gao-03-121.pdf).
Agencies must have the technical expertise they need
to select, implement, and maintain controls that
protect their information systems. Similarly, the
Federal government must maximize the value of its
technical staff by sharing expertise and information.
The availability of adequate technical and audit
expertise is a continuing concern to agencies.\3\
---------------------------------------------------------------------------
\3\Id.
In a March 2021 High-Risk Series report, GAO stated,
``federal agencies continue to face challenges in addressing
needs related to their cyber workforce'' and that the Office of
Management and Budget and the Department of Homeland Security
(DHS) need to take dedicated action to address the
cybersecurity workforce shortage.\4\
---------------------------------------------------------------------------
\4\Government Accountability Office, High-Risk Series: Federal
Government Needs to Urgently Pursue Critical Actions to Address Major
Cybersecurity Challenges (GAO-21-288) (Mar. 2021) (www.gao.gov/assets/
gao-21-288.pdf).
---------------------------------------------------------------------------
The problem of cybersecurity workforce shortages has taken
on new urgency as the United States faces escalating threats
from hostile cyber actors. On May 12, 2021, multiple high-
profile cybersecurity incidents, including SolarWinds,
Microsoft Exchange, and Colonial Pipeline, prompted President
Biden to issue an Executive Order aimed at improving the
nation's cybersecurity preparedness systems.\5\ The Senate
Committee on Homeland Security and Governmental Affairs held
multiple hearings in the wake of these cybersecurity attacks to
address the Government's preparedness, response, and recovery
efforts.\6\ These cyber-attacks further underscored the urgent
need to advance skills of the nation's cybersecurity workforce.
---------------------------------------------------------------------------
\5\Executive Order No. 14,028, 86 Fed. Reg. 26,633 (May 12, 2021).
\6\See Prevention, Response and Recovery: Improving Federal
Cybersecurity Post-SolarWinds before the Senate Committee on Homeland
Security and Governmental Affairs, 117th Cong. (2021); Threats to
Critical Infrastructure: Examining the Colonial Pipeline Cyber Attack
before the Senate Committee on Homeland Security and Governmental
Affairs, 117th Cong. (2021).
---------------------------------------------------------------------------
As part of the Biden Administration's cyber preparedness
efforts, DHS Secretary Mayorkas launched a 60-Day Cybersecurity
Workforce Sprint in early May 2021.\7\ On July 1, 2021, the
Secretary announced that 12 percent of over 2,000 vacancies had
been filled as a result of the hiring sprint, noting that
although progress has been made, ``we still have more work to
do.''\8\
---------------------------------------------------------------------------
\7\Department of Homeland Security, Secretary Mayorkas Urges Small
Businesses to Protect Themselves Against Ransomware (May 5, 2021)
(www.dhs.gov/news/2021/05/05/secretary-mayorkas-urges-small-businesses-
protect-themselves-against-ransomware).
\8\Department of Homeland Security, Secretary Mayorkas Announces
Most Successful Cybersecurity Hiring Initiative in DHS History (July 1,
2021) (www.dhs.gov/news/2021/07/01/secretary-mayorkas-announces-most-
successful-cybersecurity-hiring-initiative-dhs).
---------------------------------------------------------------------------
The Civilian Cybersecurity Reserve Act will help address
the continued federal cyber personnel shortages by establishing
a surge capacity to better ensure that the U.S. cyber workforce
is well-positioned to respond to significant cyberattacks. This
bill authorizes civilian cybersecurity personnel to serve in
temporary positions, for up to six months, as federal civil
service employees to supplement CISA's cybersecurity personnel.
Participation in the Civilian Cybersecurity Reserve would be
voluntary and by invitation. CISA is authorized to activate up
to 30 reserve personnel at a time.
The Civilian Cybersecurity Reserve Act is modeled after
recommendations from the National Commission on Military,
National, and Public Service as well as the Cyberspace Solarium
Commission. In March 2020, the National Commission on Military,
National, and Public Service released a Final Report
recommending that Congress authorize a pilot program to create
a ``Federal Civilian Cybersecurity Reserve.''\9\ The report
states:
---------------------------------------------------------------------------
\9\National Commission on Military, National, and Public Service,
Inspired to Serve: The Final Report of the National Commission on
Military, National, and Public Service (Mar. 2020).
A reserve program that permits agencies to call up
cybersecurity experts could ensure additional cyber
capacity at times of greatest need. By building the
reserve program around cybersecurity experts who have
left Government service for other opportunities, the
program would also help the Government to maximize the
value of taxpayer investment in developing their
expertise.\10\
---------------------------------------------------------------------------
\10\Id.
A report by the Cyberspace Solarium Commission, also
released in March 2020, similarly recommends that Congress
assess the need for a military cyber reserve to ``play a
central role in mobilizing a surge capacity'' while utilizing
preexisting links with the private sector.\11\ The Civilian
Cybersecurity Reserve Act would help bring these expert
recommendations to fruition and improve our national security
by bolstering the federal cybersecurity workforce.
---------------------------------------------------------------------------
\11\Cyberspace Solarium Commission (Mar. 2020) (drive.google.com/
file/d/1ryMCIL_dZ30QyjFqFkkf10MxIXJGT4yv/view).
---------------------------------------------------------------------------
III. LEGISLATIVE HISTORY
Senator Jacky Rosen (D-NV) introduced S. 1324, the Civilian
Cybersecurity Reserve Act on April 22, 2021, with Senator
Marsha Blackburn (R-TN). The bill was referred to the Committee
on Homeland Security and Governmental Affairs on April 22,
2021.
The Committee considered S. 1324 at a business meeting on
July 14, 2021. The legislation was passed by voice vote en bloc
as amended by a Rosen Substitute Amendment as modified, with
Senators Peters, Hassan, Rosen, Padilla, Ossoff, Portman,
Johnson, Lankford, Romney, Scott, and Hawley present.
IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED
Section 1. Short title
This section established the short title of the bill as the
``Civilian Cybersecurity Reserve Act.''
Sec. 2. Civilian Cybersecurity Reserve pilot project
Subsection (a) includes definitions of the terms
``Agency,'' ``appropriate congressional committees,''
``competitive service,'' ``Director,'' ``excepted service,''
``significant incident,'' ``temporary position,'' and
``uniformed services.''
Subsection (b) authorizes the Director of CISA to establish
a Civilian Cybersecurity Reserve pilot project for the purpose
of effectively responding to significant incidents. When a
significant incident occurs, the Director may activate
reservists by appointing up to 30 individuals to temporary
positions for up to six months in the competitive service or
excepted service, notifying Congress whenever a reservist is
activated. The reservists are considered federal civil service
employees when deployed. The Department of Labor (DOL) would
promulgate regulations related to job protections for
reservists before and after a temporary appointment to the
federal civil service.
Subsection (c) instructs the Director of CISA to develop
criteria for eligibility and the application and selection
process for the Civilian Cybersecurity Reserve. The eligibility
requirements must include an individual's previous employment
and cybersecurity expertise. CISA is directed to prioritize the
appointment of individuals previously employed by the executive
branch or within the uniformed services. Individuals who have
worked for a federal contractor within the executive branch or
for a state, local, tribal, or territorial government would
also be eligible. If an individual has previously served in the
Civilian Cybersecurity Reserve, at least 60 days must pass
before a subsequent temporary appointment. Prior to being
appointed, each individual will be screened for anything that
might create a conflict of interest. A member of the Selected
Reserve may not be a member of the Civilian Cybersecurity
Reserve, nor can individuals who are currently employed by the
executive branch.
Subsection (d) instructs the Director of CISA to ensure
that all members of the Civilian Cybersecurity Reserve undergo
appropriate personnel vetting and adjudication commensurate
with the duties of the position, including access to classified
information where a security clearance is needed. CISA will be
responsible for any costs related to a member of the Civilian
Cybersecurity Reserve obtaining their security clearance.
Subsection (e) directs CISA to begin a study within 60 days
after enactment on the design and implementation of the pilot
project, including on the following: (1) compensation and
benefits for reservists; (2) activities that reservists may
undertake as part of their duties; (3) methods for identifying
and recruiting reservists; (4) methods for preventing conflicts
of interest; (5) resources needed to carry out the pilot
project; (6) possible penalties for individuals who fail to
respond to activation; and (7) processes and requirements for
training and onboarding reservists. Within one year after
beginning the study, CISA must submit and provide a briefing on
an implementation plan to the appropriate congressional
committees.
Subsection (f) instructs the Director of CISA to consult
with the Office of Personnel Management and Office of
Government Ethics and issue guidance on implementing the pilot
project within two years after enactment.
Subsection (g) directs CISA to provide a briefing on the
pilot project to the appropriate congressional committees once
per year starting within one year of enactment on subjects
including: (1) participation in the Civilian Cybersecurity
Reserve, including the number of participants, diversity of
participants, and barriers to recruitment or retention; (2) an
evaluation of the ethical requirements of pilot project; (3)
whether the Civilian Cybersecurity Reserve has been effective
in providing additional capacity to CISA during significant
incidents; and (4) an evaluation of eligibility requirements
for the pilot project. Between six months to three months
before the pilot project terminates, CISA must submit a report
and a provide briefing to Congress on recommendations relating
to the pilot project.
Subsection (h) directs the GAO to evaluate the pilot
project within three years after it is established.
Subsection (i) states that the pilot project shall
terminate four years after the date on which it is established.
Subsection (j) states that no additional funds are
authorized to be appropriated for the purpose of carrying out
this Act.
V. EVALUATION OF REGULATORY IMPACT
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have some regulatory impact within the
meaning of the rules. The bill requires:
DOL to prescribe antidiscrimination and employment
protections at least as stringent as those in the
Uniformed Services Employment and Reemployment Rights
Act. That act requires employers to provide employees
with the same benefits, pay, and seniority when
returning from deployment that they would have received
had they not been away. The act also requires employers
to treat workers on active military duty as furloughed
employees or as employees on a leave of absence,
entitling them to any compensation or benefits
otherwise available to them in that status.\12\
---------------------------------------------------------------------------
\12\Congressional Budget Office, S. 1324, Civilian Cybersecurity
Reserve Act Cost Estimate (Aug. 13, 2021) (https://www.cbo.gov/system/
files/2021-08/s1324.pdf).
The Committee agrees with the Congressional Budget Office's
statement that because the bill limits the Civilian
Cybersecurity Reserve to 30 members at a time, the cost to
employers would be small and well below the annual threshold
established in Unfunded Mandates Reform Act (UMRA) for
intergovernmental and private-sector mandates.
VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
U.S. Congress,
Congressional Budget Office,
Washington, DC, August 13, 2021.
Hon. Gary C. Peters,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 1324, the Civilian
Cybersecurity Reserve Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Aldo
Prosperi.
Sincerely,
Phillip L. Swagel,
Director.
Enclosure.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Bill summary: S. 1324 would authorize the Cybersecurity and
Infrastructure Security Agency (CISA) to establish the Civilian
Cybersecurity Reserve under a four-year pilot program. CISA
would appoint cybersecurity professionals who are members of
the reserve to temporary federal civilian positions within the
agency to respond to significant national security threats.
CISA would be required to report regularly to the Congress on
the program's effectiveness.
Estimated Federal cost: For this estimate, CBO assumes that
S. 1324 will be enacted near the beginning of fiscal year 2022.
The costs of the legislation, detailed in Table 1, fall within
budget function 050 (national defense). Implementing the bill
would cost $63 million over the 2021-2026 period, CBO
estimates; such spending would be subject to the availability
of appropriated funds.
TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER S. 1324
----------------------------------------------------------------------------------------------------------------
By fiscal year, millions of dollars--
----------------------------------------------------
2021 2022 2023 2024 2025 2026 2021-2026
----------------------------------------------------------------------------------------------------------------
Civilian Cybersecurity Reserve:
Estimated Authorization................................ 0 0 7 15 15 16 53
Estimated Outlays...................................... 0 0 7 15 15 16 53
Program Management:
Estimated Authorization................................ 0 1 2 2 2 3 10
Estimated Outlays...................................... 0 1 2 2 2 3 10
Total Changes:
Estimated Authorization................................ 0 1 9 17 17 19 63
Estimated Outlays...................................... 0 1 9 17 17 19 63
----------------------------------------------------------------------------------------------------------------
Under S. 1324, CISA would recruit and train members of the
reserve group and mobilize as many as 30 at a time to serve as
federal civilian employees for up to six months within a year.
Activated reservists would augment CISA's workforce by
detecting and responding to malicious activity in federal and
nonfederal information networks. The bill would require CISA to
complete plans for the initiative within one year; CBO
anticipates that the reserve would begin to operate in 2023.
CBO expects that the costs to pay and equip the reservists
would be comparable to the costs incurred for CISA's Cyber
Defense Teams--about $440,000 annually per employee, on
average. About half of that amount would cover salaries and
benefits; the rest would pay for network sensors, other
equipment, and software licenses. CBO expects that CISA would
activate reservists at a rate sufficient to keep the 30
authorized positions fully staffed each year. On that basis,
CBO estimates, it would cost $53 million over the 2021-2026
period to staff and operate the reserve.
CBO also expects that a program management office would
administer recruitment, training, logistics, and security
clearances and the office would ensure that a sufficient pool
of reservists was available to maintain 30 activated reservists
at all times. Using information about the costs of similar
efforts, CBO estimates that CISA would hire 10 new employees to
manage the program at a total cost of $10 million over the
2021-2026 period.
Uncertainty: Areas of uncertainty in this estimate include
identifying the conditions under which CISA would activate the
reserve. S. 1324 would provide CISA broad latitude for making
that determination. Although CBO expects that the agency would
use the full number authorized under the bill, if fewer than 30
reservists were activated at any time, the budgetary effects
would be proportionately smaller than estimated.
Mandates: S. 1324 bill would impose both an
intergovernmental and a private-sector mandate as defined in
the Unfunded Mandates Reform Act (UMRA) on public and private-
sector employers of activated members of the Civilian
Cybersecurity Reserve. The bill also would require the
Department of Labor (DOL) to prescribe antidiscrimination and
employment protections at least as stringent as those in the
Uniformed Services Employment and Reemployment Rights Act. That
act requires employers to provide employees with the same
benefits, pay, and seniority when returning from deployment
that they would have received had they not been away. The act
also requires employers to treat workers on active military
duty as furloughed employees or as employees on a leave of
absence, entitling them to any compensation or benefits
otherwise available to them in that status.
The cost of the mandate would be the cost to the employers
that provide the benefits as well as the cost of any other
protections DOL requires. Although the mandate's ultimate cost
would depend on those regulations, the bill limits the number
of activated reservists to 30 at a time. Therefore, CBO
estimates, the cost to employers would be small and well below
the annual thresholds established in UMRA for intergovernmental
and private-sector mandates ($85 million and $170 million in
2021, respectively, adjusted annually for inflation).
Estimate prepared by: Federal Costs: Aldo Prosperi;
Mandates: Brandon Lever.
Estimate reviewed by: David Newman, Chief, Defense,
International Affairs, and Veterans' Affairs Cost Estimates
Unit; Kathleen FitzGerald, Chief, Public and Private Mandates
Unit; Leo Lex, Deputy Director of Budget Analysis; Theresa
Gullo, Director of Budget Analysis.
VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
Because S. 1324 would not repeal or amend any provision of
current law, it would make no changes in existing law within
the meaning of clauses (a) and (b) of paragraph 12 of rule XXVI
of the Standing Rules of the Senate.
[all]